HIPAA PRIVACY RULE: AN OVERVIEW GUIDE FOR BUSINESSES - PowerPoint PPT Presentation

Slides: 26
Provided by: ppa57

Transcript and Presenter's Notes

1
HIPAA PRIVACY RULE AN OVERVIEW GUIDE FOR
BUSINESSES
  • Written by
  • PRIYAL PARMAR
  • 7557 Rambler Road, Suite 1465
  • Dallas, Texas 75231
  • (214) 891-5960
  • (214) 891-5966 Facsimile
  • pparmar_at_owenfazio.com

2
INTRODUCTION
  • HIPAA was enacted on August 21, 1996 as a set of
    basic national privacy standards and fair
    information practices to protect the privacy of
    the health information of consumers, and to
    protect an individual's right to access and
    control the use of personal health information
    (PHI)
  • This presentation provides a summary of the HIPAA
    Privacy rule. The goal of this presentation is
    to provide a guideline that businesses can use to
    ensure compliance with HIPAA. This information
    is not exhaustive and the attorneys at Owen
    Fazio, P.C. can provide more detailed guidance
    upon request.

3
WHO HAS TO COMPLY WITH HIPAA?
  • Covered entities: this includes
    • All health plans: an individual or group health
      plan that provides, or pays the cost of, medical
      care (includes health insurers)
      • A health plan that has >50 participants is
        automatically a covered entity
      • An entity is not considered to be a health plan
        for HIPAA purposes if:
        • It falls under the Public Health Service Act
        • It provides incidental health care services
    • All health care clearinghouses: any public or
      private entity that processes (or facilitates the
      processing of) health information received from
      another entity in a non-standard format
    • Health care providers: those who provide medical and
      health services, and any person or organization
      that furnishes, bills, or is paid for health care
      services or supplies in the normal course of
      business
      • Covered: those health care providers that transmit
        health information in electronic form in connection
        with a standard transaction
      • Examples of standard transactions: eligibility
        request, claim submission, claim status inquiry,
        claim payment, referral request, medical services
        authorization

4
WHAT IS COVERED?
  • Protected Health Information (PHI): information that
    • Relates to the past, present, or future physical
      or mental health or condition of an individual,
      OR
    • Relates to the provision of health care to an
      individual, OR
    • Relates to the past, present, or future payment
      for health care, AND
    • Is individually identifiable, AND
    • Is transmitted by electronic media, maintained in
      any medium described in the definition of
      electronic media, or transmitted or maintained in
      any other form or medium.
  • What is excluded from PHI?
    • PHI in education records covered by the Family
      Educational Rights and Privacy Act (FERPA)
    • Employment records held by the covered entity in
      its role as an employer
    • De-identified information. This can be
      accomplished by using one of two methods:
      • MIT method: qualified people use statistics and
        scientific methods to show that there is a very
        small risk that the information could be used by
        others to identify a subject of the information.
      • Safe-harbor method: remove all of the 18
        enumerated identifiers

5
USES AND DISCLOSURES
  • Those that require no patient permission:
    • Treatment
    • Payment
    • Health care operations
    • Public policy activities
  • Those that require the patient's oral agreement:
    • Directory information: name, location, general
      condition, religious affiliation
    • Disclosures to persons involved in the
      individual's care or payment of care
    • Disclosure to family members of the patient's
      general condition and death for the purpose of
      notification
  • Those that require the patient's written
    authorization:
    • Disclosure of psychotherapy notes
    • Disclosure for marketing purposes

6
REQUIRED ELEMENTS OF A WRITTEN AUTHORIZATION
  • Specific description of the information to be
    disclosed
  • Specific identification of the covered entity
    authorized to make the use or disclosure
  • Specific identification of the person(s) to whom
    the covered entity may make disclosure
  • Specific description of each purpose
  • Expiration date or event
  • Signature of the individual
  • Date
  • Information regarding right to revoke the
    authorization and the exceptions to it
  • Ability or inability of the covered entity to
    condition treatment, payment, enrollment in the
    health plan, or eligibility for benefits, on the
    authorization
  • Potential for the information disclosed pursuant
    to the authorization to be subject to
    re-disclosure by the recipient
  • NOTE:
    • The authorization must be written in plain
      language
    • Covered entity must provide the individual with a
      copy of the signed authorization
    • Covered entity must retain a copy of the signed
      authorization for itself
  • The authorization is considered defective if:
    • Expiration date has passed
    • It is not filled out completely
    • It is known to be revoked
    • It contains false material

7
REQUIRED DISCLOSURES
  • Must be disclosed:
    • When the individual requests his/her own PHI
    • When the Department of Health and Human Services
      (DHHS) requests the PHI to investigate a covered
      entity's compliance with HIPAA

8
MINIMUM NECESSARY RULE
  • Covered entity must make reasonable efforts to
    limit PHI to the minimum necessary to accomplish
    the intended purpose of the use, disclosure, or
    request
  • If it is a routine disclosure, the covered entity
    is required to implement policies and procedures
    to restrict such disclosures to the minimum
    necessary standard

9
INDIVIDUAL RIGHTS Right to Receive Notice
  • Purpose: to notify the individual about protections
    of health information by the covered entity
  • Must post notice in a conspicuous place where
    patients are likely to look. Ex: payment window
  • Must also keep copies for patients to take
  • If the covered entity has a website, the notice
    must be posted on the website as well
  • Note: the next 5 slides explore the Right to
    Receive Notice in more detail

10
What are the components of the notice?
  • It must contain a statement that additional uses
    and disclosures require written authorization
  • It must clearly outline the covered entity's
    legal duties with respect to the information
  • It must give instructions on how to file a
    complaint with the Department of Health and Human
    Services if the individual feels that his/her
    privacy rights have been violated

11
Who must give notice?
  • Any health care provider with a direct treatment
    (not indirect) relationship with the individual
    must give notice
  • Indirect treatment relationship: when a health
    care provider delivers health care to the
    individual based on the orders of another health
    care provider, and the health care provider
    typically provides services or products, or
    reports the diagnosis or results associated with
    the health care, directly to another health care
    provider, who provides the services or products
    or reports to the individual
    • Ex: radiologists, pathologists, clinical
      laboratories
  • Health care clearing houses, correctional
    institutions, and group health plans that provide
    benefits through health maintenance organization
    (HMO) contracts are not required to give notice,
    but must provide one upon request by an
    individual
  • Affiliated covered entities under common
    ownership or control may designate themselves as
    one single entity and produce a single notice

12
When must notice be given?
  • At the time of enrollment of new client or time
    of first service delivery
  • Within 60 days of making a material revision to
    the notice
  • Any time patient requests a notice
  • A health plan should remind enrollees about how
    to obtain a copy of the notice at least once
    every 3 years.

13
Who must the notice be given to?
  • EACH ENROLLEE, NOT each covered spouse or
    dependent

14
Acknowledgment
  • Once notice is given, a covered entity should
    obtain a written acknowledgement by either:
    • Signature on the notice
    • Initials on the notice cover sheet
    • Signature on a separate list
  • If covered entity is unable to obtain
    acknowledgement, it must document its good faith
    attempts to obtain it and reason(s) why it was
    not obtained

15
RIGHT TO ACCESS PHI
  • Patients have right to inspect and copy their PHI
    in a designated record set (group of records
    maintained by or for a covered entity that are
    medical records, billing records, enrollment,
    payment, claims adjudication, case management
    record systems or records used by covered
    entities to make decisions about individuals)
  • Exceptions:
    • Psychotherapy notes
    • Information in anticipation of legal proceedings
    • PHI that is subject to the Clinical Laboratory
      Improvement Amendments (CLIA) to the extent the
      provision of access to the individual would be
      prohibited by law or exempt from CLIA
  • Covered entity must comply in a timely manner,
    usually 30 days
  • For records not maintained on site, covered
    entity has 60 days to comply
  • A one time extension of 30 days is allowed, but
    covered entity must give individual the need and
    the reason(s) for the extension.
  • Covered entity must have a procedure in place to
    challenge denial of access
  • Two situations when access can be denied and no
    appeal is available:
    • Inmates of a correctional institution
    • Research participants, but only until research is
      completed.
  • If access is denied, individual must receive a
    written explanation of the basis for denial. It
    should be easy to understand and inform of any
    existing appeal rights. It must also alert the
    individual of the availability of the right to
    complain to the covered entity or the DHHS.

16
RIGHT TO AMEND PHI
  • Individuals have the right to amend incorrect or
    incomplete PHI
  • A covered entity must respond timely to the
    request for amendment within 30 to 60 days

17
RIGHT TO AN ACCOUNTING OF DISCLOSURES OF PHI
  • Individuals have the right to receive an
    accounting of disclosures of PHI made by a
    covered entity in the 6 years prior to the date
    on which the accounting is requested.
  • Accounting must include:
    • Date of disclosure
    • Name of the entity or person who received the PHI
      and address if known
    • Brief description of PHI disclosed
    • Brief statement of the purpose of the disclosure
  • Exceptions to the right to receive an accounting:
    • To individuals or their personal representatives
      for treatment, payment, or healthcare operations
    • For national security or intelligence reasons
    • For a facility's directory
    • PHI made prior to the April 14, 2003 compliance
      deadline
    • Pursuant to an authorization
    • To correctional institutions or law enforcement
      officials
    • Incident to a use or disclosure otherwise
      permitted or required by this subpart
  • Covered entity must act on the request within 60
    days

18
APPOINTMENT OF PRIVACY OFFICER
  • A covered entity must appoint a privacy officer
    who is in charge of developing and implementing
    policies and procedures
  • It must also designate a person/office for
    receiving complaints

19
WORKFORCE TRAINING
  • All members of the workforce must be trained by
    the compliance date
  • New members must be trained within a reasonable
    time
  • If material changes are made, all workforce
    members affected by the change must be trained
    within a reasonable time.

20
PENALTIES AND ENFORCEMENT
  • Individuals can lodge complaints with the
    attorney general, state insurance commissioner,
    state medical board or the United States
    Department of Health and Human Services (DHHS)
    Office for Civil Rights
  • DHHS can impose civil penalties between $100,000
    and $250,000
  • Civil penalties can only be imposed for willful
    violations
  • If a reasonable cause is found, no penalties are
    given as long as the covered entity corrects the
    non-compliance within 30 days
  • Civil penalties cannot be imposed if criminal
    penalties have already been imposed
  • Criminal penalties:
    • Knowing violations of HIPAA: $50,000 or less
      and/or 1 year or less in prison
    • Using false pretenses to violate HIPAA: $100,000
      or less and/or 5 years or less in prison
    • Intent to gain personally or commercially, or with
      intent to cause malicious harm by the misuse of
      IIHI: $250,000 or less and/or 10 years or less
      in prison.

21
COMPLIANCE DATES
  • Health care providers, health care
    clearinghouses, and health plans must comply by
    April 14, 2003
  • Small health plans must comply by April 14, 2004

22
BUSINESS ASSOCIATES
  • A person or organization outside the covered
    entity that performs, or assists in the
    performance of, functions and activities under HIPAA.
    Ex: legal, actuarial, accounting, etc.
  • HIPAA does not apply directly to a business
    associate, but may apply to them indirectly if
    there is a business associate agreement
  • A business associate agreement is a contract
    between a covered entity and a business associate
    and must contain the following required elements:
    • Establish permitted uses and disclosures
    • State that the business associate will not use
      information for further uses and disclosures not
      in the agreement
    • State that the business associate will use
      appropriate safeguards to prevent the use or
      disclosure of information other than as provided
      by the contract
    • The business associate will report to the covered
      entity regarding any use or disclosure not in the
      agreement
    • Business associate must agree to get all of its
      subcontractors to comply with the business
      associate agreement
    • Business associate must make PHI available for
      inspection and copying
    • Business associate must make PHI available for
      amendment
    • Business associate must make its records
      available to the Secretary of DHHS to check the
      covered entity's compliance with HIPAA
    • Business associate must agree to return or
      destroy all information at the end of the
      contract if feasible to do so
    • Agreement must establish that the covered entity
      can terminate the contract with the business
      associate for any violations

23
STATE PREEMPTION
  • HIPAA preempts any state law unless the state law
    is more stringent.

24
HIPAA WEB SITES
  • Association of American Medical Colleges,
    www.aamc.org
  • American Health Information Management
    Association, www.ahima.org/journal
  • Department of Health and Human Services,
    www.aspe.dhhs.gov
  • Health Privacy Project, www.healthprivacy.org
  • United States Department of Health and Human
    Services, www.hhs.gov/news/facts/privacy.html
  • Phoenix Health Systems HIPAAdvisory,
    www.hipaadvisory.com
