HIPAA Enforcement Training for State Attorneys General


HIPAA Privacy Fundamentals

Module Introduction

This module of the Health Insurance Portability and Accountability Act (HIPAA) Enforcement Training for State Attorneys General (SAG) provides:
- Terms and concepts used in the HIPAA Privacy Rule
- An overview of the requirements of the HIPAA Privacy Rule
- A description of certain changes to the Rule made under the ARRA/HITECH Act of 2009
- Questions to ask when conducting an investigation

Module Objectives

After completing this module, you will be able to:
- Define terms used in the HIPAA Privacy Rule
- Summarize the requirements of the HIPAA Privacy Rule
- Describe the Privacy Rule's administrative requirements for covered entities and business associates
- Develop investigatory questions to apply to your cases

Lesson 1: HIPAA Privacy Rule Concepts and Definitions

Lesson 1: Objectives

After completing this lesson, you will be able to:
- Define terms used in the HIPAA Privacy Rule
- Apply this terminology when investigating HIPAA violations

Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule

Use and Disclosure of PHI
Covered entities may only use or disclose PHI as permitted or required by the Privacy Rule.
- Use is the sharing, employment, application, utilization, examination, or analysis of information within the entity.
- Disclosure is the release, transfer, provision of access to, or divulging in any other manner of information outside the entity.
References: 45 CFR 160.103, 164.502

Covered Entities
A covered entity is:
- A health plan
- A health care clearinghouse
- A health care provider who transmits any health information in electronic form in connection with a covered transaction (one for which the Secretary of HHS has adopted standards)

Organizational Structures
Covered entities may be organized using structures that affect their obligations under the HIPAA Privacy and Security Rules. Organizational structures include:
- Hybrid entities
- Affiliated Covered Entities (ACEs)
- Organized Health Care Arrangements (OHCAs)

Hybrid Entities
A hybrid entity is a single legal entity:
- That is a covered entity
- Whose business activities include both covered and non-covered functions, and
- That designates its health care components in accordance with the HIPAA Privacy Rule

Hybrid Entities (continued)
Hybrid entities may designate parts of themselves as health care components. The health care components must:
- Comply with the HIPAA Privacy and Security Rules
- Refrain from disclosing PHI inappropriately, including to another component of the hybrid entity: a health care component may disclose PHI to another component of the same legal entity only where the Privacy Rule would permit that disclosure if the two components were separate legal entities
References: 45 CFR 164.103, 164.105(a)(2)(iii)

Examples of Hybrid Entities
- A state health department whose business practices include both covered and non-covered functions
- A correctional facility with a health care clinic that transmits one or more HIPAA covered transactions electronically
- A data processing center that conducts health care clearinghouse activities as well as non-health care data entry
- A university health clinic that is a HIPAA covered entity and also holds health information to which the Privacy Rule does not apply

Affiliated Covered Entities
Affiliated covered entities:
- Are legally separate covered entities under the same ownership or control
- May participate in a single HIPAA compliance program

Affiliated Covered Entities (continued)
- Must have documented their status as an affiliated covered entity
- All entities must comply with the HIPAA Privacy and Security Rules
- Common examples include chains of hospitals or clinics
Reference: 45 CFR 164.105(b)(2)

Organized Health Care Arrangements (OHCA)
Organized Health Care Arrangements (OHCAs) are organizational structures under which two or more covered entities work together.
Common examples: integrated health centers made up of independent legal entities; multiple health plans with the same sponsor.

Organized Health Care Arrangements (OHCA) (continued)
OHCA members may:
- Disclose PHI to each other for health care operations activities of the OHCA
- Use a joint notice of privacy practices
- Share a common business associate


Minimum Necessary
The minimum necessary standard limits uses, disclosures, and requests for PHI to the minimum amount of PHI needed to carry out the purpose of the use, disclosure, or request.

Minimum Necessary (continued)
Exceptions to the standard include:
- Disclosures to, or requests by, a health care provider for treatment purposes
- Uses or disclosures made to the individual or pursuant to the individual's authorization
- Disclosures to HHS for HIPAA compliance purposes
- Uses or disclosures required by law
Reference: 45 CFR 164.502(b)

Minimum Necessary (continued)
For minimum necessary uses, the standard requires covered entities to make reasonable efforts to limit access to PHI to those members of the workforce who need it, based on their roles in the covered entity.

Minimum Necessary (continued)
Minimum necessary disclosures and requests for PHI:
- For routine disclosures and requests, a covered entity must implement policies and procedures or standard protocols.
- For other disclosures and requests, the entity must review each one individually against criteria it has developed, so that the PHI disclosed is limited to what is reasonably necessary for the intended purpose.

Minimum Necessary (continued)
The Privacy Rule's safeguards standard and the Security Rule work in concert to fulfill the Privacy Rule's minimum necessary standard.

Examples of Minimum Necessary Disclosure
- When leaving a message on a patient's answering machine to confirm an upcoming doctor's appointment, there is no need to state the reason for the visit.
- When sending a bill to a health plan for payment, there is normally no need to include the results of the tests for which payment is being requested.
- When scheduling appointments, front office staff will probably not need access to a patient's entire health record.

Activity 1: National Pharmacy Chain Extends Protections for PHI (Case Study)
Working together as a group at your table, take a few minutes to read the case study. After reading the case, answer the discussion questions and provide your answers during the class review.

Case Study: A pharmacy employee placed a customer's insurance card in another customer's prescription bag. When contacted by OCR, the pharmacy argued that no inappropriate disclosure had taken place because it did not consider the customer's insurance card to contain PHI.

Discussion Questions:
1. Which is the covered entity in this case study, the pharmacy chain's headquarters or the local store? What considerations will help you make this determination?
2. Do you think the customer's insurance card was PHI?

Activity 2: Dentist Changes Process to Protect PHI (Case Study)
Working together as a group at your table, take a few minutes to read the case study. After reading the case, answer the discussion question and provide your answer during the class review.

Case Study: An OCR investigation confirmed allegations that a covered dental practice flagged some of its medical records with a red sticker bearing the word "AIDS" on the outside cover, and that records were handled so that other patients, and staff without a need to know, could read the sticker and the patient's name.

Discussion Question: Did the dentist violate the Privacy Rule?

Minimum Necessary and Limited Data Sets
Under HITECH, a covered entity is treated as in compliance with the minimum necessary standard only if it limits the use and disclosure of PHI to:
- The limited data set as currently defined in the HIPAA privacy regulations; or, if needed,
- The minimum necessary to accomplish the intended purpose
HHS will issue guidance on what constitutes minimum necessary.
Reference: ARRA/HITECH, Subtitle D, Privacy, Section 13405(b)(1)

Minimum Necessary and Limited Data Sets (continued)
A limited data set is PHI from which most direct identifiers have been removed; dates, and the geographic information the Privacy Rule allows (city, state, and ZIP code, but not street address), may remain.
- Data recipients must sign a Data Use Agreement stating that the information will be used only for the specified purposes, that no attempt will be made to re-identify it, and that it will not be re-disclosed.
- A limited data set may be used only for research, public health, or health care operations purposes.

De-identification of PHI
De-identification is the removal of certain identifiers so that the individual who is the subject of the PHI can no longer be identified. De-identified information is not PHI: it is not protected by the Privacy Rule and may be used and disclosed without restriction.

De-identification of PHI (continued)
Two methods:
- Expert determination method: a qualified expert determines, and documents, that the risk of identifying an individual from the information is very small; OR
- Safe harbor method: removal of the listed identifiers, such as:
  - Names
  - Geographic subdivisions smaller than a state (with a narrow exception for the first three digits of a ZIP code)
  - All elements of dates (except year) directly related to an individual
  - Social Security numbers
  AND the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
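The two de-identification methods above and the limited data set described earlier differ in which fields survive. The following is an added example, not material from the training deck or from HHS, showing how a safe-harbor style scrub and a limited-data-set filter treat the same record. The record layout, field names (name, ssn, mrn, dob, admit_date, notes, and so on), the sample patient, and the set of "restricted" three-digit ZIP prefixes are all assumed for illustration; only a subset of the Privacy Rule's identifier lists is modelled, so this is not a compliance checklist.

```python
"""Safe-harbor style de-identification versus a limited data set (illustrative)."""
import re
from datetime import date

# Direct identifiers removed under both methods (assumed field names; a subset
# of the identifiers listed in 45 CFR 164.514).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street"}
# Safe harbor also drops geographic units smaller than a state (city here),
# trims ZIP to three digits and reduces dates to the year. A limited data set
# keeps city/state/ZIP and full dates.
SAFE_HARBOR_GEO = {"city"}

# Assumed set of sparsely populated ZIP3 prefixes that must be reported as 000
# (the real rule derives this set from Census population counts).
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b|\b\d{3}-\d{4}\b")
DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")

TODAY = date(2024, 6, 1)  # fixed reference date so results are reproducible

# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "phone": "555-0100",
    "email": "jane@example.com",
    "street": "1 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": "1931-03-14",
    "admit_date": "2024-02-01",
    "diagnosis": "hypertension",
    "notes": "Called 555-0100 on 2024-02-03; SSN 123-45-6789 verified.",
}


def age_on(dob_iso, today):
    """Whole years between an ISO date of birth and `today`."""
    dob = date.fromisoformat(dob_iso)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def scrub_text(text, keep_dates):
    """Redact SSN and phone patterns from free text; optionally reduce dates to year."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    if not keep_dates:
        text = DATE_RE.sub(r"\1", text)
    return text


def limited_data_set(record):
    """Remove direct identifiers only; dates and city/state/ZIP remain."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["notes"] = scrub_text(record["notes"], keep_dates=True)
    return out


def safe_harbor(record, today=TODAY):
    """Strip the modelled safe-harbor identifiers and generalise ZIP, dates and age."""
    drop = DIRECT_IDENTIFIERS | SAFE_HARBOR_GEO
    out = {k: v for k, v in record.items() if k not in drop}
    zip3 = record["zip"][:3]
    out["zip"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    age = age_on(record["dob"], today)
    if age > 89:
        # Ages over 89 are aggregated; even the birth year would reveal the age.
        out["age"] = "90+"
        out.pop("dob")
    else:
        out["age"] = age
        out["dob"] = record["dob"][:4]          # year only
    out["admit_date"] = record["admit_date"][:4]  # year only
    out["notes"] = scrub_text(record["notes"], keep_dates=False)
    return out


if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("safe harbor:     ", safe_harbor(SAMPLE_RECORD))
```

Note that the free-text `notes` field is where a field-level filter usually fails: identifiers embedded in narrative text are not removed by dropping columns, which is why `scrub_text` runs under both methods. The regexes are deliberately narrow and would need extending (dates in other formats, medical record numbers, device identifiers) before they could be trusted on real data.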

Lesson 1: Recap
- A business associate performs a function or service for or on behalf of a covered entity.
- Covered entities and business associates have obligations under HIPAA regarding the use and/or disclosure of PHI.
- All organizations subject to the HIPAA Privacy Rule must request, use, or disclose only the minimum necessary PHI.
- Covered entities may be organized using structures that affect how they address the HIPAA Privacy and Security Rules, including hybrid entities, affiliated covered entities, and organized health care arrangements.

Lesson 2: HIPAA Privacy Rule

Lesson 2: Objectives

After completing this lesson, you will be able to:
- Describe the general requirements of the HIPAA Privacy Rule
- Identify uses and disclosures that may violate the Privacy Rule
- Summarize the rights of individuals under the HIPAA Privacy Rule

Topic 1: Federal Floor of Privacy Protections
The HIPAA Privacy Rule:
- Sets the federal floor for health information privacy
- Sets forth minimum privacy protections
- Establishes individual rights
- Establishes administrative requirements
- Does not prevent covered entities from establishing internal policies that provide greater protections, or that offer consumers greater rights
- Does not preempt more stringent state laws

Topic 2: Requirements for Uses and Disclosures of PHI
A covered entity must not use or disclose PHI except as specifically permitted or required by the HIPAA Privacy Rule.
Reference: 45 CFR 164.502(a)

Topic 3: Required Disclosures of PHI
The HIPAA Privacy Rule requires disclosure in two instances:
- To the individual, when the individual exercises the right to access PHI in a designated record set or the right to an accounting of disclosures
- To HHS, for HIPAA investigative and enforcement purposes
Reference: 45 CFR 164.502(a)(2)

Topic 4: Permitted Uses and Disclosures of PHI
The Rule permits uses and disclosures without individual authorization, including those:
- To the individual
- For treatment, payment, and health care operations (TPO)
- That are incidental to a permitted use or disclosure
- To business associates under a business associate agreement

Topic 4: Permitted Uses and Disclosures of PHI (continued)
Health care operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business or to support the core functions of treatment and payment.

Incidental uses and disclosures are those that:
- Are incident to another use or disclosure that is permitted or required by the Rule
- Occur even though the minimum necessary and safeguard standards have been met

Examples of incidental uses and disclosures:
- A hospital inpatient in a shared room overhears two health care providers discussing the other patient's care at her bedside.
- Hospital staff and other patients hear a patient's name when an ambulatory patient is paged.
- A visitor or non-treatment staff member at a hospital sees the name of the patient on a folder containing the patient's chart, kept immediately outside the patient's exam room.
- An administrative worker at a nurses' station sees the names of patients on a whiteboard used to inform staff which patients are in which rooms.

Uses and disclosures requiring an opportunity for the individual to agree or object include those:
- For facility directories
- To a person involved in the individual's care or in payment for that care (e.g., a friend or family member who helps with the patient's care)
- For notification and disaster relief purposes

Other uses and disclosures that do not require an authorization:
- Required by law
- Public health activities
- About victims of abuse, neglect, or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes

Other uses and disclosures that also explicitly do not require an authorization:
- About decedents
- Cadaveric organ, eye, or tissue donation
- Research purposes
- To avert a serious threat to health or safety
- Specialized government functions
- Workers' compensation

Uses and disclosures for which a written authorization is required include:
- Marketing
- Psychotherapy notes
- All uses or disclosures not otherwise permitted (examples: disclosure to a life insurer, drug test results to an employer, and disclosure of a child's physical examination results to a school)

Topic 5: Authorization
Elements of a Written Authorization
Required elements of a written authorization include:
- A specific description of the PHI to be used or disclosed
- Who may use or disclose the PHI
- To whom the PHI may be disclosed
- The purpose of the use or disclosure
- An expiration date or event
- The signature of the individual, with the date

Elements of a Written Authorization (continued)
- A statement of the right to revoke in writing, with the exceptions and instructions regarding the procedure, or a reference to the Notice of Privacy Practices if this information is there
- A statement about the covered entity's ability or inability to condition treatment, payment, eligibility, or enrollment on the authorization
- A statement that once disclosed, the PHI may no longer be protected by the HIPAA Privacy Rule, or an alternative statement if the disclosure is to another covered entity
- If the use or disclosure is for marketing purposes and the covered entity will receive remuneration, a statement to that effect

Defective Authorizations
Key questions to ask when reviewing an authorization form during the investigation of a HIPAA violation:
- Was the authorization in effect at the time of the disclosure (not expired or revoked)?
- Does it contain all the required elements to be valid?
- Is the authorization free from unlawful conditions?
- Is the authorization free of material information that the covered entity knows to be false?
If the answer to any of these questions is no, the authorization is defective, and the covered entity may not request, use, or disclose PHI on the basis of that authorization. A covered entity must retain the authorizations it acts upon.

Activity 3: Authorization Scenario
Read the scenario, and review the authorization, which is located on page 5 of your Appendix. Working with your Table Group, answer the discussion questions and provide your answers during the class review.

Scenario: An individual signs an authorization giving his health care provider permission to disclose certain information to his personal trainer at the gym. The individual is upset because the trainer learned from the medical record sent by the health care provider that he has a mental disorder, and shared that information with a friend who happened to be the individual's employer.

Discussion Questions:
1. Did the health care provider make an authorized disclosure?
2. Is this a valid authorization?

Topic 6: Individual Rights
- Notice of Privacy Practices
- Inspect and Copy
- Accounting of Disclosures
- Request Amendment
- Request Restriction
- Request Confidential Communication
- File a Complaint

Notice of Privacy Practices
A Notice of Privacy Practices for PHI provides notification to individuals that includes:
- The required header and content, in plain language
- How their PHI will be used and/or disclosed by the covered entity
- Their individual rights
- The covered entity's duties

Notice of Privacy Practices (continued)
The notice also includes:
- How the individual can file a complaint with the covered entity and/or the Secretary of HHS
- Contact information for a person or office responsible for receiving HIPAA complaints and able to provide further information about matters covered by the notice
- The effective date
There are varying distribution, acknowledgement, and posting requirements for the different types of covered entities.

Right to Inspect and Copy
The right of access enables individuals to inspect and copy their PHI in a designated record set. A designated record set is a group of records maintained by or for a covered entity, and includes:
- An individual's medical and billing records
- The enrollment, payment, claims adjudication, and case management record systems of a health plan
- Other records used by the covered entity to make decisions about individuals

Right to Inspect and Copy (continued)
The right of access does NOT apply to:
- PHI that is subject to the Clinical Laboratory Improvements Amendments of 1988 (CLIA) (note: HHS removed this exception in 2014, so laboratories are now subject to the access right)
- Psychotherapy notes
- Information compiled in reasonable anticipation of, or for use in, a legal proceeding
Certain other exceptions also apply.

Right to Inspect and Copy (continued)
The covered entity must act on a request for access no later than 30 days after receipt of the request (or within 60 days if the requested information is not maintained by or accessible to the covered entity on site; the 2013 Omnibus Rule later removed this separate off-site period). A covered entity may take only one 30-day extension of the 30 (or 60) day deadline, provided that the individual is given a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request.

Right to an Accounting of Disclosures
Individuals have a right to receive an accounting of disclosures of their PHI made by the covered entity within the past six years. With certain exceptions, this right applies to:
- Disclosures made for most public policy purposes
- Disclosures that violate the Rule and that the covered entity knows about
- Under HITECH, TPO disclosures made through an electronic health record (HHS has not issued a final rule implementing this provision)
The first accounting within a 12-month period is free of charge.

Right to Request Amendment
Individuals have the right to request that the covered entity amend their PHI in a designated record set. A covered entity may require in advance that individuals make requests for amendment in writing and provide a supporting rationale.

Right to Request Amendment (continued)
A covered entity may deny an amendment if the information the individual seeks to amend:
- Was not created by the covered entity, unless the originator is no longer available
- Is not part of the designated record set
- Would not be available under the individual's right to inspect and copy
- Is accurate and complete

Right to Request Restrictions on Uses or Disclosures
Individuals have a right to request restrictions on uses and disclosures otherwise permitted for:
- Treatment, payment, or health care operations
- Notification of, and disclosure to, family members and others involved in the individual's care
The covered entity is not required to agree to a requested restriction. If it does agree, it must document the agreement and abide by its terms, except that it may break the agreement in certain emergency treatment situations. Under HITECH, a covered entity must agree to a request to restrict disclosures to a health plan for payment or health care operations where the individual (or someone on the individual's behalf) has paid the provider out of pocket in full.

Right to Request Confidential Communications
An individual has the right to request that the covered entity communicate PHI to him or her by specified confidential means, including restricting communications to one method or receiving communications at an alternative location.
- A covered entity may require that the request be in writing.
- A covered health care provider must accommodate reasonable requests and must not require the patient to explain why the request is being made.
- A covered health plan must accommodate reasonable requests if the individual clearly states that disclosure could endanger the individual.

Lesson 2: HIPAA Privacy Rule, Topic 6: Individual Rights (continued)
Right to Request Confidential Communications (continued)
The covered entity may condition the provision of a reasonable accommodation on:
The individual specifying an alternative method of contact
The individual providing information on how payment, if any, will be handled

Lesson 2: HIPAA Privacy Rule, Topic 6: Individual Rights (continued)
Right to File a Complaint
A person who believes that a covered entity is not complying with HIPAA privacy provisions may file a complaint with the Secretary of HHS.
A covered entity must advise patients in its Notice of Privacy Practices how complaints may be filed with the Secretary and with the covered entity itself.

Lesson 2: HIPAA Privacy Rule
Activity 4: Hospital Implements New Policies for Telephone Messages (Case Study)
Take a few minutes to read the case study. As you read it, think about the patient's right to request confidential communication, and the other privacy rights that have been discussed. Working in your Table Group, answer the discussion question, and provide your answer during the class review.
Case Study: A hospital employee left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. The patient had requested that the hospital use only her office telephone number.
Discussion Question: What Privacy Rule provisions were violated?

Lesson 2: HIPAA Privacy Rule
Lesson 2: Recap
The HIPAA Privacy Rule:
Sets a federal floor of privacy protections
Is the first set of comprehensive federal health privacy protections
Restricts uses and disclosures of PHI
Provides rights for individuals who are the subject of PHI

Lesson 3: Administrative Responsibilities

Lesson 3: Administrative Responsibilities
Lesson 3: Objectives
After completing this lesson, you will be able to:
Recognize potential violations
Identify the fundamental responsibilities
Describe the relationship of business associates to covered entities
List a covered entity's administrative responsibilities related to protecting individuals' PHI

Lesson 3: Administrative Responsibilities, Topic 1: Identifying Business Associates and Executing Business Associate Agreements
A business associate is a person or entity that performs a function or activity on behalf of a covered entity, or provides certain services to a covered entity, that involves the use or disclosure of PHI. Business associates include individuals or organizations that conduct:
Legal services
Accounting services
Claims processing or administration

Lesson 3: Administrative Responsibilities, Topic 1: Identifying Business Associates and Executing Business Associate Agreements (continued)
A Business Associate Agreement (BAA) establishes the permitted and required uses and disclosures of PHI by business associates. Its purpose is to obtain promises from the business associate about how PHI may and may not be used. A BAA also authorizes the covered entity to terminate the contract or other relationship if it determines that the business associate has violated the contract's terms.

Lesson 3: Administrative Responsibilities, Topic 2: Privacy Policies and Procedures
Covered entities and business associates must institute and maintain privacy policies and procedures to protect PHI.

Lesson 3: Administrative Responsibilities, Topic 3: Privacy Officer's Roles and Responsibilities
Privacy Officer:
Responsible for the development and implementation of privacy policies and procedures
May receive complaints regarding privacy
May be able to provide information to patients on their privacy rights

Lesson 3: Administrative Responsibilities, Topic 4: Safeguards
Covered entities must:
Put in place administrative, technical, and physical safeguards to protect against intentional or unintentional use or disclosure of PHI that violates the Rule
Reasonably safeguard PHI to limit incidental uses or disclosures
HIPAA Security Rule:
Also requires administrative, technical, and physical safeguards
Provides more detail on the safeguards required
Is limited to electronic PHI (ePHI); safeguards for PHI in paper and oral form remain governed by the Privacy Rule

Lesson 3: Administrative Responsibilities, Topic 5: Established Complaint Process
Covered entities must:
Have an established complaint process
Have an established process for documentation of complaints and their resolution
Have an employee designated to receive and document complaints

Lesson 3: Administrative Responsibilities, Topic 6: Workforce Training
Covered entities must:
Provide training to their workforce
Document that the training occurred

Lesson 3: Administrative Responsibilities, Topic 7: Workforce Sanctions
Covered entities must:
Have and apply appropriate sanctions when a member of the workforce does not comply with privacy policies and procedures or with the Privacy Rule

Lesson 3: Administrative Responsibilities, Topic 8: Mitigating Harmful Effects of Improper Uses or Disclosures
Covered entities must:
Mitigate, to the extent practicable, harmful effects caused by an improper use or disclosure of a patient's PHI that is known to the covered entity

Lesson 3: Administrative Responsibilities, Topic 9: Prohibition Against Retaliatory Acts
Covered entities may not retaliate in any form against anyone who:
Files a complaint of a privacy violation
Exercises a right under the Rule
Participates in a process established by the Rule

Lesson 3: Administrative Responsibilities, Topic 10: Prohibition Against Requiring Individuals to Waive HIPAA Rights as a Condition of Payment, Treatment, Eligibility, or Enrollment
Covered entities may not require individuals to waive their HIPAA rights as a condition of receiving treatment, being found eligible for or being allowed to enroll in a health plan, or as a condition of their provider receiving payment.

Lesson 3: Administrative Responsibilities, Topic 11: Documentation
Covered entities must:
Maintain policies and procedures in paper or electronic form
If a communication is required to be in writing, maintain that writing, or an electronic copy, as documentation
If an action, activity, or designation is required to be documented, maintain a paper or electronic record of that action, activity, or designation
A covered entity must retain required documents for six years from the date of their creation or the date when they were last in effect, whichever is later.

Lesson 3: Administrative Responsibilities
Activity 5: Private Practice Changes Patient Consent Form (Case Study)
Take a few minutes to read the case study. Working in your Table Group, answer the discussion question, and provide your answer during the class review.
Case Study: A physician practice requested that patients sign an agreement entitled "Consent and Mutual Agreement to Maintain Privacy." The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment, in exchange for the physician's compliance with the Privacy Rule.
Discussion Question: Did the doctor violate any requirements or prohibitions of the Privacy Rule?

Lesson 3: Administrative Responsibilities
Lesson 3: Recap
The HIPAA Privacy Rule:
Spells out administrative responsibilities
Discusses written agreements between covered entities and business associates
Discusses the need for privacy policies and procedures
Describes employer responsibilities to train workforce members and to implement requirements regarding their use and disclosure of PHI

Lesson 4: Identifying and Investigating Potential Privacy Rule Violations

Lesson 4: Identifying and Investigating Potential Privacy Rule Violations
Lesson 4: Objectives
After completing this lesson, you will be able to:
Discuss how to identify potential Privacy Rule violations
Describe what constitutes a violation of the Privacy Rule

Lesson 4: Identifying and Investigating Potential Privacy Rule Violations, Topic 1: Events and Conditions Constituting Privacy Rule Violations
Privacy Rule questions for investigation:
Did the covered entity use or disclose PHI for a purpose other than treatment, payment, or health care operations, or other uses or disclosures permitted under 45 CFR 164.502, without proper authorization?
If an authorization was required and was executed, was it complete and valid?

Lesson 4: Identifying and Investigating Potential Privacy Rule Violations, Topic 1: Events and Conditions Constituting Privacy Rule Violations (continued)
Privacy Rule questions for investigation:
Did a use and/or disclosure requiring an opportunity for the individual to agree or to object occur without the individual's input?
Did the covered entity fail to provide an adequate notice of privacy practices?
Was an individual's right to request that the covered entity limit use or disclosure of PHI violated?

Lesson 4: Identifying and Investigating Potential Privacy Rule Violations, Topic 1: Events and Conditions Constituting Privacy Rule Violations (continued)
Privacy Rule questions for investigation:
Was an individual inappropriately denied the right to access or amend his or her PHI?
Was an individual inappropriately denied an accounting of disclosures of his or her PHI?
Was PHI provided to a business associate without an appropriate business associate agreement in place?

Lesson 4: Identifying and Investigating Potential Privacy Rule Violations, Topic 1: Events and Conditions Constituting HIPAA Violations (continued)
Privacy Rule questions for investigation:
Had the entity implemented appropriate internal protections for the PHI, such as the minimum necessary standard, and administrative standards, such as training and safeguards?

Lesson 4: Identifying and Investigating Potential Privacy Rule Violations, Topic 2: Violation of the HIPAA Privacy Rule
There are many possible fact patterns that may indicate violations of the HIPAA Rules. The following example is a strong indicator either of the absence of required policies or that existing policies were not followed. Either would be a violation of the HIPAA Privacy and Security Rules.
Example: A workforce member of a covered entity simply disposes of PHI in an unsecured, easily accessible dumpster.
Reference: 45 CFR 164.310(d)(2)(i) (Security Rule disposal standard, which applies to ePHI and the electronic media on which it is stored). Improper disposal of paper PHI falls under the Privacy Rule's safeguards requirement at 45 CFR 164.530(c).

Lesson 4: Identifying and Investigating Potential Privacy Rule Violations
Lesson 4: Recap
Key items to look for during an investigation include:
Was the PHI used or disclosed? By or to whom?
What documentation regarding the use and disclosure was maintained?
Were the other administrative requirements followed?
Were individual rights protected?
Were the requirements of the Privacy Rule met?
Answers to these questions may lead an investigator to determine that multiple violations exist.

Module Activity: State of CT Privacy Rule Violations
Working in your Table Group:
Read Section IV of the complaint, which is located on page 2 of your Appendix
Draft a list of Privacy Rule violations
Provide your answers during the class review

Module Activity: State of CT Privacy Rule Violations
Violations identified by the class include:
1.

Module Recap
The HIPAA Privacy Rule provides guidance on:
What information needs to be protected (PHI)
Who must protect PHI (covered entities, business associates)
Responsibilities in protecting PHI

Module Summary
Having completed this module, you are able to:
Define terms used in the HIPAA Privacy Rule
Summarize the requirements of the HIPAA Privacy Rule
Describe the Privacy Rule's administrative requirements for covered entities and business associates
Develop investigatory questions to apply to your case