Health Insurance Portability & Accountability Act (HIPAA) part 2

From Aaushi

Introduction

HIPAA (cont)

HIPAA's Impact

  • calls on providers to protect the storage and flow of medical information
  • practices might have to reconfigure office reception areas
  • sign-in sheet, not outlawed by HIPAA, may need to be further secured to protect patient privacy
  • most practices already have some privacy protection measures in place
  • most states have privacy laws for the healthcare industry
  • HIPAA adds federal regulation to protect confidential patient information

HIPAA's Impact Is Vast

Covered Entities 'Self-Certify' Compliance

Compliance Dates Have Passed

  • this means all Covered Entities and their staff should already be in compliance; many still are not
  • HIPAA's Privacy Rule
    • April 14, 2003
    • April 14, 2004 for Small Health Plans
  • HIPAA's Security Rule
    • April 21, 2005

HIPAA compliance

  • is a process that Covered Entities undertake, and a condition they try to maintain over time

HIPAA violations

  • involve the misuse of confidential health data, where people are harmed in various ways
  • HIPAA violations are far more serious offenses than non-compliance

Facilities may be in or out of compliance, but people cause HIPAA violations

Non-compliance

  • may result in civil monetary penalties, but not criminal charges.

Violations of HIPAA

  • wrongful PHI disclosures can result in large monetary penalties, & even prison time for 'willful', 'intentional', or 'malicious' violations

HIPAA Enforcement*

  • civil penalties:
    • enforced by the Office for Civil Rights (OCR) in the Department of Health & Human Services
    • apply to non-compliance with HIPAA requirements & standards
    • minimum $100 per violation
    • capped at $25,000 per calendar year for violations of the same requirement (the figures in effect when this was written; later amendments raised them)
  • criminal penalties:
    • enforced by the Department of Justice, the State Attorney General & local law enforcement
    • apply to wrongful disclosure of PHI
    • fined not more than $50,000, imprisoned not more than 1 year, or both
    • if the offense is committed under false pretenses:
      • fined not more than $100,000
      • imprisoned not more than 5 years, or both
    • if committed for commercial advantage, personal gain, or malicious harm:
      • fined not more than $250,000
      • imprisoned not more than 10 years, or both

* both types of penalties may apply to the individual violator; they may also apply to the organization, or its officers

Failures can be costly

  • increased operating costs
  • loss of accreditation (JCAHO, NCQA)
  • imprisonment
  • litigation damages
  • increased 'capital costs' associated with late compliance efforts
  • public exposure leading to loss of market share
  • financial penalties

Privacy Rule Foundations

  • these are HIPAA's 'guiding principles'
  • boundaries: individual healthcare information should be used for health purposes and only those purposes
  • security: individual healthcare information must be protected against deliberate or accidental misuse or disclosure
  • consumer control: patients should be able to see what is in their records, get a copy, correct errors, and find out who else has seen them
  • accountability: misuse of personal health information should be punished, & those harmed should have legal recourse
  • public responsibility: individual privacy must be balanced with common good

Privacy Rule Requirements

  • designation of a Privacy Officer (Chief Privacy Official)
  • training for all employees
  • safeguards to protect PHI, systems, & processes
  • an internal complaint process
  • sanctions for violations
  • a duty to mitigate the harmful effects of privacy breaches

Patients' rights under HIPAA are now standardized nation-wide; HIPAA sets a federal floor, and a more protective state law still applies where one exists.

  • Right to receive a 'Notice of Privacy Practices'
    • tells patients about their HIPAA rights, & your policies & procedures
    • must be 'posted prominently' & provided to patients in hardcopy
    • tells who the entity's Privacy Officer is, & how to file a privacy complaint
  • Right to request restrictions on certain PHI disclosures to others
    • this is a right to request additional restrictions on use & disclosure of the patient's PHI
    • covered entities don't have to agree to the request
    • excludes mandatory reporting required under law
    • emergencies override all restrictions
  • Right to an alternate means of receiving PHI
    • the right to receive communications containing PHI via 'alternative means' or at alternative locations
    • example: mail sent to a different address (P.O. Box; home)
    • example: PHI sent via email instead of postal mail
    • covered entities must agree to 'reasonable' requests
    • covered entities may charge reasonable fees to accommodate such requests
    • maximum fees are often set by state law
  • Right to inspect & obtain a copy of own PHI
    • guarantees access to the patient's own PHI, but only to the 'Designated Record Set' (DRS)
    • DRS = data 'used to make decisions' about healthcare treatment & services
    • many kinds of data are excluded from the DRS
      • psychotherapy notes, data compiled for civil or criminal actions, etc.
    • each covered entity defines the DRS for its own purposes, within HIPAA boundaries
    • the DRS definition belongs in the entity's Policies & Procedures
    • PHI access can be denied when:
      • a licensed health care professional determines inspection or copying is reasonably likely to endanger the life or physical safety of the individual or another person
      • the PHI is about another person, & a licensed health care professional determines inspection or copying is reasonably likely to cause serious harm to that other person
      • the request is made by the patient's personal representative, & a licensed health care professional determines inspection or copying is reasonably likely to cause substantial harm to the patient or to the personal representative
  • Right to request amendments to PHI
    • the right to amend (add an explanatory note to) data in the Designated Record Set
    • covered entities may refuse if:
      • someone else originated the data
      • the data is correct & doesn't need changing
    • only data in the Designated Record Set can be amended
    • amendments never delete data; they only add explanations to an existing record
  • Right to an accounting of certain PHI disclosures
    • the right to request a list of certain disclosures of the patient's PHI over a specified time period
    • excludes disclosures made for routine purposes:
      • payment, treatment, operations
      • many other exclusions & exemptions
    • the actual data included in an accounting is minimal

Day-to-day Administration of Rights

  • there should be a form for each of the rights
    • must be filled out & signed by the patient
  • most rights will be administered through the Privacy Officer & Records Department
  • carefully document all requests & actions
  • refer to the Notice of Privacy Practices
    • provides guidance for staff & patients

6 Guides for Identifying PHI

  • PHI can be written or oral.
  • PHI can be recorded on paper, computer, or other media.
  • PHI reveals the state of a person's health, the care provided, or payment for that care
    • physical, mental, or emotional health; past, present, or future
  • data must be 'individually identifiable' to be PHI.
  • to be PHI, data must give a 'reasonable basis for determining individual identity'.
  • PHI may be created or received by a covered entity

Potential Sources of PHI

PHI: defined 'data elements'. On their own, these elements are not necessarily PHI; once a record links any of them to health information, that record contains PHI.

  • name
  • address: city, county, zip code
  • names of relatives
  • names of employers
  • date of birth
  • telephone number
  • fax number
  • E-mail addresses
  • social security number
  • medical record number
  • health plan beneficiary number
  • Account Number
  • certificate/license number
  • web URL
  • internet protocol (IP) address
  • fingerprints or voiceprints
  • photographic images
  • any other unique identifying number, characteristic, or code (whether in the public realm or not)
  • many other sources
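The identifier list above is, in practice, a data-classification rule, so here is an added example (written for this page, not code from the page or its source) that puts it to work: a small Python scanner that finds the machine-recognisable elements from the list in a free-text record, redacts them, and applies the page's two-part test (identifiable, and about health) to decide whether the record is PHI. The regexes, the clinical-term list and both sample records are constructed for the example and are assumptions, not HIPAA text; elements with no regular shape (names, relatives, employers, street addresses, photos, biometrics) are deliberately left out and would need a dictionary or named-entity pass.

```python
import re

# Regexes for the identifier categories in the list above that have a
# machine-recognisable shape.  The patterns are assumptions made for this
# example (US formats), not text from HIPAA.  Names, relatives, employers,
# street addresses, photos and biometrics have no regex shape and are
# deliberately absent; a real scanner would add a dictionary or NER pass.
IDENTIFIER_PATTERNS = [
    ("url", re.compile(r"https?://\S+?(?=[.,;]?(?:\s|$))", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone_or_fax", re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)")),
    ("date_of_birth", re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")),
    ("medical_record_number", re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.I)),
    ("zip_code", re.compile(r"\b\d{5}(?:-\d{4})?\b")),  # last: shortest, most ambiguous
]

# Constructed indicator of "reveals the state of a person's health", the
# other half of the PHI test (an assumption for the example; a deployment
# would use a proper clinical vocabulary).
HEALTH_TERMS = re.compile(
    r"\b(?:diagnos\w*|prescri\w*|medication\w*|symptom\w*|treat\w*|diabetes|hypertension)\b",
    re.I,
)


def find_identifiers(text):
    """Return (findings, redacted_text).

    findings is a list of (category, matched_string), grouped by category in
    pattern order.  Each pattern's matches are replaced with a tag before the
    next pattern runs, so a longer identifier (a URL, an IP address) is
    consumed whole before a shorter pattern (ZIP code) can claim a fragment
    of it and double-count.
    """
    findings = []
    for category, pattern in IDENTIFIER_PATTERNS:
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)))
        text = pattern.sub(f"[{category.upper()}]", text)
    return findings, text


def classify_record(text):
    """Apply the page's two-part test: individually identifiable AND about health."""
    findings, redacted = find_identifiers(text)
    reveals_health = bool(HEALTH_TERMS.search(text))
    return {
        "identifier_categories": sorted({c for c, _ in findings}),
        "identifier_count": len(findings),
        "reveals_health_state": reveals_health,
        "is_phi": bool(findings) and reveals_health,
        "redacted": redacted,
    }


# Constructed sample records: a fictitious patient (RFC 5737 test address,
# 555 phone number) and a vendor note that carries identifiers but no
# health information.
CLINIC_NOTE = (
    "Patient Jane Doe, DOB 03/14/1962, MRN 0048213, ZIP 30309, "
    "phone (404) 555-0142, email jane.doe@example.com. "
    "Diagnosis: type 2 diabetes; prescribed metformin 500 mg. "
    "Portal login from 203.0.113.7 via https://portal.example.org/pt/44190. "
    "SSN on file 123-45-6789."
)
VENDOR_NOTE = "Vendor contact: bob@example.com, phone 404-555-0199, account 7731."

if __name__ == "__main__":
    for label, record in (("clinic note", CLINIC_NOTE), ("vendor note", VENDOR_NOTE)):
        result = classify_record(record)
        print(f"--- {label}: is_phi={result['is_phi']} "
              f"({result['identifier_count']} identifiers, "
              f"health={result['reveals_health_state']})")
        print(result["redacted"])
```

Running it flags the clinic note as PHI with eight identifier categories and leaves the vendor note unflagged even though it carries an email address and a phone number: identifiers alone are not PHI, and health information alone is not PHI, which is the point of guides 4 and 5 above. Pattern order matters; the URL and IP patterns run before the ZIP pattern so a five-digit run inside them is not counted twice.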

Where Is Privacy Most Often Compromised?

  • staff conversations away from work:
    • restaurants, elevators, parking lots, etc.
  • front desk & registration areas
  • websites & email messages
  • telephones
  • fax machines

HIPAA & minors

  • Under HIPAA, the right to sign an authorization for a minor, and access rights to a minor's PHI, flow to whoever has the right to make healthcare decisions for the minor:
    • parent
    • legal guardian
    • court-appointed representative
    • the minor personally, if emancipated

Additional terms

References

  1. Prescriber's Letter 12(9), 2005: "HIPAA Confusion and Fear about Protected Health Information", including "HIPAA Made Simple: A Survival Guide". Detail-Document#: http://prescribersletter.com/(5bhgn1a4ni4cyp2tvybwfh55)/pl/ArticleDD.aspx?li=1&st=1&cs=&s=PRL&pt=3&fpt=25&dd=210914&pb=PRL (subscription needed); http://www.prescribersletter.com