HIPAA Privacy
GETTING HIPAA PRIVACY TO FLY… A REALISTIC, PRACTICAL APPROACH
Dr. Quack: Getting HIPAA to Fly
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes
HIPAA Privacy (What it is NOT)
Electronic Data Interchange
Medicare electronic claim regulations
Computer software regulations
EDI due in October 2003
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes
Background / History
HIPAA Privacy: 1996 federal law
Protects patient privacy
Gives patients access to their records
Allows patients to amend their records
Background / History
Constantly morphing process over years
Finally gelled last quarter of 2002
Final federal rules published in October
OCR Guidelines published in December
Background / History
AOA HIPAA Privacy Manual published:
160 pages
Charts (directions)
Worksheets
Policy suggestions
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes
Review of Notice of Privacy Practices
Policy 14B on pages 31-32 & copy for posting at end of Manual
Dr. Platypus et al.
Dr. Donald Duck and Daisy Duck
Dr. Daffy Duck and Peking Duck
THE OPTOMETRISTS PRACTICING IN DUCKVILLE, NEBRASKA
Review of Notice of Privacy Practices
This notice describes how medical information about you may be used (in our office) or disclosed (outside our office) and how you can gain access to this information.
Treatment, Payment and Health Care Operations
The most common reason why we use or disclose your health information is for treatment, payment or health care operations
Treatment, Payment and Health Care Operations
Setting up an appointment for you;
Testing or examining your eyes;
Prescribing glasses, contact lenses, or eye medications and
Treatment, Payment and Health Care Operations
Faxing them to be filled; showing you low vision aids;
Referring you to another doctor or clinic for eye care or low vision aids or services; or
Getting copies of your health information from another professional that you may have seen before us.
Treatment, Payment and Health Care Operations
Asking you about your health or vision care plans, or other sources of payment;
Preparing and sending bills or claims; and
Collecting unpaid amounts (either ourselves or through a collection agency or attorney).
Treatment, Payment and Health Care Operations
Administrative and managerial functions:
Financial or billing audits;
Internal quality assurance;
Personnel decisions;
Treatment, Payment and Health Care Operations
Participation in managed care plans;
Defense of legal matters;
Business planning; and
Outside storage of our records.
Treatment, Payment and Health Care Operations
We routinely use your health information inside our office for these purposes without any special permission.
If we need to disclose your health information outside of our office for these reasons, we usually will not ask you for special written permission.
Treatment, Payment and Health Care Operations
We will ask for special written permission when it is required by law.
Other Uses or Disclosures Without Permission
In some limited situations, the law allows or requires us to use or disclose your health information without your permission.
Not all of these situations will apply to us;
Some may never come up at our office at all.
Other Uses or Disclosures Without Permission
When a state or federal law mandates that certain health information be reported for a specific purpose;
Other Uses or Disclosures Without Permission
For public health purposes, such as contagious disease reporting, investigation or surveillance; and
Notices to and from the federal Food and Drug Administration regarding drugs or medical devices;
Other Uses or Disclosures Without Permission
Disclosures to governmental authorities about victims of suspected abuse, neglect or domestic violence;
Uses and disclosures for health oversight activities, such as for the licensing of doctors;
For audits by Medicare or Medicaid; or for investigation of possible violations of health care laws;
Other Uses or Disclosures Without Permission
Disclosures for judicial and administrative proceedings, such as in response to:
Subpoenas;
Orders of courts;
Administrative agencies;
Other Uses or Disclosures Without Permission
Disclosures for law enforcement purposes, such as:
To provide information about someone who is or is suspected to be a victim of a crime;
To provide information about a crime at our office; or
To report a crime that happened somewhere else;
Other Uses or Disclosures Without Permission
Disclosure to a medical examiner to identify a dead person or to determine the cause of death; or
To funeral directors to aid in burial; or
To organizations that handle organ or tissue donations;
Uses or disclosures for health related research;
Uses and disclosures to prevent a serious threat to health or safety;
Other Uses or Disclosures Without Permission
Uses or disclosures for specialized government functions, such as:
For the protection of the president or high ranking government officials;
For lawful national intelligence activities;
For military purposes; or
For the evaluation and health of members of the foreign service;
Other Uses or Disclosures Without Permission
Disclosures of de-identified information;
Disclosures relating to worker’s compensation programs;
Disclosures of a “limited data set” for research, public health, or health care operations;
Other Uses or Disclosures Without Permission
Incidental disclosures that are an unavoidable by-product of permitted uses or disclosures;
Disclosures to “business associates” who perform health care operations for us and who commit to respect the privacy of your health information;
Other uses and disclosures affected by state law.
Uses & Disclosures: Unless You Object…
Unless you object, we will also share relevant information about your care with your family or friends who are helping you with your eye care.
Uses & Disclosures: Unless You Object…
Appointment Reminders
We may call or write to remind you of scheduled appointments, or that it is time to make a routine appointment.
We may also call or write to notify you of other treatments or services available at our office that might help you.
Uses & Disclosures: Unless You Object…
Appointment Reminders
We will mail you an appointment reminder on a post card, and/or
Leave you a reminder message on your home answering machine or with someone who answers your phone if you are not home.
Uses & Disclosures: Only With Authorization
We will not make any other uses or disclosures of your health information unless you sign a written “authorization form.”
Federal law determines the content of an “authorization form”.
Sometimes, we may initiate the authorization process if the use or disclosure is our idea.
Sometimes, you may initiate the process if it’s your idea for us to send your information to someone else.
Uses & Disclosures: Only With Authorization
Typically, in this situation you will give us a properly completed authorization form, or you can use one of ours.
If we initiate the process and ask you to sign an authorization form, you do not have to sign it.
If you do not sign the authorization, we cannot make the use or disclosure.
Uses & Disclosures: Only With Authorization
If you do sign one, you may revoke it at any time unless we have already acted in reliance upon it.
Revocations must be in writing.
Send them to the office contact person named at the end of this Notice.
YOUR RIGHTS Regarding your PHI
The law gives you many rights regarding your health information…
YOUR RIGHT to ask us to restrict uses & disclosures
Ask us to restrict our uses and disclosures for purposes of treatment (except emergency treatment), payment or health care operations.
We do not have to agree to do this, but if we agree, we must honor the restrictions that you want.
To ask for a restriction, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.
YOUR RIGHTS: Confidential Communication
Ask us to communicate with you in a confidential way, such as by phoning you at work rather than at home, by mailing health information to a different address, or by using E Mail to your personal E Mail address.
YOUR RIGHTS: Confidential Communication
We will accommodate these requests if they are reasonable, and if you pay us for any extra cost.
If you want to ask for confidential communications, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.
YOUR RIGHTS: Photocopies
Ask to see or to get photocopies of your health information.
By law, there are a few limited situations in which we can refuse to permit access or copying.
YOUR RIGHTS: Photocopies
For the most part, however, you will be able to review or have a copy of your health information within 30 days of asking us (or sixty days if the information is stored off-site).
You may have to pay for photocopies in advance.
If we deny your request, we will send you a written explanation, and instructions about how to get an impartial review of our denial if one is legally available.
YOUR RIGHTS: Photocopies
By law, we can have one 30 day extension of the time for us to give you access or photocopies if we send you a written notice of the extension. [Nebraska?]
If you want to review or get photocopies of your health information, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.
YOUR RIGHTS: Amending your PHI
Ask us to amend your health information if you think that it is incorrect or incomplete.
If we agree, we will amend the information within 60 days from when you ask us.
We will send the corrected information to persons who we know got the wrong information, and others that you specify.
YOUR RIGHTS: Amending your PHI
If we do not agree, you can write a statement of your position, and we will include it with your health information along with any rebuttal statement that we may write.
YOUR RIGHTS: Amending your PHI
Once your statement of position and/or our rebuttal is included in your health information, we will send it along whenever we make a permitted disclosure of your health information.
By law, we can have one 30 day extension of time to consider a request for amendment if we notify you in writing of the extension.
YOUR RIGHTS: Amending your PHI
If you want to ask us to amend your health information, send a written request, including your reasons for the amendment, to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.
YOUR RIGHTS: Lists of PHI disclosed
Get a list of the disclosures that we have made of your health information within the past six years (or a shorter period if you want).
By law, the list will not include: disclosures for purposes of treatment, payment or health care operations; disclosures with your authorization; incidental disclosures; disclosures required by law; and some other limited disclosures.
YOUR RIGHTS: Lists of PHI disclosed
You are entitled to one such list of disclosures per year without charge.
If you want more frequent lists, you will have to pay for them in advance.
We will usually respond to your request within 60 days of receiving it, but by law we can have one 30 day extension of time if we notify you of the extension in writing.
YOUR RIGHTS: Lists of PHI disclosed
If you want a list of disclosures, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.
YOUR RIGHTS: Copies of Privacy Practices
Get additional paper copies of this Notice of Privacy Practices upon request.
It does not matter whether you got one electronically or in paper form already.
If you want additional paper copies, send a written request to the office contact person named at the end of this Notice.
Use the address, fax or E Mail shown at the beginning of this Notice.
OUR NOTICE OF PRIVACY PRACTICES
By law, we must abide by the terms of this Notice of Privacy Practices until we choose to change it.
We reserve the right to change this notice at any time as allowed by law.
OUR NOTICE OF PRIVACY PRACTICES
If we change this Notice, the new privacy practices will apply to your health information that we already have as well as to such information that we may generate in the future.
If we change our Notice of Privacy Practices, we will post the new notice in our office, have copies available in our office, and post it on our Web site.
COMPLAINTS
If you think that we have not properly respected the privacy of your health information, you are free to complain to us or the U.S. Department of Health and Human Services, Office for Civil Rights.
We will not retaliate against you if you make a complaint.
COMPLAINTS
If you want to complain to us, send a written complaint to the office contact person named at the end of this Notice.
Use the address, fax or E Mail shown at the beginning of this Notice.
If you prefer, you can discuss your complaint in person or by phone.
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes
NOA (AOA) Manual Handout
NOA adaptations of AOA Manual:
HIPAA job title on policies instead of name
Tables added (job titles, etc.)
State law addressed
Index added
Formatted for letterhead
Underline replaces brackets
Inserted Tables (NOA unique)
Personnel names vs. job title
Job Titles vs. PHI
HIPAA Officers’ names
Inserted Tables (NOA unique)
Personnel names vs. job title
Every employee listed
For each employee:
Check each job they perform
Enter date they completed HIPAA training
Inserted Tables (NOA unique)
Job Titles vs. PHI
Every job title listed
Using analysis forms provided: Worksheet 6 or Dr. Quack Assessment, Worksheet 24
Check each type of PHI accessed
Inserted Tables (NOA unique)
HIPAA Officers’ names
List every person with HIPAA role
Check HIPAA role(s) they will perform
Enter date they completed HIPAA training
HIPAA and Nebraska Law
Briefly describes Nebraska state law section at the back of the manual
Inserted here to indicate that there has been a section added
Policy 3A: Affiliated Covered Entities
2 or more entities (example: corporations)
Connected ownership or control
Comply with HIPAA as a single unit
Policy 3B: Health Care Components
Affects hybrid entities (example: retail & optometry)
Should designate portion of business as “health care component”
Only health care component must comply with HIPAA
Otherwise, entire entity must comply with HIPAA
Policy 5A: Privacy Officer
Qualifications
Duties
Who is appointed (refers to HIPAA Personnel Roster)
Policy 5B: Public Information Officer
Qualifications
Duties
Who is appointed (refers to HIPAA Personnel Roster)
Worksheet 6 or Dr. Quack’s Assessment
Gather information on use of PHI in your office
Complete one form for each job description
Keep on hand, proving you made the effort
Worksheet 8: No authorization needed for some use of PHI
Treatment
Payment
Health Care Operations
Policy 7A, 8A, 10A: No Authorization Required for Certain Disclosures of PHI
Treatment, Payment, Health Care Operations
Business Associates
Use or Disclosure required by Law
Others mentioned in Notice of Privacy Practices (also addressed in State Law Appendix)
Policy 9A: Facility Directory
Directory policy applies to an entity where a directory is kept of patients in process of a procedure, et cetera.
9A: Describes what must take place if you have a directory
9A No Directory: ODs who do not maintain a directory need not comply with this section.
Policy 9B: Providing Information to Family & Friends
General policy explained
Oral agreement with patient okay
Worksheet 10: Public Policy Disclosures
For Policy 7A, 8A, 10A (previously reviewed)
See state law section for Dr. Quack’s assessment
Worksheet 11: Marketing & Advertising
Read policy 11A.
Authorization not needed for marketing described in item #4 or #7. (Covers most marketing done by ODs)
Other marketing requires individual authorization of each occurrence.
Policy 11A: Marketing & Advertising
Cannot release PHI to others w/o written authorization:
Pictures
Testimonials
Patient lists to marketers
Can “market” to individual patient:
Services you provide
Materials you provide
Give promotional gifts of limited value
Policy 11A: Marketing & Advertising
Can market w/o use of PHI:
General TV ads
Brochures to occupant
Read the policy carefully
Policy 11A: Marketing & Advertising
OCR changes since AOA printing:
CAN leave non-specific message on answering machine (glasses are ready, appointment tomorrow, due for exam)
CAN send postcard with appointment time
Unless patient requests otherwise
Policy 12A: Disclosures for Research
Need to read carefully if you:
Participate in clinical trials
Conduct research
Worksheet 13: Prepare PHI Disclosure Authorization Form
Use as you feel necessary after reading policies
Policy 13A: PHI Disclosure Authorization Form
Detailed description of what is to be released
Specific purpose
Expiration date
New form for every disclosure
Policy 13B: Personal Representative for Patients
Addresses “standing in the shoes” of the patient regarding PHI:
Parents (and divorced parents)
Guardians
Emancipated minors (not in Nebraska?)
Deceased patients’ representatives
Policy 13B: Personal Representative for Patients
Policy refers to state law section (p. 80) (see items #29, #68, and #69 in parts II & III)
Not specific regarding state law
HIPAA does not appear to present new problems
Dr. Quack cannot give legal advice
See your attorney with real questions
Policy 14A: Prepare Notice of Privacy Practices
Post in reception area (back of handout)
Keep stock in reception area
Distribute to every patient
Request patient to sign receipt (must try)
Receipt/denial kept in record (verify each visit)
Update next visit if policy changes
Policy 14B: Actual Notice of Privacy Practices
Reviewed earlier
Policy 15A (& 16A): Defines Designated Record Set
Contents of patient’s clinical chart
Contents of billing materials
Contents of treatment, orders, laboratory information
Policy 15B: Patient Access to their own PHI
Nebraska Hospital Association’s evaluation of Nebraska statute vs. HIPAA (p. 82)
Reasons for denial: follow HIPAA standard
Charges for copying: Nebraska statute
Dr. Quack’s evaluation:
Time to respond: follow state law (30 days)
Letters responding to Patient Requesting Access to PHI
Letter 1: extension (legal in Nebraska?) (toss??)
Letter 2: agree to access
Letter 3: denial of access
Policy 16B: Amendment of PHI
Patient can request to amend record
If Dr agrees:
Amendment added
New information forwarded to others with record
If Dr disagrees and denies amendment:
Patient can submit letter of disagreement
Dr can attach denial letter & rebut in writing
Letters responding to Patient Requesting Amendment
Letter 1: decline to amend
Letter 2: agree to amend
Letter 3: delay in amending
Policy 17A: Accounting for Disclosures of PHI
Don’t need to account for disclosures:
For treatment, payment, H. C. operations
To patient
To family, friends, or care givers
Authorized
Incidental
Marketing & advertising per exceptions
Policy 17A: Accounting for Disclosures of PHI
Do need to account for disclosures violating policy 11A
If you did everything right there should be nothing to disclose
Letters responding to Patient Requesting An Accounting of Disclosures of PHI
Letter 1: delay of accounting
Policy 18A: Restrictions to Use of PHI
Must allow patient to request to restrict use of PHI that would otherwise not be restricted
You do not have to agree to request
If you do agree you must abide by agreement
Can terminate in writing
May be better never to agree
Policy 19A: Confidential Communication Methods
Must have policy to allow patients to specify special methods of communication with them. Examples:
No answering machines
No post cards
Call at office only
Never call at office
Email only
Must comply with requests agreed to.
Worksheet 20: Business Associates
AOA’s Joanne Lax J.D. recommends the following steps to determine who is a business associate.
Step One: Identify all outside companies with which you do business
Worksheet 20: Business Associates
Step Two: Flag companies that perform health care services on your behalf (i.e. those to which you have outsourced):
Billing service
Optical lab
Quality assurance
Staff training
Worksheet 20: Business Associates
Step Three: Also, flag the companies that perform the following services:
Legal
Accounting
Consulting
Management (office, building, software, etc)
Worksheet 20: Business Associates
Step Four: Of the companies you have flagged, flag again those companies that need to generate, maintain, use, or disclose PHI in order to do their job. Examples:
Billing agents
Software support that sees PHI
Collections agencies
Outside medical transcriptionist service
Companies with two flags are your business associates
Worksheet 20: Business Associates
Business associates that need attention right now fall into any of the following groups:
You do not currently have a written services contract with them.
You have a written services contract with them, but you entered into it after October 15, 2002.
You have a written services contract, but it will expire or need to be renewed before April 14, 2003.
Worksheet 20: Business Associates
Business associates that do not need immediate action:
You have a contract that existed before October 15, 2002, that
Automatically renews, or
Will not expire or be renewed before April 14, 2003.
You have to act on this latter group on the earlier of:
The date that you will renew the contract, or
April 14, 2004.
Note these business associates on the worksheet & complete the columns.
Worksheet 20: Business Associates
Negotiate a business associate contract with each of your business associates, except:
A business associate that only uses, generates, maintains or discloses PHI for treatment purposes.
OCR also excludes payers…
Business Associate Agreements
Policy 21A: BA agreement with AOA language
Policy 21A: BA agreement without AOA language
Your Notice of Privacy Practices must be supplied to BA
BA Follow-up
Do not have to monitor BA for compliance
Do not have to train BA
If learn of non-compliance, must:
Mitigate where possible (per subsequent policy)
Insist BA comply or terminate contract
If fails to comply, must find another vendor
Worksheet 23: You must safeguard PHI
Safeguards come in many forms. The three general categories are:
Administrative (policies & procedures).
Physical (physical plant).
Technological (relating to electronics).
Worksheet 23: You must safeguard PHI
Examples of safeguards include:
Locks on records’ storage rooms or cabinets (or monitoring).
Phones in confidential locations.
Closing doors.
Worksheet 23: You must safeguard PHI
Computer passwords.
Computer screen savers or screen shields.
Limited field access for electronic data.
Worksheet 23: You must safeguard PHI
Turning charts to face the wall in boxes outside patients’ exam rooms.
Prohibiting calls to pharmacies or other providers where they can be overheard.
Prohibiting staff from discussing clinical issues with patients where they can be overheard.
Shredding discarded PHI
Worksheet 23: You must safeguard PHI
This aspect of HIPAA requires unique, individualized solutions based upon:
Your office layout,
Opportunities to easily make physical plant changes,
Budget for physical & technological gadgets,
Workable policies & procedures.
Worksheet 23: You must safeguard PHI
You are not required to go to extremes to guarantee that no PHI will ever be inadvertently disclosed.
“Incidental” disclosures – e.g. unavoidable disclosures secondary to a permitted use or disclosure – are permitted under HIPAA, so long as:
You use reasonable safeguards and
You observe the minimum necessary rule.
Worksheet 24: Minimum Necessary PHI
Using worksheet 6 (or Quack assessment):
Determine which job descriptions must access what PHI
Determine whether the minimum necessary rule is currently being abided by
Determine what changes should be made, if any
Policy 24A: Minimum Necessary Uses
Complete the table titled “Access to PHI by Job Category” found at the front of this manual
Modify records & procedure where practical so that:
Information for a particular task is segregated,
But clinical needs & operations are not compromised in the process of segregation.
Policy 24A: Minimum Necessary Disclosures
For routine disclosures of PHI, determine the minimum necessary amount of PHI needed to respond.
Eye exam report to school (w/ authorization or give to parent)
For non-routine disclosures of PHI, decide how your PO will determine the minimum amount of PHI necessary to respond.
Policy 24A2: Confidentiality Agreement
Referred to but not included in AOA Manual
Fabricated by Dr. Quack
All staff should sign a confidentiality agreement stating their commitment to accessing only the minimum amount of PHI necessary to do their job
Policy 25A: Verification Before Disclosing PHI
You must check the identity & authority of someone:
Signing an authorization on behalf of a patient or
Seeking PHI without an authorization,
if you don’t know this information already.
Policy 25A: Verification Before Disclosing PHI
This should include obtaining copies of applicable documents, such as:
Guardianship papers,
Power of attorney for health care, or
Official badge.
You can rely on documents that appear valid.
You must resolve questions or problems before you can accept the authorization or disclose requested PHI.
Policy 26A: You Must Mitigate Harm from Improper Disclosure
The duty only applies if you "know" of the harm.
You do not have to actively monitor for evidence of harm.
You only have to mitigate harm if it is "practical" for you to do so.
You have full discretion to evaluate each situation, & to take mitigation steps appropriate to it.
Policy 26A: You Must Mitigate Harm from Improper Disclosure
Mitigation can be:
As simple as an apology or correction.
An attempt to get back the PHI disclosed.
Obtaining a signed agreement from receiver not to use or disclose improperly released PHI.
It's up to you in each case.
Policy 27A: Complaints about Violations
Must have a written office policy to accept, thoroughly investigate, and resolve complaints from patients who believe their privacy has not been properly respected.
Policy 28A: De-Identification of PHI
Should you want to use PHI without HIPAA restrictions…
None of HIPAA’s use & disclosure rules apply to information stripped of all identifiers.
Policy 28A: De-Identification of PHI
You can de-identify PHI in one of two ways:
A statistical expert can give an opinion that PHI has been de-identified; or
You can remove the specific identifiers listed in HIPAA’s “safe harbor” method.
Policy 29A & 29B: Limited Data Sets
A limited data set is stripped of some identifiers
You can then disclose PHI for research, public health, or health care operations
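As an added example (not from the presentation or the AOA manual), the following Python applies the two identifier-stripping transformations named in Policies 28A and 29A to a constructed optometry chart record: the safe harbor method, which removes every listed identifier class, and the limited data set, which removes the direct identifiers but keeps dates and town/ZIP. The identifier lists follow 45 CFR 164.514(b)(2) and (e)(2); the field names, the small-ZIP-area set, the free-text patterns and the sample record are assumptions.

```python
import re
from datetime import date

# Direct identifiers a limited data set must drop (45 CFR 164.514(e)(2)).
# Field names are assumed; dates and town/state/ZIP may stay in a limited data set.
LIMITED_DATA_SET_DROP = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
})
# Safe harbor (164.514(b)(2)) drops those plus geography below state level
# and reduces dates to the year; ZIP, birth date and ages are handled below.
SAFE_HARBOR_DROP = LIMITED_DATA_SET_DROP | {"city", "zip", "dob"}
# 3-digit ZIP areas with 20,000 or fewer people must be reported as "000".
# Constructed placeholder set; the real list comes from Census data.
SMALL_ZIP3_AREAS = frozenset({"036", "692"})

# Identifier-looking tokens that tend to hide in free-text chart notes.
NOTE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.\w[\w.]*\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def scrub_free_text(text, keep_dates=False):
    """Redact identifier-looking tokens; returns (scrubbed_text, labels_found)."""
    found = []
    for label, pattern in NOTE_PATTERNS.items():
        if label == "date" and keep_dates:
            continue
        text, n = pattern.subn(f"[{label} removed]", text)
        if n:
            found.append(label)
    return text, found

def safe_harbor_zip(zip_code):
    """Keep the first three ZIP digits unless the area is too small to be safe."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_ZIP3_AREAS else zip3

def age_on(dob, as_of):
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def limited_data_set(record):
    """Policy 29A: strip the direct identifiers, keep dates and town/ZIP."""
    out = {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_DROP}
    if "note" in out:
        out["note"], _ = scrub_free_text(out["note"], keep_dates=True)
    return out

def safe_harbor(record, as_of):
    """Policy 28A safe harbor: remove every listed identifier class."""
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_DROP}
    out["zip3"] = safe_harbor_zip(record["zip"])
    age = age_on(record["dob"], as_of)
    if age > 89:
        out["age"] = "90+"             # ages over 89 are aggregated, no birth year
    else:
        out["age"] = age
        out["birth_year"] = record["dob"].year
    if "exam_date" in out:             # service dates reduce to the year
        out["exam_date"] = out["exam_date"].year
    if "note" in out:
        out["note"], _ = scrub_free_text(out["note"])
    return out

def residual_identifiers(record):
    """Check: which identifier patterns still appear anywhere in the record."""
    blob = " ".join(str(v) for v in record.values())
    return [label for label, p in NOTE_PATTERNS.items() if p.search(blob)]

# Constructed sample chart entry for the example.
SAMPLE = {
    "name": "Daisy Duck",
    "street_address": "12 Pond Lane",
    "city": "Duckville",
    "state": "NE",
    "zip": "68901",
    "dob": date(1931, 3, 2),
    "exam_date": date(2003, 4, 22),
    "phone": "402-555-0101",
    "mrn": "MRN-000123",
    "health_plan_id": "HP-55-9087",
    "diagnosis": "presbyopia OU",
    "note": "Pt called 402-555-0101 on 4/21/2003 to confirm; dilated OU.",
}

if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE))
    print("safe harbor:", safe_harbor(SAMPLE, as_of=SAMPLE["exam_date"]))
```

Note that the limited data set still carries the visit date in the note, which is why it may only go out under a data use agreement, while the safe harbor output reports no residual identifier patterns.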
Policy 29A & 29B: Limited Data Sets
Examples of sharing for health care operations:
Business planning for a health plan or provider.
Sale or merger of a health plan, or
Financial management of a health plan or provider.
120
Policy 29B: Limited Data Set: Data Use Agreement
Similar to a Business Associate Agreement.
Describes the recipient's permitted uses & disclosures.
Requires the recipient to use appropriate safeguards.
Requires the recipient to tell you of any wrongful use or disclosure.
Prohibits the recipient from identifying or contacting the patient.
Requires the recipient's agents to abide by the same conditions as the recipient.
121
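A worked example of the two de-identification levels described above (the Policy 28A safe harbor & the Policy 29A limited data set), added here; it is not code from the AOA manual or from OCR. The record field names, the sample patient, the as-of date, the free-text patterns & the sparse three-digit ZIP list are assumptions made for illustration; the identifier categories are those of 45 CFR 164.514.

```python
"""Safe-harbor de-identification & limited data set derivation.

Added example; not code from the AOA manual or OCR guidance.  The record
field names, the sample patient & the as-of date are assumptions made for
illustration.  Identifier categories follow 45 CFR 164.514(b)(2) (safe
harbor) & 164.514(e) (limited data set).
"""
import re
from datetime import date

# Direct identifiers stripped from BOTH a limited data set & a safe-harbor
# de-identified record (assumed key names).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "full_face_photo",
})

# Dates directly related to the individual: safe harbor keeps the year only.
DATE_FIELDS = ("birth_date", "exam_date")

# 3-digit ZIP areas with 20,000 or fewer people (HHS list, 2000 Census);
# safe harbor replaces these with "000".  Assumed current; verify before use.
SPARSE_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Identifier shapes that leak into free-text notes (assumed formats).
FREE_TEXT_PATTERNS = (
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),   # phone / fax
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),   # e-mail
)

AS_OF = date(2003, 4, 14)  # assumed reference date for computing age

SAMPLE_RECORD = {  # constructed sample; not a real patient
    "name": "Daisy Duck",
    "street_address": "12 Pond Lane",
    "city": "Duckville", "state": "NE", "zip": "68102",
    "phone": "402-555-0142",
    "medical_record_number": "MRN-00042",
    "birth_date": "1940-06-15",
    "exam_date": "2003-04-14",
    "diagnosis": "myopia",
    "notes": "Call 402-555-0142 before dilation; SSN on file 123-45-6789.",
}


def limited_data_set(record):
    """Policy 29A: strip direct identifiers; dates & city/state/ZIP may stay."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def scrub_free_text(text):
    """Redact SSN/phone/e-mail shaped tokens; returns (clean_text, count)."""
    total = 0
    for pattern in FREE_TEXT_PATTERNS:
        text, n = pattern.subn("[REDACTED]", text)
        total += n
    return text, total


def safe_harbor(record, as_of=AS_OF):
    """Policy 28A safe harbor: the limited data set plus the remaining rules."""
    out = limited_data_set(record)
    out.pop("city", None)                       # geography smaller than a state
    zip3 = str(out.pop("zip", ""))[:3]
    if zip3:
        out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
    age = None
    if "birth_date" in out:
        dob = date.fromisoformat(out["birth_date"])
        age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    for field in DATE_FIELDS:                   # year only
        if field in out:
            out[field] = date.fromisoformat(out[field]).year
    if age is not None:
        if age > 89:                            # ages over 89: aggregate, drop year
            out["age"] = "90+"
            out.pop("birth_date", None)
        else:
            out["age"] = age
    if "notes" in out:                          # free text is the usual leak
        out["notes"], out["notes_redactions"] = scrub_free_text(out["notes"])
    return out
```

The limited data set keeps dates & city/state/ZIP, so it is still PHI & needs a data use agreement; the safe-harbor output additionally generalises the ZIP to three digits, reduces dates to the year, aggregates ages over 89, & scrubs free text, which is where identifiers most often survive a field-by-field strip.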
Worksheet 30: Train All Employees
Work force includes more people than your payroll. Work force includes:
All W2 employees.
Students (all kinds).
Volunteers.
Any independent contractor working on-site & under your direct control that you have not treated as a business associate. (See chart 20.)
122
Worksheet 30: Train All Employees
Training can take any form. It can be:
Live lectures.
Purchased on-line training modules.
Review of policies/procedures.
Workbooks.
Any other method that you devise.
Training needs to be job specific.
123
Worksheet 31: State Law vs. HIPAA
A state law that relates to the privacy of PHI but is not contrary to HIPAA remains fully effective after HIPAA. You must comply with both the state law & HIPAA.
A state law that relates to the privacy of PHI, is contrary to HIPAA, & is "less stringent than" HIPAA is pre-empted: HIPAA wipes out the state law, which is no longer effective.
124
Worksheet 31: State Law vs. HIPAA
A state law that relates to the privacy of PHI, is contrary to HIPAA, but is "more stringent than" HIPAA is not pre-empted. All such laws remain in effect after HIPAA.
On that point you must comply with the state law; HIPAA's less protective provision does not apply.
125
Dr. Quack’s State Law Appendix
I: The concept of pre-emption
II: Nebr. Hospital Assoc. review of statutes: 70 statutes & their relationship to HIPAA, with Quack comments on the effect on optometry
III: More detail on statutes affecting ODs
Subpoenas & HIPAA in Nebraska
126
State Law: Before & After HIPAA
It appears little state law is truly pre-empted, based on the Hospital Association evaluation.
State law is therefore unchanged & should prove no greater problem than previously.
Optometrists should read & review the last two sections of the Quack appendix: detail on sections possibly related to optometry, & subpoenas (discovery).
Seek legal advice with additional questions.
127
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes
128
OCR Guidelines
The HIPAA Privacy Rule is not intended to impede these customary & essential communications & practices &, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards.
129
OCR Guidelines
The Privacy Rule permits certain incidental uses & disclosures of PHI when the covered entity has in place reasonable safeguards & minimum necessary policies & procedures.
130
Reasonable Safeguards
Speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
Avoiding using patients’ names in public hallways & elevators
131
Reasonable Safeguards
Posting signs to remind employees to protect patient confidentiality;
By supervising, isolating, or locking file cabinets or records rooms;
By providing additional security, such as passwords, on computers maintaining personal information.
132
More Safeguards
Ask waiting customers to stand a few feet back from a counter used for patient counseling.
Use of cubicles, dividers, shields, curtains, or similar barriers where multiple patient-staff communications routinely occur
133
Minimum Necessary Rule
Requires that access to PHI be limited to what each person needs to perform their job duties.
Unimpeded access to PHI, where not necessary for the job at hand, is not applying the minimum necessary standard.
Any incidental use or disclosure that results from not applying the Minimum Necessary Standard is not a permitted incidental disclosure; it is an unlawful one.
134
Minimum Necessary Rule
The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes
135
OCR Guidelines FAQs....... confidential conversations
Q: Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?
A: Yes, when using reasonable safeguards.
136
OCR Guidelines FAQs....... confidential conversations
Free to engage in communications as required for quick, effective, & high quality health care.
Overheard communications in these settings may be unavoidable & are allowed as incidental disclosures.
137
OCR Guidelines FAQs....... confidential conversations
When using reasonable safeguards:
Health care staff may orally coordinate services at hospital nursing stations.
Staff may discuss a patient's condition over the phone with the patient, a provider, or a family member.
A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
138
OCR Guidelines FAQs....... confidential conversations
HIPAA Privacy does not require:
Private rooms.
Soundproofing of rooms.
Encryption of wireless or other emergency medical radio communications.
Encryption of telephone systems.
139
OCR Guidelines FAQs....... Mailings & phone calls
Q: May physician’s offices or pharmacists leave messages at patient’s homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?
140
OCR Guidelines FAQs....... Mailings & phone calls
A: Yes.
Limit the PHI disclosed on the answering machine.
Consider leaving only name & number & the PHI necessary to confirm an appointment, or ask the individual to call back.
May leave a message with a family member or other person who answers the phone when the patient is not home.
141
OCR Guidelines FAQs....... Confidential Communications
Where a patient has requested confidential communication, you must accommodate that request if it is reasonable. Examples:
Mailings in an envelope, not a postcard.
Mail sent to a P.O. box, not to the home.
Calls received at the office, not at home.
142
OCR Guidelines FAQs....... Sign-in sheet
Q: May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
A: Yes. But the sign-in sheet may not display medical information that is not necessary for the purpose of signing in.
143
OCR Guidelines FAQs....... Charts on doors
Q: Are charts outside of exam rooms prohibited?
A: No. Using reasonable safeguards & the minimum necessary rule, covered entities must simply evaluate what measures make sense in their environment & tailor their practices & safeguards to their particular circumstances.
144
OCR Guidelines FAQs....... Charts on doors
You may maintain patient charts outside of exam rooms, displaying patient names on the outside of patient charts…
Possible safeguards may include: supervising the area; placing patient charts facing the wall or otherwise covered.
145
OCR Guidelines FAQs....... Announcing names
You may announce patient names & other information over a facility's public announcement system.
Possible safeguards may include: limiting the information disclosed over the system, such as referring the patients to a reception desk.
146
OCR Guidelines FAQs....... Overheard conversation
Examples of incidental uses & disclosures that are permitted when reasonable safeguards are in place:
A provider may be overheard, in the reception area, instructing staff to bill a patient for a particular procedure.
A health plan employee discussing a patient's health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.
147
OCR Guidelines FAQs....... Office re-design
Q: Are covered entities required to restructure workflow systems, redesign office space & upgrade computer systems to comply with the HIPAA Privacy Rule?
A: The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses.
Use the reasonable safeguards & the minimum necessary rule listed earlier.
148
OCR Guidelines FAQs....... Configuring records
When considering record configuration, take into account your ability to configure your record systems to allow access to only certain fields, & the practicality of organizing your systems to allow this capacity.
149
OCR Guidelines FAQs....... Configuring records
It may not be reasonable for a small, solo practitioner using paper records to give one employee access to only some fields of a record while other employees have complete access to it.
In this case, appropriate training of employees may be sufficient.
150
OCR Guidelines FAQs....... Configuring records
Alternatively, a hospital [or large clinic] with an electronic patient record system may reasonably implement such controls.
151
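The field-level access that the guidance describes for an electronic record system, as an added example; it is not the AOA manual's code nor any vendor's. The sections (demographics, examination, claims), the roles, the users & the sample patient are assumptions. It also carries the treatment exception from the Minimum Necessary Rule slide: the whole record may go to another treating provider, but the disclosure is still logged.

```python
"""Minimum-necessary, role-based access to a sectioned patient record.

Added example; not the AOA manual's or any record-system vendor's code.
The sections (demographics, examination, claims), the roles & the sample
patient are assumptions made for illustration.
"""
from datetime import datetime, timezone

# Which record sections each workforce role needs for its job (assumed).
# Anything not listed is denied: the policy is deny-by-default.
ROLE_SECTIONS = {
    "front_desk": {"demographics"},
    "optometrist": {"demographics", "examination"},
    "billing": {"demographics", "claims"},
}

SAMPLE_RECORDS = {  # constructed sample data; not a real patient
    "P-001": {
        "demographics": {"name": "Daisy Duck", "phone": "402-555-0142"},
        "examination": {"acuity": "20/40 OD, 20/30 OS", "dx": "myopia"},
        "claims": {"payer": "Pond Health Plan", "cpt": "92014", "amount": 120.0},
    },
}


class RecordStore:
    """Serves each record filtered to the requesting role & logs every request."""

    def __init__(self, records, role_sections):
        self._records = records
        self._role_sections = role_sections
        self.access_log = []  # audit trail reviewed by the privacy officer

    def _log(self, user, role, patient_id, sections, outcome):
        self.access_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "sections": sorted(sections), "outcome": outcome,
        })

    def view(self, user, role, patient_id, sections=None):
        """Return only the sections the role is permitted to see.

        `sections` lets a user ask for less than the role's maximum.  Asking
        for a section outside the role is refused & logged, not silently
        trimmed, so over-reach shows up in the audit trail.
        """
        allowed = self._role_sections.get(role, set())   # unknown role: nothing
        wanted = set(sections) if sections else allowed
        if not wanted or not wanted <= allowed:
            self._log(user, role, patient_id, wanted, "denied")
            raise PermissionError(f"{role} may not access {sorted(wanted - allowed)}")
        record = self._records[patient_id]
        self._log(user, role, patient_id, wanted, "allowed")
        return {s: record[s] for s in wanted if s in record}

    def disclose_for_treatment(self, user, role, patient_id, recipient):
        """Provider-to-provider treatment disclosure.

        The minimum-necessary standard does not apply here, so the whole
        record goes, but only a treating provider may send it & the
        disclosure is still logged.
        """
        if role != "optometrist":
            self._log(user, role, patient_id, set(), "denied")
            raise PermissionError("only a treating provider may disclose for treatment")
        record = self._records[patient_id]
        self._log(user, role, patient_id, set(record), f"treatment disclosure to {recipient}")
        return dict(record)


def is_denied(store, *args, **kwargs):
    """True when `store.view(...)` refuses the request (exercises the deny path)."""
    try:
        store.view(*args, **kwargs)
    except PermissionError:
        return True
    return False
```

Denials are logged alongside grants on purpose: a front-desk login repeatedly asking for the examination section is exactly the pattern the privacy officer wants to see when reviewing the trail, & a silent trim would hide it.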
OCR Guidelines FAQs....... Business Associate
Examples of Business Associates:
A third party administrator that assists a health plan with claims processing.
A CPA firm whose services involve access to PHI.
An attorney whose services involve access to PHI.
A consultant that performs utilization reviews for a hospital.
152
OCR Guidelines FAQs....... Business Associate
Examples of Business Associates:
A health care clearinghouse that translates a claim from non-standard to standard format & forwards it to a payer.
An independent medical transcriptionist that provides transcription services to a physician.
153
OCR Guidelines FAQs....... BA Agreement NOT needed
A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.
154
OCR Guidelines FAQs....... BA Agreement NOT needed
When a health care provider discloses PHI to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan's network.
A provider that submits a claim to a health plan & a health plan that assesses & pays the claim are each acting on its own behalf as a covered entity, & not as the "business associate" of the other.
155
OCR Guidelines FAQs....... BA Agreement NOT needed
With persons or organizations whose functions do not involve the use or disclosure of PHI (e.g., janitorial service, copier maintenance, electrician).
With a conduit for PHI, for example, the US Postal Service, certain private couriers, & their electronic equivalents.
When a financial institution processes consumer-conducted financial transactions
156
OCR Guidelines FAQs....... Business Associate
Q: Is a software vendor a business associate of a covered entity?
A: Maybe. The mere selling or providing of software to a covered entity does not give rise to a business associate relationship.
If the vendor has access to PHI of the covered entity in order to provide its service (for example, it hosts the records or reaches into the system for remote support), the vendor would be a business associate.
157
OCR Guidelines FAQs....…….. No permission needed
Q: Can a patient have a friend or family member pick up a prescription for her?
A: Yes. A pharmacist may use professional judgment & experience with common practice to make reasonable inferences of the patient's best interest in allowing a person other than the patient to pick up a prescription.
158
OCR Guidelines FAQs....…….. No permission needed
Q: Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
A: Yes. A covered entity or its business associate (e.g., a collection agency) may disclose PHI as necessary to obtain payment for health care, & there is no limit on whom such a disclosure may be made to.
159
OCR Guidelines FAQs....…….. No permission needed
However, the Privacy Rule requires you to:
Place a reasonable limit on the amount of information disclosed.
Abide by any reasonable requests for confidential communications.
Honor any agreed-to restrictions on the use or disclosure of PHI.
160
OCR Guidelines FAQs....…….. No permission needed
Q: Does the HIPAA Privacy Rule prevent health plans & providers from using debt collection agencies?
A: The Privacy Rule permits use of debt collection agencies through a business associate arrangement.
Disclosures to collection agencies are governed by provisions such as the business associate & minimum necessary requirements.
161
OCR Guidelines FAQs....…….. No permission needed
Q: Does the HIPAA Privacy Rule permit an eye doctor to confirm a contact lens prescription received from a mail-order contact lens company?
A: Yes. The disclosure of PHI by an eye doctor to a distributor of contact lenses for the purpose of confirming a contact lens prescription is a treatment disclosure, & is permitted under the Privacy Rule at 45 CFR 164.506.
162
OCR Guidelines FAQs....…….. No permission needed
Q: Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient’s authorization?
163
OCR Guidelines FAQs....…….. No permission needed
A: Yes. The HIPAA Privacy Rule permits disclosure of PHI without authorization to another health care provider for treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity.
164
OCR Guidelines FAQs... Marketing
Q: Can contractors (business associates) use PHI to market to individuals for their own business purposes?
165
OCR Guidelines FAQs....... Marketing
A: No. While covered entities may share PHI with “business associates”, that PHI must be used to perform or assist in the performance of certain health care operations on behalf of covered entities.
Thus, business associates, with limited exceptions, cannot use PHI for their own purposes.
166
OCR Guidelines FAQs....... Marketing
Alternative treatment:
Communications about alternative treatments are excluded from the definition of marketing & do not require a prior authorization.
Similarly, under this guidance it is not marketing when a doctor or pharmacy is paid by a pharmaceutical company to recommend an alternative medication to patients.
167
OCR Guidelines FAQs....... Marketing
The simple receipt of remuneration does not transform a treatment communication into a commercial promotion of a product or service.
Furthermore, covered entities may use a legitimate business associate to assist them in making such permissible communications.
168
OCR Guidelines FAQs....... Public Health
Q: May providers disclose PHI concerning pre-employment physicals, drug tests, or fitness-for-duty examinations to an individual’s employer?
A: In very limited circumstances, providers may disclose PHI to the individual’s employer without authorization.
169
OCR Guidelines FAQs....... Public Health
1st, the provider must perform the service at the employer's request or as a member of the employer's workforce.
2nd, the service must relate to medical surveillance of the workplace or to detecting or assessing work-related illness or injury.
170
OCR Guidelines FAQs....... Public Health
3rd, the employer must have a duty under OSHA or similar law to keep records on, or act on, such information.
171
OCR Guidelines FAQs....... Workers’ Comp
HIPAA Privacy does not apply to workers' compensation insurers, administrative agencies, or employers; they are not covered entities.
These entities need access to the PHI of individuals with a work-related injury or illness to process or adjudicate claims, or to coordinate care under workers' compensation systems.
172
OCR Guidelines FAQs....... Workers’ Comp
The Privacy Rule permits disclosures of PHI for workers’ compensation purposes, sometimes requiring patient authorization, other times not.
Nebraska Law 48-120(4) [Manual pg 84] “Records relevant to the injury shall be made available on demand to employer, employee, carrier, and compensation court”
State law not pre-empted. Follow both.
173
OCR Guidelines FAQs....... Workers’ Comp
HIPAA: Disclosures Without Individual Authorization.
To provide benefits for work-related injuries or illness without regard to fault.
Limited to what the law requires.
For obtaining payment for any health care provided to the injured or ill worker.
174
OCR Guidelines FAQs....... Workers’ Comp
HIPAA: Disclosures With Individual Authorization.
May disclose PHI when the individual has provided authorization for the release of PHI.
The Minimum Necessary Rule applies.
175
OCR Guidelines FAQs....... Oral Communication
Q: Does the HIPAA Privacy Rule require that covered entities provide patients with access to oral information?
A: No. The term “designated record set” does not include oral information; rather, it connotes information that has been recorded in some manner.
176
OCR Guidelines FAQs....... Oral Communication
Q: Does the HIPAA Privacy Rule require that covered entities document all oral communications?
A: No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations
177
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes
178
Physical Changes
HIPAA does not require that you make radical, expensive changes to your office.
The following are some reasonable alterations in office layout to assist in complying with HIPAA
179
Doors
Close doors when discussing PHI, e.g., during history, pre-examination, & examination.
180
Always speak quietly
Hearing impaired? Speak slowly; get closer.
Take special care when speaking in hallways & other common areas.
181
Multi-patient areas (Check-in, Check-out, Dispensary)
Speak reasonably quietly.
Use "PLEASE WAIT HERE" signs if appropriate.
Provide "PLEASE WAIT HERE" chairs if appropriate.
Incidental disclosure is acceptable.
182
Business Office Areas
Place HIPAA reminder signs at work stations
Place HIPAA reminder signs on computer monitors
Place HIPAA reminder signs on file cabinets
183
Computer Monitors
Rotate the screen away from the public.
Put a plant next to the monitor.
Use a screen saver (password-protected, so an unattended screen is also locked) or minimize the screen.
Place a HIPAA reminder sign on the monitor.
Remember, patients can see their own PHI!
184
Patient Records
Keep records closed except when in use
When practical, divide each record into sections, e.g., Demographics Examination Claims
Staff should use only that portion of record needed for the task at hand
185
Patient Record Storage
Post HIPAA reminder signs in record storage areas
Reasonably monitor record storage areas
Reasonably monitor records in hallways
186
HIPAA Privacy
History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes
187
THE END
Thank You!