HIPAA Overview (Health Insurance Portability and Accountability Act 1996) - PowerPoint PPT Presentation

Slides: 43
Provided by: EA79

Transcript and Presenter's Notes

1
HIPAA Overview (Health Insurance Portability and Accountability Act 1996)
  • PCS HIPAA Privacy Rule Training - 8/25/2015

2
What is HIPAA?
  • Health Insurance Portability and Accountability
    Act of 1996
  • Public Law 104-191
  • Sponsored by - Kennedy and Kassebaum
  • Five Titles
  • Title 1 Insurability and Portability
  • Title 2 Administrative Simplification
  • Title 3 Tax Implications
  • Title 4 Group Health
  • Title 5 Revenue

3
What is the purpose of HIPAA?
  • Reduce health care costs/fraud/abuse
  • Control use/disclosure of protected health
    information (PHI)
  • Identify provider responsibilities and
    accountability
  • Increase consumers' rights - PHI
  • Regulate how PHI is transferred/managed by
    technology, individuals, and agencies
  • Provide consistent standards
  • Assure privacy and security of confidential
    protected healthcare information (PHI)

4
Administrative Simplification HIPAA Regulations and Deadlines
  • Privacy Regulations - Identifies what health care
    information is protected. Deadline April 14,
    2003
  • Electronic Transaction/Code Sets - Sets uniform
    standards. Deadline October 2003 with Extension
  • Security Regulations - Identifies how information
    is to be protected. Deadline April 21, 2005
  • Identifier Standards - Employer, Payer, National.
    Deadline Employer ID finalized/Others Pending

5
HIPAA Definitions
  • The nuts and bolts!

6
Healthcare Operations
  • Includes general administrative and business
    functions necessary for a covered entity to
    remain a viable business (i.e., audits, quality
    improvement functions, assessments)

7
Health Information
  • Any information recorded in any form or
    medium which:
  • Is created/received by a Covered Entity that
    creates, receives, uses, or transmits PHI
  • Relates to the past, present, or future
    physical/mental health condition of an
    individual, their participation in, or payment
    for such services, and
  • Identifies the individual.

8
Individually Identifiable Health Information
  • Identifies the individual, or
  • There is a reasonable basis to believe that the
    information can be used to identify the individual

9
Protected Health Information (PHI)
  • All individually identifiable health care data or
    information collected, maintained, or transferred
    by a Covered Entity

10
Protected Health Information (PHI) Examples
  • Health Plan
  • License/Certificate
  • Vehicle identifiers
  • Bio-metric identifiers
  • Telephone numbers
  • Place of employment
  • Account numbers
  • Name
  • Address
  • Social Security
  • Birth Date
  • Demographic info. (some)
  • Email address

11
Protected Health Information (PHI)
  • Consumer full-face photograph and any comparable
    images
  • Fax number
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) Address Numbers

12
De-identified information
  • Health information which is stripped of
    individual identifying elements
  • Someone with sufficient statistical expertise,
    using accepted statistical standards, says the
    probability is very low that the information
    would identify a consumer
  • In this form, remaining data would not be
    sufficient to identify the consumer

13
Privacy Notice
  • Written document in plain language
  • Posted and shared with consumers at intake
  • Explains how their PHI will be used/disclosed by
    agency
  • Identifies consumers' rights
  • Lists agency/provider duties to protect PHI and
    abide by the Privacy Notice
  • Identifies how changes in notice will be
    communicated

14
Designated Record Set
  • A group of records maintained by or for a covered
    entity/agency
  • Includes any records used, in whole or in part,
    to make decisions about the consumer's treatment
    (medical record, billing, etc.)
  • PCS Clinical Records Policy

15
Use vs. Disclosure
  • Use - Sharing, utilization, examination,
    analysis of PHI maintained internally
    within the agency
  • Disclosure - Release, transfer, access to,
    or sharing in any manner of PHI outside the
    agency maintaining the information

16
Minimum Necessary Rule
  • Rule applies to Uses/Disclosures
  • Covered Entities must make reasonable efforts to
    limit use, disclosure, and requests for PHI to the
    minimum necessary in order to accomplish the
    intended purpose, except when an authorization is
    obtained

17
Minimum Necessary Rule
  • Amount of information needed to achieve the
    purpose
  • Applies to all forms of communication
  • Use - Requires policies and procedures classifying
    staff by role/position and the PHI to which they
    may have access
  • Disclosure - Requires policies and procedures
    addressing criteria to limit disclosure and
    reviewing of requests
  • Must limit requests to that which is necessary
  • Does not apply to consumer requests/authorizations,
    disclosures required by law, or healthcare
    provider for treatment purposes

18
Access to PHI (Protected Health Information)
  • Opportunity to approach, inspect, review,
    and make use of data or information
  • Actions by a consumer or healthcare
    provider with appropriate authorization

19
HIPAA's Privacy Rule

20
Privacy Rule
  • Applies to all protected healthcare
    information (PHI)
  • Does not prohibit the exchange of PHI for
    treatment, payment, or health care operations
    (TPO) within the agency
  • Written Acknowledgement required

21
Privacy Rule Impacts
  • Acknowledgement/Authorization
  • Privacy Notifications
  • Uses and Disclosures of PHI
  • Healthcare Operations
  • Consumer Rights
  • Consumer Access/Amendment of PHI
  • Business Associate Agreements
  • Provider Responsibilities

22
Privacy Rule Highlights
  • Protects privacy of medical records and covers:
  • Electronic records and printouts of records
  • Written records
  • Oral communications
  • Consumer acknowledgement that PHI may be used for
    routine purposes (TPO)
  • Privacy Notice - Documents consumers' rights and
    the agency's responsibilities to protect and manage
    PHI

23
Consumers' Rights under HIPAA
  • Consumers may
  • Inspect/copy their medical record information
  • Request to amend information if they believe it
    to be inaccurate or incomplete
  • Request must be in writing
  • Agency must respond within 15 days (VA law)
  • If request is denied - consumer may appeal this
    decision to the CSB or federal government

24
Consumers' Rights under HIPAA
Consumers may
  • Request a Disclosure History
  • Request confidential communications through
    alternative addresses/phone numbers
  • Have access to a designated individual or Office
    of Civil Rights at Health and Human Services to
    report violations of their rights
  • Request restriction on use/disclosure of their PHI

25
Privacy Regulations
  • Allow flow of PHI for treatment, payment, and
    related health care operations (TPO)
  • Prohibit flow of PHI unless voluntarily
    authorized by the consumer
  • Allow consumer to know who is accessing their PHI
    outside of TPO use
  • Allow consumers to obtain access to their records
    and request amendment of records if the consumer
    feels they are inaccurate or incomplete

26
Provider Responsibilities
  • Provide formal complaint handling system
  • Allow use of de-identified data
  • Follow minimum necessary requirements
  • Establish Business Associate Agreements
  • Duty to mitigate damage if violations occur
  • Establish sanctions for HIPAA violations

27
Privacy Penalties
  • Wrongful Disclosure Offense - $50,000 fine,
    imprisonment of not more than one year,
    or both.
  • Offense Under False Pretenses - $100,000 fine,
    imprisonment of not more than 5 years, or both.
  • Offense with Intent to Sell Information -
    $250,000 fine, imprisonment of not more
    than 10 years, or both.

28
Uses/Disclosures not requiring Authorization
  • To the consumer or legally authorized
    representative of the consumer
  • To health oversight agencies
  • To the Department of Health and Human Services for
    investigation and enforcement purposes
  • By court order (as outlined in CFR 42 - strictest)

29
Uses/Disclosures not requiring Authorization
  • To U.S. Public Health Authorities - to prevent or
    control disease, injury, or disability
  • In following disclosure procedures for deceased
    consumers as outlined in VA law
  • To consumers exposed to communicable disease or
    at risk of contracting or spreading disease -
    under law public health intervention/investigation

30
Uses/Disclosures not requiring Authorization
  • For reports of suspected child abuse or neglect
    to the appropriate authority
  • For reports about an adult victim of abuse,
    neglect, or domestic violence
  • States' mandatory reporting laws
  • Inform the individual of the report
  • Seek the individual's agreement when possible
  • Can report without the individual's agreement

31
Uses/Disclosures not requiring Authorization
  • Healthcare Oversight Activities
  • Authorized by Law
  • Audits
  • Investigations (as permitted by CFR 42)
  • Inspections (i.e., Health Inspection of
    facilities)
  • Civil/criminal/administrative proceeding/action
    by a properly executed court order (CFR 42)
  • Other appropriate oversight actions
  • Government regulatory programs
  • Government benefit programs - for eligibility

32
Privacy Preemption
  • HIPAA will preempt other federal or
    state laws relating to PHI
    (except for those more stringent
    than HIPAA)

33
HIPAA is not added red tape but...
  • Applying BEST PRACTICES to protect Mr. Hipps
    confidential healthcare information in a world
    where inappropriate sharing of PHI could result
    in:
  • Identity theft
  • Loss of privacy and control over healthcare
    information
  • Possible discrimination practices
  • Consumer Rights violations

34
How does the Privacy Rule affect Piedmont CSB?

35
New HIPAA Forms and Policies
  • Privacy Notice
  • Right to Access Policy
  • Request For Amendment Policy
  • Minimum Necessary Policy and Procedure
  • Tele-facsimile Policy
  • Email Policy
  • Business Associates Agreement
  • Authorization to Release Information

36
Privacy Notice
  • Replaces the "Your Rights" Form
  • Describes use and disclosure of health
    information.
  • Special circumstances for disclosure.
  • Other uses and disclosure only with
    authorizations.
  • Describes revisions to policy.
  • Lists Privacy Officer, Regional Advocate, and
    Office of Health and Human Services contact
    numbers.
  • MUST BE POSTED AT ALL SERVICE SITES

37
Right to Access PHI
  • All individuals and/or legally appointed
    representatives have a right to inspect and/or
    obtain a copy of their medical record.
  • Exceptions:
  • Use in civil, criminal proceeding
  • Inmate of correctional facility and if could
    jeopardize health and safety
  • Involved in research that includes treatment and
    he/she agreed not to have access to the
    information.
  • The individual's psychiatrist or psychologist has
    determined that the information could be
    injurious to the individual's mental or physical
    well-being.
  • Procedures outlined in policy

38
Request to Amend Medical Record
  • All consumers have a right to request an amendment
    to his/her medical record.
  • Must be requested in writing to the primary
    clinician.
  • PCS has 60 days to respond to the request. Can
    request an extension of 30 days.

39
Denial of Request to Amend
  • a. May deny the request if the information was
    not created by the agency
  • b. May deny the request if the individual who
    created the information that the individual
    served wants amended is no longer an employee of
    the agency 
  • c. May deny the request if the information in the
    record is currently accurate and complete.

40
Amendment Approved
  • a. The agency shall make the amendment. The
    minimum amendment accepted is identifying the
    information to be amended then providing a link
    to the amended information. 
  • b. Inform the individual served that the
    amendment(s) is accepted.
  • c. Obtain from the individual served the names
    and addresses of individuals who need to have the
    amended information.
  • d. Attempt to reach those individuals who need
    to have the amended information.
  • e. Attempt to contact other persons or business
    associates regarding the amended information if
    the information was detrimental to the client.

41
Minimum Necessary Policy
  • Privacy Rule requires that covered entities take
    reasonable steps to limit the use and disclosure
    of PHI.
  • Only the information necessary to meet the
    request is to be released.
  • The medical record in its entirety will not
    routinely be released.
  • All release of information must be approved by
    the lead clinician.

42
Fax Policy
  • All personnel must strictly observe fax policies.
  • May be faxed under certain circumstances
  • May not be faxed under certain circumstances
  • Protocol for faxing PHI.
  • Security of PHI when faxing.

43
Email Policy
  • The e-mail system and all messages generated or
    handled by PCS's equipment are considered part of
    business operations.
  • PCS reserves the right to monitor, audit, and delete
    email messages.
  • It is not the policy of PCS to routinely monitor
    the contents of email; this is done only when a
    situation warrants such an action.
  • All emails containing PHI MUST BE encrypted
    before sending.
  • Email encryption procedures will be forthcoming.
    Until then, no PHI should be sent via email.

44
Business Associates Agreement
  • Business Associates - An entity that does things
    on our behalf and with whom we share/give access
    to PHI
  • Business Associate Agreement - Establishes
    permitted uses, disclosures, and safeguards for
    PHI
  • Examples
  • CSB Attorney, CARF, social services, auditors

45
Authorization to Release Info
  • Changes made to the disclaimer statement.
  • Authorizations must be on file before any
    information can be released.
  • All releases of information must be recorded and
    made available to consumers upon request.

46
Frequently Asked Questions
  • Documentation on PCS Intranet.
  • Other questions, contact Kippy Cassell
  • HIPAA is basically instituting best practices to
    protect the consumer's privacy and confidentiality.