1 / 60

Outline of Presentation

Overview of HIPAA Administrative Simplification and Privacy Regulations Darrel J. Grinstead, Partner Amy B. Kiesel, Associate Hogan & Hartson L.L.P. Outline of Presentation. HIPAA Overview Transactions and Code Set Rule Security Rule Privacy Rule. HIPAA Overview.

celine
Download Presentation

Outline of Presentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Overview of HIPAA Administrative Simplification and Privacy RegulationsDarrel J. Grinstead, Partner Amy B. Kiesel, Associate Hogan & Hartson L.L.P.

  2. Outline of Presentation • HIPAA Overview • Transactions and Code Set Rule • Security Rule • Privacy Rule

  3. HIPAA Overview • “Health Insurance Portability and Accountability Act of 1996” • Regulations • Facilitate electronic exchange of health information • Protect the privacy and security of health information

  4. HIPAA Regulations • Final Form • Transactions and Code Set Rule • Security Rule • Privacy Rule • National Standard Employer Identifier Rule • Remaining are unpublished or in proposed form.

  5. Applicability • The regulations apply to “covered entities:” • Health care providers that electronically bill for services (e.g., most ambulance suppliers, physicians, hospitals), • Health plans, and • Health care clearinghouses.

  6. TRANSACTIONS AND CODE SET RULE

  7. Transactions and Code Set Rule • Purpose • To encourage the use of electronic exchanges • To reduce the administrative burden associated with using different formats • Specifies the content and format standards for eight common types of health information transactions.

  8. Standard Transactions • Transactions are composed of: • Format data – define and control the structure of the transaction (e.g., the data element is a dollar amount) • Data content – all data elements and code sets inherent to a transaction and not related to the format of the transaction (e.g., the actual dollar amount)

  9. Transactions • The eight standard transactions include: • Health care claims or equivalent encounter information, • Health care payment and remittance advice, • Coordination of benefits, • Health care claim status, • Enrollment and disenrollment in a health plan, • Referral certification and authorization, • Eligibility for a health plan, and • Health plan premium payments. • No standards promulgated for first report of injury and health claims attachments.

  10. Compliance • Compliance required by Oct. 16, 2002, unless a compliance plan was submitted to CMS by Oct. 15, 2002, where upon the compliance deadline was extended to Oct. 16, 2003.

  11. Implementation • HIPAA Awareness – understand the rule and educate workforce. • Operational Assessment – assess and identify internal implementation issues and develop a work plan to address issues. • Development and Testing - finalize development of, install, and train staff on, applicable software and perform all software and systems testing.

  12. SECURITY RULE

  13. Security Rule • Final rule published Feb. 20, 2003. • Compliance required by April 21, 2005. • Requires covered entities to: • Assess risks and vulnerabilities, • Maintain appropriate security measures, and • Document these methods.

  14. Security Rule • Requires covered ambulance suppliers to: • Apply administrative, physical, and technical safeguards • That reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information • That they create, receive, maintain or transmit.

  15. Examples – Required Safeguards • Administrative • Sanction policy • Business associate contracts • Physical • Disposal of device and media controls • Workstation security • Technical • Person or entity authentication • Unique user identification

  16. PRIVACY RULE

  17. Privacy Rule • Applicability • Uses and Disclosures • Patient Rights • Administrative Requirements • Penalties • Interaction with State Law

  18. Compliance Date • Covered ambulance suppliers must be in compliance with the Privacy Rule by April 14, 2003.

  19. Applicability of the Privacy Rule • Applies directly to covered entities. • Regulates protected health information maintained by covered entities.

  20. Protected Health Information • Protected health information (“PHI”) is information in any form that: • Identifies or reasonably could be used to identify the patient, • Relates to the past, present, or future health or condition of a patient, payment for care, or provision of care, and • Is created or received by a covered entity, provider or employer.

  21. Protected Health Information • It includes: • Medical information • Billing information • Patient demographic information • Information stored electronically • Information you convey on the phone • Information maintained on paper

  22. Business Associates • Requires covered entities to contractually bind their business associates to some of the requirements of the Privacy Rule.

  23. Definition • A business associate is an entity that • creates or receives PHI • to provide a service or function for or on behalf of a covered entity.

  24. Examples - Business Associates • Disclosures of PHI to: • An accreditation organization perform accreditation services. • A billing and collection service to assist with reimbursement. • A transcription service to transcribe notes.

  25. Examples - No Business Associate • Disclosure of PHI: • To a provider for treatment of a patient. • Inadvertently to a janitorial agency that provides cleaning services. • To researchers for research purposes. • No business associate relationship with your employees.

  26. Business Associate Agreements • You must enter into written agreements with your business associates to: • Limit use and disclosure of PHI, • Safeguard PHI, and • Ensure certain patient rights (e.g., providing a patient with access to PHI).

  27. USES AND DISCLOSURES

  28. Overview of Uses and Disclosures • Covered ambulance suppliers may use or disclose PHI only: • For purposes expressly required or permitted by the rule, or • With patient authorization.

  29. Examples When Authorization Required • To provide a list of names of patients involved in automobile accidents to a company that offers automobile insurance. • To provide a list of patient names to a national association for the association’s fundraising purposes.

  30. Examples When Authorization Not Required • To use and disclose PHI for your own treatment, payment and health care operations (TPO). • To disclose PHI for the treatment or payment activities of another covered entity. • In limited situations, to disclose PHI for the health care operations of another covered entity.

  31. Health Care Operations • Generally, no authorization required if the disclosure is: • To a covered entity that also has a relationship with the patient and • For quality assessment and improvement activities, case management and coordination, fraud and abuse detection or compliance, and other similar activities.

  32. Disclosures to Family Members • May disclose PHI to family members or others involved in the patient’s care or payment for care if: • The patient agrees (or agreement is inferred), or • The patient is not present or is incapacitated and you believe that it is in the patient’s best interest. • Also may notify of the patient’s location, general condition, or death.

  33. Other Purposes • May use and/or disclose PHI without authorization if certain criteria are met: • To avert a serious threat to health or safety • As required by law • For limited marketing activities • For public health activities • For health oversight activities • For research

  34. Other Uses and Disclosures – Avert Serious Threat • May use or disclose PHI based on your good faith belief that the use or disclosure is necessary: • To prevent/lessen a serious and imminent threat to the health or safety of a person or the public; or • Under limited circumstances, for law enforcement authorities to identify or apprehend an individual.

  35. Written Authorization – The Default Category • May use and disclose PHI for any reason with the written authorization of the patient. • Must be in writing and contain certain statements and information that ensures patient knows how his or her information will be used and disclosed.

  36. MINIMUM NECESSARY STANDARD

  37. Minimum Necessary Standard • Covered entities may use, disclose and request only the minimum amount of PHI necessary to accomplish the purpose of the use, disclosure or request.

  38. Minimum Necessary Exceptions • Disclosures to and requests by providers for treatment (but it does apply to uses) • Disclosures to the patient who is the subject of the PHI • Uses and disclosures pursuant to authorization

  39. INCIDENTAL USES AND DISCLOSURES

  40. Incidental Uses and Disclosures • An incidental use or disclosure is that which occurs as a result of another use or disclosure that is permitted (e.g., a conversation between EMTs treating a patient overheard by another patient).

  41. Incidental Uses and Disclosures • Incidental uses and disclosures are permitted as long as a covered entity has: • Applied reasonable safeguards, and • Implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.

  42. PATIENT RIGHTS

  43. Patient Rights • Receive a notice of privacy practices • Receive an accounting of certain disclosures of PHI • Access their information • Amend their information • Request a restriction on the use or disclosure of information • Request confidential communications

  44. Content of Notice • A header indicating the purpose of the notice • A description the uses and disclosures that you may make • A statement of patient rights and how to exercise them • A statement of your duties • Instructions for filing complaints • Contact information

  45. Provision of Notice - First Service Delivery • General Rule: • Provide the patient with your notice no later than the first service delivery on or after April 14, 2003; and • Make a good faith effort to obtain a written acknowledgment of receipt of notice. • If not obtained, document good faith efforts and reason why not obtained.

  46. Obtaining Acknowledgment • Sign a separate sheet, list, log book, or initial a cover sheet of the notice to be retained by the ambulance supplier • Tear off sheet to mail back to the ambulance supplier • Combine an acknowledgment with consent

  47. Good Faith Effort – Reason Not Obtained • Patient refused • Patient failed to mail back acknowledgment • Patient unconscious or agitated

  48. Provision of Notice - First Service Delivery • EXCEPTION - Emergency Treatment Situations: • Notice: Provide the notice as soon as reasonably practicable after the emergency situation. • Acknowledgment: NOT required to make a good faith effort to obtain the acknowledgment.

  49. Provision of Notice • You also must make the notice available by April 14, 2003: • Upon request; • At the delivery site (notice must be posted and available for individuals to take with them); and • If you maintain a web site about your services or benefits, prominently on your web site and make the notice available electronically through the site.

  50. Accounting • Don’t need to track disclosures • To carry out treatment, payment, or health care operations • To patients who are the subject of the PHI • Pursuant to an authorization

More Related