HIPAA PRIVACY


Office for Civil Rights U.S. Department of Health and Human Services November 8, 2002
Office for Civil Rights 1

The Health Insurance Portability & Accountability Act of 1996
“HIPAA” (Public Law 104-191) Signed August 16, 1996
Title II Subtitle F – Administrative Simplification

Purpose of HIPAA Provisions
• To improve efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data

The Privacy Rule
45 CFR Parts 160 and 164

The Privacy Rule
• April 14, 2001 = Effective Date
• April 14, 2003 = Compliance Date
• April 14, 2004 = Compliance Date (for small health plans)

Relationship to other laws
• First comprehensive federal health privacy protections
• Does not replace federal, state, or other laws that may guarantee individuals even greater privacy protections
• Other state laws might require or permit disclosures
• Only required disclosures under the Rule are (1) to the individual and (2) to HHS

Purpose of the Privacy Rule
• Creates, for the first time, national standards to protect individuals’ medical records and other personal health information

Why is the Privacy Rule needed?

Do You Know Where Your Medical Information Goes?

Who is covered by the Rule?
• Limited by HIPAA to:
  - Health plans
  - Health care clearinghouses
  - Health care providers who transmit any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard
• Business Associates

What is covered by the Rule?
• Protected health information (PHI) is:
  - Individually identifiable health information
  - Transmitted or maintained in ANY form or medium
• Held or transmitted by covered entities or their business associates
• Not PHI:
  - De-identified information
  - Employment records
  - FERPA records

What is a business associate?
• Agents, contractors, others hired to do work on behalf of a covered entity that requires protected health information (PHI)
• Covered entity must obtain satisfactory assurance, usually through a contract, that a business associate will safeguard PHI, and limit its use and disclosure
• Contract transition period

What does the Rule mean for covered entities?
• Accountability
• “Professional standards” are now law
• Changes in:
  - Culture
  - Processes
  - Relationships
  - Documentation

What must covered entities do under the Rule?
• Implement standards to protect and guard against the misuse of individually identifiable health information by the April 14, 2003 compliance date

What are specific requirements for covered entities?
Administrative Requirements: Flexible and Scalable
• Covered entities are required to:
  - Designate a privacy official
  - Develop policies and procedures (on how PHI is going to be handled and on receiving complaints)
  - Provide privacy training to its workforce
  - Implement administrative, technical, and physical safeguards to protect the privacy of PHI

What are specific requirements for covered entities? (Cont’d)
• Covered entities are required to:
  - Develop a system of sanctions for employees who violate the entity’s policies
  - Meet documentation requirements
  - Mitigate any harmful effect of a use or disclosure of PHI that is known to the covered entity
  - Refrain from intimidating or retaliatory acts
  - Not require individuals to waive their rights to file a complaint with HHS or their other rights under this rule

What does the Rule mean for individuals?
• Under the Privacy Rule, individuals have the right to:
  - Notice of privacy practices
  - Access: inspect and copy PHI
  - Amend
  - Accounting
  - Alternative communication
  - Request restrictions
  - Complain to covered entity and HHS

Personal Representatives
• Standard: personal representatives. A covered entity must treat a personal representative as the individual under applicable law in situations involving:
  - Adults and emancipated minors
  - Deceased individuals
  (with respect to PHI relevant to such personal representation)

Personal Representatives (Cont’d)
• Standard: personal representatives. There are exceptions for:
  - Unemancipated minors
  - Where the covered entity has a reasonable belief that there has been or may be domestic violence, abuse, neglect, or endangerment

When is a covered entity permitted to use or disclose PHI?
• In general, there are four categories of uses and disclosures of PHI:
  1. Treatment, payment and health care operations (TPO)
  2. Authorized by the individual
  3. Requiring the individual to agree or object
  4. Permissible public policy disclosures

Boundaries: Uses and disclosures
• TPO (164.502)
  - Treatment = Care
  - Payment = Reimbursement
  - Health care operations = Running the store
  (Specific definitions in the Privacy Rule for each term)

Boundaries: Uses and disclosures
• Authorized by the individual (164.508)
  - Psychotherapy notes generally need an individual’s authorization before use or disclosure
  - Any uses or disclosures not otherwise permitted or required by the Rule
  - Authorizations must be in plain language and contain specific elements

Boundaries: Uses and disclosures
• Requiring an opportunity for the individual to agree or object (164.510)
  - Facility directories (e.g. hospital)
  - PHI for relatives or close personal friends
  - For notification purposes

Boundaries: Uses and disclosures
• Public Policy Disclosures (164.512)
  - Covered entities may use or disclose PHI without authorization only if the use or disclosure comes within one of the listed exceptions and follows its conditions:

Boundaries: Uses and disclosures
• As required by law
• For health oversight
• For public health
• For research
• For law enforcement
• For judicial and administrative proceedings
• For specialized government functions

Boundaries: Uses and disclosures
• To facilitate cadaveric organ, eye and tissue donation and transplants
• About decedents to funeral directors, coroners and medical examiners
• For workers’ compensation
• To report abuse, neglect, domestic violence
• To avert serious and imminent threat to health or safety

Minimum necessary
• Covered entities must make reasonable efforts to limit the use or disclosure of PHI to the minimum amount necessary to accomplish their purpose
• “Role-based” access limits
• Exceptions:
  - Disclosure to individual
  - Disclosure to or request by provider for treatment purposes

Minimum Necessary
• Exceptions:
  - Use or disclosure made pursuant to an individual’s appropriate authorization
  - Use or disclosure required for compliance with the Administrative Simplification Rules of HIPAA
  - Use or disclosure that is required by law
  - Disclosure to HHS for enforcement purposes

Oral Communication: Rule
• All forms of communication covered
• Requires reasonable efforts to prevent impermissible uses and disclosures
• Policies and procedures to limit access/use (“role-based”)
  - Except disclosures to or request by provider for treatment purposes

Overheard, seen in passing…
• “Incidental disclosures”
• The Rule permits uses/disclosures incident to an otherwise permitted use or disclosure, provided minimum necessary and safeguards standards are met
• Examples: talking to patient in semi-private room, talking to other providers if passers-by are present, waiting room sign-in sheets, patient charts at bedside, etc.
• Allow for common practices if reasonably performed

Frequently Asked Questions/Concerns about the Privacy Rule

PATIENT: My doctor needs to discuss my treatment with other doctors and nurses. But the Privacy Rule prohibits doctors and nurses from discussing private health information if there is a possibility that someone will overhear. What if my doctor needs to discuss my condition with a nurse at a busy nursing station, or with me over the phone from someplace other than a private office? The privacy rule prevents these discussions.

The Privacy Rule does not intend to prohibit providers from talking to each other and to their patients.

PHYSICIAN: The privacy rule requires me to monitor the activities of my business associates. I can be found in violation of the rule if my business associate violates the contract, even if I don’t know about it.

Covered entities are not required to monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract.

HOSPITAL: The privacy rule prohibits semiprivate rooms. With two patients in a room, there is no way to guarantee that one won’t overhear health information about the other. Now I’ll have to rebuild my facility to include only private rooms.

The Privacy Rule does not require these types of structural changes be made to facilities. Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

PATIENT: The privacy rule prevents my pharmacist from filling my prescription before I show up and sign that consent. Instead of having the prescription waiting for me, I may have to come to the pharmacy, sign a consent, and then wait around for hours while the prescription is filled.

The Privacy Rule permits covered entities, including pharmacists, to use identifiable health information for treatment, payment, or health care operations without prior patient consent.

HOSPITAL: The privacy rule allows doctors and nurses to see a patient’s entire medical record, if the hospital thinks they need it to do their jobs.

The Privacy Rule does not prohibit use or disclosure of, or requests for an entire medical record. The covered entity must document in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.

INSURER: How are we supposed to do business under this Rule? It would prohibit doctors from faxing information to us, or to each other, or to their patients.

The Rule does not prohibit faxing of individually identifiable health information. Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

INSURER: What happens when I am required to report information under state law? I assume that if some other law requires me to disclose health information, I won’t have to do a big analysis under the privacy rule, or get caught in the middle because the privacy rule might not allow the disclosure?

A disclosure of identifiable health information that is required by another law is permitted by the Privacy Rule.

ANYONE: The Privacy Rule is delayed by the Administrative Simplification Compliance Act that was passed in December 2001.

This law delays compliance with the Transaction and Code Set standards for covered entities that file a compliance plan. This law does not apply to the Privacy Rule. The compliance date for the Privacy Rule is still April 14, 2003. (April 14, 2004 for small health plans).

PATIENT: When my family member comes to pick me up from the hospital, the doctor will still be able to explain my condition and tell him what to expect when I return home. Right?

The Rule permits doctors to discuss a patient’s condition with family or friends involved in the person’s care, unless the patient objects.

A hospital customarily displays patients’ names next to the door of the hospital rooms that they occupy. Will the Rule allow the hospital to continue this practice?

The Rule explicitly permits certain incidental disclosures that occur as a byproduct of an otherwise permitted disclosure. In this case, disclosure of patients’ names by posting on the wall is permitted by the Rule, if the use or disclosure is for treatment or health care operations purposes.*
* Minimum necessary


Are hospitals able to inform clergy about parishioners in the hospital?

Yes, the Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure and does not object.
