Proprietary and confidential and may not be reproduced or distributed without the express consent of Cap Gemini Ernst & Young U.S. LLC and Ernst & Young LLP
HIPAA Executive Office Training January 2003
Cindy Fillman
Department of Public Welfare
Office of General Counsel
HIPAA – How did we get here?
Health Insurance Portability and Accountability Act
Required the Secretary of HHS to promulgate standards implementing the Administrative Simplification portion of the law (standard transactions).
Intended to “improve the efficiency and effectiveness of the health care system.”
Requires protection of security and privacy of Protected Health Information (PHI) maintained electronically and otherwise.
HIPAA – How did we get here?
REGULATIONS
Electronic Transactions and Code Sets
Unique Employer Identifier
National Provider Identifier
Security and Electronic Signature
Privacy
COVERED ENTITIES
• Health care providers who engage in covered transactions
• Health plans
Includes Medicare and Medicaid and other specified government programs
Includes government programs that do not fall within the specific exclusion for programs:
Whose principal purpose is other than providing or paying the cost of health care, OR
Whose principal activity is the direct provision of health care or the making of grants to fund the direct provision of health care
• Health care clearinghouses
BUSINESS ASSOCIATES
A person or entity who, on behalf of a Covered Entity:
Uses,
Accesses, or
Rediscloses
PHI either:
To provide services to the Covered Entity, OR
To perform or assist in the performance of a function or activity for, or on behalf of, the Covered Entity
DPW Priorities
How the Department Prioritized
Definitions assigned to DPW (a Hybrid Covered Entity that is part of an Affiliated Covered Entity) and to Counties, Contractors and other Business Partners (Business Associates)
The Master Client Index drove some of the decision making
What are we doing?
Appointing Privacy Officials for affected Offices/Bureaus.
Training all members of the workforce
Drafting policy and procedures and beginning new business practices
Rewriting Contracts and Quasi-Contracts (Business Associate Language)
Drafting/Revising Consents and Authorizations
Documenting Decisions and Activities
Training
Committee comprised of personnel of impacted bureaus
Basic format created by the committee
Combination training to allow for flexibility
Kickoff-October-December
Computer and Blended Training-April
Stand up (job specific)-June
Policy and procedures
High level HIPAA Handbook
Adaptations made by each program office to meet their own needs
Business process changes to be phased in by April, 2002.
Privacy Standards
Purpose: To safeguard the privacy of health information by setting rules on the use and disclosure of individuals’ protected health information (PHI)
Applies to: Covered entities and business associates who use, store, maintain, transmit, or dispose of patient health information in any form (verbal, written, or electronic)
Privacy Standards (PHI)
Individually identifiable
About an individual’s physical or mental health or condition
About provision of or payment for health care
Created or received by a provider, health plan, clearinghouse, or employer
Transmitted or maintained in any medium (verbal, written, or electronic)
Privacy Standards
Outline individual rights regarding PHI and obligations of providers, health plans, clearinghouses and business associates
Give consumers greater control over the use and disclosure of PHI
Restrict certain uses and disclosures of PHI by plans, providers, and clearinghouses, unless authorized by the patient or permitted by law
Privacy Standards
Rules restrict use and sharing of PHI
Higher security and protection levels
Greater individual control and access
Greater accountability
Rules apply to covered entities
Compliance deadline is April 14, 2003
Limit disclosures to the “minimum necessary”
Minimum Disclosure
Except for medical treatment, release of PHI must be kept to the minimum amount necessary to accomplish the purpose of disclosure
We must determine the minimum amount needed
Privacy Obligations
Plans and providers must create privacy-conscious business practices and disclose only the minimum information required
Department must:
ensure internal protection of PHI
monitor external disclosures of PHI
complete employee training, and
establish procedures for addressing clients’ privacy complaints
Privacy Obligations
Plans and providers must inform clients of their business practices (privacy notice)
Providers must obtain written consent from a client to use or disclose PHI, even if just for routine uses for treatment, payment, or operations
A separate, specific authorization is required for non-routine disclosure
Consent vs. Authorization
Consents cover T/P/O; authorizations cover most other uses and disclosures
Authorizations are for specific disclosures
A provider may refuse to treat without consent; it cannot refuse to treat a patient who won’t sign an authorization
Use and Disclosure
A Covered Entity may use or disclose PHI without consent, an authorization, or giving an opportunity to agree or object, including:
• For the payment activities of other CEs or providers who are not CEs, and for certain healthcare operations of other CEs.
• When required by law
• For public health activities
• Reporting domestic violence or abuse and neglect
• For health oversight activities
• For judicial and administrative proceedings in response to a court order, or in response to a subpoena or discovery request if certain assurances are obtained
De-Identified Information
De-Identified Information is not subject to HIPAA requirements
A Covered Entity may determine that health information is not individually identifiable by:
Obtaining an opinion, from a person experienced with generally accepted statistical and scientific principles and methods for de-identifying information, that the information is not identifiable, OR
Removing specified identifiers of the individual or of relatives, employers, or household members
De-Identified Information
Names
All geographic subdivisions (address, zip code)
All elements of dates (incl. birthdate and date of admission)
Telephone/Fax numbers
E-mail addresses
SSN
Medical record number
Health plan number
Account number
Certificate/license number
VIN/serial number
Device identifier/serial #
URL
IP address
Biometric identifiers (voice/finger prints)
Photos
Other unique characteristics
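The identifier list above is the “remove specified identifiers” route to de-identification. The following is an added example, not part of the original training deck or of any DPW system, showing one way to apply that list to a record: drop the fields that hold the listed identifiers, remove every date field, and scrub the same values (plus SSN, phone, e-mail, URL, IP, date and ZIP patterns) out of free-text notes, where identifiers routinely leak. The field names, the sample record and the bracketed placeholder labels are all assumptions chosen for illustration. The handling of ages over 89 is a Safe Harbor detail that is not on the slide.

```python
"""De-identify a flat patient record by removing the identifier categories
listed on the slide. Added example; schema and sample data are hypothetical."""
import re
from copy import deepcopy

# Hypothetical field names that hold the identifiers named on the slide.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "zip", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vin", "device_serial", "url", "ip_address",
    "biometric", "photo",
}
# The slide says all elements of dates go, so date fields are removed outright.
DATE_FIELDS = {"birthdate", "admission_date", "discharge_date"}

# Patterns for identifiers that leak into free text. Order matters: longer,
# more specific shapes (SSN, phone) run before the generic 5-digit ZIP match.
FREE_TEXT_PATTERNS = [
    ("[SSN]", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("[PHONE]", re.compile(r"(?<!\d)(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[URL]", re.compile(r"\bhttps?://\S+")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[DATE]", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("[ZIP]", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def scrub_text(text: str, known_values) -> str:
    """Redact the record's own identifier values first (longest first, so an
    e-mail address is not half-eaten by a surname inside it), then the
    generic patterns."""
    for value in sorted((v for v in known_values if v), key=len, reverse=True):
        text = re.sub(rf"(?<!\w){re.escape(value)}(?!\w)", "[REDACTED]", text,
                      flags=re.IGNORECASE)
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict) -> dict:
    """Return a de-identified copy of a flat record; the input is not modified."""
    out = deepcopy(record)
    # Values of the direct-identifier fields are also search terms for the notes.
    known = [str(v) for k, v in record.items() if k in DIRECT_IDENTIFIER_FIELDS and v]
    if record.get("name"):
        # Individual name tokens, so "Jane" alone in the notes is caught too.
        known.extend(t for t in record["name"].replace(",", " ").split() if len(t) > 2)
    for key in list(out):
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS:
            del out[key]
    # Safe Harbor detail not on the slide: ages over 89 collapse to one bucket.
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90+"
    for key, value in list(out.items()):
        if isinstance(value, str):
            out[key] = scrub_text(value, known)
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Doe",
    "birthdate": "1931-03-08",
    "age": 92,
    "address": "12 Elm St, Harrisburg, PA",
    "zip": "17101",
    "phone": "(717) 555-0100",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0048213",
    "admission_date": "2003-01-14",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": ("Jane Doe (MRN-0048213) admitted 01/14/2003; contact daughter at "
              "717-555-0199 or via jane.doe@example.com. Lives in 17101."),
}

if __name__ == "__main__":
    for field, value in deidentify(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

Regex scrubbing of free text is lossy in both directions: a five-digit lab value can be mistaken for a ZIP code, and a relative’s name that is not in the structured fields passes through untouched, which is why the slide’s other route, an opinion from someone experienced in statistical de-identification, exists. The full Safe Harbor rule also permits keeping the year of a date and the first three digits of a ZIP code for areas with more than 20,000 people; this strict version removes both.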
Client Rights
Request restrictions on use and disclosure of PHI
Obtain a disclosure history
Review and copy their own medical records
Request amendments or corrections to the record
Complain to the Department and to the Secretary of DHHS if privacy rights are violated
Business Associate Agreements
Terms and Template
Other Agreements
Trading Partner
Chain of Trust
User Agreements
Enforcement
ENFORCER: Office for Civil Rights (OCR), HHS
Complaint-driven process (but OCR has indicated a willingness to provide “guidance” first).
PENALTIES:
For failure to comply – Civil Money Penalties of $100 per violation, not to exceed $25,000 per year for violations of an identical requirement
For knowingly disclosing or obtaining PHI – CRIMINAL PENALTIES
CRIMINAL PENALTIES:
Knowing only: $50,000, one year in prison, or both
False pretenses: $100,000, five years, or both
Use for commercial or personal gain or malicious harm: $250,000, ten years, or both
Practical Steps to Compliance
Shred all PHI to be discarded
Log off terminal when not in use
Do not discuss specific cases in public places
Verify fax locations
Be mindful of sharing only “minimum necessary” information
Practical Steps to Compliance
Know with whom you are sharing PHI
Report breaches to your Privacy Official
Ensure adequate safeguards and paperwork are in place
Check with IT staff to be sure dial-in is secure
Read and follow Privacy and Security Policies and Procedures