HIPAA Aaron K Owada Northcraft Bigby Owada PC 720 Olive Way Suite 1905 Seattle WA 98101 Health Insurance Portability and Accountability Act of 1996 September 23 2004 by wzx45739


Hipaa Form for Contract Labor document sample

More Info
Aaron K. Owada
Northcraft, Bigby & Owada PC
720 Olive Way, Suite 1905
Seattle, WA 98101
Health Insurance
Portability and
Accountability Act of 1996
        September 23, 2004
           Seattle, WA
A Matter of Perspective…
Where C is the hypotenuse and A and B
are the sides of a right triangle,

 A2 + B2 = C2
21 words…
Archimedes’ Principle

 A body
                    20 words
 immersed in a
 fluid is buoyed
 up by a force
 equal to the
 weight of the
 displaced fluid…
The Ten Commandments

              179 words
Lincoln’s Gettysburg Address

                  286 words
US Declaration of

                    1,300 words
HIPAA Privacy

  “The Privacy Rule establishes, for the first
  time, a foundation of Federal protections for
  the privacy of protected health information.
  The Rule does not replace Federal, State, or
  other law that grants individuals even greater

  OCR Guidance, December 3, 2002
  HIPAA Privacy Standards became
  enforceable on April 14, 2003
  Established standards to ensure
  privacy and established rules for:

    When patient permission is required

    What type of permission is required
  Rights that patients have to:
    Access their own information
    Control the flow of their information
    Find out who else has seen their
Who is a Covered Entity (CE)?
  HIPAA Standards apply to:

    Health care providers who transmit
    any health care information in
    connection with certain kinds of
    transactions electronically
    Health plans
    Health care clearinghouses
Are All Health Care Providers
  YES. All health care providers are
  covered only if they transmit health
  information electronically in
  connection with a transaction covered
  by the HIPAA Transaction Rule
What is “electronically”?
  Electronic modes include, but are not
  limited to:
  Creating a file and submitting it by way
  of disks, tapes, or data lines
  Using a clearinghouse or billing service
  to transmit data
What is NOT “electronically”?

  Mailing a paper form

  Faxing a paper from a dedicated fax
  machine (but not a computer desktop
  fax system)

  Calling to obtain information
Are you a Covered Entity?
  Go to: www.hhs.gov/ocr/hipaa
  Click on “What’s New?”
  Scroll down page to:
  “10/25/02 Am I a Covered Entity”
Are there any “loopholes” to
being a Covered Entity?


   Covered entities must comply with national
   standards when conducting the named
   transactions electronically with a covered
   health plan
For purposes of HIPAA Privacy

    Covered entity must protect all
    individually identifiable health
    information, regardless of the
    method in which the data is
    maintained or transmitted (paper,
    electronically or orally)
Should you comply even if you
are not a Covered Entity?
   At some point, HIPAA it is likely that if you
  have protected health information, someone
  will likely argue that HIPAA applies to you.
  See, US ex rel. Stewart v. The Louisiana Clinic
  (E.D. La., December 2002)
  Even before HIPAA was in force, Court
  applied HIPAA anyway by holding that HIPAA
  “demonstrates a strong federal policy of
  protection for patient medical records.”
Pre-emption: State or Federal
  The more stringent law that provide the
  greatest privacy controls, or access to
  their own information.

  45 CFR 160.202(1)
Copying Costs
  HIPAA allows for “reasonable cost-based fee”
  for the cost of actual copying, postage, and
  preparing a summary explanation. “Handling
  fees, chart pulling fees, and “per page fees in
  excess of the direct cost of material are
  specifically not allowed.

  WAC 246-08-400 allows a provider to charge
  $.83 per page for the first 30 pages, and $.63
  per page thereafter. This now serves as a
  cap under HIPAA.
Copying Costs…
  WAC allows a charge of up to $19.00
  for chart pulling or as a clerical/labor
  charge but this is preempted by HIPAA
  which does not allow for this kind of
PHI: Protected Health
  Privacy and security rules address the
  confidentiality and security of PHI.
     PHI can be in any form (paper,
      electronically orally)
     Created or received by a covered entity
PHI: Privacy Health
     Anything that relates to an
      individual’s mental or physical
      condition, treatment, or payment for
      services that identifies the individual
      or could reasonably be used to
      identify the individual

  Employment records of the Covered

  School Records under FERPA (Family
  Educational Rights and Privacy Act)
  Information that does not identify
  individual. However the following
  information must be removed:
   *Geographic subdivisions or references
   that are less than at the State level
   *All elements of dates
   *SSNs or other identifiers
    *Anything else that could identify the
Authorization to Release PHI
  Authorization to give permission to use
  PHI by patient

  Authorization to release is still governed
  by the Washington Uniform Health Care
  Information Act (“WHCIA”) RCW
Consent for Treatment is not
Affected by HIPAA
  Consent for treatment is still governed
  by state law regarding informed
  Consent addresses the concept of a
  patient giving permission to treat
  Authorization addresses the concept of
  a patient giving permission to use their
Authorization to Disclose
Health Care Information
  A health care provider (or anyone who
  assists a health care provider) may not
  disclose health care information without
  written permission from the patient,
  EXCEPT as authorized by RCW
Washington Health Care
Information Act (WHCIA)
Statute provides 12 situations where
  authorization is NOT required
  1. Ongoing health care
  2. Health care education/operations
  3. Prior health care provider
  4. Safety of patients or others
WHCIA cont…
 5. Family members/Close relationships

 Provider knows of the immediate family
 relationship or close relationship,
 unless directed in writing by the patient
 not to make the disclosure.
WHCIA cont…
 6. Successor in Interest
 7. Research
 8. Performance of an “audit”
 9. Correctional Institutions
 10.Directory Information
WHCIA cont…
 11. Media

 Impacted by HIPAA. State law allows name,
 age, sex, residence, occupation, condition,
 and diagnosis to be reported if the patient is
 brought to a health care provider by police,
 fire, sheriff, etc. HIPAA only allows this
 information to be released if the media
 inquires about the patient by name.
WHCIA cont…
 12.Federal or State enforcement
 monitoring or legal authorities
Requirements to Validly
Authorize Disclosure
  1. Be in writing, dated, and signed by
     the patient

  2. Identify the nature of the information that
     may be disclosed

  3. Identify the name, address and
     institutional affiliation of the person to
     whom the information is to be disclosed
Requirements to Validly
Authorize Disclosure
  4. Except for third party payors,
     identify the provider who is to make
     the disclosure; and,

  5. Identify the patient

     RCW 70.02.030(3)

  Medical services provided by health
  care provider

  Very broad, all encompassing definition
 Payment encompasses the various
 activities associated with health care
 providers obtaining payment or
 reimbursement for their professional
Privacy Rule Examples
  Determining the eligibility or coverage
  Risk adjustment
  Billing and collection activities
  Reviewing health care services for
  medical necessity, coverage,
  justification for charges, etc.
  Utilization Review
Business Associate Agreement
  With limited exceptions, a Covered Entity may
  NOT disclose PHI to a Business Associate
  without first obtaining “satisfactory
  assurances” that the PHI will be appropriately
  safeguarded from disclosure.
  A business associate is a person who
  performs a function or activity involving the
  use or disclosure of PHI on behalf of the
  Covered Entity.
Business Associate

  Certain specified services are automatically
  considered business associates if they are not
  part of the Covered Entities workforce and
  they handle or process PHI for the Covered
Business Associate
  Claims Processing (45 CFR Sec.
  Financial consultants
  Lawyers who must review PHI
Business Associate
  Written Contractual Provisions
  Satisfactory Assurance that PHI will be
  Provisions for violation of HIPAA,
  reasonable steps to cure the breach,
  terminate the contract, or to report the
  conduct to HHS
12 Elements for Business
Associate Agreement
  1. Identify permitted use and disclosure of
  2. Prohibit use or disclosure that would
     violate the Privacy Rules
  3. Limit use and disclosure
  4. Safeguard PHI
  5. Report unauthorized use or disclosure
  6. Ensure that agents have the same
Business Associate Agreement
  7. Make PHI available to individuals to
  8. Make PHI available for amendment
  9. Provide an accounting of disclosures
  10. Make internal practice, books, and records
  11. Return or destroy PHI at end of contract
  12. Authorize termination for material breach
Other Considerations
  Hold harmless clause
  Using the Business Associate
  Agreement to change the underlying
Complaint and Grievances
  Final rule at Sec. 160.306(a) provides that
  any person, not just an individual may file a
  complaint with the Secretary
  Complaints must be filed with 180 days of the
  date the complainant became aware of the
  possible violation. Time to file the complaint
  may be extended for good cause by the
Complaints and Grievances
  Provider has a duty to document both
  the complaint and the response,
  resolution or disposition of the
  Complaint must identify the person that
  will address and respond to the
Reply must be in writing…
  A monetary penalty may be not be
  imposed where the failure to comply is
  for a reasonable cause, corrected within
  30 days, and there is no willful neglect.
  $100 for each violation
  Maximum of $25,000 per month
Criminal Penalties
  $25,000 fine
  Up to one year in prison
Governmental Agencies
  Auditors and Enforcers
  HHS Office for Civil Rights (Privacy)
  CMS (Center for Medicare and Medicaid
  Services) for transaction compliance
  HHS OIG for audits and investigations
Governmental Agencies
  DOJ (referral by OIG or they have
  independent authority to investigation
  and indict for civil or criminal violations)
  FTC for Inernet privacy poicy violations
  FBI for criminal enforcement in multi
  state cases
OCR Investigations
  You will be contacted in writing if OCR
  determines that you have violated HIPAA.
  You may be notified that a response is
  Under the enforcement rule, OCR is supposed
  to try to resolve the compliant informally
  “whenever possible.”
  If no resolution is obtained, DHHS has the
  authority to issue a written noncompliance
If No Violations are found…
  OCR is not required to notify you in
  writing that no violation has been

  Confirm the “no violation” assessment
  yourself in writing.
Employee Discipline
  If you find that one of your employees
  has violated HIPAA, you must discipline
  that employee.

  Update your Employee Handbook and
  personnel policies to reflect HIPAA

To top