HIPAA Privacy Regulation - PowerPoint PPT Presentation


Slides: 25
Provided by: kathari6


Transcript and Presenter's Notes

Title: HIPAA Privacy Regulation

HIPAA Privacy Regulation
  • Daniel Brzovic, Protection Advocacy, Inc.

  • Overview of HIPAA Privacy Regulation
  • Basic elements of regulation

Privacy Regulation of the Health Insurance
Portability and Accountability Act of 1996
  • Provides for uniform national privacy standards
    so that records can be transmitted and stored
  • Provides for individuals to have access to their
    own records and an opportunity to correct them so
    that electronic records can be accurate
  • Requires that privacy and security be built into
    the policies and practices of health care
    providers and health plans.
  • Allows for the free flow of protected health
    information for treatment, payment and health
    care operations.

Key Concepts
  • Covered Entities: The HIPAA Privacy Rule applies
    to health care providers, health plans and health
    care clearinghouses
  • Who transmit any health information
  • Protected Health Information (PHI): Any oral or
    recorded information relating to the past,
    present, or future physical or mental health of
    an individual, the provision of health care to
    the individual or the payment for health care
  • Treatment, payment or other health care
    operations: The HIPAA Privacy Rule does not
    impose disclosure restrictions on the exchange of
    medical files for the purposes of treatment,
    payment or other health care operations

Key Concepts (Continued)
  • Minimum Necessary Standard: Whenever a covered
    entity uses or discloses protected health
    information or requests such information from
    another covered entity, it must make reasonable
    efforts to limit the information to the minimum
    amount necessary to accomplish the intended
    purpose of the use or disclosure
  • This standard is not as strict if the patient
    initiates the disclosure (i.e., signs an
    authorization form)

Basic Elements of Privacy Regulation
  • National Standard
  • Notice
  • Confidentiality
  • Psychotherapy Notes
  • Limits on Employers
  • Hospital Directories
  • Access
  • Right to Amend
  • Accounting of Disclosures
  • Safeguards, Security
  • Complaints

National Standard
  • The HIPAA Privacy Rule establishes a national
    standard for health privacy. It sets a minimum
    federal standard, a baseline with minimum
    protections for consumers. Stronger or more
    stringent (i.e., more privacy-protective) state
    laws still remain in effect. States are also
    free to enact stronger protections in the future.

HIPAA Preemption
  • Preempts less stringent state privacy laws
  • This means state laws providing less protection
    for confidentiality than HIPAA does
  • This also means state laws providing less access
    for an individual to the individual's own
    records, and less opportunity to correct the
  • California law is more stringent than HIPAA in
    some respects, and less stringent in others

California Privacy Laws
  • Confidentiality of Medical Information Act
    Civil Code 56 et seq.
  • Lanterman-Petris-Short Act WIC 5328 et seq.
  • Lanterman Act WIC 4514 et seq.
  • Alcohol/substance abuse and HIV records
  • Patient Access to Medical Records Act HSC
    123110 et seq.
  • Other statutes.

  • Notice of Privacy Practices
  • Good faith effort to obtain signature
  • Signature is not required, or condition for
  • Not a consent form

Confidentiality Exceptions
  • Patient (or representative) signs valid
    authorization for release
  • Disclosure required by law
  • Public health activities
  • Victims of abuse, neglect, domestic violence.
  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Specialized government purposes
  • Other enumerated purposes

Authorization for Release
  • PHI may be released to anyone if the patient (or
    personal representative) signs a valid
  • The authorization must be filled out completely.
  • The authorization must contain:
  • Name of information provider
  • Name of information recipient
  • Description of PHI to be disclosed
  • Purpose of disclosure or use

Authorization (Continued)
  • Disclosure can be very broad, e.g.
  • Any and all providers may disclose to
  • Anyone
  • Any and all of my PHI
  • This authorization is at my request
  • It is best to have a narrowly-tailored
  • You should go over the authorization with the
    client carefully, and make sure the client is
    only disclosing what is necessary

Authorization (Continued)
  • The authorization must also contain:
  • Notice that if PHI is disclosed by the recipient,
    it may no longer be protected under HIPAA
  • Notice that the authorization may be revoked
    unless the provider has taken action in reliance
    on the authorization
  • If the authorization is obtained by a provider,
    notice that treatment, payment, enrollment, or
    eligibility for benefits cannot be conditioned on
    signing the authorization, and exceptions

Authorization (Continued)
  • The authorization must also contain:
  • Expiration date or event
  • Signature and date
  • Relationship or authority of person signing if
    signed by someone other than the patient
  • A copy of the authorization must be given to the
    individual (if the authorization is obtained by
    the provider)
  • There must be a separate authorization for
    psychotherapy notes
  • There must be a separate authorization for non-PHI

Authorization (Continued)
  • Additional California requirements:
  • The authorization must be in 14-point type or
    handwritten by the person who signs it
  • The use as well as the disclosure can be
  • Revocation must be in writing
  • There must be a notice that the individual is
    entitled to a copy
  • There must be an expiration date (rather than a
    date or event)
  • Under California law, further release of the
    information also requires the same type of
    written authorization

Psychotherapy Notes
  • Mental health providers may not disclose
    psychotherapy notes without first obtaining a
    patient's voluntary authorization, except in
    specific instances
  • Psychotherapy notes are a narrow category
  • Psychotherapy notes are notes by a mental health
    professional documenting or analyzing the
    contents of conversation during a private
    counseling session or a group, joint, or family
    counseling session and that are separated from
    the rest of the individual's medical record.

Limits on Employers
  • Health care providers and health plans are barred
    from disclosing identifiable health information
    to employers
  • In California, employers have the same
    confidentiality requirements as medical care

Hospital Directories
  • Right to opt-out of having name and health status
    publicly available in a hospital's directory
  • In California (subject to opt-out requirements)
    if someone requests information about a patient
    by name, the hospital may release information
    about the individual's general condition and
    location in the hospital

  • Right to see and copy own medical records (Does
    this include third parties?)
  • Copies must be supplied within 30 days of request
  • Reasonable fee
  • California access law is preempted in most cases
    with notable exceptions

Right to Amend
  • Right to amend or supplement own protected health
    information as long as the covered entity
    maintains the information
  • The covered entity must act no later than 60 days
    after it receives the request
  • Grievance procedure for refusal to amend
  • In addition, California law allows an addendum of
    not more than 250 words to be added to medical

Accounting of Disclosures
  • Right to receive an accounting of disclosures of
    PHI made by the covered entity during the six
    years prior to the date that request was made
  • Includes disclosures to or by business
    associates, but not disclosures related to
    treatment, payment, or health care operations, or
    if authorization was given

Safeguards, Staff training, Privacy Officer
  • Covered entities must have appropriate technical
    and administrative safeguards in place to protect
  • Training of staff
  • Appoint Privacy Officer

Complaints When Your Rights Are Violated
  • Contact Privacy Officer of organization that
    violated privacy regulation
  • File a Federal complaint with the Department of
    Health and Human Services Office for Civil Rights
  • Seek State level recourse (in California, this
    may include an action for damages under
    California law)