Module 2: HIPAA Privacy Fundamentals

HIPAA Enforcement Training for State Attorneys General

Mar 17, 2018



Module Introduction

Module 2: Introduction

This module of the Health Insurance Portability and Accountability Act (HIPAA) Enforcement Training for State Attorneys General (SAG) provides:

• Terms and concepts used in the HIPAA Privacy Rule

• An overview of the requirements of the HIPAA Privacy Rule

• A description of certain changes to the Rule made under the ARRA/HITECH Act of 2009

• Questions to ask when conducting an investigation


Module Objectives

Module 2: Objectives

After completing this module, you will be able to:

• Define terms used in the HIPAA Privacy Rule

• Summarize the requirements of the HIPAA Privacy Rule

• Describe the Privacy Rule’s administrative requirements for covered entities and business associates

• Develop investigatory questions to apply to your cases


Lesson 1: HIPAA Privacy Rule Concepts and Definitions


Lesson 1: Objectives

After completing this lesson, you will be able to:

• Define terms used in the HIPAA Privacy Rule

• Apply this terminology when investigating HIPAA violations


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule

Use and Disclosure of PHI

Covered entities may only use or disclose PHI as permitted or required by the Privacy Rule.

Use is the sharing, employment, application, utilization, examination, or analysis of …information within the entity…

Disclosure is the release, transfer, provision of access to, or divulging in any other manner of information outside the entity.

References: 45 CFR §§ 160.103, 164.502 


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Covered Entities

A covered entity is:

• A health plan

• A health care clearinghouse

• A health care provider who transmits any health information in electronic form in connection with a covered transaction—one for which the Secretary has adopted standards.


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Organizational Structures

Covered entities may be organized using structures that affect their obligations under the HIPAA Privacy and Security Rules. Organizational structures include:

– Hybrid entities

– Affiliated Covered Entities (ACEs)

– Organized Health Care Arrangements (OHCAs)


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Hybrid Entities

A hybrid entity is a single legal entity:

• That is a covered entity

• Whose business activities include both covered and non‐covered functions, and

• That designates its health care components in accordance with the HIPAA Privacy Rule


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Hybrid Entities (continued)

Hybrid entities may designate parts of themselves as health care components, and must:

• Comply with the HIPAA Privacy and Security Rules

• Refrain from disclosing PHI inappropriately, including to another component of the hybrid entity

They may disclose as otherwise allowed if they were separate legal entities.

References: 45 CFR §§ 164.103, 164.105(a)(2)(iii)


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Examples of Hybrid Entities

• A state health department whose business practices include both covered and non‐covered functions

• A correctional facility with a health care clinic that transmits one or more HIPAA‐covered transactions electronically

• A data processing center that conducts health care clearinghouse activities as well as non‐health care data entry

• A university health clinic that is a HIPAA covered entity and has health information to which the Privacy Rule does not apply


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Affiliated Covered Entities

Affiliated covered entities:

• Legally separate covered entities under the same ownership or control

• May participate in a single HIPAA compliance program


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Affiliated Covered Entities (continued):

• Must have documented status as an affiliated covered entity

• All entities must comply with the HIPAA Privacy and Security Rules

• Common examples include chains of hospitals or clinics

Reference: 45 CFR § 164.105(b)(2)


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Organized Health Care Arrangements (OHCA)

Organized Health Care Arrangements (OHCA) are organizational structures under which:

• Two or more covered entities work together

• Common examples: Integrated health centers containing independent legal entities; multiple health plans with the same sponsor


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Organized Health Care Arrangements (OHCA) (continued)

OHCA members may:

• Disclose PHI to each other for health care operations activities of the OHCA

• Use a joint notice of privacy practices

• Share a common business associate


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Minimum Necessary

The minimum necessary standard limits uses, disclosures, and requests for PHI to the minimum necessary amount of PHI needed to carry out the purposes of the use or disclosure.


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Minimum Necessary (continued)

Exceptions to this include:

• Disclosures to, or requests by, a health care provider for treatment purposes

• Uses or disclosures made to the individual or pursuant to the individual’s authorization

• Disclosures to HHS for HIPAA compliance purposes

• Uses or disclosures required by law

Reference: 45 CFR § 164.502(b)


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Minimum Necessary (continued)

The standard for minimum necessary uses requires covered entities to make reasonable efforts to limit access to PHI to those in the workforce that need access to it based on their roles in the covered entity.


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Minimum Necessary (continued)

Minimum necessary disclosures and requests for PHI:

For routine disclosures and requests, a covered entity must implement policies and procedures/standard protocols.

For others, the entity must review individual requests for disclosure to ensure they meet developed criteria to limit PHI disclosed to what is reasonably necessary for the intended purpose.


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Minimum Necessary (continued)

The Privacy Rule safeguards standards and the Security Rule work in concert to fulfill the Privacy Rule’s minimum necessary standard.


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Examples of Minimum Necessary Disclosure

When leaving a message for a patient on an answering machine to confirm an upcoming doctor’s appointment, there is no need to state the reason for the doctor’s visit.

In sending a bill to a health plan for payment, normally there is no need to include the results of the tests provided and for which the payment is being requested.

When scheduling appointments, front office staff will probably not need to have access to a patient’s entire health record.


Activity 1: National Pharmacy Chain Extends Protections for PHI Case Study

Working together as a group at your table, take a few minutes to read the case study. After reading the case, answer the discussion questions and provide your answers during the class review.

Case Study:

A pharmacy employee placed a customer’s insurance card in another customer’s prescription bag. When contacted by OCR, the pharmacy argued that no inappropriate disclosure had taken place because it did not consider the customer’s insurance card to contain PHI.

Discussion Questions:

1. Which is the covered entity in this case study—the pharmacy chain's headquarters or the local store? What considerations will help you make this determination?

2. Do you think the customer’s insurance card was PHI?


Activity 2: Dentist Changes Process to Protect PHI Case Study

Working together as a group at your table, take a few minutes to read the case study. After reading the case, answer the discussion question and provide your answer during the class review.

Case Study:

An OCR investigation confirmed allegations that a covered dental practice flagged some of its medical records with a red sticker with the word “AIDS” on the outside cover, and that records were handled so that other patients, and staff without need to know, could read the sticker and the patient name.

Discussion Question:

Did the dentist violate the Privacy Rule?


Topic 1: Terms Used in the HIPAA Privacy Rule (continued)

Minimum Necessary and Limited Data Sets

Under HITECH a covered entity is treated as in compliance with the minimum necessary standard only if the covered entity limits the use and disclosure of PHI to:

• The “limited data set” as currently defined in the HIPAA privacy regulations; or, if needed

• The minimum necessary to accomplish the intended purpose

HHS will issue guidance on what constitutes “minimum necessary.”

Reference: ARRA/HITECH, Subtitle D, Privacy, § 13405(b)(1)


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

Minimum Necessary and Limited Data Sets (continued)

• Most potentially identifiable data elements are removed, except for dates and geographic information as specified in the Privacy Rule

• Data recipients must sign a Data Use Agreement stating the information will be used only for the specified purposes, no attempt will be made to re‐identify it, and it will not be re‐disclosed

• Information may be used only for research, public health, or health care operations purposes


Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)

De‐identification of PHI 

• Removal of certain identifiers so that the individual who is the subject of the PHI may no longer be identified

• De‐identified information is not protected, and can be shared without limit


Topic 1: Terms Used in the HIPAA Privacy Rule (continued)

De‐identification of PHI (continued)

Two methods:

• Expert determination method – likelihood of identifying an individual is very small

OR

• Safe harbor method – stripping of listed identifiers, such as:

– Names

– Geographic subdivisions < state

– All elements of dates

– Social Security numbers

AND

– Covered entity has no knowledge that the information can be used to identify the individual
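The contrast between the safe harbor method above and the limited data set described under Minimum Necessary and Limited Data Sets (which keeps dates and geographic information), worked as an added Python example; this is not code from the training deck, and the field names, SSN pattern and sample record are constructed assumptions.

```python
import re
from copy import deepcopy

# Identifier classes named on the safe harbor slide. The field names are an
# assumption for this example, not a schema from the training deck.
DIRECT_IDENTIFIERS = {"name", "ssn"}                      # names, Social Security numbers
SUBSTATE_GEOGRAPHY = {"street", "city", "zip"}            # geographic subdivisions smaller than a state
DATE_ELEMENTS = {"dob", "admit_date", "discharge_date"}   # all elements of dates

# Constructed pattern for SSN-shaped tokens that can hide in narrative fields.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def scrub_free_text(text: str) -> str:
    """Mask SSN-shaped tokens so a free-text note cannot re-introduce a stripped identifier."""
    return SSN_PATTERN.sub("[SSN REMOVED]", text)


def deidentify(record: dict, mode: str = "safe_harbor") -> dict:
    """Return a copy of `record` with the identifiers the chosen mode requires removed.

    mode="safe_harbor": drop direct identifiers, sub-state geography and date elements.
    mode="limited_data_set": drop direct identifiers only; dates and geography stay,
    which is why a limited data set is still PHI and needs a Data Use Agreement.
    """
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode: {mode}")
    out = deepcopy(record)
    to_drop = set(DIRECT_IDENTIFIERS)
    if mode == "safe_harbor":
        to_drop |= SUBSTATE_GEOGRAPHY | DATE_ELEMENTS
    for field in to_drop:
        out.pop(field, None)
    # Structured fields are the easy part; the usual failure is an identifier inside free text.
    for field, value in out.items():
        if isinstance(value, str):
            out[field] = scrub_free_text(value)
    return out


def remaining_identifiers(record: dict, mode: str = "safe_harbor") -> set:
    """Checker: which listed identifiers are still present (empty set means the listed-
    identifier prong is satisfied). The slide's 'no knowledge' prong is a judgment call
    about the covered entity and cannot be checked mechanically."""
    checked = set(DIRECT_IDENTIFIERS)
    if mode == "safe_harbor":
        checked |= SUBSTATE_GEOGRAPHY | DATE_ELEMENTS
    found = {field for field in checked if field in record}
    if any(isinstance(v, str) and SSN_PATTERN.search(v) for v in record.values()):
        found.add("ssn_in_text")
    return found


# Constructed sample record with fictional values, used to exercise both modes.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "street": "1 Example Way",
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "dob": "1970-01-02",
    "admit_date": "2018-03-01",
    "diagnosis_code": "J18.9",
    "notes": "Patient confirmed SSN 123-45-6789 at intake.",
}


def demo() -> dict:
    """Run both modes on the sample record and return the two results."""
    return {
        "safe_harbor": deidentify(SAMPLE_RECORD, "safe_harbor"),
        "limited_data_set": deidentify(SAMPLE_RECORD, "limited_data_set"),
    }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result, "remaining:", remaining_identifiers(result, mode))
```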


Lesson 1: Recap

• A business associate performs a function or service for or on behalf of the covered entity

• Covered entities and business associates have obligations under HIPAA regarding the use and/or disclosure of PHI

• All organizations subject to the HIPAA Privacy Rule must request, use, or disclose only the minimum necessary PHI

• Covered entities may be organized using structures that affect how they address the HIPAA Privacy and Security Rules, including hybrid entities, affiliated entities, and organized health care arrangements.


Lesson 2: HIPAA Privacy Rule


Lesson 2: Objectives

After completing this lesson, you will be able to:

• Describe the general requirements of the HIPAA Privacy Rule

• Identify uses and disclosures that may violate the Privacy Rule

• Summarize the rights of individuals under the HIPAA Privacy Rule


Topic 1: Federal Floor of Privacy Protections

The HIPAA Privacy Rule:

• Sets the federal floor for health information privacy

• Sets forth minimum privacy protections

• Establishes individual rights

• Establishes administrative requirements

• Does not prevent covered entities from establishing internal policies that provide greater protections, or that offer consumers greater rights

• Does not preempt more stringent state laws


Topic 2: Requirements for Uses and Disclosures of PHI

A covered entity must not use or disclose PHI, except as specifically permitted or required by the HIPAA Privacy Rule.

References: 45 CFR § 164.502(a)


Topic 3: Required Disclosures of PHI

The HIPAA Privacy Rule requires disclosure in two instances:  

• To the individual when the individual exercises the right to access PHI in designated record sets or the right to an accounting of disclosures

• To HHS for HIPAA investigative and enforcement purposes

Reference: 45 CFR § 164.502(a)(2)


Topic 4: Permitted Uses and Disclosures of PHI

The Rule permits uses and disclosures without individual authorization, including those:

• To the individual

• For treatment, payment, and health care operations (TPO)

• Incidental uses/disclosures

• To business associates with a business associate agreement


Topic 4: Permitted Uses and Disclosures of PHI (continued)

Health care operations are:

• Certain administrative, financial, legal, and quality improvement activities of a covered entity,

• Necessary to run its business, or support the core functions of treatment and payment


Topic 4: Permitted Uses and Disclosures of PHI (continued)

Incidental uses and disclosures are:

• “Incident to” another use or disclosure that is permitted or required by the Rule

• Those that occur even though the minimum necessary and safeguard standards are met


Topic 4: Permitted Uses and Disclosures of PHI (continued)

Examples of incidental uses and disclosures:

• A hospital inpatient in a shared room overhears two health care providers discuss the other patient’s care at her bedside.

• Hospital staff and other patients hear a patient’s name when an ambulatory patient is paged.

• A visitor or non‐treatment staff at a hospital sees the name of the patient on a folder containing the patient’s chart kept immediately outside of the patient’s exam room.

• An administrative worker in a nurses’ station sees the names of patients on a whiteboard used to inform staff of which patients are in which rooms.


Topic 4: Permitted Uses and Disclosures of PHI (continued)

Uses/disclosures requiring an opportunity for the individual to agree or object include:

• For facility directories

• To a person involved in the individual’s care and notification purposes (i.e., when a friend is involved in patient care or payment for care)

• For notification & disaster relief purposes


Topic 4: Permitted Uses and Disclosures of PHI (continued)

Other uses/disclosures that do not require an authorization:

• Required by law

• Public health activities

• About victims of abuse, neglect, or domestic violence

• Health oversight activities

• Judicial and administrative proceedings

• Law enforcement purposes


Topic 4: Permitted Uses and Disclosures of PHI (continued)

…other uses/disclosures that also explicitly do not require an authorization:

• About decedents

• Cadaveric organ, eye, or tissue donation

• Research purposes

• To avert a serious threat to health or safety

• Specialized government functions

• Workers’ compensation


Topic 4: Permitted Uses and Disclosures of PHI (continued)

Permitted uses/disclosures where written authorization is required include:  

• Marketing

• Psychotherapy notes

• All uses or disclosures not otherwise permitted (examples: disclosure to life insurance, drug test results to employer, and disclosure of child’s physical results to school)


Topic 5: Authorization 

Elements of a Written Authorization

Required elements of a written authorization include:

• Specific description of PHI to be used/disclosed

• Who can use/disclose PHI

• To whom the PHI can be used/disclosed

• Purpose of the use/disclosure

• Expiration date or event

• Signature of patient, with date


Topic 5: Authorization (continued)

Elements of a Written Authorization (continued)

• Right to revoke in writing, and the exceptions and instructions regarding the procedure, or a reference to the Notice if this information is there

• A statement about the covered entity’s ability/inability to condition the authorization on treatment, payment, eligibility, or enrollment

• A statement that once disclosed, the PHI may no longer be protected by the HIPAA Privacy Rule, or an alternative statement if the disclosure is to another covered entity

• If use or disclosure is for marketing purposes, and the covered entity will receive remuneration, a statement must be included to that effect


Topic 5: Authorization (continued)

Defective Authorizations

Key items to look for when reviewing an authorization form during the investigation of a HIPAA violation:

• Was the authorization in effect at the time of the disclosure?  

• Does it contain all the required elements to be valid? Is the authorization free from unlawful conditions?

• To the best of the covered entity’s knowledge, is all information in the authorization true (i.e., none of it is known to be false)?

If the answer is “no” to any of the above, the authorization is defective and the covered entity cannot request, use, or disclose PHI based on that authorization. A covered entity must retain authorizations it acts upon.


Activity 3: Authorization Scenario

Read the scenario, and review the authorization, which is located on page 5 in your Appendix. Working with your Table Group, answer the discussion questions, and provide your answers during the class review.

Scenario:

An individual signs an authorization giving his health care provider permission to disclose certain information to his personal trainer at the gym. The individual is upset because the trainer learned from the medical record sent from the health care provider that he has a mental disorder, and shared that information with a friend—who happened to be the individual's employer.

Discussion Questions:

1. Did the health care provider make an authorized disclosure?

2. Is this a valid authorization?


Topic 6: Individual Rights

• Notice of Privacy Practice

• Inspect and Copy

• Accounting

• Request Amendment

• Request Restriction

• Request Confidential Communication

• File a Complaint


Topic 6: Individual Rights

Notice of Privacy Practices 

A Notice of Privacy Practices for PHI provides notification to individuals that includes:

• Required header and content, in plain language

• How their PHI will be used and/or disclosed by a covered entity

• Their individual rights

• The covered entity’s duties


Topic 6: Individual Rights (continued)

Notice of Privacy Practices (continued)

…provides notification that includes:

• How the individual can file a complaint with the covered entity and/or the Secretary of HHS

• Contact information for a person or office who is responsible for receiving HIPAA complaints and who is able to provide further information about matters covered by the notice

• Effective date

There are varying distribution, acknowledgement, and posting requirements for the different types of covered entities.


Topic 6: Individual Rights (continued)

Right to Inspect and Copy

Right of access enables individuals to inspect and copy their PHI in a designated record set.

A designated record set is a group of records maintained by or for a covered entity, and includes:

• An individual’s medical and billing records

• Enrollment, payment, claims adjudication, and case management record systems of a health plan

• Other records used by covered entities to make decisions about individuals


Topic 6: Individual Rights (continued)

Right to Inspect and Copy (continued)

The right of access does NOT apply to:

• PHI that is subject to the Clinical Laboratory Improvement Amendments of 1988

• Psychotherapy notes

• Information being compiled for a legal proceeding

Certain other exceptions also apply.


Topic 6: Individual Rights (continued)

Right to Inspect and Copy (continued)

The covered entity must act on a request for access no later than 30 days after receipt of the request (and within 60 days if the information requested is not maintained or accessible to the covered entity on‐site). A covered entity may have only one 30‐day extension of this 30 (or 60) day deadline, provided that:

• The patient is provided a written statement of the reasons for the delay, and the date by which the covered entity will complete its action on the request


Topic 6: Individual Rights (continued)

Right to an Accounting of Disclosures

Individuals have a right to receive an accounting of disclosures of their PHI made by the covered entity within the past six years.

This right applies, with certain exceptions, to:

• Disclosures made for most “public policy” purposes

• Disclosures that violate the rule that the CE knows about

• Per HITECH, TPO disclosures through an electronic health record

The first accounting within a 12‐month period is free of charge.


Topic 6: Individual Rights (continued)

Right to Request Amendment

Patients have the right to request that the covered entity amend their PHI in a designated record set.

A covered entity may require in advance that individuals make requests for the amendment in writing and provide supporting rationale.


Topic 6: Individual Rights (continued)

Right to Request Amendment (continued)

A covered entity may deny an amendment if the information that the individual seeks to amend:

• Was not created by the covered entity, unless the originator is no longer available

• Is not part of the designated record set

• Would not be available under the individual’s right to inspect and copy

• Is accurate and complete


Topic 6: Individual Rights (continued)

Right to Request Restrictions on Uses or Disclosures

Individuals have a right to request restrictions on uses and disclosures otherwise permitted for:

• Treatment, payment, or healthcare operations

• Next of kin/caregiver notifications

The covered entity is not required to agree to requested restrictions. If the covered entity does agree, it must document the agreement and abide by its terms. The covered entity can break the agreement in certain emergency situations.


Topic 6: Individual Rights (continued)

Right to Request Confidential Communications

An individual has the right to request that the covered entity communicate PHI to him or her via specified confidential means, including restricting communications to one method or receiving communications at an alternative location:

• A covered entity may require that the request be in writing 

• A covered health care provider must accommodate reasonable requests and must not require the patient to explain why the request is being made

• A covered health plan must accommodate reasonable requests if the individual clearly states that disclosure could endanger the individual


Topic 6: Individual Rights (continued)

Right to Request Confidential Communications (continued) 

The covered entity may condition the provision of a reasonable accommodation on:

• The individual specifying an alternative method of contact

• The individual providing information on how payment, if any, will be handled


Topic 6: Individual Rights (continued)

Right to File a Complaint

• A person who believes that a covered entity is not complying with HIPAA privacy provisions may file a complaint with the Secretary of HHS

• A covered entity must advise patients in its Notice of Privacy Practices how complaints may be filed with the Secretary and with the covered entity itself


Activity 4: Hospital Implements New Policies for Telephone Messages Case Study

Take a few minutes to read the case study. As you read it, think about the patient’s right to request confidential communication, and other rights to privacy that have been discussed. Working in your Table Group, answer the discussion question, and provide your answer during the class review.

Case Study:

A hospital employee left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. The patient had requested that the hospital use only her office telephone number.

Discussion Question:

What Privacy Rule provisions were violated?


Lesson 2: Recap

The HIPAA Privacy Rule:

• “Federal Floor” of Privacy Protections

• First set of comprehensive federal health privacy protections

• Restricts uses and disclosures of PHI 

• Provides rights for individuals who are the subject of PHI 


Lesson 3: Administrative Responsibilities


Lesson 3: Objectives

After completing this lesson, you will be able to:

• Recognize potential violations

• Identify the fundamental responsibilities 

• Describe the relationship of business associates to covered entities

• List a covered entity’s administrative responsibilities related to protecting individuals’ PHI


Topic 1: Identifying Business Associates and Executing Business Associate Agreements

A business associate is a person or entity that performs a function or activity on behalf of a covered entity, or provides certain services to a covered entity that involve the use or disclosure of PHI.

Business associates include individuals or organizations that conduct:

• Legal services

• Accounting services

• Claims processing or administration


Topic 1: Identifying Business Associates and Executing Business Associate Agreements (continued)

A Business Associate Agreement (BAA) establishes the permitted and required uses and disclosures of PHI by business associates. Its purpose is to obtain promises from the business associates about how PHI may and may not be used.

A BAA also authorizes termination of the contract or other relationship by the covered entity if it is determined that the business associate has violated the contract’s terms.


Topic 2: Privacy Policies and Procedures 

Covered entities and business associates must institute and maintain privacy policies and procedures to protect PHI.


Topic 3: Privacy Officers’ Roles and Responsibilities 

Privacy Officer:

• Responsible for the development and implementation of privacy policies and procedures

• May receive complaints regarding privacy

• May be able to provide information to patients on their privacy rights


Topic 4: Safeguards

Covered entities must:

• Put in place administrative, technical, and physical safeguards to protect against intentional or unintentional use or disclosure of PHI that violates the Rule

• Reasonably safeguard PHI to limit incidental uses or disclosures

HIPAA Security Rule:

• Also requires administrative, technical, and physical safeguards

• Provides more detail on the safeguards required

• Is limited to electronic PHI (ePHI)


Topic 5: Established Complaint Process

Covered entities must:

• Have an established complaint process

• Have an established process for documentation of the complaints and their resolution

• Have an employee designated to receive and document the complaints


Topic 6: Workforce Training

Covered entities must:

• Provide training to their workforce

• Document that the training occurred


Topic 7: Workforce Sanctions 

Covered entities must:

• Have and apply appropriate sanctions when a member of the workforce does not comply with privacy policies and procedures or with the Privacy Rule


Topic 8: Mitigating Harmful Effects of Improper Uses or Disclosures

Covered entities must:

• Mitigate, to the extent practicable, harmful effects caused by their improper use or disclosure of a patient’s PHI that is known to the covered entity


Topic 9: Prohibition Against Retaliatory Acts

Covered entities may not retaliate in any form against anyone who:

• Files a complaint of a privacy violation

• Exercises a right under the Rule

• Participates in a process established by the Rule


Topic 10: Prohibitions Against Requiring Individuals to Waive HIPAA Rights as a Condition of Payment, Treatment, Eligibility, or Enrollment

Covered entities may not require individuals to waive their HIPAA rights as a condition of their receiving treatment, being found eligible for or being allowed to enroll in a health plan, or as a condition of their provider receiving payment.


Topic 11: Documentation

Covered entities must:

• Maintain policies and procedures in paper or electronic form

• If a communication is required to be in writing, maintain such writing, or an electronic copy, as documentation

• If an action, activity, or designation is required to be documented, maintain a paper or electronic record of such action, activity, or designation

A covered entity must retain required documents for six years from the date of their creation or the date when they were last in effect, whichever is later.


Activity 5: Private Practice Changes Patient Consent Form Case Study

Take a few minutes to read the case study. Working in your Table Group, answer the discussion question, and provide your answer during the class review.

Case Study: A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule.

Discussion Question: Did the doctor violate any requirements or prohibitions of the Privacy Rule?


Lesson 3: Recap

The HIPAA Privacy Rule:

• Spells out administrative responsibilities

• Discusses written agreements between covered entities and business associates

• Discusses the need for privacy policies and procedures

• Describes employer responsibilities to train workforce members and implement requirements regarding their use and disclosure of PHI


Lesson 4: Identifying and Investigating Potential Privacy Rule Violations


Lesson 4: Objectives

After completing this lesson, you will be able to:

• Discuss how to identify potential Privacy Rule violations

• Describe what constitutes a violation of the Privacy Rule


Topic 1: Events and Conditions Constituting Privacy Rule Violations

Privacy Rule questions for investigation:

• Did the covered entity use or disclose PHI for a purpose other than treatment, payment, or health care operations, or other uses or disclosures permitted under 164.502, without proper authorization?

• If an authorization was required and was executed, was it complete and valid?


Topic 1: Events and Conditions Constituting Privacy Rule Violations (continued)

Privacy Rule questions for investigation (continued):

• Did a use and/or disclosure requiring an opportunity for the individual to agree or to object occur without the individual’s input?

• Did the covered entity fail to provide an adequate notice of privacy practices? 

• Was an individual’s right to request that the covered entity limit use or disclosure of PHI violated?


Topic 1: Events and Conditions Constituting Privacy Rule Violations (continued)

Privacy Rule questions for investigation (continued):

• Was an individual inappropriately denied the right to access or amend his or her PHI?

• Was an individual inappropriately denied an accounting of disclosures of his or her PHI? 

• Was PHI provided to a business associate without an appropriate business associate agreement in place?


Topic 1: Events and Conditions Constituting HIPAA Violations (continued)

Privacy Rule questions for investigation (continued):

• Had the entity implemented appropriate internal protections for the PHI, such as minimum necessary, and administrative standards, such as training and safeguards?


Topic 2: Violation of the HIPAA Privacy Rule

There are many possible fact patterns that may indicate violations of the HIPAA Rules. The following example is a strong indicator of the absence of required policies, or that policies were not followed. Either would be a violation of the HIPAA Privacy and Security Rules.

Example: A workforce member of a covered entity simply disposes of PHI in an unsecured, easily accessible dumpster.

Reference: 45 CFR §164.310(d)(2)(i)


Lesson 4: Recap

Key items to look for during an investigation include:

• Was the PHI used or disclosed? By or to whom?

• What documentation regarding the use and disclosure was maintained?

• Were the other administrative requirements followed?

• Were individual rights protected?

• Were the requirements of the Privacy Rule met?

Answers to these questions may lead an investigator to determine that multiple violations exist.


Module Activity

Module 2 Activity: State of CT Privacy Rule Violations

Working in your Table Group: 

• Read Section IV of the complaint, which is located on page 2 of your Appendix

• Draft a list of Privacy Rule violations  

• Provide your answers during the class review


Violations identified by the class include:

1.


Module Recap

Module 2: Recap

The HIPAA Privacy Rule provides guidance on:

• What information needs to be protected (PHI)

• Who must protect PHI (covered entities, business associates)

• Responsibilities in protecting PHI


Module Summary

Module 2: Summary

Having completed this module, you are able to:

• Define terms used in the HIPAA Privacy Rule

• Summarize the requirements of the HIPAA Privacy Rule

• Describe the Privacy Rule’s administrative requirements for covered entities and business associates

• Develop investigatory questions to apply to your case
