HIPAA
HIPAA: When referring to 8. Health care operations
Quality assessment or improvement activities, Case management, Care coordination, Medical reviews, Audits, Credentialing, Risk rating, Accreditation, Legal services(insurance fraud and abuse detection)
Basic Principle -
To limit the circumstances in which the protected health information may be used or disclosed by a covered entity
The provisions of health care to the individual
What test are or will be done Who is attending to them Discharge status Admission status Work status (workers comp)
A covered entity may not use or disclose PHI unless
1. As the privacy rule permits 2. Authorized in writing by the individual 3. When required by law
Health Care Provider
Any one who transmits health information in connection with: Benefits Claims Eligibility inquiries Referrals or authorizations (In short any person or organization that furnishes, bills, or is paid for health care)
HIPAA: When referring to 1. HHS or DHS
Department of Health and Human Services
HIPAA: When referring to 5. Disclosure
The action of making information known
HIPAA: When referring to 2. PHI
Protected Health Information
HIPAA: When referring to 6. Treatment
Provision, management, or coordination of health care
Patients right under HIPAA:
- Request a restriction on further uses and disclosures of their PHI - Requests communication by alternate means or at an alternate address - Request access, inspect, or get a copy of their medical record - Request an amendment (correction) to their PHI - Request an account of certain disclosures
Limited data sets: research, public health, health care operations.
- Specific data where patients relatives, household members, or employers information has been removed.
Who is required to follow or is subject to "The Privacy Rule"
1. Health plans 2. Health care providers 3. Health care clearing houses
Examples requiring written authorization:
1. Life insurance coverage 2. Pre-employment physical 3. Lab tests 4. Pharmaceutical firms 5. Marketing 6. Psychotherapy notes
Public interest and Benefit Activity: The privacy rule permits the use and disclosure of PHI for 12 national priority purposes:
1. Required by law (state or federal) 2. Public health activities (flu, measles outbreak) 3. Victims of abuse, neglect , or domestic violence 4. Health oversight activities (audits, investigations) 5. Judicial and administrative activities (subpoena, protective order) 6. Law enforcement purposes (identify, locate a suspect or fugitive; victim of a crime) 7. Decedents (deaths, coroner or medical examiners office) 8. Cadaveric, eye, tissue donation 9. Research 10. Serious threat to health or safety (ebola, contagion outbreak) 11. Essential government function (intelligence, national security) 12. Workers compensation
Permitted uses and disclosures: a covered entity is permitted, but not required, to disclose PHI without authorization:
1. To the individual 2. Treatment, payment, health care operations 3. Opportunity to agree or object 4. Incident to an otherwise permitted use or disclosure 5. Public interest and Benefit Activity 6. Limited data sets: research, public health
Any individually identifiable health information (PHI) This includes demographic information that relates to or such as:
1.The individuals past, present, or future physical or mental health or condition 2. The provisions of health care to the individual 3. The past, present, or future payment provisions of health care to the individual
Treatment, payment, health care operations:
A covered entity may use and disclose PHI for its own treatment, payment, and health care operation activities.
Penalties continued Criminal Penalties (OCR Privacy Rule Summary)
A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.
HIPAA: When referring to 7. Payment
Activities that include: Furnish or obtain reimbursement Provider obtaining payment or reimbursement for services provided Obtain premiums Furnishing or Obtaining reimbursement for care provided
Authorized uses and disclosures:
An entity must obtain patients written authorization for any use or disclosure that is NOT for treatment, payment, or health care operations.
Health Care Clearinghouses
An entity that processes information from a non-standard format to a standard format or vice versa. This includes: Billing services Pricing or re-pricing companies Community health management information systems (CDC)
Incident to an otherwise permitted use or disclosure:
Best example of this is when a provider is speaking to a patient in a shared room or a room that is only divided by a curtain. The information must be limited to the "minimum necessary".
Opportunity to agree or object: Informal permission
Either by asking the patient outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Also, in an emergency situation, or where the person is incapacitated or not available. This includes participating in patient directory and disclosing information to relatives, friends, and family of the patient.
Penalties for not complying with HIPAA Civil Money Penalties (OCR Privacy Rule Summary)
HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year. HHS may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.
HIPAA=
Health Insurance Portability and Accountability Act of 1996
The past, present, or future payment provisions of health care to the individual
Insurance information Employment Bank Information Medical History Referrals Home health Future medical (work comp)
The individuals past, present, or future physical or mental health or condition
Name Address Birth date Social security number Reason they are being treated Treatment status Diagnosis Prognosis
De-identified Health Information
Note: There is no restriction on the use or disclosure of de-identified health information. De-identified health information is: information that neither identifies or provides a reasonable basis to identify an individual No name No date of birth No address No relatives/ household members information
The Individual
The entity may disclose PHI to the individual who is the subject of the information - unless required for access, or accounting
What is protected health information?
This is information in any format. Spoken Paper Telephone Electronic Mail Fax
Health Plans defined as
individual or group who pays the cost of medical care. That includes: Dental Vision Prescription drugs insures HMO/ PPO Medicaid/ Medicare
"Minimum Necessary"
means only accessing or disclosing the PHI necessary to do your job. - A covered entity must develop policies and procedures that reasonably limit it disclosures of and requests for PHI to the minimum necessary - A covered entity is not required to apply the "minimum necessary" rule for disclosures to, or requests by a health care provider for treatment purposes
HIPAA: When referring to 3. Privacy Rules
refers to HIPAA
HIPAA: When referring to 4. Covered Entities
refers to organizations subject to the privacy rule; abide by HIPAA