Public Policy Memorandum Format

					                                                                                         Policy Memorandum 2003-27
                                                                                                          Exhibit 1




                              Health Insurance Portability
                                          and
                                  Accountability Act
                                        (HIPAA)



                          CHAPTER 1
                            OVERVIEW
          USE AND DISCLOSURE
                  OF
     PROTECTED HEALTH INFORMATION




The tools and templates provided in CalOHI Policy and Information Memoranda have generally been authored by HIPAA
workgroups. Users should view the information presented in the context of their own organizations and environments.
Legal opinions and/or decision documentation may be needed when interpreting and/or applying this information.






                                               TABLE OF CONTENTS

GENERAL INFORMATION
  Document Design
  Federal and State Laws and Regulations
  Decision Points
  Regulations
  Examples and Hyperlinks
STRUCTURE OF THE USE AND DISCLOSURE OF PHI GUIDELINES
  General Approach
  Distribution of Use and Disclosure
THE RULE
  Use and Disclosure of PHI
  Authorizations
  TPO
  Incidental Disclosures
  Required Disclosures
  Agreement
  Public Policy
  Verification of Identity
  Other Requirements
  Minimum Necessary
  Safeguards
  Accounting of Disclosures
  Key Points
DECISION POINTS








                        GENERAL INFORMATION


Document      This document presents the process for permitted use and disclosure of
Design        PHI for treatment, payment and health care operation activities. Each
              section provides the HIPAA requirements followed by the general State
              law requirements. Much of the narrative and examples provided are
              derived directly from the preamble, comments and response in the
              November 3, 1999, December 28, 2000, March 27, 2002 and August 14,
              2002 Federal Registers transmitting the Notices of Proposed
              Regulations and Notices of Final Regulations, as well as the July 2001
              Frequently Asked Questions and the October 2002 Guidance document.
              All these documents may be found on the CalOHI website on the
              privacy page at: CalOHI - Privacy.


Federal and   The only State laws discussed in this document are those general laws
State Laws    applying to health care providers and state government agencies. We
and           have not researched nor provided program or function specific federal or
Regulations   State laws. You will need to review the specific State laws and
              regulations, as noted below, in relation to your programs,
              functions, and business practices; and incorporate those into your
              Use and Disclosure Privacy Policies and Procedures.

                            Federal Laws
                            Federal Regulations
                            State Laws
                            State Regulations and
                            State Administrative Procedure Manuals

              When you have developed your Privacy Policies and Procedures, you
              may want to incorporate these into your organization’s administrative
              manual.








           DECISION POINT: Other Laws. What other federal and State laws and
           regulations apply to your program for treatment, payment or health care
           operations use or disclosure of protected health information (PHI)? You
           need to identify any federal laws or regulations or State laws or
           regulations that apply to the use or disclosure of PHI for purposes of
           treatment, payment or health care operations. A preemption analysis will
           need to be completed for State laws and a determination about which law
           applies for other federal laws and regulations. You should contact your
           legal counsel for this activity. This becomes part of your Privacy Policies
           and Procedures.

           You may find the federal regulations on the CalOHI website on the
           Privacy page at: CalOHI - Privacy [www.ohi.ca.gov]. The State laws can
           be found at the California Law page at: Find California Code
           [www.leginfo.ca.gov], or at the CalOHI website on the Legal page at:
           CalOHI - HIPAA Rules - Legal Issues [www.ohi.ca.gov]


Decision   Throughout this document, you will find red boxes containing Decision
Points     Points. Some of these decisions are only for covered entities with
           specific business practices or specific categories of individuals they
           serve. You should review the decision points to determine which apply to
           your business practices. You may consider different alternative solutions
           to each issue and weigh the positive and negative effects of the
           alternatives based on your business practices and applicable federal and
           State laws.

           We have provided a sample decision tool in the Access Process Package
           (Policy Memorandum 2003-22, Exhibit 3) you may use as a format when
           making your decisions. When determining your privacy policies and
           procedures you need to take into consideration the impact of your
           alternative solutions to:
                        Current business practices
                        Organizational strategic plan
                        Public perceptions
                        Clientele, customers or patients
                        Political, if any
                        Financial, and
                        Legal liability

             You should also consider your liability for each alternative. We
             recommend you discuss the analyses and recommendations with your
             legal counsel.

             Once you have established your policies related to these decision
             points, these policies become part of your Privacy Policies and
             Procedures. As part of HIPAA documentation, you should maintain the
             rationale behind your decisions that become part of your Privacy Policies
             and Procedures. This documentation may assist you if DHHS ever
             inquires into your policies.

             We have provided a checklist of these decision points at the end of each
             chapter. You should evaluate each decision point to see if it applies to
             your HIPAA status and/or business practices. You can use the checklist
             to check off those decisions you will need to make. Once you have
             established your policies related to these decision points, these policies
             become part of your Privacy Policies and Procedures.


Regulations As you review the decision points in this document, keep in mind that
            any policies and procedures that affect the public will need to be
            regulated. The Government Code provides that each state agency shall
            issue regulations that implement, interpret, or make specific the law
            enforced or administered by the agency or that govern the agency’s
            procedures. [Government Code § 11340.5 and 11342.600] This will be
            true for any of your Privacy Policies and Procedures that affect the
            public or your clientele, even if the effect results from interactions
            through your business associates. You should discuss the need for
            regulations with your legal counsel. See CalOHI Policy Memorandum
            2003-19 on the Legal Issues page of the CalOHI website: CalOHI -
            California Implementation - Policies and Informational Memos.








Examples     We have provided examples (in blue ink) to assist in understanding the
and          requirements. When you are using Microsoft Word and are referred to
Hyperlinks   another location in the document or a website, you can click on the
             hyperlink and it will send you to the section. If you store all the
             documents in the same folder, the hyperlinks between documents will
             function. In addition, you can click on one of the subjects listed in the
             table of contents and it will take you to the section.








              STRUCTURE OF THE USE AND
             DISCLOSURE OF PHI GUIDELINES
           The HIPAA Privacy Rule requires that covered entities restrict the use
           and disclosure of PHI to only specified purposes. In designing the
           minimum expectations for this process, the Privacy Rule incorporates
           privacy protection for the individual while still allowing the business uses
           of this information (use and disclosure).

General    When looking at protected health information (PHI) within a covered
Approach   entity, there are several determinations that need to be made before
           applying any use or disclosure requirements. These include:

                        What is the activity
                        Who is doing the activity (what type of covered entity)
                        What is the purpose of the activity

           After making this determination, you may then look at the limitations for
           use or disclosure. When defining what activity is being conducted,
           several major activities must be examined. These include treatment,
           payment, health care operations, and public policy. Activities performed
           within these areas are exempt from the need for an authorization for use
           or disclosure by the covered entity.

           When determining if you may use or disclose PHI for an activity, you
           should look at the key factors of:
               Authorizations
               Treatment
               Payment
               Health care operations
               Incidental Disclosures
               Required Disclosures
               Agreement, and
               Public policy

           These considerations are addressed below in the Rule Section of this
           document.
           _________________________________________________________






Distribution  Because of the volume of information that will be distributed as part of
of Use and    the Use and Disclosure package, it will be issued in separate chapters.
Disclosure    The first chapters to be released are noted below with an asterisk. Each
              different permitted purpose for use and disclosure of PHI and other
              requirements will be issued in separate chapters. When all the chapters
              have been released, the chapters will be merged into one document and
              posted on the CalOHI website. The chapters include:

                  Chapter                                  Title
               Chapter 1 *        Overview of Use and Disclosure
               Chapter 2          Glossary
               Chapter 3 *        Authorizations
               Chapter 4 *        Psychotherapy Notes
               Chapter 5 *        Marketing
               Chapter 6          Verification of Identity
               Chapter 7          Treatment, Payment, and Health Care Operations
               Chapter 8          Required Disclosures
               Chapter 9          Opportunity to Agree or Object
               Chapter 10         Required by Law
               Chapter 11         Public Health Activities
               Chapter 12         Health Care Oversight
               Chapter 13         Judicial or Administrative Hearings
               Chapter 14         Law Enforcement
               Chapter 15         Decedents
               Chapter 16         Organ Donations
               Chapter 17         Research
               Chapter 18         Health and Safety
               Chapter 19         Government Functions
               Chapter 20         Fundraising
               Chapter 21         Victims of Abuse, Neglect, or Domestic Violence
               Chapter 22         Pre-Enrollment Underwriting
               Chapter 23         Workers’ Compensation
               Chapter 24         Restricted Use and Disclosure
               Chapter 25         Incidental Disclosures
               Chapter 26         Minimum Necessary
               Chapter 27         Safeguards
               Chapter 28         Accounting of Disclosures








Each chapter may have separate exhibits included. For example, the
chapter on authorizations will contain a sample authorization form. The
chapter on research will include a sample data use agreement, and an
authorization form for research. Sample Notice of Privacy Practices
language will be supplied with most chapters. Where other tools are
needed to implement the chapter, they will be included.








                                     THE RULE

These are generalizations of the different provisions permitting use and disclosure of
PHI by covered entities. You must review the entire rule to determine exactly what is
allowed, when and how. Details about each activity are in the different Chapters as
indicated. The chapters will be issued on a flow basis and posted to the CalOHI
website on the Privacy Page at: CalOHI - Privacy.



Use and           Use applies to covered entities; for members of the covered entities’
Disclosure of     workforce and the business associates’ workforce to use or disclose PHI
PHI               to accomplish their purposes. Minimum necessary applies to all uses
                  except for treatment.

                  Disclosure applies to anyone else; for persons or organizations who
                  receive PHI from covered entities or the covered entities’ business
                  associates. Minimum necessary applies to most disclosures.

                  HIPAA permits covered entities to use or disclose PHI for limited
                  purposes. [45 C.F.R. § 164.506] These purposes include:

                      Authorizations
                      Treatment, Payment and Health Care Operations
                      Incidental Disclosures
                      Required Disclosures
                      Agreement
                      Public Policy
                  _________________________________________________________








Authorizations    HIPAA allows a covered entity to use or disclosure PHI with an
                   authorization from the individual. An authorization must be used
                   for disclosure of:
                       o Psychotherapy notes or
                       o Marketing activities

                 And in all circumstances where:
                     o HIPAA does not permit use or disclosure,
                     o The covered entity has determined that an authorization is
                         required as part of their Privacy Policies and Procedure, or
                     o As required by law.
                     [45 C.F.R. § 164.508]
               (Chapter 3, 4 and 5)



TPO               Use or disclosure for purposes of:
                      o Treatment
                      o Payment, or
                      o Health Care Operations
                      [45 C.F.R. § 164.506]

               (Chapter 7)


Incidental     HIPAA allows use or disclosure of PHI that is incidental in nature and
Disclosures    is otherwise permitted or required by HIPAA provided that the covered
               entity has complied with minimum necessary and safeguarding PHI.
               [45 C.F.R. § 164.502(a)(1)(iii)]

               (Chapter 25)








Required           Required disclosure to:
Disclosures           o Individuals
                      o The Secretary of the U.S. Department of Health and Human
                          Services (DHHS)
                      [45 C.F.R. § 164.502(a)(2)]

                (Chapter 8)


Agreement          Use or disclosure requiring the individual to be given an
                    opportunity to agree or object for:
                       o Facility directories
                       o Relatives and friends involved with treatment, or
                       o Disaster relief
                       [45 C.F.R. § 164.510]

                (Chapter 9)


Public Policy      Use or disclosure for purposes of public policy for:
                       o Activities required by law
                       o For public health activities
                       o For health oversight activities
                       o For judicial or administrative proceedings
                       o For law enforcement
                       o For limited or deceased individuals
                       o For organ donations
                       o For research with Institutional Review Boards/Policy Board
                          Approval or Data Use Agreements
                       o For health and safety
                       o For specific government functions
                       o For fundraising for own organization
                       o Concerning victims of abuse, neglect, or domestic violence,
                          or
                       o Concerning workers’ compensation.
                        [45 C.F.R. § 164.512]
                  (Chapters 10-22)


Verification of   Before any disclosure of PHI a covered entity must verify the identity
Identity          of a person requesting the PHI and the authority of any such person
                  to have access to PHI if the identity or authority is not known to the
                  covered entity.
                  [45 C.F.R. 164.514(h)]
                  (Chapter 6)


Other             HIPAA provides other requirements that relate to use and disclosure
Requirements      of PHI.
                   o De-identification of PHI [45 C.F.R. § 164.514(a)] (Chapter 17)
                   o Limited Data Set [45 C.F.R. § 164.514(e)] (Chapter 17)
                   o Underwriting [45 C.F.R. § 164.514(g)] (Chapter 22)
                   o Verification of Identity [45 C.F.R. § 164.514(h)] (Chapter 6)


Minimum           A covered entity must make reasonable efforts to limit the access to
Necessary         the minimum amount of PHI for the persons in its workforce who need
                  access to PHI to carry out their duties.
                  [45 C.F.R. § 164.514(d)
                  (Chapter 26)


Safeguards        A covered entity must have in place appropriate administrative,
                  technical, and physical safeguards to protect the privacy of PHI.
                  [45 C.F.R. § 164.530(c)]
                  (Chapter 27)








Accounting of   HIPAA provides that an individual has the right to an accounting of
Disclosures     disclosures of PHI made by a covered entity in the six-year period
                prior to the date on which the accounting is requested. There are
                exceptions to what must be tracked and accounted.
                [45 C.F.R. § 164.528]
                (Chapter 28)


Key Points      When looking at use and disclosure of PHI allowed without an
                authorization, other than for treatment, payment or health care
                operations (TPO), remember:

                   o Use and disclosure of PHI for public policy purposes are designed
                     to permit and promote key national health care priorities and to
                     ensure the health care system operates smoothly.
                   o HIPAA cannot be used to provide use or disclosure of PHI if
                     another law prohibits it.








                                 DECISION POINTS

ISSUE | IMPACTS | DATE STARTED | PERCENT COMPLETED | DATE COMPLETED | ITEM DESCRIPTION
      |         |              |                   |                | Applicable federal and State laws and regulations

				