An Overview of HIPAA
Presented by the Office of the General Counsel
HIPAA
• Health
• Insurance
• Portability and
• Accountability
• Act
HIPAA's Goals
• Simplify the Administration of
Electronic Health Information
• Protect an Individual's Privacy
Rights with regard to Health
Information
When is HIPAA effective?
• First Deadline: October 2002
– Possible Extension until Oct. 2003
– AU must have Compliance plan
• Privacy Regulations: April 2003
– AU target date for compliance
Who Must Comply?
“Each Covered Entity who
maintains or transmits
health information”
• Health Plans
• Health Care Clearinghouse
• Health Care Providers
Who is a Provider?
“Any person or entity that
furnishes, bills, or is paid for
health care in the normal course
of business.”
– Health Care = any “care, services, or
supplies related to the health of an
individual”
Examples of Providers / Plans
• Student Health Center
• Psychology Clinics
• EAP
• Athletic Department
• Hearing / Eye Clinics
• Self-Insurance Health Plans
4 Key HIPAA Elements
• Electronic Transaction & Code
Set Standards
• Security Standards
• Privacy Regulations
• National Identifiers
Electronic Transaction &
Code Set Standards
• General Rule:
“If a covered entity (either itself or
through an agent) conducts a
Covered Transaction electronically,
the transaction must be conducted
using the HIPAA form.”
Electronic Transaction &
Code Set Standards
Required Elements
1. Covered Entity
2. Electronically transmits
3. Covered Transaction
Covered Transactions
• Submission of Claims for payment
• Checking eligibility
• Enrollment & Disenrollment
• Checking claims' status
• Referrals and pre-certification
• Claims attachments
• Payment & claims remittance
• Coordination of Benefits
Electronic Transaction &
Code Set Standards
Requirements of ETS
• Standard Formats
• Standard Data Content
• Standard Codes
Electronic Transaction &
Code Set Standards
Where to find the ETS standards:
• http://aspe.hhs.gov/admnsimp
• www.wpc-edi.com/HIPAA
• www.afehct.org
Security Standards
• Intended to protect against
– Unauthorized access
– Accidental / Intentional
disclosure to unauthorized
persons
– Alteration, destruction, or loss
Security Standards
Who is Covered?
• Any covered entity
• That Stores information
electronically
• Does not have to be a
covered transaction
Security Standards
- Elements -
• Administrative Procedures
– Protects health info
– Manages personnel Conduct
• Physical Safeguards
– Protects physical systems / buildings
• Technical Security
– Controls access to health information
Administrative Procedures
• Security Analysis
• Information access privileges
• Password & Authentication policies
• Plans for disasters & security breaches
• Disciplinary process & penalties
• Employee & Vendor Training
• Security Officer
Physical Safeguards
• Document ways computer &
physical records are protected
• Use of keys, locks, etc. to
control access to computers
• Restriction of access to
authorized persons
• Tracking of medical records
• Workstation location policy
Technical Security
• Single sign-on technology
• New user IDs, passwords
• Audit trails for health info
Security Standards
General Comments
• Still in proposed form
• Not technically specific
• Amount of security required
is scalable based on dept.
size and resources
Privacy Regulations
• General Rule:
“A covered entity may not use
or disclose Protected Health
Information (PHI) except as
permitted by the privacy
regulations.”
Privacy Regulations
• PHI – Protected Health Information
– Individually Identifiable
– Any form or medium
• Electronic, Oral, or Written
– Created or Received
– Relates to past, present, future condition
or payment of individual
– Exception: FERPA records
Privacy Regulations
• General Requirement:
“Must make reasonable efforts to
limit the use and disclosure of
PHI to the minimum necessary to
accomplish intended purpose.”
Privacy Regulations
Main Elements
• Rules for Use & Disclosure of PHI
• Patient's Rights to Health Info
• Administrative Procedures
• Business Partner Requirement
Rules for Use & Disclosure
Consent vs. Authorization
Consent: If a general written consent is
obtained, a provider may use/disclose
PHI for “TPO”
Authorization: If use/disclosure is not
for “TPO”, use/disclosure forbidden
without a more specific authorization
“TPO” = Treatment/Payment/Health
Care Operations
Rules for Use & Disclosure
“TPO” = Treatment / Payment /
Health Care Operations
Treatment: Provision, coordination,
management of healthcare
Payment: Actions to obtain payment
Operations: Internal day-to-day business
Ex: QA, Peer Review, Customer Service
Rules for Use & Disclosure
Consent
• Must be in plain language
• Must specify use of PHI
• Can be made a prerequisite to
treatment (provider may refuse
treatment if consent is withheld)
• Exceptions: Emergency, Required
by Law, Communication barriers
Rules for Use & Disclosure
Authorization
• Cannot be a condition of treatment
• Must Inform about specific use and
right to refuse, revoke, and inspect
• Psychotherapy Notes require
Authorization
• Examples
• Research
• Marketing
• Fundraising
Patient's Rights
• Right to Notice of Privacy
Practices
• Right of Access to PHI
• Right to Accounting of
Disclosures for 6 years
• Right to request restriction of
TPO use and disclosure, e.g. to
family members
– Provider is not required to agree
to a restriction on TPO
Administrative Procedures
• Document policies, procedures, &
systems to achieve compliance
• Complaint Mechanisms
• Employee Sanctions
• Documented training of employees
• Mitigation of harmful effects
• Designated Privacy officer
Business Associates
• General Rule:
– A covered entity must have a
business associate contract to
ensure that its business associates
also are in compliance with HIPAA's
protection of PHI.
Business Associates
• Business Associates…
– Perform a function involving use /
disclosure of PHI on behalf of the
covered entity
– Perform legal, accounting,
consulting, data aggregation,
administrative, management, or
financial services involving PHI for
the covered entity
Business Associates
• Examples:
– Billing companies
– Computer Vendors
– Attorneys, Accountants, Auditors
– Consultants
– Document storage / destruction
companies
Business Associates
• Business Associate Contracts:
– Restrict use & disclosure of PHI
– Require appropriate safeguards
– Require similar requirements of
subcontractors
– Require B.A. to disclose breaches
– Require B.A. to remedy breaches or
risk termination of contract
Hybrid Entity
• Requirements
– Single Legal Entity
– Primary business is not healthcare
• Advantages
– Only “Healthcare Components”
must comply with HIPAA
• Disadvantage
– Firewall between HC Components
and Non-Components
Hybrid Entity
• Auburn must…
– Identify Healthcare Components
– Identify Business Associates of the
HC Components
– Erect the 'firewalls' between HC
Components & Non-Components
Penalties for Non-Compliance
** Both Individuals & Entities can
incur criminal and/or civil penalties
Civil Penalties: $100 - $25,000
Criminal Penalties: Max 10 yrs. Prison
Max $250,000 fine
HIPAA Timeline
• ETS Standards: October 16, 2002
– Extended to Oct. 2003 w/
University extension
• Privacy Regs: April 14, 2003
• Security Regs: Date expected by
August 2002
Next Steps toward Compliance
1. Fill out the AU HIPAA Survey
2. Review how PHI is stored,
accessed, protected, & destroyed
3. Think about easy steps to better
protect PHI
4. Designate 1+ person to review
specific HIPAA policies
For more HIPAA info…
• www.hipaa.org
– Links to complete final rules &
proposed rules
• www.hipaadvisory.com
– News, primers, and complete rules
• www.hrm.uab.edu/HIPAA
– UAB's training site
Additional Questions?
Contact the Provost’s Office