HIPAA Privacy and Media
Ed Goldman, J.D.
Health System Legal Office
May 12, 2003

It’s HIPAA Not HIPPO!
HIPPA (NO, it’s HIPAA!) stands for:
Help Impoverished Plaintiff Attorneys Aggrandize? No, because there is no private right of action.
Help Improve Privacy Across America? Yes, because it’s a Federal regulation designed to establish one set of rules for privacy.

Background
HIPAA (Health Insurance Portability and Accountability Act of 1996), Administrative Simplification Section:
Purpose is to standardize electronic transmission of health data.
Includes: Provider/Employer Identifiers (pending); Electronic Transactions (09/16/03); Security (04/21/05); e-signature (10/01/00) and Privacy (04/14/03).

Philosophy
“A journey of a thousand miles must begin with a single step.” - Chinese Proverb

New Philosophy
“A journey to protect the privacy and security of protected health information must begin with a single step, a dedicated committee and a lot of money.” - HIPAA Proverb

Important Dates
HIPAA Privacy regulations were final 04/14/01 and effective 04/14/03.
HIPAA Security regulations are effective 04/21/05.
HHS can modify once per year. Last modification was 08/02.

Overview
Regulations apply to Covered Entities (CE):
1. Health Plans: provide or pay for health care, including HMOs and benefit plans.
2. Health Care Clearinghouses.
3. Health Care Providers who transmit any health information in electronic form.

Overview
Regulations cover individually identifiable health/billing information, AKA Protected Health Information (PHI): information kept in any form (oral, written, electronic) created or received by a CE relating to a person’s physical/mental health or payment for health care. Covers both living and deceased patients.

Overview
Regulations also include Business Associates (BA): non-employees who, on behalf of a CE, perform a service involving PHI. Ex: claim processing; record copying; malpractice defense; audit; consulting; software development; quality assurance.
Included entities: NCQA; UHC; JCAHO; non-covered portions of UM.

Preemption of State Law
State law is preempted except if:
HHS determines it serves to prevent fraud or serves a compelling State interest,
it is “more stringent” (provides more privacy protection),
it is a disease reporting law,
it is a State audit/licensing law.

Enforcement
Patients can file complaints with the HHS Office of Civil Rights (www.hhs.gov/ocr/hipaa).
CE must keep records and allow HHS access to audit.
Civil fines: $100/violation.
Criminal fines: $250,000/up to 10 years (disclosure for commercial purposes).

The Privacy Rule
Rule: CE cannot disclose PHI except:
to the patient,
with a general consent to the treatment team (emergency exception),
as specifically authorized by the patient,
as required by law,
in a directory (if the rules are followed) and allow for opt-out.

The “Minimum Necessary” Rule
Disclosure must be limited to the “minimum necessary to accomplish the intended purpose,” except that all PHI can be disclosed to the treatment team, to the patient, and to HHS for audit or as required by law.
NOTE: De-identified information (removal of 19 elements) is not PHI.

Elements of the Regulation
1. Notice of Privacy Rights
2. General acknowledgement for treatment, payment, health care operations
3. Specific authorizations
4. Exceptions for required reporting
5. Patient access, amendment and audit rights
6. Privacy officer and administrative rules

Notice of Privacy Rights
Must be provided to all patients (except emergency).
Must include all the rules with examples of uses of PHI.
Must have a person to contact for complaints.
Lots of specific requirements. Posted at: med.umich.edu/hipaa.

General Acknowledgement
Must be signed prior to rendering treatment, payment, health care operations (TPO).
Health care operations include:
QA
Credentialing
Compliance; business planning
Education of students, trainees, workforce (but not research)

Specific Authorizations
Required for all disclosures for any other purposes (research, disclosure to a 3rd party, release of “psychotherapy notes”, etc.).
Care cannot be conditioned on obtaining an authorization (exception for research coupled with treatment or enrollment in a health care plan).

Required Reporting
Disclosures required by law (child abuse, FDA, product recalls, communicable diseases)
To employer for workers comp with written notice to employee
In response to a Court order
For law enforcement purposes
To Coroner, funeral directors, organ donation

Patient 3A’s Rights
Patient may access PHI, obtain copy (for fee).
Patient may request amendments, and Facility needs a process to review the request.
Patient may (for 6 years) request and obtain an accounting of all persons who have seen the patient’s PHI for other than TPO.
Therefore, CE needs a reliable audit system.

Disclosure to Business Associates
Only pursuant to a written agreement with assurances of protection and no re-disclosure.
PHI returned or destroyed at end of contract.
Rules have lots of specific requirements for the contract.

Facility Directories
Patient’s name, location, and condition in general terms can be provided IF the Notice says so and IF the patient has the opportunity to restrict/prohibit use (opt out). Except: Emergency.
Family, close personal friends, press (if they ask by name), clergy or those identified by the patient can have this information.

What to Tell the Press?
Except if the patient has been notified and has objected, the CE can, upon request with patient name, disclose:
1. Patient name
2. Location
3. Condition in general terms that do not communicate specific medical information

Marketing/Fundraising
Marketing: Need Authorization except if: face-to-face encounter for products of nominal value which may be useful to the patient and any financial remuneration to the CE is disclosed, or description of UMHS services.
Fundraising: Need Authorization except if fundraising for the CE only and use only demographic information or service dates.

Examples
General newsletter OK
General mailing to all patients OK
If CE wants to target all cancer patients then a specific Authorization is needed because CE will need to look at information about the patients’ specific disease.
Fundraising/marketing need opt-out.

Referring Physicians
If part of the treatment team then full PHI can be shared pursuant to the Notice of Privacy.
If referral with no expectation of providing further care to the patient, then written authorization from the patient is required to disclose information.

Administrative Rules
CE must:
designate a Privacy Officer
establish a complaint office
have safeguards for PHI protection
train staff
document complaints
create contracts with BAs

Administrative Rules 2
Discipline workforce members who violate the rules
mitigate any harmful effects of disclosure
refrain from intimidation of patients who exercise their rights under the regulations
allow access to HHS for audit
Create amendment/audit system

“How Can PR help?”
UMHS will need editing and website help. See website at med.umich.edu/hipaa.
Also need publications/publicity about the new regulation.
And, any other help you can think of will be cheerfully accepted!

Where to Find Out More?
http://aspe.os.dhhs.gov/admnsimp gets you to the administrative simplification page.
www.hhs.gov/ocr/hipaa gets you to the Office of Civil Rights page with lots of current information.
www.epicurious.com gets you to some great food.

Question and Answer
Currently the most useful answer is: these regulations are complex and evolving, but the institution must comply for the benefit of our patients. For media we must be sure to protect privacy. No use of images without permission. No disclosure of PHI without full compliance with the regulations.