HIM and Privacy Practices

1
HIM and Privacy Practices

• Alison Nicklas, RHIA, CCS
• Privacy Officer HIM Director
• Saint Francis Care
• June 1o, 2009

2
Objective

• To assist new and existing Privacy Officers in
  their role under the HIPAA regulations

3
Agenda

• Privacy vs. Security
• Basic Requirements for Privacy Official
• Facility Education
• Handling Complaints
• American Recovery and Reinvestment Act

4
Privacy Rule vs Security Rule

• Privacy Rule
• Focuses on the right of an individual to control
  the use of his/her PHI
• Should not be used or disclosed against the
  patient wishes
• Covers confidentiality in all formats
• Electronic Paper Oral
• Confidentiality An assurance that information
  will be safeguarded from unauthorized disclosures
• Physical Security - an element of the Privacy
  Rule

5
Privacy Rule vs Security Rule

• Security Rule
• Focuses on administrative, technical and physical
  safeguards specifically as they relate to
  electronic PHI (ePHI)
• Protection of ePHI data from unauthorized access,
  whether external or internal, stored or in transit

6
Basic Requirements for the Privacy Officer
7
Personnel designations

• Covered Entity must
• Designate a Privacy Official
• Responsible for development and implementation of
  policies and procedures necessary for compliance
• Designate a contact person or office to
• Receive complaints
• Provide assistance in understanding the
  information covered in the Notice of Privacy
  Practices

8
Personnel designations

• Covered Entity Responsible for the
  administration of tasks to include
• Creating, posting and distributing the Notice of
  Privacy Practices and securing an
  acknowledgement of receipt
• Processing authorizations for research, marketing
  and fundraising
• Completing requests for correction/amendment of
  records
• Considering requests for additional protection
  for particularly sensitive health information
• Providing information to patients (or staff) who
  have questions about HIPAA or state privacy
  protections and
• Handling any complaints from patients (or others
  staff, family, regulators, etc.) about possible
  HIPAA violations

9
Personnel Designations

• Privacy Official
• Ideal candidate
• Comfortable with both HIPAA Privacy Requirements
  AND State Law or can be trained quickly /
  easily
• Background in clinical care, management of health
  records, IT security, compliance and risk
  management
• Daily tasks should be routine minimize problems
  if
• Appropriate privacy and security policies in
  place
• Appropriate workforce training
• Organization responsibility

10
Standard Training

• Complete initial HIPAA Privacy and Security
  training
• Each new member of the workforce appropriate to
  job role (Orientation)
• At time of material change (impact on job role)
• Routinely reviewed annual evaluation
• Document the training
• Sign a confidentiality, privacy, and security
  statement at completion of training / retraining

11
Standard Safeguards

• HIPAA Security
• Username and Password changed at a minimum
  every 6 months
• Level of access appropriate to job role
• Audit trail
• Encryption
• HIPAA Privacy
• Safeguard PHI
• Minimum necessary
• Limit incidental uses or disclosures

12
Standard Complaints

• HIPAA Hotline
• Provide a process for complaints
• Concerning policies and procedures
• Concerning compliance with policies and procedure
• Document complaints with disposition

13
Standard Sanctions

• Determine sanctions
• Appropriate to action
• Applied with consistency
• Perform complete investigation
• Document sanctions that are applied

14
Standard Mitigation

• Mitigate any harmful effect from use or
  disclosure of protected health information in
  violation of policies and procedure by
• Covered Entity
• Business Associate(s)

15
Standard Refrain from Intimidation or Retaliation

• Against any individual exercising right /
  participation in the filing of a complaint

16
Standard Waiver of Rights

• May not require waiver of rights as a condition
  of treatment, payment, enrollment in health plan,
  or eligibility of benefits

17
Standard Policies and Procedures

• Designed to comply with standards
• Meet required specifications
• Reasonably designed based on size and type of
  activities relating to PHI
• Not to be construed to permit or excuse any
  violation

18
Standard Changes to Policies and Procedures

• Make changes
• To comply with any changes in the law
• Changes to privacy practice stated in the Notice
• May result in corresponding changes to policies
  and procedures
• May make the change effective for PHI created or
  received prior to the effective date of the
  revision of the notice if a statement was
  previously made reserving the right to make such
  a change

19
Standard Changes to Policies and Procedures

• Make changes
• Other changes to policies and procedures may be
  made at any time
• Must document the change
• Must implement the change according to guidelines

20
Standard Changes to Policies and Procedures

• Implementation Specifications
• Changes in the Law that requires change to
  policies or procedures
• Promptly document and implement the revised
  policy or procedure
• If the change in the law materially affects the
  content of the notice promptly make revisions
  to the notice

21
Standard Changes to Policies and Procedures

• Implementation Specifications
• Changes to Privacy Practices
• Ensure that the policy and procedure complies
  with standards
• Document the policy or procedure as revised
• Revise the notice as required to state the
  changed practice and make the revised notice
  available
• May not implement a change prior to the effective
  date of revised notice

22
Standard Changes to Policies and Procedures

• Implementation Specifications
• Changes to Privacy Practices
• If rights were not reserved by covered entity
• PHI created or received while the notice was in
  effect the entity is bound by the practice
  stated in the notice unless
• The change meets the required guidelines
• The change is effective only with regard to PHI
  created / received after the effective date of
  the notice

23
Standard Changes to Policies and Procedures

• Implementation Specifications
• Changes to other Policies or Procedures
• May happen at any time as long as it does not
  materially affect the content of the notice
• Must comply with the standards
• Must be documented as required

24
Standard Documentation

• Policies and Procedures, Communication and
  Actions, Activities, or Designations required
• Must be documented and maintained in paper or
  electronic form
• Documentation must be retained
• Six years from the date of creation or last
  date in effect (whichever is latest)

25
Privacy Officer

• Activities

26
Facility Education

• WHO
• All members of the workforce appropriate to the
  organization and the role
• Employees
• Volunteers
• Trainees / Students
• Contractors
• Includes even those that are NOT paid by the
  organization

27
Facility Education

• WHAT
• Not prescribed by HHS design, approach and
  specific content is left to the discretion of the
  covered entity
• At the least with ALL members
• Principles and objectives of HIPAA Privacy
• Background What is PHI?
• Need for privacy of PHI
• Overview of HIPAA privacy regulations, including
  penalties
• Individuals rights regarding privacy
• Individuals rights regarding control of uses and
  disclosures
• Individuals right to request access, accounting,
  amendments

28
Facility Education

• WHAT
• At the least with ALL members
• New organization privacy policies and procedures
• Sanction policy
• Notice of Privacy Practices
• Authorizations for use and disclosure
• Privacy Officer role and contact information

29
Facility Education

• WHAT
• At the least with ALL members
• Complaint policies and procedures
• Cooperating with investigations or audits
• How to report a violation, and the whistleblower
  policies
• Organizations commitment to patient privacy
  integration with transactions and standards and
  security mandates

30
Facility Education

• WHAT
• Specific to Job Responsibilities
• Registration
• Notice of Privacy Practices
• Obtaining Authorizations
• Clinical Units
• Family / Friends and Patient Information
• Discarding confidential information
• Conversations with other Clinicians

31
Facility Education

• WHEN
• Reasonable period of time for new hires
  generally performed at orientation easily fits
  into discussions regarding organization mission
  and infrastructure
• Change in job responsibility to meet the needs
  of the position
• Material change Requires retraining for anyone
  affected
• Must document that the training has been provided
  it is suggested (not required) that each member
  sign a certificate at completion of the training
  for verification

32
Facility Education

• HOW
• Tailor to the organization
• Assign responsibility to an individual or team
  with
• Training development expertise
• Strong understanding of HIPAA Privacy principles
  and mandates
• May be necessary to train the trainer in larger
  organizations
• Team should include various departmental
  representatives to tailor to their function

33
Facility Education

• HOW
• Incorporate into Corporate Compliance Program
  incorporating new employee orientation and
  refresher training
• Cost savings
• Builds on organizations experience with
  compliance and related cultural changes
• Role specific / Job specific
• Enables demonstration of mastery discussions,
  quizzes, case study problem solving

34
Facility Education

• HOW
• Formal and informal methods based on size and
  nature of audience
• Enable interaction and feedback
• Small in-person workshops
• Computerized learning systems
• If workforce size requires large-scale group
  training follow-up with smaller group meetings
  to reinforce the program

35
Facility Education

• HOW
• Make the program user-friendly
• Gear lessons to comprehension levels of
  participants
• Break up training into manageable modules
• Avoid technical or regulatory content that is
  more than what they need-to-know
• Provide follow-through material that can be taken
  away and used for reference

36
Facility Education

• HOW
• Provide mechanism for evaluating the
  effectiveness of the training comparing
  baselines from initial assessment with final
  exam results
• Provide on-going reinforcement and informational
  updates periodic newsletter articles, poster
  campaigns, etc.
• Use Annual Privacy and Security week to provide
  further opportunities

37
Handling Complaints

• Timing
• A complaint must be filed with DHHS 45 C.F.R.
  160.306 within 180 days from the date of
  becoming aware of the suspected violation.
• Best Practice
• Establish a timeline within the 180-days to
  resolve complaints internally before the
  complainant elevates their complaint to the
  federal government

38
Handling Complaints

• Decision Point Time to Handle Complaints
  Establishment of processing time?
• Not required to investigate and/or resolve
  complaints therefore not required to act within
  a given timeframe.
• Recommend the establishment of a timeframe less
  than the 180 days provided by federal regulations
  to avoid complainant filing at that level
• Required to mitigate harm to individuals
  resulting from violation of HIPAA rules.
• No timeframe within which to mitigate complaints,
  take into consideration the federal filing period
  for complaints.

39
Handling Complaints

• Document the complaint
• May inform individual filing what the results of
  the investigation was what changes were made to
  prevent further violations
• Determine a reasonable time from date of filing
  to response keep in mind the 180 day time limit
  for filing with DHHS from date of discovery of
  alleged violation

40
Handling Complaints

• Providing results?
• If lodged against an employee know
• State laws
• Local agency policies
• Union contract requirements (if appropriate)
• If lodged against employee of Business Associate
• Depends on the type of organization
• Laws / regulations / other rules that may apply
  to the BA and its employees

41
Handling Complaints

• Providing Results?
• If lodged against privacy procedures
• Depends on any changes / lack of changes made
• A policy change may take longer than the time
  limit for filing with DHHS
• If there is a need to mitigate harmful effects to
  individual
• Determine what information you want to provide to
  the individual may help to ask other
  organizations what they do check with Civil
  Rights Offices, or boards and bureaus within the
  Department of Consumer Affairs

42
Handling Complaints

• Follow-up Procedure
• Review the change / correction in 60 to 90 days
  to determine if the solution is working no more
  violations occurring
• Are business practice changes effective and
  workable
• Provide support / encouragement to those
  employees who have been successful in making a
  change in business practice

43
Handling Complaints

• Decision Point
• Follow-up
• Whatever the decision it become part of Privacy
  Policies and procedures
• Example If it is determined not to provide
  results that must be stated in policies and
  procedures will not contact the complainant
  after investigation with the results of findings.

44
Examples
45
Sample Complaints / Issues

• Failure to appropriately dispose of unnecessary
  paper copies of PHI
• Removing from facility
• Appointment reminder

46
Sample Complaints

• Verbal conversations
• Minimum Necessary / Information Specified
• Proper authorization

47
Sample Complaints / Issues

• Accessing records of friends / co-workers
• To visit in the hospital
• To send information
• To determine if test results were available
• At the request of the friend / co-worker
• To identify the reason for the visit
• To follow-up on patient transferred off unit

48
Sample Complaints / Issues

• Sharing Username / Password Information
• Providing username and password to colleague
• Forgotten
• Not yet received
• Suspension
• Allowing access under username and password for
  convenience saving time with sign-out / sign-in
  process

49
Investigation Process

• Issue identified
• Complaint
• Rumor
• Random audit
• OIG notice
• Investigation
• Determine access levels (paper and electronic
  record)
• Review for appropriateness of access in the
  course of doing business?
• Interview with individual making complaint /
  sharing rumor / identified in random audit

50
Investigation Process

• Determine level of breach
• No intent to harm
• Curiosity Family Member Friend Co-worker
• Additional sharing of information
• For personal gain
• At the request of another
• Review of Personal Record frequently identified
  during investigation of a separate complaint

51
Investigation Process

• Determine level of discipline with Human
  Resource Representative and Employee Supervisor
• Verbal warning
• Written warning level
• Termination
• Reporting to regulators / Patient / etc.
• BE CONSISTENT - DOCUMENT

52
Closing the Loop

• Meet with employee
• Discuss HIPAA Privacy and Security regulations
• File action in employee file

53
Closing the Loop

• Log all complaints / investigations
• Date issue identified
• Reported by
• Responsible individual
• What was reported
• What the investigation identified
• What action was taken

54
Considerations

• Opportunity for internal education
• Identification of additional / revised policies
  and procedures

55
American Recovery and Reinvestment Act

• ARRA

56
ARRA

• Breach of unsecured PHI
• Required to notify EACH individual of breach
• No later than 60 days after discovery
• First-class mail / e-mail / conspicuous posting
  on entitys web site or major print or broadcast
  media (if 10 or more individuals with out-of-date
  contact information)
• Secretary of Health and Human Services if breach
  involves 500 (to be posted on HHS web site)
• Keep log of breaches less than 500 and submits to
  Secretary annually

57
ARRA

• Breach of unsecured PHI
• Content of Notice
• What happened
• Type(s) of unsecured information breached
• Steps individuals should take to protect
  themselves
• Description of what CE is doing to investigate /
  mitigate / protect future breaches
• Contact procedures including toll-free number,
  email address, web site, postal address

58
ARRA

• Business Associates
• Tighter link between BA and HIPAA provisions
• Impose direct civil and criminal penalties for
  privacy and security violations (not just
  contractual)
• Must notify CE of breach include identification
  of individuals affected
• HIE / RHIO Must have BA contract with CE

59
ARRA

• Restriction on Release
• If individual pays for care out of pocket
• To be answered If lab test paid for out of
  pocket treatment submitted to carrier how to
  identify medical necessity
• Other issues include Portion of care paid for
  out of pocket other portions covered by entity
• Plastic surgery during other service

60
ARRA

• Minimum Necessary Restricts uses, disclosures,
  and requests for PHI for payment and healthcare
  operations
• Unclear definition under current standards
• CE or BA disclosing determines minimum necessary
  to accomplish intended purpose
• Limited Data Set De-Identified
• Must be defined within 18 months of ARRA
  enactment (August 2010)

61
ARRA

• Accounting of Disclosures
• Expansion for disclosures made through an EHR
• Treatment / Payment / Operations Under HIPAA no
  requirement for these disclosures
• If CE uses EHR disclosures to carry out TPO do
  NOT apply
• Only going back 3 years (6 for paper)
• Requests on or after 1/1/14 (CEs acquiring EHR
  after 1/1/09)
• Secretary to set regulations on what information
  is collected about each disclosure by 8/1/09
• DOES NOT affect use, disclosure or request of PHI
  that has been de-identified

62
ARRA

• Sale, Marketing, Fundraising
• Prohibition on Sale of EHRs or PHI
• CE / BA shall not directly or indirectly receive
  remuneration in exchange for PHI without
  individual authorization except
• Public health activities, research, treatment,
  operations
• Regulations by 8/1/10 to include price charged
  effective February 2011

63
ARRA

• Communication about product or service
  encouraging recipient to purchase or use will
  require patient authorization if CE or BA
  received direct or indirect payment except
• Communication describes only a drug or biologic
  that is currently being prescribed
• Payment received is reasonable in amount (to be
  defined by Secretary) and made by CE with
  authorization from individual or made by BA with
  BA Contract
• Effective 2/17/10
• Opt Out Patient right to opt-out of fundraising
  (may not be a change from HIPAA)

64
ARRA
65
References

• 65 FR 82802, Dec. 28, 2000, as amended at 67 FR
  53272, Aug. 14, 2002 71 FR 8433, Feb. 16, 2006
• http//www.hipaadvisory.com/regs/compliancecal.htm
  
• http//www.hipaadvisory.com/action/privacy/daytoda
  y.htm

66
References

• 65 FR 82802, Dec. 28, 2000, as amended at 67 FR
  53272, Aug. 14, 2002 71 FR 8433, Feb. 16, 2006

67
QUESTIONS