THE HIPAA PRIVACY RULE

What is HIPAA?
Health Insurance Portability and Accountability Act
(Passed into law in 1996)
Four Parts of HIPAA
1. Standardized Electronic Data Interchange transactions and codes for all covered entities
2. Standards for security of data systems
3. Privacy protections for individual health information
4. Standard national identifiers for health care
The Privacy Rule…
• establishes a Federal floor of safeguards to protect the confidentiality of medical information
• allows patients to make informed choices when seeking care and reimbursement for care based on how personal health information may be used
• took effect on April 14, 2003
What Does The Privacy Rule Protect?
Individually Identifiable Health Information, commonly referred to as “Protected Health Information” or “PHI”

PHI is information transmitted in any form, oral, written, or electronic that is:
1) Created or received by a covered entity; and
2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual; and
   (i) That identifies the individual; or
   (ii) There is a reasonable basis to believe the information can be used to identify the individual
Examples of PHI
• Name, address, telephone, fax, email and other contact information
• Social security number
• Health plan beneficiary number
• Medical diagnoses
• Medical records and account numbers
• Certificate and license numbers
• Photographs and images
Who Must Comply with HIPAA?
1) Health Plans
2) Health Care Clearinghouses
3) Health Care Providers who conduct certain financial and administrative transactions electronically
These entities are commonly known as Covered Entities (CE).
What must a covered entity do to be in compliance with HIPAA?
A. Notify patients about their privacy rights and how their information can be used
B. Adopt and implement privacy procedures
C. Train employees so they understand the privacy procedures
D. Designate a Privacy Officer
E. Secure patient records containing PHI
Vocabulary of HIPAA
Protected Health Information (PHI) is individually identifiable health information that contains unique features or details by which the individual can be identified.
Treatment, Payment and Health Care Operations (TPO) are common uses of PHI for which HIPAA does not require an authorization.

Vocabulary of HIPAA
Disclosure means the release, transfer, provision of access to, or divulging of information outside the entity holding the information.
Use means the sharing, employment, application, utilization, examination, or analysis of individually identifiable information within an entity.
Notice of Privacy Practices
• Plain language
• Specified uniform header
• Description & at least one example of each type of use and disclosure made for TPO
• Description of each permitted or required use or disclosure without authorization
• Sufficient detail of each use and disclosure to put individual on notice
• Statement that all other uses or disclosures will only be made with the individual’s authorization
• Delineation of individual’s privacy rights
New Patient’s Rights
• Right to written Notice of Privacy Practices (NPP) that informs consumers how PHI will be used and to whom it is disclosed
• Right of timely access to see and copy records for reasonable fee
• Right to request amendment of record
• Right to restrict access and use
• Right to an accounting of disclosures
• Right to revoke authorization
Requests for Amendment
A patient may request, in writing, to have health information or a record about the patient amended.
The CE does not have to agree to the amendment; however, the request to amend becomes a part of the patient’s medical record.
Requests for Restrictions
Patients may request, in writing, a restriction or limitation on the health information that a CE uses or discloses.
The CE is not required to agree to the restriction.
Accounting of Disclosures
Patients are entitled to request a list of people and organizations who have received their PHI.
Patients must submit a written Request for Accounting of Disclosures.
A CE must respond to a patient’s request for an accounting within 60 days of receipt of the request.

The accounting of disclosures should include disclosures…
• Required by law
• For public health activities
• About victims of abuse, neglect or domestic violence
• For health oversight activities
• For judicial and administrative proceedings
• For law enforcement purposes
• For research purposes (if authorization was waived)
• For specialized government functions
• For workers’ compensation
AUTHORIZATION…
• Is a detailed document that gives covered entities permission to use PHI for specified purposes.
• Is required for the use and disclosure of PHI not otherwise allowed by the Privacy Rule
• Does not apply to TPO
• Does not apply to uses and disclosures required by law
• May be revoked at any time in writing
Authorization Requirements
An authorization must describe:
• the PHI to be used and disclosed;
• the person authorized to make the use or disclosure;
• the person to whom the covered entity may make the disclosure;
• an expiration date; and
• the purpose for which the information may be used or disclosed.
Minimum Necessary Standard
HIPAA requires covered entities to take reasonable steps to disclose only the information that is necessary for the purpose for which the disclosure is to be made (i.e. the minimum necessary amount of information).

Minimum Necessary Does Not Apply To:
• Treatment
• Disclosures to the individual who is the subject of the PHI
• Uses or disclosures made pursuant to an individual’s authorization
• Uses or disclosures that are required by law
Do I need to know?
Ask yourself:
• Do I need this information to do my job and provide good patient care?
• What is the least amount of information I need to do my job?
Incidental Disclosure
A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure.

EXAMPLE
Miguel shares a semi-private room with Victor. Dr. Nixon, Miguel’s doctor, comes in to talk to Miguel. Dr. Nixon draws the curtain between the two patients. During this bedside consult, Victor overhears Dr. Nixon say that Miguel needs a hernia operation.
Protecting Patient Privacy “Do’s”
Do:
• Close curtains and speak softly when discussing treatments in semi-private rooms
• Log off of the computer when you are finished
• Dispose of patient information by shredding or storing in locked containers for destruction
• Clear patient information off of your desk when you leave your desk
Protecting Patient Privacy “Don’ts”
Don’t:
• Tell anyone what you overhear about a patient
• Discuss a patient in public areas such as elevators, hallways, or cafeterias
• Look at information about a patient unless you need it to do your job
Rules for Using Computers
• Keep your password a secret
• Do not log in using someone else’s password
• Log off of the computer when you are finished using it
• Turn the computer screen away from public view
• Do not remove equipment, disks, or software without permission
Rules for Using Faxes
Sending:
• Call the intended recipient before sending the fax
• Double-check the fax number before sending
• Use cover sheets for faxes
Receiving:
• Tell the person faxing information to alert you when he/she is about to send the fax
• Take faxes off of the machine immediately
• Do not let faxed patient information lie around unattended
Business Associate
A person or entity that performs a function or activity on behalf of a CE that requires the creation, use or disclosure of PHI but who is not considered part of the CE’s workforce.

Business Associates
• Must be helping the covered entity carry out its health care functions
• Must have a written contract or agreement with the covered entity that assures that they will appropriately safeguard any PHI they receive or create
HIPAA’s Impact on Research Activities
• NO ONE is permitted to use PHI for research without complying with the new HIPAA requirements
• These HIPAA requirements are entirely separate from the existing federal human subject research regulations.

Please Note:
The Privacy Policies and Procedures do not replace or override other rules or procedures established by the Institutional Review Board (“IRB”). Both must be complied with in order to conduct human subject research.
State Law vs. HIPAA
If there is a conflict or inconsistency between an applicable state law and the HIPAA Privacy Rule, follow the law that provides the patient:
• Greater privacy rights,
• Greater access to information, or
• Greater privacy protections.
Penalties for Privacy Violations
Civil Penalties under HIPAA: Maximum fine of $25,000 per violation
Criminal Penalties under HIPAA: Maximum of 10 years in jail and/or a $250,000 fine for serious offenses
Organization Actions: Employee disciplinary actions including suspension or termination for violations of UNM’s policies and procedures

The Privacy Rule Requirement
You may not retaliate against or intimidate an employee who files a HIPAA complaint.
TEST YOUR KNOWLEDGE!
CASE STUDY
Lori, a nurse who works on 5-West, has a lot of access to PHI. Terri, a nurse who works on 4-North, learns that her friend and elderly neighbor, Ms. Pate, was admitted to 5-West. Terri is concerned and wants to help so she asks Lori to see Ms. Pate’s medical record. Together, they review and discuss their findings.
CASE STUDY
In deep conversation, Drs. Andrews and Day enter a crowded elevator and continue discussing a code yellow. Their conversation is quite detailed and graphic, but never mentions the patient’s name. Engaged in their conversation, they do not notice the onlookers intently listening to their conversation.