HIPAA - PowerPoint PPT Presentation

Provided by: lcl83
Learn more at: https://www.sbuniv.edu

Transcript and Presenter's Notes

1
HIPAA
  • Health Insurance Portability & Accountability
    Act of 1996

2
HIPAA Administration Simplification
  • Multi-phased law
  • Enacted to reduce health care administrative
    costs through standardization of electronic
    health care transactions
  • Need to protect security and privacy

3
Basic Principles of HIPAA Privacy Rules
  • It gives individuals more control over their
    health information.
  • It sets boundaries on the use and release of
    health information.
  • It establishes safeguards that covered entities
    must achieve to protect the privacy of health
    information.
  • It holds violators accountable by imposing civil
    and criminal penalties if they violate an
    individual's privacy rights.

4
Who Has to Comply with HIPAA?
  • Each Covered Entity (CE) must comply.
  • Covered entity means:
    • A health plan
    • A health care clearinghouse
    • A health care provider that transmits any health
      information in electronic form in connection with
      a standard transaction.

5
What is PHI?
  • Any information, oral or recorded in any form or
    medium, that:
    • Is created or received by a health plan, health
      care provider, or health care clearinghouse, and
    • Relates to the past, present or future physical
      or mental health or condition of an individual,
      or the provision of or payment for health care for
      an individual, and
    • Is individually identifiable (as defined).

6
Identifiers
  • Any of the following numbers:
  • Social Security
  • Medical Record
  • Account or health plan beneficiary
  • Certificate/license
  • Vehicle ID or plate
  • URL or IP addresses
  • Device identifiers
  • Biometric identifiers
  • Full face or comparable images
  • Names
  • Geographic units
  • Dates (month/day relating to any individual
    including birth, treatment)
  • Ages over 89
  • Phone, fax numbers
  • Email addresses
  • Any other unique identifiers

7
Use and Disclosure of PHI
  • General Rule
    • A covered entity may not use or disclose PHI,
      except as required or permitted by the
      regulations.
  • Permitted Uses and Disclosures (TPO)
    • Treatment
    • Payment
    • Health care Operations

8
Business Associate Agreement
  • By law, the HIPAA privacy rule applies only to
    covered entities.
  • However, most CEs do not conduct all business
    activities and functions alone.
  • What is a Business Associate?
    • A person who, on behalf of a covered entity,
      uses, accesses, or re-discloses PHI either to
      perform or assist in the performance of a
      function, or to provide services to the covered
      entity.
    • Must involve the use of individually identifiable
      health information.
  • An employee of the employer sponsoring the plan
    is not a business associate.

9
Health Care Operations - Business Associates
Provide Services Involving Disclosure
  • Legal
  • Accounting
  • Data aggregation
  • Administration
  • Consultants
  • Actuarial
  • Accreditation
  • Management
  • Financial Services

  • Third Party Administrators
  • Contractors, vendors of covered entities
  • Employers and other plan sponsors
  • Any person relying on any covered entity
    as source of health information
10
Business Associates
  • Business Associates may perform functions for
    covered entities with satisfactory assurance of
    appropriate safeguards for PHI.
  • The satisfactory assurances must be in writing,
    whether in the form of a contract or other
    agreement between the covered entity and the
    business associate.

11
Business Associates Contracts: Required
Elements (45 CFR 164.504(e))
  • Describe the permitted and required uses of PHI.
  • Provide that the business associate will not use
    or further disclose the PHI other than as
    permitted or required by the contract or as
    required by law, and
  • Require the business associate to use appropriate
    safeguards to prevent a use or disclosure of the
    PHI other than provided for by the contract.

12
Forms of Patient Permission to Use or Disclose PHI
  • There are three possible forms of permission
    needed to use or disclose PHI:
    • For TPO or for public purposes (such as
      cooperating with law enforcement, public health
      agencies, or courts).
    • Verbal Agreement: For disclosure to people
      involved in the health care of the patient, or
      for facility directory listings.
    • Authorization: For all other circumstances.

13
Authorizations
  • Authorizations are required by the Privacy Rule,
    45 CFR 164.508(a).
  • CEs are required to obtain an authorization for
    use and disclosure of PHI.
  • CEs may use only authorizations that meet the
    requirements of 45 CFR 164.508(b).
  • Any such use or disclosure will be lawful only to
    the extent it is consistent with the terms of
    such authorization.

14
Penalties for Non-Compliance
  • $100 fine per day for each unmet standard (up to
    $25,000 per person, per year, per standard).
  • $50,000 fine PLUS one year in prison for
    knowingly disclosing health information for
    improper use or to unauthorized entities.
  • $100,000 fine PLUS five years in prison for
    obtaining health information under false
    pretenses.
  • $250,000 fine PLUS ten years in prison for using
    health information to sell, transfer, or use for
    commercial advantage, personal gain or malicious
    harm.

15
Remember:
  • PHI should be seen only by those who are
    authorized to see it.
  • PHI should be heard by only those who are
    authorized to hear it.
  • PHI should be transmitted to or shared with only
    those who are authorized to receive it.