Understanding HIPAA Privacy Regulations - PowerPoint PPT Presentation

About This Presentation
Title:

Understanding HIPAA Privacy Regulations

Description:

Understanding HIPAA Privacy Regulations A guide to company policies and procedures Prepared by: – PowerPoint PPT presentation

Slides: 52
Provided by: Roberta199

Transcript and Presenter's Notes


1
Understanding HIPAA Privacy Regulations
  • A guide to company policies and procedures

Prepared by
2
The Privacy Rule is intended to
  • Protect and enhance the rights of consumers by
    providing them
      • access to their protected health information
      • control over the uses and disclosures of their PHI
  • Improve healthcare quality by restoring public
    trust and willingness to share information
  • Improve efficiency and effectiveness by creating
    a uniform nationwide privacy framework

3
Privacy Regulations apply to
  • Covered entities, such as
      • Health plans / insurance payers
      • Health care clearinghouses
      • Health care providers, i.e. HMEs, physicians,
        nursing homes, home health agencies, etc., that
        transmit health information electronically in
        connection with standard transactions
  • Within a covered entity, every member of the
    workforce who uses or discloses protected health
    information (PHI)
  • Business associates, through contracts with
    covered entities that hold them to the same
    provisions of the law

4
Basics of HIPAA
  • Covers electronic, paper and oral information
  • Requires contracts with business associates to
    protect health information
  • Emphasizes "minimum necessary" access to
    information
  • Standards apply to "protected health
    information": all individually identifiable
    health information in any form

5
Basics of HIPAA
  • Protected Health Information (PHI) defined
      • Health information, including demographic
        information, which can reasonably identify the
        individual and relates to the person's
          • past, present or future physical health, mental
            health, or condition
          • provision of health care, or
          • past, present or future payment for the provision
            of health care
  • General Rule
      • Protected health information may not be used or
        disclosed for reasons other than treatment,
        payment or healthcare operations without specific
        patient authorization, except where the rule
        itself permits the disclosure (see the permitted
        disclosures on slide 9)

6
Basic Patient Rights - HIPAA
  • Patients must receive written notice of the
    provider's information practices describing
    patient rights; the company must make a good faith
    effort to obtain acknowledgement of receipt. All
    patients receive the Privacy Notice found in the
    manual
  • Patients may inspect their own health information
    and obtain a copy
  • Patients may request amendment of their health
    information

7
Basic Patient Rights - HIPAA
  • Patients may receive an accounting of disclosures
    for purposes other than treatment, payment, and
    healthcare operations
  • Patients may request that uses and disclosures of
    health information be restricted
  • Patients must be provided a means to report a
    privacy complaint, to the company and to the HHS
    Office for Civil Rights

8
Basics of Use and Disclosure
  • Providers must obtain a written patient
    Authorization before releasing PHI for purposes
    other than Treatment, Payment, and Health Care
    Operations, unless the disclosure falls under one
    of the permitted exceptions on the next slide.
  • Consent forms are optional when info is used only
    for treatment, payment and health care operations

9
Basics of Use and Disclosure
  • Providers CAN release PHI without
    authorization
      • for treatment, payment or healthcare operations
        (including to business associates)
      • when required by law
      • for public health activities
      • about victims of abuse, neglect, or domestic
        violence, to the authorities permitted to receive
        such reports
      • for health oversight, e.g. a Medicare audit
      • for judicial and administrative proceedings
      • for specific law enforcement purposes

10
Basics of Use and Disclosure
  • Providers CANNOT release PHI without
    authorization when the info is used for
      • marketing (apart from the narrow exceptions in the
        rule, such as face-to-face communications and
        promotional gifts of nominal value)
      • medical research (unless an IRB or privacy board
        has waived authorization, or another research
        exception applies)
      • fund-raising beyond the limited demographic and
        service information the rule allows; patients must
        also be able to opt out of fund-raising contacts
  • Authorizations generally address a specific need
    and circumstance or span of time

11
Rules Governing Business Associates
  • Providers must identify all Business Associates
    that have access to or use/disclose protected
    health information of patients
      • Accrediting Bodies
      • Consultants
      • Billing Clearinghouses and Outsource companies
      • Outcomes tracking outsourcing
  • Business Associate contracts must be established
    to ensure that Business Associates' practices
    support HIPAA's requirements
  • If a Business Associate materially violates the
    contract, the company must take reasonable steps
    to cure the violation and, if that fails, end the
    contract

12
Exceptions to the rule
  • Providers may release a patient's location,
    condition, or death when needed to family,
    friends, and others involved in the care of the
    patient
  • Providers may make disclosures to family and
    others involved in care when in the patient's
    best interest, but state law still governs the
    rights of minors

13
Exceptions to the rule
  • Providers may make disclosures to personal
    representatives of the patient, i.e. those with
    Power of Attorney, or the executor of the estate of
    a deceased patient
  • De-identified information is not subject to the
    privacy rules
  • Defined as removal of identifiers such as
      • Name
      • Dates directly related to the individual (other
        than year), and ages over 89
      • Geographic subdivisions smaller than a state
        (street address, city, county, full ZIP code)
      • Phone/Fax Numbers
      • Email, SSN, medical record and account numbers,
        etc.

14
Penalties for non-compliance
  • Criminal penalties - Intentional violation
      • Up to $50,000 and up to one (1) year imprisonment
        for knowingly obtaining or disclosing PHI
      • Up to $100,000 and/or imprisonment up to five (5)
        years if the offense is committed under false
        pretenses
      • Fine of not more than $250,000 and/or
        imprisonment of up to ten (10) years if the offense
        is committed with intent to sell, transfer, or use
        PHI for commercial advantage, personal gain, or
        malicious harm

15
HPP1 Uses and Disclosures - General
  • Use of information is defined as that which is
    used WITHIN the organization
  • Disclosure of information is that which is
    released OUTSIDE the organization
  • Both are permitted without specific consent from
    the patient when info is used for treatment,
    payment or healthcare business operations;
    consent forms are optional in these circumstances

16
HPP1 Uses and Disclosures - General
  • TREATMENT includes information shared between
    the referral source and the HME provider to
    accomplish patient care objectives
  • PAYMENT includes information shared with
    insurance payers, billing clearinghouses, and
    outsource billing firms to obtain payment
    (billing firms are also business associates)
  • OPERATIONS includes information shared with
    accrediting bodies, consultants, outcomes
    tracking firms, etc. (these are commonly also
    business associates)

17
HPP2 Uses and Disclosures - Restrictions
  • Patients have a right to request restrictions on
    the use and disclosure of their PHI, even PHI used
    for treatment, payment, and healthcare operations;
    the PRIVACY NOTICE informs them of this. The
    company is not required to agree to a requested
    restriction, but once it agrees it is bound by it
  • The company has the right to refuse to continue
    care for a patient if restrictions interfere with
    treatment, payment, or healthcare operations, but
    must honor an agreed restriction until the patient
    is transferred to another provider

18
HPP2 Uses and Disclosures - Restrictions
  • A request can be verbal or in writing; both must be
    honored until the company is notified otherwise by
    the patient (indefinitely)
  • Better to have a policy to document the patient's
    request: use the Restriction Agreement Form
  • Keep a log of patients requesting restrictions on
    their PHI
  • Keep the log on file for 6 years

19
HPP3 Business Associates
  • A non-covered entity, defined as an organization
    or person, other than a member of the company's
    workforce, who receives PHI from the company in
    order to provide services to or on behalf of the
    company, for example
      • Healthcare billing clearinghouses
      • Billing services
      • Accreditation organizations
      • Consulting firms
      • Software vendors with access to company software
        systems

20
HPP3 Business Associates
  • The company must complete a contract with each
    business associate that holds them to the same
    privacy standards the company is held to as a
    covered entity. The contract
      • Specifies what kind of information will be
        disclosed and to whom
      • Identifies the responsibilities of the business
        associate to protect healthcare information,
        including reporting any breach to the company
      • Specifies what measures will be taken to ensure
        privacy of info upon termination of the contract
        (return or destruction of the PHI)

21
HPP4 Deceased Patients
  • The company must continue to protect the info of
    deceased patients for as long as records are
    maintained. Under the 2013 Omnibus Rule, information
    about a person who has been deceased for more than
    50 years is no longer PHI
  • State law usually says records should be
    maintained for 7 years (or 7 years past the age
    of majority for minors)
  • PHI may be released to the deceased patient's
    personal representative: the executor or
    administrator of the estate, or whoever has
    authority under state law to act for the estate. A
    power of attorney generally ends at death, so it
    does not by itself authorize release

22
HPP5 Personal Representatives
  • Have the same rights as patients, as defined in
    the PRIVACY NOTICE
  • Defined as anyone with a legal POA (healthcare or
    general), the estate of a deceased patient, and
    guardians of un-emancipated minors
  • Document the relationship of the personal
    representative to the patient in the medical /
    billing record

23
HPP5 Personal Representatives
  • Recognize that some states allow minors to consent
    to certain care on their own; for that care the
    minor, not the guardian, controls the PHI. HIPAA
    does not take precedence over state laws that are
    more protective of privacy
  • The company is not obligated to disclose information
    to a personal representative if it reasonably
    believes that revealing such information may
    subject the patient to violence, abuse, or
    neglect

24
HPP6 - Confidential Communications
  • Patients are provided with their PHI upon request:
    treatment notes, billing information/details,
    etc.
  • They do not need to provide a reason for
    requesting the information
  • Verbal, faxed, or mailed responses to the patient
    are permitted, based on the patient's request
  • Hard copy communications are best, to document the
    company's response

25
HPP7 - Consent
  • Use of a consent form is optional if the
    information will only be used for treatment,
    payment and/or healthcare operations (whether the
    information is used by the company, another
    covered entity, or a business associate)
  • Most companies already have a Release of
    Information statement in their paperwork; this
    is adequate even for optional purposes
  • A form is provided in the manual to be used if
    company policy requires separate consent

26
HPP8 Other Permitted Disclosures
  • To public health authorities: infectious
    disease reporting, MedWatch (FDA) adverse event
    reporting, etc.
  • When required by law (including specific law
    enforcement requests), to comply with state laws,
    or to prevent abuse and neglect of a patient
  • To CMS, or on CMS demand, when investigating
    allegations of fraud and abuse

27
HPP9 De-identified Information
  • The company is not required to comply with HIPAA
    regulations in regard to de-identified PHI
  • De-identified PHI has had all identifying
    information removed: name, phone, birth dates,
    addresses, HICN, SSN, etc.
  • The company can code the patient info with a number
    that will allow it to be re-identified later,
    within the company, so long as the code is not
    derived from the patient's information and the
    coding methodology is not disclosed. This is
    common in outcomes tracking
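The identifier removal listed on slide 13 and the re-identification code described in HPP9, put together in working code as an added example; this is not code from the presentation or from the company's manual. It assumes patient records are plain Python dicts with the field names shown, that an HMAC key held only inside the company serves as the undisclosed coding methodology, and that the sample records and the key are constructed for illustration. The restricted three-digit ZIP prefixes follow HHS Safe Harbor guidance based on 2000 Census data and should be checked against current guidance:

```python
"""Added example: Safe Harbor style de-identification with a keyed
re-identification code. Illustrative code, not the company's or the
presentation's own. Field names, sample records and the secret key are
constructed for illustration."""
import hashlib
import hmac
import re
from datetime import date

# Direct identifiers that Safe Harbor removes outright (field names are assumed).
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "hicn", "mrn",
    "account_number", "device_serial", "url", "ip_address", "photo",
}

# Three-digit ZIP prefixes that must be reported as 000 under Safe Harbor
# (HHS guidance based on 2000 Census data; verify against current guidance).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Reference date for age calculation (constructed).
AS_OF = date(2024, 1, 1)

# Constructed sample records: internal patient id plus identifying fields.
SAMPLE_RECORDS = [
    {"patient_id": "P-0001", "name": "Jane Doe", "dob": date(1930, 1, 15),
     "zip": "02134-1234", "phone": "617-555-0100", "hicn": "123456789A",
     "service_date": date(2023, 5, 4), "diagnosis": "J45.909"},
    {"patient_id": "P-0002", "name": "John Roe", "dob": date(1980, 6, 30),
     "zip": "03601", "email": "john@example.com",
     "service_date": date(2023, 11, 20), "diagnosis": "G47.33"},
]


def reidentification_code(patient_id: str, secret_key: bytes) -> str:
    """HMAC-SHA256 of the internal id under a key that never leaves the company.

    Without the key the code cannot be reversed or recomputed from the
    patient's own data, so the "coding methodology" stays undisclosed.
    """
    return hmac.new(secret_key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def generalize_zip(zip_code: str):
    """Keep only the first three ZIP digits, or 000 for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob: date, as_of: date) -> str:
    """Age in years, with everyone 90 or older collapsed into one bucket."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict, secret_key: bytes, as_of: date) -> dict:
    """Return a copy of the record with identifiers removed or generalized."""
    out = {"code": reidentification_code(record["patient_id"], secret_key)}
    for field, value in record.items():
        if field == "patient_id" or field in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            out["age"] = generalize_age(value, as_of)
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = value.year   # dates: keep year only
        else:
            out[field] = value            # non-identifying clinical data
    return out


def build_reid_index(records, secret_key: bytes) -> dict:
    """Code -> patient id map, kept inside the company so outcomes can be
    re-linked later; the de-identified data set itself never carries it."""
    return {reidentification_code(r["patient_id"], secret_key): r["patient_id"]
            for r in records}


if __name__ == "__main__":
    key = b"company-held-secret-key"   # constructed; keep the real one in a secret store
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec, key, AS_OF))
```

The point of the HMAC is that the code is not a function of the patient's data that a recipient could recompute (a plain hash of the name or SSN would be), and the index that maps codes back to patients stays with the company alongside the key. Anything left in the output, such as the diagnosis, is still worth a second look for small populations where it could identify someone on its own.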

28
HPP10 Minimum Necessary Information
  • The company uses and discloses the minimum necessary
    information needed to accomplish treatment,
    payment, and healthcare operations
  • The need for information should be defined by job
    description; the company decides and puts it in policy
  • Minimum necessary information for business
    associates should be defined within individual
    contracts

29
HPP10 Minimum Necessary Information
  • Full access
      • Clinical staff
      • Customer Service and Billing
      • Operations and management personnel
  • Limited access
      • Delivery and warehouse personnel
  • No access
      • Maintenance and cleaning personnel
  • This is a suggested policy; the company decides!

30
HPP11 - Notification of Privacy Policy
  • Provided to all patients or their representatives
    upon initiation of care; see the sample in the manual
  • Contains a list of patient privacy rights and an
    explanation of typical uses and disclosures of
    PHI
  • Must also provide a copy of the notice upon request
    to any person requesting a copy

31
HPP11 - Notification of Privacy Policy
  • Always document that the patient / personal
    representative received the notice: carbonless
    copy w/ signature
  • If amended, the revised Privacy Notice must be
    posted and available to anyone on request; company
    policy is that all current patients receive a copy
    of the new, amended notice
  • If amended, the company must keep old versions
    (master copy) of the Privacy Notice on file for 6
    years past the date the previous version was
    retired

32
HPP12 - Right to Restrict
  • The patient has the right to request restrictions on
    the use of information, even for treatment, payment,
    and healthcare operations; the company may decline
    the request, but is bound by any restriction it
    agrees to
  • The company has the right to refuse to treat the
    patient under those circumstances, but must abide
    by an agreed restriction as long as the patient
    continues on service
  • Get it in writing: use the Restriction form in the
    manual

33
HPP13 - Responding to requests
  • Ask the patient / personal representative to make
    a request for extensive release of PHI in writing,
    so you have documentation
  • Ask the patient / personal representative where they
    want the information sent; it can be mailed to
    someplace other than their primary address if
    they so choose, or provided via the telephone
    or by fax
  • You can charge the patient a reasonable, cost-based
    fee for copying and mailing the information

34
HPP13 / 14 - Responding to requests
  • The patient does not need to provide a reason why
    they want the information
  • Respond to requests in a timely fashion: the rule
    allows 30 days, with one 30-day extension if the
    patient is given written notice of the reason for
    the delay
  • See policy HPP14 for examples of when info can be
    legally withheld
  • If info is legally withheld, the patient must be
    given a written explanation as to why

35
HPP15 Right to amend
  • Patients have a right to request amendment of the
    info in their medical record after reviewing it, if
    they choose
  • The request should be in writing, and state why
    the patient is requesting the change
  • The company may deny the request if
      • the info requested to be changed was not created by
        the company (unless the originator is no longer
        available to act on the request)
      • the info is not part of the records the company
        keeps about the patient, or is not available for
        inspection
      • the info is currently accurate and complete,
        as is

36
HPP15 Right to amend
  • In case of a company denial to amend, put both sides
    (patient and company) in writing and include them in
    the patient's medical record
  • Release this amended information as well, as
    applicable, when disclosure to another person is
    provided at the patient's request
  • Complete the process in a timely fashion: the rule
    allows 60 days, with one 30-day extension if the
    patient is given written notice of the reason

37
HPP16 Accounting of Disclosures
  • The company needs to keep track of disclosures of
    patient information so they can be provided to the
    patient / personal representative upon request
  • Exceptions to tracking
      • Disclosures made directly to the patient
      • Disclosures made for purposes of treatment,
        payment, or healthcare operations
      • Disclosures made under the patient's written
        authorization
      • Information provided to employees of the company
        (a use, not a disclosure)
      • Disclosures for national security or intelligence
        purposes
      • Disclosures made before the Privacy Rule
        compliance date (April 14, 2003)

38
HPP16 Accounting of Disclosures
  • Must keep track of disclosures for 6 years past
    the disclosure
  • Tracking must include
      • Date the info was released
      • To whom the info was released
      • What info was released
      • The purpose for which it was released
  • Document patient requests for an accounting of
    disclosures and respond to them in 60 days or less

39
HPP17 Privacy Officer
  • The company must designate one individual as
    responsible for protecting privacy
  • Job duties include
      • Ensuring confidentiality of all PHI
      • Development and implementation of company HIPAA
        policies
      • Limiting incidental disclosures
      • Documentation and tracking of disclosures, and
        responding to patient complaints
  • The name, location, and phone number of the Privacy
    Officer should be posted in areas where patients
    have access

40
HPP18 Employee Training
  • All current employees receive training; the level
    is based on their access to confidential
    information
  • Employee orientation should include privacy
    training
  • Training must be documented in the employee's
    personnel file

41
HPP19 Securing Medical Records
  • Secured at the end of the business day, either in
    locked cabinets or a locked room
  • Only individuals with permission, consistent with
    their job duties, may access medical records
  • Electronic records are controlled by individual
    logins and passwords to the computer system; no
    shared accounts, so that every access can be
    attributed to one person
  • Documents containing identifiable PHI must be
    shredded prior to disposal

42
HPP20 Patient Complaints
  • Patients have a right to file a formal complaint
    when they feel their privacy has been violated
  • Complaints should be directed to the Privacy
    Officer
  • Privacy Officer is to
  • Document the complaint in a log
  • Investigate the complaint
  • Document the resolution to the complaint
  • Inform the patient of findings / resolution

43
HPP21 Employee Violations
  • Employees who violate patient privacy will be
    subject to company procedures for violations of
    policy
  • Company response will depend on the intention of
    the employee, and the severity of the violation
  • Company response may range from verbal warning,
    up to and including termination
  • All company responses to violations of privacy
    will be documented in the employee's file

44
HPP23 Protection of data
  • Computers must be set up to ensure the integrity of
    information (firewalls, passwords, etc.)
  • The integrity of systems is routinely assessed
  • Back-ups are created daily (the company may change
    its policy on the frequency of back-ups)
  • Back-ups are stored off-site in a protected manner
    (encrypted, with access limited to authorized staff)

45
HPP24 Access to data
  • All individuals who need access to computer data
    are given an individual access code
  • A list of access codes and who has one is to be
    maintained by the company / Privacy Officer
  • Employees are trained regarding privacy regulations
    before receiving access to data
  • Employees may not share their access code; any
    exception requires prior approval of management,
    and sharing should be avoided because it breaks the
    link between a logged access (HPP26) and the person
    responsible for it

46
HPP25 Mitigation of damage
  • If a breach in security is reported, the Privacy
    Officer must take steps to minimize the damage
  • The Privacy Officer must investigate the breach,
    determine its cause, and suggest a resolution
  • All actions on the part of the Privacy Officer
    should be documented; they also form the record
    for any notification required under HPP30

47
HPP26 Access logging
  • The computer system should be capable of logging
    access to PHI; check with billing software
    vendors
  • The log should be generated and reviewed routinely
    to check for unauthorized attempts to access PHI
  • Unauthorized attempts to access PHI will be
    followed up by the company's Privacy Officer
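The role tiers from slide 29 (HPP10) and the routine log review that HPP26 asks for, as an added example that is not from the presentation or from any billing software vendor. The PHI field names, the per-role field sets, the log line format and the sample log lines are all constructed for illustration; a real system's log format will differ, so the parser would have to be adapted to the vendor's output:

```python
"""Added example: a "minimum necessary" role map (slide 29) and a routine
review of PHI access logs (HPP26). Illustrative code, not the company's
or the presentation's own. Field lists per role, the log line format and
the sample log lines are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass

# PHI fields the billing/clinical system exposes (assumed names).
ALL_PHI_FIELDS = {"name", "address", "phone", "dob", "diagnosis",
                  "treatment_notes", "insurance", "hicn", "ssn", "billing"}

# Minimum necessary by job description, following slide 29. The company
# decides the exact field sets and puts them in policy.
ROLE_ACCESS = {
    # full access
    "clinical": ALL_PHI_FIELDS,
    "customer_service": ALL_PHI_FIELDS,
    "billing": ALL_PHI_FIELDS,
    "operations": ALL_PHI_FIELDS,
    "management": ALL_PHI_FIELDS,
    # limited access: only what is needed to get equipment to the door
    "delivery": {"name", "address", "phone"},
    "warehouse": {"name", "address", "phone"},
    # no access
    "maintenance": set(),
    "cleaning": set(),
}

# Assumed log line format, one access event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) fields=(?P<fields>\S*) result=(?P<result>\S+)$"
)

# Constructed sample log: one clean read, a delivery driver reading a
# diagnosis, a cleaner opening a record, and three denied attempts by one user.
SAMPLE_LOG = """\
2024-03-04T09:12:03 user=rlee role=clinical action=read record=P-0001 fields=diagnosis,treatment_notes result=ok
2024-03-04T09:15:44 user=tkim role=delivery action=read record=P-0002 fields=name,address,phone result=ok
2024-03-04T09:16:10 user=tkim role=delivery action=read record=P-0002 fields=diagnosis result=ok
2024-03-04T18:02:51 user=mpatel role=cleaning action=read record=P-0003 fields=name result=ok
2024-03-04T22:40:00 user=jdoe role=billing action=read record=P-0004 fields=billing result=denied
2024-03-04T22:40:05 user=jdoe role=billing action=read record=P-0005 fields=billing result=denied
2024-03-04T22:40:09 user=jdoe role=billing action=read record=P-0006 fields=billing result=denied
"""


@dataclass
class Finding:
    ts: str
    user: str
    reason: str


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["fields"] = set(filter(None, event["fields"].split(",")))
    return event


def review_access_log(lines, role_access=ROLE_ACCESS, denied_threshold=3):
    """Flag reads beyond a role's minimum necessary, any access by a
    no-access role, unknown roles, unparseable lines, and users with
    repeated denied attempts. Returns the findings for the Privacy Officer."""
    findings = []
    denied = Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        event = parse_line(line)
        if event is None:
            findings.append(Finding("-", "-", f"unparseable log line: {line!r}"))
            continue
        allowed = role_access.get(event["role"])
        if allowed is None:
            findings.append(Finding(event["ts"], event["user"],
                                    f"unknown role {event['role']!r}"))
            continue
        if not allowed:
            findings.append(Finding(event["ts"], event["user"],
                                    f"role {event['role']} has no PHI access but touched record {event['record']}"))
        else:
            excess = event["fields"] - allowed
            if excess:
                findings.append(Finding(event["ts"], event["user"],
                                        f"role {event['role']} read fields beyond minimum necessary: {sorted(excess)}"))
        if event["result"] == "denied":
            denied[event["user"]] += 1
    # Repeated denials are a signal even though each attempt was blocked.
    for user, count in sorted(denied.items()):
        if count >= denied_threshold:
            findings.append(Finding("-", user, f"{count} denied PHI access attempts"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.user}: {f.reason}")
```

Run against the log export the vendor produces, the findings list is the work queue for the HPP26 follow-up. Note that the check only works when each access code belongs to one person (HPP24): a shared login makes the `user` field meaningless and every finding unattributable.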

48
HPP27 Contingency Plan
  • The company has a contingency plan that details
    how the company will back up, secure, and
    re-establish its electronic databases in
    emergency situations

49
HPP28 Consent to Film - Record
  • The company has a policy that dictates what type
    of patient / client releases are required in
    order to film or record the patient for use in
    company training, or promotional activities that
    will be seen or heard by persons outside the
    company

50
HPP29 Sale of PHI
  • With very few exceptions, the sale of PHI is
    prohibited without the patient's written
    authorization

51
HPP30 Notice of Obligation
  • The company is obligated to notify patients if
    their unsecured PHI has been breached, without
    unreasonable delay and no later than 60 days after
    the breach is discovered.
  • This obligation stands regardless of whether the
    breach was made by the company or one of its
    business associates; business associates must
    report breaches to the company.
  • HHS must also be notified, and the media when a
    breach affects more than 500 residents of a state
    or jurisdiction.
  • This notification will be handled by the company
    owners and/or the HIPAA privacy officer of the
    company.