
Objectives

HIPAA: The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191). Impact on Pathologist. Trina Shanks, University Pathology Services, Inc. & The OSU Department of Pathology. Objectives: HIPAA Historical Background; Privacy Rule; Purposes of the Privacy Rule


Presentation Transcript


  1. HIPAA: The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) • Impact on Pathologist • Trina Shanks, University Pathology Services, Inc. & The OSU Department of Pathology

  2. Objectives • HIPAA Historical Background • Privacy Rule • Purposes of the Privacy Rule • Privacy Rule effects on Pathologists • Privacy assessment gaps • Research Provisions

  3. HIPAA Historical Background • Enacted in August 1996, HIPAA included a wide array of provisions designed to make health insurance more affordable and accessible. With support from health plans, hospitals and other health care businesses, Congress included provisions in HIPAA to require HHS to adopt national standards for certain health care transactions, codes, identifiers and security. HIPAA also set a three-year deadline for Congress to enact comprehensive legislation to protect medical records and other personal health information. When Congress did not enact such legislation by August 1999, HIPAA required HHS to issue health privacy regulations.

  4. Title I Portability • Protects Americans with pre-existing conditions from losing health insurance when changing jobs. • Prevents discrimination in health care coverage.

  5. Title II Administrative Simplification • Standardization of electronic patient health, administrative and financial data • Unique health identifiers for individuals, employers, health plans and health care providers • Security standards protecting the confidentiality and integrity of “individually identifiable health information (PHI-Protected Health Information),” past, present or future

  6. HIPAA Administration Simplification Rules • Each rule is being approved individually. Once each rule is approved, there is a 2-month comment period and a 24-month implementation window = 26 months to live

  7. Who is affected? • All healthcare organizations. • This includes all health care providers, even one-doctor physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and medical universities.

  8. Privacy Rule Provisions • Limit the non-consensual use and release of private health information • Give patients new rights to access their medical records and to know who else has accessed them • Restrict most disclosure of health information to the minimum needed for the intended purpose • Establish new criminal and civil sanctions for improper use or disclosure • Establish new requirements for access to records by researchers and others

  9. Purpose of the Privacy Rule • Protect and enhance rights of consumers to their health information and control the inappropriate use of the information. • Improve the quality of health care in the U.S. by restoring trust in the health care system.

  10. As Modified, Privacy Rule is: • Flexible and Scalable • Workable • Balanced The Privacy Rule “strikes a common sense balance by providing consumers with personal privacy protections and access to high quality health care.” HHS Secretary Thompson

  11. Treatment, Payment & Health Care Operations (TPO) • Covered Entities may use/disclose Protected Health Information (PHI) to carry out essential health care functions.

  12. Treatment • Treatment: the provision, coordination, or management of health care by one or more health care providers.

  13. Payment • Payment: activities of health care providers to obtain payment or reimbursement for their services, and of health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care.

  14. Health Care Operations • Health Care Operations: administrative, financial, legal and quality improvement activities necessary to run the business and to support the core functions of treatment and payment. • Quality assessment and improvement activities. • Training, accreditation, certification, credentialing, licensing, reviewing competence, evaluating performance. • Fraud and abuse detection. • Underwriting, rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits. • Conducting or arranging for medical review, legal services, or auditing. • Business planning and development. • Business management and general administrative activities.

  15. The HIPAA privacy regulations affect pathologists in three ways. • 1. HIPAA requires that a pathologist or laboratory develop and implement policies and procedures to govern their use and disclosure practices with respect to PHI. • 2. Must establish and implement policies and procedures to provide for certain rights that must be afforded to patients. • 3. Must establish and implement policies and procedures to document certain administrative steps that the pathologist must take to ensure that PHI is properly protected.

  16. Privacy Assessment Gaps • Submitted self-assessments • Direct observation • Reports from staff

  17. Medical Information Access • Finding: PCs, printers, faxes in areas accessed by the public • Concern: Personal information accessible by unauthorized individuals • Action: Review your environment. Do not place equipment that collects/receives PHI in areas where the information can be seen by visitors or other patients

  18. Medical Information Disposal • Finding: Printouts are not properly discarded • Concern: Paper reports disposed of in the trash can resurface • Action: Instruct staff never to place legible patient identifiable reports in the trash. Use bins for shredding, or shred before disposing.

  19. Medical Information Storage • Finding: Medical records are not secured • Concern: Patient records are not to be accessed by anyone who is not involved in the treatment, payment or hospital operations related to the patient except as authorized by the patient. • Recommendation: Records are to be kept in secure medical record storage areas, with limited access. Sign off of the system before leaving the area.

  20. Conversations • Finding: Healthcare conversations are overheard • Concern: Patient information is to be discussed in private • Action: Remind staff of the need to use conference room, step away from public settings, be discreet when speaking on the telephone

  21. Patient Communications • Finding: Patient care areas have various practices related to contacting patients • Concern: Patients have the right to control release of information • Recommendation: Do not leave messages or speak to a family member or friend without giving notice to the patient or obtaining consent. • Note: When the patient is not present or is incapacitated, uses and disclosures are permissible using professional judgment to determine if they are in the best interest of the individual. Consider minimum necessary.

  22. Need More Info? • http://www.cms.gov/hipaa/hipaa2/ • http://www.hhs.gov/ocr/hipaa • OSUMC Newsline, Progressline, Connections, Med Staff News & Webster • OSUMC posters with monthly tips • Medical Center Privacy Office via email at “Privacy Office” or 293-4477

  23. Questions?

  24. Research • Research Provisions: Covered entities may use and disclose PHI for research: - with individual authorization, or - without individual authorization under limited circumstances

  25. What Research is Affected? • Records research that uses existing PHI, such as: Research databases and repositories • Research that includes treatment of research participants, such as: Clinical trials

  26. Relationship to Other Research Rules • The Privacy Rule does not override the Common Rule or FDA’s human subject protection regulations

  27. Common Rule vs. Privacy Rule: Research WITH patient permission • Common Rule/FDA Regulated: IRB review of research and informed consent • Privacy Rule: Valid authorization

  28. Privacy Authorization • Research participant authorization to use or disclose PHI is required for most clinical trials and some records research -May be no expiration date or event or may continue until “end of research study” -May be combined with informed consent to participate in research

  29. Common Rule vs. Privacy Rule: Research WITHOUT patient permission • Common Rule: IRB Review - 4 waiver criteria • Privacy Rule: - IRB/Privacy Board Review - 3 waiver criteria - Preparatory research; - Research on decedents; or - Limited data set

  30. Use and Disclosure of PHI of Research WITHOUT Individual Authorization • Four Options: Option 1: Obtain documentation that an IRB or Privacy Board has approved an alteration to or waiver of authorization based on the following 3 waiver criteria:

  31. 3 Waiver Criteria • 1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

  32. Minimal Risk Elements a. An adequate plan to protect the identifiers from improper use/disclosure b. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining identifiers or such retention is otherwise required by law; and c. Adequate written assurances that PHI will not be reused/disclosed to any other person or entity, with certain exceptions.

  33. Waiver criteria… • 2. The research could not practicably be conducted without the alteration or waiver • 3. The research could not practicably be conducted without access to and use of the PHI

  34. Use and Disclosure of PHI of Research WITHOUT Individual Authorization Option 2: Obtain representation that the use or disclosure is necessary to prepare a research protocol or for similar purposes preparatory to research -No PHI removed from Covered Entity

  35. Use and Disclosure of PHI of Research WITHOUT Individual Authorization • Option 3: Obtain representation that the use or disclosure is solely for research on decedents' protected health information

  36. Use and Disclosure of PHI of Research WITHOUT Individual Authorization • Option 4: Only use or disclose limited data set/“indirect identifiers” (e.g. zip codes, dates of service, age, death) - Requires a data use agreement

  37. Accounting for Research Disclosures • Upon request, must provide accounting for research disclosures made without individual authorization (except for disclosures of the limited data set). • For 50+ records: -List of protocols for which PHI may have been disclosed, and -Researcher contact information

  38. Ongoing Research at Time of Compliance Date (4/14/03) • Grandfathers in use or disclosure of PHI as permitted by the following if obtained prior to the compliance date: -Legal permission for the use or disclosure of PHI; -Informed consent for the research; or -An IRB waiver of informed consent under the Common Rule.

  39. Questions?
