
HIPAA

The Privacy Rule 2003

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The 104th Congress passed the Act, Public Law 104-191, in 1996.

The U.S. Department of Health and Human Services (HHS) drafted privacy regulations after Congress failed to do so within three years of the Act’s passage.

President Bush and HHS Secretary Tommy G. Thompson allowed the rule to take effect April 14, 2001.

HIPAA requires covered entities to comply with the final rule’s provisions by April 14, 2003 (45 CFR 164.534).

What is HIPAA?

HIPAA is a federally enacted law containing five provisions designed to:

– Assure portability of health insurance;
– Decrease health care fraud and abuse;
– Improve efficiency and effectiveness of health care; and
– Guarantee security and privacy of patient health information.

Organizational HIPAA

Sharron Stevens, Privacy Officer
Pat W. Myrick, CCRP, CIP, Compliance Officer
Barbara Love, Credentialing Officer

HIPAA Privacy Rule (65 Fed. Reg. 82462)

Title II: Administrative Simplification
– Transaction Standards
– Standard Code Sets
– Unique Health Identifiers
– Security
– Privacy

Privacy code includes: Research & Public Health

Who Must Comply?

The Code refers to “Covered Entities,” which include health plans, health care clearinghouses and health care providers who conduct financial and administrative transactions – such as electronic billing and funds transfers – electronically. (45 CFR 160.103)

What Does HIPAA Protect?

ALL medical records and other individually identifiable health information used or disclosed by a covered entity in any form – electronic, paper, oral – are covered by the final Privacy Rule.

(45 CFR 164.501 and 45 CFR 164.502)

Minimum Disclosure . . .

Disclosures of patient information will be limited to the minimum necessary for the purpose of the disclosure, except for purposes of treatment.

45 CFR 164.502(b)(1)

Permitted Disclosures

The Privacy Rule permits, but does not require, covered entities to disclose health information without authorization for certain public responsibilities:
– Emergencies
– Identity of deceased, determine cause of death
– Public Health needs
– Judicial and administrative proceedings
– Law enforcement
– National defense and security

New Patient Rights Issued

Privacy Notice: Covered entities must notify patients in writing how they may use or disclose the patient’s protected health information (PHI).

45 CFR 164.520

Access: Patients will be able to access and get copies of their health records. They may also request amendments to those records. A history of non-routine disclosures must also be accessible to patients. 45 CFR 164.526

New Patient Rights

Consent = Authorization: Health care providers who see patients must obtain patient consent (authorization) before sharing their information for treatment, payment and health care operations. Treatment may be conditioned on receiving consent unless other legal obligations exist, such as the Federal Emergency Medical Treatment and Active Labor Act (EMTALA), also known as COBRA. 45 CFR 164.506(a)(1)

New Patient Rights

Authorization: A separate patient authorization must be obtained for non-routine disclosures – such as Public Relations activities, marketing, fundraising – and most non-health care purposes.

Treatment may not be conditioned upon receiving authorization. 45 CFR 164.508(a)(1)

New Patient Rights

Restrictions: Patients will have the right to request restrictions on the uses and disclosures of their information.

45 CFR 164.522

Recourse: Patients may file formal complaints with a covered entity or with the Department of Health and Human Services (HHS).

45 CFR 160.306(a)

Three Mandates Under HIPAA

Adopt written privacy policies and procedures detailing:
– Who has access to protected information;
– How protected information will be used within the covered entity;
– When protected information may be disclosed; and
– Ways to ensure business associates protect privacy of health information.

Three Mandates Under HIPAA

Train employees in privacy procedures.
– Design and implement training plan
– Track and audit employee training

45 CFR 164.530(b)(1)

Designate a privacy officer to ensure policies and procedures are followed. The ETSU Privacy Officer is Sharron Stevens, [email protected]. The VAMC Privacy Officer is Angela Mullins, [email protected].

– Develop and implement a method to report complaints
– Investigate complaints
– Conduct routine and random audits

45 CFR 164.530(a)(1)

Ensure Business Associates Safeguard Information

A covered entity may disclose protected health information to a “business associate” and allow it to receive health information on its behalf ONLY after the covered entity is assured the business associate will safeguard the information. Even though business associates aren’t covered directly under the law, covered entities are liable for their business associates’ actions if they disclose protected health information.

45 CFR 164.502(e)(1)

Penalties for Covered Entities

Civil Penalties: $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated

(65 Fed. Reg. at 82470)

Federal criminal penalties for knowing violations:
– Up to $50,000 and one year in prison
– Under “false pretenses” – up to $100,000 and up to five years in prison
– Intent to sell, transfer or use – up to $250,000 and up to 10 years in prison

Pre-emption of State Law

State laws which may be contrary to the rule are preempted unless one of four conditions is met. Legal counsels will be tasked with evaluating how HIPAA will impact state law.

– DHHS determined that the state law is necessary to prevent fraud and abuse, to regulate insurance or health plans, is for reporting health care delivery or costs, or is serving a compelling need related to health, safety and welfare, or its principal purpose is regulation of controlled substances.
– State law is more stringent than the privacy rule.
– State law provides for reporting of disease, injury, child abuse, birth or death, or provides for conduct of public health surveillance.
– State law requires a health plan to report or provide access to information for management of financial audits, program monitoring and evaluation, or licensure or certification of people or facilities. (45 CFR 160.203)

Enforcement

The DHHS Office for Civil Rights (OCR) will enforce the Privacy Rule. The agency is using a $3.2 million budget allocation to hire new agents. Enforcement will likely be compliance driven and investigations will be conducted by one of 10 regional offices. OCR is still faced with clarifying terms on hearing and appeal procedures and defining civil (monetary) penalties for violations.

65 Fed. Reg. at 82472

This Introduction to HIPAA PowerPoint presentation is made available for educational purposes only.

Acknowledgements

45 CFR 164
45 CFR 160
65 Fed. Reg. at 82462
65 Fed. Reg. at 82470
65 Fed. Reg. at 82472
Hall, E. (2002). Privacy Officer, A301 Kentucky Clinic, Lexington, KY, 40536-0284.
Irvine, K., & Hilton, E. (2003). Ensuring a HIPAA-compliant informed consent process: A guide for clinical research professionals. Boston, MA: Thomson-Centerwatch.