
HIPAA: Federal Regulations Governing Patient Privacy


Presentation Transcript


    1. HIPAA: Federal Regulations Governing Patient Privacy

    2. Why are privacy protections needed?
       - Increasing public concern about loss of privacy
       - Broad availability of information stored and exchanged in electronic format
       - Concerns about genetic information
       - A conflicting patchwork of state laws

    3. [Figure] Source: Health Privacy Project, "Exchanging Health Information in the 21st Century"

    4. HIPAA The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes comprehensive protections for medical privacy.

    5. The Privacy Rule governs a provider’s use and disclosure of health information and grants individuals new rights of access and control. The regulation also establishes civil and criminal penalties for violations of patient privacy.

    6. The Privacy Rule is founded on two very basic principles:
       - Health information belongs to the patient.
       - Patients have a right to know how their information is being used.

    7. Under the Privacy Rule, patients have the following new rights:
       - Receive a Notice of Privacy Practices from their provider
       - Access, inspect and copy their medical records
       - Request corrections to their medical record
       - Request special accommodations on how their health information is communicated (such as alternate addresses and phones)
       - Request restrictions on how their information is used
       - Receive an accounting of non-routine disclosures
       - "Opt out" of inclusion in facility directories and fundraising efforts
       - File a complaint with the institution and with the federal Department of Health and Human Services

       Notes:
       Notice of Privacy Practices (§ 164.520): uses and disclosures of PHI that may occur; individual's rights; covered entity's duties; plain language; specified elements; complaints; contact; revisions. Date of first service delivery p/ effective date: provide, post, have available, website, e-mail.
       Access (§ 164.524): see and get copies of their medical records; request amendments. Denial of access/correction is permitted for: psychotherapy notes; information subject to Privacy Act requirements; endangerment of the health or safety of self or others; information likely to cause "harm" to another; confidential information if it would reveal the source; information compiled for a legal proceeding.
       Accounting of disclosures (§ 164.528): covers the 6 years prior (after the compliance date); does not include uses made for payment, treatment or operations; includes disclosures to or by business associates; reply within 60 days of receipt of the request; one accounting per 12 months at no charge. Documentation: disclosures, the written accounting, and the titles of persons accountable for processing the request.
       Right to have the covered entity amend PHI (§ 164.526): may be denied if the information was not created by the covered entity, is not part of the designated record set, is not available for inspection, or is accurate and complete.
       Right to request restriction of uses and disclosures (§ 164.522(a)): the covered entity is not required to agree; termination; documentation.
       Right to request confidential communication by alternative means and at alternate places (§ 164.522(b)): the covered entity must accommodate reasonable requests.

    8. HIPAA: The Terminology
       - Covered entity
       - Protected Health Information (PHI)
       - Use and disclosure
       - Role-based access
       - Minimum necessary

    9. "Covered Entities" are the groups or individuals who have to comply with the law*
       - Health plans
       - Health care clearinghouses
       - Health care providers who conduct electronic transactions related to third-party billing
       *Regulations also apply to vendors who perform a business function using the covered entity's patient information.

       Notes:
       Health plan: HMO; insurance company; employee welfare benefit plan (50 or more participants); TPA; may be fully insured or self-insured. If plan documents are amended to protect information from being used inappropriately in employment-related decisions, the HMO or insurer can exchange information without a business associate agreement and without having to address the minimum necessary standard. Amended plan documents must describe permitted uses/disclosures, require certification by the plan sponsor, and provide adequate firewalls.
       Health care clearinghouse: billing services; repricing companies; information systems or community health information systems; "value added" networks and switches. Processes health information received in a nonstandard format or containing nonstandard data elements, or vice versa.
       Health care providers: must transmit health information in electronic form in connection with a standard transaction. Providers become covered entities if they use another entity to conduct standard transactions on their behalf.

    10. The Privacy Rule Governs Protected Health Information (PHI)
        PHI is any information that is:
        - Created or received by a covered entity; and
        - Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual; and which
        - Identifies the individual, or offers a reasonable basis for identification of the individual.

        Notes:
        Significance of the term "covered entity": information collected at the front end of a hybrid entity will not be considered PHI.

    11. The law establishes rules about the use and disclosure of PHI
        - "Uses" take place within the organization holding the medical information.
        - "Disclosures" are releases to parties external to the organization.

    12. Health Care Providers are required to ensure "Role-based Access"
        - Covered entities must identify which persons in the organization need access to PHI in order to fulfill their duties.
        - Covered entities must limit the PHI used or disclosed to the minimum necessary to achieve the purpose of the use or disclosure.
        Note: The minimum necessary standard does not apply to disclosures made for treatment purposes or disclosures to the individual patient.

        Notes:
        Example: If the facility can accomplish the same purpose by disclosing only a portion of an individual's medical record, as opposed to the entire medical record, it should do so.
        Reasonableness: limit unnecessary sharing; consistent with professional judgment and standards; substantial discretion. Does not apply to uses or disclosures for treatment or to disclosures to the individual directly. For routine or recurring requests or disclosures, the facility must develop policies and procedures to limit information to the minimum necessary.

    13. KU Medical Center must meet HIPAA requirements in four major areas:
        - Clinical requirements
        - Research requirements
        - Computer security
        - Institutional requirements

    14. Basic Requirements: Clinical Issues
        - Deliver the KUMC Notice of Privacy Practices to our patients
        - Limit uses and disclosures in accordance with legal requirements
        - Accommodate privacy requests from patients
        - Maintain an accounting system to track non-routine disclosures

    15. Basic Requirements: Research Issues The KUMC Human Subjects Committee must make a privacy determination when conducting the ethical review of each study. HSC approval will include HIPAA approval. The informed consent form must include required statements about privacy protections. HIPAA requires new approval criteria for database studies and retrospective chart reviews.

    16. Basic Requirements: Computer Security
        - Locate computer systems containing PHI
        - Install firewalls for data integrity
        - Encrypt internet transmissions of PHI
        - Maintain password protections on files containing PHI
        - Limit access to patient files, based upon job duties

    17. Basic Requirements: Institutional Issues
        - Designate a Privacy Official
        - Develop policies and procedures
        - Train all workforce members
        - Establish a complaint mechanism
        - Enforce sanctions (civil and criminal penalties)

    18. The “Take-Home” Message Remember that patient information ultimately belongs to the patient, not the provider. Our commitment to patient care includes a commitment to respecting patients’ rights of privacy. All KUMC employees and trainees must follow the institution’s policies for handling and releasing patient information.

    19. Proposed Benefits of the Privacy Rule The Privacy Rule establishes the first comprehensive federal protections for health information. Patients will have increased access and control over their records. The Privacy Rule supports the creation of new electronic standards that will make health care billing more efficient. The Privacy Rule strikes a balance between individual rights and the need for information in public health and research.

    20. New privacy rights for patients go into effect on April 14, 2003
        For questions, contact:
        Karen Blackwell, MS, kblackwe@kumc.edu, 913.588.0940
        Tom Field, MSEd, tfield@kumc.edu, 913.588.0942

        Notes (fragments):
        Corporate compliance: including subsidiaries, sister companies, trading partners, and business associates. Consider engaging legal counsel to maintain attorney-client privilege. ... that address privacy, security, confidentiality, data management, and records retention.
