
TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project

TRICARE Management Activity. HEALTH AFFAIRS. TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project. HIPAA Privacy - Briefing for Line Leadership. TMA HIPAA Office October 2002. Objectives. Provide a general overview of the HIPAA legislation

bernie

Presentation Transcript


  1. TRICARE Management Activity. HEALTH AFFAIRS. TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project. HIPAA Privacy - Briefing for Line Leadership. TMA HIPAA Office October 2002.

  2. Objectives • Provide a general overview of the HIPAA legislation • Describe the HIPAA Privacy Rule and related concepts • Provide examples that translate the DoD Health Information Privacy Regulation into everyday policies and procedures • Describe TMA HIPAA implementation activities • Outline MTF responsibilities • Explain the role of Service Representatives and provide contact information

  3. HIPAA Legislation • Improve portability & continuity of health insurance coverage • Improve access to long-term care services and coverage • Simplify the administration of health care. Compliance within two years of effective dates of final rules.

  4. HIPAA Legislation (cont’d) HIPAA under PL 104-191 requires compliance with several standards, including: • Standards for Electronic Transactions and Code Sets • Privacy • Security Standards • Electronic Signature Standards • National Standard Employer Identifier • National Standard Health Care Provider Identifier • National Standard Health Plan Identifier

  5. MHS Roles and Responsibilities • HA – Establish/Maintain Policy and Oversight Responsibilities • TMA – Integrate Policy into MHS Implementation Plan • Primary for TRICARE Contract HIPAA Impacts • Primary for Transactions & Code Sets • Secondary for Direct Care System HIPAA Impacts • Services/MTFs – Actual Implementation of HIPAA Requirements within Direct Care System • Lead Agents • Oversee Implementation of HIPAA Rules for Contracted Networks in their Region • Maintain a “Foot in Both Camps” to Ensure Regional HIPAA Compliance

  6. Components of the Privacy Rule. Final Rule Published: August 2002; Rule Effective: April 14, 2001; Compliance Date: April 14, 2003 • Consumer control = Rights for individual patient • Boundaries on use and release • Ensuring security • Accountability and penalties • Balancing public responsibility with protections • Preserving strong state laws

  7. Preemption of State Law The DoD HIPAA Privacy regulation preempts state law except: • When disclosing PHI about a minor to a parent, guardian, or person acting in loco parentis of such minor. In this case the laws of the state where treatment is provided apply. • When DoD rules, procedures, or other applicable policy call for DoD components to follow state law with respect to the matter.

  8. Acronyms & Definitions • IIHI - Individually Identifiable Health Information • PHI - Protected Health Information • TPO - Treatment, Payment and Healthcare Operations • Treatment - provision, coordination, consultation and referral • Payment - billing, reimbursement, eligibility, utilization review • Healthcare Operations - QA, credentialing, legal, medical review, auditing, and regular business and management • Use - Internal utilization or sharing of IIHI • Disclosure - External release of IIHI

  9. Who & What is Covered? Who? Covered entities (CEs) • Health care providers who transmit health information in (standard) electronic transactions • Health Plans, e.g., TRICARE • Health care clearinghouses, e.g., companies that perform electronic billing on behalf of MTFs • Our business associates, e.g., managed care support contractors, are not CEs. However, we must contractually bind them to the same standards. What? Protected Health Information (PHI) • Individually identifiable health information including demographics, in electronic, paper or oral medium • Held by covered entities or their business associates

  10. Patient Rights Patients have a right to: • A written notice of information practices from health plans and providers • Request to access, inspect and obtain a copy of their protected health information • Request an accounting of disclosures • Request amendment or correction of their records • Request restrictions on uses and disclosures (authorizations) • Accommodation of reasonable communications requests • Complain to the covered entity and to HHS

  11. Notice of Privacy Practices • Includes: • Uses and disclosure of PHI for TPO • Individual’s rights to access, control and request restrictions on use • Covered entities’ duties • Complaints procedures • Contact information • Effective date

  12. Notice of Privacy Practices • MHS-wide notice developed • Release to MTFs in December 2002 • Distribution to beneficiaries • Mail to home addresses • TRICARE & MTF websites • Retiree organizations • Centralized electronic tracking of acknowledgement

  13. Minimum Necessary • “Role-based” access limits • categorize users by their “need to know” profile and align with IT systems • Limit requests for disclosure from other entities to the minimum needed. • May rely on judgment of requestor if: • public official for permitted disclosure • covered entity • professional within covered entity • business associate for provision of professional service for covered entity • researcher with Institutional Review Board documentation

  14. Permitted Uses & Disclosures For the permitted uses and disclosures listed below, a patient’s opportunity to agree or object is not required. • as required by law • avert serious threats to health or safety • specialized government functions • judicial and administrative proceedings • law enforcement purposes • cadaver organ, eye or tissue donation purposes • victims of abuse, neglect or domestic violence • inmates in correctional institutions or in custody • workers’ compensation • research purposes • public health activities • health oversight activities • about decedents

  15. Permitted Use: Required By Law A covered entity may use or disclose PHI to the extent that such use/disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

  16. Permitted Use: Avert Serious Threats • A covered entity may use or disclose PHI if: • The covered entity in good faith believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, or to identify or apprehend an individual who has made a statement admitting participation in a violent crime; • The disclosure is made to a person(s) reasonably able to prevent or lessen the threat; AND • The disclosure is consistent with applicable law and standards of ethical conduct.

  17. Permitted Use: Avert Serious Threats (cont’d) • Exception: Disclosure may not be made if the covered entity learns the information in the course of treatment, counseling, or therapy to affect the propensity to commit the criminal conduct that is the basis for the disclosure or through a request by the individual to initiate or to be referred for such treatment, counseling, or therapy • Limitation: Disclosure is limited to the following information: • name and address • date and place of birth • social security number • ABO blood type and Rh factor • type of injury • date and time of treatment • date and time of death, if applicable • description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos

  18. Permitted Use: Specialized Government Functions • PHI may be used or disclosed: • For individuals who are Armed Forces personnel, for activities military command authorities have deemed to be necessary to assure the proper execution of the military mission; • A U.S. Department of Defense or Transportation covered entity may disclose to the Department of Veterans Affairs (DVA) the PHI of an Armed Forces member upon the member’s separation or discharge from service for the purpose of determining eligibility for federal veterans’ benefits; • A DVA covered entity may use and disclose PHI within the DVA to determine eligibility for or provide veterans’ benefits; • To authorized federal officials for the conduct of lawful intelligence, counterintelligence, or other national security activities authorized by the National Security Act;

  19. Permitted Use: Specialized Government Functions (cont’d) • To authorized federal officials for the provision of protective services to the President and other persons under protection of the Secret Service and related federal entities or for the conduct of investigations into threats; • To the Department of State to make medical suitability determinations, including disclosing whether an individual was found to be medically suitable to Department of State officials who need the information for the purpose of 1) a required security clearance; 2) determining worldwide availability or availability for mandatory service abroad under the Foreign Service Act; OR 3) a family member accompanying a Foreign Service member abroad;

  20. Permitted Use: Specialized Government Functions (cont’d) • A health plan that is a government program providing public benefits may disclose PHI relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if a statute or regulation authorizes 1) the sharing of eligibility or enrollment information among agencies, or 2) the maintenance of eligibility or enrollment information in a single or combined data system accessible to all agencies; • A covered entity that is a government agency administering a government program providing public benefits may disclose PHI relating to the program to another covered entity that is also a government agency administering a government program providing public benefits, provided 1) the programs serve the same/similar populations, and 2) disclosure of PHI is necessary to coordinate the covered functions or to improve administration and management relating to the programs’ covered functions.

  21. Permitted Use: Judicial and Administrative Proceedings • PHI may be disclosed: • In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the PHI authorized by the order; • In response to a subpoena, discovery request, or other lawful process, in the absence of a court order, provided one of the following circumstances applies: • satisfactory assurance is received from the party seeking the PHI that reasonable efforts have been made to ensure that the individual who is the subject of the PHI has been given notice of the request; OR • satisfactory assurance is received from the party seeking the PHI that reasonable efforts have been made to secure a qualified protective order • as an alternative to either of the above, the covered entity may itself give written notice to the individual or seek a qualified protective order that meets the rule’s requirements

  22. Permitted Use: Law Enforcement Proceedings • PHI may be disclosed to a law enforcement official: • When required by law, including to report certain types of wounds or other physical injuries (excludes laws pertaining to the reporting of child abuse or neglect or other victims of abuse, neglect, or domestic violence); • In compliance with a court order or by a court-ordered warrant, or a subpoena or summons issued by a judicial officer; • In compliance with a grand jury subpoena; • In compliance with an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:

  23. Permitted Use: Law Enforcement Proceedings (cont’d) • the information sought is relevant and material to a legitimate law enforcement inquiry; • the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; • De-identified information could not reasonably be used. • To identify or locate a suspect, fugitive, material witness, or missing person, limited to the types of information listed on page 17; • If the covered entity believes in good faith that the PHI constitutes evidence of criminal conduct that occurred on the covered entity’s premises;

  24. Permitted Use: Law Enforcement Proceedings (cont’d) • About an individual who is or is suspected to be a victim of a crime if a law enforcement official requests the information and either the individual agrees to the disclosure or, in the event the individual is unable to give consent due to incapacitation or some other emergency circumstance, the law enforcement official represents that 1) the information is needed to determine whether a violation of law has occurred and the information will not be used against the victim; 2) immediate law enforcement activity would be materially and adversely affected by waiting for the individual to agree to the disclosure; AND 3) the covered entity, in the exercise of professional judgment, determines that the disclosure is in the best interest of the individual; • In response to a medical emergency, other than an emergency on the provider’s own premises, if the disclosure appears necessary to alert law enforcement to the commission and nature of a crime; the location of the crime or of its victims; and the identity, description, and location of the perpetrator.

  25. Permitted Use: Victims of Abuse, Neglect, or Violence • PHI may be disclosed about an individual believed to be the victim of abuse, neglect or domestic violence to a government authority authorized by law to receive reports of abuse, neglect, or domestic violence. This section does not apply to reporting of child abuse or neglect, which is covered above. • Conditions of Disclosure: • the individual must agree to the disclosure; OR • the covered entity, in the exercise of professional judgment, must determine that the disclosure is necessary to prevent serious harm to the individual or other potential victims; OR • if the individual is unable to agree due to incapacity, the authorized government authority receiving the PHI must represent that the PHI will not be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be adversely and materially affected by waiting for the individual to agree to the disclosure.

  26. Permitted Use: Victims of Abuse, Neglect, or Violence (Cont’d) • Informing the individual: the covered entity must promptly inform the individual of a disclosure as permitted above, except when: • the covered entity believes that informing the individual would place the individual at risk of serious harm, OR • the covered entity would be informing a personal representative who is believed to be responsible for the abuse, neglect, or other injury, and informing the personal representative would therefore not be in the best interest of the individual.

  27. Permitted Use: Workers’ Compensation PHI may be disclosed to the extent necessary to comply with workers’ compensation laws or other similar laws that provide benefits for work-related injuries or illness without regard to fault.

  28. Permitted Use: Inmates in Correctional Institutions • PHI may be disclosed about an inmate or other person in lawful custody to a correctional institution, if the PHI is necessary for: • the provision of health care to the individual; • the health and safety of the individual or other inmates; • the health and safety of the officers, employees, or others at the correctional institution; • the health and safety of the individual and officers or other persons responsible for transporting inmates or for their transfer from one facility or setting to another; • law enforcement on the premises of the correctional institution; • the administration and maintenance of the safety, security, and good order of the correctional institution

  29. Permitted Use: About Decedents • PHI may be disclosed: • To a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. • Any official of the DoD authorized to perform functions under the authority of the Armed Forces Medical Examiner system under DoD Directive 5154.24 is a medical examiner. • To funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent.

  30. Permitted Use: Public Health Activities • PHI may be disclosed: • To a public health authority for the purpose of preventing/controlling disease, injury or disability, including but not limited to the reporting of disease, injury, vital events (i.e., birth, death), and the conduct of public health surveillance, investigations, and interventions; • To a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect; • To a person subject to the jurisdiction of the Food and Drug Administration (FDA), with respect to an FDA-regulated product or activity for which that person has responsibility. The purposes of such disclosure include:

  31. Permitted Use: Public Health Activities (cont’d) • To collect or report adverse events, product defects or problems, or biological product deviations • To track FDA-regulated products • To enable product recalls, repairs, replacement, or “lookback” • To conduct post-marketing surveillance • To a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, provided the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation;

  32. Permitted Use: Public Health Activities (cont’d) • To an employer about an individual who is a member of the workforce of the employer, provided: • The covered entity is a health care provider who is a member of the employer’s workforce or who provides health care to the individual at the request of the employer to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness or injury • The PHI disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance • The employer needs the findings in order to comply with its obligations under the regulations of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration, or under state law, AND • The covered health care provider provides written notice to the individual that the PHI relating to the medical surveillance of the workplace and work-related illnesses/injuries is disclosed to the employer by giving a copy of the notice to the individual at the time the health care is provided or by posting the notice in a prominent place at the location where the health care is provided.

  33. Business Associates Definition: “A person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of protected health information.” • Cannot be a member of the health care provider, health plan, or other covered entity's workforce • Can be a health care provider, health plan, or another covered entity • Excludes covered entities who disclose protected health information to providers for treatment purposes

  34. BA Contracts—Required Terms • Use and disclose PHI only as authorized in the contract • No further uses and disclosures • Such uses and disclosures may not exceed what the covered entity may do under HIPAA • Implement appropriate privacy and security safeguards • Report unauthorized disclosures to covered entity • Meet all patient rights provisions • Make available PHI under access, amendment and accounting of disclosures rights • Incorporate any amendments to PHI

  35. Managing Business Associates MHS/MTFs must obtain “satisfactory assurance” that business associates will reasonably safeguard disclosed information and only use the information for the purposes for which the business associate was engaged. • Memorandums of Understanding (MOUs) • Dept of Veterans Affairs • Dept of Transportation/Coast Guard • DoD Medical Privacy Regulation • Contract addendum/amendment • MCSC contract modification • MHS/MTFs are not required to monitor or oversee the means by which their business associates carry out privacy safeguards. However, if a material violation of the contract is discovered, the violation must be cured or the contract terminated.

  36. MTF Requirements • Designate a Privacy Officer • Train workforce to protect privacy • Assess compliance using TMA tool • Review DoD Health Information Privacy Regulation • Map protected health information flow • Conduct gap analysis & adjust policies/procedures • Introduce Notice of Privacy Practices • Institute authorization form • Establish patient privacy complaint and inquiry procedure • Identify and brief responsibilities of communities of interest

  37. MTF Privacy Officer • Oversee activities related to compliance with the HIPAA Privacy Rule • Establish procedures to track access, use and disclosure of PHI • Ensure adherence to MHS policies and procedures at MTF level • Train workforce • Monitor business associate agreements related to privacy concerns • Investigate patient complaints regarding privacy infractions

  38. Resources • www.tricare.osd.mil/hipaa • hipaamail@tma.osd.mil • MTF Information Papers • Beneficiary Pamphlet • MTF Posters • Authorization form template • Updated PO training materials (CD content)
