Introduction to HIPAA Privacy



Introduction to HIPAA Privacy is published by HCPro, Inc. Copyright 2003 HCPro, Inc. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, in any form or by any means, without prior written consent of HCPro or the Copyright Clearance Center (978/750-8400). Please notify us immediately if you have received an unauthorized copy.

Contents

Introduction to HIPAA
- What you will learn in this course
- Legislative background
- Privacy concerns
- Compliance dates and timelines
- Who's covered?

Violations and Penalties
- Introduction
- Who's liable for fines?
- Publicity and special concerns
- Fines and penalties

Privacy Overview
- What is privacy?
- Who makes privacy decisions?
- A balance of interests

HIPAA Privacy Nuts and Bolts
- Elements of the HIPAA privacy regulations
- Health care operations
- Authorization
- When is authorization used?
- Permitted disclosures
- Defining the minimum necessary standard
- Who decides what is the minimum?
- De-identification

Patients' Rights under HIPAA
- Notice of Privacy Practices
- What is contained in the notice?
- Accounting of disclosures
- Patient access and amendment
- Information directories

Final exam
Answers to the Final Exam

Introduction to HIPAA

What you will learn in this course
- HIPAA is new and means a stronger approach to privacy
- What are the penalties for violations under HIPAA's privacy rule?
- Defining PHI (protected health information)
- How to apply the need to know/minimum necessary rule
- List methods for protecting patient information and confidentiality in the workplace
- What is the accounting of disclosures?
- What is the Notice of Privacy Practices?
- List six steps toward implementing the privacy rule in your organization
- Discuss the patient's right to access and amend their own records
- What is treatment, payment, and operations, and what does it mean?
- For what purposes do you need patient authorization to release information?
- What are key elements in de-identifying patient information?
- Who are covered entities under HIPAA?
- Know the required compliance dates for the implementation of HIPAA's privacy and security rules
- List key steps toward compliance with HIPAA's Proposed Information Security rule

Legislative background
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is about six years old, but the process of developing the regulations that will implement this law is still ongoing. The law was passed by Congress and signed by then-President Bill Clinton on August 21, 1996. Much of HIPAA is aimed at accomplishing what its name implies: making health insurance and health information portable as individuals move from job to job and insurer to insurer. The law standardizes the format of claims forms and other medical records to help make sure consumers have access to their health information and medical histories. But in the process of contemplating this law, Congress recognized that standardizing health information also posed risks to consumers.

Privacy concerns
One of Congress's main concerns is that with the majority of health information standardized in a single format, and with each patient assigned a national patient identifier, it would become a relatively simple matter to develop lists of individuals suffering from certain diseases or illnesses. And, as genetic testing increases the ability of physicians to predict illness, the range of information that could be garnered about people would increase. For those reasons, Congress included in HIPAA certain new information security and privacy requirements with which health care providers must comply. The Department of Health and Human Services (HHS) published the final privacy regulations effective April 2001. The final rule was established in August 2002. Compliance is required by April 14, 2003. The final security rule was established in February 2003.

Compliance dates and timelines
Providers had until April 14, 2003, to come into compliance with the HIPAA privacy rule, and two years from the effective date of the security rule to come into compliance with that rule.

Who's covered?
HIPAA standards will apply to providers who transmit health information electronically or in paper form, health plans, and all health care clearinghouses.

Violations and Penalties

Introduction
As you learn more about HIPAA, it's important to realize this regulation has teeth. It comes with its own set of penalties for individuals who fail to comply with its provisions, and as such, should not be taken lightly. HHS hopes the stiff penalties will provide incentive for hospitals and others to comply with its provisions. Under the proposed regulations, released in accordance with HIPAA, failure to comply with some or all of the provisions can lead to major fines and jail time.

It's unclear to what extent organizations will be policed for compliance with HIPAA. However, that's not a license to ignore privacy and security. Rather, it gives health care providers a chance to test their policies, procedures, and auditing mechanisms. Additionally, it is clear that agencies performing audits and accreditation surveys for other purposes will be looking out for HIPAA violations as well.

Who's liable for fines?
If a violation occurs and you get caught, who should expect to pay the price? In some cases institutions will be responsible for payment of fines; in other cases the onus will lie with one individual or a group of individuals responsible for the violation(s), according to legal experts. Institutions can be held liable if they fail to implement policies and procedures that prevent violations from occurring. This includes not only having compliant systems and secure workstations, but also creating effective policies for employees. In addition, employees need to receive instruction about their role in HIPAA compliance, and be trained to follow the institution's procedures. If a policy is in place but employees either don't know it exists or don't understand it, the institution is liable for violations.

Employees should know that there are serious consequences for policy violation, and facilities should implement discipline procedures. If a health care organization has implemented appropriate procedures and policies and has adequately educated its employees, then an individual guilty of a violation can be held personally responsible and face fines and prison. Individuals held responsible for violations will likely fall into one of two categories. An employee who steals data for sale or malicious use faces the most stringent penalties: up to $250,000 and 10 years in prison per violation. Because the definition of a violation is somewhat ambiguous, this could add up to more money and jail time, above and beyond the $250,000/10 year limit. If someone, for example either a hacker or an employee, obtains information using false pretenses such as a stolen or borrowed password, but does not have malicious intent, the penalties are less severe but still serious. In such cases the penalty is up to one year in prison and $100,000 per violation.

Publicity and special concerns
In addition to government sanctions, there are a few other HIPAA considerations to bring to the attention of institution and staff.

The release of privacy and security regulations has garnered a great deal of press attention. A health care organization can suffer from bad publicity, even for minor violations. And patient surveys have shown that privacy is a top concern of people seeking medical treatment. No one wants to go to a health care provider where they fear their privacy might be violated. These penalties can also impact physician licensing. HIPAA violations could place physicians' licenses at risk. Furthermore, violations can lead to trials and damaging publicity for individuals, as well as institutions.

Fines and penalties
HIPAA outlines the following general penalties:
- Offense: Failure to comply with any HIPAA provision. Penalties: Up to $100 per person per violation. Maximum penalty of $25,000 per person for violation of a single standard in one year.

HIPAA outlines the following wrongful disclosure penalties. The penalty for knowingly disclosing individually identifiable health information in violation of HIPAA, in which someone illegally uses a unique health identifier, or obtains identifiable health information, or discloses identifiable health information, varies depending upon what is done with the information.
- Offense: Knowing misuse of health information. Penalty: Fines of up to $50,000 and/or imprisonment for a term of up to one year.
- Offense: Knowing misuse under false pretenses. Penalty: Fines of up to $100,000 and/or imprisonment for a term of up to five years.
- Offense: Knowing misuse with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Penalty: Fines of up to $250,000 and/or imprisonment for a term of up to 10 years.

Privacy Overview

What is privacy?
A patient's privacy is protected by the professionalism of health care providers and staff. HIPAA changes the professional obligation to protect privacy into a legal obligation, which requires that health care providers refrain from releasing patient information without patient permission (except in certain restricted cases).

Who makes privacy decisions?
What's troubling providers? Consider the following example: Should a mother's right to privacy be ignored in favor of testing her baby for HIV infection in order to begin treatment immediately, thereby protecting the public good?

Yes, according to many ethicists. They would argue that a healthy society must find a way to balance competing interests and viewpoints. In the case of privacy, there are privacy advocates who view the right to privacy as an individual right and public health advocates who view health information as something the public must in some ways share to protect the common good. Health care workers will need to accept that the flexibility they once enjoyed to make decisions about sharing patient information will be largely curtailed.

A balance of interests
The HIPAA privacy standard attempts to balance the public good with the individual's right to privacy. It makes provisions for certain cases in which public interests override privacy interests. Reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention are all allowable reasons for passing on some private information to state officials. Financial audits and quality inspections can also include health information. And HHS can make further exemptions. Health care providers are limited in what they can unilaterally release, and patients must be given an absolute right to protect their information in some cases. Health care providers are allowed to use protected health information (PHI) for purposes of providing treatment and obtaining payment for services and other essential health care operations without obtaining specific patient authorization for that use. But to release further information for other purposes requires a patient to agree to a separate authorization, which he or she has the right to refuse without being denied care.

HIPAA Privacy Nuts and Bolts

Elements of the HIPAA privacy regulations
The HIPAA privacy rule will offer some significant challenges for health care providers. The following specific points are areas to consider, as they relate to your institution's existing health information privacy practices.
- Providers and insurance companies will be required to rewrite contracts with business associates, including attorneys, auditors, and consultants, to ensure that they adhere to the privacy rules.
- Patients will have the right to inspect and copy their medical records, as well as to request amendments and corrections.
- Providers will have to supply patients with a Notice of Privacy Practices, describing how their information will be used. HIPAA requires providers to make good faith efforts in obtaining patients' written acknowledgment that they received a copy of this notice.
- Health care providers and plans must tell patients how their information is being used and to whom it is being disclosed for reasons other than treatment, payment, and health care operations.
- Health care providers and plans will need to restrict the amount of information used or disclosed to the minimum necessary, in order to achieve the purpose of the use or disclosure.
- Health care providers and plans will be required to establish privacy-conscious business practices. These include training staff about privacy issues, designating a privacy official, and making sure that the appropriate safeguards are in place to protect health information.

- Individuals who violate the privacy rule will face new criminal and civil penalties. Violators who unintentionally disclose information will face civil fines of $100 per violation, up to a total of $25,000 per year. Violators who intentionally release protected health information for personal gain face criminal sanctions punishable by up to $250,000 and 10 years in prison.
- Companies that sponsor health plans will be prohibited from accessing personal health information for employment purposes. To gain this access, the employer will need specific authorization from the employee.

Health care operations
Health care operations are defined as activities considered to be in support of treatment and payment and for which PHI could be used or disclosed without individual authorization. Some of the examples provided by HIPAA include:
- Conducting quality assessment and improvement activities.
- Training future health care professionals.
- Insurance activities relating to the renewal of a contract for insurance.
- Fundraising conducted by a provider or its fundraising arm for its own benefit, providing the patient is given an opportunity to opt out.
- Population-based activities related to improving health or reducing health care costs, protocol development, case management, and care coordination.
- Business planning and development, related to managing and operating the organization.
- Resolution of internal grievances, including disclosure to an employee and/or employee representative.

Among those activities not considered health care operations are:
- Marketing of health and non-health items and services
- Disclosure of PHI for sale, rent, or barter
- Disclosure to an employer for employment determinations

Authorization
The HIPAA privacy rule prescribes a minimum set of elements to be included in all authorizations:
- A specific description of the information to be used or disclosed.
- The name or specific identification of the person(s) or class of persons that are authorized to use or disclose the PHI.
- The name or specific identification of the person(s) or class of persons to whom the covered entity is authorized to make the use or disclosure.
- An expiration date or event.
- A statement saying that the individual has the right to revoke an authorization in writing.
- An explanation that specifies that when the information is used or disclosed following the authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by the privacy rule.
- The individual's signature and the date of the signature.

Providers cannot deny treatment to patients who refuse to sign authorization forms.

When is authorization used?
The HIPAA regulations outline the instances in which an authorization is necessary. The following is an overall summary of those instances.
- Marketing. Covered entities must obtain the individual's authorization before using or disclosing PHI for marketing purposes.
- Pre-enrollment underwriting.
- Employment determinations.
- Fundraising.
- Psychotherapy notes.

Permitted disclosures
Health information can be used without patient authorization under several types of circumstances. The following is an overall summary of those instances.
- Public health activities, such as reporting diseases or collecting vital statistics, required under state and federal law
- Health oversight, including civil and criminal proceedings, inspections and audits
- Law enforcement: disclosure may be made to law enforcement officials pursuant to a warrant, subpoena, or order issued by a judicial officer
- Research: disclosure to researchers is permitted, provided an Institutional Review Board or privacy board has approved the research protocol, and the research does not involve treatment of the patient
- Health information may be disclosed to coroners, medical examiners, and funeral directors
- Disclosure is also permitted to government authorities to report, for example, domestic violence or neglect
- Providing information to organ and tissue procurement organizations

Defining the minimum necessary standard
HIPAA's privacy rule requires that covered entities use or disclose only the minimum necessary amount of PHI. "Covered entities must make reasonable efforts to use or disclose, or to request from another covered entity, only the minimum amount of protected health information required to achieve the purpose of the particular use or disclosure," the regulation states. The minimum necessary clause means that, when PHI is used, disclosed, or requested, the covered entity must make reasonable efforts to determine how much information will be sufficient to serve the intended purpose. An exception has been added for disclosures to or requests from a health care provider for treatment. And the rule exempts any uses or disclosures for which the covered entity has received an authorization.

Who decides what is the minimum?
The best way to make minimum necessary determinations is to see whether you can use the information in de-identified form and still achieve your purpose. Consider the following factors when making minimum necessary determinations:
- The amount of information to be used or disclosed
- Whether the use increases the number of people who are likely to have access to that information
- The importance of the use or disclosure
- The likelihood that further uses or disclosures could occur

De-identification
In certain cases, providers may use PHI without patient authorization if the information is de-identified, that is, if the information does not identify any patients. PHI may include fragments of data apart from one's name that, when pieced together, can sometimes identify a person. De-identifying information is not a process that is set in stone. Protected information is sometimes relative to each particular case. De-identified information has to be completely stripped down so that no one is able to piece things together and identify someone. Though the process can't be standardized, there are some basics that should be removed from any file when de-identifying information, including the individual's name, address, Social Security number, telephone number, and patient ID number.

Patients' Rights under HIPAA

Notice of Privacy Practices
The notice is intended to be a public notice to advise patients of the privacy practices of the organization. The notice serves to educate patients about their rights. But the notice isn't only for people coming for a service. The notice must also be provided to anyone who's simply interested in seeing it. Covered entities should make the notice available in both hard copy and electronic form, because an electronically delivered notice satisfies the distribution requirement as long as the patient agrees to receive it electronically. Most importantly, the notices have to be posted. Organizations that have a Web site describing their services must post the notice on their site, and all covered entities must display the notice in a clear, prominent location in their facility (such as on a wall near the reception desk).
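The following Python script is an added illustration of the de-identification basics described in the De-identification section above; it is not part of the HCPro course. It removes the five direct identifiers the course names (name, address, Social Security number, telephone number, patient ID) from a structured record, scrubs SSN-shaped and phone-shaped strings out of free-text notes so that such fragments cannot be pieced back together, and reports whatever identifiers remain. The record layout, field names, regular expressions and sample data are constructed for this example; as the course says, the full review cannot be reduced to a fixed list of fields.

```python
"""De-identification helper (added example; not from the HCPro course).

Removes the direct identifiers the course lists (name, address, Social
Security number, telephone number, patient ID) from a structured record
and scrubs SSN/phone-shaped strings from free-text fields, since the
course warns that fragments left in notes can be pieced back together.
The record layout and field names are assumptions for this example.
"""
import copy
import re

# Fields the course names as basics to strip from any file.
DIRECT_IDENTIFIER_FIELDS = {"name", "address", "ssn", "phone", "patient_id"}

# Free-text fields that may carry identifiers verbatim (assumed layout).
FREE_TEXT_FIELDS = {"notes"}

# Shapes of a US SSN (nnn-nn-nnnn) and a 10-digit US phone number.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")


def scrub_text(text: str) -> str:
    """Replace SSN- and phone-shaped substrings with labelled placeholders."""
    text = SSN_RE.sub("[SSN REMOVED]", text)
    text = PHONE_RE.sub("[PHONE REMOVED]", text)
    return text


def deidentify(record: dict) -> dict:
    """Return a copy of `record` with direct identifiers removed and free text scrubbed.

    The input record is left unchanged so the original file can still be
    used under the normal PHI controls.
    """
    out = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIER_FIELDS:
        out.pop(field, None)
    for field in FREE_TEXT_FIELDS:
        if isinstance(out.get(field), str):
            out[field] = scrub_text(out[field])
    return out


def residual_identifiers(record: dict) -> list:
    """Check: list direct-identifier fields, or identifier-shaped text, still present."""
    found = [f for f in DIRECT_IDENTIFIER_FIELDS if f in record]
    for field in FREE_TEXT_FIELDS:
        value = record.get(field, "")
        if isinstance(value, str) and (SSN_RE.search(value) or PHONE_RE.search(value)):
            found.append(f"{field}:pattern")
    return sorted(found)


# Constructed sample record with fictional values.
SAMPLE = {
    "patient_id": "P-000123",
    "name": "Jane Example",
    "address": "1 Example St, Anytown",
    "ssn": "123-45-6789",
    "phone": "(555) 555-0100",
    "diagnosis": "seasonal allergies",
    "notes": "Follow-up call to (555) 555-0100; SSN on file 123-45-6789.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

Running the script prints the cleaned record together with an empty residual list; calling residual_identifiers on the original record instead lists every direct-identifier field plus the pattern hit in the notes. That second call is the check to run before a record is treated as de-identified, since a clean structured record with a phone number still sitting in a free-text note is exactly the fragment the course warns about.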

What is contained in the notice?
The most important thing to remember is that the rule requires all notices to begin with this header, using the rule's exact words: "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully." That's the only thing that's prescribed in the notice. The Notice of Privacy Practices must do the following:
- Inform patients about their rights
- Disclose the entity's privacy practices
- Inform patients about the entity's responsibilities under the law
- Inform patients about all of the uses and disclosures of PHI required or allowed by law
- Explain the process for patients to access their medical records and amend their information

Accounting of disclosures
The purpose of the accounting is to let individuals know who outside of the health care organization or health plan has obtained their PHI. The accounting lets patients see exactly who has received their PHI and for what purposes. The accounting of disclosures doesn't have to cover every disclosure made. Disclosures for treatment, payment, and health care operations do not need to be covered in the accounting. The accounting also doesn't have to include disclosures of PHI made to the patients themselves, the facility directory, correctional institutions and law enforcement, or for national security or intelligence purposes. The rule exempts disclosures made when authorizations have been signed. The accounting of disclosures should include the date of the disclosure, the information that was disclosed, the name of the person or entity to which the information was given, and the purpose of the disclosure. In addition, the accounting must be in writing and include the address, if known, of the person or entity to which the information was disclosed.

Patient access and amendment
HIPAA and Washington state law give patients the right to inspect and copy the health information the plan or provider keeps about them. Your organization should have a policy outlining what information is part of the designated record set and how patients can gain access. Your policy may require patients to write a letter of request or fill out a form before seeing or copying the designated record set.
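As an added example, not taken from the course, the following Python code keeps a disclosure log carrying the elements the Accounting of disclosures section lists (date, information disclosed, recipient, recipient address if known, and purpose) and builds one patient's accounting by leaving out the categories the course says need not be included: treatment, payment and health care operations, disclosures to the patient, the facility directory, correctional institutions and law enforcement, national security or intelligence purposes, and disclosures made under a signed authorization. The purpose codes, the Disclosure layout and the sample log entries are assumptions constructed for this example.

```python
"""Accounting-of-disclosures log (added example; not from the HCPro course).

Each entry carries the elements the course lists: date, information
disclosed, recipient, recipient address if known, and purpose. The
accounting report for a patient omits the categories the course says
need not be accounted for. Purpose codes and the layout are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Purposes the course says are exempt from the accounting (assumed codes).
EXEMPT_PURPOSES = {
    "treatment",
    "payment",
    "health_care_operations",
    "to_individual",
    "facility_directory",
    "correctional_or_law_enforcement",
    "national_security",
    "pursuant_to_authorization",
}


@dataclass
class Disclosure:
    patient_id: str
    disclosed_on: date
    information: str          # what was disclosed
    recipient: str            # person or entity that received it
    purpose: str              # why it was disclosed (assumed purpose code)
    recipient_address: Optional[str] = None  # recorded when known


def validate(d: Disclosure) -> list:
    """Return the names of required elements that are missing or blank."""
    missing = [
        name for name in ("patient_id", "information", "recipient", "purpose")
        if not getattr(d, name)
    ]
    if not isinstance(d.disclosed_on, date):
        missing.append("disclosed_on")
    return missing


def accounting_for(log: list, patient_id: str) -> list:
    """Entries for one patient that must appear in an accounting, oldest first."""
    rows = [
        d for d in log
        if d.patient_id == patient_id and d.purpose not in EXEMPT_PURPOSES
    ]
    return sorted(rows, key=lambda d: d.disclosed_on)


def format_accounting(rows: list) -> list:
    """Render rows as one-line strings, adding the address only when it is known."""
    out = []
    for d in rows:
        addr = f" ({d.recipient_address})" if d.recipient_address else ""
        out.append(
            f"{d.disclosed_on.isoformat()}: {d.information} -> {d.recipient}{addr}; "
            f"purpose: {d.purpose}"
        )
    return out


# Constructed sample log with fictional entries.
SAMPLE_LOG = [
    Disclosure("P-1", date(2003, 5, 2), "discharge summary", "Dr. Referral", "treatment"),
    Disclosure("P-1", date(2003, 6, 14), "immunization record", "County Health Dept",
               "public_health", "100 Main St, Anytown"),
    Disclosure("P-1", date(2003, 6, 1), "billing codes", "Example Health Plan", "payment"),
    Disclosure("P-1", date(2003, 7, 20), "lab results", "Research Study 7", "research"),
    Disclosure("P-2", date(2003, 6, 3), "visit notes", "State Registry", "public_health"),
]

if __name__ == "__main__":
    for line in format_accounting(accounting_for(SAMPLE_LOG, "P-1")):
        print(line)
```

For patient P-1 the report contains only the public health and research disclosures; the treatment and payment entries stay in the log (they are still disclosures an auditor may ask about) but are filtered out of what the patient receives. Logging every disclosure and filtering at report time, rather than deciding at logging time what to keep, is the safer design, because the exemption list can change and an entry that was never recorded cannot be reported later.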

HIPAA allows patients to request amendments to their medical records. Organizations are not required to automatically make whatever changes a patient requests, but they must allow patients to make the requests and follow a specific process for handling them.

Information directories
To avoid an inadvertent privacy breach under HIPAA, your training program should instruct staff when and how to refer visitors to your patient directory to ensure that only the appropriate information is disclosed. While the regulations permit a covered health care provider to use PHI to create a directory of patients in its facility, the provider must inform the patient of its policies concerning directory information. It must also give the patient the opportunity to opt out of the directory or to restrict the amount of information placed in the directory. Unless the patient objects, the directory may include the patient's name, location in the facility, general condition (e.g., good, fair, stable, critical), and religious affiliation. The provider may disclose the directory information to clergy and to anyone who asks for the patient by name. Religious affiliation may be disclosed only to clergy.

With respect to security, you have to define threats and thereby calculate the risk in order to specify appropriate countermeasures. Protecting against outsiders accessing records is, for the most part, similar to securing data in other sensitive information systems, such as financial institutions. In order to define threats and risk, you have to define what information is to be protected and put in place appropriate firewalls and security features to ensure that outsiders cannot retrieve data from the provider's network. In health care, however, the greatest risks of data security failings come from the need for staff to have quick, efficient access to data and for so many people to have that access. That makes developing policies, educating staff, and focusing on behaviors critical.

Final Exam

1. As of April 14, 2003, providers must be in compliance with the HIPAA privacy rule. True or False
2. An organization that fails to comply with a HIPAA provision with no harmful intent could be subject to the following penalties: fines of up to $100 per person per violation to a maximum of $25,000 per person for violation of a single standard in one year. True or False
3. It will be illegal for hospitals to report suspected child abuse when HIPAA goes into effect. True or False
4. HIPAA requires providers to rewrite contracts with business partners including attorneys, auditors and others to make sure that they adhere to privacy rules. True or False
5. Before releasing any health information about a patient, providers and health plans will need to restrict the amount of information used or disclosed to the minimum necessary to achieve the purpose of the use or disclosure. True or False
6. Companies that sponsor health plans will be able to access personal health information for employment purposes. True or False
7. HIPAA makes it mandatory for health care providers to designate a privacy official, to whom complaints about HIPAA violations can be directed. True or False
8. What is the Notice of Privacy Practices?
   a. A notice that is supplied to computer repair services to tell them what file formats our organization uses
   b. A notice required by HIPAA that tells all patients how their patient information will be used
   c. A notice included only in patient billing forms
9. What kind of personally identifiable health information is protected by HIPAA's privacy rule?
   a. Paper
   b. Electronic
   c. The spoken word
   d. All of the above
10. Your organization must make any amendments to records that patients request. True or False
11. Confidentiality protections cover not just a patient's health-related information, such as their diagnosis, but also other identifying information such as Social Security numbers and telephone numbers. True or False