HIPAA


subcontractor example

A hospital contracts with a billing company. The billing company contracts with a shredding company to dispose of its billing records. The shredding company contracts with a trucking company to bring the hospital's paper billing records to its shredding facility.

protected health information (PHI)

ANY Information about an INDIVIDUAL'S Past, Present, or Future Medical History, Conditions, or Treatments THAT Contains Patient IDENTIFIERS such as NAME, ADDRESS, PHONE #'s, etc. In ANY form of STORAGE or TRANSMISSION.

ultimate result

Added uniform standards for DATA SHARING, PRIVACY, and SECURITY of Personal Health Information

HITECH

As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act updated federal HIPAA privacy and security standards. On January 25, 2013, the Department of Health and Human Services (HHS) posted Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the Final Rule) under the authority of the HITECH Act and the Genetic Information Nondiscrimination Act (GINA). The Final Rule was effective on March 26, 2013. However, in general, covered entities and business associates had an additional six months, until September 23, 2013, to come into compliance.

Eventual HIPAA Advantages

Better Financial Efficiency by Reducing Processing Costs
Portable
Increase TRUST that Information is SECURE and PRIVATE
Electronic Medical Record for ALL Americans

updates include

Breach notification requirements
Fine and penalty increases for privacy violations
Right to request copies of the electronic health care record in electronic format
Mandates that Business Associates are civilly and criminally liable for privacy and security violations
New regulations on Marketing regarding PHI
The sale of PHI
The use of PHI for research
Access to PHI and ePHI

exceptions to reporting abuse

Certain courts have the right, in some cases, to order providers to release PHI.
Providers must report cases of suspicious deaths or certain injuries, such as gunshot wounds.
Providers report information about patients' deaths to coroners and funeral directors.
Some states require physicians and other caregivers who suspect child abuse or domestic violence to report it to the police.
Police have the right to request certain information about patients when conducting a criminal investigation.
Laws require providers to report certain communicable diseases to state health agencies when patients have these diseases, even if the patient doesn't want the information reported.
The Food and Drug Administration requires providers to report certain information about medical devices that break or malfunction.

ways to protect patient privacy

Close patient room doors when discussing treatments and administering procedures. Close curtains and speak softly in semi-private rooms when discussing treatments and administering procedures. Avoid discussions about patients in elevators and cafeteria lines.

ways to protect

Do not leave messages regarding patient conditions or test results on answering machines or with anyone, other than the patient. Avoid paging patients using information that could reveal their health issues.

Business Associates: Downstream Contractors

Downstream entities that work at the direction of or on behalf of a business associate and handle protected health information are required to comply with the applicable Privacy and Security Rule provisions, just like the "primary" business associate and are subject to the same liability for failure to do so.

Key HIPAA Components

Fall 2002 - Electronic Data Exchange standards
April 2003 - Compliance with PRIVACY standards for ALL INSTITUTIONS
April 2005 - Compliance with SECURITY Standards
May 2007 - NPI (National Provider Identifier)
Civil and Criminal Penalties for Non-Compliance if No 'Good Faith Effort'
March 2013 - HITECH Enforcement begins

Fines and Penalties

Privacy violations may carry penalties under federal HIPAA/HITECH and state privacy laws.

Four categories of violations that reflect increasing levels of culpability.
HIPAA Criminal Penalties: $50,000 - $1,500,000 fines; imprisonment up to 10 years
HIPAA Civil Penalties: $100 - $25,000 / year fines; more fines if multiple year violations
State Laws: Fines and penalties apply to individuals as well as health care providers, up to a maximum of $250,000; may impact your professional license; imprisonment up to 10 years

MINIMUM NECESSARY STANDARD

HIPAA allows covered entities some flexibility to address unique circumstances when sharing PHI to render good care, but still avoid unnecessary or imprudent disclosure of PHI. Reasonableness standard consistent with prudent professional judgment.

key privacy concepts

HIPAA establishes a "FLOOR" for PRIVACY Rights. Uniform across 50 States. Minimum standards that preempt existing State law. Individual States may set STRICTER privacy rights, or a higher "CEILING" for their citizens for certain conditions. States may protect rights for: reproductive/contraceptive matters, STD/HIV, psychotherapy, substance abuse, and minors' access to care.

HIPAA

Health Insurance Portability and Accountability Act

B

I called a patient's phone number and left a voice mail for Mr. John Smith to contact YSU community hospital regarding his scheduled thyroid surgery. Was this a privacy breach? A. No, the patient provided this phone number B. Yes, I stated his name and medical procedure C. No, I did not state the medical reason for the surgery

Reporting abuse

If a patient, a member of the public, or an employee suspects that an organization is NOT complying with HIPAA, that person can file a complaint with the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

18 HIPAA identifiers

Names
Social Security numbers
Addresses
Medical record numbers
Relatives' names
Member/account numbers
Employers
Certificate numbers
Dates of Birth
Voiceprints
Telephone and fax numbers
Fingerprints

TPO: healthcare operations activity

Operations examples: 1. covers you under documentation review committee 2. JCAHO 3. Audits

TPO: payment

Payment examples: when you call out to these people you will share payment information, because they will be billing the patient.

A privacy breach can occur when information is

Physically lost or stolen: paper copies, films, tapes, electronic devices
Anytime, anywhere - even while on public transportation, crossing the street, in the building, in your office
Misdirected to others outside of the organization: verbal messages sent to or left on the wrong voicemail, or sent to or left for the wrong person; mislabeled mail, misdirected email; wrong fax number, wrong phone number
Placed on intranet, internet, websites, Facebook, Twitter

HIPAA original intent

Protect workers from loss of insurance if job changes & eliminate 'pre-existing conditions' exclusions

TPO (Treatment, Payment, Operations)

Reasons that a provider can release patient information. *These types of activities are covered by the patient's consent. You may freely use PHI for these activities without further permission.*

T/F The Notice of Privacy Practices (NOPP) allows PHI to be used and disclosed for purposes of TPO

T

TPO

TPO: treatment, payment, operations

Privacy breach examples

Talking in public areas, talking too loudly, talking to the wrong person
Lost/stolen or improperly disposed of paper, mail, films, notebooks
Lost/stolen laptops, PDAs, cell phones, media devices (video and audio recordings)
Lost/stolen zip disks, CDs, flash drives, memory drives
Hacking of unprotected computer systems
Email or faxes sent to the wrong address, wrong person, or wrong number
User not logging off of computer systems, allowing others to access their computer or system

Authorizations to Disclose PHI are required if:

The disclosure is for any purpose other than TPO.
The disclosure is for research, fundraising or marketing; and
A previous authorization has been revoked or is otherwise no longer valid.

TPO: treatment examples

Treatment examples: 1. referral to physician because knee isn't doing well, 2. to PTA, 3. to OT/ST 4. other PTs 5. DME 6. commod 7. NOT FAMILY 8. Prosthetist

TREATMENT Activities

Upon CONSENT, you may share PHI with any other licensed health professional [MD/DO, DDS, Ph.D., LPN/RN, R.Ph., PT, etc.] who is, or may be, involved in the care of the patient. Covers written, electronic and verbal communication. Covers referrals and coordination of care by persons who have yet to see patient thus unable to obtain consent.

Healthcare Operations

Upon CONSENT, you may share PHI with other business entities for Quality Assessment, Planning, Licensing and Audits, and Healthcare Teaching. There are special rules governing LAW ENFORCEMENT activities, so these require special caution.

consent

Upon presentation of the Notice of Privacy Practices, and signing the Acknowledgement of Receipt, the patient grants the right for the practice to use PHI for CERTAIN COVERED ACTIVITIES without further written permission.

maintaining records

When discarding paper PHI make sure the information is shredded in a secure bin. Leaving paper patient information intact in a wastebasket could lead to a privacy breach. Do not leave it unattended in an area where others can see it. When finished using PHI return it to its appropriate location. When finished looking at electronic PHI log off the system. Do not leave information visible on an unattended computer monitor.

Notice of Privacy Practices (NOPP)

Describes how healthcare organizations may use and disclose the patient's PHI
Advises the patient of his/her privacy rights
Establishes a PRIVACY OFFICER who is responsible for the practice's HIPAA matters
Acknowledgement of Receipt: Patients SIGN to indicate they understand the privacy policy of the practice

authorization

SPECIFIC written permission from the patient to use PHI for non-TPO activities. Must be a detailed document and specify:
Description of PHI to be used
Person authorized to make disclosure
Recipient of PHI
Purpose of disclosure
Expiration Date

subcontractor

is an entity to which a business associate delegates a function, activity, or service involving the covered entity's PHI, other than in the capacity of a member of the workforce of such business associate.

PHI

protected health information
