
HIPAA

Health Insurance Portability and Accountability Act of 1996. September 23, 2004, Seattle, WA. A² + B² = C², the Pythagorean Theorem, where C is the hypotenuse and A and B are the sides of a right triangle. A Matter of Perspective? 21 words? Archimedes' Principle, 20 words: a body immersed in a fluid is buoyed up by a force equal to the weight of the displaced fluid.


Presentation Transcript


    1. HIPAA Aaron K. Owada Northcraft, Bigby & Owada PC 720 Olive Way, Suite 1905 Seattle, WA 98101

    2. Health Insurance Portability and Accountability Act of 1996

    5. Archimedes’ Principle 20 words

    6. The Ten Commandments 179 words

    7. Lincoln’s Gettysburg Address 286 words

    8. US Declaration of Independence 1,300 words

    9. HIPAA Privacy 401,034 words

    10. Overview “The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Rule does not replace Federal, State, or other law that grants individuals even greater protections...” OCR Guidance, December 3, 2002

    11. Overview HIPAA Privacy Standards became enforceable on April 14, 2003

    12. Overview Established standards to ensure privacy and established rules for: When patient permission is required   What type of permission is required

    13. Overview Rights that patients have to: Access their own information Control the flow of their information Find out who else has seen their information

    14. Who is a Covered Entity (CE)? HIPAA Standards apply to: Health care providers who transmit any health care information in connection with certain kinds of transactions electronically Health plans Health care clearinghouses

    15. Are All Health Care Providers Covered? YES. All health care providers are covered, but only if they transmit health information electronically in connection with a transaction covered by the HIPAA Transaction Rule

    16. What is “electronically”? Electronic modes include, but are not limited to: Creating a file and submitting it by way of disks, tapes, or data lines Using a clearinghouse or billing service to transmit data

    17. What is NOT “electronically”? Mailing a paper form Faxing a paper from a dedicated fax machine (but not a computer desktop fax system) Calling to obtain information

    18. Are you a Covered Entity? Go to: www.hhs.gov/ocr/hipaa Click on “What’s New?” Scroll down page to: “10/25/02 Am I a Covered Entity”

    19. Are there any “loopholes” to being a Covered Entity? NO. Covered entities must comply with national standards when conducting the named transactions electronically with a covered health plan

    20. For purposes of HIPAA Privacy Covered entity must protect all individually identifiable health information, regardless of the method in which the data is maintained or transmitted (paper, electronically or orally)

    21. Should you comply even if you are not a Covered Entity? YES. At some point, if you hold protected health information, it is likely that someone will argue that HIPAA applies to you. See US ex rel. Stewart v. The Louisiana Clinic (E.D. La., December 2002): even before HIPAA was in force, the Court applied HIPAA anyway by holding that HIPAA “demonstrates a strong federal policy of protection for patient medical records.”

    22. Pre-emption: State or Federal Law? The more stringent law, i.e. the one that provides the greatest privacy controls or the greatest patient access to their own information, governs. 45 CFR 160.202(1)

    23. Copying Costs HIPAA allows a “reasonable cost-based fee” for the cost of actual copying, postage, and preparing a summary explanation. Handling fees, chart pulling fees, and per-page fees in excess of the direct cost of materials are specifically not allowed. WAC 246-08-400 allows a provider to charge $.83 per page for the first 30 pages, and $.63 per page thereafter. This now serves as a cap under HIPAA.

    24. Copying Costs… WAC allows a charge of up to $19.00 for chart pulling or as a clerical/labor charge, but this is preempted by HIPAA, which does not allow this kind of charge.

    25. PHI: Protected Health Information The privacy and security rules address the confidentiality and security of PHI. PHI can be in any form (paper, electronic, or oral) created or received by a covered entity

    26. PHI: Privacy Health Information Anything that relates to an individual’s mental or physical condition, treatment, or payment for services that identifies the individual or could reasonably be used to identify the individual

    27. Not PHI Employment records of the Covered Entity School Records under FERPA (Family Educational Rights and Privacy Act) records

    28. Not PHI Information that does not identify the individual. However, the following information must be removed: *Geographic subdivisions or references smaller than the State level *All elements of dates *SSNs or other identifiers *Anything else that could identify the individual

    29. Authorization to Release PHI Authorization is the patient giving permission to use PHI. Authorization to release is still governed by the Washington Uniform Health Care Information Act (“WHCIA”), RCW 70.02.020

    30. Consent for Treatment is not Affected by HIPAA Consent for treatment is still governed by state law regarding informed consent Consent addresses the concept of a patient giving permission to treat Authorization addresses the concept of a patient giving permission to use their PHI

    31. Authorization to Disclose Health Care Information A health care provider (or anyone who assists a health care provider) may not disclose health care information without written permission from the patient, EXCEPT as authorized by RCW 70.02.050

    32. Washington Health Care Information Act (WHCIA) Statute provides 12 situations where authorization is NOT required 1. Ongoing health care 2. Health care education/operations 3. Prior health care provider 4. Safety of patients or others

    33. WHCIA cont… 5. Family members/Close relationships Provider knows of the immediate family relationship or close relationship, unless directed in writing by the patient not to make the disclosure.

    34. WHCIA cont… 6. Successor in Interest 7. Research 8. Performance of an “audit” 9. Correctional Institutions 10. Directory Information

    35. WHCIA cont… 11. Media Impacted by HIPAA. State law allows name, age, sex, residence, occupation, condition, and diagnosis to be reported if the patient is brought to a health care provider by police, fire, sheriff, etc. HIPAA only allows this information to be released if the media inquires about the patient by name.

    36. WHCIA cont… 12. Federal or State enforcement monitoring or legal authorities

    37. Requirements to Validly Authorize Disclosure 1. Be in writing, dated, and signed by the patient 2. Identify the nature of the information that may be disclosed 3. Identify the name, address and institutional affiliation of the person to whom the information is to be disclosed

    38. Requirements to Validly Authorize Disclosure 4. Except for third party payors, identify the provider who is to make the disclosure; and, 5. Identify the patient   RCW 70.02.030(3)

    39. Treatment Medical services provided by health care provider Very broad, all encompassing definition

    40. Payment Payment encompasses the various activities associated with health care providers obtaining payment or reimbursement for their professional services.

    41. Privacy Rule Examples Determining the eligibility or coverage Risk adjustment Billing and collection activities Reviewing health care services for medical necessity, coverage, justification for charges, etc. Utilization Review

    42. Business Associate Agreement With limited exceptions, a Covered Entity may NOT disclose PHI to a Business Associate without first obtaining “satisfactory assurances” that the PHI will be appropriately safeguarded from disclosure. A business associate is a person who performs a function or activity involving the use or disclosure of PHI on behalf of the Covered Entity.

    43. Business Associate Certain specified services are automatically considered business associates if they are not part of the Covered Entity's workforce and they handle or process PHI for the Covered Entity:

    44. Business Associate Claims Processing (45 CFR Sec. 160.103) Financial consultants Auditors Clearinghouses Accountants Lawyers who must review PHI

    45. Business Associate Written Contractual Provisions Satisfactory assurance that PHI will be safeguarded; provisions for a violation of HIPAA: reasonable steps to cure the breach, terminate the contract, or report the conduct to HHS

    46. 12 Elements for Business Associate Agreement 1. Identify permitted use and disclosure of PHI 2. Prohibit use or disclosure that would violate the Privacy Rules 3. Limit use and disclosure 4. Safeguard PHI 5. Report unauthorized use or disclosure 6. Ensure that agents have the same restrictions

    47. Business Associate Agreement 7. Make PHI available to individuals to inspect/copy 8. Make PHI available for amendment 9. Provide an accounting of disclosures 10. Make internal practice, books, and records available 11. Return or destroy PHI at end of contract 12. Authorize termination for material breach

    48. Other Considerations Hold harmless clause Indemnification Using the Business Associate Agreement to change the underlying agreement

    49. Complaints and Grievances The Final Rule at Sec. 160.306(a) provides that any person, not just an individual, may file a complaint with the Secretary. Complaints must be filed within 180 days of the date the complainant became aware of the possible violation. The time to file the complaint may be extended for good cause by the Secretary.

    50. Complaints and Grievances Provider has a duty to document both the complaint and the response, resolution or disposition of the complaint. Complaint must identify the person that will address and respond to the complaint.

    51. Reply must be in writing… A monetary penalty may not be imposed where the failure to comply is for a reasonable cause, is corrected within 30 days, and there is no willful neglect. $100 for each violation; maximum of $25,000 per month

    52. Criminal Penalties $25,000 fine Up to one year in prison

    53. Governmental Agencies Auditors and Enforcers HHS Office for Civil Rights (Privacy) CMS (Center for Medicare and Medicaid Services) for transaction compliance HHS OIG for audits and investigations

    54. Governmental Agencies DOJ (by referral from OIG, or under its independent authority to investigate and indict for civil or criminal violations) FTC for Internet privacy policy violations FBI for criminal enforcement in multi-state cases

    55. OCR Investigations You will be contacted in writing if OCR determines that you have violated HIPAA. You may be notified that a response is required. Under the enforcement rule, OCR is supposed to try to resolve the complaint informally “whenever possible.” If no resolution is obtained, DHHS has the authority to issue a written noncompliance finding

    56. If No Violations are found… OCR is not required to notify you in writing that no violation has been found. Confirm the “no violation” assessment yourself in writing.

    57. Employee Discipline If you find that one of your employees has violated HIPAA, you must discipline that employee. Update your Employee Handbook and personnel policies to reflect HIPAA.
