Chapter 11 HIPAA Privacy Rule Part II HIMT 1200

अब Quizwiz के साथ अपने होमवर्क और परीक्षाओं को एस करें!

Privacy Rule expands Common Rule

By regulating both privately and federally funded research, equalizing information privacy protections in both types of research.

When requests are granted

CE must provide access to PHI in form or format requested If not available in form or format, a readable hard-copy form or other form or format must be produced

Clinical Laboratory Improvement Amendments of 1988 (CLIA)

CLIA regulations aim to ensure quality laboratory testing May prohibit access to to PHI

Will NOT Be Preempted by HIPAA: D: The state law requires a health plan to report or provide access to information

For MGMT or financial audits, program monitoring and evaluation, or licensure or certification of facilities or individuals.

Waived Authorization

No authorization

Will NOT Be Preempted by HIPAA A): The State Law is determined by the Secretary of Health and Human Services as Necessary to:

Prevent HC fraud and abuse Ensure appropriate regulation of insurance and health plans to the extent authorized by law Complete State reporting on HC delivery or costs Serve a compelling need related to public health, safety, or welfare, and the intrusion into privacy is warrante when balanced against the need

There are exceptions to access

Psychotherapy notes; Information compiled for civil or criminal actions PHI held by clinical laboratories or research laboratories

Will NOT be Preempted by HIPAA: B: The state law regulates

The manufacture, registration, distribution, or dispensing of any controlled substance as identified by state law

As of March 31, 2016

The most frequent violations were impermissible uses and disclosures, followed by safeguard violations and violations relating to access and the minimum necessary requirement.

If a request for amendment was denied and the individual did not write a statement of disagreement,

The request for amendment and denial must only accompany future disclosures if the individual requests it.

In responding to an individual's request for access to PHI

CE must arrange a convenient time and place of inspection with the individual or mail copies

Documentation and Record Retention

Privacy Rule: 6 years for Privacy Related Documents Date document was created, last effective date of the document Policies and Procedures, NPP, complaint dispositions, other actions, activities, and designation per Privacy Rule requirements.

Accounting includes:

-Date of disclosure -Name and address of entity or person who received the information -Brief statement of the purpose of the disclosure or copy of request for accounting are required -Include public interest and benefit disclosures from an accounting

Breach Notification: Must Inform Affected Individuals Of:

-Description of what occurred (including date of breach and date of discovery) -Types of unsecured PHI involved (Name, SSN, DOB, Home Address, Account Number) -Steps individual may take to protect him/herself -Entity's steps to investigate, mitigate, prevent in the future -Contact information for individuals to ask questions and receive updates

Reasonable fee may be imposed on individual's request

-Labor and supplies •Search and retrieval fees may not be charged to individuals for their own records -Postage, when individual has requested information to be mailed -Preparation of an explanation summary, if agreed to by the individual in advance •Stricter state laws may apply to fees

Penalty categories

-Unknowing -Due to reasonable cause and not willful neglect -Due to willful neglect/corrected within 30 days of discovery -Due to willful neglect and not corrected as required

Under a Limited Data Set (LDS)

16 of 18 identifiers must be removed EX: Names, Fax Numbers, SSN's, Medical Record Numbers, Certificate/License Numbers Only data elements permitted are items 3 (Dates) and 18 Unique Code for Reidentification Researcher assurance of this is required.

If a breach affects 500+ individuals, immediate notification is required to

:-Local media outlets -Secretary of HHS for posting on breach portal

Individuals cannot be required to purchase portable media if they prefer their PHI be mailed or e-mailed

A flat $6.50 fee for electronic copies of PHI has been recommended

Examples of Control Over Info

Access Request amendment Accounting of disclosures Request confidential communications Request restrictions of PHI Complain of privacy rule violations

CE's must report all breaches using an online breach reporting system

All breaches within a calendar year must be entered into the online system no later than 60 days of the following calendar year

Erroneous disclosures (facsimile transmitted to the wrong patient)

Also subject to accounting of disclosures, regardless if recipient read the information

January 2013 Final Rule States That

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or BA demonstrates that there is a low probability that the PHI has been compromised.

CE's and BA's must document Training

And all steps to ensure compliance Show that Privacy traininghas occurred Signed statement by workforce members Workforce members should complete nondisclosure agreements- commitment to Privacy of patient info and compliance with Privacy Rule

Authorization is NOT Required: The Use or Disclosure Will Only Be for Research on Decendents' PHI

And it is necessary for research Researcher assurance of this is required.

Mitigation Includes

Apology Disciplinary action against the responsible employee or employees Repair of the process that resulted in the breach Payment of a bill or financial loss that resulted from the infraction Gestures of goodwill and good public relations (awarding gift certificates)

Combined Conditioned and Unconditioned Authorizations

Are permitted for research if the form clearly distinguishes between the two components and provides individuals with the ability to opt in to the unconditioned research activities.

A CE must act on a request no later than 60 days after its receipt with one 30 day extension

As long as it notifies the individual in writing of the reasons for delay and when the accounting will be made available HITECH proposes to limit the response period to 30 days with one 30 day extension.

Unconditioned Authorization

Authorization is not required in order to receive treatment or some other service or benefit.

Altered Authorization

Authorization is required, but one or more standard authorization elements may be Omitted.

Submit Complaints

CE must provide process for individual to complain about policies and procedures, noncompliance with them, or noncompliance with Privacy Rule Notice of Privacy Practices (NPP) must inform individuals of right to complain at CE level and to the US Department of Health and Human Services, along with contact information.

Conditioned Authorization

CE's condition treatment, payment, and health plan enrollment or benefit eligibility on an authorization. Discourages coercing individuals to sign authorizations to receive services.

Retaliation and Waiver

CE's may not retaliate against anyone who exercises his/her rights under the privacy rule, assists in an investigation by HHS or other appropriate investigative authority, opposes an act or practice that the person believes is a violation of Privacy Rule Individuals cannot be required to waive the rights they hold under the privacy rule in order to obtain treatment, payment or enrollment/benefits eligibility.

Data Safeguards

CE's must have administrative, technical, and physical safeguards to protect privacy of PHI from intentional and unintentional use/disclosure Limit incidental uses/disclosures Include shredding of paper documents that contain PHI, limiting access to areas containing PHI through keycards, passwords, or locks.

Mitigation

CE's must mitigate harmful effects that result from wrongful use/disclosure of PHI CE determine possible courses of action

Right of Access

Can access one's own PHI contained in a designated record set

Compound authorization

Combines consent to participate in a research study with authorization to use/disclose PHI is permitted, although this type of authorization is generally prohibited otherwise

Policies and Procedures

Conduct ongoing review of privacy policies and procedures Policy changes are consistent with changes in privacy/security regulations Update NPP- like those introduced by HITECH Current topics addressed- high risk areas- -mobile devices, social media, camera phones, body-worn cameras in law enforcement,

Privacy Officer and Contact Person

Designate Privacy officer to be responsible for developing and implementing privacy policies and procedures Expertise in Health Information Management Contact Person must be able to provide further information about matters covered by the entity's NPP

The accounting requirement includes

Disclosures made in writing, electronically, by telephone, or orally.

Exceptions to Breach

Disclosures made to unauthorized recipients if they would not reasonably be able to retain the disclosed information Workforce member or individual acting under CE or BA authority unintentionally acquires, accesses, or uses the PHI if it was in good faith, within scope of authority, and couldn't be further disclosed or used in an impermissible manner. Inadvertent disclosure by individual at a CE or BA to another authorized person at a CE or BA and info is not further disclosed/used in impermissible manner.

Will NOT be preempted by HIPAA: C: The state law provides for the reporting of

Disease or injury, child abuse, birth, or death or for the conduct of public health surveillance, investigation, or intervention

$1,000 - $50,000

Due to reasonable cause CE or BA knew or would have known with reasonable diligence but not willful neglect

Request Amendment: Identify the records n the DRS that are affected by the amendment and append the information through a link to the amendment's location

EX: If the Dx was incorrect, the amendment would have to appear and be linked to each record or report in the DRS.

Individuals DO have right to review Denial of Access

Endanger life or physical safety of individual or other person Cause substantial harm to another person (not HC provider) mentioned in PHI Cause substantial harm to the individual or another person if the individual's personal representative requests access

Workforce Training and MGMT

Every member of CE workforce must be trained in PHI policies and procedures New members must be trained within reasonable time after hire/orientation Material changes= additional training Includes janitorial staff, outsourced vendors employees Heightened consequences for CE's or BA's that violate Privacy Rule BA's Should train their own workforce members

Labor

Excluding costs associated with reviewing requests , or searching for and retrieving PHI Such as locating and reviewing the PHI in the record and segregating and preparing the PHI

Search and Retrieval Fees

Expressly prohibited for requests by individuals for their own records, although permitted for requests by other

Civil Monetary Penalties (CMP)

Fines imposed by CE or BA because of HIPAA violation Based on intent or neglect.

The first accounting within any 12-month period must be provided without charge

For any other request within a 12-month period, the CE may charge a reasonable cost-based fee. Entity must inform individuals of the fee in advance and give them the opportunity to withdraw or modify the request.

Privacy Board

Group formed by CE to review research studies where authorization waivers are requested and to ensure the HIPAA Privacy Rights of research subjects are upheld.

Penalties and Enforcement

HIPAA Enforcement Rule (2006) •Penalties for non-compliance apply to both CEs and BAs -Civil+Criminal

HITECH makes it easier for schools to obtain student immunization records where state or other law may require them prior to admission

HITECH permits CE's to disclose a child's immunization records (considered public health activity) to a school with the oral consent of the parent or guardian

Authorization is NOT Required An IRB or Privacy Board

Has approved the study pursuant to a waived authorization or altered authorization. Waiver is only permitted if the use or disclosure provides only a minimal risk to individual's privacy The research could not practicably be conducted unless access to and use of PHI was granted

Breach Notification

Imposes obligations on entities when PHI in their custody has been wrongfully used or disclosed Extend consequences to entities not previously bound by HIPAA

Stand-Alone Authorization:

Includes the core elements of a valid authorization

Accounting of Disclosures

Individuals have the right to know about instances where his or her PHI has been disclosed Timely response to request for accounting First accounting within a 12-month period is free Must account for disclosures in past 3 years

Confidential Communications

Individuals have the right to request alternative routing/destination of PHI HC providers and Health Plans must honor a request without requiring a reason if the request is reasonable and states that disclosure could pose a safety risk. Requests may be refused if information is not provided as to how payment will be handled or if they do not provide an alternative address or method by which he or she can be contacted.

Request Restrictions

Individuals may request restrictions on uses and disclosures of PHI to carry out TPO Covered entity does not have to agree to the requested restriction Must document and abide by request if covered entity agrees to it, unless and until terminated with notice to the other party

Breach

Is an "unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information" -Several exceptions -An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates a low probability the PHI has been compromised

Mandatory Public Health Reporting

Is not part of a CE's operations Requirements by states to report births- birth certificates, communicable diseases, and incidents of abuse or suspected abuse of children, individuals who are mentally disabled, and the elderly.

Fee limits apply whether PHI

Is sent to the individual or whether the individual directs that it be sent to any third party. Both are access requests by the individual

Authorization is NOT required: The Use/Disclosure of PHI

Is solely preparatory to research and the researcher will not remove PHI from the covered entity and the PHI is necessary for the proposed research Researcher assurance is required

When CE terminates agreement,

It must inform the individual that it is doing so. Termination is only effective with respect to the PHI created or received after the individual has been informed.

Denial of access

May be subject to review (appeal) May not be subject to review (appeal)

Statement explaining how, if the individual does not submit a disagreement to the denial, he or she

May request that both the original amendment request and the CE's denial accompany any future disclosures of the PHI that is the subject of the amendment.

Requesting Access to One's Own PHI

May require that request in writing Covered entity must respond within 30 days after request received Per HITECH, covered entities with EHRs must make PHI available electronically, or must send it to designated person or entity electronically if individual requests

Breach Notification: HITECH Requires Breach Notification as

Mitigation -Notification to individuals affected -Notification to HHS via online portal •HIPAA-covered entities and BAs subject to HHS regulations •Non HIPAA-covered entities and non-BAs subject to FTC regulations -Includes PHR vendors, third-party service providers of PHR vendors

Institutional Review Board (IRB)

Must approve federally funded human subjects research, even if the patient has signed an informed consent.

All requests for amendments, denials, the individual's disagreement, and the CE's rebuttal

Must be appended or linked to the record or PHI that is the subject of the amendment request. When future disclosures are made, this material or summary of it must accompany them

CE's that use or maintain an EHR

Must include TPO disclosures in their accounting of disclosures Separate access report for EHR's, allowing individuals to see who has viewed their DRS in the previous three years. Displayed in access report rather than accounting of disclosures

Request Amendment: Act on individuals request

No later than 60 days after its receipt by either allowing the requested amendment or denying it in writing

Exception to Request Restrictions

Per HITECH, covered entity must agree if disclosure would be made to health plan for payment or operations, and PHI pertains solely to an item or service that has been paid for in full by other than the health plan

30 days from receipt of request

Permitted 30-day extension if written statement includes reason for delay and date covered entity will complete its action. Extended time permitted for records not maintained on site May extend the time for action on a request for access only once

HIPAA Privacy Rule

Provides individuals with rights to provide some control over their health information

Denials NOT Subject to Appeals Process

Request for access to PHI in psychotherapy notes PHI held by CE's that are correctional institutions, if it jeopardizes safety (inmate still has the right to inspect his/her PHI) PHI created or obtained as part of the DRS by a covered HC provider in the course of research- subject agrees to suspend his/her right to access PHI PHI obtained from someone other than a HC provider under a promise of confidentiality- access would reveal source of info PHI contained in records that are subject to federal Privacy Act if denial of access under Privacy Act would meet requirements of that law

Research: When authorization is required•

Research is a public interest and benefit authorization exception, but IRB or privacy board must approve variations to authorization requirement

Resolution Agreements

Settlements compelling them to perform obligations per the agreements (including payments) and to submit reports to HHS for three years.

Disclosures Where Accounting Is NOT required

TPO disclosures (CE's without EHR's) Individuals to whom the information pertains Incident to an otherwise permitted or required use or disclosure Pursuant to an authorization For use in the facility's directory, to persons involved in the individual's care, or for other notification purposes To meet national security or intelligence requirements To correctional institutions or law enforcement officials As part of a limited data set Those that occurred before the compliance date for the CE

Authorization is NOT Required: The Covered Entity and the Researcher will enter into a Data Use Agreement

That Provides the researcher will receive only a limited data set for research, public health, or HC operations.

Encryption is a technology

That safeguards PHI against breaches.

Breach Requirements apply only to unsecured PHI:

That which technology has not made unusable, unreadable, or indecipherable to unauthorized persons

If the individual submits a disagreement

The CE can prepare a written rebuttal and it must provide a copy to the individual

Request Amendment: Inform the individual that the amendment was accepted and have him/her identify the persons with whom the amendment needs to be shared and then obtain his/her agreement to notify those persons.

The CE must make reasonable efforts to provide the amendment within a reasonable amount of time to anyone who has received the PHI.

When a denial subject to review is made,

The CE must write the denial in plain language and include a reason Must explain that the individual has the right to request review of denial and how the individual can complain to the CE Including name or title and phone number of the person or office to contact How individual can lodge a complain to DHHS Right to have denial reviewed by licensed HC professional who did not participate in the original denial and who is designated by CE to conduct review- CE must grant or deny based on reviewing professionals decision.

For individuals who choose not to complain to the CE or who submit complaints at both levels,

The OCR maintains a complaint submission process. CE must document all complaints it receives, along with the disposition of each complaint.

Within the required 60 days, the CE must write a denial in plain language that contains the following information

The basis for the denial The individual's right to submit a written statement disagreeing with the denial The process by which the individual can submit his/her disagreement A description of how the individual may complain to the CE, including the name or title and telephone number of the contact person or office

A CE may account for disclosures of its BA's or provide for the BA to make its own accounting

Under HITECH, BA's must respond to accounting requests made directly to them.

Violation Category: $100- $50,000

Unknowing violations Would not have known violation was committed even with reasonable dilligence

Breaches are deemed discovered

When the breach is first known or when it reasonably should have been known Individuals must be notified without reasonable delay and within 60 days by first-class mail or faster method such as telephone

If a third party intitiates a request for PHI on its own behalf,

With HIPAA Authorization, fee limits do not apply OCR encourages providing individuals with free copies of their PHI

Example of Request for Confidential Communications

Woman who requests that billing information from her psychiatrist, from whom she is seeking treatment because of domestic violence, be sent to her work address instead of to her home.

Disclosure pursuant to a court order without patient authorization

Would also be subject to accounting of disclosures

Individuals right to accounting of PHI disclosure may be suspended at written request of HC oversight agency or law enforcement official

Written request from the appropriate agency or law enforcement official must indicate that such an accounting would impede its activities and how long suspension is required.

Request Amendment: May extend its response

by 30 days if it explains reasons for the delay in writing and gives a date by which it will complete its actions. There can be no additional extensions

Enforcement per HITECH

•HHS contracts with a private entity to conduct random audits (no longer complaint-driven only) •State attorneys general may bring civil actions in federal court representing citizens affected by HIPAA violations •Individuals can now be individually prosecuted •Recommendations for compensating individuals harmed by violations

Preemption- Sometimes it is impossible to follow both HIPAA and State Laws

•HIPAA is a federal floor, or minimum, on patient privacy requirements. •State laws contrary to HIPAA apply if they are "more stringent" -Provide greater privacy protections -Provide greater patient rights regarding their PHI -Fulfill specific purposes enumerated in the law (i.e., are less stringent but serve purposes such as controlling regulated substances or preventing healthcare fraud and abuse)

Right to Request Amendment

•Individual has the right to request an amendment to his or her health information •May require the amendment request to be in writing- in CE's Notice of Privacy Practices (NPP) •HIPAA provides reasons that an amendment request may be denied •Timely response to the request is required •HIPAA provides process for denial of amendment requests

Research: In what form authorization may occur:

•Standalone •Compound (informed consent + authorization) •Conditioned + unconditioned •Altered•Waived

Administrative Requirements:

•Standards for Policies and procedures/Changes •Designation of privacy officer and contact person to receive complaints * Requirements for Privacy training •Workforce training-Non-disclosure agreements •Mitigation of wrongful use/disclosure -Include process for handling privacy complaints •Data safeguards •Prohibition against Retaliation and waiver •Document and record retention (HIPAA standard is 6 years)


संबंधित स्टडी सेट्स

PRS Inservice-Chest/Abdominal Wall/Gynecomastia

View Set

BTC6210, Quiz 3 (Weeks 6, 7, 8 Lecture + reading material)

View Set

Ch 6: Post-Civil War Business & Labor

View Set

Accounting #2 Midterm -- Midterm Study Guide

View Set

Ch 9 - Cellular Respiration and Fermentation

View Set

ATI Medical-Surgical: Endocrine RSNG Spring 2018

View Set

Chapter 18- Patient Exams and Procedure

View Set

Chapter 13: Information Security and Controls

View Set

4.05 Unit Test: Recreation and Spending

View Set