
IMPLEMENTING THE HIPAA PRIVACY RULES

IMPLEMENTING THE HIPAA PRIVACY RULES. Presentation to the Coalition of Voluntary Mental Health Agencies May 31, 2002. Prepared By: Robert Belfort Kalkines, Arky, Zall & Bernstein LLP 1675 Broadway, Suite 2700 New York, New York 10019 (212) 830-7270 rbelfort@kazb.com.



  1. IMPLEMENTING THE HIPAA PRIVACY RULES Presentation to the Coalition of Voluntary Mental Health Agencies May 31, 2002 Prepared By: Robert Belfort Kalkines, Arky, Zall & Bernstein LLP 1675 Broadway, Suite 2700 New York, New York 10019 (212) 830-7270 rbelfort@kazb.com

  2. A BRIEF HISTORY OF THE PRIVACY RULE (timeline)
  • 8/21/96: Enactment of HIPAA statute
  • 8/21/99: Deadline for Congressional action
  • 11/3/99: Proposed rule issued
  • 12/28/00: Final rule adopted
  • 3/14/01: Final rule reopened for comment
  • 4/14/01: HHS adheres to final rule
  • 7/6/01: HHS issues guidance
  • 3/27/02: Modifications to rule proposed
  • 4/26/02: End of comment period on proposed changes
  • Summer 2002?: Adoption of changes to rule
  • 4/14/03: Compliance date

  3. KEY COMPLIANCE ISSUES • Proper use and disclosure of protected health information (PHI) • Application of “minimum necessary” standard • Execution of business associate contracts • Accommodation of patient rights • Creation of administrative, physical and technical safeguards • Issuance of privacy notice • Appointment of privacy officer

  4. WHAT IS PHI? • Individually identifiable health information • created or received by provider, plan, clearinghouse or employer • relates to individual’s health, provision of care or payment for care • identifies or could reasonably be used to identify the individual • Transmitted or maintained in any form

  5. HOW CAN PHI BE USED OR DISCLOSED? (Type of use or disclosure: Patient approval required?¹)
  • Treatment, payment and health care operations: Consent optional (subject to limited exceptions)
  • Psychotherapy notes for most purposes: Authorization required
  • Certain marketing and fundraising activities: No authorization required
  • Facility directories, family members and disaster relief: Opportunity for oral objection by patient
  • IRB-approved research following specified protocols: No authorization required
  • "National Priority" disclosures: No authorization required
  • Other uses and disclosures not subject to specific exception: Authorization required
  ¹ Assumes adoption of proposed amendments to rule.

  6. WHAT ARE HEALTH CARE OPERATIONS? • Quality improvement • Reviewing provider qualifications and performance • Underwriting, rating and related activities • Medical review, legal services and auditing • Business planning and development • Business management and general administration

  7. WHAT ARE PSYCHOTHERAPY NOTES? • Recorded by a mental health professional • In any medium • Documenting or analyzing contents of conversation during private or group counseling session • Separated from rest of medical record • Excludes medication monitoring, session times, modalities of treatment, test results and summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress

  8. WHEN MAY PSYCHOTHERAPY NOTES BE DISCLOSED? • By originator for treatment • Mental health training programs • Defense of legal action brought by patient • Certain health oversight activities

  9. WHAT ARE THE ELEMENTS OF AN AUTHORIZATION? • Must specifically identify information being disclosed, its recipients and purpose of disclosure • May not be combined with other documents • Must include expiration date or event • Must be signed by patient or personal representative

  10. MARKETING EXCEPTION • Types of marketing permitted without authorization • face-to-face • products or services of nominal value • In name of covered entity • Disclosure of remuneration • Opt out procedures • Determination and disclosure of patient benefit if health status-based

  11. FUNDRAISING EXCEPTION • By covered entity, business associate or related foundation • Disclosable or usable information • demographic information • dates of care provided • Opt out procedures

  12. NATIONAL PRIORITY DISCLOSURES • Required by law • Public health • Neglect and abuse • Health oversight • Legal proceedings • Law enforcement • Decedents • Cadaveric donations • IRB-approved research • Health or safety threat • Specialized government functions • Workers' compensation

  13. “MINIMUM NECESSARY” STANDARD When using or requesting protected health information, covered entities “must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

  14. EXCEPTIONS TO MINIMUM NECESSARY • Treatment • Disclosures to other covered entities • Compliance with law • Disclosures pursuant to patient’s authorization • Disclosure to patient

  15. IMPLEMENTING MINIMUM NECESSARY • Internal role-based access • Policies and procedures for routine disclosures • Criteria for all other disclosures

  16. WHO IS A BUSINESS ASSOCIATE? • Provides specified functions to or on behalf of covered entity • Exceptions • Members of workforce • Members of hospital medical staff • Members of “organized health care arrangement” • Plan sponsors • Financial institutions processing consumer transactions • “Conduits”

  17. WHO IS A BUSINESS ASSOCIATE? (examples)
  Yes: • Billing companies • Computer maintenance vendors • Transcription services • Attorneys • Accountants • Compliance consultants
  No: • Employees • Student trainees • Federal Express • AOL • Referring providers • Third party payers

  18. BUSINESS ASSOCIATE CONTRACTS • Permitted uses and disclosures • Adoption of safeguards and reporting of unauthorized disclosures • Compliance by subcontractors • Access, amendment and accounting by patients • Access by HHS • Return or destruction of records if feasible • Termination for material breach

  19. WHEN MUST BUSINESS ASSOCIATE PROVISIONS BE IN PLACE? (Contract status: Compliance date)
  • Executed on or after April 14, 2003: Date of execution
  • Executed prior to April 14, 2003 with no amendments or renewals prior to April 14, 2004: April 14, 2004
  • Executed prior to April 14, 2003 with amendment or renewal between April 14, 2003 and April 14, 2004: Date of amendment or renewal

  20. WHEN ARE YOU LIABLE FOR BUSINESS ASSOCIATES? • If covered entity knows of improper pattern of activity or practice • Covered entity must take reasonable steps to cure breach • If cure unsuccessful, covered entity must • terminate, if feasible; or • report problem to HHS

  21. PATIENT ACCESS TO PHI • Access or copies • Time frames • Appeal rights • Reasonable copying charges • Exception for psychotherapy notes

  22. PATIENT AMENDMENT OF PHI • Time frames • No obligation to amend • Informing other entities • Statement of disagreement

  23. ACCOUNTING OF DISCLOSURES
  Accounting required: • To HHS • Permitted marketing • Permitted fundraising • Research without patient authorization • Public interest purposes not covered by exemption
  Accounting not required: • Treatment, payment and health care operations • Individual's written authorization • To individual • Pursuant to oral agreement • National security or intelligence • Correctional institutions or law enforcement agencies

  24. WHAT SAFEGUARDS ARE REQUIRED? (Type of PHI: Scope of safeguards)
  • Electronic: Rely on proposed security rules
  • Paper: Proposed security rules, where applicable • Faxes • Public postings • File cabinets
  • Oral: Proposed security rules, where applicable • Telephone • Hallway conversations • Public announcements

  25. KEY ELEMENTS OF PRIVACY NOTICE • Mandated header • Permitted uses and disclosures (examples) • Separate statement for certain uses • Individual rights • Covered entity’s duties • Complaints • Contact information

  26. PRIVACY NOTICE — DISTRIBUTION REQUIREMENTS • Provide at first contact after compliance date • Make good faith effort to obtain written acknowledgement • Make available on-site at patient request • Make available by mail at patient request • Post on-site in conspicuous location

  27. PRIVACY OFFICER DUTIES • Oversee implementation of policies and procedures • Answer questions • Handle complaints • Investigate privacy breaches • Conduct audits • Review contracts • Coordinate employee training

  28. RELATIONSHIP TO STATE LAWS • HIPAA provides floor but not ceiling — more stringent state laws not pre-empted • Exceptions • Certain state public health and auditing laws • HHS determination based on specified factors

  29. SAMPLE COMPLIANCE TIMELINE (May 2002 through the April 2003 compliance date, with milestones in September 2002 and January 2003): Education, Gap Analysis, Remediation, Testing, Training

  30. ALTERNATIVE COMPLIANCE TIMELINE (same May 2002 to April 2003 span): Procrastination, Infighting, Half-hearted efforts, Panic, Finger-pointing

  31. DEFINE THE COVERED ENTITY • Affiliates • Hybrid entities/health care components • Organized health care arrangements

  32. CONSIDERATIONS IN DEFINING ENTITY • Standardization of policies • Centralization of administration • Sharing of information • Liability concerns

  33. GAP ANALYSIS OPTIONS (matrix of staff resources against financial resources, each rated High / Moderate / Low) • Self-Assessment: high staff resources, low financial resources • Professional Self-Assessment Tool: moderate staff resources, moderate financial resources • On-site Consultants: low staff resources, high financial resources

  34. CREATE PHI FLOW CHART (diagram; nodes shown: Patient, Registration, Clinician, Medical Records, QA, Billing, Accounts Receivable, Finance, Collection Agency, Payers, Other Providers, DOH)

  35. ANALYZE EACH USE AND DISCLOSURE • Consent or authorization required? • Minimum necessary applicable? Satisfied? • Business associate contract required? In place? • Subject to accounting? Recorded?
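The four questions on slide 35 can be run as a checklist over every flow on the PHI flow chart. The following is an added example, not part of the presentation: it encodes the deck's own summaries (slide 5 for approval, slide 8 for psychotherapy notes, slide 14 for the minimum-necessary exceptions, slides 16 and 17 for business associates, slide 23 for accounting, all assuming the proposed 2002 amendments as the deck does) as decision functions, and adds slide 15's role-based access as a field filter. The purpose categories, the flags on `Disclosure`, the `ROLE_FIELDS` policy and the sample record are constructed for illustration; the slide-8 carve-outs for training programs, legal defense and oversight, and the slide-23 carve-outs for oral agreements, national security and correctional facilities, are not modelled. It is a worked reading of the slides, not legal advice.

```python
"""Slide 35 checklist applied to one proposed use or disclosure of PHI.
Added example; the rules are a simplified reading of the deck, not the
presenter's code.  Flags, role policy and sample data are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    TO_INDIVIDUAL = "to the individual"
    MARKETING = "marketing (within exception)"
    FUNDRAISING = "fundraising (within exception)"
    RESEARCH_IRB = "IRB-approved research"
    NATIONAL_PRIORITY = "national priority disclosure"
    OTHER = "other"


TPO = {Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS}
# Slide 5 rows marked "No authorization required", plus the patient's own access.
NO_AUTHORIZATION = {Purpose.TO_INDIVIDUAL, Purpose.MARKETING, Purpose.FUNDRAISING,
                    Purpose.RESEARCH_IRB, Purpose.NATIONAL_PRIORITY}


@dataclass
class Disclosure:
    purpose: Purpose
    recipient: str
    acts_on_our_behalf: bool = False      # performs a function for the covered entity
    recipient_is_workforce: bool = False  # employee or student trainee (slide 17)
    recipient_is_conduit: bool = False    # courier or ISP (slides 16-17)
    recipient_is_covered_entity: bool = False
    required_by_law: bool = False
    includes_psychotherapy_notes: bool = False
    authorization_on_file: bool = False
    ba_contract_on_file: bool = False


@dataclass
class Review:
    approval: str                  # "authorization", "consent optional" or "none"
    approval_satisfied: bool
    minimum_necessary_applies: bool
    ba_contract_required: bool
    accounting_required: bool
    findings: list = field(default_factory=list)


def approval_required(d: Disclosure) -> str:
    """Slide 5 table; slide 8 lets the originator use psychotherapy notes for
    treatment without an authorization (assumed: we are the originator)."""
    if d.includes_psychotherapy_notes and d.purpose is not Purpose.TREATMENT:
        return "authorization"
    if d.purpose in TPO:
        return "consent optional"
    if d.purpose in NO_AUTHORIZATION:
        return "none"
    return "authorization"


def minimum_necessary_applies(d: Disclosure) -> bool:
    """Slide 14 exceptions, as listed in the deck."""
    return not (d.purpose is Purpose.TREATMENT or d.purpose is Purpose.TO_INDIVIDUAL
                or d.recipient_is_covered_entity or d.required_by_law
                or d.authorization_on_file)


def ba_contract_required(d: Disclosure) -> bool:
    """Slides 16-17: a contract is needed for anyone doing a function on our
    behalf unless they are workforce or a mere conduit."""
    return d.acts_on_our_behalf and not (d.recipient_is_workforce or d.recipient_is_conduit)


def accounting_required(d: Disclosure) -> bool:
    """Slide 23: no accounting for TPO, disclosures to the individual, or
    disclosures under a written authorization."""
    if d.purpose in TPO or d.purpose is Purpose.TO_INDIVIDUAL:
        return False
    return not d.authorization_on_file


def review(d: Disclosure) -> Review:
    approval = approval_required(d)
    r = Review(approval=approval,
               approval_satisfied=(approval != "authorization" or d.authorization_on_file),
               minimum_necessary_applies=minimum_necessary_applies(d),
               ba_contract_required=ba_contract_required(d),
               accounting_required=accounting_required(d))
    if not r.approval_satisfied:
        r.findings.append(f"{d.recipient}: patient authorization required but not on file")
    if r.ba_contract_required and not d.ba_contract_on_file:
        r.findings.append(f"{d.recipient}: business associate contract required but not in place")
    if r.minimum_necessary_applies:
        r.findings.append(f"{d.recipient}: limit to the minimum necessary before release")
    if r.accounting_required:
        r.findings.append(f"{d.recipient}: record in the accounting of disclosures")
    return r


# Slide 15: internal role-based access as the minimum-necessary control.
# Constructed policy; None means the role sees the whole record (treatment, slide 14).
ROLE_FIELDS = {
    "billing": {"name", "dates_of_service", "diagnosis_codes", "charges"},
    "front_desk": {"name", "appointment_times"},
    "clinician": None,
}


def minimum_necessary(record: dict, role: str) -> dict:
    """Return only the fields the role needs.  Psychotherapy notes are kept
    apart from the record (slide 7) and are never released through this path;
    they go through approval_required() instead."""
    visible = {k: v for k, v in record.items() if k != "psychotherapy_notes"}
    allowed = ROLE_FIELDS[role]
    return visible if allowed is None else {k: v for k, v in visible.items() if k in allowed}


if __name__ == "__main__":
    # Constructed sample flow from the slide-34 chart: billing company, no contract yet.
    r = review(Disclosure(Purpose.PAYMENT, "billing company", acts_on_our_behalf=True))
    for f in r.findings:
        print(f)
    sample = {"name": "J. Doe", "charges": 120, "appointment_times": ["2002-06-03"],
              "psychotherapy_notes": "(separate file)"}
    print(minimum_necessary(sample, "billing"))
```

Each flow on the chart becomes one `Disclosure`; the `findings` list is the remediation backlog for slide 40. The filter treats psychotherapy notes as a separate object rather than a field, which is how slide 7 says they should be stored.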

  36. REVIEW PATIENT RIGHTS’ POLICIES • Access and copying of records • Amendment of records • Restriction on uses

  37. REVIEW ELECTRONIC DATA SAFEGUARDS • Administrative policies • Physical plant security • Technical security measures • catalogue hardware and software (Y2K inventory) • compare security features to security regulations

  38. REVIEW OTHER POLICIES AND PRACTICES • Fax • File cabinets • Telephone • Waiting room procedures • Hallway conversations • Posted information

  39. EVALUATE COMPLIANCE OPTIONS • Prioritize initiatives • Reasonableness considerations • Scalability • Documentation • Maintaining confidentiality

  40. KEY REMEDIATION STEPS • Revise policies and procedures • Document policies and procedures • Execute business associate contracts • Upgrade security of software and hardware • Secure physical plant • Prepare privacy notice, consent and authorization form • Appoint privacy officer

  41. CONDUCT EMPLOYEE TRAINING • Differentiate by employee roles • Initial training before April 14, 2003 • Build into hiring process • Regular refresher training

  42. TRAINING OPTIONS • Internal trainer • Outside attorney or consultant • Written manual • Videotape or CD-ROM

  43. CIVIL PENALTIES • $100 per violation • $25,000 per year cap for each type of violation • Cooperative approach by HHS • reasonable diligence standard • technical assistance • informal dispute resolution

  44. CRIMINAL PENALTIES (Offense: Maximum fine / Maximum prison term)
  • Use of unique health identifier, or acquisition of individually identifiable health information ("basic offense"): $50,000 / One year
  • Basic offense under false pretenses: $100,000 / Five years
  • Basic offense for commercial advantage, personal gain or malicious harm: $250,000 / Ten years

  45. HELPFUL WEB SITES http://aspe.hhs.gov/admnsimp http://www.hhs.gov/ocr/hipaa http://snip.wedi.org http://www.cpri-host.org http://www.ahima.org
