HIPAA PRIVACY: A PRACTICAL APPROACH (PowerPoint presentation, 21 slides; provided by hawaiiEdu)

Transcript
1
HIPAA PRIVACY A PRACTICAL APPROACH
April 14, 2003 is the deadline for health care
providers to develop formal privacy procedures
and to notify patients of their privacy rights.
The following presentation outlines an approach
for the smaller practice to access reasonable
compliance solutions.
2
HIPAA COMPLIANCE: WHAT IT MEANS FOR YOUR OFFICE
Paul A. Gilman, Esq.
Andrew S. Williams, Esq.
Aronberg Goldgehn Davis & Garmisa
One IBM Plaza, Suite 3000, Chicago, Illinois 60611
(312) 828-9600
3
WHAT IS HIPAA?
  • Health Insurance Portability and Accountability
    Act of 1996
  • Sets standards and requirements for the
    maintenance and electronic transmission of
    patient health information
  • Covers 4 areas:
    • Privacy of information
    • Security of data
    • Transactions and code set standards for
      electronic transactions
    • Identifiers for providers, employers, and payers

4
TO WHOM DOES HIPAA APPLY?
  • Covered Entities:
    • Health plans
    • Health care clearinghouses
    • Health care providers who transmit any health
      information (including billing) in electronic
      form
  • Who is a health care provider?
    • A provider of medical or health services, and
      any other person or organization who furnishes,
      bills, or is paid for health care in the normal
      course of business
    • Includes physicians, dentists, chiropractors,
      podiatrists, etc.
  • Others dealing with Covered Entities, such as
    Business Associates, will also be impacted by HIPAA

5
WHAT INFORMATION IS COVERED?
  • HIPAA regulates Protected Health Information
    (PHI)
  • PHI is individually identifiable health
    information, oral or recorded, in any form or
    medium, that:
    • Is created or received by a provider, plan,
      etc., and
    • Relates to the past, present or future physical
      or mental health or condition of an individual,
      the provision of health care to an individual,
      or past, present or future payment for the
      provision of health care

6
WHAT IS THE PRIVACY RULE?
  • A Covered Entity may use or disclose PHI only:
    • For treatment, payment or health care
      operations (TPO), after giving the individual
      notice of how the information will be used and
      obtaining acknowledgement of that notice (Notice
      of Privacy Practices)
    • Without the individual's authorization, in
      certain circumstances specified by the rule,
      such as in response to a subpoena or to avert a
      serious threat to health or safety
    • With a specific written authorization from the
      individual for any use or disclosure other than
      TPO
  • Even for a permitted use or disclosure, the
    Covered Entity must make reasonable efforts to
    limit the PHI used or disclosed to the minimum
    necessary to accomplish the intended purpose (the
    minimum necessary standard does not apply to
    disclosures to a provider for treatment)

7
WHAT IS THE SECURITY RULE?
  • Establishes administrative, physical and
    technical safeguards to protect the
    confidentiality, integrity and availability of
    electronic PHI
  • Closely intertwined with the Privacy Rule
  • Requires appropriate technological measures and
    physical security safeguards to maintain the
    security of PHI
  • Final rules expected in October, 2002
  • Compliance mandated 26 months after publication
    of the final rules
  • Will require policies and procedures, and
    training, for:
    • Password maintenance
    • Access controls
    • Physical controls
    • Logging off computers
    • Screensavers
    • Locking doors and file cabinets
    • E-mail risks
    • Other

8
WHAT IS THE TRANSACTIONS AND CODE SET RULE?
  • Covers 8 EDI transactions between or within
    Covered Entities (or their Business Associates):
    • Claims
    • Remittances
    • Coordination of benefits (COB)
    • Eligibility
    • Referral certification
    • Claim status
    • Enrollment
    • Premiums
  • Providers conducting electronic transactions must
    conduct standard transactions:
    • Standard codes
    • Minimum data sets

9
KEY COMPLIANCE DATES
  Rule                        Compliance date
  Transactions and Code Set   October 16, 2002 (October 16, 2003 if an
                              extension was requested by October 15, 2002)
  Identifiers                 Summer/Fall 2004 (est.)
  Privacy                     April 14, 2003
  Security                    Summer/Fall 2004 (est.)

10
SANCTIONS: WHY DO WE CARE ABOUT HIPAA?
  • Civil penalties: $100 per violation, up to
    $25,000 per year for each requirement violated
  • Knowing wrongful disclosure of PHI: criminal fine
    of up to $50,000 and/or up to one year in jail
    (higher penalties if done under false pretenses
    or for commercial advantage or malicious harm)
  • Enforcement by the HHS Office for Civil Rights
    (OCR)
  • May be the next hotbed of consumer litigation

11
OTHERS IMPACTED BY HIPAA: BUSINESS ASSOCIATES
  • Disclosure to Business Associates (BA) is
    generally permitted
  • A BA is a person or organization that performs a
    function or activity on behalf of a Covered
    Entity and has access to PHI in the course of
    performing that function or activity, but is not
    part of the Covered Entity's workforce
  • Examples of Business Associates:
    • Accountants
    • Accreditation services
    • Non-owned providers
    • Attorneys
    • On-call providers
    • Locum tenens providers
    • Billing service companies
    • Coding providers
    • Collection agencies
    • Consultants
    • Copy services
    • DME suppliers
    • Document shredding services
    • Laboratories
    • Lawyers
    • Management services
    • Marketing services
    • Medical record storage
    • Transcription services
    • Vendors (software, hardware, etc.)

12
BUSINESS ASSOCIATE CONTRACTS
  • Required by HIPAA
  • Specify permitted uses and disclosures of PHI
  • Require Business Associates to report improper
    use and disclosure to Covered Entity
  • Authorize Contract termination for material
    breach
  • Require subcontractor compliance
  • Allow patient access, amendment and disclosure
    accounting
  • Allow the Department of Health and Human Services
    to access the BA's books and records
  • Return or destroy PHI, if feasible, and otherwise
    ensure no disclosure or improper use when the
    contract ends
  • Transition rule: a written contract in place with
    a BA before 10/15/02 and not renewed or modified
    between 10/15/02 and 4/14/03 is deemed compliant
    until the earlier of:
    • The date it is renewed or modified on or after
      4/14/03, or
    • 4/14/04

13
KEY PRIVACY COMPLIANCE POINTS
  • Requires a cultural change
  • PRIVACY IS ABOUT CONSCIOUSNESS-RAISING: THINK
    PRIVACY BEFORE ANY USE OR DISCLOSURE
  • If it's not documented, it didn't happen
  • HIPAA does not require a complete overhaul of the
    business

14
STEPS TO COMPLIANCE
  • Appoint a Privacy Officer and a Contact Person
    (can be the same person)
    • Required
    • Responsible for development and implementation
      of privacy-related programs, policies and
      procedures
  • Identify all categories of persons whose duties
    require access to PHI (by job function)
  • Conduct a GAP analysis
    • Gather baseline information:
      • Hardware
      • Software
      • Networks
      • Data location, access, flow
      • Current policies and procedures
    • Identify and document GAPs between actual uses
      and disclosures of PHI and HIPAA's requirements
    • Assess the GAP: what is needed to close it?

15
  • Identify Business Associates
  • Draft Business Associate Agreements
  • Communicate with and enter into agreements with
    Business Associates
  • Develop required forms, policies and procedures
    • Forms (examples):
      • Notice of Privacy Practices
      • Consents
      • Authorization
      • Request for restriction on use or disclosure
      • Request to inspect and copy PHI
      • Request to amend or correct PHI
      • Request to receive an accounting of uses and
        disclosures
      • Accounting of uses and disclosures of PHI
      • Complaint forms

16
    • Policies:
      • Notice of privacy practices
      • Minimum necessary uses and disclosures
      • De-identification of health information
    • Other policies:
      • Workforce training
      • Patient privacy compliance
      • Marketing
      • Release of information
      • Patient requests
      • Information access control
      • Disciplinary action
      • Media controls
      • Access levels
      • Disaster recovery plan
      • Facility security plan
  • Develop and implement a privacy training program
    • For existing employees, training must occur by
      April 14, 2003
    • For new employees, within a reasonable period
      after hire
  • Monitor compliance on an on-going basis

17
HIPAA TRAINING
  • Assess your own culture for the best learning
    opportunities
  • Key questions:
    • Who gets trained on which aspects of HIPAA?
      Does everyone get trained on all of HIPAA or
      just parts?
    • When do we begin?
    • How will we conduct on-going training?
    • What form will training take?
    • How do we track who got what training?

18
WHAT DO I TRAIN?
  • The Privacy Rule requires that a Covered Entity
    train all members of its workforce on its
    policies and procedures with respect to PHI, as
    necessary and appropriate for them to carry out
    their function within the Covered Entity
  • Training must be scaled to the size of the office
    and workforce
  • No one-size-fits-all solution
  • All employees must understand the requirements of
    the Privacy Rule:
    • Rights of individuals
    • Duties and responsibilities of BAs
    • Impact of the requirements on their day-to-day
      work
    • Policies and procedures
    • Sanctions for violations
  • Security Rule training: train in conjunction
    with privacy training
    • Password management
    • Physical access
    • Virus protection
    • Backup and disaster recovery procedures
    • Locking drawers, bins and files
    • Clean desk awareness
    • Faxes, printouts and reports
    • Visitor access to records area

19
PRIVACY TRAINING DEADLINES
  • Existing employees: before 4/14/03 (policies and
    procedures must be developed before training can
    begin)
  • New hires: within a reasonable period of time
    after the hire date
  • On-going training: as changes to the law or to
    policies and procedures affect the job function

20
HOW DO I TRAIN?
  • Determine the best way to reach employees:
    • Classroom style
    • Audio conference
    • Web-based
    • Self-directed learning (manuals, videos, etc.)
  • Simple approach: distribute a manual, including
    the policies and procedures, and distribute tips,
    FAQs, etc.

21
CONCLUSION
  • Don't panic
  • Resources are available:
    • Web sites
    • Seminars
    • Guide books (ADA, etc.)
    • Trade associations
  • Remember: what is necessary for a large office
    may not apply to a smaller office