HIPAA PRIVACY - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
HIPAA PRIVACY
  • Office for Civil Rights
  • U.S. Department of Health and Human Services
  • November 8, 2002

2
The Health Insurance Portability and Accountability
Act of 1996
  • HIPAA
  • (Public Law 104-191)
  • Signed August 16, 1996
  • Title II
  • Subtitle F Administrative Simplification

3
Purpose of HIPAA Provisions
  • To improve efficiency and effectiveness of the
    health care system by standardizing the
    electronic exchange of administrative and
    financial data

4
The Privacy Rule
  • 45 CFR Parts 160 and 164

5
The Privacy Rule
  • April 14, 2001 Effective Date
  • April 14, 2003 Compliance Date
  • April 14, 2004 Compliance Date
  • (for small health plans)

6
Relationship to other laws
  • First comprehensive federal health privacy
    protections
  • Does not replace federal, state, or other laws
    that may guarantee individuals even greater
    privacy protections
  • Other state laws might require or permit
    disclosures
  • Only required disclosures under the Rule are (1)
    to the individual and (2) to HHS

7
Purpose of the Privacy Rule
  • Creates, for the first time, national standards to
    protect individuals' medical records and other
    personal health information

8
Why is the Privacy Rule needed?

9
Do You Know Where Your Medical Information Goes?

10
Who is covered by the Rule?
  • Limited by HIPAA to
    - Health plans
    - Health care clearinghouses
    - Health care providers who transmit any health
      information in electronic form in connection with
      a transaction for which the Secretary has adopted
      a standard
  • Business Associates

11
What is covered by the Rule?
  • Protected health information (PHI) is
    - Individually identifiable health information
    - Transmitted or maintained in ANY form or medium
    - Held or transmitted by covered entities or their
      business associates
  • Not PHI
    - De-identified information
    - Employment records
    - FERPA records

12
What is a business associate?
  • Agents, contractors, and others hired to do work on
    behalf of a covered entity that requires
    protected health information (PHI)
  • A covered entity must obtain satisfactory
    assurance, usually through a contract, that a
    business associate will safeguard PHI and limit
    its use and disclosure
  • Contract transition period

13
What does the Rule mean for covered entities?
  • Accountability
  • Professional standards are now law
  • Changes in
    - Culture
    - Processes
    - Relationships
    - Documentation

14
What must covered entities do under the Rule?
  • Implement standards to protect and guard against
    the misuse of individually identifiable health
    information by the April 14, 2003 compliance date

15
What are specific requirements for covered
entities?
  • Administrative Requirements
  • Flexible and Scalable
  • Covered entities are required to
    - Designate a privacy official
    - Develop policies and procedures (on how PHI is
      going to be handled and on receiving complaints)
    - Provide privacy training to their workforce
    - Implement administrative, technical, and
      physical safeguards to protect the privacy of PHI

16
What are specific requirements for covered
entities? (Contd)
  • Covered entities are required to
    - Develop a system of sanctions for employees
      who violate the entity's policies
    - Meet documentation requirements
    - Mitigate any harmful effect of a use or
      disclosure of PHI that is known to the covered
      entity
    - Refrain from intimidating or retaliatory acts
    - Not require individuals to waive their rights
      to file a complaint with HHS or their other
      rights under this Rule

17
What does the Rule mean for individuals?
  • Under the Privacy Rule, individuals have the
    right to
    - Notice of privacy practices
    - Access: inspect and copy PHI
    - Amend
    - Accounting
    - Alternative communication
    - Request restrictions
    - Complain to the covered entity and HHS

18
Personal Representatives
  • Standard personal representatives. A covered
    entity must treat a personal representative as
    the individual under applicable law in situations
    involving
    - Adults and emancipated minors
    - Deceased individuals
  • With respect to PHI relevant to such personal
    representation

19
Personal Representatives (Contd)
  • Standard personal representatives. There are
    exceptions for
    - Unemancipated minors
    - Where the covered entity has a reasonable
      belief that there has been or may be domestic
      violence, abuse, neglect, or endangerment

20
When is a covered entity permitted to use or
disclose PHI?
  • In general, there are four categories of uses and
    disclosures of PHI
  • Treatment, payment and health care operations
    (TPO)
  • Authorized by the individual
  • Requiring the individual to agree or object
  • Permissible public policy disclosures

21
Boundaries: Uses and disclosures
  • TPO (164.502)
    - Treatment: care
    - Payment: reimbursement
    - Health care operations: running the store
  • (Specific definitions in the Privacy Rule for
    each term)

22
Boundaries: Uses and disclosures
  • Authorized by the individual (164.508)
    - Psychotherapy notes generally need an
      individual's authorization before use or
      disclosure
    - Any uses or disclosures not otherwise permitted
      or required by the Rule
    - Authorizations must be in plain language and
      contain specific elements

23
Boundaries: Uses and disclosures
  • Requiring an opportunity for the individual to
    agree or object (164.510)
    - Facility directories (e.g. hospital)
    - PHI for relatives or close personal friends
    - For notification purposes

24
Boundaries: Uses and disclosures
  • Public Policy Disclosures (164.512)
    - Covered entities may use or disclose PHI
      without authorization only if the use or
      disclosure comes within one of the listed
      exceptions and follows its conditions

25
Boundaries: Uses and disclosures
  • As required by law
  • For health oversight
  • For public health
  • For research
  • For law enforcement
  • For judicial and administrative proceedings
  • For specialized government functions

26
Boundaries: Uses and disclosures
  • To facilitate cadaveric organ, eye and tissue
    donation and transplants
  • About decedents to funeral directors, coroners
    and medical examiners
  • For workers' compensation
  • To report abuse, neglect, domestic violence
  • To avert serious and imminent threat to health or
    safety

27
Minimum necessary
  • Covered entities must make reasonable efforts to
    limit the use or disclosure of PHI to the minimum
    amount necessary to accomplish their purpose
  • Role-based access limits
  • Exceptions
    - Disclosure to the individual
    - Disclosure to or request by a provider for
      treatment purposes

28
Minimum Necessary (Contd)
  • Exceptions
    - Use or disclosure made pursuant to an
      individual's appropriate authorization
    - Use or disclosure required for compliance with
      the Administrative Simplification Rules of HIPAA
    - Use or disclosure that is required by law
    - Disclosure to HHS for enforcement purposes
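Slides 27 and 28 describe a control that a PHI access layer has to implement: a role-based limit on what is disclosed, with a fixed list of purposes that are exempt from the minimum-necessary standard. The following is an added example, not code from the presentation or from HHS, that turns those two slides into a small policy gate. The role names, PHI field names and sample requests are constructed for illustration; a real deployment would take its role-to-field mapping from the covered entity's documented policies and procedures.

```python
"""Added example: a minimum-necessary gate for PHI disclosures (slides 27-28).

This gate answers only one question: given a requester role and a purpose,
which of the requested PHI fields may be released?  Whether the use or
disclosure is permitted at all (TPO, authorization, public-policy exception;
slides 20-26) is a separate decision that must be made before calling it.
"""
from dataclasses import dataclass

# Purposes the slides list as exempt from the minimum-necessary standard.
MINIMUM_NECESSARY_EXEMPT = {
    "disclosure_to_individual",          # disclosure to the individual
    "treatment",                         # to / requested by a provider for treatment
    "individual_authorization",          # pursuant to the individual's authorization
    "admin_simplification_compliance",   # required to comply with the HIPAA rules
    "required_by_law",                   # use or disclosure required by law
    "hhs_enforcement",                   # disclosure to HHS for enforcement
}

# Constructed role-based access limits (hypothetical roles and field names):
# the fields each workforce role is documented as reasonably needing.
ROLE_FIELD_LIMITS = {
    "billing_clerk": {"name", "insurance_id", "dates_of_service", "billing_codes"},
    "front_desk": {"name", "dates_of_service", "phone"},
    "nurse": {"name", "diagnosis", "medications", "allergies", "dates_of_service"},
}


@dataclass(frozen=True)
class DisclosureRequest:
    requester_role: str
    purpose: str
    requested_fields: frozenset


@dataclass(frozen=True)
class Decision:
    allowed_fields: frozenset
    denied_fields: frozenset
    minimum_necessary_applied: bool
    rationale: str


def evaluate(request: DisclosureRequest) -> Decision:
    """Apply the minimum-necessary standard and role-based limits to a request."""
    requested = frozenset(request.requested_fields)

    # Exempt purposes: the standard does not apply, so no field is trimmed here.
    if request.purpose in MINIMUM_NECESSARY_EXEMPT:
        return Decision(requested, frozenset(), False,
                        f"purpose '{request.purpose}' is exempt from minimum necessary")

    # Non-exempt purposes: release only what the requester's role is documented
    # as needing.  An unknown role has no documented need, so nothing is released.
    permitted = ROLE_FIELD_LIMITS.get(request.requester_role)
    if permitted is None:
        return Decision(frozenset(), requested, True,
                        f"no role-based access limit defined for '{request.requester_role}'")

    allowed = requested & permitted
    denied = requested - permitted
    return Decision(allowed, denied, True,
                    f"role '{request.requester_role}' limited to documented fields")


def audit_record(request: DisclosureRequest, decision: Decision) -> dict:
    """Build the documentation entry for a decision (the 'meet documentation
    requirements' item on slide 16); a real system would persist this."""
    return {
        "role": request.requester_role,
        "purpose": request.purpose,
        "requested": sorted(request.requested_fields),
        "released": sorted(decision.allowed_fields),
        "withheld": sorted(decision.denied_fields),
        "minimum_necessary_applied": decision.minimum_necessary_applied,
        "rationale": decision.rationale,
    }


if __name__ == "__main__":
    # Constructed sample: a billing clerk asks for more than billing needs.
    req = DisclosureRequest("billing_clerk", "payment",
                            frozenset({"name", "diagnosis", "billing_codes"}))
    dec = evaluate(req)
    print(audit_record(req, dec))
```

The gate deliberately fails closed for an undocumented role: the slides tie role-based limits to written policies and procedures, so a role with no documented field set has no basis for release. Note also that an exempt purpose only switches off field trimming; the caller still has to establish that the disclosure falls within a permitted category.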

29
Oral Communication Rule
  • All forms of communication covered
  • Requires reasonable efforts to prevent
    impermissible uses and disclosures
  • Policies and procedures to limit access/use
    (role-based)
    - Except disclosures to or requests by a provider
      for treatment purposes

30
Overheard, seen in passing
  • Incidental disclosures
  • The Rule permits uses/disclosures incident to an
    otherwise permitted use or disclosure, provided
    minimum necessary and safeguards standards are
    met
  • Examples: talking to a patient in a semi-private
    room, talking to other providers when passers-by
    are present, waiting room sign-in sheets, patient
    charts at bedside, etc.
  • Allows for common practices if reasonably performed

31
Frequently Asked Questions/Concerns about the
Privacy Rule

32
PATIENT: My doctor needs to discuss my treatment
with other doctors and nurses. But the Privacy
Rule prohibits doctors and nurses from discussing
private health information if there is a
possibility that someone will overhear. What if
my doctor needs to discuss my condition with a
nurse at a busy nursing station, or with me over
the phone from someplace other than a private
office? The Privacy Rule prevents these
discussions.

The Privacy Rule does not intend to prohibit
providers from talking to each other and to their
patients.

33
PHYSICIAN: The Privacy Rule requires me to
monitor the activities of my business associates.
I can be found in violation of the Rule if my
business associate violates the contract, even if
I don't know about it.

Covered entities are not required to monitor or
oversee the means by which the business associate
carries out safeguards or the extent to which the
business associate abides by the requirements of
the contract.

34
HOSPITAL: The Privacy Rule prohibits
semi-private rooms. With two patients in a room,
there is no way to guarantee that one won't
overhear health information about the other.
Now I'll have to rebuild my facility to include
only private rooms.

The Privacy Rule does not require these types of
structural changes to be made to facilities.
Covered entities must have in place appropriate
administrative, technical, and physical
safeguards to protect the privacy of PHI.

35
PATIENT: The Privacy Rule prevents my pharmacist
from filling my prescription before I show up and
sign that consent. Instead of having the
prescription waiting for me, I may have to come
to the pharmacy, sign a consent, and then wait
around for hours while the prescription is filled.

The Privacy Rule permits covered entities,
including pharmacists, to use identifiable health
information for treatment, payment, or health
care operations without prior patient consent.

36
HOSPITAL: The Privacy Rule allows doctors and
nurses to see a patient's entire medical record
if the hospital thinks they need it to do their
jobs.

The Privacy Rule does not prohibit use or
disclosure of, or requests for, an entire medical
record. The covered entity must document in its
policies and procedures that the entire medical
record is the amount reasonably necessary for
certain identified purposes.

37
INSURER: How are we supposed to do business
under this Rule? It would prohibit doctors from
faxing information to us, or to each other, or to
their patients.

The Rule does not prohibit faxing of individually
identifiable health information. Covered
entities must have in place appropriate
administrative, technical, and physical
safeguards to protect the privacy of PHI.

38
INSURER: What happens when I am required to
report information under state law? I assume
that if some other law requires me to disclose
health information, I won't have to do a big
analysis under the Privacy Rule, or get caught in
the middle because the Privacy Rule might not
allow the disclosure?

A disclosure of identifiable health information
that is required by another law is permitted by
the Privacy Rule.

39
ANYONE: The Privacy Rule is delayed by the
Administrative Simplification Compliance Act that
was passed in December 2001.

This law delays compliance with the Transaction
and Code Set standards for covered entities that
file a compliance plan. This law does not apply
to the Privacy Rule. The compliance date for the
Privacy Rule is still April 14, 2003 (April 14,
2004 for small health plans).

40
PATIENT: When my family member comes to pick me
up from the hospital, the doctor will still be
able to explain my condition and tell him what to
expect when I return home. Right?

The Rule permits doctors to discuss a patient's
condition with family or friends involved in the
person's care, unless the patient objects.

41
A hospital customarily displays patients' names
next to the door of the hospital rooms that they
occupy. Will the Rule allow the hospital to
continue this practice?

The Rule explicitly permits certain incidental
disclosures that occur as a by-product of an
otherwise permitted disclosure. In this case,
disclosure of patients' names by posting on the
wall is permitted by the Rule, if the use or
disclosure is for treatment or health care
operations purposes.
Minimum necessary

42
Are hospitals able to inform clergy about
parishioners in the hospital?

Yes, the Rule allows this communication to occur,
as long as the patient has been informed of this
use and disclosure and does not object.