HIPAA: A Case Study

1
HIPAA A Case Study
HIPAA Implementation and Remediation at the
University of Texas Medical Branch

• July 25, 2002

2
What Is HIPAA?
3
What is Electric Data Interchange (EDI)?

• Harnessing technology
• Standardization of code sets and transactions
• Efficiencies within the healthcare industry

4
What Is Security?

• Structure
• The HIPAA security standards are organized into
  four categories Some examples of each are
  listed
• Administrative physical technical network
• Policies and physical application level
  internet procedures safeguards controls
  assessment
• Business media controls access
  control intranet/contingency LAN
• Personnel security awareness audit
  controls remote management training access
  (dial-in)
• Standards are also proposed for electronic
  signatures

5
What does privacy mean under HIPAA?

• HIPAA Regulates Uses and Disclosures of Patient
  Health Information (PHI)
• Defines who may access and use health information
• Defines how and when PHI is disclosed, requires
  patient authorization
• Provides patient rights
• Establishes individual penalties for individuals
  who violate the HIPAA standards

6
Protected Health Information (PHI)

• PHI is individually identifiable health
  information maintained or transmitted either
  electronically, written, or orally.
• Electronic transmission may include
• The internet (wide-open)
• Extranet (using internet technology to link a
  business with information only accessible to
  collaborating parties)
• Leased lines
• Dial-up lines
• Private networks and
• Those transmissions that are physically moved
  from one location to another using magnetic tape,
  disk, or compact disk media.

7
Use

• The sharing, employment, application,
  utilization, examination, or analysis of such
  information within an entity that maintains such
  information

Disclosure
The release, transfer, provision of access to, or
divulging in any other manner of information
outside the entity holding the information.
8
HIPAA allows uses and disclosures of PHI for

• Treatment
• The provision, coordination, or management of
  health care and related services by one or more
  health care providers, including
• The coordination or management of health care by
  a health care providers with a third party
• Consultation between health care providers
  relating to a patient or
• The referral of a patient for health care from
  one health care provider to another.

• Payment
• The activities undertaken by
• A health plan to obtain premiums or to determine
  or fulfill its responsibility for coverage and
  provision of benefits under the health plan or
• A covered health care provider or health plan to
  provide reimbursement for the provision of health
  care.

• Health Care Operations
• Activities as they relate to covered functions,
  and any of the activities of an organized health
  care arrangement in which the covered entity
  participates.(e.g. quality assurance activities,
  risk management or audits)

9
Authorizations to Disclose PHI are required if

• The disclosure is for any purpose other than TPO.
• The disclosure is for research, fundraising or
  marketing and
• A previous authorization has been revoked or is
  otherwise no longer valid.

10
Opportunity for an Individual to Agree or Object

• In some instances HIPAA allows for UTMB to
• disclose certain information without the
  patients
• authorization if
• The patient provides a verbal agreement, and
• The disclosure is for
• A facility directory
• Notification of the clergy
• Individuals involved with the patients care

11
Use/Disclosure for Research

• PHI may be used for research with
• The human subjects consent/authorization
• OR
• an IRB waiver of authorization
• Reviews preparatory to research are allowed
  without a patient authorization
• De-identified PHI or a limited data set may be
  used in research without the patients
  authorization

12
De-identification requires the following to be
removed

• Email Addresses/URLs/IP Addresses
• Medical Record Numbers
• Health Plan Beneficiary Numbers
• Account Numbers
• Certificate/License Numbers
• Vehicle Identifiers and Serial Numbers (e.g.
  VINs, License Plate Numbers)
• Device Identifiers and Serial Numbers
• Biometric Identifiers (e.g. finger or voice
  prints) or Photographs
• Any other unique identifying number,
  characteristic, or code

• Names (individual, employer, relatives, etc.)
• Address (street, city, county, zip code more
  than 3 digits, or any other geographical codes)
• Telephone/fax numbers
• Social security numbers
• Dates (except for years)
• Birth date
• Admission date
• Discharge date
• Date of death
• All ages gt 89 and all elements of dates
  indicative of such age

13
Individual Rights

• The following rights are provided to all UTMB
  Patients
• Right to inspect and copy PHI
• Right to an accounting of disclosures
• Right to have reasonable requests for
  confidential communications accommodated
• Right to file a complaint with UTMBs Privacy
  Office or the Office of Civil Rights
• Right to written notice of information practices
  from providers and health plans

14
Why is HIPAA Compliance Important?

• It is federal law.
• Compliance is required by
• April 14, 2003 for the Privacy Standards
• October 12, 2003 for the EDI Standards
• Security regulations are not yet final
• Civil fines and criminal penalties exist.
• Individual employees can be fined for their
  actions

15
Impact of HIPAA Violations

• HIPAA calls for several civil and criminal
  penalties for noncompliance. These fines
  include
• General penalty for failure to comply
• Each violation 100
• Maximum penalty for all violations of an
  identical requirement, not to exceed 25,000.00
  and
• Wrongful Disclosure of Identifiable Health
  Information
• Fines up to 250,000.00 and/or imprisonment up to
  10 years for knowingly misusing individually
  identifiable health information.

16
Implementation and Remediation
17
Implementation InitiativesPrivacy

• Initial Organization and Assessment
• HIPAA Taskforce, Chief Privacy Officer,
  Consultant for Gap Assessment.
• Project Development
• Implementation planning, EDI, security, privacy
  charters and work plans.
• Institution Wide Solutions
• Policy development and institutional level
  remediation.
• Departmental Remediation
• Departmental remediation of known gaps and
  physical walk through
• Institution Wide Training
• Training, on-line and stand up training courses

18
Phase One AssessmentObjective Determine where
PHI is located within the organization

• Developed an Institutional HIPAA taskforce
• Include legal, audit, security, clinicians, admin
  staff, IT/IS
• Determined project scope and costs
• Consultant costs v. In house costs (employee
  availability)
• Determined institutional needs
• Developed a list of all depart. w/ PHI (must be
  creative, morgue childcare, field house, Ronald
  McDonald House, Etc.)
• Prioritized compliance solutions based on the
  departmental need
• Relied on Employees w/ inst. knowledge of how the
  entity really works

19
General Out-patient PHI Flow Chart
20
Phase Two Develop ProjectsObjective Roll gaps
and compliance solutions into projects

• Wrote 3 independent Charters (Privacy, EDI,
  Security) and developed workplans
• Prioritized and defined projects
• Developed an issue log for institutional
  decisions
• Decided to focus on policy development, created 7
  categories
• Consents/Notices Research
• Authorizations Employment
• Patient Rights Students
• Business Associates

21
Phase Three - Global Solutions Objective
Organize policy work teams and write draft
policies for review and comment

• Wrote over 40 new privacy policies with forms.
• All policies were reviewed by a work group and
  the HIPAA Taskforce.
• Most policies have been sent to the Institutional
  Handbook of Operating Procedures committee for
  formal approval.
• 5 policies remain active and require
  institutional decisions.

22
Policy Workgroups
23
Draft Policies
24
Policies Requiring Institutional Decisions

• Email of PHI
• A written document and required in medical
  record.
• HIPAA and general malpractice concerns.
• Disposal of PHI
• Medical Record Maintenance Policy
• Shadow Record
• Student Conduct and Discipline Policy
• (Faculty Conduct and Disciplinary Policy)

25
Phase Four Departmental FocusObjective Review
all departmental operations and remediate gaps,
includes physical inspections

• Developed remediation tracking tool for every
  department.
• Designed to track compliance with recognized gaps
  and gaps discovered during physical inspection.
• Scheduled to meet with department 4 times to
  track compliance before compliance deadline.

26
Phase Five TrainingObjective To provide both
general and specific HIPAA training to all
13,000 employee workforce

• Develop On-line training courses required for all
  employees, including Students and Volunteers.
• Provide specific training for staff who
• Release medical records, and
• Are front line patient registration personnel.

27
Additional HIPAA Compliance Projects

• Cross referencing medical records
• Tracking/accounting for disclosures
• Business associates data mart and contract
  amendment process
• Consent/acknowledgement tracking
• E-commerce solution for physician-patient
  communication
• Shadow record management database

28
Conclusion Questions