Chapter 10: HIPAA Privacy Rule- HIM 250

TPO

-Treatment, payment, and operations - functions of a CE that are necessary for the CE to successfully conduct business. -Some Privacy Rule requirements are relaxed or removed where PHI is needed for TPO purposes.

Enhancements to Privacy Rule Part 2

The HITECH Act encouraged healthcare providers to adopt electronic health records (EHRs) and improve privacy and security protections for healthcare data.

"In loco parentis"

in the place of a parent

When uses and disclosures are required, even without authorization

-Access or accounting of disclosures requested by individual or personal representatives. -Department of Health and Human Services (HHS) investigation, review, or enforcement action.

Although HIPAA is not the first piece of federal privacy legislation, it is more expensive than the Federal Privacy Act of 1974, which applied privacy rules to _

Federal Agencies

Federal Drug and Alcohol Laws

Federal facilities and those who received federal funds were required to abide by: -Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970. -Drug Abuse Prevention, Treatment and Rehabilitation Act of 1972.

An individual has the opportunity to agree or object _

(1) Facility directory Patient name (fact of admission, if requested by name) Location in facility Condition, in general terms Religious affiliation (to clergy) (2) Notification to family or friends

An individual does not have the opportunity to agree or object _

(3) Treatment, payment, and operations (4) To the individual (5) Incidental disclosures (6) Limited data set

1967 (FOIA)

- Freedom of Information Act - Right of disclosure to and access by the public regarding federal agency records. -Government transparency was the goal. -Some situations however the risk outweighs the benefit (public's right to know). -Exceptions to this law were the Dept of Veterans Affairs (VA) Hospitals and clinics.

1965 (CoP)

- Medicare Conditions of Participation Governs only providers receiving Medicare and Medicaid reimbursement. On July 30, 1965, President Lyndon B. Johnson signed into law the bill that led to Medicare and Medicaid. The original Medicare program included Part A (Hospital Insurance) and Part B (Medical Insurance). Today these 2 parts are called "Original Medicare."

Title I- Insurance Portability

- Protects individuals from losing their health insurance when leaving or changing jobs by providing insurance continuity (portability). - Prohibits discrimination based on a person's status or that of his or her dependents in the enrollment in health insurance plans and the amount of premiums charged.

De-Identified Information

-Cannot identify the individual -Privacy Rule defines process: Safe Harbor Method - 18 Identifiers (Figure 10.4 on Page 214) Statistical and Scientific Principles to Minimize Risk -Reidentification is allowed for research purposes (i.e. - Patient X) Cannot disclose the mechanism for reidentification

Limited Data Set

-Data sets stripped of certain direct identifiers that are specified in the Privacy Rule. -May be used to comply with the Minimum Necessary Rule. -They are NOT considered de-identified information under the Privacy Rule.

HIPAA Privacy Rule Exclusions

-De-identified information -Personnel and educational records

DRS

-Designated record set -The medical records and billing records about individuals maintained by or for a covered healthcare provider. -The enrollment, payment, claims adjudication and case or medical management records systems maintained by or for a health plan; or used in whole or part by or for the CE to make decisions about individuals.

HITECH Changes to the ONC

-Expanded the role of the ONC -Health Information Technology (HIT) Policy Committee was created. -HIT Committee provides guidance in technology integration while promoting EHR privacy and security. -Appointed an ONC Chief Privacy Officer.

Notice of Privacy Practices

-Explains how PHI will be used and disclosed -Explains individuals' rights -Healthcare providers must make it available upon first encounter -Receipt must be acknowledged by individual -Must be posted in a prominent place, including website if one exists -HIPAA and HITECH outline content requirements

Who are Covered Entities?

-Healthcare providers -Health plans -Healthcare clearinghouses

Health Insurance Portability and Accountability Act (HIPAA) of 1996

-Improve portability and continuity of health insurance coverage in the group and individual markets. -To combat waste, fraud, and abuse in health insurance and health care delivery. -To promote the use of medical savings accounts. -To improve access to long-term care services and coverage. -To simplify the administration of health insurance.

Workforce Members

-Include employees, volunteers, student interns, trainees, and anyone else working under the CE's direct control. -Contractors working on a covered entity's premises may be considered workforce members if they routinely work there.

HIPAA: Redisclosure

-Involves PHI created by and received from another entity. -Redisclosure allowed for HIPAA-permitted purposes ONLY: Facilitate patient care Only disclosed after attempting to obtain records from the originating facility To comply with legal process Include only information contained within DRS

Authorization

-Is written permission for a specific disclosure -Must contain HIPAA-required elements -Psychotherapy notes, behavioral health notes, follow separate HIPAA restrictions -There are times when disclosure meets a 'HIPAA authorization exception.

Business Associates (BAs) Part 1

-Person or organization (not a member of a CE workforce) that performs functions on behalf of the CE involving the use or disclosure of individually identifiable health information. -A business associate agreement (BAA) should be initiated to legally protect information handled by a BA.

Title II - Administrative Simplification Part 2

-Privacy standards -Security standards -Transactions and code sets -National provider identifiers -Enforcement

1974 - Privacy Act

-Provides individuals with privacy rights by requiring federal agencies that hold personally identifiable records to safeguard the information. -Also provided the right to access and amend their health records. -NOTE: Only applied to information collected by federal agencies

Consent

-Required in order to use or disclose PHI for TPO -Optional document -Revocation of consent must be permitted

Business Associates (BAs) Part 2

-Subcontractors of BAs are also BAs -Organizations or individuals that meet the definition of a BA must comply with HIPAA, even without a BAA. -BAs must respond to CE if non-compliance is identified. May result in corrective action -or - severing relationship with CE.

Title II - Administrative Simplification Part 1

-The most relevant title to management of health information, containing provisions relating to the prevention of healthcare fraud and abuse, medical liability reform, and administrative simplification. -The Privacy Rule resides in Title II along with HIPAA security regulations.

Privacy Regulation History

1965 - Medicare and Medicaid (CoP) 1967 - Freedom of Information Act 1974 - Privacy Act 1970 - Federal Alcohol Treatment Laws 1972 - Federal Drug Treatment Laws

Which of the following items does the "Administrative Simplification" portion of Title II of HIPAA not address?

A computer memory requirement for health plans maintaining patient health information.

Healthcare clearinghouses

A public or private entity that does either of the following functions: -Processes or facilitates the processing of health information received from another entity. -Receives a standard transaction from another entity and processes or facilitates the processing of health information. (including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches)

Which of the following is not a required element of the Notice of Privacy Practices?

A statement that treatment can be refused if the notice is not signed.

Commercial Uses and Disclosures of PHI- Fundraising

Activities initiated by the covered entity to generate money for the benefit of the covered entity Must inform individuals in Notice of Privacy Practices (NPP) that PHI may be used for fundraising Opt out clauses are required before the first solicitation or as part of the fundraising materials Prior authorization required IF fundraiser targets individuals based on diagnosis For example, kidney patients targeted to raise funds for new kidney dialysis center

Commercial Uses and Disclosures of PHI- Marketing Part II

Additional activities where Authorization not required: Communications by CE about health-related products and services in a CE's benefit plan Replacements or enhancements to a health plan, or health-related products or services that are of value (although not part of a benefit plan) For treatment of individual For case management/care coordination or alternative treatments

ONC remains focused on two strategic objectives

Advancing the development and use of health IT capabilities. Establishing expectations for data sharing.

The minimum necessary standard_

Applies to both uses and disclosures of PHI.

Public Interest and Benefit Standards

As required by law Public health activities Victims of abuse, neglect, or domestic violence Healthcare oversight activities Judicial and administrative proceedings Law enforcement purposes Decedents Cadaveric organ, eye, or tissue donation Research Threat to health or safety Specialized government functions Workers' Compensation

Request

Asking for all or part of an individual's PHI.

The Privacy Rule

Became effective in 2003 under HIPAA law. -Goal 1: Protect the privacy of one's health information by limiting access by others. -Goal 2: Provide an individual with greater rights with respect to his or her health information.

Payment

Billing, claims management, claims collection, review of the medical necessity of care, utilization review, etc.

Commercial Uses and Disclosures of PHI- Sale of PHI

CEs and BAs may NOT sell PHI without patient authorization except: Public health and research data Treatment and healthcare operations Such as PHI that is part of CE sale or merger Authorization must specify whether the recipient of the PHI can exchange it further for payment.

Organized Health Care Arrangement

Characterized by two or more CE's who share PHI to manage and benefit their common enterprise and are recognized by the public as a single entity. Example: Physician treating patient in hospital

Commercial Uses and Disclosures of PHI- Marketing Part I

Communication about a product or service that encourages its purchase or use General rule: Use or disclosure of PHI for marketing requires authorization Marketing activities that do not require an authorization Occur face-to-face with the individual Concern promotional gifts of nominal value Remuneration (monetary benefits) granted to the covered entity must be disclosed Opt-out instructions must be provided to the patient

Who does HIPAA protect?

Covered Entities and Business Associates

Disclosure

Divulging, releasing or disseminating outside information about an identifiable person by a CE or a BA to another entity or person outside the entity holding the information.

Comparing HIPAA to the Federal Privacy Act of 1974_

HIPAA applies more specifically to medical information.

Commercial Uses and Disclosures of PHI- Marketing Part III

HITECH Act: Clarifies and expands communications considered to be marketing Limits covered entities' ability to categorize communications as operations (and exempt themselves from marketing requirements)

Covered Entities (CEs) -Transaction examples

Health claims and encounter information, health plan enrollment, health plan premium payments, coordination of benefits, health claim status.

Covered Entities (CEs)

Healthcare providers that conduct certain transactions electronically. Health plans: Insurance plans Healthcare clearinghouses: Intermediary billing companies

Covered Entities (CEs) - Provider examples

Hospitals, pharmacies, physician office practices, long-term care facilities, and clinics.

Title V- Revenue Offset Provisions

Includes provisions related to company-owned life insurance, treatment of individuals who lose U.S. Citizenship for income tax purposes, and repeals the financial institution rule to interest allocation rules.

Health plans

Insurance companies, health maintenance organizations (HMO's), government programs that pay for healthcare (Medicare for example), and military and veterans' health programs.

Affiliated Covered Entity

Legally separate CE 'affiliated' by common ownership or control. Example: Hospital with a separate Surgery Center

A HIPAA authorization_

May be revoked as long as it is in writing.

Safe Harbor Identifiers

Names Geographic subdivisions of specified size Dates (except year) relating to birth, admission, discharge, and death (age > 89) Telephone # Fax # E-mail address Social security # Medical record # Health plan beneficiary # Account # Certificate/license # Vehicle identifiers Device identifiers URLs IP addresses Biometric identifiers Photographic images Any other unique identifier

Minimum Necessary Rule

People should only have access to the amount of information needed to do their jobs.

Patient Privacy After Death

Per HITECH, individually identifiable information of persons deceased >50 years is not protected by the HIPAA privacy rule. In other words, it loses its PHI status.

Hybrid Entity

Performs both covered (healthcare functions) and non covered (research) functions under the privacy rule Example: Research Hospital

HIPAA: Key Terms- Personal representatives

Persons with legal authority to act on behalf of another adult, an emancipated minor, an unemancipated minor, or deceased individual.

Healthcare providers

Physicians, Hospitals, Pharmacies, etc.

What does HIPAA protect?

Protected Health Information (PHI). Identifier

Title III- Medical Savings and Tax Deduction

Provides for certain deductions for medical insurance, and makes other changes to health insurance law.

Treatment

Providing coordinating or managing healthcare or healthcare-related services by one or more healthcare providers.

Operations

Quality improvement, legal and auditing functions, general business management such as customer service, etc.

HITECH Enhancements

Requirements related to business associates and subcontractors PHI for deceased individuals Notice of Privacy Practices Sale of information Minimum Necessary Requirement Individual Rights (Access, Use and Disclosure) Student Immunization Records Marketing and Fundraising Increased Enforcement and Penalties

The HIPAA privacy rule _

Sets a minimum (floor) of privacy requirements.

Use

Sharing, employment, application, utilization, examination or analysis of individually identifiable information within an entity that maintains such information.

You are a member of the hospital's health information management committee. The committee has created a HIPAA-compliant authorization form. Which of the following items would you advise the committee to remove, as the Privacy Rule does not require it?

Signature of the patient's attending physician.

Title IV- Group Health Plan Provisions

Specifies conditions for group health plans regarding coverage of persons with pre-existing conditions and modifies continuation of coverage requirements.

What Does HIPAA Cover?

The HIPAA Privacy Rule covers all individually identifiable health information that is created, stored, maintained, or transmitted by a HIPAA covered entity or business associate of a HIPAA covered entity.

"The Floor" of Compliance

The HIPAA Privacy Rule set a minimum amount of protection, "a floor" of compliance, uniformly across all states through the establishment of a consistent set of requirements.

Enhancements to Privacy Rule Part 1

The Health Information Technology for Economic and Clinical Health Act (HITECH) is part of the American Recovery and Reinvestment Act (ARRA) of 2009.

ONC

The Office of the National Coordinator for Health Information Technology= -The forefront of the administration's health IT efforts. -A resource to the entire health system to support the adoption of health information technology and the promotion of nationwide, standards-based health information exchange to improve healthcare.

Champion Hospital retains a law firm to perform all of its legal work, including representation during medical malpractice lawsuits. Which of the following statements is correct?

The law firm is a business associate because it uses or discloses individually identifiable health information on behalf of the hospital.

Enhancements to Privacy Rule Part 3

This was achieved through financial incentives for adopting EHRs and increased penalties for violations of the HIPAA Privacy and Security Rules.

#1: Mercy Hospital personnel need to review the medical records of Katie Grace for utilization review purposes. #2: They will also be sending her records to her physician for continuity of care. As they pertain to Mercy Hospital, these two functions are_

Use #1 and disclosure #2

Covered Entity with Multiple Functions

each covered function operates separately and must not disclose PHI to a function not involved with the individual. Example: Medical facility with self-insured health plan.

HIPAA: Key Terms- Individuals

person who is the subject of the PHI