
HIPAA/FERPA

HIPAA/FERPA. Health Insurance Portability and Accountability Act of 1996 ≈ Family Educational Rights and Privacy Act of 1974. Introduction to and practical applications of the rules.


Presentation Transcript


  1. HIPAA/FERPA Health Insurance Portability and Accountability Act of 1996 ≈ Family Educational Rights and Privacy Act of 1974 Introduction to and practical applications of the rules.

  2. HIPAA Background “What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.” Translation from the Greek by Ludwig Edelstein. From The Hippocratic Oath: Text, Translation, and Interpretation, by Ludwig Edelstein. Baltimore: Johns Hopkins Press, 1943.

  3. DHHS Privacy & Security Rule • Privacy Rule [Standards for Privacy of Individually Identifiable Health Information] • Published by DHHS on 12-28-2000; major revisions published 8-14-2002 • Establishes national standards for the protection of certain health information • Security Rule [Security Standards for the Protection of Electronic Protected Health Information] • Published by DHHS on 2-20-2003 • Intended to protect the privacy of individuals’ PHI while allowing covered entities to adopt new technologies that improve the quality and efficiency of patient care

  4. DHHS Privacy & Security Rule • Privacy Rule – Defines and limits the circumstances in which an individual’s protected health information may be used or disclosed by: • Health Plans (health, dental, vision, HMOs, etc.) • Health care providers • Health care clearinghouses (billing agencies, etc.) • Business Associates (legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services) • Security Rule – Applies to the same covered entities and business associates

  5. DHHS Privacy & Security Rule • Protected Health Information • “Individually identifiable health information” held or transmitted by a covered entity or its business associate in any form or medium • Electronic (termed e-PHI by the Security Rule) • Written / hard copy • Oral

  6. DHHS Privacy & Security Rule • Protected Health Information • Individually identifiable health information, including demographic data, that relates to: • Patient identifiers (name, address, SSN, birth date, etc.) • Past, present, or future physical or mental health condition • Provision of health care to the individual • Past, present, or future payment for that care • Excludes employment records held by a covered entity in its role as employer • Excludes education records subject to FERPA

  7. DHHS Privacy Rule • Uses and Disclosures • A covered entity may not use or disclose PHI except under the following circumstances: • As the Privacy Rule permits or requires • As the individual whose PHI it is authorizes in writing • The Privacy Rule requires disclosure in only two situations: • To an individual who requests access to their own PHI • To DHHS when it is undertaking a compliance investigation or review • For any use or disclosure that is neither required nor permitted, the covered entity must obtain the individual’s written authorization

  8. Permitted Uses and Disclosures • To the individual • Treatment, payment, and healthcare ops. • Uses/disclosures with opportunity to agree or object • Incidental use and disclosure • Public interest and benefit activities • Limited Data Set • To the individual: a covered entity may disclose protected health information to the individual who is the subject of the information.

  9. Permitted Uses and Disclosures • Treatment – provision, coordination, or management of health care and related services for an individual by one or more health care providers • Includes consultation between providers regarding a patient and referral of a patient by one provider to another

  10. Permitted Uses and Disclosures • Payment – collection of health insurance premiums and fulfillment of coverage obligations • Obtaining reimbursement for services from the patient or from insurance

  11. Permitted Uses and Disclosures • Healthcare Operations • Quality assessment and improvement • Competency assurance activities • Medical reviews, audits, or legal services • Specified insurance functions, such as underwriting, risk rating, and reinsuring risk • Development, management, and administration of business plans • Business management and general administrative activities

  12. Permitted Uses and Disclosures • Uses/disclosures with opportunity to agree or object – situations where informal consent suffices • Facility directories (hospital census, hospital operators) • Notification – disclosing PHI to the individual’s family, relatives, or friends • Disaster relief efforts authorized by law

  13. Permitted Uses and Disclosures • Incidental use and disclosure – a use or disclosure that occurs “incident to” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted “reasonable safeguards” and the information shared was limited to the “minimum necessary”

  14. Permitted Uses and Disclosures • Public interest and benefit activities • Required by law • Public health activities • Victims of abuse, neglect, or domestic violence • Health oversight activities (e.g. Medicare audits) • Judicial/administrative proceedings • Law enforcement purposes

  15. Permitted Uses and Disclosures • Public interest and benefit activities (continued) • Decedents (coroner, funeral director, etc.) • Organ, eye, or tissue donation • Research • Serious threat to health or safety • Essential government functions (national security, etc.) • Workers’ compensation laws

  16. Permitted Uses and Disclosures • Limited Data Set – PHI with direct identifiers removed • Used for • Research • Health care operations • Public health purposes
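Worked example, added here and not part of the original deck: building a limited data set from a PHI record in Python. The sixteen direct identifiers stripped are the ones enumerated in 45 CFR 164.514(e)(2); the field names, the allow-list of non-identifier fields and the sample record are assumptions constructed for this example, not a real EHR schema or real patient data. Two points the slide alone does not show: a limited data set still carries dates, city, state and ZIP (unlike safe-harbor de-identified data), so it remains PHI and may only go out for research, public health or health care operations under a data use agreement; and a column nobody has classified should be refused rather than passed through, because “direct identifiers removed” is only true of columns someone actually looked at.

```python
"""Added example: derive a HIPAA limited data set from a PHI record.

Direct identifiers follow 45 CFR 164.514(e)(2). Field names, the
allow-list and SAMPLE_RECORD are assumptions made for this example.
"""
from __future__ import annotations

import re
from typing import Any

# The 16 direct identifiers named in 45 CFR 164.514(e)(2), keyed by the
# column names this example assumes. These are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number",
    "vehicle_identifier", "device_identifier", "url", "ip_address",
    "biometric_identifier", "full_face_photo",
}

# Columns a limited data set may keep: the regulation permits city,
# state, ZIP and dates, and the clinical content is the point of the set.
# Anything not in either set is treated as unclassified and refused.
ALLOWED_FIELDS = {
    "city", "state", "zip", "birth_date", "admission_date",
    "discharge_date", "death_date", "age", "diagnosis_codes",
    "procedure_codes", "lab_results", "clinical_notes", "study_id",
}

# Cheap pattern checks for identifiers hiding in allowed free-text fields.
_LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

# Constructed sample record; not real patient data.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "street_address": "12 Example Street",
    "city": "Providence",
    "state": "RI",
    "zip": "02903",
    "phone": "401-555-0123",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0001",
    "birth_date": "1980-04-12",
    "admission_date": "2012-03-01",
    "discharge_date": "2012-03-04",
    "diagnosis_codes": ["X00.0"],
    "clinical_notes": "Follow up in 10 days.",
}


def scan_for_leaks(value: Any) -> list[str]:
    """Names of identifier patterns found in a free-text value (in
    _LEAK_PATTERNS order); non-strings never match."""
    if not isinstance(value, str):
        return []
    return [name for name, pat in _LEAK_PATTERNS.items() if pat.search(value)]


def find_problems(record: dict[str, Any]) -> list[str]:
    """Report why a record cannot become a limited data set as written:
    unclassified columns, and allowed free text that still carries an
    identifier pattern. Direct-identifier columns are simply dropped."""
    problems: list[str] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field not in ALLOWED_FIELDS:
            problems.append(f"{field}: unclassified field")
            continue
        for leak in scan_for_leaks(value):
            problems.append(f"{field}: contains {leak}")
    return problems


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Copy of the record with direct identifiers removed. Raises
    ValueError instead of guessing when a column is unclassified or an
    allowed column leaks an identifier."""
    problems = find_problems(record)
    if problems:
        raise ValueError("; ".join(problems))
    return {f: v for f, v in record.items() if f in ALLOWED_FIELDS}


if __name__ == "__main__":
    print(to_limited_data_set(SAMPLE_RECORD))
```

The regex scan is a cheap tripwire for the obvious leaks, not a substitute for reviewing free-text columns; the design decision that matters is the default-deny on unclassified fields, which turns an unexpected column in a new export into a loud failure instead of a silent disclosure.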

  17. Permitted Uses and Disclosures • “Reasonable Safeguards” defined • A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. • Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business.

  18. Permitted Uses and Disclosures • “Reasonable Safeguards” examples • By speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area; • By avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality; • By isolating or locking file cabinets or records rooms; or • By providing additional security, such as passwords, on computers maintaining personal information.

  19. Permitted Uses and Disclosures • “Minimum Necessary” defined • Covered entity should use, disclose, and request only the minimum amount of information needed for the intended purpose. • Cannot use or disclose the entire medical record for a particular purpose unless it can specifically justify the whole record as the amount “reasonably necessary” • Covered entity must have policy and procedures for ensuring “minimum necessary”

  20. DHHS Privacy Rule • Personal Representatives and Minors • Personal representative - a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate • Covered entity must treat the personal representative the same as the individual with regards to uses and disclosures of PHI • Exception allowed if the covered entity believes there to be neglect/abuse or that disclosing PHI to personal representative may endanger the individual

  21. DHHS Privacy Rule • Personal Representatives and Minors • Minor – for a minor (generally under 18), the parents are the personal representatives and exercise the minor’s rights with regard to use and disclosure of PHI • If a parent is not the minor’s personal representative under state or other law, that law determines the parent’s rights • If state or other law is silent, a licensed health care professional at the covered entity may use professional judgment to provide or deny a parent access to the minor’s health information

  22. DHHS Security Rule • The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI by: • Ensuring confidentiality, integrity, and availability of all e-PHI maintained or transmitted • Appropriately preparing for & managing reasonably anticipated threats to security & integrity of e-PHI • Safeguarding against reasonably anticipated impermissible uses or disclosures • Ensuring compliance among their workforce

  23. HIPAA and Social Media • Some recent examples of social networking HIPAA breaches include: • A nurse who posted a patient's picture and chart on his Facebook page because he thought it was "funny" and since it was "only Facebook," there was no real harm in it • A doctor who treated a patient over Twitter • Emergency room personnel who posted pictures on the Internet of a man being treated for fatal knife wounds • A doctor who asked a patient on a date after seeing her profile on a dating website • A Rhode Island doctor was fired from the hospital and reprimanded by the Medical Board after she posted on her Facebook page about a long day at work. She never referred to the patient's name but gave out enough details about the injuries to allow others to guess who it was. • Source: http://www.24-7pressrelease.com/press-release/social-media-hipaa-violations-on-the-rise-286454.php (June 16, 2012)

  24. HIPAA and Social Media • 7 tips to avoid HIPAA violations in social media • Five Mistaken Beliefs that Lead to Social Media HIPAA Violations

  25. HIPAA Video Scenarios

  26. Student Record Maintenance & Confidentiality FERPA, IDEA, & Section 504 of the Rehabilitation Act

  27. FERPA • Family Educational Rights and Privacy Act (FERPA) enacted in 1974 to • ensure student/parent access to education records, and • limit disclosures to others for unauthorized purposes. • Applies to all schools that receive funds under an applicable program of the U.S. Department of Education

  28. FERPA • Gives certain rights to parents and “eligible students” (students who are 18 or older, or who attend a postsecondary institution) • Right to inspect and review the student’s education records maintained by the school • Right to request that the school correct records they believe to be inaccurate, and right to a formal hearing if the school denies the request

  29. FERPA • Schools must have written permission from a parent or eligible student to release/disclose any information except to certain individuals and in certain circumstances • School officials with legitimate educational interest; • Other schools to which a student is transferring; • Specified officials for audit or evaluation purposes; • Appropriate parties in connection with financial aid to a student • Organizations conducting certain studies for or on behalf of the school;

  30. FERPA • Disclosures permitted without written permission (continued) • Accrediting organizations; • To comply with a judicial order or lawfully issued subpoena; • Appropriate officials in cases of health and safety emergencies; and • State and local authorities, within a juvenile justice system, pursuant to specific State law

  31. FERPA • Schools may disclose, without consent, "directory" information • Schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them

  32. FERPA • Directory information - information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed • Student’s name, address, telephone listing • Date and place of birth • Major field of study • Participation in officially recognized activities and sports, • Weight and height of members of athletic teams, • Dates of attendance, degrees and awards received, • The most recent previous educational agency or institution attended.

  33. FERPA • Education Records – records that are directly related to a student, contain personally identifiable information, and are maintained by the school district or institution or by a party acting for the agency or institution • Any information recorded in any way, including, but not limited to, handwriting, print, film, microfilm, microfiche, and all electronic records such as email, CDs, and DVDs

  34. FERPA • Each school/educational agency must • Adopt an education records policy • Annually notify parents and students in attendance of their rights pertaining to student records • Maintain a permanent file on each student • Maintain separate special education records

  35. FERPA • Each school/educational agency must • Maintain a list/log of everyone who requests, accesses, or receives information from the records (excluding school employees) and make it available to parents upon request • Provide public notice of directory information and give parents an opportunity to refuse disclosure of such information • Provide annual training to school staff on records and confidentiality

  36. FERPA • Sample contents of special education records • Access log • Building level support team—early intervening documentation • Referral form • Initial consent to evaluate/consent for reevaluation • Multidisciplinary team report (eligibility determination) • Current Individualized Education Program • Initial permission for placement • Current written notices and meeting notices

  37. FERPA • Record maintenance and destruction • FERPA does not designate a time frame required for maintaining records (school districts individual policies dictate) • Parents may request a school district to destroy personally identifiable information when it is no longer needed for educational purposes • IDEA requires that parents be notified when a school proposes to destroy student records.

  38. HIPAA vs. FERPA

  39. HIPAA vs. FERPA • DHHS Statement in the Privacy Rule Preamble • “While we strongly believe every individual should have the same level of privacy protection for his/her individually identifiable health information, Congress did not provide us with authority to disturb the scheme it had devised for records maintained by educational institutions and agencies under FERPA. We do not believe Congress intended to amend or preempt FERPA when it enacted HIPAA.”

  40. HIPAA vs. FERPA • Protected health information excludes individually identifiable health information in education records covered by FERPA, as amended, 20 U.S.C. 1232g. • HIPAA Final Rule (2000): records that are subject to FERPA are not subject to HIPAA • Treatment records of eligible students that 34 CFR 99.3 excludes from FERPA’s definition of “education records” are likewise excluded from HIPAA’s definition of PHI

  41. Resources
  • All Things Medical Billing.com (2011). HIPAA Laws. Accessed at http://www.all-things-medical-billing.com/hipaa-laws.html on March 8, 2012.
  • Copenhaver, J. (2006). Maintaining Student Records and Meeting Confidentiality Requirements: A Primer for Educators. North Logan, UT: Mountain Plains Regional Resource Center.
  • Pozgar, G. D. (2005). Legal and Ethical Issues for Health Professionals. Sudbury, MA: Jones and Bartlett Publishers.
  • U.S. Department of Education Family Policy Compliance Office (2011). Family Educational Rights and Privacy Act (FERPA). Accessed at http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html on March 8, 2012.
  • U.S. Department of Health and Human Services Office for Civil Rights (2003). Summary of the HIPAA Privacy Rule. Accessed at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html on March 8, 2012.
  • U.S. Department of Health and Human Services Office for Civil Rights (2003). Summary of the HIPAA Security Rule. Accessed at http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html on March 8, 2012.
