Health Insurance Portability and Accountability Act (HIPAA) Review

1
Health Insurance Portability and Accountability
Act (HIPAA) Review

• Auburn University Harrison School of Pharmacy

2
HIPAA Basics

• HIPAA passed in 1996
• Protect and secure patient information
• Guarantee patients right to access health
  information and control its use
• Implemented April 14, 2003

3
Protected Health Information (PHI)

• Spoken, written, or electronic
• Prescription
• Fax or email
• Patient consultation
• Created or received by a covered entity (e.g.
  health care providers, pharmacies, health
  insurance plans)
• Info related to past, present, or future health

4
De-identified Data

• Data that cannot identify an individual patient
• De-identified data does not fall under HIPAA
  rules
• Often used in research

5
Patient Rights

• Limit how PHI used
• Determine when/how communicated with patient
• Review and obtain copy of PHI
• Request edits of PHI
• Know how pharmacy uses PHI

6
Rx Obligations

• Provide written notice to patients regarding
  Privacy Practices
• Patient rights
• How uses and discloses PHI
• Who to contact with complaints
• Obtain written acknowledgement from patients of
  receipt of Privacy Practices

7
Rx Obligations

• Minimum Necessary
• Limit PHI provided by pharmacy
• Provide only minimum necessary information to
  complete a task (e.g. fill prescription, counsel
  patient, file a claim)

8
Rx Obligations

• Exceptions to Minimum Necessary
• Health care provider request to aid treatment
• Disclosure directly to patient
• Disclosure according to patients written
  authorization
• Must avoid incidental uses and disclosures of PHI!

9
Acknowledgement vs. Authorization

• Acknowledgement
• Patient written acknowledgement of receipt of
  written notice of privacy practices
• Notice to include types of PHI disclosures for
  treatment, payment, operations (TPO)
• Authorization
• Signed authorization required for any disclosure
  other than that necessary for TPO

10
Authorization Exemptions

• PHI relative to the following
• Public Health
• Abuse, neglect, domestic violence
• Health oversight
• Law enforcement
• Judicial and administrative proceedings
• Decedents
• Avert serious threat to health or safety
• Specialized government
• Comply with workers compensation laws
• ADR reports to the FDA
• DEA or state Board of Pharmacy inspections

11
Authorization Exemptions

• Refer ALL authorization exemptions to Privacy
  Officer for review!

12
Rx Obligations

• Prevent incidental disclosures of PHI!
• Telephone (refills, call in Rx)
• Faxed Rx
• Info left via pharmacy voice mail
• Drive through pick up window
• Insurance requests for information
• Patient consultations
• Friend or family member requests info regarding
  patients Rx or condition

13
Penalties for HIPAA Violation

• Civil
• 100 per rule violation, up to 25,000 for
  identical violations in one calendar year
• Only 2 Exceptions (do not apply)
• Did not know violated HIPAA rule
• Failure to comply with rule not due to willful
  negligence, and corrected within 30 days

14
Penalties for HIPAA Violation

• Criminal
• Knowingly and in violation of HIPAA rules uses or
  causes to be used unique health identifiers,
  and/or obtains or discloses PHI relating to an
  individual
• 50,000 fine and/or up to 1 year imprisonment

15
Penalties for HIPAA Violation

• Criminal
• 10,000 fine and/or up to 5 years imprisonment if
  obtain PHI under false pretenses
• 250,000 and/or up to 10 years imprisonment if
  intent to sell, transfer, or use PHI for
  commercial advantage, personal gain, or malicious
  harm
• AUHSOP Honor Code Violation

16
Summary

• You will have access to PHI every day
• Access only PHI necessary to complete the task at
  hand
• Make every effort to avoid incidental disclosure
  of PHI
• If unsure about a request for PHI, do not
  disclose and contact Privacy Officer
• Treat PHI as if it is your own