HIPAA Health Insurance Portability and Accountability Act - PowerPoint PPT Presentation

1 / 39

About This Presentation

Title:

HIPAA Health Insurance Portability and Accountability Act

Description:

For facility directory purposes, Incidental to an otherwise permitted use/disclosure, ... Verification Review of Trauma in Hospitals. Audits. Autopsy Report ... – PowerPoint PPT presentation

Number of Views:145

Avg rating:3.0/5.0

Slides: 40

Provided by: UAB

Learn more at: https://www.uab.edu

Category:

more less

Transcript and Presenter's Notes

Title: HIPAA Health Insurance Portability and Accountability Act

1
HIPAAHealth Insurance Portability and
Accountability Act

Lab Disclosures
March 29, 2004
UAB Health System

2
Education Objective

Review the HIPAA Privacy law segments most
applicable to lab disclosures.
Explain the UABHS Accounting of Disclosures
electronic and manual processes.
Distribute and explain a matrix of typical
disclosures.
Answer questions and de-mystify HIPAA privacy
regulations.
Provide resources to assist with future questions.

3
HIPAA Privacy

Under the HIPAA Privacy Regulations
PHI may be used for treatment, payment,
healthcare operations (TPO).
PHI may be disclosed to other providers for
treatment.
PHI may be disclosed to other covered entities
for payment.
PHI may be disclosed to other covered entities
that have a relationship with the patient for
certain healthcare operations such as QI,
credentialing and compliance.

4
HIPAA PrivacyOther Permitted Uses Disclosures

PHI my be used or disclosed without authorization
under the following circumstances
Public health agencies for purposes such as
controlling or preventing disease or collecting
vital statistics, i.e. notifiable or communicable
diseases which must be reported to AL Dept. of
Public Health, PKU Information Reporting.
Public health or government authorities for law
enforcement purposes, such as reporting on
victims of abuse, neglect or domestic violence.

5
HIPAA PrivacyOther Permitted Uses Disclosures

Health oversight agencies for activities
authorized by law, i.e. AQAF.
Judicial and administrative proceedings, such as
compliance with a court order or subpoena.
Law enforcement officials seeking information for
the purpose of identifying a suspect, witness, or
victim of a crime.
Coroners, medical examiners, and funeral
directors to identify a deceased person or
determine a cause of death.
Organ donation.
Workers compensation.

6
HIPAA PrivacyOther Uses Disclosures

Facility Directories unless patient opts out,
their name, location and general medical
condition may be disclosed to those asking for
patient, by name.
Individuals involved in care or payment for care
PHI may be disclosed unless patient objects.

7
HIPAA Privacy Marketing Fundraising

Marketing
Covered entities are prohibited from using or
disclosing PHI for marketing purposes without the
patients express authorization.
Covered entities are prohibited from selling
patient/enrollee lists to third parties.
Providers CAN communicate with patients about
treatment options or the covered entities own
health-related products and services, common
health care communications- such as disease
management, wellness programs, prescription
refill reminders and appointment notifications,
recommending alternative treatments, therapies,
or health-care products.
Fundraising- limited PHI may be used if patient
told how to opt out.

8
HIPAA Privacy Incidental Uses and Disclosures

Uses and disclosures that are incidental to an
otherwise permitted use or disclosure may occur
and is not considered a violation of the Rule
provided that the covered entity meets reasonable
safeguards and minimum necessary requirements.
Waiting room sign-in sheets, patient charts at
bedside, physician conversations with patients in
semi-private room, and physicians conferring at
nurses stations.

9
HIPAA PrivacyResearch

HIPAA regulations do not replace or reproduce
other federal regulations (e.g. 45 CFR 46, 21 CFR
56). All existing regulations remain in force.
Unlike some other regulations, HIPAA applies
regardless of whether the research is funded by
the government.

10
HIPAA PrivacyResearch

HIPAA preempts all less stringent state laws
regarding privacy of health information unless
specific requirements are met.
These requirements involve state mandated
reporting related to health, safety, or welfare,
as well as reporting that is necessary for a
health plan to conduct auditing procedures.

11
HIPAA PrivacyResearch

Instructions for requesting an exemption - to
follow the state law instead of HIPAA - are given
in Subpart B (160.201-205).

12
HIPAA PrivacyResearch

Covered Entities are permitted to use or disclose
PHI for research if the IRB has approved the
research and one or more of the following
conditions exist
1. Patient Authorization
2. Decedent Research
3. Preparatory Research
4. Limited Data Set
5. IRB grants a waiver of required authorization.

13
Waiver of Authorization

The IRB may waive the authorization, if the
reviewing board finds that
The use or disclosure of PHI involves no more
than minimal risk to privacy.
The proposed research could not practicably be
conducted without the waiver or alteration and
The research could not practicably be conducted
without access to and use of the PHI.

14
Research with Records of Deceased Individuals

If a research subject is deceased, PHI may be
used or disclosed provided that the researcher
represents
The use or disclosure is sought solely for
research on PHI of decedents, and
PHI for which use or disclosure is sought is
necessary for research purposes.
Upon request of the covered entity, the
researcher must provide documentation of the
death of the individual.

15
Reviews Preparatory to Research

A covered entity may use or disclose PHI for
reviews preparatory to research if it obtains the
following representations from the researcher
Use and disclosure is sought solely to review PHI
as necessary to prepare a research protocol or
for similar purposes preparatory to research
(e.g. recruitment)
No PHI is removed from the covered entity by the
researcher in the course of review and
The PHI for which use or access is sought is
necessary for the research purpose.
Look to institutional policy to see if IRB
approval is required.

16
De-Identification Standard

De-identified health information is health
information that does not identify an individual
and for which there is no reasonable basis that
the information could be used to identify an
individual.
It is not considered individually identifiable
information.
There is no actual knowledge that the information
could be used to identify an individual.

17
De-Identification Standard (cont.)

The Privacy Rule does not apply to information
that has been de-identified under one or two
standards set forth in the Privacy Rule.
Removal of 18 identifiers.
Certification by a biostatistician that the
method for de-identifying the PHI has a very
small risk that the information could be used,
alone or in combination with other reasonably
available information, to identify an individual
who is the subject of the information.

18
De-Identification Standard (cont.) Information
is presumed to be de-identified, if the following
identifiers of the individual or of relatives,
employers, or household members of the
individual, have been removed

-Names
-All geographic subdivisions smaller than a
State, including street address, city, county,
precinct, zip code, and equivalent geocodes
-All elements of dates (except year), including
birth date, admission discharge dates, date of
death, and all ages over 89 and all elements of
dates (including year) indicative of such age
-Telephone numbers
-Fax numbers
-Electronic mail addresses
-Social security number
-Medical record numbers
-Health plan beneficiary numbers

-Account numbers
-Certificate/license numbers
-Vehicle identifiers and serial numbers,
including license plate numbers
-Device identifiers and serial numbers
-Web Universal Resource Locator (URL)
-Internet Protocol (IP) address numbers
-Biometric identifiers, including finger and
voice prints
-Full face photographic images and any comparable
images and
-Any other unique identifying number,
characteristic, or code, except as allowed under
the re-identification specifications 164.514(c).

19
Limited Data Sets

Similar to de-identified data sets except certain
direct identifiers must be removed.
Can be used for research, public health, and
health care operations.
Limited Data Sets can include identifiers such as
date of birth, dates of hospital admissions and
discharges, and an individuals residence by
city, county, state, and 5 digit zip codes.
Researcher may access and use the entire array of
PHI without authorizations or waivers of
authorizations.

20
Minimum Necessary Standard

When HIPAA permits use or disclosure of PHI,
providers should disclose or use only the minimum
necessary amount of PHI in order to do their
jobs.
Exceptions
Treatment
Anything for which a patient authorization is
signed.
Incidental disclosures.
Disclosures required by law.

21
HIPAA Privacy- Patient Rights

Notice to Individuals of Information Practices.
Authorization.
Request Access.
Request Accounting for Uses and Disclosures.
Request Amendment and Correction (subject to
approval by the covered entity).
Request Confidential / alternate communication.
Request Restriction on use of PHI (subject to
approval by the covered entity).
Complaints.

22
What is an Accounting of Disclosures?

Info. provided to the patient, upon request of
certain disclosures made by UAB/UABHS in the six
years prior to the date of the request, but not
prior to April 14, 2003.
Date of disclosure
Name, address (if known) of entity/person
receiving PHI
Brief description of PHI disclosed
Purpose of disclosure or copy of request

23
Accounting of Disclosures

A covered entity must provide an accounting to
the individual of any research disclosure made
pursuant to an IRB.
No accounting is needed for disclosures made
pursuant to an Authorization.

24
Accountings of Disclosures are not required for
the following