HIPAA Overview - PowerPoint PPT Presentation

HIPAA Overview. Jeffrey A. Walker, Walker & Mann, 10832 Laurel Street, Suite 204, Rancho Cucamonga, CA. 91730. Phone: 909.989.3200, Fax: 909.697.2182, www.walkermann.com

Slides: 27
Provided by: TinaH1

Transcript and Presenter's Notes

1
HIPAA Overview
Jeffrey A. Walker
Walker & Mann
10832 Laurel Street, Suite 204, Rancho Cucamonga, CA. 91730
Phone 909.989.3200 Fax 909.697.2182
www.walkermann.com
2
Who is Covered?
  • Covered Entities
  • Any entity that transmits any protected health
    information (PHI) in electronic form, as set forth
    in 45 CFR 160.102-103.

3
Affiliate Covered Entities
  • Covered entities under common ownership or
    control, which may designate themselves a single
    covered entity.
  • For Example
  • Hospitals
  • Medical Centers
  • HMO/PPO
  • IPA

4
Entities with Multiple Covered Functions
  • Such as a care provider that operates an employee
    health plan
  • Must comply with the rules as affecting each one
    of its functions.
  • For Example
  • Blue Cross
  • HealthNet
  • PacifiCare

5
Health Care Clearinghouses
  • Any entity that converts PHI received from third
    parties to or from its proprietary format for
    internal processing
  • Liable as business associates
  • Examples
  • Claims processors/administrators
  • Data analysis firms
  • NOTE: California law does not cover information
    held by clearinghouses, but their functions are covered.
  • Both California law and Federal law can apply.

6
Health Plan
  • Any individual or group plan, governmental or
    private, that provides or pays for medical care.
  • Small, self-administered employee plans excluded
  • Possible danger for private companies
  • Government Program Exclusion

HIPAA is more inclusive than California Law
7
Health Care Providers
  • Any person or organization that furnishes, bills
    or is paid for health care in the normal course
    of business
  • Compliance is only required for electronic
    transmission.
  • A provider that uses an agent (a clearinghouse or
    billing service) must comply with HIPAA.
  • California law is not as broad as HIPAA, but
    it applies to all defined providers regardless of
    electronic transmission.
8
Defined Providers
  • Licensed individuals
  • Clinics
  • Health Dispensaries
  • Health Facilities Corporations organized
    primarily for maintaining medical
    information/making it available to
    providers/patients.
  • Medical Groups
  • Pharmacy Benefits Managers
  • Independent Practice Associations

9
Hybrid Entities
  • Covered entities whose business activities
    include covered and non-covered functions
  • These entities have to designate which portions
    must be HIPAA compliant
  • Must take special care to protect against
    disclosure
  • Examples

10
Organized Health Care Arrangement
  • This is a label that can apply to any organized
    health care arrangement.
  • Not automatic
  • Examples
  • Hospitals
  • Preferred Medical Providers
  • Medical Foundations
  • Some Health Plan/Insurer Arrangements

11
Business Associates
  • Anyone who works for a HIPAA covered entity, but
    not as a member of its workforce.
  • Assisting with a function or activity involving
    the use or disclosure of PHI
  • Claims Processing
  • Data Analysis
  • Quality Assurance
  • Providing service or consulting to a HIPAA covered
    entity
  • Legal
  • Financial
  • Administrative

12
When do Privacy Rules Apply?
13
Use or Disclosure
  • Not for Marketing Purposes
  • Defined as any purpose meant to encourage others
    to purchase or use a certain product or service,
    unless:
  • Authorized by patient, or
  • Face-to-face communication between covered
    entity and individual, or
  • A promotional gift of nominal value, like
    offering free bandages or pens.

14
Use or Disclosure (cont.)
Limited use or disclosure for fundraising is
permissible if:
  • Information is limited AND
  • A notice of privacy indicates this AND
  • The entity provides an opt-out option

15
Media Purposes
  • If the patient has not asked that information be
    withheld, no one can obtain the location or
    condition unless that person already knows of and
    uses the patient's name.
  • Primary Purpose
  • Special Care in Certain Situations
  • Limit disclosure to General Terms
  • good, fair, stable, serious, critical, or
    deceased.

16
Protected Health Information (PHI)
  • Defined: individually identifiable health
    information relating to a person's health, care
    received, and/or payment for services.
  • Covered entities must use reasonable safeguards
    to prevent disclosure of PHI, unless:
  • Authorized by the patient, or
  • The information relates to the purposes of
    treatment, or
  • Purposes of payment and health care operations

NOTE: Does not include employment records for
persons employed by a covered entity.
17
Privacy Rights of the Individual
18
  • Patients can request restriction of use
  • Except for certain limited use/full uses allowed
    or required by law
  • In Facility Directories
  • For Limited Public Health Activities
  • Reporting abuse, neglect, domestic violence or
    other crimes
  • Health agency oversight activities or law
    enforcement investigations
  • Judicial/administrative proceedings
  • Identifying decedents to coroners and medical
    examiners or determining cause of death
  • Organ procurement
  • Certain research activities
  • Workers' Comp programs
  • Any other uses or disclosures otherwise required
    by law

19
  • Access & Inspection (generally)
  • Summaries
  • Under HIPAA
  • Provider Liability
  • Required Access time requirements left to states
  • CA law requires hospitals to keep records for 7
    years
  • Personal Representatives
  • Required manner of access

20
  • Reporting Disclosure
  • Patient's right to an accounting of disclosures,
    EXCEPT if disclosure relates to:
  • Carrying out treatment, payment, health care
    operations, or if part of a limited data set.
  • In Facility Directories
  • For Limited Public Health Activities
  • Reporting abuse, neglect, domestic violence or
    other crimes
  • Health agency oversight activities or law
    enforcement investigations
  • Judicial/administrative proceedings
  • Identifying decedents to coroners and medical
    examiners or determining cause of death
  • Organ procurement
  • Certain research activities
  • Workers' Comp programs
  • ANY DISCLOSURE PRIOR TO APRIL 14, 2003

21
When Can Disclosure Occur
  • When authorized
  • Requirements for valid authorization
  • Written/Typed
  • Signed and Dated
  • Indicates authorizer/authorized recipient
  • Indicates the information to be disclosed and
    permitted use(s)
  • States the right to revoke and entitlement to
    copies
  • States no condition on treatment
  • Specifies expiration date
  • (continues to Minimum Necessary)

22
Minimum Necessary Standard
  • Reasonable efforts to limit the information
    disclosed to the minimum amount necessary to
    complete the task
  • The Exception
  • Identification Requirements

23
Waiver of Confidentiality
  • Applicable in the research context
  • 3 HIPAA criteria for waiver of
    consent/authorization
  • PHI use and disclosure cannot pose more than
    minimal risk to the privacy of the individual
  • The research could not practicably be conducted
    without the waiver or alteration of
    authorization
  • The research cannot practicably be conducted
    without access to and use of the protected health
    information

24
Waiver of Confidentiality (cont.)
  • Guidelines
  • The entity must have an adequate plan to protect
    identifiers from improper use and disclosure
  • Identifiers must be destroyed ASAP
  • The entity must provide written assurances to
    subjects against reuse or re-disclosure

25
Compliance Enforcement
  • The HIPAA Process
  • The Department of Health and Human Services (HHS) &
    The Department of Justice (DOJ)
  • HHS initially investigates all complaints
  • Fines between $100 and $25,000
  • No incident standards established!
  • Anybody can file complaints!
  • DOJ takes over when HHS finds criminal conduct

Violators face state & federal enforcement!
26
Compliance Enforcement (cont.)
  • California administrative fines and penalties
  • No more than $25,000 when negligent/known and
    willful UNLESS
  • Violator attempts to profit (i.e. by selling the
    information), then up to $250,000.
  • Anyone who receives information and discloses it
    as described is liable.
  • California Exceptions
  • Unaware or Unfound
  • Reasonable Cause/Correction
  • Caused by criminal activity (DOJ takes over)
  • Criminal Penalties (preclusion)
  • $50,000/1 Yr
  • $100,000/5 Yrs
  • $250,000/10 Yrs