CHP Training


Authorization Restrictions

* Patients have a right to restrict authorizations.
* They can authorize release of all or only a portion of their information.
* Patients can also revoke an authorization.

With EMRs in place, flags and alerts can be automated into the process so that anyone opening the record will know what is authorized and what is not.

What is Senior Executive Risk?

* Senior Executives may be personally punished for non-conformance to HIPAA rules.
* If the Senior Executive is aware of a violation, delegating the responsibility to another person is not protection from personal penalty.
* Corporations are liable for violations of HIPAA by employees, other members of their workforce, or Business Associates without contracts.

What is the Privacy Rule?

* Standards for Privacy of Individually Identifiable Health Information federal legislation, aka The Privacy Rule.
* Provides national standards to control the flow of sensitive health information.
* Establishes real penalties (monetary, and perhaps prison terms) for disclosing this PHI improperly.
* Now applies to Business Associates and all subcontractors too!

Business Associate Test

1. Are they performing a function for us or on our behalf?
2. Are they a member of our workforce?
3. Could they have access to Protected Health Information (PHI)?

Yes/No/Yes = Business Associate

Three ways to De-Identify Information

1. Small Groups- This method would be used for smaller groups. People over the age of 89, small geographic areas, or people with HIV are good examples. To de-identify information for these groups, you'll want to have a statistician who can assure that the information cannot identify an individual.
2. Safe Harbor Method- The Covered Entity would refer to the Safe Harbor Method set out by HHS, primarily for research purposes. This approach involves consulting a list of 18 specific items which are to be removed; in addition, the CE must have no knowledge of any way the remaining details can be reconstructed to violate the spirit of HIPAA in protecting PHI. A re-identification code may be retained.
3. Limited Data Sets- can be used for research, public health, and healthcare operations. A specific list of obvious identifiers must be removed. The difference between totally de-identified PII (PHI) and a Limited Data Set is that in the latter, only certain identifiers need to be removed. It differs from Safe Harbor data in that there can be just enough PII (PHI) remaining to allow it to serve the unique purpose for which it was requested, and in that a re-identification code is expressly prohibited. May include dates such as birth date, admission date, dates of healthcare procedures or other services, and date of death. May include geocodes above the level that would identify an individual household, such as state, county, city, town, census tract, precinct or zip code.

Exceptions to Breaches

1. Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a Covered Entity or Business Associate. Example: a business office worker goes to the printer as a lab report prints for a nurse.
2. Inadvertent disclosures from an individual who is otherwise authorized to access PHI at a facility operated by a Covered Entity or Business Associate to another similarly situated individual.
3. Disclosures of PHI where a Covered Entity or a Business Associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

A Business Associate must:

1. Use the PHI ONLY for the purpose for which it was shared by the Covered Entity.
2. Assume the responsibility to safeguard the information from misuse. What other regulations will you include?
3. Comply with the Covered Entity's obligation to provide individuals with access to their health information and a history of certain disclosures - for some BAs.
4. Notify the Covered Entity if there is a Breach.
5. Assess each risk and mitigate.

Memorandum of Understanding (MOU)

Covered Entities exchanging PHI for legitimate business purposes or disclosing even Limited Data Sets have the responsibility to either de-identify data fully, or to see that a written contract with their Business Associate, or other recipient, is in place. Between two governmental agencies, this agreement is called a Memorandum of Understanding (MOU).

HHS

Department of Health and Human Services HHS manages HIPAA and may conduct investigations of complaints, or initiate compliance reviews without cause.

Who's Who of HIPAA

Department of Health and Human Services (HHS)- manages and enforces HIPAA compliance.
Gartner Group- researched the costs involved with meeting the new standards; Gartner reported $3.8 billion.
American Hospital Association (AHA)- gave money to Gartner for the research.

OCR

Office for Civil Rights

How is the CHP exam delivered?

On-line at the conclusion of the CHP instructor-led program, the exam is 60 questions in 60 minutes.

Mandatory Disclosure

Only two situations:
* PHI must be disclosed, with certain exceptions, to the patient, when he/she asks to review or copy it.
* PHI must be disclosed to the Department of Health and Human Services (HHS) for regulatory compliance action which may be undertaken in enforcing the Privacy Rule.

Healthcare Clearinghouses

Organizations which process healthcare transactions for providers and insurers. These companies translate HIPAA standard transaction formats for entities currently processing in nonstandard formats.

Unsecured Protected Health Information

PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by the HHS Secretary in guidance. The guidance specifies that only encryption and destruction, consistent with National Institute of Standards and Technology (NIST) guidelines, render PHI unusable, unreadable or indecipherable to unauthorized persons such that notification is not required in the event of a breach of such information.

American Recovery and Reinvestment Act (ARRA)

Part of the Stimulus Package signed by President Obama on February 17, 2009, allotting almost $2.2 billion to the Department of Health and Human Services for things like grants for repair of health centers, training for nurses, physicians and dentists, training and research for disease control; including $20 billion to the Director of the National Institute of Standards and Technology for continued work on advancing healthcare information enterprise integration through activities such as technical standards analysis and establishment of conformance testing infrastructure, so long as such activities are coordinated with the office of the National Coordinator for Health Information Technology.

The Final Rule also takes into consideration a growing healthcare industry which includes:

Patient Safety Organizations (PSOs), Health Information Organizations (HIOs), ePrescribing Gateways and others that facilitate data transmission, and vendors of Personal Health Records (HIEs, RHIOs, etc.). These are treated as Business Associates when applying the Privacy Rule, as are all their subcontractors. Organizations of all sizes had 180 days- until September 23, 2013- to comply with the Final Rule.

To whom does HIPAA apply?

Payers
Providers
Clearinghouses
Business Associates and their Subcontractors (Final Rule update)

PII

Personally Identifiable Information

PII

Personally Identifiable Information, such as name, address, phone number, Social Security number, etc., which can isolate exactly which individual has received or been billed for healthcare treatment.

Examples of Healthcare Providers

Physicians, Dentists, Psychiatrists, Hospitals, Clinics, Pharmacies, Laboratories and Medical Supply companies

Title II of the HIPAA legislation is focused on:

Preventing healthcare fraud and abuse; Administrative Simplification and medical liability reform.

Under the Privacy Rule (also known as the Privacy Act) this Patient Identifiable Information was renamed...

Protected Health Information (PHI)

PHI

Protected Health Information, which consists of items within a medical record which could be used to link it to an individual patient.

Do Privacy Rule and Security Rule share common goals?

Yes. While each set of regulations has several purposes and provisions, both share the common goal of protecting PHI. It is a handshake, not a handoff.

Integrity....

means that the captured information is preserved in such a way it is not misunderstood, tampered with, or changed while being held or transmitted.

The Final Rule specifically stated that subcontractors of Business Associates...

must also comply with all aspects of HIPAA and HITECH

Office of Civil Rights

receives and investigates all complaints. Prior to 8/5/09 they only investigated complaints related to the Privacy Rule.

Confidentiality....

targets the goal of keeping private items from falling into inappropriate hands.

For breaches involving 500 or fewer patients in the same state...

the CE must annually submit a log of breaches that occurred throughout the calendar year to HHS; OCR investigates

For breaches involving 500 or more patients (from one state)

the CE must report to HHS, and HHS will post the information on their website. If a breach has been confirmed:
* CE must alert the media in the jurisdiction where those impacted patients reside.
* CE must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach.
* CEs are required to notify individuals of a breach without unreasonable delay, but in no case later than 60 calendar days from the discovery of the breach, except in certain circumstances where law enforcement has requested a delay.

What is considered the "Discovery" of a Breach?

the first day a breach is known to the CE or the BA

Final Rule updated Healthcare Operations to include:

underwriting, premium rating and other activities relating to the creation, renewal and replacement of a contract of health insurance or benefits. Prior to this, these terms were defined in both Payment and Healthcare Operations. Underwriting was removed and replaced with Healthcare Operations.

Covered Entities

Health plans, healthcare clearinghouses, and healthcare providers who must comply with HIPAA regulations and standards because they transmit health information in electronic form in connection with HIPAA covered transactions.

What is a Covered Entity?

Health Plan: Provides or pays the cost of medical care
Healthcare Clearinghouse: Processes healthcare transactions for providers and insurers
Healthcare Provider: Person or entity who is trained and licensed to give, bill and be paid for healthcare services... via electronic transmission

The Final Rule clarified what constitutes an EHR:

"Under the Final Rule, the requirement to provide individuals with access to an electronic copy includes all PHI maintained in an electronic designated record set held by a CE."

Court Order

* A HIPAA-covered health care provider or health plan may share your PHI if it has a court order.
* This includes the order of an administrative tribunal. However, the provider or plan may only disclose the information specifically described in the order.

Subpoena

* A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order.
* A HIPAA-covered provider or plan may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule are met. Before responding to the subpoena, the provider or plan should receive evidence that there were reasonable efforts to notify the person who is the subject of the information about the request, so the person has a chance to object to the disclosure, or to seek a qualified protective order for the information from the court.

Authorization

* A very customized document
* Detailed and specific
* Includes expiration date
* Disclosures made by valid authorization do not need to be tracked and reported to the individual on the Accounting of Disclosures
* Used to allow disclosures to family members, friends or others

NPP- Final Rule Updates

* Amended to require that the Notice of Privacy Practices (NPP) describe the uses and disclosures of PHI that require an authorization.
* Requires a covered healthcare provider that intends to send treatment communications to individuals, and has received financial remuneration in exchange for making the communication, to notify individuals of this intention in its NPP and to inform them they can opt out of receiving such communications.
* Requires that, if a CE intends to contact the individual to raise funds for the entity, the CE must not only inform the individual in the NPP of this intention but also must inform the individual that he or she has the right to opt out of receiving such communications.
* Requires a statement explaining that a CE is required to agree to a request to restrict disclosure of PHI to a health plan if the disclosure is for Payment or Healthcare Operations and pertains to a healthcare item or service for which the individual has paid out-of-pocket in full.
* Requires CEs to include in their NPP a statement of the right of affected individuals to be notified following a breach of unsecured PHI.

The Final Rule

* Effective March 26, 2013
* Organizations required to comply with HIPAA and the HITECH Act had 180 days to comply- until September 23, 2013
* To strengthen the privacy and security protection for individuals' health information
* To strengthen the privacy protections for genetic information
* Many changes accommodate technology progress since 1996
* Better complement other regulations such as Human Research Protection (HRP) and Food and Drug Administration (FDA)

Final Rule and Burden of Proof

* For the exceptions, a CE or BA has the burden of proof for showing why breach notification was not required. Accordingly, the CE or BA must document why the impermissible use or disclosure falls under one of the exceptions.
* Burden of proof is on the CE and BA. They must:
  Have policies and procedures in place
  Document that staff have been trained
  Be able to determine if there was an attempt to access the data inappropriately
  Forensically demonstrate that the data was not accessed
* A BA, acting as an agent of the CE, must treat the BA's knowledge of a breach the same way the CE would treat knowledge held by its own employees.

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

* Gave money to providers to invest in EMRs
* BAs are required to meet the same privacy and security compliance regulations as Covered Entities.
* BAs are also subject to the same penalties
* Must notify patients, HHS and the media

Patients Rights to Amend Records

* If a patient sees an error in their medical record, they have a right to request it be amended. (Medical records are not corrected or changed. Medical records are amended.)
* The CE can accept or deny a request for amendment.
* If denied, provide a denial notice.
* Permit the individual to submit a written response to the denial notice.
* The Covered Entity may then write a rebuttal.
* All communications must be attached to the disputed information for all subsequent disclosures of the disputed information.

Final Rule Updates:

* If an individual requests an electronic copy of PHI that is maintained electronically in one or more designated record sets, the CE must provide the individual with access to the electronic information in the electronic form and format requested by the individual.
* CEs are not required to scan paper documents to provide electronic copies of records maintained in hard copy.
* CEs are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.
* Updated to identify separately the labor and cost of supplies for copying PHI, whether in paper or electronic form, as one factor that may be included in a reasonable cost-based fee.
* Removed the provision that permitted 60 days for timely action when PHI requested for access is not maintained or accessible to the Covered Entity onsite.
* Retains the provision that permits a CE a one-time extension of 30 days to respond to the individual's request (with written notice to the individual of the reasons for delay and the expected date by which the entity will complete action on the request).
* Confirms the time period for responding to a request for access begins on the date of the request.

Notice of Privacy Practices (NPP) Requirements

* Must describe the use and disclosure of PHI and the individual's rights
* Must describe the CE's duties: legally obligated to protect PHI, provide the Notice and abide by its terms
* Indicate how to register complaints
* Specify a point of contact
* Specify an effective date
* Specific wording in the Heading: "This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."

Patient Rights- Receive a Copy of Medical Records

* Patients have a right to receive a copy of their medical information.
* You can charge reasonable costs for it.
* You must provide it within a reasonable time frame.

The window for filing a complaint is?

180 days from the time the person filing the complaint becomes aware of a real or perceived HIPAA violation and they can go back six years.

Small Health Plan

A health plan with annual receipts (premium payments) of $5 million or less. They had an additional year to comply.

Healthcare provider

A person or entity who is trained and licensed to give, bill and be paid for healthcare services and performs certain electronic transactions in the process of doing so.

Business Associates

A person or organization that performs a function or activity on behalf of a Covered Entity, but is not part of the Covered Entity's workforce. The individual or company needs to have access to PHI in order to perform a function for the Covered Entity.

Administrative Simplification

A portion of Title II of the HIPAA Legislation which strives, among other things, to safeguard PHI and to set standards for electronic information capture, storage, and transmission. The Administrative Simplification portion of Title II of HIPAA was intended to reduce the administrative burden in healthcare and lower the high cost.

Core Data Elements of Authorization

A valid authorization must include these elements:
* Description of information used
* Identification of the person authorized to disclose the information
* Party to whom disclosure will be made
* Expiration date
* Statement of the right to revoke
* Personal representative's authority to act
* Plain language- the patient needs to understand it

What are Business Associates?

Companies that are not necessarily healthcare businesses but which act as a support structure for the business systems and procedures necessary for providers and payers to function. They provide the specific expertise in computer software, hardware or medical equipment or consulting services, for example. These also may be vendors.

What is Privacy Rule?

Confidentiality of PHI in ALL formats: paper, oral, or electronic

Facts about HIPAA:

Also known as the Kennedy-Kassebaum Bill
Public Law 104-191 (H.R. 3103) - August 21, 1996
Ensures continuation of health insurance
Protects the privacy of patient-identifiable information in any media form.

More info on breaches...

Always inform the patient. An encrypted laptop or jump drive in the hands of an unauthorized person is not considered a breach as the data is undecipherable.

Health Plan

An insurance plan that provides or pays the cost of medical care.

Non-routine disclosures

Are tracked in an "Accounting of Disclosures" and may include:
National Priority Activities
State Licensing Boards
Public Health
Research
Judicial and Administrative Proceedings
Law Enforcement
Medical Examiner
Next of Kin Notification
Emergency Treatment

Who might be a Business Associate?

Attorney
Accountant
Consultant
Cleaning Service
Data Aggregator
Vendor
Cloud Services

Authorization for Use and Disclosure

Authorization
* Describes specific elements and disclosure of PHI
* Permits disclosure and use by the Covered Entity that obtains the authorization

Revocations
* Generally, must be in writing
* Should be dated

Examples of Healthcare Clearinghouses

Billing Service Vendors, Community Health Management Information Systems. Even PNC Bank got into the Clearinghouse business.

Civil Penalties

Civil penalties are only monetary. No prison time is assigned for these less serious offenses.

Safeguarding the data involves concerns of...

Confidentiality, Integrity and Availability

Breaches

The Final Rule emphasizes it may be an "unreasonable delay" to wait until the 60th day to provide notification. 60 days is the outer limit; breaches need to be reported without delay, within 60 days. State laws may be stricter: California- 15 days.

What does Title II of HIPAA cover?

Fraud and Abuse Medical Liability Reform, Administrative Simplification

GINA and the Final Rule

Genetic Information Nondiscrimination Act of 2008 (GINA)- Insurance organizations cannot use DNA to determine healthcare coverage (Title 2), or for employment (Title 1). HMOs and issuers of Medicare supplemental policies cannot use or disclose genetic information for underwriting purposes.

What does Title IV of HIPAA cover?

Group Health Plan Requirements

Examples of stricter standards:

Gunshot wounds, stab wounds, domestic violence, sexual abuse to children and AIDS or HIV patients. These all need to be reported to various authorities and will continue to be for their protection and the protections of other citizens.

GINA

The Final Rule modified the HIPAA Privacy Rule to increase privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act of 2008 (GINA). Insurance organizations cannot use DNA information to determine healthcare coverage or employment.

What if State Laws Conflict?

HIPAA supersedes any contrary state law except in the following situations:
* The Secretary of HHS determines the state laws are necessary for the technical purposes outlined in the statute.
* State laws that the Secretary determines address controlled substances.
* State laws regarding the privacy of individually identifiable health information that are contrary to and more stringent than the federal requirement.

HIPAA is the floor. Always follow the stricter standard: state, federal, or even stricter standards your organization may have.

Examples of Health Plans

Health Insurance Issuers, HMO Plans, Group Health Plans, Long Term Care Plans, Medicare Supplement Plans, Govt Health Plans, State and Local Health Plans, Employee Welfare Benefit Plans

HIPAA is the acronym for?

Health Insurance Portability and Accountability Act

Incidental Disclosure of PHI

If all criteria are met, incidental use and disclosure might include:
* Waiting room sign-in sheets
* Charts may be kept at patients' bedsides
* Doctors can talk to patients in semi-private rooms
* Doctors and nurses can discuss patient treatment at nurses' stations

These are permitted without fear of violation; HIPAA is not intended to interfere with quality patient care. The "Incidental Disclosure" category includes times when, despite the best intentions and the most reasonable precautions, PHI is inadvertently disclosed. The difference between a violation and acceptable behavior depends upon two factors:
* Was the information disclosed the minimum necessary under the circumstances?
* Were reasonable safeguards taken to limit the disclosure?

HIPAA- At a Glance

Improve insurance portability and continuity
Combat healthcare waste, fraud and abuse
Promote medical savings accounts
Improve access to long-term care
Simplify the administration of health insurance

Payer

In healthcare, an entity that assumes the risk of paying for medical treatments. This can be an uninsured patient, a self-insured employer, a health plan, or an HMO.

Individually Identifiable Health Information (IIHI)

Individually Identifiable Health Information is PII with health information. Example of PHI: the SS# or name of the individual with sore feet, a heart condition or cancer. A 4-factor exercise is used to determine low probability of compromise. Protected Health Information is information that is IIHI. Just a name or a SS#, or just a medical condition, may not need to be protected under HIPAA.

What does Title I of HIPAA cover?

Insurance Portability

What is the purpose of the CHP exam?

It validates knowledge and skill sets around HIPAA/HITECH and the Final Rule

Items that will identify a patient:

Name
Address, City, Zip Code, Country
SS#
Fingerprint
Fax#
Medical Record #
Insurance #

Consent Forms

No consent form is needed for Treatment, Payment or Operation (TPO). Privacy Rule covers your use of TPO and it can't be revoked. If you do choose to have a patient sign a consent form, you are opening your organization to unnecessary legal liabilities with no upside benefit. The regulations specifically give a CE the ability to use PHI for TPO.

Patient Rights- An Accounting of Disclosures

Non-routine disclosures are required under HIPAA to be tracked, this is another Patient Right. This tracking is called an "Accounting of Disclosures." Patients have the right to see this upon request. Who has looked at my medical record? Other than Treatment, Payment or Healthcare Operations (TPO).

Right to Restrict

Requires a CE to agree to a request by an individual to restrict the disclosure of PHI about the individual to a health plan if both:
* The disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law, and
* The PHI pertains solely to a healthcare item or service for which the individual, or a person on behalf of the individual other than the health plan, has paid the CE in full.

What does Title V of HIPAA cover?

Revenue Off-Sets

What is a HIPAA CAP?

Stands for Corrective Action Plan. It is a security risk analysis and risk management plan. Depending on the violation, the OCR may ask you to correct policies and procedures, or how you manage business associates or reporting failures. Part of the plan may also include training your employees on security measures or policies.

What does Title III of HIPAA cover?

Tax-related Health Provisions

An Accounting of Disclosures- HITECH Act

The HITECH Act began giving "Meaningful Use" dollars to Eligible Professionals (EPs) and Hospitals to defray the cost of installing an EMR. Patients have the right to see all of their records, including TPO. Patients are able to get up to three years' worth of information after 2014. Once all of this is set up, everyone will have an EMR.

Definition of Breach

The acquisition, access, use or disclosure of PHI in a manner not permitted (by the Privacy Rule) which compromises the security or privacy of the PHI. A breach compromises the security or privacy of the data and causes significant risk of financial, reputational, or other harm to the individual.

Difference between IIHI and PII

The large category of information is called IIHI. Within medical and administrative records might be items such as patient name, city or county where he/she lives, zip code, fingerprints, notations of distinguishing tattoos, radiological images showing distinguishing bone fractures or congenital markers, birth date or SS#. These specific details which can uniquely identify an individual are the Personally Identifiable Information (PII); this subset of the IIHI is what would be used to actually link the records to the patient.

"Reasonable and Appropriate"

This is the phrase Covered Entities use to determine if their HIPAA compliance initiatives are adequate to protect health information for their size, type of organization and their level of risk.

What is De-identified Information?

To be de-identified, Individually Identifiable Health Information (IIHI) and Personally Identifiable Information (PII) must be removed. De-identified information can be used by anyone, for any purpose. De-identified information does not have to be protected by HIPAA.

T.I.P.S about HIPAA Administrative Simplification Title II

Transactions and Code Sets
Identifiers
Privacy
Security

The First Steps for HIPAA:

Transactions and Code Sets & Identifiers

TPO

Treatment, Payment & Healthcare Operations. PHI can be used for a CE's own Treatment (T), Payment (P) and Healthcare Operations (O). Examples of healthcare operations which might need PHI are training medical and administrative staff, quality control, preparing accreditation applications, or even limited marketing. PHI can be disclosed to any other provider in order to facilitate treatment or payment. PHI can be "used" and "disclosed" for TPO.

Using and Disclosing PHI

Use
* Sharing
* Employing
* Applying
* Utilizing
* Examining
* Analyzing
* Information is "used" when moved inside the organization

Disclosure
* Release
* Transfer
* Provision of access to
* Divulging in any manner
* Information is "disclosed" when transmitted outside the organization

In order to show they have taken "reasonable and appropriate" measures to try to protect PHI...

a Covered Entity should develop and be prepared to apply specific sanctions to anyone within their scope of liability who fails to perform within the HIPAA requirements and those of the Privacy and Security Rules. Keeping up-to-date records of all interactions also becomes key as this evidence may be required to be presented to HHS during any subsequent investigation.

Court Order and Subpoenas-

are two different things. With a Court Order from a judge, you give only what is requested. A Subpoena comes from a clerk or lawyer; before responding, notify the person who is the subject of the information about the request, so the person has a chance to object to the disclosure, or seek a qualified protective order for the information from the court.

To be in compliance with the Security Rule, a Covered Entity must...

be sure that the business processes and technology used are not vulnerable to threats that may violate any or all of the three basic principles of security: Confidentiality, Integrity, and Availability.

What is Security Rule?

ePHI electronically captured, stored, used or transmitted

Availability...

involves considering techniques to make needed facts available quickly and easily to those who should see them, and preventing them from being accessible to those who shouldn't.
