HIPAA: Health Information Privacy and Accountability Act
Jan 16, 2016
What is HIPAA
- In 1996 Congress passed the Health Information Privacy and Accountability Act
  - Full compliance required since 10/16/03
- Mandates Federal privacy protections for individually identifiable health information
- Primary purpose was to provide insurance coverage for workers who change jobs
- The Security, Privacy, and standards for electronic transactions are part of the Act
Cost
- American Hospital Association estimates costs to be 22.5 billion dollars over the first 5 years
  - Physical changes to departments
  - Staff training
- State law vs. Federal – most restrictive law takes precedence
Protected Health Information
- Created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse in the normal course of business
- Relates to past, present or future physical or mental health or condition of an individual
- Relates to provision of healthcare to an individual
- Past, present or future payment for provision of health care to an individual
What is considered Protected Health Information (PHI)?
- Name
- Name of Relatives/Household
- Medical Record Number
- Address
- Employer
- Account/Health Plan Number
- SSN
- Telephone Numbers
- Vehicle or Other Device Serial Number
- Fingerprint
- Fax
- DOB
- Photograph
- E-mail address
- Certificate/License Number
De-Identified Health Information
- No restrictions on use or disclosure of de-identified health information
- Does not identify the individual
- Does not provide a reasonable means to ID a person

How Do I De-Identify Health Information?
- Formal determination by a qualified statistician
- Removal of specific identifiers of the individual and that individual's family, household members, employer
When can I disclose PHI without the person's authorization?
- When sharing information with that person
- Information may be disclosed to doctors, nurses, technicians, health care providers and hospital personnel who are involved in the patient's care
- Use for billing, treatment, or other health care operations
- Facility directory – includes name, location in the facility and general condition
- An individual may give informal permission to discuss with family, relatives or other identified people PHI directly relevant to that person's involvement in the individual's care or payment for care, e.g. a pharmacist can give a filled prescription to a person acting on behalf of the patient
When can I disclose PHI without the person's authorization?
- When required by federal or state law:
  - Public Health
  - Law enforcement agencies
  - Appropriate government agencies
  - In response to a court order or subpoena
- Health Oversight Agencies: for legally authorized audits, investigations, inspections, licensure, etc.
- To report child/elder abuse or neglect or domestic violence
When can I disclose PHI without the person's authorization?
- Law enforcement purposes:
  - criminal investigations, identify or locate a suspect, fugitive, or missing person
  - alert regarding death of a person
  - PHI is evidence of a crime that occurred on its premises
  - emergency situation where the health care provider needs to communicate to law enforcement regarding location, nature, and perpetrator of the crime
When can I disclose PHI without the person's authorization?
- Coroners, Funeral Directors, Medical Examiners for identification purposes
- Facilitate organ donation
- Some research
- Threat to health or safety – to either person or public
- Essential Government Functions: national security, medical suitability for service, health and safety of inmates or employees in correctional facilities, eligibility for enrollment in government benefit programs
- When consulting with other health care providers about a patient's treatment

All Other Disclosure of PHI Must have Authorization from Person
Minimum Necessary
- Key aspect of the privacy law
- Make reasonable effort to disclose and/or request only that information which is needed to effectively treat, receive payment, or conduct business
- DME example
HOW WILL HIPAA IMPACT YOUR PT PRACTICE?

Privacy Practice Notice
- Notice of privacy practices must be provided to patient no later than the first service encounter
- Notice must include the following:
  - Ways your clinic may use and disclose PHI
  - How your clinic will protect the patient's privacy, legal requirements to protect privacy, and written notice of privacy practice including individual rights, including the right to complain to HHS
  - Posted notice that is clearly visible to all patients
  - Patient must sign that notice was provided, reviewed or received – recommend having the patient sign the actual notice
Safeguards to implement
- Speak quietly while discussing patient's treatment/condition in waiting room with family members or patient
- Avoid using patient's name in public hallways
- Lock all file cabinets, record/chart rooms – limit access to these keys to only staff that need access to records
- Lock staff offices when empty
- Computer discs when not in use should be locked up in desks, cabinets or disc storage
- Computers should be accessed only by appropriate staff (via passwords)
Safeguards to implement
- Patient sign-in sheets should not include reason for visit
- OK to call out patient's name in waiting rooms – limit information shared
- Keeping charts outside exam room or at bedside allowable as long as access to information is limited – face chart to wall or face down on bed, limit access to exam/treatment areas by staff or by escorting non-employees
- Leaving messages for patients on their answering machines is ok – but limit what you disclose
- Shred documents containing PHI before throwing out
- Keep all privacy policies, records, complaints, other activities related to HIPAA for at least 6 years
You do not have to
- Retrofit your clinic with soundproof rooms – curtains or cubicles may constitute a reasonable safeguard
- Discussing details of patient's treatment in a "gym" is allowable as long as detailed discussions occur in a more private setting
- Get consent from patient when consulting on a patient's treatment with another provider

What happens if patient refuses to sign notice?
- Document your efforts to get signature
- Document why patient would not sign
THE PATIENT HAS RIGHT OF ACCESS TO ALL THEIR DESIGNATED RECORD SET – ANY RECORDS WITH PHI

Designated Record Set
- Group of records maintained by CE used in whole or part to make treatment decisions
- Provider's medical and billing records about an individual's health plan enrollment, payment, claims adjustment, case management records

Restriction Request
- Patients have the right to request your clinic restrict who gets PHI or how PHI is used
- Your clinic does not have to agree to additional restrictions requested by patient
- If you do agree – your agreement is legally binding
- Patients have the right to request their information be amended
What about minors?
- In most cases parents are personal representatives for minor children
- Professional judgment is allowable (if made by a licensed health provider) if state law is silent about sharing information with parents
What happens if you violate HIPAA?
- $100 fine per failure to comply with a requirement
- Not to exceed $25,000 for multiple violations of same rule in calendar year
- No fine if violation due to reasonable cause and did not involve willful neglect and if corrected within 30 days of knowledge of violation
What happens if you violate HIPAA?
- Knowingly obtaining or disclosing PHI in violation of HIPAA – fine up to $50,000 and one year in prison
- Fine increases to $100,000 and 5 years in prison if it involves false pretense
- Increases to $250,000 and 10 years in prison if it involves selling and transfer of PHI for profit, commercial advantage, personal gain or malicious harm