Title: HIPAA PRIVACY
HIPAA PRIVACY
- Office for Civil Rights
- U.S. Department of Health and Human Services
- November 8, 2002
The Health Insurance Portability and Accountability Act of 1996
- HIPAA
- (Public Law 104-191)
- Signed August 21, 1996
- Title II
- Subtitle F: Administrative Simplification
Purpose of HIPAA Provisions
- To improve efficiency and effectiveness of the
health care system by standardizing the
electronic exchange of administrative and
financial data
The Privacy Rule
- April 14, 2001: Effective date
- April 14, 2003: Compliance date
- April 14, 2004: Compliance date (for small health plans)
Relationship to other laws
- First comprehensive federal health privacy protections
- Does not replace federal, state, or other laws that may guarantee individuals even greater privacy protections
- Other state laws might require or permit disclosures
- The only required disclosures under the Rule are (1) to the individual and (2) to HHS
Purpose of the Privacy Rule
- Creates, for the first time, national standards to protect individuals' medical records and other personal health information
Why is the Privacy Rule needed?
Do You Know Where Your Medical Information Goes?
Who is covered by the Rule?
- Limited by HIPAA to
  - Health plans
  - Health care clearinghouses
  - Health care providers who transmit any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard
- Business associates
What is covered by the Rule?
- Protected health information (PHI) is
  - Individually identifiable health information
  - Transmitted or maintained in ANY form or medium
  - Held or transmitted by covered entities or their business associates
- Not PHI
  - De-identified information
  - Employment records
  - FERPA records
What is a business associate?
- Agents, contractors, and others hired to do work on behalf of a covered entity that requires protected health information (PHI)
- A covered entity must obtain satisfactory assurance, usually through a contract, that a business associate will safeguard PHI and limit its use and disclosure
- Contract transition period
What does the Rule mean for covered entities?
- Accountability
- Professional standards are now law
- Changes in
  - Culture
  - Processes
  - Relationships
  - Documentation
What must covered entities do under the Rule?
- Implement standards to protect and guard against the misuse of individually identifiable health information by the April 14, 2003 compliance date
What are specific requirements for covered entities?
- Administrative Requirements
- Flexible and Scalable
- Covered entities are required to
  - Designate a privacy official
  - Develop policies and procedures (on how PHI is going to be handled and on receiving complaints)
  - Provide privacy training to their workforce
  - Implement administrative, technical, and physical safeguards to protect the privacy of PHI
What are specific requirements for covered entities? (Cont'd)
- Covered entities are required to
  - Develop a system of sanctions for employees who violate the entity's policies
  - Meet documentation requirements
  - Mitigate any harmful effect of a use or disclosure of PHI that is known to the covered entity
  - Refrain from intimidating or retaliatory acts
  - Not require individuals to waive their right to file a complaint with HHS or their other rights under this Rule
What does the Rule mean for individuals?
- Under the Privacy Rule, individuals have the right to
  - Notice of privacy practices
  - Access (inspect and copy) their PHI
  - Request amendment of their PHI
  - An accounting of disclosures
  - Alternative (confidential) communications
  - Request restrictions on uses and disclosures
  - Complain to the covered entity and to HHS
Personal Representatives
- Standard personal representatives. A covered entity must treat a personal representative as the individual under applicable law in situations involving
  - Adults and emancipated minors
  - Deceased individuals
- With respect to PHI relevant to such personal representation
Personal Representatives (Cont'd)
- Standard personal representatives. There are exceptions for
  - Unemancipated minors
  - Where the covered entity has a reasonable belief that there has been or may be domestic violence, abuse, neglect, or endangerment
When is a covered entity permitted to use or disclose PHI?
- In general, there are four categories of uses and disclosures of PHI
  - Treatment, payment and health care operations (TPO)
  - Authorized by the individual
  - Requiring the individual to agree or object
  - Permissible public policy disclosures
Boundaries: Uses and disclosures
- TPO (164.502)
  - Treatment: care
  - Payment: reimbursement
  - Health care operations: "running the store"
  - (Specific definitions in the Privacy Rule for each term)
Boundaries: Uses and disclosures
- Authorized by the individual (164.508)
  - Psychotherapy notes generally need an individual's authorization before use or disclosure
  - Any uses or disclosures not otherwise permitted or required by the Rule
  - Authorizations must be in plain language and contain specific elements
Boundaries: Uses and disclosures
- Requiring an opportunity for the individual to agree or object (164.510)
  - Facility directories (e.g., hospital)
  - PHI for relatives or close personal friends
  - For notification purposes
Boundaries: Uses and disclosures
- Public Policy Disclosures (164.512)
  - Covered entities may use or disclose PHI without authorization only if the use or disclosure comes within one of the listed exceptions and follows its conditions
Boundaries: Uses and disclosures
- As required by law
- For health oversight
- For public health
- For research
- For law enforcement
- For judicial and administrative proceedings
- For specialized government functions
Boundaries: Uses and disclosures
- To facilitate cadaveric organ, eye and tissue donation and transplants
- About decedents, to funeral directors, coroners and medical examiners
- For workers' compensation
- To report abuse, neglect, or domestic violence
- To avert a serious and imminent threat to health or safety
Minimum necessary
- Covered entities must make reasonable efforts to limit the use or disclosure of PHI to the minimum amount necessary to accomplish their purpose
- Role-based access limits
- Exceptions
  - Disclosure to the individual
  - Disclosure to, or request by, a provider for treatment purposes
Minimum Necessary (Cont'd)
- Exceptions
  - Use or disclosure made pursuant to an individual's appropriate authorization
  - Use or disclosure required for compliance with the Administrative Simplification Rules of HIPAA
  - Use or disclosure that is required by law
  - Disclosure to HHS for enforcement purposes
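The two "minimum necessary" slides describe a decision procedure: limit each use or disclosure by the requester's role, except where one of the listed exceptions applies, and (as the later HOSPITAL question about the entire medical record notes) where the entity has documented that the whole record is the amount reasonably necessary. The following is an added example of that logic in Python; it is not HHS code or part of the original presentation. The roles, field names, exemption category names, the `ROLE_FIELDS` policy and the `FULL_RECORD_DOCUMENTED` table are all assumptions chosen for illustration, and the sample record is constructed, not real patient data.

```python
"""
Illustrative model of the Privacy Rule's "minimum necessary" standard:
role-based limits on which parts of a record a requester may receive,
the exceptions listed on the slides, and the "entire record documented as
reasonably necessary" case. Added example, not HHS code; the roles, field
names and policy tables are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Exceptions from the slides: requests in these categories are not subject
# to the minimum necessary standard (category names are constructed here).
EXEMPT_CATEGORIES = frozenset({
    "disclosure_to_individual",       # disclosure to the patient
    "treatment_request_by_provider",  # disclosure to / request by a provider for treatment
    "individual_authorization",       # pursuant to a valid authorization (164.508)
    "administrative_simplification",  # required for compliance with the HIPAA transaction rules
    "required_by_law",
    "hhs_enforcement",                # disclosure to HHS for enforcement purposes
})

# Hypothetical role-based access policy: the record fields each workforce
# role may use for its routine purposes. A covered entity would document
# this in its policies and procedures.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "scheduler": frozenset({"name", "phone", "appointments"}),
    "billing":   frozenset({"name", "dob", "insurance_id", "procedure_codes", "charges"}),
    "nurse":     frozenset({"name", "dob", "allergies", "medications", "vitals", "progress_notes"}),
}

# Hypothetical (role, purpose) pairs for which the entity has documented that
# the entire record is the amount reasonably necessary.
FULL_RECORD_DOCUMENTED = frozenset({("physician", "treatment"), ("nurse", "treatment")})


@dataclass(frozen=True)
class AccessRequest:
    role: str
    purpose: str                              # "treatment", "payment", "operations", or an exempt category
    fields: Optional[FrozenSet[str]] = None   # None means the whole record was requested


@dataclass(frozen=True)
class Decision:
    released: Dict[str, object]
    reason: str


def minimum_necessary(record: Dict[str, object], req: AccessRequest) -> Decision:
    """Return the subset of `record` the requester may receive, and why."""
    wanted = set(record) if req.fields is None else set(req.fields) & set(record)

    # 1. Exceptions: the standard does not apply; release what was asked for.
    if req.purpose in EXEMPT_CATEGORIES:
        return Decision({k: record[k] for k in wanted}, "exempt from minimum necessary: " + req.purpose)

    # 2. Documented full-record purposes (e.g. the treating clinician).
    if (req.role, req.purpose) in FULL_RECORD_DOCUMENTED:
        return Decision({k: record[k] for k in wanted}, "entire record documented as reasonably necessary")

    # 3. Everything else is limited by role; an unknown role gets nothing.
    allowed = ROLE_FIELDS.get(req.role, frozenset())
    released = {k: record[k] for k in wanted if k in allowed}
    withheld = sorted(wanted - allowed)
    return Decision(released, "role-based limit for %s; withheld %s" % (req.role, withheld))


# Constructed sample record (not real patient data).
SAMPLE_RECORD: Dict[str, object] = {
    "name": "A. Patient", "dob": "1970-01-01", "phone": "555-0100",
    "insurance_id": "INS-0001", "appointments": ["2002-11-08 09:00"],
    "allergies": ["penicillin"], "medications": ["metformin"],
    "vitals": {"bp": "120/80"}, "progress_notes": "stable",
    "procedure_codes": ["99213"], "charges": 120.00,
}

if __name__ == "__main__":
    for req in (
        AccessRequest("scheduler", "operations"),
        AccessRequest("billing", "payment", frozenset({"name", "charges", "medications"})),
        AccessRequest("physician", "treatment"),
        AccessRequest("records_clerk", "disclosure_to_individual"),
        AccessRequest("intern", "operations"),
    ):
        d = minimum_necessary(SAMPLE_RECORD, req)
        print(req.role, req.purpose, "->", sorted(d.released), "|", d.reason)
```

The order of the checks matters: exemptions are tested before the role table so that a disclosure to the individual or a treatment request from another provider is never trimmed by a role policy, while any role the policy does not list falls through to the default of releasing nothing.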
Oral Communication Rule
- All forms of communication covered
- Requires reasonable efforts to prevent impermissible uses and disclosures
- Policies and procedures to limit access/use (role-based)
  - Except disclosures to, or requests by, a provider for treatment purposes
Overheard, seen in passing
- Incidental disclosures
- The Rule permits uses/disclosures incident to an otherwise permitted use or disclosure, provided the minimum necessary and safeguards standards are met
- Examples: talking to a patient in a semi-private room, talking to other providers if passers-by are present, waiting room sign-in sheets, patient charts at bedside, etc.
- Allows for common practices if reasonably performed
Frequently Asked Questions/Concerns about the Privacy Rule
PATIENT: My doctor needs to discuss my treatment with other doctors and nurses. But the Privacy Rule prohibits doctors and nurses from discussing private health information if there is a possibility that someone will overhear. What if my doctor needs to discuss my condition with a nurse at a busy nursing station, or with me over the phone from someplace other than a private office? The privacy rule prevents these discussions.
The Privacy Rule does not intend to prohibit providers from talking to each other and to their patients.
PHYSICIAN: The privacy rule requires me to monitor the activities of my business associates. I can be found in violation of the rule if my business associate violates the contract, even if I don't know about it.
Covered entities are not required to monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract.
HOSPITAL: The privacy rule prohibits semi-private rooms. With two patients in a room, there is no way to guarantee that one won't overhear health information about the other. Now I'll have to rebuild my facility to include only private rooms.
The Privacy Rule does not require these types of structural changes be made to facilities. Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
PATIENT: The privacy rule prevents my pharmacist from filling my prescription before I show up and sign that consent. Instead of having the prescription waiting for me, I may have to come to the pharmacy, sign a consent, and then wait around for hours while the prescription is filled.
The Privacy Rule permits covered entities, including pharmacists, to use identifiable health information for treatment, payment, or health care operations without prior patient consent.
HOSPITAL: The privacy rule allows doctors and nurses to see a patient's entire medical record, if the hospital thinks they need it to do their jobs.
The Privacy Rule does not prohibit use or disclosure of, or requests for, an entire medical record. The covered entity must document in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.
INSURER: How are we supposed to do business under this Rule? It would prohibit doctors from faxing information to us, or to each other, or to their patients.
The Rule does not prohibit faxing of individually identifiable health information. Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
INSURER: What happens when I am required to report information under state law? I assume that if some other law requires me to disclose health information, I won't have to do a big analysis under the privacy rule, or get caught in the middle because the privacy rule might not allow the disclosure?
A disclosure of identifiable health information that is required by another law is permitted by the Privacy Rule.
ANYONE: The Privacy Rule is delayed by the Administrative Simplification Compliance Act that was passed in December 2001.
This law delays compliance with the Transaction and Code Set standards for covered entities that file a compliance plan. This law does not apply to the Privacy Rule. The compliance date for the Privacy Rule is still April 14, 2003 (April 14, 2004 for small health plans).
PATIENT: When my family member comes to pick me up from the hospital, the doctor will still be able to explain my condition and tell him what to expect when I return home. Right?
The Rule permits doctors to discuss a patient's condition with family or friends involved in the person's care, unless the patient objects.
A hospital customarily displays patients' names next to the door of the hospital rooms that they occupy. Will the Rule allow the hospital to continue this practice?
The Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure. In this case, disclosure of patients' names by posting on the wall is permitted by the Rule, if the use or disclosure is for treatment or health care operations purposes.
Minimum necessary
Are hospitals able to inform clergy about parishioners in the hospital?
Yes, the Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure and does not object.