OVERVIEW OF THE HIPAA PRIVACY RULE AND POLICIES
Presented by: Barbara Lee Peace, Facility Privacy Official, Coliseum Medical Centers

COMPLIANCE DEADLINE
• HIPAA Privacy Rule: April 14, 2003
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.
• It’s a Federal law
• Provides continuity of healthcare coverage
• Administrative Simplification ???

• Recognized need to improve protection of health privacy
• Response by Congress for healthcare reform
• Affects all of the healthcare industry
• HIPAA is mandatory; there are penalties for failure to comply
• Transactions
  • Requires standardized transaction content, formats, diagnostic & procedure codes, and national identifiers for healthcare EDI transactions.
• Privacy
  • Establishes conditions that govern the use and disclosure of individually identifiable health information.
  • Establishes patient rights in regard to their protected health information (PHI).
• Security
  • Establishes requirements for protecting the confidentiality, availability and integrity of individually identifiable health information.

• Civil
  • For failure to comply with transaction standards
  • $100 fine per occurrence; up to $25,000 per year
• Criminal
  • For health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses
  • Penalties are higher for actions designed to generate monetary gain:
    • up to $50,000 and one year in prison for obtaining or disclosing protected health information
    • up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"
    • up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
Why do we need HIPAA?
• 1996 – In Tampa, a public health worker sent two newspapers a computer disk containing the names of 4,000 people who had tested positive for HIV.
• 2000 – Darryl Strawberry’s medical records from a visit to a New York hospital were reviewed 365 times. An audit determined that less than 3% of those reviewing his records had even a remote connection to his care.
• 2001 – An e-mail sent to the members of a Prozac informational listserv revealed the identities of other Prozac users.
• Closer to Home

Title II – Administrative Simplification
• Federal Law vs. State Laws
• Protect health insurance coverage, improve access to healthcare
• Reduce fraud and abuse
• Establish new patient rights and privacy control by establishing common transaction sets for sending and securing patient information
• Improve efficiency and effectiveness of healthcare
• Reduce healthcare administrative costs (electronic transactions) ???
Who must comply?
HIPAA applies to all Covered Entities (CE) that transmit protected health information electronically, such as:
• Health Plan
• Health Care Clearinghouse
• Health Care Provider

Confidentiality
• The delicate balance between every employee’s, physician’s and volunteer’s need to know and the patient’s right to privacy is at the heart of HIPAA Privacy.
Practicing Privacy
• Treat all information as if it were about you or your family.
• Access only those systems you are officially authorized to access.
• Use only your own User ID and Password to access systems.
• Access only the information you need to do your job.

Practicing Privacy
• Refrain from discussing patient information in public places.
• Create a “hard to guess” password and never share it.
• Log off or lock your computer workstation when you leave it.

HIPAA MYTHS
• WHITE BOARDS
• SIGN-IN SHEETS
• PAGING
• CALLING OUT NAMES
• NAMES ON DOORS
• STRUCTURES TO PREVENT DISCLOSURES
Oral Communications
• The following practices are permissible if reasonable precautions (lowering voices) are taken to minimize inadvertent disclosures to others:
  • Staff may communicate orally at the nursing stations
  • Health care professionals may discuss a patient’s treatment in a joint treatment area
  • Health care professionals may discuss a patient’s condition during patient rounds

Common Terminology/Abbreviations (not all inclusive)
• Affiliated Covered Entity (ACE) – Entities under common ownership or control may designate themselves as an ACE. Uses and disclosures of PHI are permitted without consent or authorization under TPO.
• Treatment, Payment or Healthcare Operations (TPO) – the business practices the hospital undergoes for its daily functions and services
Terminology, Con’t
• Covered Entity (CE) – A health plan, healthcare clearinghouse or healthcare provider who transmits any health information in connection with a transaction.
• Designated Record Set (DRS) – Includes the medical record and billing information, in whole or in part, used by or for the covered entity to make decisions about patients

Terminology, Con’t.
• Business Associate (BA) – A person, business or other entity who, on behalf of an organization covered by the regulations, performs or assists in performing a function or activity involving the use or disclosure of PHI.
• Protected Health Information (PHI) – any identifying piece of information on a patient
Terminology – What is PHI?
Protected Health Information (PHI) is the medical record and any other individually identifiable health information (IIHI) used or disclosed for treatment, payment, or health care operations (TPO). (Secure Bins)
• Name
• Address
• Photo images
• Any date
• Telephone/Fax numbers
• Social Security Number
• Medical record number
• Health plan beneficiary number
• Account number
• Any other unique identifying number, characteristic, or code.

Terminology, Con’t
• Organized Health Care Arrangement (OHCA) – A clinically integrated care setting in which individuals typically receive health care from more than one provider, e.g., medical staff, radiologist physician group, ER physician group, volunteers, clergy, etc.

Terminology, Con’t: Notice of Privacy Practices (NOPP)
• Disclosure of how PHI is used
• Directory policy
• Confidential Communications
• Right to Access
• Right to Amend
• Accounting for Disclosures
• Right to request restrictions on certain uses and disclosures
• FPO contact information
• Formal complaint process
When can we use PHI?
We can use PHI for Treatment, Payment and Healthcare Operations (TPO).
• Business Associates (BA)
• Affiliated Covered Entity (ACE)
• Organized Health Care Arrangement (OHCA)

Do you need to know this information to do your job?
“Need to know basis” (Appropriate Access Policies)

MINIMUM NECESSARY INFO
• The facility uses and discloses the minimum amount of PHI necessary to accomplish the intended purpose.
• Applies whether the hospital is sharing, examining or analyzing PHI, or whether we are responding to a request from outside the facility.

POLICIES
• 9 CORPORATE POLICIES
• 23 FACILITY POLICIES
PATIENT PRIVACY PROGRAM REQUIREMENTS
• HIM.PRI.001
• LISTS ALL PROGRAM REQUIREMENTS AND DEFINITIONS

Privacy Official Policy
• Policy HIM.PRI.002
• Barbara Lee Peace, FPO – Facility Privacy Official – Ext 1682
• Gayla White, LSC – Local Security Coordinator – Ext 1419

PATIENT PRIVACY PROTECTION
• HIM.PRI.003
• Defines the individual’s responsibility in protecting PHI
• “Need to Know” is the basis for access
Right to Access
• HIM.PRI.004
• Individuals have the right to inspect and obtain a copy of their PHI.
• Facility/PASA will provide a readable hard copy of the portions of the DRS requested.
• On-line access is not available at this time.
• Individuals with system access are not permitted to access their own record in any system.
• The facility must act on a request for access no later than 30 days.
• Requests should be forwarded to the HIM Dept (unless Referral/Industrial or billing info).
• May charge for the copy according to GA Code.

RIGHT TO AMEND
• HIM.PRI.005
• Individuals have the right to amend PHI contained in the DRS for as long as the information is maintained.
• For the intent of this policy, amend is defined as the patient’s right to add to (append) information with which he/she disagrees, and does not include deleting, removing or otherwise changing the content of the record.
• Requests for Amendment must be forwarded to the FPO for processing.
RIGHT TO REQUEST PRIVACY RESTRICTIONS
• HIM.PRI.006
• Patients will be provided the right to request restriction of certain uses and disclosures of PHI.
• Requests for such restrictions must be made in writing to the FPO.

RIGHT TO REQUEST PRIVACY RESTRICTIONS
• No other employee or physician may process such a request unless specifically authorized by the FPO.
• The facility is not required to act immediately and should investigate its ability to meet the request prior to agreeing to any restriction.
• 99% of the time the request will not be honored.

RIGHT TO REQUEST PRIVACY RESTRICTIONS
• The facility must permit the patient to request a privacy restriction. The FPO or designee is the only person who may agree to any restriction.
• Should not be acted on immediately, but rather after investigation to ensure the facility can accommodate the request.
• The request must be in writing from the patient.
• If denied, the patient must be notified of the denial.
• The request will be filed in the medical record or billing.
• Termination of the request (by facility or patient).
NOTICE OF PRIVACY PRACTICES
• HIM.PRI.007 NOPP
• The NOPP must be given to every patient who physically registers for services (referrals, lab specimens through SNF or HH, etc.). Each patient must acknowledge receipt (initialing).
• A 4-page document outlining the patient’s rights and giving notice of all of the ways the facility uses and shares a patient’s health information.

NOPP
• Explains ACE, OHCA, uses, disclosures, rights to access, amend, receive confidential communications, request restrictions, request an accounting of disclosures, how to file complaints, name & number of the FPO, and more.
• The Notice must be posted throughout the facility and on the facility web site.

NOPP
• Company-affiliated facilities may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising any rights under the HIPAA Privacy Standards.
RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION
• HIM.PRI.008
• Patients can request alternate means of communication for mail and telephone calls.
• Unacceptable means include fax, e-mail and Internet communications.
• The patient must complete and sign the “Request for Confidential Communications” form.
• The form must be submitted to the FPO, who will give a copy of the form to the patient.

CONFIDENTIAL COMMUNICATION (cont’d)
• The FPO must notify other parties as appropriate (PASA).
• If the alternate phone/address is not accurate, 7 days must pass and then the FPO will notify all applicable parties to take appropriate action.
• The patient must complete a new form for the future if the original alternate information is incorrect.
• If revocation is desired by the patient, the “Conf Communication Revocation” form must be completed.
ACCOUNTING OF DISCLOSURES
• HIM.PRI.009 AOD
• Individuals have the right to an accounting of disclosures made by the facility.
• Includes written and verbal disclosures.
• The accounting must include the date, a description of what was disclosed, a statement of the purpose for the disclosure, and to whom the disclosure was made.

AOD (cont’d)
• HIM.PRI.009
• EXCEPTIONS from Accounting: uses and disclosures for treatment, payment, healthcare operations (TPO).
• *** This is not a system audit trail of user access. This is an accounting of entities to which information has been disclosed. ***
AOD (cont’d)
• The facility must document the AOD and retain the documentation for 6 years.
• Types of uses and disclosures that must be tracked for purposes of accounting:
  • Required by law
  • Public health activities
  • Victims of abuse, neglect, or domestic violence, unless the healthcare provider believes informing the individual may cause serious harm or believes the individual is responsible for the abuse, neglect, or injury.
  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes

AOD
  • Decedents – coroners and medical examiners OR funeral directors
  • Cadaveric organ, eye, or tissue donation purposes
  • Research purposes where a waiver of authorization was provided by the Institutional Review Board, or preparatory reviews for research purposes
  • In order to avert a serious threat to health or safety
  • Specialized government functions (military or veterans’ activities OR protective services for the President and others)
  • Worker’s compensation, as necessary to comply with laws relating to worker’s compensation programs (not including disclosures related to payment)
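The three AOD slides above describe a record-keeping requirement: every non-TPO disclosure must be captured with its date, description, purpose and recipient, kept for 6 years, and the accounting must not be confused with a system audit trail of user access. The following Python sketch, an added example that is not part of the presentation or any facility system, shows one way a disclosure ledger can enforce those rules. The class and function names, the purpose labels, the flat 6×365-day retention window and all sample entries (including the MRN) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Disclosures for treatment, payment or healthcare operations are exempt from
# the accounting, as the AOD policy slides state. Labels are constructed.
TPO_PURPOSES = {"treatment", "payment", "healthcare operations"}

# The policy requires the AOD documentation to be retained for 6 years.
# A flat day count is used here as a simplification (assumption).
RETENTION = timedelta(days=6 * 365)


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of PHI to an outside party (written or verbal)."""
    patient_id: str      # e.g. an MRN; sample values below are constructed
    disclosed_on: date
    description: str     # what was disclosed
    purpose: str         # why it was disclosed
    recipient: str       # to whom it was disclosed
    channel: str         # "written" or "verbal"


class DisclosureLedger:
    """Records disclosures and produces a patient's accounting of disclosures.

    Deliberately separate from any system audit trail: a user opening a chart
    is an access event, not a disclosure, and is never recorded here.
    """

    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        # Every entry must carry the elements the accounting requires.
        for name in ("description", "purpose", "recipient"):
            if not getattr(d, name).strip():
                raise ValueError(f"disclosure is missing required element: {name}")
        if d.channel not in ("written", "verbal"):
            raise ValueError("channel must be 'written' or 'verbal'")
        # TPO disclosures are still recorded so the ledger is complete; they
        # are filtered out only when the accounting is produced.
        self._entries.append(d)

    def accounting_for(self, patient_id: str, as_of: date) -> List[Disclosure]:
        """Non-TPO disclosures for one patient within the retention window."""
        cutoff = as_of - RETENTION
        return sorted(
            (e for e in self._entries
             if e.patient_id == patient_id
             and e.purpose.lower() not in TPO_PURPOSES
             and cutoff <= e.disclosed_on <= as_of),
            key=lambda e: e.disclosed_on,
        )

    def purge_expired(self, as_of: date) -> int:
        """Drop entries older than the retention period; returns how many."""
        cutoff = as_of - RETENTION
        before = len(self._entries)
        self._entries = [e for e in self._entries if e.disclosed_on >= cutoff]
        return before - len(self._entries)


def format_accounting(entries: List[Disclosure]) -> List[str]:
    """Render each entry with the date, description, purpose and recipient."""
    return [f"{e.disclosed_on.isoformat()} | {e.description} | {e.purpose} | "
            f"{e.recipient} ({e.channel})" for e in entries]


def demo_ledger() -> DisclosureLedger:
    """Constructed sample data; not real patients, dates or disclosures."""
    ledger = DisclosureLedger()
    pid = "MRN-000123"  # constructed placeholder
    ledger.record(Disclosure(pid, date(2003, 5, 1), "Lab results",
                             "public health activities", "County Public Health Dept", "written"))
    ledger.record(Disclosure(pid, date(2003, 5, 20), "Claim summary",
                             "payment", "Example Health Plan", "written"))   # TPO: not accounted
    ledger.record(Disclosure(pid, date(2003, 6, 10), "Admission dates",
                             "decedents", "County Coroner", "verbal"))
    ledger.record(Disclosure(pid, date(1996, 3, 3), "Discharge summary",
                             "required by law", "State Agency", "written"))  # outside 6-year window
    return ledger


def demo_accounting() -> List[str]:
    """Accounting for the sample patient as of 2004-01-01 (constructed date)."""
    return format_accounting(demo_ledger().accounting_for("MRN-000123", date(2004, 1, 1)))


if __name__ == "__main__":
    for line in demo_accounting():
        print(line)
```

Run as a script, the example prints two lines: the public-health and coroner disclosures. The payment disclosure is suppressed as TPO and the 1996 entry falls outside the retention window; `purge_expired` can then remove entries that are past the 6-year period.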
AOD
• Meditech
• Correspondence menu
• On the Mox menu
• Detailed instructions forthcoming

VERIFICATION OF EXTERNAL REQUESTORS
• The policy assumes the requestor is authorized and the facility just needs to verify.
• Identity verification:
  • Valid State/Federal Photo ID
  • Minimum of 3 of the following: SS#, DOB, one of the following (acct #, address, insurance carrier, card or policy #, MR #, birth certificate)
  • Positive match signature
VERIFICATION (CONT’D)
• Unacceptable forms of identification:
  • Employment ID card/Student ID card
  • Membership ID cards
  • Generic billing statements (utility bills)
  • Supplemental Security card (SSI)
  • Credit cards (photo or non-photo)

VERIFICATION (CONT’D)
• Third-Party & Company identification methods:
  • Letterhead
  • Email address
  • Fax cover sheet with company logo
  • Photo ID
• If in doubt, follow up via telephone
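The three verification slides together form a checklist that staff apply before releasing records to an outside requestor. As an added example, not the facility's own tool or procedure, the Python below encodes that checklist so each denial carries a reason: the photo ID must be state or federal issued and not one of the unacceptable forms, the presented data points are compared against the record on file, and the signature must positively match. Reading "minimum of 3 of the following" as three matching data points from the listed set is an assumption, as is treating fewer than two corroborating indicators on a company request as "doubt" that calls for a telephone follow-up. All names, field keys and sample values (including the SSN and MRN) are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Forms of identification the verification policy lists as unacceptable.
UNACCEPTABLE_ID_KINDS = {
    "employment id", "student id", "membership id",
    "utility bill", "ssi card", "credit card",
}

# Data points that may be matched against the record on file (constructed keys).
MATCHABLE_FIELDS = (
    "ssn", "dob", "account_number", "address", "insurance_carrier",
    "policy_number", "mrn", "birth_certificate",
)
MIN_MATCHES = 3  # reading of "minimum of 3 of the following" (assumption)


def _norm(value: str) -> str:
    """Compare loosely: case-insensitive, punctuation and spaces ignored."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


@dataclass
class PhotoId:
    kind: str     # e.g. "driver license" or "student id"
    issuer: str   # "state", "federal", or something else
    valid: bool   # unexpired and genuine on inspection


@dataclass
class VerificationResult:
    approved: bool = False
    matched_fields: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def verify_requestor(on_file: Dict[str, str], presented: Dict[str, str],
                     photo_id: PhotoId, signature_matches: bool) -> VerificationResult:
    """Apply the identity-verification checklist to one in-person request."""
    result = VerificationResult()
    if photo_id.kind.lower() in UNACCEPTABLE_ID_KINDS:
        result.reasons.append(f"'{photo_id.kind}' is not an acceptable form of identification")
    elif photo_id.issuer.lower() not in ("state", "federal") or not photo_id.valid:
        result.reasons.append("a valid state or federal photo ID is required")
    for name in MATCHABLE_FIELDS:
        if name in presented and name in on_file and _norm(presented[name]) == _norm(on_file[name]):
            result.matched_fields.append(name)
    if len(result.matched_fields) < MIN_MATCHES:
        result.reasons.append(
            f"only {len(result.matched_fields)} of the required {MIN_MATCHES} data points matched")
    if not signature_matches:
        result.reasons.append("signature does not positively match")
    result.approved = not result.reasons
    return result


def company_request_needs_callback(letterhead: bool, company_email: bool,
                                   fax_coversheet_logo: bool, photo_id: bool) -> bool:
    """Third-party/company request: fewer than two corroborating indicators
    counts as doubt and triggers the telephone follow-up (assumption)."""
    return sum([letterhead, company_email, fax_coversheet_logo, photo_id]) < 2


# Constructed sample record on file; not a real patient.
SAMPLE_ON_FILE = {"ssn": "000-00-0000", "dob": "1970-01-01",
                  "address": "123 Example St", "mrn": "MRN-000123"}


def demo_in_person() -> VerificationResult:
    """Valid state ID, three matching data points, signature matches: approved."""
    presented = {"ssn": "000000000", "dob": "1970-01-01", "address": "123 example st"}
    return verify_requestor(SAMPLE_ON_FILE, presented, PhotoId("driver license", "state", True), True)


def demo_student_id() -> VerificationResult:
    """Data points match, but a student ID is an unacceptable form: denied."""
    presented = {"ssn": "000000000", "dob": "1970-01-01", "mrn": "MRN-000123"}
    return verify_requestor(SAMPLE_ON_FILE, presented, PhotoId("student id", "other", True), True)


def demo_too_few_matches() -> VerificationResult:
    """Federal photo ID is fine, but only one data point matches: denied."""
    presented = {"ssn": "000000000", "dob": "1970-01-02"}
    return verify_requestor(SAMPLE_ON_FILE, presented, PhotoId("passport", "federal", True), True)
```

Each demo returns a `VerificationResult`; a denied result lists every failed check rather than only the first, which is what a reviewer wants when deciding whether a follow-up call can resolve the gap.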
OPTING OUT OF DIRECTORY
• Comparable to “no press, no info” as we know it
• Must be in writing by the patient
• Patient access will handle it if requested, but nursing may have to handle it
• MUST inform the patient of the effects, e.g., no delivery of flowers, callers/visitors told there is no such patient, patient must notify family/friends of exact location, no clergy visits