HIPAA Privacy & Security, HITECH Act, Accounting for Disclosures
August 8, 2011

Leslie J. Pfeffer, BS, CHP

Health Insurance Portability and Accountability Act
• HIPAA Privacy Rule – April 14, 2003
• HIPAA Security Rule – April 21, 2005
• HITECH Act (part of ARRA) – February 17, 2009
• Final Rule – 2011
• Accounting of Disclosures NPRM – June 2011
HIPAA – Terms
Covered Entity (CE)
• Healthcare Organizations who conduct financial and administrative transactions electronically *
  • Health Plans (Anthem, Medicare, Medicaid, etc.)
  • Healthcare Clearinghouses (Claims Processing)
  • Healthcare Providers (Physicians, Dentists, Optometrists, Chiropractors, Pharmacies)
    • Not Pharmaceutical Companies
    • Not Physicians/Providers who bill all claims on paper

* Qualified electronic transactions – must meet the requirements of the electronic code sets established by HIPAA

HIPAA – Terms
Workforce
• HIPAA defines the workforce to include "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity."
• Persons who do not fall in these categories, but nonetheless perform services on behalf of the covered entity, would be considered part of the workforce of a Business Associate.
HIPAA – Terms
Business Associate
• A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
  • Not a member of the CE’s workforce
  • Needs a Business Associate Agreement
  • Another CE can be a Business Associate to a CE
  • Business Associate requirements do not apply to CEs who disclose PHI to providers for treatment purposes

HIPAA – Terms
Protected Health Information (PHI)
• Individually identifiable health information
• Transmitted or maintained in any form or medium
• Information, including demographic information, that:
  • Is collected from an individual
    • Includes demographics such as name, address, insurance
  • Is created or received by a covered entity
  • Relates to past, present or future physical or mental health
  • Relates to past, present or future payment
  • Gives a reasonable basis to believe the information can be used to identify an individual

HIPAA – Terms
Minimum Necessary
• HIPAA requires you to take reasonable steps to limit the
  • Use of
  • Disclosure of
  • Request for
  PHI to the “Minimum Necessary” to accomplish the intended
• Reasonableness Standard calls for best practice

HIPAA – Indiana University
IU – Hybrid Covered Entity
• Covered components include
  • School of Dentistry
  • School of Optometry
  • IUB Health Center (soon IUPUI Health Center)
  • Speech & Hearing Clinics Bloomington
  • IU Health Plan (self-administered)
• This means these areas conduct “Qualified” electronic transactions such as claims submissions using Indiana University’s Tax ID

HIPAA – Indiana University
• HIPAA applies directly to the Covered Components
  • IU School of Dentistry
  • IU School of Optometry
  • IU Speech & Hearing
  • IU Health Center Bloomington
• HIPAA applies to:
  • Faculty associated with most Health Science Schools*
  • Staff associated with most Health Science Schools*
  • Researchers involved in Human Subject Research
  * Including those in the IU School of Medicine

HIPAA – Major Concepts
• Provide Notice of Uses/Disclosures
  • How the organization might use the PHI
    • Treatment
    • Education
    • Fundraising
    • Research
• Patient’s Rights Under HIPAA
  • Inspect & Copy PHI
  • Request an Accounting of Disclosures
  • Notice of Privacy Practices
  • Permission to Use PHI
  • File a Complaint
• Permission to access and use PHI for Research

HIPAA – Major Concepts
• Safeguard PHI during use & disclosure
  • Administrative
  • Physical
  • Technical
• HIPAA Awareness Training of Workforce
• All Forms of PHI
  • Paper
  • Electronic
  • Oral Communication

HIPAA – Allowed Uses
• A Covered Entity or Covered Component may use/disclose PHI to carry out certain Healthcare Functions without a written authorization from their patients
  • Treatment
  • Payment and
  • Healthcare Operations
  aka TPO

HIPAA – Allowed Uses
• Healthcare Operations
  • Tasks necessary to run a business
    • Quality Assurance/Assessments
    • Accounting
    • Consulting Services
    • Transcription
    • Auditing
    • Education

* Research is not part of Healthcare Operations

HIPAA – Allowed Uses
• Required Notifications
  • Disclosures required by law
  • Disclosures to public health authorities
    • Registries
    • Public Notification requirements
  • Disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA

* Requires an Accounting of Disclosure

Access to PHI for Research
• Since Research is not part of:
  • Treatment
  • Payment or
  • Healthcare Operations
• Need HIPAA Authorization (patient’s permission) to use health information for research; or
• IRB (Privacy Board) approved Waiver of Authorization
• Must comply with the Minimum Necessary

HIPAA – Exceptions
De-identified Data – identifiers:
• Names
• Geographic designations smaller than a State
• Dates relating to the individual
• Telephone numbers
• Fax numbers
• E-mail address
• Social Security number
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers, including license plates
• Device identifiers/Serial Numbers
• Universal resource locators (URLs)
• Internet protocol (IP) address numbers
• Biometric identifiers – finger & voice prints
• Full face photographic images & comparable images
• Any other unique identifying number, characteristic, or code

HIPAA – Exceptions
Limited Data Set
• Limited types of identifiers can be released for research purposes (a Limited Data Set).
• Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient.
• The Limited Data Set can contain:
  • Elements of Dates
  • City, town, state, and ZIP
  • Other unique identifiers, characteristics and codes not previously listed as direct identifiers

HIPAA – Limited Data Set
Identifiers:
• Names
• Geographic designations smaller than a State
• Postal Address, other than town or city, state & zip codes
• Dates relating to the individual
• Telephone numbers
• Fax numbers
• E-mail address
• Social Security number
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers, including license plates
• Device identifiers/Serial Numbers
• Universal resource locators (URLs)
• Internet protocol (IP) address numbers
• Biometric identifiers – finger & voice prints
• Full face photographic images & comparable images
• Any other unique identifying number, characteristic, or code

HIPAA – Other Exceptions
Reviews Preparatory to Research
Covered entity must obtain representation from the researcher that:
• The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory
• PHI will not be removed from the covered entity;
• PHI is necessary for research purposes

HIPAA – Other Exceptions
Decedent Information
Researcher must represent:
• Use or disclosure is solely for research on decedents' information,
• PHI is necessary for research, and
• Individual is a decedent, and provide documentation upon covered entity's request.

* Even though an authorization is not required, this access requires an Accounting of Disclosure

Accounting of Disclosures
• The Privacy Rule grants a patient the right to request and receive an accounting for some “disclosures” of PHI, including disclosures made in connection with certain research projects.
• An accounting is a record of each disclosure of each patient’s PHI. The right to an accounting only applies to disclosures of PHI, not to uses of PHI.

Definitions: Use & Disclosure
• Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity that maintains such information.
• Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

• When a Covered Entity discloses PHI without the permission of the individual, the CE must provide the individual with an accounting of disclosures upon request.
• Accounting must include:
  • Date of the Disclosure
  • Name of the entity or person who received the PHI
  • A brief description of the information disclosed
  • A brief purpose of the disclosure (research study xyz)

• If more than 50 records are accessed (used/disclosed) for research purposes:
  • A form is sent to the appropriate Medical Records Department to notify individuals their record may have been accessed.
  • Include all the information listed on the previous page.
• If fewer than 50 records are accessed, the appropriate information must be indicated in each individual record.

HIPAA – Research Uses
• HIPAA – Recruitment is Research
  • Special Rules for Research apply to Recruitment
• Authorization
  • May need an authorization to recruit, or
  • Waiver of authorization

HIPAA – Authorization
• Must contain "core elements" & "required statements"
• Signed copy must be given to the individual.
• May need to obtain Authorization for the use or disclosure of PHI to create/maintain an IRB approved repository or
• Must be for a specific research study
  • Authorization for future, unspecified research is not permitted
• Must have an Expiration date
  • Can be indefinite but must be identified as such
• Subject must have ability to “revoke”
  • Include exceptions and process
• Minimum Necessary Rule Applies

HITECH Act 2009
• Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery & Reinvestment Act (ARRA) of 2009
  • HITECH creates significant incentives for an expanded use of electronic health records
  • Clarified Criminal & Civil Penalties
  • Increased Civil Monetary Penalties
  • Expansion of Privacy & Security Provisions & Penalties to Business Associates
  • Breach Notification Requirement

HITECH Act 2009
• Increased Civil Monetary Penalties
• Violations occurring after Feb. 18, 2009
• Tier based on nature of violation:
  • Unknowing (least severe)
  • Willful Neglect (most severe)
• Per Violation per Person:
  • $100; $1,000; $10,000 and $50,000
• Annual maximum:
  • $25,000; $100,000; $250,000; and $1.5 million.

HITECH Act 2009
Business Associates
• Business Associates must comply with the HIPAA Privacy Rule
• Business Associates must comply with the HIPAA Security Rule
  • The administrative, physical and technical safeguards of the HIPAA Regulations apply directly to Business Associates
  • Imposes additional obligations upon Business Associates & their subcontractors regarding policies, procedures and documentation

HITECH Act 2009
Business Associates
• Will require Business Associate Agreements to be
• Criminal and Civil Penalties applied to Covered Entities for violations of security and privacy regulations now will apply directly to Business Associates

HITECH Act 2009
Notification of Breach
• Required to notify affected individual(s) of a breach of “unsecure” protected health information
• Applies to:
  • Covered Entities
  • Business Associates
  • Vendors of Personal Health Records (PHR)

HITECH Act 2009
Definition of Unsecure
• Unsecured protected health information is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the
• Secure PHI
  • PHI which is encrypted will be considered “Secure”

HITECH Act 2009
Requirements of Notification
• Contact affected individuals in writing or electronically (with the individual’s permission)
• Posting on website (if 10 or more individuals have outdated contact information and there is not a reasonable way to notify them)
• If more than 500 people affected
  • Notice shall be provided to prominent media outlets
  • Notice must be immediately sent to HHS

Notice of Proposed Rule Making
• Hybrid Entities: The non-covered components of a Hybrid Entity which provide services to covered components would be considered part of the covered components and HIPAA would apply directly.
• Minimum Necessary: Rule requires the Office for Civil Rights (OCR) to provide guidance to help define minimum necessary (no longer would be at the discretion of the CE)
• Compound Authorization: Allow a single authorization to be used even when part of the research might be conditioned and another part might be unconditioned.

Notice of Proposed Rule Making
• Authorization for Future Use: Allowing an authorization for future use.
• Decedents: Information would not be covered by HIPAA after an individual has been deceased for 50 years.
• Required Restriction: If a patient pays out-of-pocket for a medical service and requests that the covered entity not share this information with their insurer, the CE must accommodate this request (no option).
• Copy of Record: For an electronic health record, the entity must be able to provide, at the patient’s request, an electronic version of their PHI.

Notice of Proposed Rule Making
• Must account for disclosures related to treatment, payment and operations; and
• Must provide an access report to an individual that lists who accessed their designated record set – even within the covered entity.

Notice of Proposed Rule Making
Accounting of Disclosures Under the HITECH Act (June 30, 2011)
• The HITECH Act changed the Accounting Requirement by stating that the exceptions for Treatment, Payment and Healthcare Operations no longer apply to an electronic health record (EHR).
• Under section 13405(c), an individual has a right to receive an accounting of such disclosures made during the three (3) years prior to the request.
• Must also provide disclosures by Business Associates or provide the names of the BAs to the individuals to

Notice of Proposed Rule Making
• Further indicates that this same requirement applies to the entire Designated Record Set, which will include Billing records.
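The accounting ledger described in the "Accounting must include" slide and the NPRM slides above, as an added illustration that is not part of the original deck: each event is tagged as a use (stays inside the CE) or a disclosure (leaves the CE), only disclosures are reported, the report is limited to the three years before the request (the NPRM window, applied here to every disclosure including TPO), and the 50-record threshold decides whether a research study is noted per record or via the Medical Records Department form. The `Event` type, the day-based lookback, and the sample ledger are assumptions made for this example.

```python
"""Accounting-of-disclosures ledger (added example; not from the deck)."""
from dataclasses import dataclass
from datetime import date, timedelta

LOOKBACK = timedelta(days=3 * 365)   # NPRM: disclosures in the 3 years before the request
NOTIFY_THRESHOLD = 50                # deck: >50 records -> Medical Records Department form


@dataclass(frozen=True)
class Event:
    """One access to a patient's PHI (hypothetical record layout)."""
    patient_id: str
    when: date
    kind: str         # "use" (inside the CE) or "disclosure" (outside the CE)
    recipient: str    # name of the entity or person who received the PHI
    description: str  # brief description of the information disclosed
    purpose: str      # brief purpose, e.g. "research study xyz"


def accounting(events, patient_id, requested_on):
    """Rows the patient is entitled to: (date, recipient, description, purpose)."""
    start = requested_on - LOOKBACK
    rows = []
    for e in events:
        if e.patient_id != patient_id or e.kind != "disclosure":
            continue  # uses are never accounted for, only disclosures
        if not (start <= e.when <= requested_on):
            continue  # outside the three-year lookback window
        rows.append((e.when.isoformat(), e.recipient, e.description, e.purpose))
    return sorted(rows)


def research_access_route(events, study):
    """Where a study's accesses get recorded, by number of records touched."""
    records = {e.patient_id for e in events if e.purpose == study}
    return "medical_records_form" if len(records) > NOTIFY_THRESHOLD else "per_record_note"


# Constructed sample ledger: one research disclosure, one stale disclosure, one internal use
SAMPLE = [
    Event("p1", date(2011, 3, 1), "disclosure", "Study XYZ team", "lab results", "research study xyz"),
    Event("p1", date(2007, 5, 9), "disclosure", "State registry", "diagnosis code", "public health"),
    Event("p1", date(2011, 4, 2), "use", "Billing office", "claim data", "payment"),
    Event("p2", date(2011, 3, 1), "disclosure", "Study XYZ team", "lab results", "research study xyz"),
]

if __name__ == "__main__":
    for row in accounting(SAMPLE, "p1", date(2011, 8, 8)):
        print(row)
    print(research_access_route(SAMPLE, "research study xyz"))
```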

Leslie J. Pfeffer, BS, CHP
HIPAA & Research Compliance Manager
(317) 278-4521

