hipaa and privacy an overview of the new federal requirements of the health insurance portability...
TRANSCRIPT
HIPAA and Privacy
An Overview of the New Federal Requirements of the Health
Insurance Portability and Accountability Act (HIPAA)
Reid Cushman, UM Ethics [email protected]
forces for health privacy
● a new federal law – called ”HIPAA” – adds national protections for everyone's health information
● however, there are many other sources of health privacy protection
● HIPAA, while important, is only one part of the picture
forces for health privacy
● federal law (HIPAA)
● state law
● licensing and certification bodies (JCAHO, NCQA)
● health professions' licensing organizations (AMA, ANA and many others)
● your own ethical standards
HIPAA and its goals
Health Insurance Portability and Accountability Act
● make health insurance coverage more portable between jobs
● reduce waste and fraud in the health care system
HIPAA and its goals
Health Insurance Portability and Accountability Act
● make the health system “more efficient” overall
● and encourage use of electronic record-keeping systems for health data
the connection to privacy
● paper records are very expensive (even if it seems otherwise)
● it can be difficult to find information when you need it
the connection to privacy
● paper can only be in one place at a time
● record duplication brings potential for error – and more expense
the connection to privacy
● electronic records are much cheaper (in the long run)
● it is much easier to find information -- both for those who should have it, and those who shouldn't
the connection to privacy
● so, a much greater need for security and privacy protections than with paper records
● HIPAA's standards are a national response to the health privacy issues raised by computers
HIPAA's four Standards (“Rules”)
Transactions and Code Sets
standard formats for all electronic transactions
Identifiers
Security
Privacy
HIPAA's four Standards (“Rules”)
Transactions and Code Sets
Identifiers
standard IDs for health plans, providers, employers
Security
Privacy
HIPAA's four Standards (“Rules”)
Transactions and Code Sets
Identifiers
Security
computer, communications protection technologies
Privacy
HIPAA's four Standards (“Rules”)
Transactions and Code Sets
Identifiers
Security
Privacy
procedural protections for all health information
what is covered by HIPAA?
“protected health information” (PHI)
● any identifiable information
● related to the “past, present or future physical or mental health” of a person
● used for treatment, payment or any other function
what is covered by HIPAA?
● protected health information (PHI) can be in “any form or medium”
● electronic, paper and even oral communications of PHI are covered by HIPAA's Privacy Rule
● only totally “de-identified” information is unprotected
who is covered by HIPAA?
“covered entities”
● health providers, health plans, and information clearinghouses
● organizations that provide or pay for health services
● basically, any entity that uses or discloses health data
who is covered by HIPAA?
● customers (patients) of covered entities receive protections – privacy rights – for their health information
● covered entities, and those that work in them, have privacy obligations to ensure that HIPAA protections are achieved
individual rights under HIPAA
● to receive a “Notice of Privacy Practices” outlining how one's health information may be used or disclosed ● to obtain a copy of one's full health record (except for psychotherapy notes)
● to correct – or at least note disagreement – if the record appears to be in error
individual rights under HIPAA
● to know (some of) the persons and organizations to whom one's health information has been disclosed
● to ask for extra protection or confidential communications of particularly sensitive data
● to authorize certain additional “non-standard” uses or disclosures
individual rights under HIPAA
● to be assured that the institution follows appropriate privacy and security practices
● to complain to the covered entity's Privacy Officer – or directly to DHHS Office of Civil Rights – if one believes HIPAA rights have been violated
covered entities' responsibilities
● to give each patient (customer) the Notice that outlines their privacy rights
● the Notice must describe planned uses and disclosures, including the “basic” ones for treatment, payment and health care operations
● written acknowledgment of Notice must be obtained
covered entities' responsibilities
● to provide an opportunity for individuals to discuss any privacy concerns
● all individuals should understand their rights, including what to do if they feel their rights have been violated
● a process must be in place to handle problems and complaints
covered entities' responsibilities
● to get authorization for certain additional kinds of uses and disclosures, beyond those for treatment, payment or basic health care operations
● to undertake the additional uses and disclosures permitted by law in an appropriate manner
covered entities' responsibilities
● to develop reasonable, appropriate privacy and security policies ● to train all members of the workforce in those policies “as necessary and appropriate” to their job duties ● to get assurances from any business associates that handle PHI on the covered entity's behalf
● to use or disclose protected health information only for work-related purposes ● to limit uses and disclosures to the “minimum necessary” to achieve those work purposes
● and to otherwise exercise reasonable caution, to protect all PHI under their control
obligations of health facility workers
obligations of health facility workers
● to understand the facility's privacy and security policies, and follow them
● to try to remedy any privacy problems – or report them to the facility Privacy Officer or DHHS Office of Civil Rights
● HIPAA prohibits covered entities from retaliating or discriminating against a worker who files a complaint
obligations of health facility workers
● note that “incidental uses and disclosures” are considered inevitable, and do not violate HIPAA
● reasonable limits and efforts – appropriate to the circumstances, and the nature of the information – are all that HIPAA requires
compliance timetable
● HIPAA Privacy Rule takes effect on 14 April 2003 for covered entities with more than $5M in annual revenues
● 14 April 2004 is the Privacy Rule deadline for smaller covered entities
● HIPAA Rules for security, transactions and identifiers take effect over the next few years
HIPAA and state law
HIPAA “preempts” state health privacy law unless
● “more stringent” (protective)
● for public health purposes
● for oversight or regulation of the state's health system
Florida health privacy protections
● general right to privacy, and to a notice of one's rights
● right to see, copy records
● right to an accounting of disclosures (from providers)
● right to extra limitations on certain kinds of information (genetic, HIV, mental health, substance abuse)
Florida health privacy protections
● most of Florida's privacy protections are as strong as – or stronger than – HIPAA's
● these protections will remain in force after April 14
● they are in force NOW
sanctions for privacy failures
● Federal civil and criminal penalties for HIPAA violations from $100 per incident up to $250,000 and 10 years in prison
● civil and criminal penalties for state law violations
● institutional reputation and market share
● employee suspension and termination
● loss of professional license
you are also a patient
● with networked computer systems, security of health information anywhere depends on privacy practices everywhere
● thousands of persons may have access to an individual's health record
you are also a patient
● try to treat others' health information the way you'd like yours to be treated, or that of a family member or a close friend
you are also a patient
● that includes attention to safe practices for the new electronic records, the old paper ones, as well as faxes, photocopies and printouts, telephone calls and email
University of Miami Ethics Programs © 2002
Historic computer and electronic equipment images are provided courtesy of the University of Virginia Computer Museum.
All other images are from the UM Ethics Program digital image collection and
are in the public domain.
This presentation may be re-used for non-commercial, educational purposes, with appropriate credit to the source. Any other use requires prior written permission. Information presented herein is believed to be correct at the time of posting. However, these materials are intended for education purposes only; they are not intended or represented as legal advice.
UM Ethics Programs, PO Box 016960 (M-825), Miami FL 33101