HIPAA PRIVACY: A PRACTICAL APPROACH - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

HIPAA PRIVACY: A PRACTICAL APPROACH

Description:

HIPAA PRIVACY: A PRACTICAL APPROACH April 14, 2003 is the deadline for health care providers to develop formal privacy procedures and to notify patients of their ... – PowerPoint PPT presentation

Number of Views:157
Avg rating:3.0/5.0
Slides: 22
Provided by: hawaiiEdu
Category:

less

Transcript and Presenter's Notes

Title: HIPAA PRIVACY: A PRACTICAL APPROACH


1
HIPAA PRIVACY A PRACTICAL APPROACH
April 14, 2003 is the deadline for health care
providers to develop formal privacy procedures
and to notify patients of their privacy rights.
The following presentation outlines an approach
for the smaller practice to access reasonable
compliance solutions.
2
HIPAA COMPLIANCE WHAT IT MEANS FORYOUR
OFFICEPAUL A. GILMAN, ESQ.ANDREW S. WILLIAMS,
ESQ.ARONBERG GOLDGEHN DAVIS GARMISAONE IBM
PLAZA SUITE 3000CHICAGO, ILLINOIS 60611(312)
828-9600
3
WHAT IS HIPAA?
  • Health Insurance Portability Accountability Act
    of 1996
  • Sets standards and requirements for maintenance
    and electronic transmission of patient health
    information
  • Covers 4 areas
  • Privacy of information
  • Security of data
  • Transactions and code set standards for
    electronic transactions
  • Identifiers for providers, employers, and payers

4
TO WHOM DOES HIPAA APPLY?
  • Covered Entities
  • Health Plans
  • Health care clearing houses
  • Health care providers who transmit any health
    information (including billing) in electronic
    form
  • Who is a health care provider
  • A provider of medical or health services and any
    other person organization who furnishes, bills or
    is paid for health care in the normal course of
    business.
  • Includes physicians, dentists, chiropractors,
    podiatrists, etc.
  • Others dealing with covered entities, such as
    Business Associates, will be impacted by HIPAA

5
WHAT INFORMATION IS COVERED?
  • HIPAA Regulates Protected Health Information
    (PHI)
  • PHI is information, oral or recorded, in any
    form or medium, that
  • Is created or received by a provider, plan, etc.
    and
  • Relates to past, present or future physical or
    mental health or condition of an individual, the
    provision of health care to an individual, or
    past, present or future payment for the provision
    of health care

6
WHAT IS THE PRIVACY RULE?
  • A Covered Entity may only use or disclose PHI
  • With notice to the individual and acknowledgement
    of how that information will be used (Notice of
    Privacy Practices) but only for treatment,
    payment or healthcare operations (TPO)
  • Without Notice of Privacy Practices under certain
    circumstances, such as per subpoena, to avert
    serious threat to health or safety
  • With a specific written authorization for
    disclosure for use permitted for other than TPO
  • Even with Notice of Privacy Practices, Covered
    Entity must make reasonable efforts to limit use
    or disclosure of PHI to the minimum necessary
    amount to accomplish the intended purpose of the
    use or disclosure of the PHI

7
WHAT IS THE SECURITY RULE?
  • Applies to physical, technical and administrative
    requirements to protect maintenance, availability
    and confidentiality of PHI
  • Closely intertwined with Privacy Rule
  • Requires appropriate technological measures and
    physical security safeguards to maintain the
    security of PHI
  • Final rules expected in October, 2002
  • Compliance mandated 26 months after publication
    of final rules.
  • Will require Policies and Procedures and training
    for
  • Password Maintenance
  • Access Controls
  • Physical Controls
  • Logging off computers
  • Screensavers
  • Locking doors and files cabinets
  • E-Mail Risks
  • Other

8
WHAT IS THE TRANSACTIONS AND CODE SET RULE?
  • Covers 8 EDI transactions between or within
    Covered Entities (or their Business Associates)
  • Claims
  • Remittances
  • COB
  • Eligibility
  • Referral Certification
  • Claim Status
  • Enrollment
  • Premiums
  • Providers conducting electronic transactions must
    conduct standard transactions
  • Standard Codes
  • Minimum data sets

9
KEY COMPLIANCE DATES
  • RULE COMPLIANCE DATE
  • Transactions and Code Set October 16, 2002
    (October 16, 2003 if extension requested by
  • October 15, 2002)
  • Identifiers Summer/Fall, 2004 (est.)
  • Privacy April 14, 2003
  • Security Summer/Fall 2004 (est.)

10
SANCTIONSWHY DO WE CARE ABOUT HIPAA?
  • 100 Per violation, up to 25,000 per year for
    each offense
  • Wrongful disclosure may result in fine of 50,000
    or jail
  • Enforcement by Office of Civil Rights (OCR)
  • May be next hotbed of consumer litigation

11
OTHERS IMPACTED BY HIPAABUSINESS ASSOCIATES
  • Disclosure to Business Associates (BA) is
    generally permitted
  • A person or organization that performs a function
    or activity on behalf of a Covered Entity and has
    access to PHI in the course of performing the
    function or activity, but is not part of the
    Covered Entitys workforce
  • Examples of Business Associates
  • ?Accountants ?Accreditation Services
  • ?Non-owned Providers ?Attorneys
  • ?On Call
  • ?Locum Tenens
  • ?Billing Service Companies ?Coding Providers
  • ?Collection Agencies ?Collection Agencies
  • ?Consultants ?Copy Services
  • ?DME ?Document Shredding Services
  • ?Laboratories ?Lawyers
  • ?Management Services ?Marketing Services
  • ?Medical Record Storage ?Transcription Services
  • ?Vendors (software, hardware, etc.)

12
BUSINESS ASSOCIATE CONTRACTS
  • Required by HIPAA
  • Specify permitted uses and disclosures of PHI
  • Require Business Associates to report improper
    use and disclosure to Covered Entity
  • Authorize Contract termination for material
    breach
  • Require subcontractor compliance
  • Allow patient access, amendment and disclosure
    accounting
  • Allow Department of Health and Human Services to
    access BAs books and records
  • Return or destroy PHI, if feasible, and otherwise
    ensure no disclosure or improper use when
    contract ends
  • Written contract existing with BA before 10/13/02
    and not modified or concluded before 4/13/03,
    will be compliant until earlier of
  • Modification or conclusion before 4/14/04 or
  • 4/14/04

13
KEY PRIVACY COMPLIANCE POINTS
  • Requires a cultural change
  • PRIVACY IS ABOUT CONSCIOUSNESS-RAISING THINK
    PRIVACY BEFORE USE OR DISCLOSURE
  • If its not documented, it didnt happen
  • HIPAA does not require a complete overhaul of
    business

14
STEPS TO COMPLIANCE
  • Appoint a Privacy Officer and Contact Person (can
    be the same person)
  • Required
  • Responsible for development and implementation of
    privacy-related programs, policies and procedures
  • Identify all categories of persons whose duties
    require access to PHI (by job functions)
  • Conduct GAP Analysis
  • Gather Baseline information
  • Hardware
  • Software
  • Networks
  • Data location, access, flow
  • Current policies and procedures
  • Identify and document GAPs in actual uses and
    disclosures of PHI against HIPAAs requirements
  • Assess the GAP What is needed to close the GAP

15
  • Identify Business Associates
  • Draft Business Associate Agreements
  • Communicate with and enter into agreements with
    Business Associates
  • Develop Required Forms, Policies and
    Procedures
  • Forms Examples
  • Notice of Privacy Practices
  • Consents
  • Authorization
  • Request for Restriction on Use or Disclosure
  • Request to inspect and copy PHI
  • Request to amend or correct PHI
  • Request to receive an accounting of uses and
    disclosure
  • Accounting of uses and disclosure of PHI
  • Complaint forms

16
  • Policies
  • Notice of privacy practices
  • Minimum necessary use and disclosures
  • De-identification of health information
  • Other Policies
  • Workforce training
  • Patient privacy compliance
  • Marketing
  • Release of information
  • Patient requests
  • Information access control
  • Disciplinary action
  • Media controls Access levels
  • Disaster recovery plan
  • Facility security plan
  • Develop and implement privacy training program
  • For existing employees, training must occur by
    April 14, 2003
  • For new employees, within a reasonable period
    after hire
  • Monitor Compliance On-Going Basis

17
HIPAA TRAINING
  • Assess own culture for best learning
    opportunities.
  • Key Questions
  • Who gets trained on which aspects of HIPAA? Does
    everyone get trained on all of HIPAA or just
    parts?
  • When do we begin?
  • How will we conduct on-going training?
  • What form will training take?
  • How do we track who got what training?

18
WHAT DO I TRAIN?
  • Privacy Rule requires that a Covered Entity train
    all members of its workforce on its policies and
    procedures with respect to PHI as necessary and
    appropriate to carry out their function with the
    Covered Entity
  • Training must be scaled to size of office and
    workforce
  • No one size fits all solution
  • All employees must understand requirements of the
    Privacy Rule
  • Rights of individuals
  • Duties and responsibilities of BA
  • Impact of requirements on their day-to-day work
  • Policies and Procedures
  • Sanctions for Violations
  • Security Rule Training Train in Conjunction
    with Privacy Training
  • Password Management
  • Physical Access
  • Virus Protection
  • Backup and Disaster Recovery Procedure
  • Locking drawers, bins and files
  • Clean desk awareness
  • Faxes, printouts and reports
  • Visitor access to records area

19
PRIVACY TRAINING DEADLINES
  • Existing Employees before 4/14/03 Must
    develop Policies and Procedures before training
    can begin
  • New Hires within a reasonable period of time
    after hire date
  • On-Going Training as changes to law or policies
    and procedures affect job function

20
HOW DO I TRAIN?
  • Determine the best way to reach employees.
  • Classroom style
  • Audio conference
  • Web-based
  • Self-directed learning manuals, videos, etc.
  • Simple approach distribute manual, including
    Policies and Procedures, distribute tips FAQs,
    etc.

21
CONCLUSION
  • Dont Panic
  • Resources are available
  • Web Sites
  • Seminars
  • Guide Books (ADA, etc.)
  • Trade Associations
  • Remember what is necessary for a large office may
    not apply to a smaller office
Write a Comment
User Comments (0)
About PowerShow.com