The HIPAA legislation aims to improve health insurance coverage, combat fraud in healthcare, simplify administration, and enhance patient privacy. This article discusses the purpose and key standards of the HIPAA legislation.
November 2001 Washington County Health System Health Information Portability & Accountability Act Amendment to Internal Revenue Code

Purpose of HIPAA Legislation
• Improve portability and continuity of health insurance coverage
• Combat waste, fraud, and abuse in health care
• Promote the use of medical savings accounts
• Improve access to long-term care services and coverage
• Simplify the administration of health insurance
Preamble to Public Law 104-191 (“HIPAA”), Health Insurance Portability and Accountability Act of 1996

Purpose of Subtitle F
Reasons for HIPAA Simplifications…
• Reduce administrative costs and burdens associated with healthcare
• Standardize data
• Facilitate electronic transmission of administrative and financial transactions

Privacy and Security
• Electronic movement of health information creates privacy and security issues.
• Secretary of Health & Human Services (HHS) has finalized standards regarding privacy.
• Regulations regarding security are in draft form.

Title II - Administrative Simplification:
Standard | Status | Date
1. Electronic transactions and code sets | Final | 10/16/02
2. Unique identifiers
  • National providers | Draft | 5/7/98
  • National employers | Draft | 6/16/98
  • Health plans | TBA |
  • Individuals | On Hold |
3. Privacy | Final | 4/14/03
4. Security and Electronic Signatures | Draft | 8/12/98
5. Claims Attachments | TBA |
6. Enforcement | TBA |

Why is patient privacy an issue?
• Boston Globe, 8/8/00: Following routine testing, an Orlando woman received a letter from a drug company advertising its treatment for her high cholesterol.
• Washington Post, 3/1/95: A 13-year-old daughter of a hospital employee took a list of patient names and phone numbers from the hospital when visiting her mother at work. As a joke, she contacted patients and told them they were diagnosed with HIV.
• USA Today, 10/10/96: A Tampa, FL public health worker walked away with a computer disk containing the names of 4,000 people who tested positive for HIV. The disks were sent to two newspapers.

Mr. Sickman arrives…
Dr. Wellmaker and the hospital are required to:
• Obtain patient consent for use of patient health information in treatment, payment and healthcare operations
• Provide a notice of privacy practices

Nurse gets Mr. Sickman’s health history from the hospital information system.
• Access controls such as passwords are required for security.
• Nurse must be assigned computer privileges on a need-to-know basis.
• Workstations must be located in secure areas.
• Disaster recovery plans and data backups are required.

Mr. Sickman regains consciousness and stabilizes.
The hospital must…
• Obtain his consent to use health information for payment, treatment and healthcare operations.
• Provide him with a notice of privacy practices.
• Tell him information will be placed in the patient directory and allow him a chance to object.

The physicians treating Mr. Sickman must also…
• Obtain his consent and provide a notice of privacy practices.
• The hospital and physicians may be considered an “organized health care arrangement.”
• Clinically integrated setting where individuals usually receive healthcare from more than one provider.
• Hospital and physicians may use a joint consent and notice of privacy practices.

Mr. Sickman’s family asks Dr. Wellmaker for an update on his condition and prognosis.
• Dr. Wellmaker must tell Mr. Sickman he would like to discuss his condition with his family.
• Mr. Sickman must have the opportunity to object or limit the information disclosed to his family.

The press sends a reporter demanding to know Mr. Sickman’s condition.
• HIPAA allows release to the public of directory information including:
  • Patient name
  • Facility location
  • Description of the patient’s general condition
Provided that…
• Mr. Sickman was informed and given a chance to object.
• The press asked for Mr. Sickman by name.

Registration staff contacts Mr. Sickman’s health insurance to verify eligibility.
The health plan requests additional identifying information.
• Standard formats for verifying eligibility.
• Health plan may only request the minimum necessary information.
• The patient’s specific authorization is not required; use of health information for payment is covered under the general consent.

Dr. Wellmaker admits Mr. Sickman to the hospital…
He dictates an emergency department note, which is transcribed by an outside vendor.
• Transcription vendor is considered a business associate of the hospital.
• Hospital must have a business associate contract with the vendor that meets HIPAA’s requirements.

Mr. Sickman recovers and is discharged.
The hospital and physicians file claims with the patient’s health insurance plan.
• Standard codes for diagnoses and procedures.
• Standard formats for electronic transactions.
• Paper claims are still permitted.
• Health plans MUST accept the standard electronic transactions.
• May not modify standard transactions and code sets.
• Clearing houses may be used to convert non-standard formats into standard electronic transmissions.

Later, the hospital’s development office contacts Mr. Sickman’s family for a contribution.
• Privacy rules allow for such solicitations, as long as the patient was notified of the possibility in the notice of privacy practices.
• The request for donation must tell Mr. Sickman how he can ask to be removed from the contact list for future mailings.
• If Mr. Sickman asks to be deleted from the mailing list, the hospital must make reasonable efforts to honor his request.

Students who participated in Mr. Sickman’s care present his case as part of their coursework.
• HIPAA’s definition of healthcare operations includes training programs.
• No specific authorization is necessary.

Mr. Sickman asks to review his medical record.
• Patients have the right to review and obtain a copy of their medical record as long as the hospital maintains the information.
• There is NO automatic right of access to:
  • Psychotherapy notes
  • Information in criminal, civil, or administrative actions
  • Protected health information exempted by the Clinical Laboratory Improvements Act

Patients reviewing their medical record…
• Hospitals may deny a patient’s request under some specific circumstances.
• The hospital has 30 days to respond to the patient’s request; 60 days if the records are stored off-site.

Mr. Sickman wants to know to whom the hospital has released information in his record.
• The following uses need not be included in the accounting for disclosures:
  • Payment, treatment, or healthcare operations
  • Disclosures to the patient him/herself
  • For the facility directory or those involved in the patient’s care
  • For national security or intelligence purposes
  • To correctional institutions and law enforcement
  • Prior to the effective compliance date of the privacy regulations

Disclosures
• The hospital must provide the listing within 60 days (with a possible 30-day extension).
• A patient is entitled to one free accounting per year; subsequent requests may be charged to the patient.

The written accounting of disclosures must include…
• Date of disclosure
• Person/organization to whom information was disclosed
• Brief description of information disclosed
• Copy of patient authorization or request for disclosure
Disclosure documentation must be retained for at least 6 years.

Mr. Sickman finds errors in his medical record and asks to have his record amended.
• Individuals may request amendments:
  • To their medical record
  • For as long as the hospital maintains the information.
• The hospital…
  • May require a written request from the patient detailing why the record should be changed.
  • Has 60 days to make the changes, with a possible 30-day extension.

Patient’s request to change the medical record…
• If the patient’s request is granted, the hospital must…
  • Notify the patient that the amendment was accepted
  • Inform other parties affected by the change

Doctoral candidate requests information for research.
Requests information on all pneumonia cases treated by the hospital in the last year.
• Unless the information is “de-identified”, it cannot be provided without the patient’s authorization.
• To be “de-identified”, 18 specific items must be removed from all aspects of the medical record.

Summary
• Privacy is becoming more important.
• Patients want to be more informed.
• Standardized transactions will increase efficiency.
• Physical and computer safeguards will be critical.
• Implementation will be very costly.

Washington County Health System HIPAA Organizational Chart