Page 1: THE HIPAA PRIVACY RULE

Page 2: What is HIPAA?

Health Insurance Portability and Accountability Act

(Passed into law in 1996)

Page 3: Four Parts of HIPAA

1. Standardized Electronic Data Interchange transactions and codes for all covered entities

2. Standards for security of data systems

3. Privacy protections for individual health information

4. Standard national identifiers for health care

Page 4: The Privacy Rule…

establishes a Federal floor of safeguards to protect the confidentiality of medical information

allows patients to make informed choices when seeking care and reimbursement for care based on how personal health information may be used

took effect on April 14, 2003

Page 5: What Does The Privacy Rule Protect?

Individually Identifiable Health Information, commonly referred to as “Protected Health Information” or “PHI”

Page 6: PHI is information transmitted in any form, oral, written, or electronic that is:

1) Created or received by a covered entity; and

2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual; and

(i) That identifies the individual; or
(ii) There is a reasonable basis to believe the information can be used to identify the individual

Page 7: Examples of PHI

•Name, address, telephone, fax, email and other contact information

•Social security number

•Health plan beneficiary number

•Medical diagnoses

•Medical records and account numbers

•Certificate and license numbers

•Photographs and images

Page 8: Who Must Comply with HIPAA?

1) Health Plans
2) Health Care Clearinghouses
3) Health Care Providers who conduct certain financial and administrative transactions electronically

These entities are commonly known as Covered Entities (CE).

Page 9: What must a covered entity do to be in compliance with HIPAA?

A. Notify patients about their privacy rights and how their information can be used

B. Adopt and implement privacy procedures

C. Train employees so they understand the privacy procedures

D. Designate a Privacy Officer

E. Secure patient records containing PHI

Page 10: Vocabulary of HIPAA

Protected Health Information (PHI) is individually identifiable health information that contains unique features or details by which the individual can be identified.

Treatment, Payment and Health Care Operations (TPO) are common uses of PHI for which HIPAA does not require an authorization.

Page 11: Vocabulary of HIPAA

Disclosure means the release, transfer, provision of access to, or divulging of information outside the entity holding the information.

Use means the sharing, employment, application, utilization, examination, or analysis of individually identifiable information within an entity.

Page 12: Notice of Privacy Practices

• Plain language

• Specified uniform header

• Description & at least one example of each type of use and disclosure made for TPO

• Description of each permitted or required use or disclosure without authorization

• Sufficient detail of each use and disclosure to put individual on notice

• Statement that all other uses or disclosures will only be made with the individual’s authorization

• Delineation of individual’s privacy rights

Page 13: New Patient’s Rights

• Right to written Notice of Privacy Practices (NPP) that informs consumers how PHI will be used and to whom it is disclosed

• Right of timely access to see and copy records for reasonable fee

• Right to request amendment of record

• Right to restrict access and use

• Right to an accounting of disclosures

• Right to revoke authorization

Page 14: Requests for Amendment

A patient may request, in writing, to have health information or a record about the patient amended.

The CE does not have to agree to the amendment; however, the request to amend becomes a part of the patient’s medical record.

Page 15: Requests for Restrictions

Patients may request, in writing, a restriction or limitation on the health information that a CE uses or discloses.

The CE is not required to agree to the restriction.

Page 16: Accounting of Disclosures

Patients are entitled to request a list of people and organizations who have received their PHI.

Patients must submit a written Request for Accounting of Disclosures.

A CE must respond to a patient’s request for an accounting within 60 days of receipt of the request.

Page 17: The accounting of disclosures should include disclosures…

• Required by law

• For public health activities

• About victims of abuse, neglect or domestic violence

• For health oversight activities

• For judicial and administrative proceedings

• For law enforcement purposes

• For research purposes (if authorization was waived)

• For specialized government functions

• For workers’ compensation

Page 18: AUTHORIZATION…

Is a detailed document that gives covered entities permission to use PHI for specified purposes.

Is required for the use and disclosure of PHI not otherwise allowed by the Privacy Rule

Does not apply to TPO

Does not apply to uses and disclosures required by law

May be revoked at any time in writing

Page 19: Authorization Requirements

An authorization must describe:

• the PHI to be used and disclosed;

• the person authorized to make the use or disclosure;

• the person to whom the covered entity may make the disclosure;

• an expiration date; and

• the purpose for which the information may be used or disclosed.

Page 20: Minimum Necessary Standard

HIPAA requires covered entities to take reasonable steps to disclose only the information that is necessary for the purpose for which the disclosure is to be made (i.e. the minimum necessary amount of information).

Page 21: Minimum Necessary Does Not Apply To:

• Treatment

• Disclosures to the individual who is the subject of the PHI

• Uses or disclosures made pursuant to an individual’s authorization

• Uses or disclosures that are required by law

Page 22: Do I need to know?

Ask yourself:

• Do I need this information to do my job and provide good patient care?

• What is the least amount of information I need to do my job?

Page 23: Incidental Disclosure

A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure.

Page 24: EXAMPLE

Miguel shares a semi-private room with Victor. Dr. Nixon, Miguel’s doctor, comes in to talk to Miguel. Dr. Nixon draws the curtain between the two patients. During this bedside consult, Victor overhears Dr. Nixon say that Miguel needs a hernia operation.

Page 25: Protecting Patient Privacy “Do’s”

Do:

• Close curtains and speak softly when discussing treatments in semi-private rooms

• Log off of the computer when you are finished

• Dispose of patient information by shredding or storing in locked containers for destruction

• Clear patient information off of your desk when you leave your desk

Page 26: Protecting Patient Privacy “Don’ts”

Don’t:

• Tell anyone what you overhear about a patient

• Discuss a patient in public areas such as elevators, hallways, or cafeterias

• Look at information about a patient unless you need it to do your job

Page 27: Rules for Using Computers

• Keep your password a secret

• Do not log in using someone else’s password

• Log off of the computer when you are finished using it

• Turn the computer screen away from public view

• Do not remove equipment, disks, or software without permission

Page 28: Rules for Using Faxes

Sending:

• Call the intended recipient before sending the fax

• Double-check the fax number before sending

• Use cover sheets for faxes

Receiving:

• Tell the person faxing information to alert you when he/she is about to send the fax

• Take faxes off of the machine immediately

• Do not let faxed patient information lie around unattended

Page 29: Business Associate

A person or entity that performs a function or activity on behalf of a CE that requires the creation, use or disclosure of PHI but who is not considered part of the CE’s workforce.

Page 30: Business Associates

Must be helping the covered entity carry out its health care functions

Must have a written contract or agreement with the covered entity that assures that they will appropriately safeguard any PHI they receive or create

Page 31: HIPAA’s Impact on Research Activities

• NO ONE is permitted to use PHI for research without complying with the new HIPAA requirements

• These HIPAA requirements are entirely separate from the existing federal human subject research regulations.

Page 32: Please Note:

The Privacy Policies and Procedures do not replace or override other rules or procedures established by the Institutional Review Board (“IRB”). Both must be complied with in order to conduct human subject research.

Page 33: State Law vs. HIPAA

If there is a conflict or inconsistency between an applicable state law and the HIPAA Privacy Rule, follow the law that provides the patient:

Greater privacy rights,

Greater access to information, or

Greater privacy protections.

Page 34: Penalties for Privacy Violations

Civil Penalties under HIPAA: Maximum fine of $25,000 per violation

Criminal Penalties under HIPAA: Maximum of 10 years in jail and/or a $250,000 fine for serious offenses

Organization Actions: Employee disciplinary actions including suspension or termination for violations of UNM’s policies and procedures

Page 35: The Privacy Rule Requirement

You may not retaliate against or intimidate an employee who files a HIPAA complaint.

Page 36: TEST YOUR KNOWLEDGE!

Page 37: CASE STUDY

Lori, a nurse who works on 5-West, has a lot of access to PHI. Terri, a nurse who works on 4-North, learns that her friend and elderly neighbor, Ms. Pate, was admitted to 5-West. Terri is concerned and wants to help so she asks Lori to see Ms. Pate’s medical record. Together, they review and discuss their findings.

Page 38: CASE STUDY

In deep conversation, Drs. Andrews and Day enter a crowded elevator and continue discussing a code yellow. Their conversation is quite detailed and graphic, but never mentions the patient’s name. Engaged in their conversation, they do not notice the onlookers intently listening to their conversation.