HIPAA PRIVACY

1
HIPAA PRIVACY

• Office for Civil Rights
• U.S. Department of Health and Human Services
• November 8, 2002

2
The Health Insurance Portability Accountability
Act of 1996

• HIPAA
• (Public Law 104-191)
• Signed August 16, 1996
• Title II
• Subtitle F Administrative Simplification

3
Purpose of HIPAA Provisions

• To improve efficiency and effectiveness of the
  health care system by standardizing the
  electronic exchange of administrative and
  financial data

4
The Privacy Rule

• 45 CFR Parts 160 and 164

5
The Privacy Rule

• April 14, 2001 Effective Date
• April 14, 2003 Compliance Date
• April 14, 2004 Compliance Date
• (for small health plans)

6
Relationship to other laws

• First comprehensive federal health privacy
  protections
• Does not replace federal, state, or other laws
  that may guarantee individuals even greater
  privacy protections
• Other state laws might require or permit
  disclosures
• Only required disclosures under the Rule are (1)
  to the individual and (2) to HHS

7
Purpose of the Privacy Rule

• Creates for the first time, national standards to
  protect individuals medical records and other
  personal health information

8
Why is the Privacy Rule needed?
9
Do You Know Where Your Medical Information Goes?
10
Who is covered by the Rule?

• Limited by HIPAA to
• -Health plans
• -Health care clearinghouses
• -Health care providers who transmit any health
  information in electronic form in connection with
  a transaction for which the Secretary has adopted
  a standard
• Business Associates

11
What is covered by the Rule?

• Protected health information (PHI) is
• -Individually identifiable health information
• -Transmitted or maintained in ANY form or medium
• Held or transmitted by covered entities or their
  business associates
• Not PHI
• -De-identified information
• -Employment records
• -FERPA records

12
What is a business associate?

• Agents, contractors, others hired to do work on
  behalf of a covered entity that requires
  protected health information (PHI)
• Covered entity must obtain satisfactory
  assurance-usually through a contract-that a
  business associate will safeguard PHI, and limit
  its use and disclosure
• Contract transition period

13
What does the Rule mean for covered entities?

• Accountability
• Professional standards are now law
• Changes in
• -Culture
• -Processes
• -Relationships
• -Documentation

14
What must covered entities do under the Rule?

• Implement standards to protect and guard against
  the misuse of individually identifiable health
  information by the April 14, 2003 compliance date

15
What are specific requirements for covered
entities?

• Administrative Requirements
• Flexible and Scalable
• Covered entities required to
• -Designate a privacy official
• -Develop policies and procedures (on how PHI is
  going to be handled and on receiving complaints)
• -Provide privacy training to its workforce
• -Implement administrative, technical, and
  physical safeguards to protect the privacy of PHI

16
What are specific requirements for covered
entities? (Contd)

• Covered entities are required to
• -Develop a system of sanctions for employees
  who violate the entitys policies
• -Meet documentation requirements
• -Mitigate any harmful effect of a use or
  disclosure of PHI that is known to the covered
  entity
• -Refrain from intimidating or retaliatory acts
• -Not require individuals to waive their rights
  to file a complaint with HHS or their other
  rights under this rule

17
What does the Rule mean for individuals?

• Under the Privacy Rule, individuals have the
  right to
• -Notice of privacy practices
• -Access inspect and copy PHI
• -Amend
• -Accounting
• -Alternative communication
• -Request restrictions
• -Complain to covered entity and HHS

18
Personal Representatives

• Standard personal representatives. A covered
  entity must treat a personal representative as
  the individual under applicable law in situations
  involving
• -Adults and emancipated minors
• -Deceased individuals
• With respect to PHI relevant to such personal
  representation

19
Personal Representatives (Contd)

• Standard personal representatives. There are
  exceptions for
• -Unemancipated minors
• -Where the covered entity has a reasonable
  belief that there has been or may be domestic
  violence, abuse, neglect, or endangerment

20
When is a covered entity permitted to use or
disclose PHI?

• In general, there are four categories of uses and
  disclosures of PHI
• Treatment, payment and health care operations
  (TPO)
• Authorized by the individual
• Requiring the individual to agree or object
• Permissible public policy disclosures

21
BoundariesUses and disclosures

• TPO (164.502)
• -Treatment Care
• -Payment Reimbursement
• -Health care operations Running the store
• (Specific definitions in the Privacy Rule for
  each term)

22
BoundariesUses and disclosures

• Authorized by the individual (164.508)
• -Psychotherapy notes generally need an
  individuals authorization before use or
  disclosure
• -Any uses or disclosures not otherwise permitted
  or required by the Rule
• -Authorizations must be in plain language and
  contain specific elements

23
BoundariesUses and disclosures

• Requiring an opportunity for the individual to
  agree or object (164.510)
• -Facility directories (eg. hospital)
• -PHI for relatives or close personal friends
• -For notification purposes

24
BoundariesUses and disclosures

• Public Policy Disclosures (164.512)
• -Covered entities may use or disclose PHI
  without authorization only if the use or
  disclosure comes within one of the listed
  exceptions and follows its conditions

25
BoundariesUses and disclosures

• As required by law
• For health oversight
• For public health
• For research
• For law enforcement
• For judicial and administrative proceedings
• For specialized government functions

26
BoundariesUses and disclosures

• To facilitate cadaveric organ, eye and tissue
  donation and transplants
• About decedents to funeral directors, coroners
  and medical examiners
• For workers compensation
• To report abuse, neglect, domestic violence
• To avert serious and imminent threat to health or
  safety

27
Minimum necessary

• Covered entities must make reasonable efforts to
  limit the use or disclosure of PHI to minimum
  amount necessary to accomplish their purpose
• Role- based access limits
• Exceptions
• -Disclosure to individual
• -Disclosure to or request by provider for
  treatment purposes

28
Minimum Necessary (Contd)

• Exceptions
• -Use or disclosure made pursuant to an
  individuals appropriate authorization
• -Use or disclosure required for compliance with
  the Administrative Simplification Rules of HIPAA
• -Use or disclosure that is required by law
• -Disclosure to HHS for enforcement purposes

29
Oral Communication Rule

• All forms of communication covered
• Requires reasonable efforts to prevent
  impermissible uses and disclosures
• Policies and procedures to limit access/use
  (role-based)
• -Except disclosures to or request by provider
  for treatment purposes

30
Overheard, seen in passing

• Incidental disclosures
• The Rule permits uses/disclosures incident to an
  otherwise permitted use or disclosure, provided
  minimum necessary and safeguards standards are
  met
• Examples talking to patient in semi-private
  room, talking to other providers if passers-by
  are present, waiting room sign in sheets, patient
  charts at bedside, etc.
• Allow for common practices if reasonably performed

31
Frequently Asked Questions/Concerns about the
Privacy Rule
32
PATIENT My doctor needs to discuss my treatment
with other doctors and nurses. But the Privacy
Rule prohibits doctors and nurses from discussing
private health information if there is a
possibility that someone will overhear. What if
my doctor needs to discuss my condition with a
nurse at a busy nursing station, or with me over
the phone from someplace other than a private
office? The privacy rule prevents these
discussions.
The Privacy Rule does not intend to prohibit
providers from talking to each other and to their
patients.
33
PHYSICIAN The privacy rule requires me to
monitor the activities of my business associates.
I can be found in violation of the rule if my
business associate violates the contract, even if
I dont know about it.
Covered entities are not required to monitor or
oversee the means by which the business associate
carries out safeguards or the extent to which the
business associate abides by the requirements of
the contract.
34
HOSPITAL The privacy rule prohibits
semi-private rooms. With two patients in a room,
there is no way to guarantee that one wont
overhear health information about the other.
Now Ill have to rebuild my facility to include
only private rooms.
The Privacy Rule does not require these types of
structural changes be made to facilities.
Covered entities must have in place appropriate
administrative, technical, and physical
safeguards to protect the privacy of PHI.
35
PATIENT The privacy rule prevents my pharmacist
from filling my prescription before I show up and
sign that consent. Instead of having the
prescription waiting for me, I may have to come
to the pharmacy, sign a consent, and then wait
around for hours while the prescription is filled.
The Privacy Rule permits covered entities,
including pharmacists, to use identifiable health
information for treatment, payment, or health
care operations without prior patient consent.
36
HOSPITAL The privacy rule allows doctors and
nurses to see an patients entire medical record,
if the hospital thinks they need it to do their
jobs.
The Privacy Rule does not prohibit use or
disclosure of, or requests for an entire medical
record. The covered entity must document in its
policies and procedures that the entire medical
record is the amount reasonably necessary for
certain identified purposes.
37
INSURER How are we supposed to do business
under this Rule? It would prohibit doctors from
faxing information to us, or to each other, or to
their patients.
The Rule does not prohibit faxing of individually
identifiable health information. Covered
entities must have in place appropriate
administrative, technical, and physical
safeguards to protect the privacy of PHI.
38
INSURER What happens when I am required to
report information under state law? I assume
that if some other law requires me to disclose
health information, I wont have to do a big
analysis under the privacy rule, or get caught in
the middle because the privacy rule might not
allow the disclosure?
A disclosure of identifiable health information
that is required by another law is permitted by
the Privacy Rule.
39
ANYONE The Privacy Rule is delayed by the
Administrative Simplification Compliance Act that
was passed in December 2001.
This law delays compliance with the Transaction
and Code Set standards for covered entities that
file a compliance plan. This law does not apply
to the Privacy Rule. The compliance date for the
Privacy Rule is still April 14, 2003. (April 14,
2004 for small health plans).
40
PATIENT When my family member comes to pick me
up from the hospital, the doctor will still be
able to explain my condition and tell him what to
expect when I return home. Right?
The Rule permits doctors to discuss a patients
condition with family or friends involved in the
persons care, unless the patient objects.
41
A hospital customarily displays patients names
next to the door of the hospital rooms that they
occupy. Will the Rule allow the hospital to
continue this practice?
The Rule explicitly permits certain incidental
disclosures that occur as a by-product of an
otherwise permitted disclosure. In this case,
disclosure of patients names by posting on the
wall is permitted by the Rule, if the use or
disclosure is for treatment or health care
operations purposes. Minimum necessary
42
Are hospitals able to inform clergy about
parishioners in the hospital?
Yes, the Rule allows this communication to occur,
as long as the patient has been informed of this
use and disclosure and does not object.