HIPAA Privacy

About This Presentation
Title:

HIPAA Privacy

Description:

HIPAA Privacy GETTING HIPAA PRIVACY TO FLY ... or when the health care provider simply accepts a discounted rate to participate in the health plan's network. – PowerPoint PPT presentation

Slides: 188
Provided by: EdSchn6
Learn more at: http://nebraska.aoa.org


Transcript and Presenter's Notes



1
HIPAA Privacy
  • GETTING HIPAA PRIVACY TO FLY
  • A REALISTIC, PRACTICAL APPROACH

2
HIPAA Privacy
  • History & Background
  • Brief Review of Notice of Privacy Practices
  • NOA (AOA) Manual Handout
  • OCR Guidelines
  • Office Physical Layout suggested changes

3
HIPAA Privacy
  • (What it is NOT)
  • Electronic Data Interchange
  • Medicare electronic claim regulations
  • Computer software regulations
  • EDI due in October 2003

4
HIPAA Privacy
  • History & Background
  • Brief Review of Notice of Privacy Practices
  • NOA (AOA) Manual Handout
  • OCR Guidelines
  • Office Physical Layout suggested changes

5
Background / History
  • HIPAA Privacy
  • 1996 Federal law
  • Protects patient privacy
  • Gives patient access to their records
  • Allows patients to amend their records

6
Background / History
  • Constantly morphing process over years
  • Finally gelled last quarter of 2002
  • Final federal rules published in October
  • OCR Guidelines published in December

7
Background / History
  • AOA HIPAA Privacy Manual published
  • 160 pages
  • Charts (directions)
  • Worksheets
  • Policy suggestions

8
HIPAA Privacy
  • History & Background
  • Brief Review of Notice of Privacy Practices
  • NOA (AOA) Manual Handout
  • OCR Guidelines
  • Office Physical Layout suggested changes

9
Review of Notice of Privacy Practices
  • Policy 14B on pages 31-32; copy for posting at
    end of Manual

Dr. Platypus et al.
Dr. Donald Duck and Daisy Duck
Dr. Daffy Duck and Peking Duck
THE OPTOMETRISTS PRACTICING IN DUCKVILLE, NEBRASKA

10
Review of Notice of Privacy Practices
  • This notice describes how medical information
    about you may be used (in our office) or
    disclosed (outside our office) and how you can
    gain access to this information.

11
Treatment, Payment and Health Care Operations
  • The most common reason why we use or disclose
    your health information is for treatment, payment
    or health care operations

12
Treatment, Payment and Health Care Operations
  • Setting up an appointment for you
  • Testing or examining your eyes
  • Prescribing glasses, contact lenses, or eye
    medications and

Rx

13
Treatment, Payment and Health Care Operations
  • Faxing them to be filled, showing you low vision
    aids,
  • Referring you to another doctor or clinic for eye
    care or low vision aids or services or
  • Getting copies of your health information from
    another professional that you may have seen
    before us.

Rx

14
Treatment, Payment and Health Care Operations
  • Asking you about your health or vision care
    plans, or other sources of payment
  • Preparing and sending bills or claims and
  • Collecting unpaid amounts (either ourselves or
    through a collection agency or attorney).


15
Treatment, Payment and Health Care Operations
  • Administrative and managerial functions
  • Financial or billing audits
  • Internal quality assurance
  • Personnel decisions

16
Treatment, Payment and Health Care Operations
  • Participation in managed care plans
  • Defense of legal matters
  • Business planning and
  • Outside storage of our records.

17
Treatment, Payment and Health Care Operations
  • We routinely use your health information inside
    our office for these purposes without any special
    permission.
  • If we need to disclose your health information
    outside of our office for these reasons, we
    usually will not ask you for special written
    permission.

18
Treatment, Payment and Health Care Operations
  • We will ask for special written permission when
    it is required by law.

19
Other Uses or Disclosures Without Permission
  • In some limited situations, the law allows or
    requires us to use or disclose your health
    information without your permission.
  • Not all of these situations will apply to us
  • Some may never come up at our office at all.

20
Other Uses or Disclosures Without Permission
  • When a state or federal law mandates that certain
    health information be reported for a specific
    purpose

21
Other Uses or Disclosures Without Permission
  • For public health purposes, such as contagious
    disease reporting, investigation or surveillance
    and
  • Notices to and from the federal Food and Drug
    Administration regarding drugs or medical devices

22
Other Uses or Disclosures Without Permission
  • Disclosures to governmental authorities about
    victims of suspected abuse, neglect or domestic
    violence
  • Uses and disclosures for health oversight
    activities, such as for the licensing of doctors
  • For audits by Medicare or Medicaid or
  • for investigation of possible violations of
    health care laws

23
Other Uses or Disclosures Without Permission
  • Disclosures for judicial and administrative
    proceedings, such as in response to
  • Subpoenas
  • Orders of courts
  • Administrative agencies

24
Other Uses or Disclosures Without Permission
  • Disclosures for law enforcement purposes, such as
  • To provide information about someone who is or is
    suspected to be a victim of a crime
  • To provide information about a crime at our
    office or
  • To report a crime that happened somewhere else

25
Other Uses or Disclosures Without Permission
  • Disclosure to a medical examiner to identify a
    dead person or to determine the cause of death
    or
  • To funeral directors to aid in burial or
  • To organizations that handle organ or tissue
    donations
  • Uses or disclosures for health related research
  • Uses and disclosures to prevent a serious threat
    to health or safety

26
Other Uses or Disclosures Without Permission
  • Uses or disclosures for specialized government
    functions, such as
  • For the protection of the president or high
    ranking government officials
  • For lawful national intelligence activities
  • For military purposes or
  • For the evaluation and health of members of the
    foreign service

27
Other Uses or Disclosures Without Permission
  • Disclosures of de-identified information
  • Disclosures relating to workers compensation
    programs
  • Disclosures of a limited data set for research,
    public health, or health care operations

28
Other Uses or Disclosures Without Permission
  • Incidental disclosures that are an unavoidable
    by-product of permitted uses or disclosures
  • Disclosures to business associates who perform
    health care operations for us and who commit to
    respect the privacy of your health information
  • Other uses and disclosures affected by state law.

29
Uses & Disclosures Unless You Object
  • Unless you object, we will also share relevant
    information about your care with your family or
    friends who are helping you with your eye care.

30
Uses & Disclosures Unless You Object
  • Appointment Reminders
  • We may call or write to remind you of scheduled
    appointments, or that it is time to make a
    routine appointment.
  • We may also call or write to notify you of other
    treatments or services available at our office
    that might help you.

31
Uses & Disclosures Unless You Object
  • Appointment Reminders
  • We will mail you an appointment reminder on a
    post card, and/or
  • Leave you a reminder message on your home
    answering machine or with someone who answers
    your phone if you are not home.

32
Uses & Disclosures Only With Authorization
  • We will not make any other uses or disclosures of
    your health information unless you sign a written
    authorization form. Federal law determines the
    content of an authorization form.
  • Sometimes, we may initiate the authorization
    process if the use or disclosure is our idea.
  • Sometimes, you may initiate the process if it's
    your idea for us to send your information to
    someone else.

33
Uses & Disclosures Only With Authorization
  • Typically, in this situation you will give us a
    properly completed authorization form, or you can
    use one of ours.
  • If we initiate the process and ask you to sign an
    authorization form, you do not have to sign it.
  • If you do not sign the authorization, we cannot
    make the use or disclosure.

34
Uses & Disclosures Only With Authorization
  • If you do sign one, you may revoke it at any time
    unless we have already acted in reliance upon it.
  • Revocations must be in writing.
  • Send them to the office contact person named at
    the end of this Notice.

35
YOUR RIGHTS Regarding your PHI
  • The law gives you many rights regarding your
    health information.

36
YOUR RIGHT to ask us to restrict uses & disclosures
  • Ask us to restrict our uses and disclosures for
    purposes of treatment (except emergency
    treatment), payment or health care operations.
  • We do not have to agree to do this, but if we
    agree, we must honor the restrictions that you
    want.
  • To ask for a restriction, send a written request
    to the office contact person named at the end of
    this Notice. Use the address, fax or E-mail
    shown at the beginning of this Notice.

37
YOUR RIGHTS Confidential Communication
  • Ask us to communicate with you in a confidential
    way, such as
  • by phoning you at work rather than at home,
  • by mailing health information to a different
    address, or
  • by using E-mail to your personal E-mail address.

38
YOUR RIGHTS Confidential Communication
  • We will accommodate these requests if they are
    reasonable, and if you pay us for any extra cost.
  • If you want to ask for confidential
    communications, send a written request to the
    office contact person named at the end of this
    Notice. Use the address, fax or E-mail shown at
    the beginning of this Notice.

39
YOUR RIGHTS Photocopies
  • Ask to see or to get photocopies of your health
    information.
  • By law, there are a few limited situations in
    which we can refuse to permit access or copying.

40
YOUR RIGHTS Photocopies
  • For the most part, however, you will be able to
    review or have a copy of your health information
    within 30 days of asking us (or sixty days if the
    information is stored off-site). You may have to
    pay for photocopies in advance.
  • If we deny your request, we will send you a
    written explanation, and instructions about how
    to get an impartial review of our denial if one
    is legally available.

41
YOUR RIGHTS Photocopies
  • By law, we can have one 30 day extension of the
    time for us to give you access or photocopies if
    we send you a written notice of the extension.
    Nebraska?
  • If you want to review or get photocopies of your
    health information, send a written request to the
    office contact person named at the end of this
    Notice. Use the address, fax or E-mail shown at
    the beginning of this Notice.

42
YOUR RIGHTS Amending your PHI
  • Ask us to amend your health information if you
    think that it is incorrect or incomplete.
  • If we agree, we will amend the information within
    60 days from when you ask us.
  • We will send the corrected information to persons
    who we know got the wrong information, and others
    that you specify.

43
YOUR RIGHTS Amending your PHI
  • If we do not agree, you can write a statement of
    your position, and we will include it with your
    health information along with any rebuttal
    statement that we may write.

44
YOUR RIGHTS Amending your PHI
  • Once your statement of position and/or our
    rebuttal is included in your health information,
    we will send it along whenever we make a
    permitted disclosure of your health information.
  • By law, we can have one 30 day extension of time
    to consider a request for amendment if we notify
    you in writing of the extension.

45
YOUR RIGHTS Amending your PHI
  • If you want to ask us to amend your health
    information, send a written request, including
    your reasons for the amendment, to the office
    contact person named at the end of this Notice.
    Use the address, fax or E-mail shown at the
    beginning of this Notice.

46
YOUR RIGHTS Lists of PHI disclosed
  • Get a list of the disclosures that we have made
    of your health information within the past six
    years (or a shorter period if you want).
  • By law, the list will not include disclosures
    for purposes of treatment, payment or health care
    operations; disclosures with your authorization;
    incidental disclosures; disclosures required by
    law; and some other limited disclosures.

47
YOUR RIGHTS Lists of PHI disclosed
  • You are entitled to one such list of disclosures
    per year without charge.
  • If you want more frequent lists, you will have to
    pay for them in advance.
  • We will usually respond to your request within 60
    days of receiving it, but by law we can have one
    30 day extension of time if we notify you of the
    extension in writing.

48
YOUR RIGHTS Lists of PHI disclosed
  • If you want a list of disclosures, send a written
    request to the office contact person named at the
    end of this Notice. Use the address, fax or
    E-mail shown at the beginning of this Notice.

49
YOUR RIGHTS Copies of Privacy Practices
  • Get additional paper copies of this Notice of
    Privacy Practices upon request.
  • It does not matter whether you got one
    electronically or in paper form already.
  • If you want additional paper copies, send a
    written request to the office contact person
    named at the end of this Notice.
  • Use the address, fax or E-mail shown at the
    beginning of this Notice.

50
OUR NOTICE OF PRIVACY PRACTICES
  • By law, we must abide by the terms of this Notice
    of Privacy Practices until we choose to change
    it.
  • We reserve the right to change this notice at any
    time as allowed by law.

51
OUR NOTICE OF PRIVACY PRACTICES
  • If we change this Notice, the new privacy
    practices will apply to your health information
    that we already have as well as to such
    information that we may generate in the future.
  • If we change our Notice of Privacy Practices, we
    will post the new notice in our office, have
    copies available in our office, and post it on
    our Web site.

52
COMPLAINTS
  • If you think that we have not properly respected
    the privacy of your health information, you are
    free to complain to us or the U.S. Department of
    Health and Human Services, Office for Civil
    Rights.
  • We will not retaliate against you if you make a
    complaint.

53
COMPLAINTS
  • If you want to complain to us, send a written
    complaint to the office contact person named at
    the end of this Notice.
  • Use the address, fax or E-mail shown at the
    beginning of this Notice.
  • If you prefer, you can discuss your complaint in
    person or by phone.

54
HIPAA Privacy
  • History & Background
  • Brief Review of Notice of Privacy Practices
  • NOA (AOA) Manual Handout
  • OCR Guidelines
  • Office Physical Layout suggested changes

55
NOA (AOA) Manual Handout
  • NOA adaptations of AOA Manual
  • HIPAA job title on policies instead of name
  • Tables added (Job titles, etc.)
  • State law addressed
  • Index added
  • Formatted for letterhead
  • Underline replaces brackets

56
Inserted Tables (NOA unique)
  • Personnel names vs. job title
  • Job Titles vs. PHI
  • HIPAA Officers names

57
Inserted Tables (NOA unique)
  • Personnel names vs. job title
  • Every employee listed
  • For each employee
  • Check each job they perform
  • Enter date they completed HIPAA training

58
Inserted Tables (NOA unique)
  • Job Titles vs. PHI
  • Every Job Title listed
  • Using analysis forms provided
  • Worksheet 6 or Dr. Quack's Assessment
  • Worksheet 24
  • Check each type of PHI accessed

59
Inserted Tables (NOA unique)
  • HIPAA Officers names
  • List every person with HIPAA role
  • Check HIPAA role(s) they will perform
  • Enter date they completed HIPAA training

60
HIPAA and Nebraska Law
  • Briefly describes Nebraska state law section at
    the back of the manual
  • Inserted here to indicate that there has been a
    section added

61
Policy 3A Affiliated Covered Entities
  • 2 or more entities (example corporations)
  • Connected ownership or control
  • Comply with HIPAA as a single unit

Dr. Quack

62
Policy 3B Health Care Components
  • Affects hybrid entities (example retail
    optometry)
  • Should designate portion of business as health
    care component
  • Only health care component must comply with HIPAA
  • Otherwise, entire entity must comply with HIPAA

Dr. Merganser Duck

63
Policy 5A Privacy Officer
  • Qualifications
  • Duties
  • Who is appointed (refers to HIPAA Personnel
    Roster)

64
Policy 5B Public Information Officer
  • Qualifications
  • Duties
  • Who is appointed (refers to HIPAA Personnel
    Roster)

65
Worksheet 6 or Dr. Quack's Assessment
  • Gather Information on use of PHI in your office
  • Complete one form for each job description
  • Keep on hand, proving you made the effort

66
Worksheet 8 No authorization needed for some use
of PHI
  • Treatment
  • Payment
  • Health Care Operations

67
Policy 7A, 8A, 10A No Authorization Required for
Certain Disclosures of PHI
  • Treatment, Payment, Health Care Oper.
  • Business Associates
  • Use or Disclosure required by Law
  • Others mentioned in Notice of Privacy Practices
  • (Also addressed in State Law Appendix)

68
Policy 9A Facility Directory
  • Directory policy applies to an entity where a
    directory is kept of patients in process of a
    procedure, et cetera.
  • 9A Describes what must take place if you have a
    directory
  • 9A No Directory: ODs who do not maintain a
    directory need not comply with this section.

69
Policy 9B Providing Information to Family & Friends
  • General policy explained
  • Oral agreement with patient okay

70
Worksheet 10 Public Policy Disclosures
  • For Policy 7A, 8A, 10A (previously reviewed)
  • See state law section for Dr. Quack's assessment

71
Worksheet 11 Marketing & Advertising
  • Read policy 11A.
  • Authorization not needed for marketing described
    in item 4 or 7. (Covers most marketing done by
    ODs)
  • Other marketing requires individual authorization
    of each occurrence.

72
Policy 11A Marketing & Advertising
  • Cannot release PHI to others w/o written
    authorization
  • Pictures
  • Testimonials
  • Patient lists to marketers
  • Can market to individual patient
  • Services you provide
  • Materials you provide
  • Give promotional gifts of limited value

73
Policy 11A Marketing & Advertising
  • Can market w/o use of PHI
  • General TV ads
  • Brochures to occupant
  • Read the policy carefully

74
Policy 11A Marketing & Advertising
  • OCR Changes since AOA printing
  • CAN leave non-specific message on answering
    machine (glasses are ready, appointment tomorrow,
    due for exam)
  • CAN send postcard with appointment time
  • Unless patient requests otherwise

75
Policy 12A Disclosures for Research
  • Need to read carefully if you
  • Participate in clinical trials
  • Conduct research

76
Worksheet 13 Prepare PHI Disclosure
Authorization Form
  • Use as you feel necessary after reading policies

77
Policy 13A PHI Disclosure Authorization Form
  • Detailed description of what is to be released
  • Specific purpose
  • Expiration date
  • New form for every disclosure

78
Policy 13B Personal Representative for Patients
  • Addresses standing in the shoes of the patient
    regarding PHI
  • Parents (and divorced parents)
  • Guardians
  • Emancipated minors (not in Nebraska?)
  • Deceased patients representatives

79
Policy 13B Personal Representative for Patients
  • Policy refers to state law section (p. 80)
  • (see items 29, 68, and 69 in parts II III)
  • Not specific regarding state law
  • HIPAA does not appear to present new problems
  • Dr. Quack cannot give legal advice
  • See your attorney with real questions

80
Policy 14A Prepare Notice of Privacy Practices
  • Post in reception area (back of handout)
  • Keep stock in reception area
  • Distribute to every patient
  • Request patient to sign receipt (must try)
  • Receipt/denial kept in record (verify each visit)
  • Update next visit if policy changes

81
Policy 14B Actual Notice of Privacy Practices
  • Reviewed earlier

82
Policy 15A (& 16A) Defines Designated Record Set
  • Contents of patient's clinical chart
  • Contents of billing materials
  • Contents of treatment, orders, laboratory
    information

83
Policy 15B Patient Access to their own PHI
  • Nebraska Hospital Association's evaluation of
    Nebraska statute vs. HIPAA (p. 82)
  • Reasons for denial follow HIPAA standard
  • Charges for copying: Nebraska statute
  • Dr. Quack's evaluation
  • Time to respond: follow state law (30 days)

84
Letters responding to Patient Requesting Access
to PHI
  • Letter 1 extension (legal in Nebraska?)
  • (toss??)
  • Letter 2 agree to access
  • Letter 3 denial of access

85
Policy 16B Amendment of PHI
  • Patient can request to amend record
  • If Dr. agrees,
  • Amendment added
  • New information forwarded to others with record
  • If Dr. disagrees and denies amendment,
  • Patient can submit letter of disagreement
  • Dr. can attach denial letter & rebut in writing

86
Letters responding to Patient Requesting Amendment
  • Letter 1 decline to amend
  • Letter 2 agree to amend
  • Letter 3 delay in amending

87
Policy 17A Accounting for Disclosures of PHI
  • Don't need to account for disclosures
  • For treatment, payment, H. C. operations
  • To patient
  • To family, friends, or care givers
  • Authorized
  • Incidental
  • Marketing & advertising per exceptions

88
Policy 17A Accounting for Disclosures of PHI
  • Do need to account for disclosures violating
    policy 11A
  • If you did everything right, there should be
    nothing to disclose

89
Letters responding to Patient Requesting An
Accounting of Disclosures of PHI
  • Letter 1 delay of accounting

90
Policy 18A Restrictions to Use of PHI
  • Must allow patient to request to restrict use of
    PHI that would otherwise not be restricted
  • You do not have to agree to request
  • If you do agree you must abide by agreement
  • Can terminate in writing
  • May be better never to agree

91
Policy 19A Confidential Communication Methods
  • Must have policy to allow patients to specify
    special methods of communication with them.
    Examples
  • No answering machines
  • No post cards
  • Call at office only
  • Never call at office
  • Email only
  • Must comply with requests agreed to.

92
Worksheet 20 Business Associates
  • AOA's Joanne Lax, J.D., recommends the following
    steps to determine who is a business associate.
  • Step One: Identify all outside companies with
    which you do business

93
Worksheet 20 Business Associates
  • Step Two: Flag companies that perform health care
    services on your behalf (i.e., those to which you
    have outsourced)
  • Billing service
  • Optical lab
  • Quality assurance
  • Staff training

94
Worksheet 20 Business Associates
  • Step Three: Also, flag the companies that perform
    the following services
  • Legal
  • Accounting
  • Consulting
  • Management (office, building, software, etc)

95
Worksheet 20 Business Associates
  • Step Four: Of the companies you have flagged,
    flag again those companies that need to generate,
    maintain, use, or disclose PHI in order to do
    their job. Examples
  • Billing agents
  • Software support that sees PHI
  • Collections agencies
  • Outside medical transcriptionist service
  • Companies with two flags are your business
    associates

96
Worksheet 20 Business Associates
  • Business associates that need attention right now
    fall into any of the following groups
  • You do not currently have a written services
    contract with them.
  • You have a written services contract with them,
    but you entered into it after October 15, 2002.
  • You have a written services contract, but it will
    expire or need to be renewed before April 14,
    2003.

97
Worksheet 20 Business Associates
  • Business associates that do not need immediate
    action
  • You have a contract that existed before October
    15, 2002, that
  • Automatically renews, or
  • Will not expire or be renewed before April 14,
    2003.
  • You have to act on this latter group on the
    earlier of
  • The date that you will renew the contract, or
  • April 14, 2004.
  • Note these business associates on the worksheet &
    complete the columns.

98
Worksheet 20 Business Associates
  • Negotiate a business associate contract with each
    of your business associates, except
  • A business associate that only uses, generates,
    maintains or discloses PHI for treatment
    purposes.
  • OCR also excludes payers

99
Business Associate Agreements
  • Policy 21A BA agreement with AOA language
  • Policy 21A BA agreement without AOA language
  • Your Notice of Privacy Practices must be supplied
    to BA

100
BA Follow-up
  • Do not have to monitor BA for compliance
  • Do not have to train BA
  • If learn of non-compliance, must
  • Mitigate where possible (per subsequent policy)
  • Insist BA comply or terminate contract
  • If fails to comply, must find another vendor

101
Worksheet 23 You must safeguard PHI
  • Safeguards come in many forms. The three general
    categories are
  • Administrative (policies & procedures).
  • Physical (physical plant).
  • Technological (relating to electronics).

102
Worksheet 23 You must safeguard PHI
  • Examples of safeguards include
  • Locks on records storage rooms or cabinets (or
    monitoring).
  • Phones in confidential locations.
  • Closing doors.

103
Worksheet 23 You must safeguard PHI
  • Computer passwords,
  • Computer screen savers or screen shields.
  • Limited field access for electronic data.

104
Worksheet 23 You must safeguard PHI
  • Turning charts to face the wall in boxes outside
    patients' exam rooms.
  • Prohibiting calls to pharmacies or other
    providers where they can be overheard.
  • Prohibiting staff from discussing clinical issues
    with patients where they can be overheard.
  • Shredding discarded PHI

105
Worksheet 23 You must safeguard PHI
  • This aspect of HIPAA requires
  • Unique, individualized solutions
  • Based upon your office layout,
  • Opportunities to easily make physical plant
    changes,
  • Budget for physical & technological gadgets,
  • Workable policies & procedures.

106
Worksheet 23 You must safeguard PHI
  • You are not required to go to extremes to
    guarantee that no PHI will ever be inadvertently
    disclosed.
  • Incidental disclosures (e.g., unavoidable
    disclosures secondary to a permitted use or
    disclosure) are permitted under HIPAA,
  • So long as you use reasonable safeguards and
  • You observe minimum necessary rule.

107
Worksheet 24 Minimum Necessary PHI
  • Using worksheet 6 (or Quack assessment)
  • Determine which job descriptions must access what
    PHI
  • Determine whether the minimum necessary rule is
    currently being abided by
  • Determine what changes should be made, if any

108
Policy 24A Minimum Necessary Uses
  • Complete the table titled Access to PHI by Job
    Category found at the front of this manual
  • Modify records procedure where practical so
    that
  • Information for a particular task is segregated,
  • But clinical needs & operations are not
    compromised in the process of segregation.

109
Policy 24A Minimum Necessary Disclosures
  • For routine disclosures of PHI, determine the
    minimum necessary amount of PHI needed to
    respond.
  • Eye exam report to school (w/ authorization or
    give to parent)
  • For non-routine disclosures of PHI, decide how
    your PO will determine the minimum amount of PHI
    necessary to respond.

110
Policy 24A2 Confidentiality Agreement
  • Referred to but not included in AOA Manual
  • Fabricated by Dr. Quack
  • All staff should sign a confidentiality agreement
    stating their commitment to accessing only the
    minimum amount of PHI necessary to do their job

111
Policy 25A Verification Before Disclosing PHI
  • You must check the identity & authority of
    someone
  • Signing an authorization on behalf of a patient
    or
  • Seeking PHI without an authorization,
  • if you don't know this information already.

112
Policy 25A Verification Before Disclosing PHI
  • This should include obtaining copies of
    applicable documents, such as
  • Guardianship papers,
  • Power of attorney for health care, or
  • Official badge.
  • You can rely on documents that appear valid.
  • You must resolve questions or problems before you
    can accept the authorization or disclose
    requested PHI.

113
Policy 26A You Must Mitigate Harm from Improper
Disclosure
  • The duty only applies if you "know" of the harm.
    You do not have to actively monitor for evidence
    of harm.
  • You only have to mitigate harm if it is
    "practical" for you to do so.
  • You have full discretion to evaluate each
    situation, to take mitigation steps appropriate
    to it.

114
Policy 26A You Must Mitigate Harm from Improper
Disclosure
  • Mitigation can be
  • As simple as an apology or correction.
  • An attempt to get back the PHI disclosed.
  • Obtaining a signed agreement from receiver not to
    use or disclose improperly released PHI.
  • It's up to you in each case.

115
Policy 27A Complaints about Violations
  • Must have a written office policy to
  • accept,
  • thoroughly investigate, and
  • resolve
  • complaints from patients who believe their
    privacy has not been properly respected.

116
Policy 28A De-Identification of PHI
  • Should you want to use PHI without HIPAA
    restrictions
  • None of HIPAA's use & disclosure rules apply to
    information stripped of all identifiers.

117
Policy 28A De-Identification of PHI
  • You can de-identify PHI in one of two ways
  • A statistical expert can give an opinion that PHI
    has been de-identified or
  • You can remove the specific identifiers listed in
    HIPAA's safe harbor method.

118
Policy 29A & 29B Limited Data Sets
  • A limited data set is stripped of some
    identifiers
  • You can then disclose PHI for
  • research,
  • public health, or
  • health care operations

119
Policy 29A & 29B Limited Data Sets
  • Examples of sharing for health care operations
  • Business planning for a health plan or provider.
  • Sale or merger of a health plan, or
  • Financial management of a health plan or
    provider.

120
Policy 29B Limited Data Set Data Use Agreement
  • Similar to Business Associate Agreement
  • Describes recipient's uses & disclosures
  • Requires recipient to use appropriate safeguards
  • Requires recipient to tell you of wrongful use or
    disclosure
  • Prohibits recipient from identifying or
    contacting the patient
  • Requires recipient's agents to abide by the same
    conditions as the recipient
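Policy 28A's safe-harbor method and the limited data set of Policy 29A/29B strip different things from a record; the following added example (not code from the presentation or the AOA manual) applies both to a constructed optometry record and also handles the edge cases the rule names: sparsely populated ZIP areas, ages over 89, and identifiers left behind in free text. The field names, the sample record and the use of April 14, 2003 as the reference date are assumptions for illustration; the sparse ZIP prefixes are the set HHS published with its safe-harbor guidance.

```python
import re
from datetime import date

COMPLIANCE_DATE = date(2003, 4, 14)  # Privacy Rule compliance date cited in the deck

# Direct identifiers a limited data set must remove (45 CFR 164.514(e)); it may
# keep city, state, ZIP and all dates. Field names are constructed for this example.
LDS_REMOVE = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
})

# Safe harbor (45 CFR 164.514(b)(2)) additionally removes every geographic
# unit smaller than a state (city, county, full ZIP) and reduces dates to
# the year, so its removal set is a superset of the limited-data-set one.
SAFE_HARBOR_REMOVE = LDS_REMOVE | {"city", "county"}

# 3-digit ZIP areas of 20,000 or fewer people per HHS safe-harbor guidance (2000 census); verify before use.
SPARSE_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
})

# Identifier patterns that can hide in free-text fields such as notes.
STRAY_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Sample",
    "street_address": "12 Pond Lane",
    "city": "Duckville",
    "state": "NE",
    "zip": "68502",
    "phone": "402-555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0042",
    "birth_date": date(1931, 3, 9),
    "exam_date": date(2003, 2, 14),
    "diagnosis": "myopia, both eyes",
    "notes": "Prefers contact lenses.",
}


def generalize_zip(zip5: str) -> str:
    """Keep the first three ZIP digits, or '000' for sparsely populated areas."""
    zip3 = zip5[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def age_on(birth: date, as_of: date) -> int:
    """Age in completed years on the given date."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def find_stray_identifiers(text: str) -> list:
    """Return the kinds of identifier pattern found in a free-text value."""
    return [kind for kind, pat in STRAY_PATTERNS.items() if pat.search(text)]


def limited_data_set(record: dict) -> dict:
    """Drop direct identifiers only (Policy 29A/29B); dates and city/state/ZIP
    stay. Disclosure still needs a data use agreement with the recipient."""
    return {k: v for k, v in record.items() if k not in LDS_REMOVE}


def safe_harbor_deidentify(record: dict, as_of: date = COMPLIANCE_DATE) -> dict:
    """Apply the safe-harbor method (Policy 28A) to one record."""
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_REMOVE}
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    birth = record.get("birth_date")
    # Every date directly related to the individual keeps only its year.
    for key, value in list(out.items()):
        if isinstance(value, date):
            out[key] = str(value.year)
    if birth is not None:
        age = age_on(birth, as_of)
        if age > 89:
            # Ages over 89, and any date element that would reveal such an
            # age (the birth year included), collapse into "90 or older".
            out["age"] = "90+"
            del out["birth_date"]
        else:
            out["age"] = age
    # Safe harbor also requires no actual knowledge that the remaining data
    # could identify the patient: refuse free text still carrying identifiers.
    for key, value in out.items():
        if isinstance(value, str) and find_stray_identifiers(value):
            raise ValueError(f"field {key!r} still contains an identifier")
    return out
```

Run `safe_harbor_deidentify(SAMPLE_RECORD)` and `limited_data_set(SAMPLE_RECORD)` side by side to see that the limited data set keeps the city, the full ZIP and the exact dates that safe harbor removes or generalizes.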

121
Worksheet 30 Train All Employees
  • Work force includes more people than your
    payroll. Work force includes
  • All W2 employees.
  • Students (all kinds).
  • Volunteers.
  • Any independent contractor working on-site
    under your direct control that you have not
    treated as a business associate. (See chart 20.)

122
Worksheet 30 Train All Employees
  • Training can take any form. It can be
  • Live lectures.
  • Purchased on-line training modules.
  • Review of policies/procedures.
  • Workbooks.
  • Any other method that you devise.
  • Training needs to be job specific

123
Worksheet 31 State Law vs. HIPAA
  • State law that relates to the privacy of PHI but
    is not contrary to HIPAA
  • remains fully effective after HIPAA. You must
    comply with both the state law & HIPAA.
  • A state law that relates to the privacy of PHI,
    is contrary to HIPAA & is less stringent than
    HIPAA
  • HIPAA wipes out the state law, which is no longer
    effective.

124
Worksheet 31 State Law vs. HIPAA
  • A state law that relates to the privacy of PHI
    is contrary to HIPAA, but is more stringent
    than HIPAA.
  • All such laws remain in effect after HIPAA. You
    must comply with the state law, not HIPAA.

125
Dr. Quack's State Law Appendix
  • I The concept of pre-emption
  • II Nebr. Hospital Assoc. Review of Statutes
  • 70 statutes and their relationship to HIPAA
  • Quack comments on the effect on optometry
  • III More detail on statutes affecting ODs
  • Subpoenas and HIPAA in Nebraska

126
State Law Before and After HIPAA
  • It appears little state law is truly pre-empted,
    based on the Hospital Association evaluation
  • State law is therefore unchanged and should prove
    no greater problem than previously
  • Optometrists should read and review the last two
    sections of the Quack appendix
  • Detail on sections possibly related to optometry
  • Subpoenas (discovery)
  • Seek legal advice with additional questions

127
HIPAA Privacy
  • History and Background
  • Brief Review of Notice of Privacy Practices
  • NOA (AOA) Manual Handout
  • OCR Guidelines
  • Office Physical Layout suggested changes

128
OCR Guidelines
  • The HIPAA Privacy Rule
    is not intended to impede these customary and
    essential communication practices and, thus,
  • does not require that all risk of incidental use
    or disclosure be eliminated to satisfy its
    standards.

129
OCR Guidelines
  • The Privacy Rule permits certain incidental uses
    and disclosures of PHI when the covered entity uses:
  • reasonable safeguards
  • minimum necessary policies and procedures

130
Reasonable Safeguards
  • Speaking quietly when discussing a patient's
    condition with family members in a waiting room
    or other public area
  • Avoiding using patients' names in public hallways
    and elevators

131
Reasonable Safeguards
  • Posting signs to remind employees to protect
    patient confidentiality
  • Supervising, isolating, or locking file
    cabinets or records rooms
  • Providing additional security, such as
    passwords, on computers maintaining personal
    information.

132
More Safeguards
  • Ask waiting customers to stand a few feet back
    from a counter used for patient counseling.
  • Use of cubicles, dividers, shields, curtains, or
    similar barriers where multiple patient-staff
    communications routinely occur

133
Minimum Necessary Rule
  • Requires limiting access to PHI based on what is
    needed to perform job duties.
  • Unimpeded access to PHI, where not necessary for
    the job at hand, is not applying the minimum
    necessary standard.
  • Any incidental use or disclosure that results
    from not applying the Minimum Necessary Standard
    would be unlawful.

134
Minimum Necessary Rule
  • The minimum necessary standard does not apply to
    disclosures, including oral disclosures, among
    health care providers for treatment purposes

135
OCR Guidelines FAQs....... confidential
conversations
  • Q Can health care providers engage in
    confidential conversations with other providers
    or with patients, even if there is a possibility
    that they could be overheard?
  • A Yes, when using reasonable safeguards.

136
OCR Guidelines FAQs....... confidential
conversations
  • Free to engage in communications as required for
    quick, effective, high quality health care.
  • Overheard communications in these settings may be
    unavoidable and are allowed as incidental
    disclosures.

137
OCR Guidelines FAQs....... confidential
conversations
  • When using Reasonable Safeguards
  • Health care staff may orally coordinate services
    at hospital nursing stations.
  • Staff may discuss a patient's condition over the
    phone with the patient, a provider, or a family
    member.
  • A health care professional may discuss lab test
    results with a patient or other provider in a
    joint treatment area.

138
OCR Guidelines FAQs....... confidential
conversations
  • HIPAA Privacy does not require
  • Private rooms.
  • Soundproofing of rooms.
  • Encryption of wireless or other emergency medical
    radio communications
  • Encryption of telephone systems.

139
OCR Guidelines FAQs....... Mailings and phone calls
  • Q May physicians' offices or pharmacists leave
    messages at patients' homes, either on an
    answering machine or with a family member, to
    remind them of appointments or to inform them
    that a prescription is ready? May providers
    continue to mail appointment or prescription
    refill reminders to patients' homes?

140
OCR Guidelines FAQs....... Mailings and phone calls
  • A Yes.
  • Limit the PHI disclosed on the answering machine.
  • Consider leaving only your name, number and the
    PHI necessary to confirm an appointment,
  • Or ask the individual to call back.
  • May leave a message with a family member or other
    person who answers the phone when the patient is
    not home.

141
OCR Guidelines FAQs....... Confidential
Conversation
  • Where a patient has requested confidential
    communication, you must accommodate that request,
    if reasonable. Examples:
  • mailings in an envelope, not on a postcard.
  • mail sent to a P.O. box, not to the home.
  • calls received at the office, not at home.

142
OCR Guidelines FAQs....... Sign-in sheet
  • Q May physicians' offices use patient sign-in
    sheets or call out the names of their patients in
    their waiting rooms?
  • A Yes. But the sign-in sheet may not display
    medical information that is not necessary for the
    purpose of signing in.

143
OCR Guidelines FAQs....... Charts on doors
  • Q Are charts outside of exam rooms prohibited?
  • A No. Using reasonable safeguards and the minimum
    necessary rule, covered entities must simply
  • evaluate what measures make sense in their
    environment, and
  • tailor their practices and safeguards to their
    particular circumstances.

144
OCR Guidelines FAQs....... Charts on doors
  • You may maintain patient charts outside of exam
    rooms, displaying patient names on the outside of
    patient charts.
  • Possible safeguards may include:
  • Supervise the area
  • Place patient charts facing the wall or otherwise
    covered

145
OCR Guidelines FAQs....... Announcing names
  • You may announce patient names and other
    information over a facility's public announcement
    system.
  • Possible safeguards may include:
  • limiting the information disclosed over the
    system, such as referring the patients to a
    reception desk.

146
OCR Guidelines FAQs....... Overheard conversation
  • A provider may be overheard, in the reception
    area, instructing staff to bill a patient for a
    particular procedure
  • A health plan employee discussing a patient's
    health care claim on the phone may be overheard
    by another employee who is not authorized to
    handle patient information.

147
OCR Guidelines FAQs....... Office re-design
  • Q Are covered entities required to restructure
    workflow systems, redesign office space, or
    upgrade computer systems to comply with the
    HIPAA Privacy Rule?
  • A The Department generally does not consider
    facility redesigns as necessary to meet the
    reasonableness standard for minimum necessary
    uses.
  • Use the reasonable safeguards and the minimum
    necessary rule listed earlier.

148
OCR Guidelines FAQs....... Configuring records
  • When considering record configuration, take into
    account your:
  • ability to configure your record systems to
    allow access to only certain fields, and
  • the practicality of organizing systems to allow
    this capacity.

149
OCR Guidelines FAQs....... Configuring records
  • It may not be reasonable for a small, solo
    practitioner using paper records to limit one
    employee to only some fields while giving other
    employees complete access to the record.
  • In this case, appropriate training of employees
    may be sufficient.

150
OCR Guidelines FAQs....... Configuring records
  • Alternatively, a hospital or large clinic with
    an electronic patient record system may
    reasonably implement such controls.

151
OCR Guidelines FAQs....... Business Associate
  • Examples of Business Associates.
  • A third party administrator that assists a health
    plan with claims processing.
  • A CPA firm whose services involve access to PHI.
  • An attorney whose services involve access to PHI.
  • A consultant that performs utilization reviews
    for a hospital.

152
OCR Guidelines FAQs....... Business Associate
  • Examples of Business Associates.
  • A health care clearinghouse that translates a
    claim from non-standard to standard format and
    forwards it to a payer.
  • An independent medical transcriptionist that
    provides transcription services to a physician.

153
OCR Guidelines FAQs....... BA Agreement NOT
needed
  • A physician is not required to have a business
    associate contract with a laboratory as a
    condition of disclosing PHI for the treatment of
    an individual.
  • A hospital laboratory is not required to have a
    business associate contract to disclose PHI to a
    reference laboratory for treatment of the
    individual.

154
OCR Guidelines FAQs....... BA Agreement NOT
needed
  • When a health care provider discloses PHI to a
    health plan for payment purposes, or
  • when the health care provider simply accepts a
    discounted rate to participate in the health
    plan's network.
  • A provider that submits a claim to a health plan
    and a health plan that assesses and pays the claim
    are each acting on its own behalf as a covered
    entity, not as the business associate of the
    other.

155
OCR Guidelines FAQs....... BA Agreement NOT
needed
  • With persons or organizations whose functions do
    not involve the use or disclosure of PHI (e.g.,
    janitorial service, copier maintenance,
    electrician).
  • With a conduit for PHI, for example, the US
    Postal Service, certain private couriers, and their
    electronic equivalents.
  • When a financial institution processes
    consumer-conducted financial transactions.

156
OCR Guidelines FAQs....... Business Associate
  • Q Is a software vendor a business associate of a
    covered entity?
  • A Maybe. The mere selling or providing of
    software to a covered entity does not give rise
    to a business associate relationship.
  • If the vendor has access to PHI of the covered
    entity in order to provide its service, the
    vendor would be a business associate.

157
OCR Guidelines FAQs...... No permission needed
  • Q Can a patient have a friend or family member
    pick up a prescription for her?
  • A Yes. A pharmacist may use professional
    judgment and experience with common practice to
    make reasonable inferences of the patient's best
    interest in allowing a person, other than the
    patient, to pick up a prescription.

158
OCR Guidelines FAQs...... No permission needed
  • Q Does the HIPAA Privacy Rule permit a covered
    entity or its collection agency to communicate
    with parties other than the patient (e.g.,
    spouses or guardians) regarding payment of a
    bill?
  • A Yes. A covered entity or its business
    associate (e.g., a collection agency) may
    disclose PHI as necessary to obtain payment for
    health care, and there is no limit to whom such a
    disclosure may be made.

159
OCR Guidelines FAQs...... No permission needed
  • However, the Privacy Rule requires you to:
  • Place a reasonable limit on the amount of
    information disclosed,
  • Abide by any reasonable requests for confidential
    communications, and
  • Honor any agreed-to restrictions on the use or
    disclosure of PHI.

160
OCR Guidelines FAQs...... No permission needed
  • Q Does the HIPAA Privacy Rule prevent health
    plans and providers from using debt collection
    agencies?
  • A The Privacy Rule permits use of debt
    collection agencies through a business associate
    arrangement.
  • Disclosures to collection agencies are governed
    by provisions such as the business associate and
    minimum necessary requirements.

161
OCR Guidelines FAQs...... No permission needed
  • Q Does the HIPAA Privacy Rule permit an eye
    doctor to confirm a contact lens prescription
    received by a mail-order contact lens company?
  • A Yes. The disclosure of PHI by an eye doctor
    to a distributor of contact lenses for the
    purpose of confirming a contact lens prescription
    is a treatment disclosure and is permitted under
    the Privacy Rule at 45 CFR 164.506.

162
OCR Guidelines FAQs...... No permission needed
  • Q Is a hospital permitted to contact another
    hospital or health care facility, such as a
    nursing home, to which a patient will be
    transferred for continued care, without the
    patient's authorization?

163
OCR Guidelines FAQs...... No permission needed
  • A Yes. The HIPAA Privacy Rule permits
    disclosure of PHI without authorization to
    another health care provider for treatment or
    payment purposes, as well as to another covered
    entity for certain health care operations of that
    entity.

164
OCR Guidelines FAQs... Marketing
  • Q Can contractors (business associates) use PHI
    to market to individuals for their own business
    purposes?

165
OCR Guidelines FAQs....... Marketing
  • A No. While covered entities may share PHI with
    business associates, that PHI must be used to
    perform or assist in the performance of certain
    health care operations on behalf of covered
    entities.
  • Thus, business associates, with limited
    exceptions, cannot use PHI for their own purposes.

166
OCR Guidelines FAQs....... Marketing
  • Alternative treatment
  • Communications about alternative treatments are
    excluded from the definition of marketing and do
    not require a prior authorization.
  • Similarly, it is not marketing when a doctor or
    pharmacy is paid by a pharmaceutical company to
    recommend an alternative medication to patients.

167
OCR Guidelines FAQs....... Marketing
  • The simple receipt of remuneration does not
    transform a treatment communication into a
    commercial promotion of a product or service.
  • Furthermore, covered entities may use a
    legitimate business associate to assist them in
    making such permissible communications.

168
OCR Guidelines FAQs....... Public Health
  • Q May providers disclose PHI concerning
    pre-employment physicals, drug tests, or
    fitness-for-duty examinations to an individual's
    employer?
  • A In very limited circumstances, providers may
    disclose PHI to the individual's employer without
    authorization.

169
OCR Guidelines FAQs....... Public Health
  • 1st, the service must be provided at the
    employer's request or as a member of the
    employer's workforce.
  • 2nd, the service must relate to medical
    surveillance of the workplace or to detect or
    assess work-related illness or injury.

170
OCR Guidelines FAQs....... Public Health
  • 3rd, the employer must have a duty under OSHA or
    similar law to keep records on, or act on, such
    information.

171
OCR Guidelines FAQs....... Workers Comp
  • HIPAA Privacy does not apply to workers'
    compensation insurers, administrative agencies,
    or employers.
  • These entities need access to the PHI of
    individuals with work-related injury or illness
    to process or adjudicate claims, or to coordinate
    care under workers' compensation systems.

172
OCR Guidelines FAQs....... Workers Comp
  • The Privacy Rule permits disclosures of PHI for
    workers' compensation purposes, sometimes
    requiring patient authorization, other times not.
  • Nebraska Law 48-120(4) (Manual pg. 84): records
    relevant to the injury shall be made available on
    demand to the employer, employee, carrier, and
    compensation court.
  • State law not pre-empted.
  • Follow both.

173
OCR Guidelines FAQs....... Workers Comp
  • HIPAA Disclosures Without Individual
    Authorization.
  • To provide benefits for work-related injuries or
    illness without regard to fault.
  • Limited to what the law requires.
  • For obtaining payment for any health care
    provided to the injured or ill worker.

174
OCR Guidelines FAQs....... Workers Comp
  • HIPAA Disclosures With Individual Authorization.
  • May disclose PHI when the individual has provided
    authorization for the release of PHI.
  • The Minimum Necessary Rule applies.

175
OCR Guidelines FAQs....... Oral Communication
  • Q Does the HIPAA Privacy Rule require that
    covered entities provide patients with access to
    oral information?
  • A No. The term designated record set does not
    include oral information; rather, it connotes
    information that has been recorded in some manner.

176
OCR Guidelines FAQs....... Oral Communication
  • Q Does the HIPAA Privacy Rule require that
    covered entities document all oral
    communications?
  • A No. The Privacy Rule does not require covered
    entities to document any information, including
    oral information, that is used or disclosed for
    treatment, payment or health care operations.

177
HIPAA Privacy
  • History and Background
  • Brief Review of Notice of Privacy Practices
  • NOA (AOA) Manual Handout
  • OCR Guidelines
  • Office Physical Layout suggested changes

178
Physical Changes
  • HIPAA does not require that you make radical,
    expensive changes to your office.
  • The following are some reasonable alterations in
    office layout to assist in complying with HIPAA.

179
Doors
  • Close doors when discussing PHI, e.g.,
  • History
  • Pre-examination
  • Examination

180
Always speak quietly
  • Hearing impaired?
  • Speak slowly
  • Get closer
  • Take special care when speaking in hallways and
    other common areas

181
Multi-patient areas (Check-in, Check-out,
Dispensary)
  • Speak reasonably quietly
  • Use "PLEASE WAIT HERE" signs if appropriate
  • Provide "PLEASE WAIT HERE" chairs if appropriate
  • Incidental disclosure is acceptable

182
Business Office Areas
  • Place HIPAA reminder signs at work stations
  • Place HIPAA reminder signs on computer monitors
  • Place HIPAA reminder signs on file cabinets

183
Computer Monitors
  • Rotate screen away from public
  • Put a plant next to monitor
  • Use Screen saver or Minimize screen
  • Place HIPAA reminder sign on monitor
  • Remember, patients can see their own PHI!

184
Patient Records
  • Keep records closed except when in use
  • When practical, divide each record into sections,
    e.g.,
  • Demographics
  • Examination
  • Claims
  • Staff should use only that portion of record
    needed for the task at hand
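The sectioned record above, with staff limited to the portion needed for the task, together with the field-level record configuration discussed under the OCR FAQs (slides 148 to 150), as an added Python illustration; this is not code from the manual or the presentation. The role names, the sample record and the access log are constructed, and the treatment exemption follows slide 134.

```python
"""Minimum-necessary views of a sectioned patient record (added example).

The three sections follow the slide; the roles, the sample record and the
access log are constructed for the demonstration, not taken from the manual.
"""
from datetime import datetime, timezone

# Sections each job needs for its own duties. Deny by default: a role that
# is not listed sees nothing, and a section not listed is never returned.
ROLE_SECTIONS = {
    "front_desk": {"demographics"},
    "optometrist": {"demographics", "examination"},
    "billing": {"demographics", "claims"},
}
# Disclosures among providers for treatment are exempt from the rule.
TREATMENT_ROLES = {"optometrist"}

ACCESS_LOG = []  # one entry per request, kept for later review


def minimum_necessary_view(record, role, purpose="operations"):
    """Return only the sections the role needs and log what was withheld."""
    if purpose == "treatment" and role in TREATMENT_ROLES:
        allowed = set(record)
    else:
        allowed = ROLE_SECTIONS.get(role, set())
    view = {section: record[section] for section in record if section in allowed}
    ACCESS_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "role": role, "purpose": purpose,
        "shown": sorted(view), "withheld": sorted(set(record) - allowed),
    })
    return view


def unknown_role_requests(log=None):
    """Log entries where nothing was shown: misconfigured or unknown roles.

    Reviewing these regularly is the paper-records equivalent of checking
    who walked into the file room without a reason to be there.
    """
    entries = ACCESS_LOG if log is None else log
    return [entry for entry in entries if not entry["shown"]]


# Constructed record for a fictional patient, split into the three sections.
SAMPLE_RECORD = {
    "demographics": {"name": "Jane Doe", "dob": "1975-03-09"},
    "examination": {"visual_acuity": "20/40 OD, 20/30 OS", "dx": "myopia"},
    "claims": {"payer": "Example Health Plan", "amount": 120.00},
}
```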

185
Patient Record Storage
  • Post HIPAA reminder signs in record storage areas
  • Reasonably monitor record storage areas
  • Reasonably monitor records in hallways

186
HIPAA Privacy
  • History and Background
  • Brief Review of Notice of Privacy Practices
  • NOA (AOA) Manual Handout
  • OCR Guidelines
  • Office Physical Layout suggested changes

187
THE END
  • Thank You!