©2002 FCG proprietary and confidential
HIPAA 201: Privacy
October 2002, First Consulting Group
An Introduction to the HIPAA Privacy Regulations - with Final Rule Updates
©2002 First Consulting Group www.fcg.com
Presentation Agenda
– Privacy Introduction
– Privacy Requirements and Impacts
  • Use and Disclosure
  • Notice of Privacy Practices
  • Patient Rights
  • Administrative Requirements
– Summary
Presentation Objectives
At the end of this presentation, you should:
– Understand the specific HIPAA Privacy requirements (both in the final rule and with the subsequent changes)
– Understand the business process impacts of the HIPAA Privacy requirements
– Understand the intent of the standards and the “reasonable” application of them in your organization
– Be able to determine your own organizational strategies and next steps for tackling HIPAA Privacy
Key Definitions - Covered Entities
HIPAA directly covers:
– Health Plans – an individual plan or group health plan that provides, or pays for the cost of, medical care
– Healthcare Providers – any person or organization who furnishes, bills, or is paid for health care in the normal course of business, such as hospitals, physician services, diagnostic services, outpatient and home health
– Healthcare Clearinghouses – any public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, that processes or facilitates the processing of health information received from another entity
HIPAA indirectly covers:
– Business Associates – a person or organization who performs or assists in the performance of a function or activity on behalf of a covered entity that involves the use or disclosure of PHI
Key Definitions - PHI
Protected Health Information (PHI) is individually identifiable health information which:
– Is created or received by a health care provider, health plan, employer or health care clearinghouse
– Relates to the past, present or future health of an individual, the provision of health care to the individual, or the past, present or future payment for health care
– Identifies the individual, or provides a reasonable basis to believe it could be used to identify the individual
  • Eighteen specific identifying elements (listed under the de-identification requirements below)
– Is transmitted or maintained electronically or in any other form or medium
  • Explicitly includes Internet, Extranet, leased line, dial-up line and private network transmission
  • Includes information which is stored on paper
  • Includes information read from a computer screen and discussed orally
  • Includes person-to-person telephone calls, video conferencing and voicemail
Key Concept - Reasonableness
The reasonableness standard allows covered entities to:
– Apply the rules as appropriate to their circumstances
– Incur minimal costs
– Define “reasonable precautions” based on service, location, or setting
– Avoid structural changes that the rule does not require, such as:
  • Soundproofing
  • Private rooms
  • Telephone encryption
– Implement acceptable alternatives instead:
  • Low voice tones
  • Privacy curtains
  • Cubicles
Intent of Privacy Rule
The final Privacy Rule seeks to:
– Protect patients while encouraging them to seek care
– Establish a floor of national privacy standards for healthcare providers, health plans and clearinghouses
– Create a framework that can be strengthened by both federal and state government as health information systems evolve; more stringent state law is left in place
– Balance the needs of the individual with the needs of society
– Improve the quality of healthcare in the U.S.
– Improve the efficiency and effectiveness of healthcare
Key Points of Privacy Rule
The Privacy Rule:
– Covers electronic, paper and oral communications
– Allows PHI to be used and disclosed for treatment, payment and health care operations
– Requires patient authorization for use and disclosure of health information for non-routine purposes
– Gives consumers greater access to and control over their health information
– Requires organizations to maintain safeguards for protecting the confidentiality and integrity of health information and to protect against unauthorized access to PHI
– Is designed to ensure that protections for patient privacy are implemented in a manner that maximizes privacy while not compromising either the availability or the quality of medical care
Structure
The current HIPAA Privacy regulations are organized into four categories:
1. Use and Disclosure
2. Notice of Privacy Practices
3. Patient Rights
4. Administrative Requirements
Use and Disclosure
Rules / Impacts
Use and Disclosure - Rules
Consent for uses and disclosures:
– A covered entity may obtain a consent of the individual to use or disclose protected health information to carry out treatment, payment and healthcare operations (TPO)
Authorizations: A covered entity must obtain an authorization for uses and disclosures that are not covered by the consent for TPO
– A valid authorization must contain defined core elements
– Generally, an authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization
– A covered entity must document and retain any signed authorizations
– Patients have to grant permission in advance for each type of non-routine use or disclosure
– Providers may use a standardized authorization form
Use and Disclosure - Rules
Parents and Minors: The rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice
– If a state has explicitly addressed disclosure of a minor's health information to a parent, or access to a child's medical record by a parent, the final rule clarifies that state law governs
– In special cases in which the minor controls his or her own health information under such law and that law does not define the parent's ability to access the child's health information, a licensed health care provider continues to be able to exercise discretion to grant or deny such access, as long as that decision is consistent with the state or other applicable law
Use and Disclosure - Rules
Business Associates: PHI may be disclosed to business associates only to help providers and plans complete their healthcare functions
– Covered entities (except small health plans) are given up to an additional year to change existing written contracts to come into compliance with the business associate requirements
– Members of a provider's, health plan's, or other covered entity's workforce are not considered business associates
– Covered entities who exchange PHI for treatment purposes are not considered business associates; for example, a physician who discloses information to a hospital where he has admitting privileges
– The Privacy Rule doesn't “pass through” its requirements to business associates; it has no authority to do so
– In general, covered entities are not liable for privacy violations of business associates, but if they become aware of a “pattern or practice” that is a material breach of the business associate's contract, they must take “reasonable steps” to cure the breach or end the violation and, if those steps fail, terminate the contract where feasible (subject to legal interpretation)
Use and Disclosure - Rules
An Opportunity for the Individual to Agree/Object is Required:
The final rule permits covered entities to use or disclose protected health information provided that the patient:
– Is informed in advance of the use and disclosure; and
– Has the opportunity to agree to or prohibit or restrict the use or disclosure under certain circumstances
§164.510 (a) Facility Directories
§164.510 (b) For Involvement in the Individual's Care and Notification Purposes
Use and Disclosure - Rules
An Opportunity for the Individual to Agree/Object is Required:
Facility Directories:
– Covered entities must inform patients:
  • That it may include certain information in a directory; and
  • To whom it may disclose this information (including clergy)
– Patients must be given the opportunity to restrict or prohibit some or all of these uses and disclosures
– Provisions are outlined for disclosing this information without the patient's agreement under certain emergency circumstances
Individual's Care:
– Covered entities may disclose to a family member or friend protected health information related to the patient's care:
  • By obtaining the patient's agreement when he/she is present;
  • Under certain circumstances, using professional judgment, when the patient is not present or is otherwise unable to object.
Use and Disclosure - Rules
Authorization or Opportunity to Agree/Object are Not Required:
§164.512 (a) Required by Law
§164.512 (b) Public Health Activities
§164.512 (c) Victims of Abuse, Neglect or Domestic Violence
§164.512 (d) Health Oversight Activities
§164.512 (e) Judicial and Administrative Proceedings
§164.512 (f) Law Enforcement Purposes
§164.512 (g) Decedents
§164.512 (h) Cadaveric Organ, Eye or Tissue Donation Purposes
§164.512 (i) Research Purposes
§164.512 (j) Averting a Serious Threat to Health or Safety
§164.512 (k) Specialized Government Functions
§164.512 (l) Workers' Compensation
Use and Disclosure - Rules
Authorization or Opportunity to Agree/Object are Not Required:
Uses and Disclosures Regarding the Food and Drug Administration (FDA):
– The final rule permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities, such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products.
Use and Disclosure - Rules
Authorization or Opportunity to Agree/Object are Not Required:
Incidental Use and Disclosure:
– The final rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, if these requirements are met:
  • doctors' offices may use waiting room sign-in sheets,
  • hospitals may keep patient charts at bedside,
  • doctors can talk to patients in semi-private rooms, and
  • doctors can confer at nurses' stations without fear of violating the rule if overheard by a passerby.
Use and Disclosure - Rules
Other Requirements Relating to Uses and Disclosures of PHI:
De-identified Health Information:
– Health information for which there is no reasonable basis to believe that the information can be used to identify an individual
– De-identified data is no longer PHI and may be distributed openly
Re-identification:
– With certain restrictions, a covered entity may assign a code or other means of record identification to allow de-identified information to be re-identified by the covered entity; the code may not be derived from information about the individual, and the mechanism for re-identification may not be disclosed
Limited Data Set:
– The final rule permits the creation and dissemination of a limited data set that does not include directly identifiable information, for research, public health, and health care operations
– The covered entity and the recipient of the data must enter into a data use agreement, in which the recipient agrees to:
  • limit the use of the data set to the purposes for which it was given
  • ensure the security of the data
  • not re-identify the information or use it to contact any individual
Use and Disclosure - Rules
Requirements for De-identification of PHI:
Safe-harbor de-identification requires removal of the following eighteen identifiers of the individual (and of relatives, employers or household members):
1. Name
2. Street address, city, county, precinct, zip code, and geo-codes
3. Electronic e-mail address
4. Social security number
5. Telephone number
6. Fax number
7. Medical record number
8. All elements of dates (e.g. birth date, admission date, discharge date) *
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code *
Legend: all items except the two marked * (which the original slide marks with a “-”) are information that must also be excluded to create a limited data set; dates and other non-direct unique codes may remain in a limited data set, and a limited data set may also retain city, state and zip code, but not street address.
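The safe-harbor list above, together with the limited data set and re-identification code rules on the preceding slide, as a Python example. This is added here and is not code from the FCG deck: the record field names (one assumed field per identifier category), the SAMPLE_RECORD values and the random-token vault are this example's own assumptions; a real EHR export needs its own field-to-category mapping.

```python
"""Safe-harbor de-identification, limited data set and re-identification code.

Added example for this page; not code from the FCG deck. The field names,
the sample record and the vault design are this example's own assumptions.
"""
from __future__ import annotations

import secrets
from typing import Any

# One assumed record field per safe-harbor identifier category on the slide
# (the address category is split into its listed components).
SAFE_HARBOR_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "precinct", "zip_code",
    "geocode", "email", "ssn", "telephone", "fax", "medical_record_number",
    "dates", "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_identifier", "device_identifier",
    "url", "ip_address", "biometric_identifier", "full_face_photo",
    "other_unique_code",
})

# A limited data set strips the direct identifiers but may retain dates,
# city/zip code and unique codes that are not direct identifiers.
LIMITED_DATA_SET_MAY_KEEP = frozenset({"dates", "city", "zip_code", "other_unique_code"})


def de_identify(record: dict[str, Any], *, limited_data_set: bool = False) -> dict[str, Any]:
    """Return a copy of ``record`` without the identifier fields.

    With ``limited_data_set=True`` the fields a limited data set may keep are
    retained; the release then needs a data use agreement with the recipient.
    """
    keep = LIMITED_DATA_SET_MAY_KEEP if limited_data_set else frozenset()
    strip = SAFE_HARBOR_IDENTIFIERS - keep
    return {field: value for field, value in record.items() if field not in strip}


def residual_identifiers(record: dict[str, Any]) -> set[str]:
    """Identifier fields still present: the pre-release check.

    Safe harbor requires this to be empty; a limited data set requires it to
    be a subset of LIMITED_DATA_SET_MAY_KEEP.
    """
    return set(record) & SAFE_HARBOR_IDENTIFIERS


class ReidentificationVault:
    """Code-to-identity mapping that never leaves the covered entity.

    The code is a random token, not derived from anything about the patient,
    so a recipient holding the released data cannot reverse it; only the
    holder of this mapping can.
    """

    def __init__(self) -> None:
        self._identity_by_code: dict[str, dict[str, Any]] = {}

    def issue_code(self, record: dict[str, Any]) -> str:
        code = secrets.token_hex(16)
        self._identity_by_code[code] = {
            f: v for f, v in record.items() if f in SAFE_HARBOR_IDENTIFIERS
        }
        return code

    def re_identify(self, code: str, released: dict[str, Any]) -> dict[str, Any]:
        restored = {f: v for f, v in released.items() if f != "reid_code"}
        restored.update(self._identity_by_code[code])  # KeyError for an unknown code
        return restored


def prepare_release(record: dict[str, Any], vault: ReidentificationVault, *,
                    limited_data_set: bool = False) -> dict[str, Any]:
    """De-identify ``record`` for release and attach a re-identification code."""
    released = de_identify(record, limited_data_set=limited_data_set)
    released["reid_code"] = vault.issue_code(record)
    return released


# Constructed sample record with fictional values; not real patient data.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Example",
    "street_address": "12 Main St",
    "city": "Springfield",
    "zip_code": "00000",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-0001",
    "dates": {"admission": "2002-10-01", "discharge": "2002-10-04"},
    "ip_address": "192.0.2.10",
    "diagnosis_code": "J18.9",
    "age": 42,
}

if __name__ == "__main__":
    vault = ReidentificationVault()
    safe_harbor = prepare_release(SAMPLE_RECORD, vault)
    limited = prepare_release(SAMPLE_RECORD, vault, limited_data_set=True)
    print("safe harbor:", safe_harbor)
    print("limited data set:", limited)
    print("restored:", vault.re_identify(safe_harbor["reid_code"], safe_harbor))
```

residual_identifiers() is the check to run before any data leaves the entity. For a limited data set, what binds the recipient not to re-identify or contact individuals is the data use agreement, not the code: the retained dates and zip codes are exactly why a limited data set is still PHI.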
Use and Disclosure - Rules
Minimum Necessary: Intended to restrict access to, and use and disclosure of, PHI to the minimum amount of information necessary to perform the requested action
– The “minimum necessary” standard does NOT apply to:
  • Disclosures to, or requests by, providers for treatment purposes;
  • Disclosures directly to the patient;
  • Uses or disclosures for which the individual has signed an authorization;
  • Uses or disclosures required to comply with the HIPAA transactions standards;
  • Disclosures to DHHS that are needed in order to enforce HIPAA;
  • Uses or disclosures that are required by other law.
– Minimum necessary requirements remain in effect to protect the individual's privacy for most other uses and disclosures
– The minimum necessary standard is not intended to impede disclosures necessary for workers' compensation programs
Use and Disclosure - Rules
Research: Covered entities may use or disclose protected health information for research purposes without authorization provided that either:
– The organization has received IRB or privacy board approval for a waiver of patient authorization:
  • The IRB or privacy board decision and the waiver criteria must be documented;
  • No more than minimal risk exists to individuals from the use or disclosure of their information, and their privacy rights and welfare will not be adversely affected;
  • No other practicable method exists for conducting the research absent the waiver or access to the protected information;
  • The information will be adequately protected and will not be reused or disclosed to others, and identifiers will be destroyed at the earliest opportunity
– Or the use is preparatory to research:
  • The researcher is using the information solely for preparing a research protocol;
  • The information will not be removed from the covered entity;
  • The information sought is necessary for the research purposes
Use and Disclosure - Rules
Marketing Activities:
– Covered entities are required to obtain an individual's prior written authorization to use his or her protected health information for marketing purposes, except:
  • for a face-to-face encounter, or
  • a communication involving a promotional gift of nominal value
– Covered entities are prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for the marketing activities of the third party, without the individual's authorization
– Doctors and other covered entities communicating with patients about treatment options or the covered entity's own health-related products and services are not considered to be marketing
  • For example, health care plans can inform patients of additional health plan coverage and value-added items and services, such as discounts for prescription drugs or eyeglasses.
Use and Disclosure - Rules
Fundraising:
– A covered entity may use, or disclose to a business associate or to an institutionally related foundation, certain protected health information (name, address, phone number, date of episode) for the purpose of raising funds for its own benefit, without an authorization
Verification Requirements:
– Prior to any disclosure, a covered entity must verify the identity and authority of any person requesting protected health information, if the identity and/or authority are not already known to it
Use and Disclosure - Impacts
In Summary:
The final rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care while providing covered entities with the option of developing a consent process that works for that entity.
The rule also allows consent requirements already in place to continue.
Covered entities can disclose protected health information for the treatment and payment activities of another covered entity or a health care provider, and for certain health care operations of another covered entity
A covered entity may use and disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure
Notice of Privacy Practices
Rules / Impacts
Notice of Privacy Practices - Rules
Content of Notice:
– Must provide a written Notice in plain language that contains:
  • Header: “This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
  • Uses and disclosures (for example treatment, third-party audits and special studies)
  • Separate statements for certain uses or disclosures
  • Individual rights
  • Covered entity's duties
  • Optional element: if the covered entity elects to limit the uses or disclosures it is permitted to make, it may describe those more limited practices
Revisions to the Notice:
– Must promptly revise and distribute its Notice whenever there is a material change to the uses and disclosures
Notice of Privacy Practices - Rules
Specific Requirements:
– Must be provided no later than the date of the first service delivery, including service delivered electronically
– In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation
– Except in an emergency treatment situation, a covered entity must make a good faith effort to obtain a written acknowledgement of receipt of the Notice
– If the acknowledgment is not obtained, a covered entity must document its good faith efforts and the reason the acknowledgment was not obtained
– A covered entity must document compliance with the notice requirements by retaining copies of the Notices it issued and any written acknowledgments of receipt, or documentation of good faith efforts to obtain such written acknowledgements
Notice of Privacy Practices - Rules
Provision of Notice:
– Notice must be made available upon request
– Health plans must provide Notice:
  • no later than the compliance date for the health plan
  • at the time of enrollment
  • within 60 days of a material revision of the Notice
  • at least once every three years, remind individuals of the availability of the Notice and how to obtain it
– Healthcare Providers must provide Notice:
  • no later than the date of the first service delivery
  • have the Notice available at the physical service delivery site
  • post the Notice in a clear and prominent location
  • upon revision, make the revised Notice available
– Electronic Notice:
  • E-mail notification is acceptable if the individual has agreed to receive the Notice electronically
  • If the covered entity knows the e-mail transmission failed, a paper copy of the Notice must be provided
Notice of Privacy Practices - Rules
Joint Notice by Separate Covered Entities:
– Covered entities who participate in an organized health care arrangement may comply with the Notice provisions by issuing a joint Notice, provided they:
  • Abide by the terms of the Notice with respect to PHI created or received by the covered entity
  • Provide Notice of revisions
  • Describe the covered entities to which the joint Notice applies
Notice of Privacy Practices - Impacts
In Summary:
DHHS makes changes to protect privacy while eliminating barriers to treatment by strengthening the notice requirement and making consent for routine health care delivery purposes (known as treatment, payment, and health care operations) optional
The rule requires covered entities to provide patients with notice of the patient's privacy rights and the privacy practices of the covered entity
The strengthened notice requirement requires direct treatment providers to make a good faith effort to obtain the patient's written acknowledgement of the notice of privacy rights and practices
Patient Rights
Rules / Impacts
Patient Rights - Rules
Under this section, patients have the following rights:
– Access to their Protected Health Information
– Request amendments to their Protected Health Information
– Request restriction of uses and disclosures:
  • Of PHI to carry out treatment, payment, and/or healthcare operations
  • The covered entity is not required to agree to a restriction
  • If a restriction is agreed to, the covered entity may not use or disclose the restricted PHI except for emergency treatment, and must request that the emergency provider not further disclose that information
  • Terminating a restriction:
    – may terminate if the individual agrees to or requests termination in writing
    – if the individual agrees orally, the oral agreement is documented in writing
    – after the covered entity has notified the individual in writing (the termination then applies only to PHI created or received after the notification)
  • Documentation:
    – a covered entity must place its agreement to a restriction in writing
Patient Rights - Rules
Accounting of Disclosures:
– The authorization process itself adequately protects individual privacy by assuring that the individual's permission is given both knowingly and voluntarily.
– The final rule therefore exempts disclosures made pursuant to an authorization from the accounting requirements.
– The final rule also exempts from the accounting requirements incidental disclosures, and disclosures that are part of a limited data set.
– The rule provides a simplified alternative approach for accounting for multiple research disclosures, which includes providing a description of the research for which an individual's protected health information may have been disclosed and the researcher's contact information
Confidential Communications Requirements:
– The covered entity must accommodate reasonable requests by the individual to receive communications of PHI by alternative means or at alternative locations
  • A health plan may require a statement that disclosure by the usual means could endanger the individual; a provider may not require an explanation
  • Requests may be made under extreme circumstances or when the individual is incapacitated in some way
Patient Rights - Impacts
In Summary:
– Individuals have the right to request access to their PHI, request amendments and receive an accounting of disclosures from the covered entity
– Prompt action must be taken on a request (no later than 30 days)
– Covered entities must determine the grounds for any denial of an access request
– Access must be provided in a way that accommodates individuals in a confidential setting
– Fees may be assessed for reasonable costs (copying, postage, etc.)
– Organizations must have a procedure for complaints about access decisions
– Documentation must be kept for all processing of requests
Administrative Requirements
Rules / Impacts
Administrative Requirements - Rules
Personnel Designations:
– Covered entities must designate a Privacy Official
– Contact person/office responsible for receiving complaints
– Must document personnel designations
Privacy Awareness Training:
– Must train all members of the workforce on the privacy policies and procedures (P&P's)
– Training must occur before the compliance date, 4/14/2003
– All training must be documented
Safeguards:
– Administrative (example: policies and procedures)
– Technical (example: passwords)
– Physical safeguards (example: office locks, access areas)
– Must reasonably safeguard PHI from any intentional or unintentional use or disclosure in violation of the rule
Administrative Requirements - Rules
Complaints to the Covered Entity:
– Must have a process for individuals to make complaints
– Document received complaints and their disposition
– A complaint procedure must be in place regarding the covered entity's policies and procedures
Sanctions:
– Must have and apply sanctions against members of its workforce for violations or breaches of policies/procedures
– All sanctions that are applied must be documented
  • Examples: oral reprimand, written warning and/or termination
Mitigation:
– A covered entity must mitigate, to the extent practicable, any harmful effect known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures
Administrative Requirements - Rules
Refraining From Intimidating or Retaliatory Acts:
– A covered entity must not intimidate, threaten, coerce, discriminate against or take other retaliatory action against:
  • Individuals for exercising any right under, or participating in any process established by, the Privacy Rule
  • Individuals and others for filing a complaint, testifying, assisting or participating in an investigation, compliance review, proceeding or hearing
Waiver of Rights:
– A covered entity may not require individuals to waive their rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits
Administrative Requirements - Impacts
Policies and Procedures:
– Must implement policies and procedures with respect to PHI
– Changes to policies and procedures are necessary to comply with changes in law
– Changes in law must be promptly documented within the covered entity's policies and procedures
– Changes to privacy practices stated in the Notice must be documented
Documentation:
– Maintain the policies and procedures in written or electronic form
– Must retain a copy of the documentation for 6 years from the date of its creation or the date when it was last in effect, whichever is later
Summary
Summary / The Bottom Line / Questions
Summary
The biggest areas of impact of HIPAA Privacy on an organization:
– Developing and documenting policies and procedures
– Designating a privacy official
– Identifying and contracting with business associates
– Developing, distributing and acknowledging patient receipt of the Notice of Privacy Practices
– Capturing, and providing patients access to, the uses and disclosures of their health information not for treatment, payment or healthcare operations
– Training workforce members who have access to patient-identifiable information
– Altering the oral communication culture of the organization
The Bottom Line
Compliance will be required by April 14, 2003
Civil monetary and criminal penalties for breach of privacy; the criminal penalties for wrongful disclosure are:
– If knowingly obtaining or disclosing information
  • up to $50,000 and/or up to 1 year imprisonment
– Under false pretenses
  • up to $100,000 and/or up to 5 years imprisonment
– With intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm
  • up to $250,000 and/or up to 10 years imprisonment
DHHS has delegated responsibility to the Department's Office for Civil Rights
– Includes responsibility for enforcement
– A comprehensive Enforcement Rule is still expected, encompassing all of the Administrative Simplification provisions
Questions / Comments?