Chapter 10 HIPAA Privacy Rule Part I HIM 2012
When Use or Disclosure Is Permitted Without Authorization
18 situations in total: 2 in which the individual has the opportunity to agree or object, and 16 in which the individual does not. These uses and disclosures are permissive only (HIPAA permits them but does not require them). They must not violate a stricter, more protective state law.
Covered Entities: Health Plans
An individual or group plan that provides or pays the cost of medical care.
Covered Entity with Multiple Functions Example:
A medical facility may also be a self-insured health plan. If an employee of the medical facility is a patient but not an enrollee of the health plan, that individual's PHI may be used by the medical facility only in its capacity as a HC provider and may not be shared with the health plan.
ARRA Individual Rights:
Access; accounting of disclosures; right to request restrictions.
Use and Disclosure When Authorization is Not Needed
Access or accounting of disclosures requested by the individual or personal representative; HHS investigation, review, or enforcement action.
Payment
Activities by a health plan to obtain premiums, or activities by a HC provider or health plan to obtain reimbursement for care or services provided: billing, claims management, claims collection, review of the medical necessity of care, and utilization review.
Fundraising:
Activities initiated by the covered entity to generate money for the benefit of the covered entity. The Notice of Privacy Practices must inform individuals that PHI may be used for fundraising. Instructions on how to opt out of future solicitations are required before the first solicitation or as part of the fundraising materials.
HIT Policy Committee
Addresses technologies to promote electronic health records (EHRs), including privacy and security. Establishes an HIT Standards Committee whose members have expertise in HC privacy and security. Appoints an ONC Chief Privacy Officer to advise on electronic health information privacy, security, and data stewardship.
Privacy Rule: DRS
Allows individuals to inspect, obtain a copy of, and amend information in their designated record set, including information that exists in paper, imaged, and electronic forms.
12 Public Interest/Benefit Purposes
As required by law (for example, reporting specified wounds); public health activities; victims of abuse, neglect, or domestic violence; healthcare oversight activities; judicial and administrative proceedings; law enforcement purposes; decedents; cadaveric organ, eye, or tissue donation; research; threat to health or safety; specialized government functions; workers' compensation.
Per HITECH BA Subcontractor:
Subcontractors are BAs under HIPAA if they require access to an individual's protected health information, regardless of whether a business associate agreement has actually been signed.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Federal statutory law enacted by Congress in 1996.
Psychotherapy Notes
Behavioral health notes recorded by a mental health professional who documents or analyzes the contents and impressions of conversations that are part of private counseling sessions. An authorization is always required for the use or disclosure of psychotherapy notes EXCEPT for a few narrow uses (such as the originator's own use for treatment); carrying out TPO generally does NOT exempt them.
Personal Health Record (PHR) Vendors
Under contract with a CE, offer PHRs to the CE's patients as part of the CE's EHR.
Covered Entities: Workforce
CEs are responsible for their workforce: employees, volunteers, student interns, and trainees. Not limited to those who receive wages; includes employees of outsourced vendors who routinely work on-site in the CE's facility.
ARRA Major Revisions:
Changes to requirements relating to business associates and their subcontractors; protected health information of deceased individuals; Notice of Privacy Practices; the sale of information; minimum necessary requirement; student immunization records; research authorizations; breach notifications.
Organized Healthcare Arrangement (OHCA)
Characterized by two or more CEs that share PHI to manage and benefit their common enterprise and are recognized by the public as a single entity.
HITECH and Marketing
Clarifies and expands the communications considered to be marketing. Limits covered entities' ability to categorize communications as operations (and thereby exempt themselves from marketing requirements).
Marketing
A communication about a product or service that encourages its purchase or use. An authorization must be obtained before PHI is used for marketing, EXCEPT when the communication occurs face-to-face between the CE and the individual, or concerns a promotional gift of nominal value provided by the CE.
In the BAA, the BA agrees to
Comply with the CE's requirements to protect the information. The BA must agree not to use or disclose the PHI in ways the provider would not permit, and must agree to protect patient information from unauthorized access or disclosure.
HIPAA Applicability WHO:
Consists of Covered Entities (CEs) and their Business Associates (BAs).
Titles III, IV, and V
Contain tax-related provisions relevant to the Internal Revenue Code and requirements for group health plans
DHHS and Consent
Covered entities electing to obtain patient consent have "complete discretion to design a process" that works best for them. Consent is obtained at the time services are provided.
Marketing Exceptions
Communications that: describe a health-related product or service (or payment for it) that is included in the benefit plan of the CE making the communication; describe replacements or enhancements to the health plan; describe available health-related products or services that are of value but NOT part of the health plan; are for treatment of the individual; or are for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, HC providers, or settings of care.
Redisclosure
Disclosure by a HC organization of information that was created by and received from another entity. Allowed for HIPAA-related purposes, e.g. treatment.
Health Information in Education Records
Education records, including student grades and disciplinary records but also health records created or collected by the school, are covered by the Family Educational Rights and Privacy Act (FERPA) and are excluded from the Privacy Rule's definition of PHI.
Exceptions to Consent
Emergency treatment situations; barriers to communication; the HC provider is required by law to treat the individual but is unable to obtain consent. The provider should document its attempt to obtain consent and the reason it was unable to do so, and should obtain consent as soon as possible after delivery of treatment.
Covered Entities: HC Clearinghouses
An entity that processes billing transactions between a HC provider and a health plan.
FOIA Exceptions: Department of Veterans Affairs
The notable exception to FOIA's otherwise narrow reach into healthcare is the Department of Veterans Affairs, a federal agency that operates inpatient and outpatient HC facilities.
FOIA Exceptions: Medical Records
FOIA exempts documents such as medical records to preserve the privacy of the individuals about whom they are written; disclosure can still occur if the reasons for disclosure outweigh the exemption.
Health Information in Personnel Records
Excludes employment records held by the CE in its capacity as an employer. Employee physical examination reports contained within personnel files are specifically exempted from the rule.
Notice of Privacy Practices
Explains how PHI will be used and disclosed and explains individuals' rights. HC providers must make it available at the first encounter. Must be posted in a prominent place, including on the website if one exists. HIPAA and HITECH outline the content requirements. Providers must make a good-faith effort to obtain the individual's written acknowledgment of receipt.
Appropriate Redisclosures
Facilitate patient care; are disclosed only after a patient has been encouraged to first attempt to obtain records from the originating facility; are disclosed to comply with legal processes; include only information contained within the DRS.
e-prescribing gateways
Facilitate the prescribing process between physicians and pharmacies.
When Use or Disclosure is Permitted Without Authorization: Individual HAS the Opportunity to Agree or Object
Facility directory / directory of patients: patient name (fact of admission, if requested by name); location in the facility; condition, in general terms; religious affiliation (to clergy). Notification to family or friends.
De-Identified Information
Fails the first part of the PHI test and does not receive Privacy Rule protection. Used in research, decision support, and other purposes. Personal characteristics about the individual, the individual's relatives, employers, and household members have been removed, so that there is NO reasonable basis to believe the information could identify an individual, and it cannot later be reconstituted or combined with other data to re-identify an individual.
Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1972 and Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970
Federal statutes that provide specific and highly particularized safeguards to protect information relating to the diagnosis, treatment, or referral for treatment of conditions relating to drug abuse or other substance abuse.
Request
A request for PHI is made by a CE or its BA.
Under HITECH, PHI of deceased persons
For more than 50 years is no longer PHI and loses its Privacy Rule protection
Treatment, Payment, and Operations (TPO)
Functions of a CE that are necessary for the CE to successfully conduct business
ARRA and Office of the National Coordinator for Health Information Technology (ONC)
Gave ONC an expanded role in HIT implementation; created the HIT Policy Committee.
Professional Ethical Standards and Codes of Conduct
Govern a variety of HC professions including HIM and Informatics professionals and provide guidance regarding privacy protection of patient information.
Consent to Use/Disclose PHI
HC providers are not required to obtain consent for TPO purposes; some providers may choose to obtain consent as a matter of policy. Consent has no expiration date unless revoked by the individual, and revocation must be permitted. Consent cannot be used where an authorization would be required under the Privacy Rule.
American Health Information Management Association (AHIMA) Codes of Ethics
HIM Professionals: "Preserve, protect, and secure personal health information in any form or medium and hold in the highest regards health information and other information of a confidential nature..."
Covered Entities: HC Providers Transactions:
Health claims and encounter information; health plan enrollment; health plan premium payments; coordination of benefits; health claim status.
18 Elements: 9-18
Health plan beneficiary number; account number; certificate/license number; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers (fingerprints, voice prints); photographic images (full face or comparable); any other unique identifying number, characteristic, or code, unless it is a re-identification code permitted under the rule.
NPP Exceptions
Health plans, correctional facilities, emergencies. In an emergency treatment situation, the notice is provided as soon as reasonably practicable after the emergency.
Title II
The title most relevant to the management of health information. Covers prevention of HC fraud and abuse, medical liability (medical malpractice) reform, and Administrative Simplification.
PHI Test ONE
Identifies the person or provides a reasonable basis to believe the person could be identified from the information given
Personal Representatives Rights May Be Denied
If one is suspected of abusing or neglecting the individual, and granting rights could endanger the individual
Under HITECH a BA's workforce
Includes paid and unpaid individuals working under the BA's direct control
Protected Health Information (PHI)
Individually identifiable health information in any form or medium (paper, imaged, electronic, oral). Includes genetic information, if it is individually identifiable and is held or transmitted by a CE or BA.
PHI Test THREE
Is held or transmitted by a CE or its BA in any form or medium, including electronic, paper, and oral forms
Authorization
Written permission for a specific disclosure. Authorization requirements have the force and effect of federal law. A valid authorization must be written in plain language and must contain the HIPAA-required elements. An authorization is required unless a disclosure meets a HIPAA authorization exception.
HIPAA Privacy Rule
Key federal law governing the privacy and confidentiality of patient information.
Affiliated Covered Entity
Legally separate CEs affiliated by common ownership or control. They may refer to themselves as a single CE; such designation must be in writing.
Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1972 and Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970: PROBLEMS
More global than the Privacy Act of 1974: they apply to all federally assisted alcohol and drug abuse treatment programs, not just federal providers. Still apply only to a niche population of patients rather than to the protection of patient information generally.
Covered Entity with Multiple Functions
Must operate each covered function separately and must not disclose PHI to a function not involved with the individual, remaining compliant with Privacy Rule relative to each function they perform
Facility Directory
Name, location in the facility, condition described in general terms, and religious affiliation
18 Elements: 1-8
Names; geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code; the first three digits of a ZIP code may be retained only if the area sharing those three digits contains more than 20,000 people, otherwise they are changed to 000); all elements of dates except the year relating to birth, admission, discharge, and death (ages over 89 must be aggregated into a single category of 90 or over); telephone numbers; fax numbers; e-mail addresses; Social Security numbers; medical record numbers.
Privacy Act of 1974 Problem:
Narrow because it applies only to information collected by the federal government (e.g. Veterans Affairs facilities). Not tailored to protect health information, so its impact on the protection of patient information is limited.
Incidental Uses/Disclosures
Occur as part of a permitted use/disclosure Component of doing business EX: Calling out a patient's name in a physician's office
Disclosure
Of PHI: divulging, releasing, or disseminating information about an identifiable person by a CE or a BA to another entity or person outside the entity holding the information. Emphasized by the Privacy Rule.
Parent, guardians, or others acting in loco parentis
Of a minor are not treated as personal representatives if the minor has consented to his/her own treatment
Business Associate Agreement (BAA)
Once a CE identifies a person or organization as a BA, the CE is legally obligated to initiate a BAA to protect information handled outside the CE. CEs may lawfully disclose protected health information (PHI) to BAs such as billing companies, accounting firms, or others that perform services for the provider.
Psychotherapy Notes Use/Disclosure
Use by the originator for treatment; use by the CE in training programs for students, trainees, or practitioners in mental health; use by the CE to defend a legal action or other proceeding brought by the individual; uses required or permitted with respect to oversight of the originator of the psychotherapy notes.
Limited Data Set (LDS)
PHI that excludes most direct identifiers of the individual and the individual's relatives, employers, and household members, but may still contain dates and some geographic detail. It does not de-identify the information, so it remains PHI and may be shared only under a data use agreement.
Per HITECH, BA Definition includes
Patient Safety Organizations (PSOs); Health Information Exchanges (HIEs); Health Information Organizations (HIOs); e-prescribing gateways; other persons who facilitate data transmissions; Personal Health Record (PHR) vendors.
Hybrid Entity
Performs both covered and noncovered functions under the Privacy Rule. Example: a university that educates students and maintains student educational records is not covered by the Privacy Rule; however, the same university, in its operation of a medical center, is covered by the Privacy Rule as a HC provider (UF, UF Shands).
Business Associates (BA's)
Person or organization (not a member of a CE workforce) that performs functions on behalf of the CE involving the use or disclosure of individually identifiable health information
individual
The person who is the subject of the PHI. The Privacy Rule uses "individual" rather than "patient" or "client".
ARRA Provisions Affecting
Personal Health Record vendors Marketing and fundraising Increased enforcement of penalties for noncompliance
Personal Representative
Persons with legal authority to act on behalf of another adult, an emancipated minor, an unemancipated minor, or a deceased individual shall be treated as a personal representative under Privacy Rule
Privacy Rule Goal One:
Protect the privacy of one's health information Limiting access by others
Privacy Rule Goal Two:
Provide an individual with greater rights with respect to his/her health information
Title III
Provides certain deductions for medical insurance
AHIMA Code of Ethics
Does not have the force of law. Provides ethical principles that guide the profession and bind individuals who are members of AHIMA and who hold an AHIMA credential.
Privacy Act of 1974
Provides individuals with privacy rights by requiring federal agencies that hold personally identifiable records to safeguard the information. Individuals have the right to access and request amendments to their records.
Treatment
Providing, coordinating, or managing healthcare-related services by one or more HC providers: the usual provision of care to patients admitted to the hospital or seen during an office appointment with a physician, HC provider consultations relating to a patient, or the referral of a patient for HC from one provider to another.
Operations
Quality assessment and improvement, case MGMT, review of HC professionals qualifications, insurance contracting, legal and auditing functions, and general business MGMT functions: providing customer service and conducting due diligence.
Patient Safety Organizations (PSO's)
Receive and analyze patient safety issues
Administrative Simplification
Refers to HIPAA's attempt to streamline and standardize the HC industry's inefficient business practices such as billing, through the creation of standards for the electronic transmission of data. This was the original intent of HIPAA.
Medicare Conditions of Participation (CoP)
Regulate only providers receiving funds from the Medicare and Medicaid programs Inapplicable to non-providers holding confidential information and do not apply to patients insured by other payers or those who are uninsured
HIPAA Security Regulations
The Security Rule specifies safeguards (administrative, physical, and technical) that protect the privacy of electronic patient information. The other Administrative Simplification regulations are the transaction and code set standardization requirements, the unique national identifiers, and the Enforcement Rule.
PHI Test TWO
Relates to one's health condition (physical or mental; past, present, or future), or provision of HC, or payment for provision of HC
Activities Defined by HIPAA as Marketing
Any remuneration to the covered entity must be disclosed, and opt-out instructions must be provided.
HITECH: BA's must respond to CE non-compliance with:
Required corrective action, or severing the relationship with the CE. BAs face the same criminal and civil penalties as CEs, must comply with the administrative, physical, and technical safeguards of the HIPAA security regulations, and must comply with the policies, procedures, and documentation requirements of the HIPAA security regulations.
Freedom of Information Act of 1967 (FOIA)
Establishes the public's right of access to and disclosure of federal agency records, making government accountable to its citizens and ultimately to taxpayers. Narrow application to healthcare because most HC organizations are not federal.
Health Information Organizations (HIO's)
Share health information among providers electronically
Use
Sharing, employment, application, utilization, examination, or analysis of individually identifiable health info within an entity that maintains such info Emphasized by Privacy Rule
American Recovery and Reinvestment Act (ARRA) of 2009 Basics/Introduction
Signed by President Barack Obama on Feb 17, 2009. A multifaceted statute: funding for Health Information Technology (HIT) and other stimulus funding. Changes to the HIPAA Privacy Rule are located in the Health Information Technology for Economic and Clinical Health Act (HITECH), a statute within ARRA.
Title IV
Specifies group health plan coverage for individuals with pre-existing conditions and income tax requirements for specific groups.
Safe Harbor Method
The CE removes the 18 listed identifier elements so that the patient's information is truly de-identified.
Designated Record Set (DRS): Group of records maintained for and by CE that is:
The medical records and billing records about individuals maintained by or for a covered HC provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; records used in whole or in part by or for the CE to make decisions about individuals.
Personal Representative must be treated
The same as the individual regarding the use and disclosure of the individual's PHI
Use and Disclosure Permitted Without Authorization: Individual does NOT have opportunity to agree or object
Treatment, payment, and operations; disclosure to the individual; incidental disclosures; limited data set; the twelve public interest and benefit purposes.
Re-Identification
A code may be assigned to de-identified information to let the CE link it back to the individual, provided the code is not derived from or related to information about the individual and cannot be translated to identify the individual, and the CE does not disclose the mechanism for re-identification.
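The following Python script is an added worked example, not part of the course material: it applies the Safe Harbor method (the 18 elements, the ZIP and date rules, and a rule-compliant re-identification code) to a structured record. Field names, the three-digit ZIP populations, and the two sample records are constructed for the example; a real designated record set will have its own schema and would use current Census figures for ZIP areas.

```python
import re
import secrets
from datetime import date

# Field names below are assumptions for this example; a real designated
# record set uses its own schema. Items 1 and 4-17 of the Safe Harbor
# list are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_no", "license_no", "vin",
    "license_plate", "device_serial", "url", "ip", "voiceprint", "face_photo",
}

# Identifiers that leak into free text (item 18: any other unique identifier).
# Order matters: URLs are scrubbed before e-mail so "user@host" inside a URL
# is not half-matched.
FREE_TEXT_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

# Constructed populations for three-digit ZIP areas; not Census figures.
ZIP3_POPULATION = {"326": 250_000, "036": 12_000}

DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")


def generalize_zip(zip_code, zip3_population=ZIP3_POPULATION):
    """Item 2: keep the first three ZIP digits only if the area sharing them
    has more than 20,000 people; otherwise they become 000."""
    zip3 = str(zip_code).strip()[:3]
    return zip3 if zip3_population.get(zip3, 0) > 20_000 else "000"


def age_on(birth, as_of):
    """Completed years of age on the as_of date."""
    birthday_passed = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if birthday_passed else 1)


def scrub_text(text):
    """Replace identifier patterns in free text with placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor_deidentify(record, as_of, key_map, zip3_population=ZIP3_POPULATION):
    """Return (de-identified copy of record, re-identification code).

    key_map is the covered entity's private table mapping code -> original
    record key; it is never released with the data."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"), zip3_population)

    # Item 3: dates keep only the year; ages over 89 collapse to "90+", and
    # the birth year is dropped for them because it would reveal the age.
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, as_of) > 89
    if birth is not None:
        out["age"] = "90+" if over_89 else str(age_on(birth, as_of))
    for field in DATE_FIELDS:
        d = out.pop(field, None)
        if d is not None and not (field == "birth_date" and over_89):
            out[field.replace("_date", "_year")] = d.year

    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])

    # Re-identification code: random, so not derived from the individual's
    # data. A hash of the MRN would not qualify: the MRN space is small
    # enough to enumerate, so the hash can be translated back to the MRN.
    code = secrets.token_hex(8)
    key_map[code] = record.get("mrn")
    return out, code


AS_OF = date(2012, 3, 4)

# Constructed sample records; names, numbers and notes are made up.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-00042", "ssn": "123-45-6789",
     "street": "1 Example Way", "city": "Gainesville", "zip": "32611",
     "birth_date": date(1950, 6, 15), "admission_date": date(2012, 3, 4),
     "diagnosis": "J18.9",
     "notes": "Call patient at 352-555-0199 or jane@example.com before discharge."},
    {"name": "John Roe", "mrn": "MRN-00043", "zip": "03601",
     "birth_date": date(1920, 1, 1), "admission_date": date(2012, 2, 28),
     "diagnosis": "I10", "notes": "No contact details on file."},
]


def deidentify_samples():
    """De-identify the sample records; the key map stays with the CE."""
    key_map = {}
    return [safe_harbor_deidentify(r, AS_OF, key_map) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for deidentified, code in deidentify_samples():
        print(code, deidentified)
```

The free-text scrub is the part practitioners most often skip: removing the structured identifier columns leaves the clinical notes, and item 18 (any other unique identifier) is where a phone number or e-mail address in a note turns a "de-identified" extract back into PHI. The regular expressions here are deliberately simple and will miss formats they were not written for, so a real release needs review of the text fields, not just the columns.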
General Rule of Marketing
Use or disclosure of PHI for marketing requires authorization
State Laws
Vary considerably regarding the privacy of patient information and its access, use, and disclosure; not all states have laws that protect health information generally. A minimum level of protection (a floor) was achieved across all states through the Privacy Rule's set of requirements affecting providers, HC clearinghouses, and health plans.
Covered Entities: HC Providers
Providers that transmit any health information pertaining to certain transactions (financial or administrative in nature) in electronic form. Examples: hospitals, pharmacies, physician office practices, long-term care facilities, clinics.