Overview of the HIPAA Privacy Rule and the - PowerPoint PPT Presentation

Slides: 27
Provided by: bobla9
Tags: hipaa | overview | privacy | rule

Transcript and Presenter's Notes

Title: Overview of the HIPAA Privacy Rule and the


1
Overview of the HIPAA Privacy Rule and the
Organized Health Care Arrangement for Medical
Staff Members
Facility Privacy Official Marc J. Dupuis, RPh,
MHA Director, Pharmacy Services Facility Privacy
Official 1-603-421-2261
2
This Presentation
  • Purpose
  • To provide a brief overview of the HIPAA Privacy
    Rule and an Organized Health Care Arrangement and
    how they relate to the Medical Staff at Parkland
    Medical Center.
  • Agenda
  • What is HIPAA Administrative Simplification?
  • What are we doing about HIPAA?
  • Privacy Rule Overview.
  • Organized Health Care Arrangement (OHCA) option
    and how it will help your office comply.

3
What is HIPAA Administrative Simplification?
4
HIPAA
  • What is it?
  • Health Insurance Portability and Accountability
    Act of 1996
  • Title II Administrative Simplification
  • It's a federal law
  • Response by Congress for healthcare reform
  • Affects the entire healthcare industry
  • HIPAA is mandatory, penalties for failure to
    comply
  • Purpose
  • Protect health insurance coverage, improve access
    to healthcare
  • Reduce fraud and abuse
  • Provide tax incentives to promote access to
    healthcare
  • Improve quality of healthcare in general
  • Reduce healthcare administrative costs
    (electronic transactions)

5
HIPAA Standards - Under Title II
[Diagram: the five HIPAA titles, with the standards under Title II Administrative Simplification. Box labels: Transaction Code Sets, Unique Identifiers, Privacy, Security, Enforcement, Medical Records, Limitations. Legend: Final, To Be Finalized.]
HIPAA
  • Title I Portability
  • Title II Fraud Abuse F. Administrative Simplification
  • Title III Tax Related
  • Title IV Group Health Pl
  • Title V Revenue Offsets
  • Covers providers, health plans and health care
    clearinghouses only
Transaction Sets
  • Benefit Enrollment Maintenance 834
  • Premium Payment 820
  • Eligibility - 270/271
  • Health Care Services Review 278
  • Claim 837
  • Claims Status - 276/277
  • Claim Payment/Advice 835
  • Claims Attachments (delayed 2002)
  • First Report of Injury (delayed 2002)
Data Element
  • For Transactions
  • Required vs. Optional
  • Format
  • Codes
  • Values
Service and Diagnosis
  • ICD-9-CM
  • CPT-4
  • HCPCS
  • CDT
  • NCPDP
  • No local or J codes
Unique Identifiers
  • Provider
  • Employer
  • Health Plan
  • Individual
General Rules
  • Individually identifiable health information
  • Business Associate
  • Privacy Official
  • Minimum necessary
  • Consent/Authorization
  • Electronic, written and oral information
Administrative Safeguards
  • Chain of Trust Agreement
  • Internal Audit
  • PP
Physical Safeguards
  • Secure Workstations
  • Physical Access Controls
  • Media Controls, etc.
  • Security Awareness Training
Technical
  • Access Control
  • Authorization
  • Data Authentication
  • Entity Authentication
  • Basic Network Safeguards
  • Integrity
  • Encryption
Digital Signature


6
Covered Information
  • Transactions
  • Requires standardized transaction content,
    formats, diagnostic procedure codes, national
    identifiers for healthcare EDI transactions.
  • Privacy
  • Establishes conditions that govern the use and
    disclosure of individually identifiable health
    information. Establishes patient rights in
    regard to their protected health information
    (PHI).
  • Security
  • Establishes requirements for protecting the
    confidentiality, availability and integrity of
    individually identifiable health information.

7
Penalties
  • Civil
  • For failure to comply with transaction standards
  • $100 fine per occurrence, up to $25,000 per year
  • Criminal
  • For health plans, providers and clearinghouses
    that knowingly and improperly disclose
    information or obtain information under false
    pretenses
  • Penalties higher for actions designed to generate
    monetary gain
  • up to $50,000 and one year in prison for
    obtaining or disclosing protected health
    information
  • up to $100,000 and up to five years in prison for
    obtaining protected health information under
    "false pretenses"
  • up to $250,000 and up to 10 years in prison for
    obtaining or disclosing protected health
    information with the intent to sell, transfer or
    use it for commercial advantage, personal gain or
    malicious harm

8
What is our facility doing about HIPAA?
9
Action Plan High Level
  • 2002
  • Appoint Facility Privacy Official (FPO).
  • Educate key parties: physicians, management and
    facility leadership.
  • Create and Implement Facility Policies on
    Privacy.
  • Identify all Business Associate (e.g. vendor,
    contractor) contracts and amend to include
    required language.

10
Action Plan High Level
  • 2002
  • Establish internal processes.
  • Complete initial privacy training for entire
    workforce.
  • Begin ongoing education plan for staff and
    patients.
  • Complete privacy assessment and implement changes
    based on findings.
  • Implement complaint log process for patient
    privacy issues.

11
2003
  • 2003
  • Complaint resolution process for patients.
  • Finalize all policy and procedure rollout no
    later than April 2003.
  • Continue training and monitoring.
  • Assess implementation completion.

12
THE Privacy Rule
13
Privacy
  • What is covered?
  • Protected Health Information (PHI)
  • Relates to the past, present or future physical or
    mental condition of an individual, the provision of
    healthcare to an individual, or payment for
    care provided to an individual.
  • Transmitted or maintained in any form
    (electronic, paper or oral representation).
  • Identifies the individual or can be used to
    identify the individual.

14
Privacy Protected Elements
Health information may be considered individually
identifiable if any of the following are present:
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Web Universal Resource Locator (URL)
  • Internet Protocol (IP) address number
  • Finger or voice prints
  • Photographic images
  • Any other unique identifying number,
    characteristic, code
  • Name
  • Address including street, city, county, zip code
    and equivalent geocodes
  • Names of relatives
  • Name of employers
  • Birth date
  • Telephone numbers
  • Fax Numbers
  • Electronic e-mail addresses
  • Social Security Number
  • Medical record number

15
Notice of Privacy Practices
  • Must provide a notice to each patient of the uses
    and disclosures that may be made by the entity
    including examples.
  • Must provide a listing of individual rights and
    the facility's responsibilities.
  • Must provide the notice at the first encounter
    with the patient. Patient must acknowledge they
    received the notice.
  • If the physician is a part of the hospital's
    organized health care arrangement, s/he can rely
    on the notice provided during the admission
    process. (More on this later in the presentation.)

16
Patient Privacy Protection
  • Each individual is responsible for adhering to
    this policy by using only the minimum information
    necessary to perform his or her responsibilities,
    regardless of the extent of access provided or
    available.
  • This policy addresses intentional or
    unintentional breach of patient confidentiality,
    including oral, written and electronic
    communication.
  • This definition will safeguard patient privacy
    and help minimize exposure and/or liability to
    individuals, facilities, and the company.
  • Need to know philosophy!

17
Oral Communications
  • The following practices are permissible if
    reasonable precautions (lowering voices) are
    taken to minimize inadvertent disclosures to
    others:
  • Staff may orally communicate at the nursing
    stations
  • Health care professionals may discuss a patient's
    treatment in a joint treatment area
  • Health care professionals may discuss a patient's
    condition during training rounds

18
Business Associates General Requirements
  • A business associate is a company or individual
    that:
  • Has access to PHI
  • Performs a function on our behalf
  • Is not an employee of the facility.
  • The hospital must have a business associate
    contract in place for EVERY Business Associate by
    April 2003.
  • Information exchanges between a hospital and
    physicians with admitting privileges at the
    hospital are not subject to the business
    associate requirements

19
Patient Rights
  • Right to Confidential Communications
  • Patients can request to receive communications by
    alternative means or at alternative locations.
  • These requests for Confidential Communications
    should be accommodated by the facility if
    reasonable.
  • Facility Privacy Officer (FPO) or designee shall
    receive the patient's request to invoke
    confidential communications.
  • Right to Opt Out of the Directory
  • Patients may opt out of being listed in the
    hospital directory that is used by the operator
    and the volunteers.

20
Patient Rights
  • Right to Access
  • Individuals have the right to inspect and obtain
    a copy of their PHI
  • Facility will provide a readable hard copy of
    portions of record requested
  • Online access not available at this time
  • Individuals with system access are not to access
    their record in any system, but must be provided
    with a paper copy per this procedure
  • Right to Amend
  • For the intent of this policy, amend is defined
    as the patient's right to add information
    (append) with which he/she disagrees, and that
    the record is not to be changed in its content.

21
Patient Rights
  • Right to an Accounting of Disclosures
  • Individuals have the right to an accounting of
    disclosures made by the entity
  • EXCEPTIONS from Accounting: uses and disclosures
    for treatment, payment, health care operations
  • Right to Request Privacy Restrictions
  • Individuals have the right to request
    restrictions on the use and disclosure of their
    PHI.
  • These requests must be made IN WRITING to the
    FACILITY PRIVACY OFFICIAL.

22
How does the Medical Staff fit into the Privacy
Program?
  • The hospital and medical staff will be considered
    an Organized Health Care Arrangement (OHCA).
  • OHCA Definition under the Privacy Rule
  • A clinically integrated care setting in which
    individuals typically receive healthcare from
    more than one healthcare provider.
  • The facility and its medical staff are an
    Organized Health Care Arrangement under the rule.

23
Why use the OHCA option?
  • Benefits of the Organized Health Care
    Arrangement
  • The hospital can continue to share information
    with you and your practice for purposes of
    payment and your practice operations.
  • There won't be a need for a complex business
    associate contract for you to serve on hospital
    committees.
  • You won't have to carry around your Notice Of
    Privacy Practices to give to patients when you
    visit them in the hospital.

24
Why use the OHCA option?
  • Benefits of the Organized Health Care
    Arrangement
  • You will be able to use the hospital HIPAA
    policies and forms at your office as you
    implement the privacy rule.
  • The hospital can continue to work with you and
    share information as we do today to get you paid
    for your services.

25
Where can you get more information?
  • Here are a few of the many Web sites that provide
    information about HIPAA.
  • Department of Health and Human Services
    http://aspe.hhs.gov/admnsimp/
  • American Medical Association
    http://www.ama-assn.org/
  • WEDI Strategic National Implementation Process
    http://snip.wedi.org/
  • HIPAAdvisory
    http://www.hipaadvisory.com/
  • HIPAAComply
    http://www.hipaacomply.com/
  • HIPAADOCS.com for physicians
    http://www.hipaadocs.com/
  • AHIMA (American Health Information Management
    Association) http://hipaa.wpc-edi.com/HIPAA_40.asp
  • Massachusetts Health Data Consortium
    http://www.mahealthdata.org
  • Health Information and Management Systems Society
    http://www.himss.org/templates/index.asp

26
Questions?
  • If you have questions about HIPAA Privacy or OHCA
    or need further information please contact the
    Facility Privacy Official.
  • Marc J. Dupuis, RPh, MHA
  • 1-603-421-2261