HIPAA Privacy Rule

What is administration simplification?

HIPAA's attempt to streamline and standardize the healthcare industry's nonuniform and seemingly chaotic business practices, such as billing.

HIPAA

Health Insurance Portability and Accountability Act created to improve continuity of health insurance coverage and the administration of health care services

What are the permitted uses and disclosures of PHI without written patient consent, but where the patient has the right to object?

1) Patient directory, and 2) Notification to relatives and friends.

What actions must be taken if the amendment is granted?

The amendment must be linked to the original entry, and the amendment must be sent to whomever the patient requests.

When must the secretary of HHS be contacted along with a media outlet to provide breach notification?

When 500+ people are affected

When are information related to fundraising activities okay to use?

When it is disclosed to a BA or institutionally related foundation, only the demographic information and dates of healthcare are provided, they are given the chance to opt out, and they were notified of the use in the NPP.

When does the privacy rule apply to CEs?

When they are directly or indirectly involved with transmitting or performing any electronic transactions specified in the act (i.e. in regards to health claims, insurance coverage, etc.).

healthcare operations

process of reviewing information in medical records for those patients admitted within specific time frame after discharge

portability

protects and guarantees health insurance coverage when an employee changes jobs

accountability

protects health data integrity, confidentiality, and availability

Protected H Info

PROTECTED HEALTH INFORMATION
1. PHI includes information about a person's physical health, mental health, provided care, and payment for that care.
2. All PHI is considered confidential under HIPAA, such as: Name, Address, Social Security Number, Birth Date, Names of Relatives.

What type of documentation always requires authorization for use/disclosure (except for TPO)?

Psychotherapy notes

What is ARRA and when was it signed into law?

American Recovery and Reinvestment Act (2009)

What is a breach?

An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.

What is HIPAA?

Health Insurance Portability and Accountability Act
1. HIPAA makes it illegal for information to be released to inappropriate parties.
2. Intended to make it easier for patients to move from one insurance plan to another.
3. Establishes a standard format for health care organizations to share medical information.

Individually identifiable health information (IIHI)

Health care data that can be connected to a specific person

What are examples of covered entities?

Healthcare providers, health plans, and healthcare clearinghouses.

Minimum necessary

Reveal only the smallest amount of information required to accomplish the task and no more. When using any PHI, a covered entity must generally make reasonable efforts to limit itself to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

What is the designated record set?

The health records, billing records, and various claims records that are used to make decisions about an individual.

What does individually identifiable mean?

The information must either identify the person or provide a reasonable basis to believe the person could be identified from the information.

What is TPO?

Treatment, Payment, and Operations (the exceptions to the release of PHI).

What are exceptions when a CE can make "paid" communications with the patient?

When it regards a prescribed drug where the payment was "reasonable", or it is from a BA on behalf of the CE. If payment was accepted, it must always be prominently stated and have the option to opt out.

Business Associate

a person or business who, on behalf of the Covered Entity, utilizes and/or discloses protected health information

Notice of Privacy Practices required elements

effective date of the notice; description of grievance process; list of individual rights per HIPAA privacy rule

Covered Entity

health plans, healthcare clearinghouse and healthcare providers who electronically transmit information under standards of operation established by HHS

disclose

release or divulgence of information by an entity to persons or organizations outside of that entity

60

requests for access to PHI by consumers must be responded to by the facility within __ days

minimum necessary requirement

rule that does not require the consent of the patient to transfer records to a facility for follow up care.

What amount of time must covered entities retain an accounting of disclosures?

3 years

How long does a CE have to provide requested information?

30 days, and up to 30 days more if written notice is given as to why and the expected date of availability (60 days if the info is stored off-site).

What is the notice of privacy practices?

A notice explaining how an individual's PHI will be used or disclosed, along with their rights, and the CE's legal duties.

What is the minimum necessary standard and who does it apply to?

A rule that applies to individuals who work for an organization (providers and other CEs) that they must limit the use, disclosure, and requests of PHI to only the amount needed to accomplish the intended purpose (excludes TPO).

How does the privacy rule define marketing?

Communication about a product or service that encourages the recipient to purchase or use that product or service.

Does HIPAA preempt state laws?

No, it only serves as a federal floor or minimum on privacy requirements - stricter state laws still prevail.

Incidental use and disclosure

The accidental release of PHI during the course of proper patient care

What are the administrative requirements of the HIPAA Privacy Rule?

1) A Privacy Officer and contact person for receiving complaints be designated, 2) All workforce members are given privacy training (with documentation showing such), 3) There are safeguards and mechanisms in place to safeguard information (administrative, technical, and physical safeguards), 4) There are written policies and procedures (and ongoing review of such) that comply with all standards and specifications.

What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (First 6)

1) As required by law, 2) For public health activities, 3) To disclose PHI regarding victims of abuse, neglect, and domestic violence, 4) For health oversight activities, 5) For judicial and administrative proceedings, 6) For law enforcement purposes (6 situations).

How long does a CE have to produce an accounting of disclosures?

60 days and an extension of 30 days if notification is given to the patient

How long does a CE have to respond to a request for amendment to information?

60 days and up to 30 more if given a written notice as to why/ETA.

Workforce

As defined in the HIPAA law, includes everyone involved with a covered entity, whether or not they are full time and whether or not they get paid: an employee within a Covered Entity, or any member of a service contracted with a facility that does not make use of PHI (ex. laundry, cleaning services, etc.).

What are some major issues HITECH deals with in regards to Privacy?

Business associate agreements, minimum necessary requirements, individual rights, breach notification, personal health record vendors, marketing/fundraising/sale of information, and increased enforcement and penalties for noncompliance.

What does not qualify as marketing, and therefore requires no authorization?

Communications to describe health-related products and services, communication for treatment of the individual, and case management or care coordination for the individual.

What must a valid authorization form contain?

Description of the info being disclosed, people authorized to request the data, who can make the disclosure of data, expiration date, statement of the right to revoke authorization, statement that info is subject to redisclosure, signature/date, and a representatives right to sign (if applicable)

What information must be included to an individual for a breach notification?

Description of what occurred (the date it occurred and the date it was discovered), the types of PHI involved, steps the individual may take to protect themselves, what the entity is doing to prevent/rectify the situation, and contact info for any questions.

What are the 3 key documents of the Privacy Rule?

Notice of Privacy Practices (required), authorization (required), and consent (optional).

What are some elements that must be included in the NPP?

Standard header, description of how information will be used for TPO and for other purposes, statement that other disclosures will only be made with the patient's consent, statement of the individual's rights, how to make complaints and the contact person to do so, and effective date.

When is a CE allowed to market a certain group of individuals?

When it may be beneficial to them, it is explained why they are being targeted, and how the service relates to them.

What are the permitted uses and disclosures of PHI without written patient consent where the patient cannot choose to object?

1) Public interest and benefit (12 situations), 2) TPO purposes, 3) To the individual, 4) Incidental disclosures, and 5) Use in limited data sets.

What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (last 6)

7) Regarding decedents (i.e. to coroner or ME), 8) For cadaver organ, eye, or tissue donation, 9) For research (with limitations), 10) To prevent or lessen a serious threat to health or safety, 11) For essential government functions, 12) For workers' comp.

Violations and Consequences

HIPAA Violations
1. Fines and civil penalties can be filed against any individual that negligently discloses or knowingly & willfully obtains, discloses, or uses medical information.
2. Fines can be brought against an institution for failing to prevent/report unauthorized access, use, or disclosure of medical information.
HIPAA Consequences
Civil Penalties: Range from $100 per violation to an annual maximum of $1.5 million for repeated violations. Amount of penalty is based on reasonable cause for the HIPAA violation, willful neglect, and corrective steps taken.
Criminal Penalties: Consist of a fine up to $250,000 as well as a prison sentence of up to 10 years.

What information must be given to the patient if their request for amendment is denied?

The basis for denial, their right to submit a statement disagreeing with the denial (and how to submit this), that the request for amendment and denial will accompany any new requests for information, and a contact person who they can complain to.

What is a business associate agreement?

The written contract that BAs of CEs must sign to agree to abide by the covered entity's requirements to protect the information's security and confidentiality.

How are penalty amounts set up?

They are tiered according to intent and extent of violation: Unknowing violations < Violations due to a reasonable cause < Willful Neglect < Uncorrected Violations

What are valid grounds for denying access to personal PHI?

Without opportunity to appeal, any records that are: psychotherapy notes, compiled for legal proceedings, subject to CLIA, about an inmate and could cause harm, subject of research to which denial of access has been agreed, subject to Privacy Act, or obtained from someone in confidence. With opportunity to review: any records where a licensed professional determines access may endanger life or safety, or there is reference to another person and access could cause harm.

What are workforce members?

Employees, volunteers, student interns, trainees, and on-site contractors/vendors for whose actions the covered entity is responsible.

Protected health information (PHI)

Any identifiable patient health information regardless of the form in which it is stored

Health care provider

Any professional who provides health care services

Disclosure

As defined by HIPAA, the sharing of information between health care professionals working in separate entities, or facilities, in the course of caring for a patient

Who may be penalized for HIPAA/Privacy Rule violations?

CEs, BAs, and employees of these

What marketing activities do not require authorization?

Ones that occur face-to-face with the CE or they concern a promotional gift of nominal value to the patient.

Covered entities

Organizations that access the personal health information of patients. They include health care providers, health plans, and health care clearinghouses.

HIPAA's Privacy Rule

Protects patients information so it is available to those who need to see it, while protecting that information from those who should not

What individual rights does the HIPAA Privacy Rule provide?

Right of access, right to request amendment of PHI, right to accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of Privacy Rule violations.

6 years; April 14, 2003

accounting of disclosures: -time frame: ______ -clock starts: ____________

PHI (protected health information)

all individually identifiable health information and other information on treatment and care that is transmitted or maintained in any form or medium

authorization

the mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment, or healthcare operations; required to disclose PHI to a person or agency outside the facility

privacy

the right of an individual to keep his/her individual health information from being disclosed

What are the 2 key goals of the Privacy Rule?

1) Provide an individual with greater rights with respect to his or her health information, and 2) Provide greater protections for one's health information.

What are the 6 situations where PHI can be disclosed without authorization for law enforcement purposes?

1) Pursuant to legal process or otherwise required by law, 2) In response to a request for identifying/locating a suspect, fugitive, material witness, or missing person, 3) In response to an official request about someone who is, or is suspected to be, a victim of a crime, 4) About a deceased person whose death may have resulted from criminal conduct, 5) When it is believed in good faith that criminal conduct occurred on the CE's premises, and 6) In response to a medical emergency.

How can a CE properly ensure the de-identification of information?

1) Strip it of all identifying information (name, SSN, locations, dates, etc.), or 2) Have an expert apply statistical and scientific principles to minimize the identification risk.

When is the use or disclosure of PHI required, even without patient authorization?

1) When the patient or their representative requests access or accounting of disclosures (with exceptions), 2) When HHS is conducting an investigation, review, or enforcement action.

Patient Rights

1. HIPAA requires that patients be made aware of their rights and how to protect their information.
2. Health care providers are required to post notices for patients telling them how their health care information is used.

What are business associates?

A person or organization, other than a member of a covered entity's workforce, that performs functions or activities on behalf of or to a covered entity that involves the use or disclosure of PHI (i.e. consultants, billing companies, transcription companies, accounting firms, and law firms).

What act allows patients to request restrictions of PHI (for TPO purposes) and in what circumstances?

ARRA, unless a patient pays completely out of pocket and the CE agrees (not required to do so).

Use

As defined by HIPAA, the sharing of information between people working in the same health care facility for the purpose of caring for a patient; means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information

What information must be included in the accounting of disclosures?

Date, name and address of requestee, and brief statement of the purpose of disclosure.

What is PHI?

Protected Health Information - individually identifiable health information that is transmitted by electronic media, maintained in any electronic medium, or maintained in any other form or medium.

What information does not need to be accounted for in the accounting of disclosures?

TPO information (if the provider does not have an EHR), disclosure to the patient themselves, any disclosure incidental to another proper disclosure, any for the facility directory, any for national security, for law enforcement officials, or part of a limited data set.

Hybrid entity

a facility that performs both covered and non-covered functions under the HIPAA privacy rule. ex. University Medical Clinic

facility directory

example of a disclosure that the patient has the right to agree to or object to

security

how we protect PHI from accidental or intentional disclosure, alteration, destruction, or loss
