SullyMed Informatics 2003 4
What is HIPAA
A Federal Law intended to:
Improve portability and continuity of health insurance coverage
Combat waste, fraud and abuse in health insurance and health care delivery
Promote use of medical savings accounts
Improve access to long term care services
Simplify administration
HIPAA
TITLE I--HEALTH CARE ACCESS, PORTABILITY, AND RENEWABILITY
TITLE II--PREVENTING HEALTH CARE FRAUD AND ABUSE; ADMINISTRATIVE SIMPLIFICATION; MEDICAL LIABILITY REFORM
TITLE III--TAX-RELATED HEALTH PROVISIONS
TITLE IV--APPLICATION AND ENFORCEMENT OF GROUP HEALTH PLAN REQUIREMENTS
TITLE V--REVENUE OFFSETS
Scene 1
Monday morning, 10 A.M.
Waiting room full, phones ringing, conversations going on all over
Receptionist sitting at the window
Phone on shoulder, caller on hold
Monitor in view of patient
“Good morning Mrs. Jones, you are here for your colonoscopy, did you bring the oncologist’s records?”
Scene 2
MA comes to get Mrs. Jones
Says hello to another patient she knows
Inquires about her daughter
How did husband’s lab test come back?
Patient surprised he had any test
Brings Mrs. Jones back to exam room
Scene 3
Records room, clerks all working and talking
Clerk filing labs asks a coworker if they saw the results on Mr. Smith
Notices duplicate copies of results and throws one in trash can
Scene 4
Billing rep on phone: “Mrs. Jones, we cannot send a bill to a work address.”
“You want to change the diagnosis in your chart? We cannot do that!”
Scene 5
End of day
Charts all over countertops, desks etc.
Wastebaskets full of duplicate copies of reports, letters etc.
Filing cabinets open
Computer screens remain on, open to practice management system
Do We Need a Privacy Regulation?
No Federal law or national standard
State laws inadequate and inconsistent
False sense of privacy with paper charts
Now the sharing of health information with millions is only a mouse click away
Harm from Inappropriate Disclosure of PHI
Mental anguish
Personal discrimination
Economic harm
Non-disclosure of important medical info is a concern for physicians
Core of health care today
Harms patient – physician relationship
Harms quality of care
Who does it apply to?
Health Plans
Health Care Clearinghouses
Health Care Providers
No distinction between small office and large tertiary care hospital
Same rules apply, only implementation differs
Health Information
Any information in any form which:
Is created or received by the practice
Relates to past, present, future physical or mental health or condition of an individual
Relates to past, present, future payment for providing health care
Includes oral, written, electronic information
IIHI
Individually Identifiable Health Information
Information that is a subset of health information collected from an individual and that:
Is created or received by a provider
Relates to past, present, future physical or mental health of the individual, payment for providing the health care, or providing the health care
AND identifies the individual, OR there is a reasonable basis to believe it can be used to identify the individual
Protected Health Information (PHI)
Individually Identifiable Health Information that is transmitted or maintained in any form
Excludes IIHI in:
Educational records (Family Educational Rights and Privacy Act, 20 U.S.C. 1232g)
Employment records held by the office in its role as employer
Use and Disclosure
Use: sharing, analysis, utilization or examination of IIHI within the office
Disclosure: release, transfer, providing access to or divulging IIHI outside the office holding the information
Confidentiality
Carried out or revealed in the expectation that anything done or revealed will be kept private
Entrusted with somebody’s personal or private matters
Privacy
Freedom from observation, intrusion or attention of others
The state of being kept secret
About controlling access to information
Now…
How does it apply to us?
What we can and cannot do
Office’s privacy practices
Patient rights
When do we have to do all this?
What are the penalties if we don’t do this?
Privacy Rule Intent
To protect IIHI from being wrongfully used or disclosed
To protect IIHI from being used or disclosed without an individual’s knowledge
Uses and Disclosures
Required
Permitted
Minimum Necessary
Special Circumstances
Required Disclosures
To the individual when they request access to their information or they request an accounting of disclosures
When requested by the Secretary to investigate compliance with the Privacy Rule
Permitted Uses-Disclosures
To the individual
For TPO (treatment, payment, health care operations)
Incident to another permitted use-disclosure
Pursuant to a valid authorization
As permitted under special circumstances
Minimum Necessary
Must make reasonable effort to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure
Minimum Necessary
Must use, disclose and request only the smallest amount of PHI needed to accomplish the purpose
Access only needed information
Follow office policies and procedures for disclosures
Be careful about disclosing entire medical records
When Minimum Necessary Does Not Apply
Treatment: provider requests PHI for treatment purposes
Individual: disclosures made to the individual
Authorization: pursuant to a valid authorization
Secretary: when the Secretary requests
Law: when required by law
Compliance: when required for compliance with these requirements
Special Circumstances: Use and Disclosure of PHI
Personal representatives
Deceased individuals
Whistleblowers
Victims of a crime
Personal Representatives
Must treat a personal representative as the individual, except:
Unemancipated minor
Abuse or neglect
Adults and Emancipated Minors
If a person has authority to act on behalf of an adult or emancipated minor in making decisions related to health care, must treat that person as the individual with respect to PHI
Durable Power of Attorney
Adult with dementia
Unemancipated Minors
If parent or guardian has authority to act on behalf of unemancipated minor in making decisions about health care, must treat that person as the individual
Unemancipated Minors
May be able to act as the individual when:
Minor consents to health care, no law requires other consent, and the minor has not requested the person to act as a personal rep
The personal rep agrees to confidentiality between minor and provider
Minor may lawfully obtain health care services and consents, e.g. birth control, STD
Deceased Individuals
Must comply with all requirements regarding PHI of a deceased individual
Same rules apply to uses and disclosures
Personal representatives become important
Deceased Individuals
If an executor, administrator, or person has the authority to act on behalf of a deceased individual, must treat that person as the personal representative of the deceased individual.
Abuse – Neglect – Endangerment
May elect not to treat a person as a personal representative if you believe:
Individual is or may be subject to domestic violence, abuse or neglect by the person, OR
Treating the person as a personal rep would endanger the individual, AND
Exercising professional judgment, decides it is not in the best interest of the individual to treat the person as the personal rep
Whistleblowers
The organization is not in violation if a member of its workforce or discloses PHI provided that:
The person or believes the organization is in violation of the rule, AND
Disclosure is to either a health oversight agency or public health authority, OR an attorney
Victims of a Crime
Organization is not in violation if a member of its workforce who is the victim of a crime discloses PHI to a law enforcement official provided that:
PHI is about the suspected perpetrator, AND
PHI disclosed is limited to:
Name, address, DOB, SSN, blood type
Date and time of treatment or death
Description of identifying characteristics: height, weight, gender, race, color of eyes/hair, scars, tattoos
Authorization
Must obtain from the individual for any use/disclosure of PHI other than the following:
TPO
When required by law
As listed in the Privacy Notice
Valid Authorization
Must include specific elements:
Core elements
Required statements
Use the office Authorization Form
Previously used authorization forms will not be valid under the new rules as they lack the necessary specific elements
Authorizations
Individual has the right to revoke at any time, in writing, using the office revocation form
Must document and retain signed authorization forms
Must give copy of signed authorization form to individual
Uses-Disclosures Allowed Outside of TPO
Required by law
Public health activities
Victims of abuse, neglect, domestic violence
Health oversight activities
Administrative proceedings
Law enforcement
Funeral homes and coroners
Organ donations
Specialized government functions
Prior to Any Disclosure Must:
Verify identity of person receiving PHI and their authority to receive it
Ask for verification when on the phone, e.g. if a lab is calling for info, ask them for your tax ID #
Obtain any document, statement or representation from the person requesting the info when such a statement is a condition of the disclosure, e.g. a subpoena
Notice of Privacy Practices
Every employee must read the office’s Notice of Privacy Practice
Must make a good faith effort to give Notice once to every patient and document that effort
Must be prominently displayed in the office
Good Faith Effort
Must make good faith effort to give Notice to every patient
Get written receipt of individual getting the Notice
Retain that receipt
If individual refuses, simply document your efforts and why they failed
E.g. ‘patient refused to take the Notice’
Six Patient Rights
To request restrictions
To receive confidential communication
To inspect and copy PHI
To amend PHI
To receive accounting of disclosures
To obtain a paper copy of notice
Patient Rights
Must know them all
Must know how to implement them
Each has a specific office policy and a procedure on how to implement it
If ever in doubt, ask your Privacy Officer
Right to Request Restriction
Must allow individual to request a restriction on:
Uses and disclosures for TPO
Uses and disclosures for involvement in the individual’s care and notification purposes
Other uses and disclosures in Privacy Notice
Not required to agree to the restriction request
Must document agreed upon restrictions
Right to Request Restriction
If agree to restriction, must abide by it
May use or disclose PHI during emergency treatment when necessary, but must request the provider receiving the info not use or disclose the information any further
An agreed upon restriction is not effective to prevent uses and disclosures permitted or required without authorization
Terminating a Restriction
May terminate agreement to a restriction if:
Individual agrees or requests the termination in writing
Individual orally agrees and this is documented
Inform individual you are terminating the restriction, effective after the notification
How to Request a Restriction
Follow policies and procedures
Must be done in writing using the form provided by the office
Staff cannot agree to or deny the request, only the Privacy Officer can do so
Confidential Communications
Must permit individuals to request receiving PHI by alternative means or at alternative locations
Must accommodate if reasonable
Follow office policy and procedures
Use proper form to obtain the request in writing
Only the Privacy Officer can determine if the request will be approved or rejected
Requests for Access
Follow office policy and procedure
Must be made in writing
Staff members may not approve or reject the request
Only the Privacy Officer can do so
Fees for Providing Copy of PHI
If individual requests copy or agrees to a summary of the PHI can charge reasonable, cost-based fees
This is described in the form individual completes to request access
Denial of Access
To the extent possible, must give access to PHI other than PHI to which there is a ground for denial
Must provide written denial in plain language:
Basis for denial
Statement of right to review, if applicable
Description of how to complain
Right to Amend
Follow office policy and procedure
Use proper form
May deny the request if the PHI:
Was not created by the organization
Is not part of a designated record set
Is excluded from the right to access the PHI
Is accurate and complete
Right to Accounting of Disclosures
Individual has right to receive accounting of disclosures made in the 6 years prior to the date on which the accounting is requested
Can be for a shorter time period if requested
Concept of Disclosure Accounting
Every patient should be aware of disclosures of their PHI
If they are already aware of the disclosure then you need not keep track of it (e.g. authorizations)
If they are not aware of the disclosure then you need to keep track of it so you can tell them if they ever ask (e.g. subpoenas)
Accounting of Disclosures
Must keep track of disclosures as they are done
Follow office policy and procedures
Use proper form to document the disclosures as they occur
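The slides on minimum necessary, the purposes exempt from it, and which disclosures need an accounting entry describe one decision that a practice management system has to make on every release of PHI. The Python below is an added example, not code from the deck or from SullyMed; the role-to-field map, the purpose labels and the patient chart are constructed assumptions, since the deck names the roles and purposes but no field list.

```python
from dataclasses import dataclass, field
from datetime import date

# Purposes the deck lists as exempt from "minimum necessary": a provider's
# treatment request, disclosure to the individual, a valid authorization,
# a request from the Secretary, required by law, and compliance.
MIN_NECESSARY_EXEMPT = {"treatment", "to_individual", "authorization",
                        "secretary", "required_by_law", "compliance"}
# Disclosures the patient already knows about (TPO, to themselves, under
# their own authorization) are not tracked for the accounting of disclosures.
NOT_ACCOUNTED = {"treatment", "payment", "operations", "to_individual",
                 "authorization"}
# Hypothetical role -> field sets (constructed; the deck gives no field list).
ROLE_FIELDS = {
    "receptionist": {"name", "dob", "appointment"},
    "billing": {"name", "address", "dob", "insurance_id", "procedure_code"},
    "records_clerk": {"name", "dob", "record_id"},
}


@dataclass(frozen=True)
class Disclosure:
    patient: str
    recipient: str
    purpose: str
    fields: frozenset
    when: date


def years_before(d, years):
    """Same calendar date `years` earlier (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


@dataclass
class DisclosureLedger:
    entries: list = field(default_factory=list)

    def disclose(self, role, patient, recipient, purpose, requested, record, when):
        """Release only what the role and purpose allow; log it when required."""
        wanted = set(requested) & set(record)
        if purpose not in MIN_NECESSARY_EXEMPT:
            wanted &= ROLE_FIELDS.get(role, set())   # minimum necessary
        if wanted and purpose not in NOT_ACCOUNTED:
            self.entries.append(Disclosure(patient, recipient, purpose,
                                           frozenset(wanted), date.fromisoformat(when)))
        return {k: record[k] for k in sorted(wanted)}

    def accounting(self, patient, requested_on, years=6):
        """Disclosures to report: up to the 6 years before the request date."""
        end = date.fromisoformat(requested_on)
        start = years_before(end, min(years, 6))
        return [e for e in self.entries
                if e.patient == patient and start <= e.when <= end]
```

A billing release under "payment" is trimmed to the billing role's fields and is not logged, while a release "required_by_law" (a subpoena) goes out as requested and is logged so the patient can be told about it if they ever ask.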
Complaints
Must provide a way patients can file a complaint:
Concerning policy and procedures
Concerning compliance
Must document all complaints
Follow office policy and procedures
Physical Safeguards
Shred all documents with PHI prior to disposal
Non-employees are not allowed in the medical records area unless escorted
Non-employees are not allowed in the patient care areas unless escorted
All printers and fax machines will be located in non-public areas of the office
Technical Safeguards
Password based log in procedure to computer system
Limiting PHI access to the minimum necessary to perform job functions: Role Based Access Control
Automatic logoff after inactivity
Administrative Safeguards
Remind employees to protect patient confidentiality
Enforce use of strong passwords to access computer system
No sharing of passwords
Limit information left on answering machines or with family members
Administrative Safeguards
Have sender of a fax verify the number is correct for the intended recipient before sending the fax
Sanctions have been developed for employees violating the office’s privacy policy and procedures
Sanctions
Sanctions have been developed for employees who fail to comply with the office’s Privacy Policies and Procedures
All sanctions applied will be documented and retained for 6 years
Violations
Level 1: Inadvertent or accidental unauthorized use or disclosure of PHI
Level 2: Purposeful or intentional unauthorized use or disclosure of PHI, or more than two Level 1 violations
Level 3: Malicious unauthorized use or disclosure of PHI, or more than two Level 2 violations
Sanctions
Level 1 violation: verbal warning
Level 2 violation: written warning in employee file
Level 3 violation: immediate employee termination
Sanctions
Will not apply:
To whistleblowers
For filing a complaint
For participating in an investigation
Refraining from Intimidating or Retaliatory Acts
May not intimidate, threaten, coerce, discriminate against or take retaliatory action against an individual for:
Filing a complaint
Testifying, assisting or participating in an investigation, compliance review or hearing
Opposing any practice that the individual believes is unlawful and does not involve PHI disclosure
Civil Penalties
Up to $100 per person per violation
Up to $25,000 per person per violation of a single standard for a calendar year
Criminal Penalties
Up to $50,000 and/or imprisonment for 1 year
If offense is under false pretenses, up to $100,000 and/or 5 years in prison
If offense is with intent to sell, transfer or use info for commercial advantage, personal gain or harm, then up to $250,000 and 10 years in prison
Compliance Date for Initial Implementation of Privacy Rule
Health Care Providers: April 14, 2003
Health Plans: April 14, 2003
Small Health Plans: April 14, 2003
Health Care Clearinghouses: April 14, 2003
HIPAA Scene 1
Monday morning, 10 A.M.
Waiting room full, phones ringing, conversations going on all over
Receptionist sitting at the window
Phone on shoulder, caller on hold (put patient on hold)
Monitor in view of patient (monitor should be facing in a direction so only the employee can see it)
“Good morning Mrs. Jones, you are here for your colonoscopy, did you bring the oncologist’s records?” (can ask if she brought records but not be specific)
HIPAA Scene 2
MA comes to get Mrs. Jones
Says hello to another patient she knows
Inquires about her daughter (OK if done so in general terms)
How did husband’s lab test come back? (cannot share PHI unless have authorization from husband; if she inquires about results simply say cannot share that information without written permission from him)
Brings Mrs. Jones back to exam room
HIPAA Scene 4
Records room, clerks all working and talking
Clerk filing labs asks a coworker if they saw the results on Mr. Jones (should not be looking at PHI unless necessary to do job)
Notices duplicate copies of results and throws one in trash can (must shred all documents with PHI before disposing)
HIPAA Scene 5
Billing rep on phone: “Mrs. Jones, we cannot send a bill to a work address.” (must first have identified that the person you are talking to is the correct person; if the patient is requesting it then should accommodate, but get the request in writing from the patient)
“You want to change the diagnosis in your chart? We cannot do that!” (you are right, you cannot change the info, but you need to inform the patient of their right to request an amendment to their PHI)
HIPAA Scene 6
End of day
Charts all over countertops, desks etc. (charts need to be filed properly)
Wastebaskets full of duplicate copies of reports, letters etc. (these should have all been shredded)
Filing cabinets open (if possible, they should all be closed)
Computer screens remain on, open to practice management system (computers should all be logged off from the system)