Slide 1 NC DHHS HIPAA PMO

1
Presented By NC DHHS HIPAA Office Julie Burton,
CPM September 26, 2002
2
Its Final !

• On August 14, 2002 final modifications to the
  HIPAA Privacy Regulations were published.
• The modifications represent some fairly
  significant changes to the Privacy Rule.
• The modifications are substantially the same as
  those proposed in the NPRM that was published on
  3-27-02, with a few changes and additions.
• Modifications effective date is October 15, 2002
• The following slides will point out key subject
  areas affected by the modifications.

3
Accounting of Disclosures

• Modifications
• Exempts disclosures made whenever an
  authorization has been obtained.
• Exempts incidental disclosures.
• Exempts disclosures that are part of a Limited
  Data Set.
• Rationale
• The authorization process itself adequately
  protects an individuals privacy by assuring that
  permission is given knowingly and voluntarily.
• As long as reasonable safeguards and minimum
  necessary requirements are followed, incidental
  disclosures are not considered a violation of the
  Privacy Rule.
• Individual and covered component must enter into
  a data-use agreement that limits the use of the
  data set.

4
Authorizations

• Modifications
• One authorization form for all purposes
• Required elements that must be included in a
  valid authorization
• Requires authorization before any use or
  disclosure for most marketing-related purposes.
• Rationale
• Although consent requirement is now optional for
  treatment, payment and other health care
  operations (TPO), authorization is still required
  for non-TPO uses of protected health information
  (PHI).
• Simplifies authorization process by using one
  form rather than several different forms.

5
Business Associates

• Modifications
• Allows covered components to continue to operate
  with business associates under existing contracts
  that are in effect on Oct 15, 2002 (modifications
  effective date) and are not renewed or modified
  before April 14, 2004. Such contracts will be
  deemed to be in compliance until the covered
  component has either renewed or modified the
  contract after April 14, 2003 or by April 14,
  2004, whichever is sooner.
• Provides model business associate agreement.
• Rationale
• Change is designed to ease some of the
  administrative and financial burdens associated
  with re-negotiating existing contracts.

6
Consent

• Modifications
• Direct treatment providers are no longer required
  to obtain consent prior to the use or disclosure
  of PHI.
• The decision of whether or not to obtain consent,
  and the form of that consent, will now be
  entirely optional and left to the providers
  discretion, unless such consent is required by
  state law.
• Strengthening of the Notice of Privacy Practices
  requirement by requiring covered components to
  make a good faith effort to obtain clients
  written acknowledgement of the Notice.
• Rationale
• Promotes access to care by removing mandatory
  consent requirements that would inhibit client
  access to treatment while providing covered
  components the option of developing a consent
  process that works for that component.

7
Employment Records

• Modifications
• Employment records held by a covered component in
  its role as an employer, are not covered under
  the protected health information standard in the
  Privacy Rule.
• However, employees who are also patients or
  enrollees of the covered component are covered
  under the protected health information standard
  in the Privacy Rule.
• Rationale
• Further clarification due to concerns that
  employment records may contain individually
  identifiable health information.

8
Incidental Use and Disclosure

• Modification
• Clarification Incidental disclosures are not
  considered a violation of the Privacy Rule as
  long as reasonable safeguards and minimum
  necessary requirements are met.
• Rationale
• An incidental use or disclosure would be a
  secondary use or disclosure that cannot
  reasonably be prevented, is limited in nature,
  and occurs as a by-product of an otherwise
  permitted use or disclosure. Such use and
  disclosure is permissible only to the extent that
  reasonable safeguards are applied and a minimum
  necessary standard has been implemented.

9
Limited Data Set

• Modifications
• Permits creation and implementation of Limited
  Data Set which may contain
• Admission, discharge, and service dates
• Date of death
• Age (including 90 or over)
• Five-digit zip code
• Permits use of Limited Data Set for
• Research
• Public health activities
• Health care operations
• Must develop a Data Use Agreement that
  includes
• Use of PHI only as permitted under Privacy Rule
• Limit who can use or receive the data
• Agree not to re-identify the data or contact the
  client
• Apply safeguards to prevent unauthorized use or
  disclosure of data

10
Limited Data Set (cont.)

• Rationale
• Compromise to many concerns that the
  de-identification standard under the unmodified
  Privacy Rule would curtail important research,
  public health activities, and health care
  operations.
• Limited Data Sets do not include direct
  identifiers such as name, street address,
  telephone, and social security numbers.
• The Data Use Agreement is an understanding
  between the covered component and the recipient
  of the data that data will be used for the
  purpose for which it was given and that data will
  be secured (similar to a Business Associate
  Agreement).

11
Minimum Necessary Standard

• Modification
• All uses and disclosures made pursuant to an
  authorization are exempt from the minimum
  necessary standard.
• Rationale
• The Privacy Rule previously exempted only certain
  types of authorizations from the minimum
  necessary requirement, but since the rule has
  been modified and now requires only one type of
  authorization, the exemption now applies to all
  authorizations.
• The minimum necessary requirements are still in
  effect to ensure a clients privacy for most
  other uses and disclosures.

12
Notice of Privacy Practices

• Modifications
• A good faith effort should be made, at the time
  of the first delivery of the Notice of Privacy
  Practices, to obtain a clients written
  acknowledgement of receipt of the Notice, except
  in emergency situations.
• Failure to obtain the acknowledgement does not
  restrict the providers ability to provide
  services or otherwise use and disclose PHI for
  TPO.
• Documentation of acknowledgement or the effort
  made to obtain acknowledgement must be
  maintained.
• Rationale
• Since the requirement for consent for use and
  disclosure of PHI has been deleted, it is more
  important than ever that clients be informed of
  the covered components practices regarding use
  and disclosure of PHI through reading of the
  Notice of Privacy Practices. In lieu of signing
  a consent form, written acknowledgement of
  receiving the Notice should be obtained whenever
  possible.

13
Whats Next?

• HIPAA Privacy Requirements must be implemented by
  April 14, 2003.
• US HHS will update its guidance document to
  reflect the modifications in the final Privacy
  Rule.
• NC DHHS policies procedures will also reflect
  the modifications .