The Basics - Health Insurance Portability and Accountability Act (HIPAA)

barny

Presentation Transcript


  1. The Basics - Health Insurance Portability and Accountability Act (HIPAA)
     PRIVILEGED ATTORNEY-CLIENT COMMUNICATION
     • Original Intent:
       • Act passed in 1996 with two main goals:
         • Ensure individuals would be able to maintain their health insurance between jobs (the “portability” part); and
         • Ensure the security and confidentiality of patient information and mandate uniform standards for electronic data transmission (the “accountability” part).
       • Act required the Department of Health & Human Services (DHHS) to implement regulations on the specific areas of HIPAA.
     • Rules of Primary Concern Here - Privacy & Security Rules:
       • Privacy Rule: Sets limits and conditions on the uses and disclosures of protected health information without patient authorization; gives patients rights over their health information (e.g., rights to examine and obtain a copy of their health records, to request corrections).
         • Compliance Deadline: April 2003
       • Security Rule: The ability to control access to and prevent information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.
         • Compliance Deadline: April 2005

  2. The Basics – HIPAA (cont’d)
     • Entities subject to HIPAA (“covered entities”):
       • Health plans, health care clearinghouses or health care providers (e.g., hospitals, physicians, etc.) that:
         • transmit health information electronically
         • in connection with “covered transactions” (e.g., billing, transmission of health plan enrollment information).
       • For example, the UC Student Health & Counseling Centers (SHCs and SCCs)
     • Operational Consequences of Being a Covered Entity
       • Comply with the HIPAA rules for transactions and code sets (i.e., use certain standardized forms of transmitting electronic data)
       • IF the covered entity is using or disclosing Protected Health Information (PHI) THEN it is required to comply with the HIPAA Privacy Rule (e.g., issue a notice of privacy practices, execute business associate agreements, follow the HIPAA Privacy Rule’s restrictions on the use and disclosure of PHI)
     • What is PHI?
       • Individually identifiable health information except for
         • “Education records” or “treatment records” of students under FERPA
       • Even though the SHCs and SCCs are HIPAA covered entities, they are not required to comply with the HIPAA Privacy Rule with respect to student records.

  3. The Basics – Family Educational Rights & Privacy Act (FERPA)
     • Enacted in 1974
     • Protects the privacy rights of students
     • General Rule: The University may not disclose a student’s education records without the student’s written consent.
       • Several exceptions to general rule (e.g., to University officials who have a legitimate educational interest, health or safety emergency). 34 CFR 99.31.
     • What are “Education Records”?
       • Directly related to a student; and
       • Maintained by the University or by a party acting for the University.
       • Exception: “Treatment Records” are excluded from the definition of “Education Records.”
     • Treatment Records:
       • Records created/maintained by a health care professional/paraprofessional;
       • Used, created or maintained only in the provision of treatment; and
       • Not disclosed to anyone other than individuals providing treatment.

  4. HIPAA & FERPA Intersect
     • Post-November 2008 Analysis
       • Joint Guidance from the Dept of Education & the Dept of Health & Human Services on the Application of HIPAA and FERPA
       • The definition of PHI under HIPAA excludes both education & treatment records.
     • Significance:
       • A HIPAA covered entity is not required to comply with the HIPAA Privacy and Security Rules with respect to both “education records” and “treatment records” (i.e., student medical information).
       • The catch – HIPAA still applies to non-student medical information.
     Joint Guidance: http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf

  5. Which Rules Apply When?
     • Rule of Thumb: If the information relates to a student and is
       • Maintained by the University (education records); OR
       • Made, maintained by a health care professional or paraprofessional and used only in connection with the provision of treatment (treatment records)
       FERPA applies

  6. What About the California Confidentiality of Medical Information Act (CMIA)?
     • Background
       • Enacted in 1979
       • Enforcement Agency: CA Department of Public Health (CDPH)
     • Applies to:
       • Most health care providers (e.g., hospitals, doctors, nurses, SHCs/SCCs), plans, contractors
       • Exceptions: Substance abuse programs and certain mental health care providers (e.g., inpatient psychiatric facilities, county-designated psychiatric facilities)
     • What Information is Protected Under CMIA?
       • Medical Information:
         • individually identifiable information,
         • in electronic or physical form,
         • in possession of or derived from a provider, plan, pharmaceutical company, or contractor
         • regarding a patient's medical history, mental or physical condition, or treatment.
       • Bottom Line: Generally captures treatment records and education records maintained by the SHC/SCC.

  7. What About CMIA? (cont’d)
     • Rules on Disclosure:
       • Generally patient authorization is required for providers, plans and contractors to make a disclosure. (Cal Civ 56.10)
       • Exceptions to General Rule:
         • Must Disclose: List of required disclosures, e.g., if the information is compelled by
           • Search warrant
           • Administrative agency
           • Court order
           • Subpoena
           • When otherwise specifically required by law
           Cal Civ 56.10(b)
         • May Disclose: List of permitted disclosures, e.g.,
           • For treatment and diagnosis
           • If psychotherapist believes disclosure is necessary to prevent serious and imminent threat
           • For payment purposes
           • For licensure and accreditation purposes
           • When otherwise specifically authorized by law (e.g., when authorized by FERPA)
           Cal Civ 56.10(c)
       • Different rules apply to outpatient psychotherapy treatment information

  8. What About CMIA? (cont’d)
     • Medical Information vs. Outpatient Psychotherapy Treatment Information:
       (1) Standard medical information (e.g., results of physical, broken bone x-ray)
         • See Cal Civ 56.10
       (2) Medical information that specifically relates to a patient’s treatment with an outpatient psychotherapist (“Outpatient Psychotherapy Treatment Information”)
         • See Cal Civ 56.104
     • Rules on Disclosure of Outpatient Psychotherapy Treatment Information Under CMIA
       • The “Must Disclose” provisions still apply to these records; no authorization required.
       • Specific “May Disclose” provisions apply:
         • Treatment/Diagnosis: Disclosure for treatment or diagnosis
         • Threat: Disclosure by psychotherapist to prevent serious and imminent threat to health/safety
         • Threat & Law Enforcement/Target Request Information: Per request by law enforcement or target of threat after an initial disclosure has been made by the psychotherapist
         • Requestor: If a requestor notifies the provider and the patient of a request
       • The “otherwise specifically authorized by law” exception does not apply

  9. How CMIA Intersects with HIPAA & FERPA
     • CMIA & FERPA:
       • CMIA’s “otherwise specifically authorized by law” clause
         • Permits providers to disclose medical information (without an authorization) if the disclosure is “otherwise specifically authorized by law” (Cal Civ 56.10(c)(14))
     • CMIA & HIPAA:
       • HIPAA Preemption Rule: Providers must comply with whichever state or federal law is more stringent, and with whichever provision is more stringent.
       • In SHC/SCC context, preemption rule only applies with regard to non-student records.

  10. Questions?
