HIPAA Privacy Regulation - PowerPoint PPT Presentation

Loading...

PPT – HIPAA Privacy Regulation PowerPoint presentation | free to view - id: 4a259-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

HIPAA Privacy Regulation

Description:

Privacy Regulation of the Health Insurance Portability and Accountability Act of ... Contact Privacy Officer of organization that violated privacy regulation ... – PowerPoint PPT presentation

Number of Views:237
Avg rating:3.0/5.0
Slides: 25
Provided by: kathari6
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: HIPAA Privacy Regulation


1
HIPAA Privacy Regulation
  • Daniel Brzovic, Protection Advocacy, Inc.

2
OVERVIEW
  • Overview of HIPAA Privacy Regulation
  • Basic elements of regulation

3
Privacy Regulation of the Health Insurance
Portability and Accountability Act of 1996
(HIPAA).
  • Provides for uniform national privacy standards
    so that records can be transmitted and stored
    electronically
  • Provides for individuals to have access to their
    own records and an opportunity to correct them so
    that electronic records can be accurate
  • Requires that privacy and security be built into
    the policies and practices of health care
    providers and health plans.
  • Allows for the free flow of protected health
    information for treatment, payment and health
    care operations.

4
Key Concepts
  • Covered Entities The HIPAA Privacy Rule applies
    to health care providers, health plans and health
    care clearinghouses
  • Who transmit any health information
    electronically
  • Protected Health Information - PHI Any oral or
    recorded information relating to the past,
    present, or future physical or mental health of
    an individual, the provision of health care to
    the individual or the payment for health care
  • Treatment, payment or other health care
    operations The HIPPA privacy rule does not
    impose disclosure restrictions on the exchange of
    medical files for the purposes of treatment,
    payment or other health care operations

5
Key concepts contd.
  • Minimum Necessary Standard Whenever a covered
    entity uses or discloses protected health
    information or requests such information from
    another covered entity, it must make reasonable
    efforts to limit the information to the minimum
    amount necessary to accomplish the intended
    purpose of the use or disclosure
  • This standard is not as strict if the patient
    initiates the disclosure (i.e., signs an
    authorization form)

6
Basic Elements of Privacy Regulation
  • National Standard
  • Notice
  • Confidentiality
  • Psychotherapy Notes
  • Limits on Employers
  • Hospital Directories
  • Access
  • Right to Amend
  • Accounting of Disclosures
  • Safeguards, Security
  • Complaints

7
National Standard
  • The HIPAA Privacy Rule establishes a national
    standard for health privacy. It sets a minimum
    federal standard, a baseline with minimum
    protections for consumers. Stronger or more
    stringent i.e. more privacy protective state
    laws still remain in effect. States are also
    free to enact stronger protections in the future.

8
HIPAA Preemption
  • Preempts less stringent state privacy laws
  • This means state laws providing less protection
    for confidentiality than HIPAA does
  • This also means state laws providing less access
    for an individual to the individuals own
    records, and less opportunity to correct the
    records
  • California law is more stringent than HIPAA in
    some respects, and less stringent in others

9
California Privacy Laws
  • Confidentiality of Medical Information Act
    Civil Code 56 et seq.
  • Lanterman-Petris-Short Act WIC 5328 et seq.
  • Lanterman Act WIC 4514 et seq.
  • Alcohol/substance abuse and HIV records
  • Patient Access to Medical Records Act HSC
    123110 et seq.
  • Other statutes.

10
Notice
  • Notice of Privacy Practices
  • Good faith effort to obtain signature
  • Signature is not required, or condition for
    treatment
  • Not a consent form

11
Confidentiality Exceptions
  • Patient (or representative) signs valid
    authorization for release
  • Disclosure required by law
  • Public health activities
  • Victims of abuse, neglect, domestic violence.
  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Specialized government purposes
  • Other enumerated purposes

12
Authorization for Release
  • PHI may be released to anyone if the patient (or
    personal representative) signs a valid
    authorization.
  • The authorization must be filled out completely.
  • The authorization must contain
  • Name of information provider
  • Name of information recipient
  • Description of PHI to be disclosed
  • Purpose of disclosure or use

13
Authorization (Continued)
  • Disclosure can be very broad, e.g.
  • Any and all providers may disclose to
  • Anyone
  • Any and all of my PHI
  • This authorization is at my request
  • It is best to have a narrowly-tailored
    authorization
  • You should go over the authorization with the
    client carefully, and make sure the client is
    only disclosing what is necessary

14
Authorization (Continued)
  • The authorization must also contain
  • Notice that if PHI is disclosed by the recipient,
    it may no longer be protected under HIPAA
  • Notice that the authorization may be revoked
    unless the provider has taken action in reliance
    on the authorization
  • If the authorization is obtained by a provider,
    notice that treatment, payment, enrollment, or
    eligibility for benefits cannot be conditioned on
    signing the authorization, and exceptions

15
Authorization (Continued)
  • The authorization must also contain
  • Expiration date or event
  • Signature and date
  • Relationship or authority of person signing if
    signed by someone other than the patient
  • A copy of the authorization must be given to the
    individual (if the authorization is obtained by
    the provider)
  • There must be a separate authorization for
    psychotherapy notes
  • There must be a separate authorization for non PHI

16
Authorization (Continued)
  • Additional California requirements
  • The authorization must be in 14-point type or
    handwritten by the person who signs it
  • The use as well as the disclosure can be
    restricted
  • Revocation must be in writing
  • There must be a notice that the individual is
    entitled to a copy
  • There must be an expiration date (rather than a
    date or event)
  • Under California law, further release of the
    information also requires the same type of
    written authorization

17
Psychotherapy Notes
  • Mental health providers may not disclose
    psychotherapy notes without first obtaining a
    patients voluntary authorization, except in
    specific instances
  • Psychotherapy notes are a narrow category
  • Psychotherapy notes are notes by a mental health
    professional documenting or analyzing the
    contents of conversation during a private
    counseling session or a group, joint, or family
    counseling session and that are separated from
    the rest of the individuals medical record.

18
Limits on Employers
  • Health care providers and health plans are barred
    from disclosing identifiable health information
    to employer
  • In California, employers have the same
    confidentiality requirements as medical care
    providers

19
Hospital Directories
  • Right to opt-out of having name and health status
    publicly available in a hospitals directory
  • In California (subject to opt-out requirements)
    if someone requests information about a patient
    by name, the hospital may release information
    about the individuals general condition and
    location in the hospital

20
Access
  • Right to see and copy own medical records (Does
    this include third parties?)
  • Copies must be supplied within 30 days of request
  • Reasonable fee
  • California access law is preempted in most cases
    with notable exceptions

21
Right to Amend
  • Right to amend or supplement own protected health
    information as long as the covered entity
    maintains the information
  • The covered entity must act no later than 60 days
    after it receives the request
  • Grievance procedure for refusal to amend
  • In addition, California law allows an addendum of
    not more than 250 words to be added to medical
    records

22
Accounting of Disclosures
  • Right to receive an accounting of disclosures of
    PHI made by the covered entity during the six
    years prior to the date that request was made
  • Includes disclosures to or by business
    associates, but not disclosures related to
    treatment, payment, or health care operations, or
    if authorization was given

23
Safeguards, Staff training, Privacy Officer
  • Covered entities must have appropriate technical
    and administrative safeguards in place to protect
    information
  • Training of staff
  • Appoint Privacy Officer

24
Complaints When Your Rights Are Violated
  • Contact Privacy Officer of organization that
    violated privacy regulation
  • File a Federal complaint with the Department of
    Health and Human Services Office for Civil Rights
  • Seek State level recourse (in California, this
    may include an action for damages under
    California law)
About PowerShow.com