HIPAA Privacy Rule, HIPAA, HIPAA Compliance Education review

What marketing activities do not require authorization?

Ones that occur face-to-face with the CE or they concern a promotional gift of nominal value to the patient.

Covered entities

Organizations that access the personal health information of patients. They include health care providers, health plans, and health care clearinghouses.

PHI

PHI or not PHI -account numbers -device identifiers and serial numbers -medical record numbers -health plan beneficiary numbers -clinical test results -medication prescription -counseling session start/stop times

not PHI

PHI or not PHI -education records -health information in your personnel record -workman's comp records -psychotherapy notes

Protected H Info

PROTECTED HEALTH INFORMATION 1. PHI includes information about a person's physical health, mental health, provided care and payment for that care 2. All PHI is considered confidential under HIPAA such as: Name Address Social Security Number Birth Date Names of Relatives

HIPAA consent

Patient's agreement to use or disclosure for TPO purposes

What is PHI?

Protected Health Information - individually identifiable health information that is transmitted by electronic media, maintained in any electronic medium, or maintained in any other form or medium.

HIPAA's Privacy Rule

Protects patients information so it is available to those who need to see it, while protecting that information from those who should not

What type of documentation always requires authorization for use/disclosure (except for TPO)?

Psychotherapy notes

Minimum necessary

Reveal only the smallest amount of information required to accomplish the task and no more when using any PHI, a covered entity must generally make reasonable efforts to limit itself to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

What individual rights does the HIPAA Privacy Rule provide?

Right of access, right to request amendment of PHI, right to accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of Privacy Rule violations.

when does minimum necessary standard not apply

communicating with other providers in tx of pt, talking to pt themselves, compliance and enforcement purposes (dept health and human services, law enforcement, etc)

$100,000; 5 years prison

criminal penalties for failure to comply -commit offense under false pretenses

$250,000; 10 years prison

criminal penalties for failure to comply -intent to sell PHI or client lists for personal gain or malicious harm

$50,000; 1 year prison

criminal penalties for failure to comply -knowingly or wrongfully disclosing or receiving PHI

dept that you would complain to at the federal level about inappropriate disclosure of PHI

dept of health and human services

examples of "treatment" for disclosing PHI

dispensing, counseling, maintaining profiles, consulting with other professionals

besides providing the NOPP to patients, what else must you do with it?

display in a prominent location; provide a copy to anyone who asks for one even if they aren't a customer; if you have a website, put it there too

what if someone refuses to sign acknowledging the NOPP?

document the refusal- good faith effort so not required

things needed in policies and procedures for HIPAA

educating individuals on their privacy rights and the practices of the pharmacy; minimum necessary requirment; how to verify identity of people seeking disclosures; safeguarding PHI against intentional or unintentional misuse

Notice of Privacy Practices required elements

effective date of the notice description of grievance process list of individual rights per HIPAA privacy rule

examples of business associates

entity that helps with claims processing, data processing, shredding companies

incidental disclosures

ex- when counseling- as long as exception not rule, dept of health and human services is not overly concerned

facility directory

example of a disclosure that the patient has the right to agree or object

big distinction btwn marketing- what is allowed without authorization and what isn't

financial remuneration- red flag when money is changing hands and you as a pharmacist are putting money in your pocket because of manuf or provider giving you money for info related to your patients- then you need permission

documented institutional review board (IRB) or Privacy Board approval

first thing a covered research entity must obtain

Complaint

first thing in enforcement process

public health authority

food and drug administration, the centers for disease control and prevention, occupational safety and health administration OSHA, state health departments

if a person has a court order for PHI, what do you do

give the records- automatically know it is okay to submit records requested on the subpoena

what if employee breaches PHI

have sanctions for transgression- take affirmative action (could just retrain them, warning in writing)

right of access of a pt to their info

have the right to inspect and copy PHI- pharmacist must comply w/in 30d

what goes at the top of a NOPP

header at top in caps and bold- "this notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully"

Covered Entity

health plans, healthcare clearinghouse and healthcare providers who electronically transmit information under standards of operation established by HHS

examples of "payment" for disclosing PHI

submiting claims for reimbursement, 3rd party claims, determining pt eligibility and extent of coverage, sending bills

what to do if PHI is breached

take action to mitigate any harmful use or disclosure- policies and procedures, retain documents for 6y

who takes the burden for business associates complying with HIPAA

the business associate (formerly the pharmacy)

authorization

the mechanism for obtaining consent form a patient for the use and disclosure of health information for a purpose that is not treatment, payment, or healthcare operations required to disclose PHI to person or agency outside the facility

Child abuse or neglect; quality, safety or effectiveness of a product or activity regulated by FDA; person at risk of contracting or spreading a disease; workplace medical surveillance

the privacy rule permits covered entities to disclose protected health information, without authorization, to whom?

privacy

the right of an individual to keep his/her individual health information from being disclosed

categories of when a pharmacy can disclose PHI w/o pt authorization

treatment purposes, payment purposes, health care operations

building/physical; computer/electronic

what are the 2 types of security in HIPAA

Genetic information nondiscrimination Act

what does GINA stand for

Health insurance protability and accountability act of 1996

what does HIPAA stand for

Health plans, healthcare clearing houses, healthcare providers

who is covered by the privacy rule

does HIPAA apply to pharmacy?

yes

if someone refuses to sign acknowledging NOPP can you fill their prescriptions?

yes

if a pt asks for disclosure of PHI given out, would you need to include if a law enforcement agent came in to the pharmacy?

yes, unless the law enforcement officer asks you not to tell them

is this marketing... receiving financial remuneration from a drug company for sending out refill reminders (remuneration is greater than cost of making communication)

yes, you are making money off of it and need authorization

if you want to release all of your diabetic patients' profiles to a marketing company to benefit financially, do you need to get pt authorization?

yes- marketing

What is the minimum necessary standard and who does it apply to?

A rule that applies to individuals who work for an organization (providers and other CEs) that they must limit the use, disclosure, and requests of PHI to only the amount needed to accomplish the intended purpose (excludes TPO).

Who is subject to breach regulations under ARRA? Under the FTC?

ARRA - HIPAA covered entities and business associates FTC - noncovered entities and non-BAs (i.e. PHR vendors)

What act allows patients to request restrictions of PHI (for TPO purposes) and in what circumstances?

ARRA unless a patient pays completely out of pocket and the CE entity agrees (not required to do so).

What is ARRA and when was it signed into law?

American Recovery and Reinvestment Act (2009)

What is a breach?

An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.

Protected health information (PHI)

Any identifiable patient health information regardless of the form in which it is stored

Health care provider

Any professional who provides health care services

Disclosure

As defined by HIPAA, the sharing of information between health care professionals working in separate entities, or facilities, in the course of caring for a patient

Determination of Justice

DOJ

What information must be included in the accounting of disclosures?

Date, name and address of requestee, and brief statement of the purpose of disclosure.

What are business associates?

A person or organization, other than a member of a covered entity's workforce, that performs functions or activities on behalf of or to a covered entity that involves the use or disclosure of PHI (i.e. consultants, billing companies, transcription companies, accounting firms, and law firms).

an agency or authority/ is responsible for public health matters as part of its official mandate/ a public health agency

A public health authority is____ of the US government, a state, a territory, a political subdivision of a state or territory, or indian tribe that____ as well as a person or entity under a grant of authority from, or under a contract with,

When is the use or disclosure of PHI required, even without patient authorization?

1) When the patient or their representative requests access or accounting of disclosures (with exceptions), 2) When HHS is conducting an investigation, review, or enforcement action.

What are the 3 types of situations in which PHI is handled?

1) Use - internal to a covered entity or its business associate, 2) Disclosure - the dissemination of PHI from a CE or its BA, 3) Requests - those made by a CE or its BA.

exceptions to the definition of marketing

(all related to tx of pt): face to face communication to individual about their tx, case mgmt, care coordination, direct/ recommend alternatives for tx, talk about health related services offered by pharmacy or health plan

What are the administrative requirements of the HIPAA Privacy Rule?

1) A Privacy Officer and contact person for receiving complaints be designated, 2) All workforce members are given privacy training (with documentation showing such), 3) There are safeguards and mechanisms in place to safeguard information (administrative, technical, and physical safeguards), 4) There are written policies and procedures (and ongoing review of such) that comply with all standards and specifications.

What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (First 6)

1) As required by law, 2) For public health activities, 3) To disclose PHI regarding victims of abuse, neglect, and domestic violence, 4) For health oversight activities, 5) For judicial and administrative proceedings, 6) For law enforcement purposes (6 situations),

What are the permitted uses and disclosures of PHI without written patient consent, but where the patient has the right to object?

1) Patient directory, and 2) Notification to relatives and friends.

What are the 2 key goals of the Privacy Rule?

1) Provide and individual with greater rights with respect to his or her health information, and 2) Provide greater protections for one's health information.

What are the permitted uses and disclosures of PHI without written patient consent where the patient cannot choose to object?

1) Public interest and benefit (12 situations), 2) TPO purposes, 3) To the individual, 4) Incidental disclosures, and 5) Use in limited data sets.

What are the 6 situations where PHI can be disclosed without authorization for law enforcement purposes?

1) Pursuant to legal process or otherwise required by law, 2) In response to request for identifying/locating a suspect, fugitive, material witness, or missing person, 3) In response to an official request about someone who is, or suspected to be a victim of a crime, 4) About a deceased person that may have happened from criminal conduct, 5) When it is believed in good faith that criminal conduct occurred on the CE's premises, and 6) In response to a medical emergency.

How can a CE properly ensure the de-identification of information?

1) Strip it of all identifying information (name, SSN, locations, dates, etc.), or 2) Have an expert apply scientific and scientific principles to minimize the identification risk.

Who is authorized to see information?

1. Access is based on a Need-to-know basis 2. Not all members that contribute to the quality of care need to see patient information 3. Interns never record information they may hear about the patient if it pertains to their medical condition; doing so may be a HIPAA violation

How is Patient Information Used?

1. Billing Departments Use the information to bill patients and insurance companies 2. Quality Control Personnel Review the information for the purpose of monitoring patient care 3. Caregivers Use information to determine the care treatments patients will receive 4. Other uses are not allowed!!!!

Patient Rights

1. HIPAA requires that patients be made aware of their rights and how to protect their information 2. Health care providers are required to post notices for patients telling them how their health care information is used

Patient Identification

1. Patient's Nurse 2. Patient's chart 3. White Board 4. Wrist Band 5. Open-ended question NOTE: USE AT LEAST TWO PATIENT IDENTIFIERS

preparatory to research

2 thing a covered research entity must obtain

research on protected health info of descendants

3 thing a covered research entity must obtain

What amount of time must covered entities retain an accounting of disclosures?

3 years

How long does a CE have to provide requested information?

30 days and up to 30 days more if written notice is given as to way and expected date of availability (60 days if the info is stored off-site).

limited data sets with data usage agreement

4 thing a covered research entity must obtain

research use disclosure with individual authorization

5 thing a covered research entity must obtain

accounting research disclosures

6 thing a covered research entity must obtain

how long to retain log of signatures acknowledging NOPP?

6 years

How long does a CE have to produce an accounting of disclosures?

60 days and an extension of 30 days if notification is given to the patient

How long does a CE have to respond to a request for amendment to information?

60 days and up to 30 more if given a written notice as to why/ETA.

transition previsions

7 thing a covered research entity must obtain

What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (last 6)

7) Regarding decedents (i.e. to coroner or ME), 8) For cadaver organ, eye, or tissue donation, 9) For research (with limitations), 10) To prevent or lessen serious threat to health or safety, 11) For essential government functions, 12) For workers comp.

How many breaches justify a web posting or use of media to inform the public?

9

Privacy notice

A covered entity's written policies and procedures for protecting its patients PHI

What is the notice of privacy practices?

A notice explaining how an individual's PHI will be used or disclosed, along with their rights, and the CE's legal duties.

Use

As defined by HIPAA, the sharing of information between people working in the same health care facility for the purpose of caring for a patient means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information

Workforce

As defined in the HIPAA law, includes everyone involved with a covered entity whether or not they are full time and whether or not they get paid. an employee within a Covered Entitity any member of a service contracted with a facility that does not make use of PHI, ex. laundry, cleaning services, etc.

How long does a CE have to inform an individual that their PHI has been breached?

As quickly as possible and within 60 days is there is "imminent misuse."

What are some major issues HITECH deals with in regards to Privacy?

Business associate agreements, minimum necessary requirements, individual rights, breach notification, personal health record vendors, marketing/fundraising/sale of information, and increased enforcement and penalties for noncompliance.

Who may be penalized for HIPAA/Privacy Rule violations?

CEs, BAs, and employees of these

How does the privacy rule define marketing?

Communication about a product or service that encourages the recipient to purchase or use that product or service.

What does not qualify as marketing, and therefore requires no authorization?

Communications to describe health-related products and services, communication for treatment of the individual, and case management or care coordination for the individual.

What must a valid authorization form contain?

Description of the info being disclosed, people authorized to request the data, who can make the disclosure of data, expiration date, statement of the right to revoke authorization, statement that info is subject to redisclosure, signature/date, and a representatives right to sign (if applicable)

What information must be included to an individual for a breach notification?

Description of what occurred (the date and date it was discovered), the types of PHI involved, steps the individual may take to protect themselves, what the entity is doing to prevent/rectify the situation, and contact info for any questions.

What type of information does a breach not include?

Disclosures to unauthorized persons if they would not reasonably be able to retain the info, or unintentional access by an employee or BA if it was in good faith/within the scope of employment. It must also pose a "risk of harm" (financial or reputation). Does not apply if the information is encrypted, only if it is unsecured PHI.

What are workforce members?

Employees, volunteers, student interns, trainees, and on-site contractors/vendors whom the covered entity is responsible for their actions.

Violations and Consequences

HIPAA Violations 1. Fines and civil penalties can be filed against any individual that negligently discloses or knowingly & willfully obtains, discloses or uses medical information 2. Fines can be brought against an institution for failing to prevent/report unauthorized access, use or disclosure of medical information HIPAA Consequences Civil Penalties: Range from $100 per violation to annual maximum of $1.5 million for repeated violations. Amount of penalty is based on reasonable cause for HIPAA violation, willful neglect and corrective steps taken Criminal Penalties: Consists of a fine up to $250,000 as well as a prison sentence of up to 10 years

What is administration simplification?

HIPAA's attempt to streamline and standardize the healthcare industry's nonuniform and seemingly chaotic business practices, such as billing.

What is HIPAA?

Health Insurance Portability and Accountability Act 1. HIPAA makes it illegal for information to be released to inappropriate parties 2. Intended to make it easier for patients to move from one insurance plan to another 3. Establishes a standard format for health care organizations to share medical information

HIPAA

Health Insurance Portability and Accountability Act created to improve continuity of health insurance coverage and the administration of health care services

Individually identifiable health information (IIHI)

Health care data that can be connected to a specific person

What are examples of covered entities?

Healthcare providers, health plans, and healthcare clearinghouses.

How was ARRA important?

It included significant funding for HIT, provided important changes for the HIPAA Privacy Rule/implemented the HITECH Act (Health Information Technology for Economic and Clinical Health Act)

Does HIPAA preempt state laws?

No, it only serves as a federal floor or minimum on privacy requirements - stricter state laws still prevail.

What are the 3 key documents of the Privacy Rule?

Notice of Privacy Practices (required), authorization (required), and consent (optional).

What are some elements that must be included in the NPP?

Standard header, description of how information will be used for TPO and for other purposes,statement that other disclosures will only be made with the patients consent, statement of the individual's rights, how to make complaints and the contact person to do so, and effective date.

T/F: a pt can ask that you restrict disclosures to their health plan if they paid out of pocket

T

What information does not need to be accounted for in the accounting of disclosures?

TPO information (if the provider does not have an EHR), disclosure to the patient themselves, any disclosure incidental to another proper disclosure, any for the facility directory, any for national security, for law enforcement officials, or part of a limited data set.

Incidental use and disclosure

The accidental release of PHI during the course of proper patient care

What actions must be taken if the amendment is granted?

The amendment must be linked to the original entry, and the amendment must be sent to whomever the patient requests.

What information must be given to the patient is their request for amendment is denied?

The basis for denial, their right to submit a statement disagreeing with the denial (and how to submit this), that the request for amendment and denial will accompany any new requests for information, and a contact person who they can complain to.

What is the designated record set?

The health records, billing records, and various claims records that are used to make decisions about an individual.

What does individually identifiable mean?

The information must either identify the person or provide a reasonable basis to believe the person could be identified from the information.

What is an business associate agreement?

The written contract that BAs of CEs must assign to agree to abide by the covered entity's requirements to protect the information's security and confidentiality.

How are penalty amounts set up?

They are tiered according to intent and extent of violation: Unknowing violations < Violations due to a reasonable cause < Willful Neglect < Uncorrected Violations

Federal agencies

Those entitities to whom the Federal Privacy Act of 1974 applied

What title of HIPAA is most relevant to HIT?

Title II, which contains info on 1) Preventing Health Care Fraud and Abuse, 2) Medical Liability Reform, and 3) Administration Simplification.

What are consents for?

To obtain (optional) consent from patients for TPO purposes before treatment is given.

What is TPO?

Treatment, Payment, and Operations (the exceptions to the release of PHI).

HIPAA Privacy Rule

Violation of this rule included failure to provide patients with a Notice of Privacy Practices.

When must the secretary of HHS be contacted along with a media outlet to provide breach notification?

When 500+ people are affected

When are information related to fundraising activities okay to use?

When it is disclosed to a BA or institutionally related foundation, only the demographic information and dates of healthcare are provided, they are given the chance to opt out, and they were notified of the use in the NPP.

What are exceptions when a CE can make "paid" communications with the patient?

When it is in regards to a prescribed drug where the payment was "reasonable" or it is from a BA on behalf of the CE. If payment was accepted it must always be prominently stated and have the option to opt out.

When is a CE allowed to market a certain group of individuals?

When it may be beneficial to them, it is explained why they are being targeted, and how the service relates to them.

When does the privacy rule apply to CEs?

When they are directly or indirectly involved with transmitting or performing any electronic transactions specified in the act (i.e. in regards to health claims, insurance coverage, etc.).

What are valid grounds for denying access to to personal PHI?

Without opportunity to appeal, any records that are: psychotherapy notes, compiled for legal proceedings, subject to CLIA, about an inmate and could cause harm, subject of research to which denial of access has been agreed, subject to Privacy Act, or obtained from someone in confidence. With opportunity to review: any records where a licensed professional determines access may endanger life or safety, or there is reference to another person and access could cause harm.

Hybrid entity

a facility that performs both covered and non-covered functions under the HIPAA privacy rule. ex. University Medical Clinic

Business Associate

a person or business who, on behalf of the Covered Entitiy utilizes and/or discloses protected health information

6 years; april 14, 2003

accounting of disclosures: -time frame: ______ -clock starts: ____________

3 rights of an individual under HIPAA

acess to their individual PHI, request to amend one's PHI, providing an accounting of disclosures of PHI

investigation or accepted by DOJ

after DOJ

interview and review

after complaint

resolution/ possible privacy or security rule violation/ possible criminal violation

after interview and review

resolution

after investigation

DOJ

after possible criminal violation

investigation

after possible privacy or security rule violation

what kinds of breach must be reported

all cases of impermissible acquisition access, use or disclosure of PHI need to be reported

PHI (protected health information)

all individually identifiable health information and other information on treatment and care that is transmitted or maintained in any form or medium

pt asking to remove meds that were incorrectly put on their profile is utilizing their HIPAA right of _______

amendment

what is a business associate

another entity that shares PHI with the pharmacy

how can a pt request a copy of their health info?

can now request it be electronically

$25,000

civil penalties for failure to comply -fine per year for multiple violations -fine cap per year per requirement

What needs to be included in the notice of privacy practices (NOPP)?

how pharmacy intends to use and disclose PHI; have to let individual know if there is a breach; pharmacy has legal duty to protect their PHI; uses and disclosures that require extra authorization; statement of pt rights (including access, amendment, accounting); ability to access NOPP and file complaint; how to complain at fed level and phone # of store privacy official

security

how we protect PHI from accidental or intentional disclosure, alteration, destruction, or loss

how can you get around the need to report all types of breach?

if the pharmacy or your business associate can demonstrate that there is a low probability that someone's PHI, even though it might have been disclosed, that it was not compromised- if you analyze this you must record it

what does it mean for PHI to be re-disclosed

if you authorize to release it, it goes to a non-covered entity that does not need to follow HIPAA

minimum necessary standard for HIPAA

limit use or disclosure of PHI- making it the minimum necessary

definition of marketing

make a communication about a product/ service that encourages recipients to purchase or use a product or service

if a person has a subpoena for PHI, what do you do?

make sure there is evidence that the person whose records are being sought gave the okay for them to be released

admin HIPAA reqs for operating a pharmacy

name privacy official, train employees, implement admin, technical, phys safeguards for the info in your posession, process for receiving complaints, impose sanctions for transgressions, mitigate harmful use of disclosure

how can you share PHI with business associates?

need a business associate agreement

if a pt asks for disclosure of PHI given out, would you need to include when they signed an authorization form?

no

is this marketing... receiving financial remuneration from a drug company for sending out refill reminders (remuneration is reasonably related to costs of making that communication)

no, not marketing

if a pt asks for disclosure of PHI given out, would you need to include reporting to PDMP?

no- exception related to fraud and abuse protection

could you sue someone under HIPAA?

no... no specific private cause of action, but could use same logic under HIPAA if you did engage in an action against an individual who violated your privacy rights using principles under HIPAA but not HIPAA regulation itself

pharmacy perspective of HIPAA

notice of privacy practice, train people working in pharmacy, appoint a privacy officer, make sure records are secure

specific entity under the dept of health and human services that enforces HIPAA

office of civil rights

PHI includes...

past, present, future phys or mental health; provision of that health care; payment for provision of health care; identifies pt or could reasonably be expected to identify the pt

HIPAA Administrative Simplification

process implemented to standardize the electronic transmission of health data.

healthcare operations

process of reviewing information in medical records for those patients admitted within specific time frame after discharge

goal of HIPAA

protect health info and maintain it as confidential

portability

protects and guarantees health insurance coverage when an employee changes jobs

accountability

protects health data integrity, confidentiality, and availability

GINA

protects individuals against discrimination based on their genetic info. in health coverage and employment

what must be done in regard to privacy when you get a new pt?

provide or offer to provide: copy of NOPP, signature acknowledging they received it and agree

when can you disclose PHI

providing healthcare tx, obtaining payment for tx, misc day-to-day healthcare operations

other policies and procedures the pharmacy should have

providing info on how people can make complaints; ensuring cooperation of business associates; process of getting auth from pts when needed

right of amendment under HIPAA

pt has right to request records be amended and pharmacist must comply w/in 60d or give reason why it wasn't amended

right of disclosure under HIPAA

pt has the right to request the disclosures of their PHI- pharmacist must comply within 60d- but anything under tx, payment, operations doesn't need to be listed as a disclosure

note of privacy practices

purpose: to provide consumers with adequate notice of uses or disclosures of PHI -must be written in plain language; must be provided at the time of first service or assessment for eligibility; has to provide privacy officer contact information

examples of "operations" for disclosing PHI

quality assessment activities or fraud detection, audits (3rd party or DEA, etc)

financial remuneration exception

refill reminders

disclose

release or divulgence of information by an entity to persons or organizations outside of that entity

what are required statements for authorization to release PHI

reminder to pt that they can revoke permission at any time, reminder you can't not treat them bc they don't sign it, potential for info to be re-disclosed

60

requests for access to PHI by consumers must be responded to by the facility within __ days

minimum necessary requirement

rule that does not require the consent of the patient to transfer records to a facility for follow up care.

what is a pt authorization to release PHI

signed and dated document with specific description of PHI that is being disclosed, who it will go to, why it is being used, expiration date when auth is no longer valid

how do you know it's a court order?

signed by a judge

things that would need to be disclosed if a pt asks for the disclosure of PHI given out

state vaccine reporting database, audit by office of civil rights, info sent to FDA regarding a recall, workers' comp, misdirected faxes/ emails