HIPAA
Is there any way to use and disclose psychotherapy note?
Only in narrow cases. (1) Use by the originator of the notes for treatment (refreshing the writer's own memory); the notes are not shared with other health care providers without the individual's authorization. (2) Use or disclosure in the covered entity's own supervised mental health training programs for students, trainees, or practitioners. (3) Use or disclosure by the covered entity to defend itself in a legal action brought by the individual. (4) Disclosure to a coroner or medical examiner to determine cause of death. (5) The Tarasoff-type exception: disclosure to avert a serious and imminent threat to health or safety. Psychotherapy notes are treated differently from other forms of PHI: outside these cases, a specific authorization is required, even for TPO.
How many civil monetary penalties have there been since the final rule
3
Disclosures to another covered entity for the recipient entity's health care operations activities
45 C.F.R. § 164.506(c)(4)
Disclosures to another covered entity that is part of an OHCA (along with the sending covered entity)
45 C.F.R. § 164.506(c)(5)
Disclosures to a health care provider for the recipient provider's treatment activities
45 C.F.R. § 164.506(c)(2)
Disclosures to another covered entity or a non-covered provider for the recipient's payment activities
45 C.F.R. § 164.506(c)(3)
How many HHS resolutions have there been
50 since the final rule
Right to request additional protections
(a) Requests for Restrictions. Individuals have the right to request that covered entities restrict certain uses and disclosures of PHI and that covered entities adhere to restrictions to which they have agreed. (b) Confidential Communications. Individuals have the right to request covered entities to provide confidential communications of PHI about the individual
general rule regarding disclosure
(a)(1) Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose [PHI] without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of [PHI], such use or disclosure must be consistent with such authorization."
General rule regarding business associates
(e)(1)(i): A covered entity may disclose PHI to a business associate and may allow a business associate to create or receive PHI on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. (e)(2): A covered entity must document the satisfactory assurances required by paragraph (e)(1) of this section through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of 164.504(e).
What did HIPAA cover post ARRA
The HIPAA Privacy Rule directly regulates both covered entities and business associates
What did HIPAA cover pre ARRA
The HIPAA Privacy Rule directly regulates covered entities but only indirectly (contractually through the BAA provisions) regulates business associates.
HIPAA Privacy Rule
The HIPAA statute directed HHS to issue privacy regulations; HHS did so in the Privacy Rule (45 C.F.R. Part 160 and Part 164, Subpart E). The operative privacy requirements come from the Rule, not from the statute text itself.
opt out under OBAMA
Individuals must always be told of the right to opt out of fundraising communications; post-ARRA, every fundraising communication must give a "clear and conspicuous" opportunity to opt out. "Clear and conspicuous" is not defined in the Rule, but the obligation is treated as a strict-liability standard.
What is a group health plan?
An employee welfare benefit plan (as defined in ERISA) including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that: Has 50 or more participants; OR Is administered by an entity other than the employer that established and maintains the plan (i.e., is administered by a third party administrator (TPA)
amendment of phi?
"An individual has the right to have a covered entity amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained in the designated record set." The covered entity may deny the amendment if the record was accurate and complete when it was created; a correct record is not changed simply because the individual asks.
what is a health plan?
An individual or group plan that provides, or pays the cost of, medical care
What health information is covered?
Any information, whether oral or recorded in any form or medium, that: Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and Relates to the past, present, or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
What is the compliance date for covered entities
Pre-ARRA: April 14, 2003. Post-ARRA (Omnibus Rule): September 23, 2013.
Fundraising Pre ARRA
Demographic information and dates of health care could be used without authorization: name, street address, sex, age, and similar demographics. Anyone at the hospital could be involved in the solicitation. Dates of health care were usable, but hospitals did not want to ask for money immediately after discharge. What could not be done: pull every patient treated by a famous surgeon and ask them to give to that surgeon's practice, because that would tell the development office what was wrong with the patient. The underlying concern is that development staff should not be able to infer a patient's condition.
When were there official guidelines for privacy rule?
The Privacy Rule final rule was published in December 2000 and modified in August 2002, with further modifications in 2006 (pre-ARRA). Post-ARRA, the Omnibus final rule was published in January 2013.
conditioning
The authorization must state whether the covered entity can or cannot condition treatment, payment, enrollment, or eligibility for benefits on the individual signing it. Some uses can be conditioned and some cannot, so a covered entity may need several forms. Research-related treatment is one use that can be conditioned on an authorization.
HIPAA
Health Insurance Portability and Accountability Act of 1996
Health care
Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to ... : Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body;
Uses and disclosures required by law
In the final rule, we clarify that . . . 'law' is intended to be read broadly to include the full array of binding legal authorities such as constitutions, statutes, rules, regulations, common law, or other governmental actions having the effect of law. . . . [L]aw is not limited to state action: rather, it encompasses federal, state, or local actions with legally binding effect, as well as those by territorial and tribal governments."
pre-ARRA, the HIPAA Privacy Rule did not directly apply to:
Lawyers Accountants Billing companies Third party administrators Collection companies Etc. (all business associates)
what information can an oral agreement consent to?
Uses and disclosures of directory information -- § 164.510(a) Uses and disclosures to persons involved in the individual's care or payment for care -- § 164.510(b)(1)(i) Uses and disclosures for notification purposes -- § 164.510(b)(1)(ii) Uses and disclosures for disaster relief purposes -- § 164.510(b)(4) Uses and disclosures when the individual is deceased -- § 164.510(b)(5)
revocation
The authorization must state that the individual has the right to revoke it. Revocation does not undo uses or disclosures the covered entity has already made in reliance on the authorization; those remain permitted.
Fundraising post ARRA
The Omnibus Rule expanded the information usable for fundraising, on the theory that more targeted asks were needed. Now included: department of service, treating physician (a personal letter from one's own physician makes giving more likely), outcome information (the hospital wants to know whether the patient is deceased or alive before asking), and health insurance status (hospitals can exclude, for example, Medicaid or Medicare patients from solicitation). Diagnosis and current health status would be useful to development offices but are not included.
What health information is protected?
PHI (protected health information)
which providers are not covered?
Providers that never transmit health information electronically in connection with a standard transaction: those that conduct all standard transactions by paper, telephone, or a "dedicated fax machine" (as opposed to faxing from a computer).
health care operations (continued): medical review, legal, and auditing
Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs (part of the health care operations definition in § 164.501);
Individual rights under hipaa
Right to receive a notice of privacy practices (164.520) Right to request additional privacy protections (164.522) Right to request access to PHI (164.524) Right to request amendment of PHI (164.526) Right to receive an accounting of disclosures of PHI (164.528)
Administrative- Refraining from Intimidating or Retaliatory Acts
A covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against: Individuals: Any individual for the exercise by that individual of any right under, or for participation by the individual in any process established by [the Privacy Rule], including the filing of a complaint ... Individuals and others: Any individual and others for: Filing a complaint with the Secretary; Testifying or participating in an investigation or compliance review; or Opposing any practice made unlawful by the [Privacy Rule]
waiver of rights?
A covered entity may not require individuals to waive their rights under 160.306 or th[e HIPAA Privacy Rule] as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits."
optional consent
A covered entity may obtain consent of the individual to use or disclose [PHI] to carry out treatment, payment, or health care operations.
IF its not for TPO, when may a covered entity use or disclose PHI
A covered entity may use or disclose [PHI], provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the disclosure, in accordance ... [with 164.510]. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by [164.510]. . . .
Administrative Personnel Designations
A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity. A covered entity must designate a contact person or office who is responsible for receiving complaints ... and who is able to provide further information about matters covered by the notice of privacy practices.
administrative sanctions
A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] ... A covered entity must document the sanctions that are applied, if any.
administrative safeguards
A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the ... [Privacy Rule]. A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
administrative mitigation
A covered entity must mitigate, to the extent possible, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of [the HIPAA Privacy Rule] ..."
how long must a covered entity retain documentation for hipaa
A covered entity must retain the documentation required by this paragraph for six years from the date of its creation or the date when it last was in effect, whichever is later.
Administrative training requirements
A covered entity must train all members of its workforce on the policies and procedures with respect to PHI required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity
notification of breach of phi
A covered entity shall, following the discovery of a breach of unsecured PHI (uPHI), notify each individual whose uPHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
civil money penalties schedule
A. Did not know: $100 to $50,000 per violation. B. Reasonable cause: $1,000 to $50,000 per violation. C. Willful neglect, corrected: $10,000 to $50,000 per violation. D. Willful neglect, not corrected: $50,000 per violation. Annual maximum for identical violations in every tier: $1.5 million (base figures, before inflation adjustment).
which health care providers are covered by HIPAA privacy rule?
A health care provider who transmits any health information in electronic form in connection with a standard transaction
who is a health care provider
A provider of services under 1861(u) of the SSA; A provider of medical or health services under 1861(s) of the SSA; and Any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
individually identifiable
That identifies the individual; or With respect to which there is a reasonable basis to believe the information can be used to identify the individual."
IIHI
is information that is a subset of health information, including demographic information collected from an individual, and: Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and That identifies the individual; or With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
hipaa criminal penalties
Apply to knowing violations. Base tier: up to one year in prison and a $50,000 fine.
PHI
means individually identifiable health information: (1) except as provided in paragraph (2) of this definition, that is: Transmitted by electronic media; or Maintained in electronic media; or Transmitted or maintained in any other form or medium. . . .
valid authorization
Must contain all of the core elements and required statements and must not be compounded with other authorizations or forms. It may include additional elements as long as they are not inconsistent with the required ones.
if an entity is merely negligent, can they get criminal sanctions?
no
pre ARRA did a doc have to agree to a restriction?
No. A covered entity must permit an individual to request that it restrict (1) uses or disclosures of PHI about the individual to carry out TPO and (2) disclosures permitted under § 164.510(b) (to persons involved in the individual's care or payment for care), but pre-ARRA the covered entity did not have to agree to the request.
is there a private right of action under hipaa?
no.
Did implementation of HITECH do anything to change the level of consent necessary for TPO?
no. Final rule adopted in 2002 was not changed
Are the post office, telephone companies, or internet service providers considered covered a covered entity?
no. just movers of information. not a health care clearinghouse
what is treatment?
the provision, coordination, or management of health care and related services by one or more health care providers
settlement agreements are called what under privacy rule?
resolution agreements
what happens at the end of a business contract?
The business associate must return or destroy the PHI if feasible; if return or destruction is infeasible, it must extend the contract's protections to the PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
Required statements in a written authorization
(1) the right to revoke and how to do so, (2) whether treatment, payment, enrollment, or eligibility may be conditioned on signing, and (3) the potential for re-disclosure by the recipient, after which the information may no longer be protected by the Privacy Rule
subcontractor
same application as business associate
Confidentiality
the nondisclosure of information. The information given is used to diagnose, treat, get insurance, pay for health care. Not used inappropriately
Which covered health care provider must give you a notice of privacy practices (NPP)?
One that has a direct treatment relationship with the individual
What level of individual permission is required before a covered entity may internally use or externally disclose PHI for purposes relating to treatment, payment, and health care operations?
generally none
Covered Entities Pre ARRA
health care providers, health plans, health care clearinghouses
what is a standard transaction
health claim
building block of information
health information> individually identifiable health information>protected health information
employment record
in employment records held by a covered entity in its role as an employer
Disclosure
the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information
public policy activities which dont require authorization or opportunity to object
uses and disclosures required by law
general requirements of a written authorization
valid authorization, defective authorization, compound authorization
student treatment records
which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student's choice.
Use
with respect to individually identifiable health information the sharing, employment, application, utilization, examination, analysis of such information within an entity that maintains such information
when must training occur
within reasonable time
Anonymity
without a name. identity is hidden
Privacy
Freedom from undue state interference: whether someone can make decisions about matters such as religion or schooling without the state intruding. Distinct from confidentiality, which concerns nondisclosure of information already shared.
can you restrict health care operations?
yes.
can you get the information in any form that you want?
Yes, generally. The covered entity must provide access in the form and format requested by the individual if it is readily producible in that form and format; otherwise in a readable hard copy or another form agreed to by the parties.
post ARRA, can a patient make restrictions?
Yes. An individual can effectively pay for a restriction: if the individual (or someone on their behalf) pays the provider in full out of pocket for an item or service, the provider must agree not to disclose PHI about that item or service to the health plan for payment or health care operations, unless the disclosure is required by law.
what is included in the required by law
§ 164.512(c) (victims of abuse, neglect, and domestic violence); § 164.512(e) (judicial and administrative proceedings); and § 164.512(f) (law enforcement purposes).
A covered entity's own TPO activities
45 C.F.R. § 164.506(c)(1)
covered entities Policies and Procedures
A covered entity must implement policies and procedures with respect to [PHI] that are designed to comply with the standards, implementation specifications, or other requirements of [the Privacy Rule]. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to [PHI] undertaken by the covered entity, to ensure such compliance.
Complaints to a covered entity
(d)(1) Standard: Complaints to the covered entity. A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by this subpart or its compliance with such policies and procedures or the requirements of this subpart. (2) Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any.
fundraising under clinton opt out
Have to be told about this. The default is opt in unless you opt out. Have to describe how they can opt out. Under Clinton, if someone opted out, they only have to make reasonable efforts to stop
re-disclosure
If the authorized recipient is not a covered entity, the authorization must warn the individual that the recipient may re-disclose the information and that it may no longer be protected by the Privacy Rule once disclosed.
are there set sanctions?
No. "The type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicates a pattern or practice of improper use or disclosure of [PHI]. Sanctions could range from a warning to termination." [64 Fed. Reg. at 59991]
where does fundraising fall? inside or outside of TPO
inside (healthcare operations)
consumer report theory
"We proposed that the notice be publicly available so that individuals may use the notice to compare covered entities' privacy practices and to select a health plan or health care provider accordingly. We therefore retain the proposed requirement for covered entities to provide the notice to any person who requests a copy, including members of the general public
6 situations for law enforcement purposes no
1. Pursuant to process and as otherwise required by law 2. Limited information for identification and location purposes 3. Victims of a crime 4. Decedents 5. Crime on premises 6. Reporting crime in emergencies
4 elements of a psychotherapy note
1. A note, in any medium (electronic or handwritten), 2. recorded by a health care provider who is a mental health professional (for example a psychiatrist, a licensed clinical psychologist, an advanced psychiatric nurse practitioner, or a licensed counselor), 3. documenting or analyzing the contents of conversation during a private, group, joint, or family counseling session, and 4. kept separate from the rest of the individual's medical record.
core elements of a written authorization
1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. 2. The name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure. 3. The name or other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure. 4. A description of each purpose of the requested use or disclosure ("at the request of the individual" is sufficient when the individual initiates the authorization). 5. An expiration date or expiration event. 6. The signature of the individual and the date.
health care clearinghouse
A public or private entity, including a billing service, re-pricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following functions: Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Who can complain and where can you complain to?
ANY Individual can complain to covered entity ANY individual can complain to OCR
What type of training is sufficient?
"Entities would determine the most effective means of communicating with their workforce. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice's information policies and requiring members of the workforce to acknowledge that they have reviewed the policies. A large health plan could provide for a training program with live instruction, video presentations, or interactive software programs. The small physician practice's solution would not protect the large plan's data, and the plan's solution would be neither economically feasible nor necessary for the small physician practice."
A covered health care provider that has a direct treatment relationship with an individual must (2)
Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgement of receipt of the notice provided ... and if not obtained, document its good faith efforts to obtain such acknowledgement and the reason why the acknowledgement was not obtained;
business associate post ARRA
The Privacy Rule now applies directly to business associates (billing companies, lawyers, accountants, and the like) and their subcontractors, and civil and criminal penalties apply to business associates as well as covered entities.
what is health care operations?
Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities ... population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not constitute treatment; 2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
deidentified information
Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information
18 identifiers
1. Names (do initials constitute a name? no official answer; the risk-averse practice is to remove them anyway).
2. All geographic subdivisions smaller than a state: street address, city, county, precinct, and ZIP code. The initial three digits of a ZIP code may be kept if the area formed by all ZIP codes with those three digits contains more than 20,000 people; otherwise the three digits become 000.
3. All elements of dates except year: birth date, admission date, discharge date, date of death. For individuals over 89, the year must be removed too, and the age may only be reported as a single "90 or older" category.
4. Telephone numbers.
5. Fax numbers.
6. Email addresses.
7. Social Security numbers.
8. Medical record numbers.
9. Health plan beneficiary numbers (insurance numbers).
10. Account numbers, or any other number referring to the patient.
11. Certificate/license numbers.
12. Vehicle identifiers and serial numbers, including license plate numbers.
13. Device identifiers and serial numbers.
14. URLs.
15. IP addresses.
16. Biometric identifiers, including finger and voice prints.
17. Full-face photographic images and any comparable images.
18. Any other unique identifying number, characteristic, or code (for example a tattoo).
A covered health care provider that has a direct treatment relationship with an individual must (1):
Provide the notice: (A) No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or (B) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation;
safe harbor method of deidentification
The covered entity removes all 18 enumerated identifiers of the individual and of the individual's relatives, employers, or household members, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual who is a subject of the information.
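As an added illustration of the Safe Harbor method (this is example code written for this page, not HHS or any vendor tool), the following Python applies the 18-identifier rules to a single constructed patient record: direct identifiers are dropped, dates are reduced to year, ZIP is reduced to its three-digit prefix (or 000 for the low-population prefixes), ages over 89 collapse to "90 or older" with the birth year removed, and free-text fields are scanned for identifiers that leak through. The field names, the sample record, and the regular expressions are assumptions made for the example; the restricted ZIP3 list is the 2000-census list from HHS de-identification guidance and should be re-checked against current guidance before use. The second prong of Safe Harbor, no actual knowledge of re-identifiability, is a human judgment that no code can supply.

```python
"""Safe Harbor de-identification (45 C.F.R. 164.514(b)(2)) applied to a record.

Example code for illustration; field names and sample data are constructed.
"""
import re
from datetime import date

# Identifier categories 1-2 and 4-18 map onto these constructed field names.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct",      # 1-2
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",     # 4-9
    "account_number", "license_number", "vehicle_id",           # 10-12
    "device_id", "url", "ip_address", "biometric", "photo",      # 13-17
    "other_unique_id",                                           # 18
}
# Category 3: dates are kept as year only (values are datetime.date objects).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# ZIP3 prefixes covering 20,000 or fewer people (2000 census list from HHS
# guidance; assumption for this example, verify against current guidance).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Patterns for identifiers that commonly leak into free-text fields.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]


def generalize_zip(zip5):
    """Keep the first three digits unless the prefix is on the restricted list."""
    prefix = zip5[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(birth_date, as_of):
    """Exact age up to 89; anything older collapses to the single top category."""
    birthday_passed = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - (0 if birthday_passed else 1)
    return "90 or older" if age > 89 else age


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with category labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, as_of):
    """Return a new dict with the Safe Harbor identifiers removed or generalized."""
    age = generalize_age(record["birth_date"], as_of) if "birth_date" in record else None
    over_89 = age == "90 or older"
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "age":
            continue                      # dropped outright (age is recomputed)
        if key in DATE_FIELDS:
            if key == "birth_date" and over_89:
                continue                  # birth year would reveal an age over 89
            out[key] = value.year         # all date elements except year removed
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # diagnosis, notes, and other free text
        else:
            out[key] = value
    if age is not None:
        out["age"] = age
    return out


# Constructed sample data, not a real patient.
AS_OF = date(2024, 1, 1)
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Main St",
    "city": "Springfield",
    "zip": "62704",
    "birth_date": date(1931, 3, 2),
    "admission_date": date(2023, 5, 14),
    "discharge_date": date(2023, 5, 20),
    "phone": "217-555-0143",
    "mrn": "MRN-00981",
    "sex": "F",
    "diagnosis": "Pneumonia",
    "clinical_note": "Pt called from 217-555-0143 on 5/14/2023; sister j.sample@example.com notified.",
}
YOUNG_RECORD = {"name": "Sam Sample", "zip": "03601", "birth_date": date(1990, 7, 4)}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
    print(deidentify(YOUNG_RECORD, AS_OF))
```

Running the block shows the first record reduced to ZIP 627, years for the admission and discharge dates, an age of "90 or older" with no birth year, and a clinical note with the phone number, date, and email address replaced by labels; the second record keeps its birth year (age 33) but its ZIP prefix 036 becomes 000 because it is on the restricted list.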
Factors in determining cmp
The nature and extent of the violation [including]: The number of individuals affected; and The time period during which the violation occurred. The nature and extent of the harm resulting from the violation [including]: Whether the violation caused physical harm; Whether the violation resulted in financial harm; and Whether the violation resulted in harm to an individual's reputation; and Whether the violation hindered an individual's ability to obtain health care. History of prior compliance . . . Financial condition of the covered entity or business associate . . . Other factors as justice may require
grateful patient fundraising
The solicitation of a monetary or other in-kind donation from a current or former patient (or family or friend of such patient) who may be grateful for the health care given to or received by the patient.
education record
The term "education records" means, except as may be provided otherwise in subparagraph (B), those records, files, documents, and other materials which: (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.
An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures
To carry out TPO . . .; To individuals of PHI about them . . . ; For the facility's directory or to persons involved in the individual's care or other notification purposes
do the same requirements for covered entities extend to business associates?
YES. same penalties and requirements for criminal and civil penalties
compound authorization
An authorization for a use or disclosure of PHI must not be combined with any other document, such as another authorization or a consent form. Exceptions: an authorization for research may be combined with other written permission for the same research, and an authorization for psychotherapy notes may be combined only with another authorization for psychotherapy notes.
what is considered payment?
Activities undertaken by a health plan to obtain premiums or to determine coverage and provide benefits, and activities by a health plan or provider to obtain or provide reimbursement for health care. Billing is the most important example.
state AG enforcement
State attorneys general may bring civil actions under HITECH, but there has not been much of this activity in most parts of the country. NE
What information is excluded by PHI
Education records covered by FERPA at 20 U.S.C. § 1232g(a)(4)(A); student treatment records described at 20 U.S.C. § 1232g(a)(4)(B)(iv); employment records held by a covered entity in its role as an employer; and information regarding a person who has been deceased for more than 50 years (added by the Omnibus Rule).
defective authorization
The expiration date has passed or the expiration event has occurred; the authorization is not filled out completely (a required element or statement is missing); the covered entity knows it has been revoked; it is a prohibited compound authorization; or material information in the authorization is known by the covered entity to be false.