Overview of HIPAA Administrative Simplification and Privacy Regulations Darrel J. Grinstead, Partner Amy B. Kiesel, Associate Hogan & Hartson L.L.P.

Dec 14, 2015

Transcript
Page 1

Overview of HIPAA Administrative Simplification and Privacy Regulations

Darrel J. Grinstead, Partner
Amy B. Kiesel, Associate
Hogan & Hartson L.L.P.

Page 2

Outline of Presentation

- HIPAA Overview
- Transactions and Code Set Rule
- Security Rule
- Privacy Rule

Page 3

HIPAA Overview

- “Health Insurance Portability and Accountability Act of 1996”
- Regulations
  - Facilitate electronic exchange of health information
  - Protect the privacy and security of health information

Page 4

HIPAA Regulations

Final Form
- Transactions and Code Set Rule
- Security Rule
- Privacy Rule
- National Standard Employer Identifier Rule

Remaining are unpublished or in proposed form.

Page 5

Applicability

The regulations apply to “covered entities:”
- Health care providers that electronically bill for services (e.g., most ambulance suppliers, physicians, hospitals),
- Health plans, and
- Health care clearinghouses.

Page 6

TRANSACTIONS AND CODE SET RULE

Page 7

Transactions and Code Set Rule

Purpose
- To encourage the use of electronic exchanges
- To reduce the administrative burden associated with using different formats

Specifies the content and format standards for eight common types of health information transactions.

Page 8

Standard Transactions

Transactions are composed of:
- Format data – define and control the structure of the transaction (e.g., the data element is a dollar amount)
- Data content – all data elements and code sets inherent to a transaction and not related to the format of the transaction (e.g., the actual dollar amount)

Page 9

Transactions

The eight standard transactions include:
- Health care claims or equivalent encounter information,
- Health care payment and remittance advice,
- Coordination of benefits,
- Health care claim status,
- Enrollment and disenrollment in a health plan,
- Referral certification and authorization,
- Eligibility for a health plan, and
- Health plan premium payments.

No standards promulgated for first report of injury and health claims attachments.

Page 10

Compliance

Compliance required by Oct. 16, 2002, unless a compliance plan was submitted to CMS by Oct. 15, 2002, whereupon the compliance deadline was extended to Oct. 16, 2003.

Page 11

Implementation

- HIPAA Awareness – understand the rule and educate workforce.
- Operational Assessment – assess and identify internal implementation issues and develop a work plan to address issues.
- Development and Testing – finalize development of, install, and train staff on, applicable software and perform all software and systems testing.

Page 12

SECURITY RULE

Page 13

Security Rule

- Final rule published Feb. 20, 2003.
- Compliance required by April 21, 2005.
- Requires covered entities to:
  - Assess risks and vulnerabilities,
  - Maintain appropriate security measures, and
  - Document these methods.

Page 14

Security Rule

Requires covered ambulance suppliers to:
- Apply administrative, physical, and technical safeguards
- That reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information
- That they create, receive, maintain or transmit.

Page 15

Examples – Required Safeguards

Administrative
- Sanction policy
- Business associate contracts

Physical
- Disposal of device and media controls
- Workstation security

Technical
- Person or entity authentication
- Unique user identification

Page 16

PRIVACY RULE

Page 17

Privacy Rule

- Applicability
- Uses and Disclosures
- Patient Rights
- Administrative Requirements
- Penalties
- Interaction with State Law

Page 18

Compliance Date

Covered ambulance suppliers must be in compliance with the Privacy Rule by April 14, 2003.

Page 19

Applicability of the Privacy Rule

- Applies directly to covered entities.
- Regulates protected health information maintained by covered entities.

Page 20

Protected Health Information

Protected health information (“PHI”) is information in any form that:
- Identifies or reasonably could be used to identify the patient,
- Relates to the past, present, or future health or condition of a patient, payment for care, or provision of care, and
- Is created or received by a covered entity, provider or employer.

Page 21

Protected Health Information

It includes:
- Medical information
- Billing information
- Patient demographic information
- Information stored electronically
- Information you convey on the phone
- Information maintained on paper

Page 22

Business Associates

Requires covered entities to contractually bind their business associates to some of the requirements of the Privacy Rule.

Page 23

Definition

A business associate is an entity that
1. creates or receives PHI
2. to provide a service or function for or on behalf of a covered entity.

Page 24

Examples – Business Associates

Disclosures of PHI to:
- An accreditation organization to perform accreditation services.
- A billing and collection service to assist with reimbursement.
- A transcription service to transcribe notes.

Page 25

Examples – No Business Associate

Disclosure of PHI:
- To a provider for treatment of a patient.
- Inadvertently to a janitorial agency that provides cleaning services.
- To researchers for research purposes.

No business associate relationship with your employees.

Page 26

Business Associate Agreements

You must enter into written agreements with your business associates to:
- Limit use and disclosure of PHI,
- Safeguard PHI, and
- Ensure certain patient rights (e.g., providing a patient with access to PHI).

Page 27

USES AND DISCLOSURES

Page 28

Overview of Uses and Disclosures

Covered ambulance suppliers may use or disclose PHI only:
- For purposes expressly required or permitted by the rule, or
- With patient authorization.

Page 29

Examples When Authorization Required

- To provide a list of names of patients involved in automobile accidents to a company that offers automobile insurance.
- To provide a list of patient names to a national association for the association’s fundraising purposes.

Page 30

Examples When Authorization Not Required

- To use and disclose PHI for your own treatment, payment and health care operations (TPO).
- To disclose PHI for the treatment or payment activities of another covered entity.
- In limited situations, to disclose PHI for the health care operations of another covered entity.

Page 31

Health Care Operations

Generally, no authorization required if the disclosure is:
- To a covered entity that also has a relationship with the patient and
- For quality assessment and improvement activities, case management and coordination, fraud and abuse detection or compliance, and other similar activities.

Page 32

Disclosures to Family Members

May disclose PHI to family members or others involved in the patient’s care or payment for care if:
- The patient agrees (or agreement is inferred), or
- The patient is not present or is incapacitated and you believe that it is in the patient’s best interest.

Also may notify of the patient’s location, general condition, or death.

Page 33

Other Purposes

May use and/or disclose PHI without authorization if certain criteria are met:
- To avert a serious threat to health or safety
- As required by law
- For limited marketing activities
- For public health activities
- For health oversight activities
- For research

Page 34

Other Uses and Disclosures – Avert Serious Threat

May use or disclose PHI based on your good faith belief that the use or disclosure is necessary:
- To prevent/lessen a serious and imminent threat to the health or safety of a person or the public; or
- Under limited circumstances, for law enforcement authorities to identify or apprehend an individual.

Page 35

Written Authorization – The Default Category

- May use and disclose PHI for any reason with the written authorization of the patient.
- Must be in writing and contain certain statements and information that ensures the patient knows how his or her information will be used and disclosed.

Page 36

MINIMUM NECESSARY STANDARD

Page 37

Minimum Necessary Standard

Covered entities may use, disclose and request only the minimum amount of PHI necessary to accomplish the purpose of the use, disclosure or request.

Page 38

Minimum Necessary Exceptions

- Disclosures to and requests by providers for treatment (but it does apply to uses)
- Disclosures to the patient who is the subject of the PHI
- Uses and disclosures pursuant to authorization

Page 39

INCIDENTAL USES AND DISCLOSURES

Page 40

Incidental Uses and Disclosures

An incidental use or disclosure is that which occurs as a result of another use or disclosure that is permitted (e.g., a conversation between EMTs treating a patient overheard by another patient).

Page 41

Incidental Uses and Disclosures

Incidental uses and disclosures are permitted as long as a covered entity has:
- Applied reasonable safeguards, and
- Implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.

Page 42

PATIENT RIGHTS

Page 43

Patient Rights

- Receive a notice of privacy practices
- Receive an accounting of certain disclosures of PHI
- Access their information
- Amend their information
- Request a restriction on the use or disclosure of information
- Request confidential communications

Page 44

Content of Notice

- A header indicating the purpose of the notice
- A description of the uses and disclosures that you may make
- A statement of patient rights and how to exercise them
- A statement of your duties
- Instructions for filing complaints
- Contact information

Page 45

Provision of Notice - First Service Delivery

General Rule:
- Provide the patient with your notice no later than the first service delivery on or after April 14, 2003; and
- Make a good faith effort to obtain a written acknowledgment of receipt of notice.
  - If not obtained, document good faith efforts and reason why not obtained.

Page 46

Obtaining Acknowledgment

- Sign a separate sheet, list, log book, or initial a cover sheet of the notice to be retained by the ambulance supplier
- Tear off sheet to mail back to the ambulance supplier
- Combine an acknowledgment with consent

Page 47

Good Faith Effort – Reason Not Obtained

- Patient refused
- Patient failed to mail back acknowledgment
- Patient unconscious or agitated

Page 48

Provision of Notice - First Service Delivery

EXCEPTION – Emergency Treatment Situations:
- Notice: Provide the notice as soon as reasonably practicable after the emergency situation.
- Acknowledgment: NOT required to make a good faith effort to obtain the acknowledgment.

Page 49

Provision of Notice

You also must make the notice available by April 14, 2003:
- Upon request;
- At the delivery site (notice must be posted and available for individuals to take with them); and
- If you maintain a web site about your services or benefits, prominently on your web site and make the notice available electronically through the site.

Page 50

Accounting

Don’t need to track disclosures
- To carry out treatment, payment, or health care operations
- To patients who are the subject of the PHI
- Pursuant to an authorization

Page 51

Accounting

Must track disclosures
- For public health purposes
- For research
- For health oversight activities
- For administrative/judicial proceedings
- For abuse/neglect reporting

Page 52

ADMINISTRATIVE REQUIREMENTS

Page 53

Administrative Requirements

- Designate a privacy official
- Designate a contact person or office for complaints and questions
- Establish and implement policies and procedures
- Provide training to workforce members
- Apply administrative, technical and physical safeguards
- Establish a process for individuals to make complaints

Page 54

Administrative Requirement – Training

Must train workforce on privacy policies and procedures necessary and appropriate to their jobs. Training must occur:
- For current employees: no later than the compliance date,
- For new employees after the compliance date: within a reasonable time after the person joins the workforce, and
- For employees whose functions change due to a subsequent change in privacy policies or procedures: within a reasonable time after the change.

Page 55

PENALTIES

Page 56

Civil Penalties

Any person who violates a provision is subject to:
- A penalty of not more than $100 for each such violation and
- Total amount imposed on a person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

Page 57

Criminal Penalties

Criminal penalties vary depending on the offense. A person can be fined not more than $250,000, imprisoned not more than 10 years or both if:
- the offense is committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Page 58

INTERACTION WITH STATE LAW

Page 59

Interaction with State Law

- Must comply with both the Privacy Rule and state laws.
- If impossible (rare), comply with the provision that provides the patient with:
  - greater privacy rights,
  - access to greater amounts of information, or
  - greater privacy protections.
- State laws often have heightened protection for sensitive information (e.g., HIV/STDs).

Page 60

The End.