"What You Need to Know and Do to Comply with HIPAA PowerPoint PPT Presentation



1
  • "What You Need to Know and Do to Comply with
    HIPAA"
  • Howard University Hospital
  • October 18, 2002
  • Mary L. Kuffner, J.D.
  • Senior Washington Counsel
  • American Medical Association

2
HIPAA Privacy Rule
  • In general, the standards and requirements in
    the Privacy Rule apply to covered entities with
    respect to protected health information.

3
  • Covered entity
  • A health plan
  • A health care clearinghouse
  • A health care provider who transmits any health
    information in electronic form in connection with
    a HIPAA transaction

4
  • HIPAA transactions
  • (1) Health care claims or equivalent encounter
    information
  • (2) Health care payment and remittance advice
  • (3) Coordination of benefits
  • (4) Health care claim status
  • (5) Enrollment and disenrollment in a health plan
  • (6) Eligibility for a health plan
  • (7) Health plan premium payments
  • (8) Referral certification and authorization
  • (9) First report of injury
  • (10) Health claims attachments
  • (11) Other transactions that the Secretary may
    prescribe by regulation

5
Am I a Covered Entity?
  • Health care provider
  • Conducts any HIPAA transactions electronically,
    or
  • Anyone else on your behalf
  • Must submit claims electronically to Medicare by
    October 16, 2003
  • Exception - less than 10 FTEs

6
Protected Health Information (PHI)
  • Is a subset of
  • Individually Identifiable Health Information
  • Information (including demographic) that
  • Is created or received by a health care provider,
    health plan, employer, or health care
    clearinghouse and
  • Relates to
  • physical or mental health or condition of an
    individual (past, present, or future)
  • provision of health care to an individual or
  • payment for the provision of health care to an
    individual (past, present, or future) and
  • identifies the individual or
  • there is a reasonable basis to believe the
    information can be used to identify the
    individual.

7
Protected Health Information (PHI)
  • Individually Identifiable Health Information
    that
  • Is transmitted or maintained in any form or
    medium (electronic media, paper, oral)
  • Excludes information in
  • Education records
  • Employment records held by a covered entity in
    its role as employer

8
Uses and Disclosures of PHI
  • General Rule
  • A covered entity may not use or disclose
    protected health information, except as permitted
    or required by the Privacy Rule

9
Permitted Uses and Disclosures of PHI
  • To the individual
  • For treatment, payment, or health care operations
    (TPO)
  • Pursuant to an authorization, or
  • As specifically permitted by the Privacy Rule

10
Required Uses and Disclosures of PHI
  • To the individual (right of access and accounting
    of disclosures)
  • To the Secretary of HHS (to investigate or
    determine compliance)

11
Uses and Disclosures for TPO
  • Uses and disclosures of PHI are permitted for a
    covered entity to carry out its own TPO
  • Treatment
  • Payment
  • Health care operations
  • Covered entities may obtain consent of the
    individual if desired

12
  • Treatment
  • the provision, coordination, or management of
    health care and related services by one or more
    health care providers,
  • the coordination or management of health care by
    a health care provider with a third party
  • consultation between health care providers
    relating to a patient or
  • the referral of a patient for health care from
    one health care provider to another.

13
  • Payment
  • Activities undertaken by a health care provider
    or health plan to obtain premiums, provide
    benefits, or to obtain/provide reimbursement for
    the provision of health care, including, but not
    limited to
  • Eligibility/coverage determinations and
    adjudication of health benefits claims
  • Risk adjusting amounts due
  • Billing, claims management, and collection
    activities
  • Review of health care services with respect to
    medical necessity, coverage under a health plan,
    appropriateness of care, or justification of
    charges
  • Utilization review activities, including
    precertification/preauthorization of services,
    concurrent and retrospective review of services
    and
  • Disclosure of limited information to consumer
    reporting agencies relating to collection of
    premiums or reimbursement.

14
  • Health Care Operations
  • Quality assessment and improvement activities
  • Population-based activities relating to improving
    health or reducing health care costs
  • Reviewing the competence or qualifications of
    health care professionals, evaluating
    practitioner and provider performance, health
    plan performance, conducting training programs,
    accreditation, certification, licensing, or
    credentialing activities
  • Underwriting, premium rating, and other
    activities relating to the creation, renewal or
    replacement of a contract of health insurance or
    health benefits
  • Conducting or arranging for medical review, legal
    services, and auditing functions, including fraud
    and abuse detection and compliance programs
  • Business planning and development
  • Business management and general administrative
    activities

15
Uses and Disclosures for TPO
  • A covered entity may disclose PHI
  • for treatment activities of another health care
    provider
  • to another covered entity or health care provider
    for its payment activities
  • to another covered entity for certain of its
    health care operations if each covered entity has
    or had a relationship with the individual who is
    the subject of the PHI (first 3 bullets on
    slide, or for health care fraud and abuse
    detection or compliance)
  • covered entities that are part of an OHCA for
    health care operations of the OHCA

16
Exceptions
  • An authorization is required for any uses or
    disclosures
  • psychotherapy notes - unless
  • use by the originator for treatment
  • use by covered entity for its own training
  • to defend a legal action brought by the
    individual
  • required by law/prevent a serious threat
  • HHS Secretary
  • health oversight of originator
  • coroner
  • marketing
  • unless promotional gift of nominal value or in
    person communication

17
Caveats
  • Minimum Necessary rule applies
  • When using or disclosing PHI or when requesting
    PHI from another covered entity, a covered entity
    must make reasonable efforts to limit PHI to the
    minimum necessary to accomplish the intended
    purpose
  • Except by health care provider for treatment
  • to the individual
  • pursuant to an authorization
  • to the Secretary
  • required by law
  • required for compliance with Privacy Rule

18
Notice of Privacy Practices (NPP)
  • Right to adequate notice
  • Uses and disclosures of PHI
  • Individuals' rights
  • Covered entity's legal duties

19
Content of NPP
  • Plain language
  • Specific header
  • THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION
    ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU
    CAN GET ACCESS TO THIS INFORMATION. PLEASE
    REVIEW IT CAREFULLY.

20
  • Description of uses and disclosures a covered
    entity may make
  • Separate statements
  • If health plan intends to disclose information to
    a group health plan sponsor
  • Must indicate if covered entity may contact
    individual
  • for appointment reminders
  • to provide information about alternative
    treatments or services
  • to conduct fundraising

21
  • Individual rights with respect to PHI and a brief
    description of how to exercise rights
  • Covered entity's duties must be stated
  • Required by law to maintain patient privacy and
    to provide NPP
  • Required to abide by the terms of current NPP
  • May reserve the right to change the terms of NPP
    and make changes effective for all PHI it
    maintains.
  • Describe how covered entity will provide
    individuals with a revised NPP

22
  • Complaints -
  • Must state that individuals may complain to the
    covered entity and to the Secretary if they
    believe their privacy rights have been violated,
  • Must describe how the individual may file a
    complaint with the covered entity,
  • Must state that the individual will not be
    retaliated against for filing a complaint
  • Identify Privacy Contact

23
  • Effective Date
  • Optional elements -
  • May describe limited uses and disclosures covered
    entity will adhere to if it elects to
  • Revisions to the NPP
  • Must be promptly made and distributed if material
    change in privacy practices
  • Must not implement change until NPP is revised
    (unless required by law)

24
Use of NPP
  • All covered entities must make NPP available
    upon request to any person
  • Must document compliance by maintaining a paper
    or electronic copy for 6 years (minimum)

25
  • Health plans
  • must provide NPP no later than the compliance
    date to individuals then covered by the HP
  • time of enrollment for all others
  • after revision - to all then covered by plan
  • to named insured even if dependents covered

26
  • Health care providers with direct treatment
    relationships with patients
  • No later than the date of first service delivery
    after compliance date (4/15/03)
  • Copies available at office for patients to keep
  • Posted in clear and prominent location in office
  • Make revised notices readily available on or
    after effective date of revision

27
  • Health care providers with direct treatment
    relationships (continued)
  • In emergency, provide as soon as reasonably
    practicable after the emergency situation
  • In all cases except in an emergency, must make a
    good faith effort to obtain written
    acknowledgement of receipt of the NPP
  • Document compliance
  • maintain written acknowledgement of receipt or
  • document good faith effort and reason why such
    acknowledgement was not obtained

28
  • Direct treatment relationship: not an indirect
    treatment relationship
  • Indirect treatment relationship: a relationship
    between an individual and a health care provider
    in which
  • The health care provider delivers health care to
    the individual based on the orders of another
    health care provider and
  • The health care provider typically provides
    services or products, or reports the diagnosis or
    results associated with the health care, directly
    to another health care provider, who provides the
    services or products or reports to the individual

29
Electronic NPP
  • If a covered entity maintains a website with
    information about services
  • Prominently display NPP on the website
  • Make NPP available through the website
  • Must still provide a paper copy of NPP to
    recipient if requested

30
  • A covered entity may provide NPP by e-mail
  • If the individual agrees to receive NPP by e-mail
    and has not withdrawn
  • If e-mail fails, paper copy must be provided
  • E-mail NPP must be delivered within same
    timeframe as paper - i.e., if service is
    electronic, must deliver NPP contemporaneously
    with first request for service
  • Must still provide a paper copy of NPP to
    recipient if requested

31
Joint NPP
  • Participants in Organized Health Care Arrangement
    may use same NPP
  • Previously discussed requirements apply
  • Joint notice is effective for all in Organized
    Health Care Arrangement
  • All must abide by terms of NPP

32
  • JNPP may reflect application to multiple covered
    entities
  • Previously discussed requirements apply
  • Provision of JNPP to an individual by any one
    covered entity included in JNPP will satisfy
    provision requirement for all entities covered by
    JNPP

33
Preemption
  • HIPAA trumps if it is contrary to state law
    (cannot comply with both laws)
  • Unless state law is more stringent - then state
    law trumps
  • Generally, more stringent means greater privacy
    protection for the individual, i.e., more
    restrictions on uses or disclosures, or greater
    rights for patients

34
  • State law trumps if the Secretary of HHS
    determines that the State law is necessary
  • To prevent fraud and abuse
  • To ensure appropriate State regulation of
    insurance
  • For State reporting on health care delivery or
    costs or
  • For purposes of serving a compelling need related
    to public health, safety, or welfare, and, the
    intrusion into privacy is warranted when balanced
    against the need to be served
  • or, its principal purpose is the regulation of
    any controlled substances

35
  • State law also trumps if it
  • provides for the reporting of disease or injury,
    child abuse, birth, or death, or for the conduct
    of public health surveillance, investigation, or
    intervention
  • or
  • requires a health plan to report, or to provide
    access to, information for the purpose of
    management audits, financial audits, program
    monitoring and evaluation, or the licensure or
    certification of facilities or individuals

36
NPP Must Reflect More Stringent Law
  • With respect to form or substance
  • Narrows the scope or duration of use or
    disclosure
  • Increases privacy protections
  • Reduces coercive effect
  • Retention or reporting of more detailed
    information
  • Retention or reporting for a longer duration