HIPAA 201: Privacy - An Introduction to the HIPAA Privacy Regulations - with Final Rule Updates
First Consulting Group, October 2002
©2002 FCG proprietary and confidential
Uploaded by donald-brown, 12-Jan-2016

TRANSCRIPT

Page 1: Title slide - HIPAA 201: Privacy, An Introduction to the HIPAA Privacy Regulations - with Final Rule Updates (First Consulting Group, October 2002)

Page 2: Presentation Agenda

– Privacy Introduction
– Privacy Requirements and Impacts
  • Use and Disclosure
  • Notice of Privacy Practices
  • Patient Rights
  • Administrative Requirements
– Summary

Page 3: Presentation Objectives

At the end of this presentation, you should:
– Understand the specific HIPAA Privacy requirements (both in the final rule and with changes)
– Understand the business process impacts of the HIPAA Privacy requirements
– Understand the intent of the standards and the “reasonable” application of them in your organization
– Be able to determine your own organizational strategies and next steps for tackling HIPAA Privacy

Page 4: Key Definitions - Covered Entities

HIPAA directly covers:
– Health Plans – an individual plan or group health plan that provides, or pays for the cost of, medical care
– Healthcare Providers – any person or organization who furnishes, bills, or is paid for health care in the normal course of business, such as hospitals, physician services, diagnostic services, outpatient and home health
– Healthcare Clearinghouses – any public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, that processes or facilitates the processing of health information received from another entity

HIPAA indirectly covers:
– Business Associates – a person or organization who performs or assists in the performance of a function or activity on behalf of a covered entity

Page 5: Key Definitions - PHI

Protected Health Information (PHI) is information which:
– Is created or received by a health care provider, health plan, employer or health care clearinghouse
– Relates to the past, present or future health of an individual, or the past, present or future payment for health care
– Identifies an individual, either outright or in a way that could give rise to identifying an individual
  • Eighteen specific identifying elements
– Is transmitted or is maintained electronically or in any other form or medium
  • Explicitly includes Internet, Extranet, leased line, dial-up line and private network transmission
  • Includes information which is stored on paper
  • Includes information read from a computer screen and discussed orally
  • Includes person-to-person telephone calls, video conferencing or voicemail

Page 6: Key Concept - Reasonableness

The reasonableness standard allows covered entities to:
– Apply the rules as appropriate
– Incur minimal costs
– Define “reasonable precautions” based on service, location, or setting
– Eliminate structural changes
  • Soundproofing
  • Private rooms
  • Telephone encryption
– Implement acceptable alternatives
  • Low voice tones
  • Privacy curtains
  • Cubicles

Page 7: Intent of Privacy Rule

The final Privacy Rule seeks to:
– Protect patients while encouraging them to seek care
– Establish a floor of national privacy standards for healthcare providers, health plans and clearinghouses
– Create a framework that can be strengthened by both federal and state government as health information systems evolve; leaves more stringent state law in place
– Balance the needs of the individual with the needs of society
– Improve the quality of healthcare in the U.S.
– Improve the efficiency and effectiveness of healthcare

Page 8: Key Points of Privacy Rule

The Privacy Rule:
– Covers electronic, paper and oral communications
– Allows PHI to be used and disclosed for treatment, payment and health care operations
– Requires patient authorization for use and disclosure of health information for non-routine purposes
– Gives consumers greater access to and control over their health information
– Requires organizations to maintain safeguards for protecting the confidentiality and integrity of health information and to protect against unauthorized access to PHI
– Is designed to ensure that protections for patient privacy are implemented in a manner that maximizes privacy while not compromising either the availability or the quality of medical care

Page 9: Structure

The current HIPAA Privacy regulations are organized into four categories:
1. Use and Disclosure
2. Notice of Privacy Practices
3. Patient Rights
4. Administrative Requirements

Page 10: Use and Disclosure - Rules and Impacts (section divider)

Page 11: Use and Disclosure - Rules

Consent for uses and disclosures:
– A covered entity may obtain a consent of the individual to use or disclose protected health information to carry out treatment, payment and healthcare operations (TPO)

Authorizations: A covered entity must obtain an authorization for uses and disclosures that are not covered by the consent for TPO
– A valid authorization must contain defined core elements
– Generally, an authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization
– A covered entity must document and retain any signed authorizations
– Patients have to grant permission in advance for each type of non-routine use or disclosure
– Providers may use a standardized authorization form

Page 12: Use and Disclosure - Rules

Parents and Minors: Provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice
– If a state has explicitly addressed disclosure of a minor’s health information to a parent, or access to a child’s medical record by a parent, the final rule clarifies that state law governs
– In special cases in which the minor controls his or her own health information under such law, and that law does not define the parent’s ability to access the child’s health information, a licensed health care provider continues to be able to exercise discretion to grant or deny such access, as long as that decision is consistent with the state or other applicable law

Page 13: Use and Disclosure - Rules

Business Associates: PHI may be disclosed to business associates only to help providers and plans complete their healthcare functions
– Covered entities (except small health plans) are given up to an additional year to change existing written contracts to come into compliance with the business associate requirements
– Members of a provider’s, health plan’s, or other covered entity’s workforce are not considered business associates
– Covered entities that exchange PHI for treatment purposes are not considered business associates, such as a physician who discloses information to a hospital where he has admitting privileges
– The Privacy Rule doesn’t “pass through” its requirements to business associates; it has no authority to do so
– In general, covered entities are not liable for privacy violations of business associates, but if they become aware of a “pattern or practice” that is a material breach of the business associate’s contract, they must take “reasonable steps” to correct the problem (subject to legal interpretation)

Page 14: Use and Disclosure - Rules

An Opportunity for the Individual to Agree/Object is Required:
The final rule permits covered entities to use or disclose protected health information provided that the patient:
– Is informed in advance of the use and disclosure; and
– Has the opportunity to agree to, prohibit or restrict the use or disclosure under certain circumstances

§164.510 (a) Facility Directories
§164.510 (b) For Involvement in the Individual’s Care and Notification Purposes

Page 15: Use and Disclosure - Rules

An Opportunity for the Individual to Agree/Object is Required:

Facility Directories:
– Covered entities must inform patients:
  • That it may include certain information in a directory; and
  • To whom it may disclose this information (including clergy)
– Patients must be given the opportunity to restrict or prohibit some or all of these uses and disclosures
– Provisions are outlined for disclosing this information without the patient’s consent under certain emergency circumstances

Individual’s Care:
– Covered entities may disclose to a family member or friend protected health information related to the patient’s care:
  • By obtaining the patient’s agreement when he/she is present;
  • Under certain circumstances using professional judgment when the patient is not present or is otherwise unable to object.

Page 16: Use and Disclosure - Rules

Authorization or Opportunity to Agree/Object are Not Required:
164.512 (a) Required by Law
164.512 (b) Public Health Activities
164.512 (c) Victims of Abuse, Neglect or Domestic Violence
164.512 (d) Health Oversight Activities
164.512 (e) Judicial and Administrative Proceedings
164.512 (f) Law Enforcement Purposes
164.512 (g) Decedents
164.512 (h) Cadaveric Organ, Eye or Tissue Donation Purposes
164.512 (i) Research Purposes
164.512 (j) Averting a Serious Threat to Health or Safety
164.512 (k) Specialized Government Functions
164.512 (l) Workers’ Compensation

Page 17: Use and Disclosure - Rules

Authorization or Opportunity to Agree/Object are Not Required:

Uses and Disclosures Regarding the Food and Drug Administration (FDA):
– The final rule permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities, such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products.

Page 18: Use and Disclosure - Rules

Authorization or Opportunity to Agree/Object are Not Required:

Incidental Use and Disclosure:
– The final rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, if these requirements are met:
  • doctors’ offices may use waiting room sign-in sheets,
  • hospitals may keep patient charts at bedside,
  • doctors can talk to patients in semi-private rooms, and
  • doctors can confer at nurses’ stations without fear of violating the rule if overheard by a passerby.

Page 19: Use and Disclosure - Rules

Other Requirements Relating to Uses and Disclosures of PHI:

De-identified Health Information:
– Health information for which there is no reasonable basis to believe that the information can be used to identify an individual
– De-identified data may be distributed openly

Re-identification:
– With certain restrictions, a covered entity may assign a code or other means of record identification to allow de-identified information to be re-identified by the covered entity

Limited Data Set:
– The final rule permits the creation and dissemination of a limited data set that does not include directly identifiable information, for research, public health, and health care operations
– A covered entity and the recipient of the data must enter into a data use agreement, in which the recipient agrees to:
  • limit the use of the data set to the purposes for which it was given
  • ensure the security of the data
  • not identify the information or use it to contact any individual

Page 20: Use and Disclosure - Rules

Requirements for De-identification of PHI:
The eighteen identifying elements that must be removed are:
– Name
– Street address, city, county, precinct, zip code, and geo-codes
– Electronic e-mail address
– Social security number
– Telephone number
– Fax number
– Medical record number
– All elements of dates (e.g. birth date, admission date, discharge date)
– Health plan beneficiary numbers
– Account numbers
– Certificate/license numbers
– Vehicle identifiers and serial numbers, including license plate numbers
– Device identifiers and serial numbers
– Web Universal Resource Locators (URLs)
– Internet Protocol (IP) address numbers
– Biometric identifiers, including finger and voice prints
– Full face photographic images and any comparable images
– Any other unique identifying number, characteristic, or code

Legend: marked elements (the slide’s marker symbol is not preserved in this transcript) = information that must be excluded to create a limited data set
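As an added example (not code from the FCG presentation), the following Python script applies the de-identification list above, and the re-identification code idea from the preceding slide, to a constructed patient record: fields named for one of the eighteen elements are dropped, free text is scanned for identifier-shaped values (e-mail, SSN, telephone, IP address, URL, dates, zip codes) and redacted, and a random re-identification code is kept in a registry that stays with the covered entity. The field names, the sample record, the regular expressions and the random-token choice for the code are assumptions made for illustration.

```python
"""De-identification check built from the eighteen identifying elements on the
"Requirements for De-identification of PHI" slide. Added example, not part of
the FCG presentation: field names, sample record and regexes are constructed.
The slide removes all elements of dates, so dates are redacted whole."""
from __future__ import annotations

import re
import secrets
from typing import Any

# Record fields that hold one of the slide's identifying elements outright.
# The whole field is dropped, whatever its value.
IDENTIFIER_FIELDS = {
    "name": "name",
    "street_address": "geographic", "city": "geographic", "county": "geographic",
    "precinct": "geographic", "zip": "geographic", "geo_code": "geographic",
    "email": "email", "ssn": "ssn", "phone": "telephone", "fax": "fax",
    "mrn": "medical_record_number",
    "birth_date": "date", "admission_date": "date", "discharge_date": "date",
    "beneficiary_number": "health_plan_beneficiary_number",
    "account_number": "account_number",
    "license_number": "certificate_license_number",
    "vehicle_id": "vehicle_identifier", "license_plate": "vehicle_identifier",
    "device_serial": "device_identifier", "url": "url", "ip": "ip_address",
    "fingerprint": "biometric", "photo": "full_face_image",
}

# Identifiers with a recognisable shape inside free text (e.g. clinical notes).
# Most specific first, so a URL or IP address is not partly eaten by the date
# or zip pattern. The zip pattern also matches any other bare 5-digit number;
# that is acceptable here, since such a number is at best "any other unique
# identifying number" and should not survive either.
TEXT_PATTERNS = [
    ("url", re.compile(r"\bhttps?://\S+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("telephone", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("date", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("zip", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def redact_text(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Replace identifier-shaped substrings with [CATEGORY]; return the new
    text plus an audit list of (category, original value)."""
    findings: list[tuple[str, str]] = []
    for category, pattern in TEXT_PATTERNS:
        def _replace(match: re.Match, category: str = category) -> str:
            findings.append((category, match.group(0)))
            return f"[{category.upper()}]"
        text = pattern.sub(_replace, text)
    return text, findings


def deidentify(record: dict[str, Any]) -> tuple[dict[str, Any], list[tuple[str, str]]]:
    """Drop identifier fields, redact free text, and return (clean record,
    findings) so the covered entity can document what was removed."""
    cleaned: dict[str, Any] = {}
    findings: list[tuple[str, str]] = []
    for field, value in record.items():
        if field.lower() in IDENTIFIER_FIELDS:
            findings.append((IDENTIFIER_FIELDS[field.lower()], f"field:{field}"))
            continue
        if isinstance(value, str):
            value, hits = redact_text(value)
            findings.extend(hits)
        cleaned[field] = value
    return cleaned, findings


def assign_reidentification_code(cleaned: dict[str, Any], source_mrn: str,
                                 registry: dict[str, str]) -> dict[str, Any]:
    """Attach a code that lets the covered entity, and only it, link the
    de-identified record back to its source. Assumption (the slide only says
    "with certain restrictions"): the code is a random token held in a registry
    kept apart from the released data, never a hash of the MRN or of any other
    identifier, so it cannot be reversed without the registry."""
    code = secrets.token_hex(8)
    registry[code] = source_mrn
    return {**cleaned, "reid_code": code}


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "birth_date": "1960-04-12",
    "zip": "12345",
    "admission_date": "2002-10-03",
    "diagnosis_code": "J18.9",
    "note": ("Patient seen 10/03/2002, discussed results by phone 555-123-4567 "
             "and e-mailed jane@example.org; portal https://portal.example.org/p/77 "
             "accessed from 192.0.2.10."),
}

if __name__ == "__main__":
    clean, audit = deidentify(SAMPLE_RECORD)
    released = assign_reidentification_code(clean, SAMPLE_RECORD["mrn"], {})
    print(released)
    print(audit)
```

Identifiers with no fixed shape (medical record numbers, account numbers, “any other unique identifying number”) cannot be caught by pattern matching inside free text, so the findings list is an audit trail of what was removed, not proof that nothing identifying remains.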

Page 21: Use and Disclosure - Rules

Minimum Necessary: Intended to restrict access to and use of PHI to the minimum amount of information necessary to perform a requested action
– The “minimum necessary” standard for use and disclosure of PHI does NOT apply to:
  • Disclosures to providers for treatment purposes;
  • Disclosures directly to the patient;
  • Uses or disclosures for which an individual has signed an authorization;
  • Uses or disclosures required to comply with HIPAA transactions;
  • Disclosures to DHHS that are needed in order to enforce HIPAA;
  • Uses or disclosures that are required by other law.
– The final rule exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization.
– Minimum necessary requirements are still in effect to ensure individuals’ privacy for most other uses and disclosures
– The minimum necessary standard is not intended to impede disclosures necessary for workers’ compensation programs

Page 22: Use and Disclosure - Rules

Research: Covered entities may use or disclose protected health information for research purposes provided that:
– The organization has received IRB or privacy board approval for a waiver of patient authorization
  • The IRB and waiver decision process must be documented;
  • No more than minimal risk exists to individuals for use or disclosure of their information, and their privacy rights and welfare will not be adversely affected;
  • No other practicable method exists for conducting the research absent the waiver or access to the protected information
– The researcher is using the information solely for preparing a research protocol
– The information will not be removed from the covered entity
– The information sought is necessary for the research purposes
– The information will be adequately protected and will not be reused, and identifiers will be destroyed at the earliest opportunity

Page 23: Use and Disclosure - Rules

Marketing Activities:
– Covered entities are required to obtain an individual’s prior written authorization to use his or her protected health information for marketing purposes, except:
  • for a face-to-face encounter
  • or a communication involving a promotional gift of nominal value
– Covered entities are prohibited from selling lists of patients and enrollees to third parties, or from disclosing protected health information to a third party for the marketing activities of the third party, without the individual’s authorization
– Doctors and other covered entities communicating with patients about treatment options or the covered entity’s own health-related products and services are not considered to be marketing
  • For example, health care plans can inform patients of additional health plan coverage and value-added items and services, such as discounts for prescription drugs or eyeglasses.

Page 24: Use and Disclosure - Rules

Fundraising:
– A covered entity may use or disclose to a business associate or to an institutionally related foundation certain protected health information for the purpose of raising funds for its own benefit, without an authorization (name, address, phone number, date of episode)

Verification Requirements:
– Prior to any disclosure, a covered entity must verify the identity and authority of any person requesting protected health information, if the identity and/or authority are unknown

Page 25: Use and Disclosure - Impacts

In Summary:
– The final rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care, while providing covered entities with the option of developing a consent process that works for that entity.
– The rule also allows consent requirements already in place to continue.
– Covered entities can disclose protected health information for the treatment and payment activities of another covered entity or a health care provider, and for certain health care operations of another covered
– A covered entity may use and disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to, prohibit or restrict the use or disclosure

Page 26: Notice of Privacy Practices - Rules and Impacts (section divider)

Page 27: Notice of Privacy Practices - Rules

Content of Notice:
– Must provide a written Notice in plain language that contains:
  • Header: “This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
  • Uses and disclosures (for example treatment, third party audits and special studies)
  • Separate statements for certain uses or disclosures
  • Individual rights
  • Covered entity’s duties
  • Optional statement that the covered entity elects to limit its uses or disclosures

Revisions to the Notice:
– Must promptly revise and distribute its Notice whenever there is a material change to the uses and disclosures

Page 28: Notice of Privacy Practices - Rules

Specific Requirements:
– Must be provided no later than the date of the first service delivery, including service delivered electronically
– In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation
– Except in an emergency treatment situation, a covered entity must make a good faith effort to obtain a written acknowledgement of the receipt of the notice
– If not obtained, a covered entity must document its good faith efforts and the reason why the acknowledgment was not obtained
– A covered entity must document compliance with the notice by retaining copies of the notices issued by the covered entity and any written acknowledgments of the receipt of the notice, or documentation of good faith efforts to obtain such written acknowledgements

Page 29: Notice of Privacy Practices - Rules

Provision of Notice:
– Notice must be made available upon request
– Health plans must provide Notice:
  • no later than the compliance date for the health plan
  • at the time of enrollment
  • within 60 days of a material revision of the Notice
  • at least once every three years
– Healthcare providers must provide Notice:
  • no later than the date of the first service delivery
  • have Notice available at the physical delivery site
  • post Notice in a clear and prominent location
  • upon revision, make the revised Notice available
– Electronic Notice:
  • E-mail notification is acceptable
  • If the covered entity knows the e-mail failed, a paper copy of the Notice must be provided

Page 30: Notice of Privacy Practices - Rules

Joint Notice by Separate Covered Entities:
– Covered entities who participate in an organized health care arrangement may comply with provision of Notice by a joint Notice, provided they:
  • Abide by the terms of the Notice with respect to PHI created or received by the covered entity
  • Provide Notice of revisions
  • Describe the covered entities to which the joint Notice applies

Page 31: Notice of Privacy Practices - Impacts

In Summary:
– DHHS makes changes to protect privacy while eliminating barriers to treatment, by strengthening the notice requirement and making consent for routine health care delivery purposes (known as treatment, payment, and health care operations) optional
– The rule requires covered entities to provide patients with notice of the patient’s privacy rights and the privacy practices of the covered entity
– The strengthened notice requires direct treatment providers to make a good faith effort to obtain patients’ written acknowledgement of the notice of privacy rights and practices

Page 32: Patient Rights - Rules and Impacts (section divider)

Page 33: Patient Rights - Rules

Under this section, patients have the following rights:
– Access to Protected Health Information
– Request amendments to their Protected Health Information
– Request restriction of uses and disclosures:
  • On PHI to carry out treatment, payment, and/or healthcare operations
  • Covered entity not required to agree to restrictions
  • If restrictions are agreed to, covered entity may not use or disclose PHI unless in emergency treatment; then that information cannot be further disclosed
  • Terminating a restriction
    – may terminate if the individual agrees to or requests it in writing
    – if the individual agrees orally, the oral agreement is documented in writing
    – after the covered entity has notified the individual in writing
  • Documentation
    – a covered entity must place its agreement to a restriction in writing

Page 34: Patient Rights - Rules

Accounting of Disclosures:
– The authorization process itself adequately protects individual privacy by assuring that the individual’s permission is given both knowingly and voluntarily.
– The final rule exempts disclosures made pursuant to an authorization from the accounting requirements.
– The final rule also exempts from the accounting requirements incidental disclosures, and disclosures that are part of a limited data set.
– The rule provides a simplified alternative approach for accounting for multiple research disclosures, which includes providing a description of the research for which an individual’s protected health information may have been disclosed and the researcher’s contact information

Confidential Communications Requirements:
– Covered entity must make reasonable efforts to allow the individual to receive communications of PHI by alternative means or at alternative locations
  • The reasons for an alternate location may be requested for requests made to a health plan, but not for requests made to a provider
  • Requests may be made under extreme circumstances or if the individual is incapacitated in some way

Page 35


Patient Rights - Impacts

In Summary:

Individuals have the right to request access to their PHI, offer amendments, and receive an accounting of disclosures from the covered entity

Prompt action must be taken on a request (no later than 30 days)

Covered entities must determine the grounds on which access requests may be denied

Access must be provided in a confidential setting that accommodates the individual

Fees may be assessed for reasonable costs (copying, postage, etc.)

Organizations must have a procedure for complaints about such access

Documentation must be kept for all processing of requests

Page 36


Administrative Requirements

Rules
Impacts

Page 37


Administrative Requirements - Rules

Personnel Designations:
– Covered entities must designate a Privacy Official
– Contact person/office responsible for receiving complaints
– Must document personnel designations

Privacy Awareness Training:
– Must train all members of the workforce on policies and procedures (P&Ps)
– Training must occur before the compliance date - 4/14/2003
– All training must be documented

Safeguards:
– Administrative (example: policies and procedures)
– Technical (example: passwords)
– Physical (example: office locks, access areas)
– Must reasonably safeguard PHI from any intentional or unintentional use or disclosure

Page 38


Administrative Requirements - Rules

Complaints to the Covered Entity:
– Must have a process for individuals to make complaints
– Document received complaints and their disposition
– Complaint procedure must be in place regarding the covered entity's policies and procedures

Sanctions:
– Must have and apply sanctions against members of its workforce for violations or breaches of policies/procedures
– All sanctions that are applied must be documented
  • Examples: oral reprimand, written warning and/or termination

Mitigation:
– A covered entity must mitigate, to the extent possible, any harmful effect known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures

Page 39


Administrative Requirements - Rules

Refraining From Intimidating or Retaliatory Acts:
– A covered entity must not intimidate, threaten, coerce, discriminate against or take other retaliatory action against:
  • Individuals for the exercise by the individual of any right under, or for participation by the individual in
  • Individuals and others for filing a complaint, testifying, assisting or participating in an investigation or compliance review

Waiver of Rights:
– A covered entity may not require individuals to waive their rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits

Page 40


Administrative Requirements - Impacts

Policies and Procedures:
– Must implement policies and procedures with respect to PHI
– Changes to policies and procedures are necessary to comply with changes in law
– Changes in law must be promptly documented within the covered entity's policies and procedures
– Changes to privacy practices stated in the Notice must be documented

Documentation:
– Maintain the policies and procedures in written or electronic form
– Must retain a copy of the documentation for 6 years from the date of its creation or the date when it was last in effect

Page 41


Summary

Summary
The Bottom Line
Questions

Page 42


Summary

The biggest areas of impact of HIPAA Privacy on an organization:
– Developing and documenting policies and procedures
– Designating a privacy official
– Identifying and contracting with business associates
– Developing, distributing and acknowledging patient receipt of the Notice of Privacy Practices
– Capturing and providing patients access to the uses and disclosures of their health information not for treatment, payment or healthcare operations
– Training workforce members who have access to patient identifiable information
– Altering the oral communication culture of the organization

Page 43


The Bottom Line

Compliance will be required by April 14, 2003

Civil monetary and criminal penalties for breach of privacy
– If knowingly providing information
  • $50,000 and/or up to 1 year imprisonment
– Under false pretenses
  • $100,000 and/or up to 5 years imprisonment
– Intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm
  • $250,000 and/or up to 10 years imprisonment

Delegated responsibility to the Department's Office for Civil Rights
– Includes responsibility for enforcement
– Comprehensive Enforcement Rule still expected, encompassing all of the Administrative Simplification provisions

Page 44


Questions / Comments?
