Proprietary and confidential and may not be reproduced or distributed without the express consent of Cap Gemini Ernst & Young U.S. LLC and Ernst & Young LLP
HIPAA Executive Office Training January 2003
Cindy Fillman
Department of Public Welfare
Office of General Counsel
HIPAA – How did we get here?
Health Insurance Portability and Accountability Act
Required the Secretary of HHS to promulgate standards to implement the Administrative Simplification portion of the law (standard transactions).
Intended to “improve the efficiency and effectiveness of the health care system.”
Requires protection of security and privacy of Protected Health Information (PHI) maintained electronically and otherwise.
HIPAA – How did we get here?
REGULATIONS
Electronic Transactions and Code Sets
Unique Employer Identifier
National Provider Identifier
Security and Electronic Signature
Privacy
COVERED ENTITIES
• Health care providers who engage in covered transactions
• Health plans
Includes Medicare and Medicaid and other specified government programs
Includes government programs that do not fall within the specific exclusion for those programs:
Whose principal purpose is other than providing or paying the cost of health care, OR
Whose principal activity is the direct provision of health care or the making of grants to fund the direct provision of health care
• Health care clearinghouses
BUSINESS ASSOCIATES
A Person or entity who on behalf of a Covered Entity
Uses
Accesses
Rediscloses
PHI either
To provide services to a Covered Entity OR
To perform or assist in the performance of a function or activity for, or on behalf of, the Covered Entity
DPW Priorities
How the Department Prioritized
Definitions assigned to DPW (Hybrid Covered Entity, part of an Affiliated Covered Entity) and to Counties, Contractors and other Business Partners (Business Associates)
Master Client Index drove some decision making
What are we doing?
Appointing Privacy Officials for affected Offices/Bureaus.
Training all members of the workforce
Drafting policy and procedures and beginning new business practices
Rewriting Contracts and Quasi-Contracts (Business Associate Language)
Drafting/Revising Consents and Authorizations
Documenting Decisions and Activities
Training
Committee comprised of personnel of impacted bureaus
Basic format created by the committee
Combination training to allow for flexibility
Kickoff: October-December
Computer and blended training: April
Stand up (job specific): June
Policy and procedures
High level HIPAA Handbook
Adaptations made by each program office to meet their own needs
Business process changes to be phased in by April, 2002.
Privacy Standards
Purpose: To safeguard the privacy of health information by setting rules on the use and disclosure of individuals’ protected health information (PHI)
Applies to: Covered entities and business associates who use, store, maintain, transmit, or dispose of patient health information in any form (verbal, written, or electronic)
Privacy Standards (PHI)
Individually identifiable
About an individual’s physical or mental health or condition
About provision of or payment for health care
Created or received by a provider, health plan, clearinghouse, or employer
Transmitted or maintained in any medium (verbal, written, or electronic)
Privacy Standards
Outline individual rights regarding PHI and obligations of providers, health plans, clearinghouses and business associates
Give consumers greater control over use and disclosure of PHI
Restrict certain uses and disclosures of PHI by plans, providers, and clearinghouses, unless authorized by the patient or permitted by law
Privacy Standards
Rules restrict use and sharing of PHI
Higher security and protection levels
Greater individual control and access
Greater accountability
Rules apply to covered entities
Compliance deadline is April 14, 2003
Limit disclosures to the “minimum necessary”
Minimum Disclosure
Except for medical treatment, release of PHI must be kept to the minimum amount necessary to accomplish the purpose of disclosure
We must determine the minimum amount needed
Privacy Obligations
Plans and providers must create privacy-conscious business practices and disclose only the minimum information required
Department must:
Ensure internal protection of PHI
Monitor external disclosures of PHI
Complete employee training, and
Establish procedures for addressing clients’ privacy complaints
Privacy Obligations
Plans and providers must inform clients of their business practices (privacy notice)
Providers must obtain written consent from a client to use or disclose PHI, even if just for routine uses for treatment, payment, or operations
A separate, specific authorization is required for non-routine disclosure
Consent vs. Authorization
Consents cover T/P/O (treatment, payment, operations); authorizations cover most other uses and disclosures
Authorizations are for specific disclosures
May refuse to treat without consent; cannot refuse to treat a patient who won’t sign authorization
Use and Disclosure
Covered entities may use or disclose PHI without consent, an authorization, or giving an opportunity to agree or object, including:
• For the payment activities of other CEs or providers who are not CEs, and for certain healthcare operations of other CEs.
• When required by law
• For public health activities
• Reporting domestic violence or abuse and neglect
• For health oversight activities
• For judicial and administrative proceedings in response to a court order, or in response to a subpoena or discovery request if certain assurances are obtained
De-Identified Information
De-Identified Information is not subject to HIPAA requirements
A Covered Entity may determine that health information is not individually identifiable by:
Obtaining an opinion that information is not identifiable from an entity experienced with generally accepted statistical and scientific principles and methods for de-identifying information
Removing specified identifiers of the individual or of relatives, employers, or household members
De-Identified Information (identifiers to be removed)
Names
All geographic subdivisions (address, zip code)
All elements of dates (incl. birthdate and date of admission)
Telephone/Fax numbers
E-mail addresses
SSN
Medical record number
Health plan number
Account number
Certificate/license number
VIN/serial number
Device identifier/serial #
URL
IP address
Biometric identifiers (voice/finger prints)
Photos
Other unique characteristics
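The identifier list above can be applied mechanically to a structured record: drop the fields that carry a listed identifier, scrub any that leak into free text, and audit what remains. This is an added example, not material from the training deck or DPW; the field names, regular expressions and sample record are assumptions constructed for illustration.

```python
import re

# Field names are assumed for this example; each maps onto an identifier
# category on the slide (names, geography, dates, phone/fax, e-mail, SSN,
# MRN, plan/account numbers, license, VIN, device, URL, IP, biometrics, photos).
IDENTIFIER_FIELDS = {
    "name", "address", "zip", "birthdate", "admission_date", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_number", "account_number",
    "license_number", "vin", "device_serial", "url", "ip_address",
    "fingerprint", "photo",
}
# Identifiers that leak into free text (notes); URL is checked first so an
# IP embedded in a URL is not left half-replaced.
FREE_TEXT_PATTERNS = {
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def scrub_text(text):
    """Replace embedded identifiers with a labelled placeholder."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text

def de_identify(record):
    """New record with identifier fields dropped and text fields scrubbed."""
    return {
        key: scrub_text(value) if isinstance(value, str) else value
        for key, value in record.items()
        if key not in IDENTIFIER_FIELDS
    }

def residual_identifiers(record):
    """Audit check: fields whose text still matches an identifier pattern."""
    return sorted(
        key for key, value in record.items()
        if isinstance(value, str)
        and any(p.search(value) for p in FREE_TEXT_PATTERNS.values())
    )

SAMPLE_RECORD = {  # constructed sample, not real data
    "mrn": "MRN-0001", "name": "Jane Doe", "birthdate": "1/2/1960",
    "zip": "17120", "diagnosis": "Hypertension",
    "note": "Seen 3/4/2003; call 717-555-0100 or jane@example.org to follow up.",
}
```

The audit step matters because a record that passes the field-level check can still carry a phone number or date inside a clinical note.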
Client Rights
Request restrictions on use and disclosure of PHI
Obtain a disclosure history
Review and copy their own medical records
Request amendments or corrections to the record
Complain to the Department and to the Secretary of DHHS if privacy rights are violated
Business Associate Agreements
Terms and Template
Other Agreements
Trading Partner
Chain of Trust
User Agreements
Enforcement
ENFORCER: Office of Civil Rights, HHS
Complaint-driven process (but indicates willingness to provide “guidance” first).
PENALTIES:
For failure to comply – Civil Money Penalties of $100 per violation, not to exceed $25,000 per year
For knowingly disclosing or obtaining PHI – CRIMINAL PENALTIES
CRIMINAL PENALTIES:
Knowing only: $50,000, one year in prison, or both
False pretenses: $100,000, five years, or both
Use for commercial or personal gain or malicious harm: $250,000, ten years, or both
Practical Steps to Compliance
Shred all PHI to be discarded
Log off terminal when not in use
Do not discuss specific cases in public places
Verify fax locations
Be mindful of sharing only “minimum necessary” information
Practical Steps to Compliance
Be aware of with whom you are sharing PHI
Report breaches to Privacy
Assure adequate safeguards/paperwork are in place
Check with IT staff to be sure dial-in is secure
Read and follow Privacy and Security Policies and Procedures