Health Insurance Portability and Accountability Act of 1996 (HIPAA)




HIPAA Privacy Rule
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Transactions Standards
1. Health claims
2. Health claim attachments
3. Healthcare payment and remittance advice
4. First report of injury
5. Health claim status
6. Referral certification and authorization

Code Sets
- ICD-9-10: International Classification of Diseases, 9th edition
- HCPCS: Health Care Financing Administration Common Procedure Coding System
- CPT: Current Procedural Terminology

PHI, What Is It?
Protected Health Information (PHI):
- Individually identifiable health information
- Transmitted or maintained in any form or medium by a Covered Entity or its Business Associate

Permitted Uses of PHI
- Individual
- Treatment, Payment and Health Care Operations (TPO)
- Opportunity to Agree or Object
- Public Policy
- Incident to
- Limited data set
- Authorized

Individuals
Besides required disclosures, Covered Entities may also disclose PHI to their patients/health plan enrollees:
- Health plans can contact their enrollees
- Providers can talk to their patients

Treatment, Payment and Health Care Operations (TPO)
Covered Entities may use/disclose PHI to carry out essential health care functions:
- Treatment
- Payment
- Health care operations

Treatment
Treatment means the provision, coordination, or management of health care by one or more health care providers, including consultation between health care providers or patient referrals.

Payment
Payment means activities of:
- Health care providers to obtain payment or be reimbursed for their services
- Health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care

Health Care Operations
Health Care Operations are administrative, financial, legal, and quality improvement activities necessary to run the business and to support the core functions of treatment and payment. They include:
- Quality assessment and improvement activities
- Training, accreditation, certification, credentialing, licensing, reviewing competence, and evaluating performance
- Fraud and abuse detection

Individual's Right to Agree or Object
- Must give the individual the opportunity to restrict or prohibit the use or disclosure of name, location, general condition, and religious affiliation
- May disclose PHI relevant to a person's involvement in care or payment to family, friends, or others identified by the individual
- May notify family, personal representatives, or another person responsible for care of the individual's location, condition, or death
- Applies to disaster relief
- May disclose if the individual is not present or is incapacitated

Public Policy
- As required by law
- For public health
- About victims of abuse or neglect
- For health oversight activities
- For judicial and administrative proceedings
- For law enforcement purposes
- For research purposes
- To avert a serious threat to health or safety
- For workers' compensation
- About decedents (coroners, medical examiners, funeral directors)
- For organ, eye, or tissue donation

Incident To
The Rule permits uses/disclosures incident to an otherwise permitted use or disclosure, provided the minimum necessary and safeguards standards are met. This allows for common practices if they are reasonably performed.

Limited Data Set
- For research, public health, or health care operations purposes
- Direct identifiers must be removed
- Allows for zip codes and dates
- Requires a Data Use Agreement: the recipient cannot use the data for other purposes or identify or contact individuals

Minimum Necessary
Covered Entities must make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum amount necessary to accomplish the intended purpose.

Covered Entities may reasonably rely upon the requester's determination as to the minimum amount necessary if the requester is:
- A public official
- Another Covered Entity
- A Business Associate for the provision of professional services
- A researcher with IRB/Privacy Board documentation or other appropriate representations

Minimum Necessary Exceptions
- Disclosures to or requests by providers for treatment
- Disclosures to the individual
- Uses/disclosures with an authorization
- Uses/disclosures required for HIPAA standard transactions
- Disclosures to HHS/OCR for enforcement
- Uses/disclosures required by law

Business Associates
Who is a Business Associate?
- A person who performs a function or activity on behalf of, or provides services to, a Covered Entity that involves Individually Identifiable Health Information
- Is not a workforce member
- A Covered Entity can be a Business Associate

Who Is Not a Business Associate
- Two entities each performing functions on its own behalf:
  - Provider gives PHI to a payer for payment
  - Hospital and physician treating patients at the hospital
- Persons or organizations whose job does not require access to protected health information: janitors, electricians, copy machine repair persons

Are You Responsible for a Business Associate?
- Obtain satisfactory assurance that the Business Associate will appropriately safeguard PHI, through a written contract or other written arrangement or agreement
- No monitoring
- Cure or terminate the contract if a violation becomes known

The Contract Must Include:
- Permitted uses and disclosures
- Requirement to use appropriate safeguards
- Requirement to report non-permitted uses and disclosures to the Covered Entity
- Requirement to extend the same terms to subcontractors

Authorizations
- Authorizations are required for uses and disclosures not otherwise permitted or required by the Rule
- Generally, treatment, payment, eligibility, or enrollment cannot be conditioned on an authorization
- There are special rules for psychotherapy notes and marketing
- An authorization must contain core elements and required statements, including:
  - Expiration date or event
  - Statement that the authorization is revocable

Individual Rights
- Notice of Privacy Practices
- Access
- Amendment
- Accounting
- Request restrictions
- Confidential communications
- Complain to the Covered Entity
- Complain to the Secretary (HHS/OCR)

Notice of Privacy Practices
An individual has a right to adequate written notice of:
- Uses and disclosures of PHI that may be made by the Covered Entity
- The individual's rights and the Covered Entity's legal duties with respect to PHI

Notice content:
- Header (specific language in the Rule)
- Description of uses and disclosures
- Individual rights and how to exercise them
- Covered Entity duties, and the contact name or title and telephone number for receiving complaints
- Effective date

Access
- The individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set
- Timely action by the Covered Entity:
  - Providing access (inspection and copy), or
  - Written denial
  - Review of certain denials by a licensed health care professional

Amendment to PHI
- The individual has the right to have the Covered Entity amend PHI in a Designated Record Set
- The Covered Entity may deny the request in certain cases (example: if the record is accurate and complete)
- Timely action by the Covered Entity: accepting the amendment or written denial of the amendment

Denial
- The individual may submit a written disagreement
- The Covered Entity may rebut the individual's statement in writing
- The Covered Entity must include the request, denial, disagreement and rebuttal in the Designated Record Set

Accounting
An individual has a right to receive an accounting of disclosures of PHI made by the Covered Entity in the 6 years prior to the date of the request.

Confidential Communication
- A covered health care provider must permit and accommodate reasonable requests to receive communications of PHI by alternative means and at alternative locations
- The requirement applies to a health plan if the individual clearly states that disclosure could endanger the individual

Disclosure Restrictions
- A Covered Entity must permit an individual to request restrictions on uses and disclosures of PHI to carry out TPO and to persons involved in the individual's care
- The Covered Entity is not required to agree to such a request
- If it does agree, it may not violate the restriction except in an emergency

Complaints
Any person who believes a Covered Entity is not complying with applicable requirements of the Privacy Rule may file a written complaint with the Secretary/OCR.

Office for Civil Rights (OCR)
- Enforces civil rights laws and the Privacy Rule
- Investigation and resolution of complaints
- Exception determinations
- OCR may investigate complaints
- OCR may conduct compliance reviews

Complaints to OCR
- Any person or organization may file a complaint with OCR by mail or electronically
  - Only for possible violations occurring after the compliance date
  - Complaints should be filed within 180 days of the time the incident occurred
- Individuals may also file complaints with the Covered Entity

Complaints: Covered Entity Duties
- Provide a process for individuals to make complaints to the Covered Entity
- Do not require individuals to waive their right to file a complaint with the Secretary or their other rights under the Privacy Rule
- Refrain from intimidating or retaliatory acts

Complaint Process
- An informal review may resolve the issue fully without a formal investigation; many complaints will resolve in this manner
- If not, an investigation begins

Civil Monetary Penalties
None will occur if:
- The person did not know, and by exercising reasonable diligence would not have known, of the violation
- The failure to comply is due to reasonable cause and not willful neglect, and the entity corrects it within the 30-day cure period
- The offense is punishable by criminal sanction

Exceptions
- Potential extension of the 30-day cure period
- Technical assistance if the Covered Entity is unable to comply
- CMP reduction possible if:
  - The amount is excessive relative to the violation
  - The violation is due to reasonable cause and not willful neglect

HIPAA Penalties
General penalty for failure to comply:
- Each violation: $100
- Maximum penalty for all violations of an identical requirement: may not exceed $25,000

Wrongful disclosure of Individually Identifiable Health Information:
- Wrongful disclosure: $50,000, one year imprisonment, or both
- False pretenses: $100,000, five years imprisonment, or both
- Intent to sell: $250,000, ten years imprisonment, or both

What Do I Do First?
- First, get the appropriate forms together
- Train your personnel
- Work on physical security issues
- Don't panic

Forms
1. HIPAA Notice of Privacy Practices
2. Authorization of Use and Disclosure of Protected Health Information
3. Revocation of Authorization for Use and Disclosure of Protected Health Information
4. Request for Confidential Communication of Protected Health Information

Forms (continued)
5. Business Associate Agreement
6. Request to Inspect or Copy Protected Health Information
7. Approval of Request to Inspect or Copy Protected Health Information
8. Denial of Request to Inspect or Copy Protected Health Information
9. Request to Amend Protected Health Information
10. Request for Accounting of Protected Health Information Disclosures
11. Log for Disclosure of Protected Health Information
12. HIPAA (Privacy Rule) Complaint and Resolution Form
13. Audit Form
14. Employee HIPAA Compliance Signature Form
15. Employee Compliance Training Log
16. Marketing Authorization Form
17. Appointment Reminder Authorization

Authorizations
You must have an authorization if:
1. You need help from your state association to obtain reimbursement for the patient's care
2. You use the patient's name in any type of advertising of any kind
4. You use the patient's name in any type of testimonial
5. You use the patient's name on internal thank-you or welcome boards
6. You use a picture of a child for a kids' wall

You may not threaten to withhold treatment because a patient will not sign an authorization.

Notice of Privacy Practices
- You must have a Notice of Privacy Practices
- It must be given to every patient after April 14, 2003: the first time you see the patient, and the first time you see the patient after any material amendment to the Notice
- You must provide the patient with a full copy upon request
- It must be posted in a prominent location at your site

Training of Personnel
The Security Regulations require you to provide your workforce, agents, and contractors with training regarding the security issues, policies, and procedures necessary for them to carry out their function:
- Awareness training for all personnel
- Periodic security reminders
- Education regarding virus protection
- Education in the importance of monitoring logs
- Education in password management

Administrative Requirements
- Designate a privacy official responsible for privacy policies and procedures
- Designate a contact person or office responsible for receiving complaints (this can be the same person)
- Develop a system of sanctions for employees who violate the Entity's policies or the requirements of the Privacy Rule

Compliance Official Issues
1. Determine if you are a Covered Entity
2. Decide on organizational structure
3. Identify Business Associates and enter into agreements
4. Develop and provide a Notice and, if necessary, an Acknowledgement form
5. Develop a valid authorization form for future use
6. Compare current PHI use and disclosure practices with Privacy Rule requirements, and identify where practices need to change. Identify TPO uses and disclosures of PHI and all other uses and disclosures, and develop Minimum Necessary policies and protocols

Compliance Official Issues (continued)
7. Develop a system to track and account for disclosures
8. Designate a Privacy Official and a contact person or office
9. Design and implement policies and procedures
10. Develop and implement systems to safeguard PHI
11. Train the workforce
12. Check the Rule for particular requirements

Security
- Employees may only have access to the portion of the patient's records required by their job responsibilities
- You must make a reasonable effort to limit access
- Security measures may include:
  - Computer firewalls
  - Locked file drawers
  - Limited-access work areas
  - Procedures to protect confidentiality when discussing payment matters
  - Private areas for discussion of patient health information

Security (continued)
- Secure carriers if files are left on a door or wall
- Proper backup and storage of data files
- Secure storage for backups
- Secure off-site records storage
- Policies/procedures to ensure patient records are properly stored during lunch hours, breaks, or time away from the station
- Place stickers on the front of the files that say "Confidential"

What if I have open-shelved filing?
- Make sure that the area is secure at all times
- Do not allow anyone other than authorized personnel in the area
- Place stickers on the shelves that say "Confidential"
- As you work with the files on a daily basis, check for either a confidential stamp or sticker. If absent, mark it confidential as you go

HIPAA Quick Tips
1. Never walk away from an open file drawer. Lock it after each use.
2. Keep all files away from easy view. Do not keep files lying around with visible PHI.
3. Mark all filing cabinets, files, etc. confidential.

Phone messages on patients' answering machines: HIPAA is concerned with protecting your patients' privacy. One of the easiest ways to violate a patient's privacy is by exposing PHI on answering machines.

HIPAA Quick Tips: What Are the Risks?
1. The risk is that a family member, friend, or other person could overhear or receive the message.
2. The risk that the message could be left at the wrong number is also very crucial.
3. The receiver might hear information that the patient does not want exposed.

Information to Avoid
1. Laboratory and test results
2. Any information that links the patient's name to the medical condition
3. The type of clinic or specialist the patient is seeing
4. Personal information (ex: HIV, psychotherapy, substance abuse, pregnancy, etc.)

Tips
1. Reminders of appointments are OK.
2. Train your employees on a set policy.
3. Ask the patient if they would prefer a separate phone line (cell phone, etc.) for follow-up calls. Get it in writing.
4. Always use good judgment on the type of messages that you leave.

How and When to Execute HIPAA Audits and Training: Simple Guidelines

Audits and Training
1. Complete an audit at least twice a year. Pull at least five files for your audits.
2. Follow the easy questions on your audit sheet, under the audit label in your manual, and compare to the file you are working with.
3. Assign a responsible employee to complete this task. It does not have to be a member of your compliance committee.
4. When finished, document your audit by filing it in your HIPAA Compliance Plan and Manual.
5. Even though there are no set training guidelines, I would recommend that your training sessions be held at least twice a year. Please have every employee sign an employee compliance training log for these training sessions and place it in the signed training section of your HIPAA Compliance Plan and Manual.

REMEMBER, YOUR HIPAA MANUAL IS INSUFFICIENT IF YOU DO NOT CONTINUOUSLY UPDATE, TRAIN, AND AUDIT. IT IS UP TO YOU TO STAY IN COMPLIANCE WITH HIPAA.

Simple Rules
1. Except for the patient's name, confidential patient information is not called out into the waiting room.
2. Release of confidential patient information is done ONLY by staff specifically authorized to do so.
3. Confidential patient information is not left on an unattended printer, photocopier, or fax machine unless these devices are in a secure area. Physical access to fax machines and printers is limited to authorized staff.
4. Staff do not discuss confidential patient information among themselves in public areas.
5. Conversations with the patient/family regarding confidential patient information are not held in public areas.
6. Overhead and intercom announcements do not include confidential patient information.
7. Phone conversations and dictation take place in areas where confidential patient information cannot be overheard.
8. Computer monitors are positioned away from public view, to avoid observation by visitors.
9. Confidential patient information is discarded in the appropriate secure container or shredded.
10. Screens of unattended computers are returned to the logon screen or have a password-enabled screen saver. Staff understand that their ID and password are confidential and never share them, or the use of their workstation while logged in.
11. On desks in public areas, chart holders or nurses' stations, documents with confidential patient information are face down or concealed, avoiding observation by patients or visitors.
12. Paper records and medical charts are stored or filed in such a way as to avoid observation by patients or visitors, or casual access by unauthorized staff.

Simple Rules (continued)
13. Answering machine volume is turned down so information being left cannot be overheard by other staff or visitors. Voice mail passwords are not the default settings, or the last four digits of your phone number.
14. Patient lists, including scheduled procedures, with information beyond room assignments are not readily visible to patients or visitors.
15. Staff feel comfortable, and obligated, to report misuse of confidential patient information to their supervisor, knowing there will be no retaliation.
16. All supervisors regularly review with their staff the institutional policies applicable to their work assignments, to ensure that current practices and procedures protect patient privacy.
17. Only authorized staff have access to confidential patient information, and they access and use only the minimum amount necessary to accomplish their duties. All staff wear the appropriate nametag at all times.
18. For units that are not staffed 24 hours, patient records are filed in locking storage cabinets or in rooms that are locked.
19. Visitors and patients are appropriately escorted to ensure they do not access staff areas, dictating rooms, chart storage, etc. Persons not recognized in restricted areas are challenged for identification.