HIPAA

HEALTH INSURANCEPORTABILITY AND

ACCOUNTABILITY ACT

PAUL D. FRIEDMAN, M.A., J.D.300 W. Clarendon, Ste. 400

Phoenix, Arizona 85013(602) 252-8888

[email protected]

HIPAA(not HIPPO)

©Copyright 2005Paul D. Friedman, M.A., J.D.

WHY DID THE HIPPO CROSS THE ROAD?


BECAUSE HE HEARD THERE WAS GOING TO BE A PRESENTATION ON HIPAA ON HIS SIDE OF THE ROAD.

Is it too late to leave?

THE PURPOSE OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

HIPAA amended the Employee Retirement Income Security Act (ERISA), to provide new rights and protections for participants and beneficiaries in group health plans..


HIPAA OVERVIEWHIPAA

Health Insurance Portability and Accountability Act of 1996

Transactions Code Sets

Insurance Portability

AdministrativeSimplification

Fraud and AbuseMedical Liability

Reform

Title I Title II Title III Title IV Title V

Privacy Security EDI

Tax RelatedHealth Provision

Group HealthPlan Requirements

RevenueOff-sets

Identifiers


HIPAA PORTABILITY• Limits Exclusions For Pre-Existing

Conditions

• Prohibits Discrimination Against employees And Dependents Based Upon Health Status


HIPAA PORTABILITY

Health Insurance Must Include Coverage For Pre-Existing Conditions As Long As There Has Not Been A Break In Coverage For 63 Days Or More


Administrative Simplification

[Accountability]

InsuranceReform

[Portability]

Health Insurance Portability and Accountability Act

(HIPAA)

HIPAA - 2003

Transactions, Code Sets, & Identifiers

PRIVACY

Compliance Date:

4/14/2003

Security


PURPOSE OF THE HIPAA PRIVACY RULE

Protect And Enhance The Rights Of Consumers By:Providing Access To Their Health InformationControlling Inappropriate Use Of That Information

Improve Quality of Health Care

Improve Efficiency And Effectiveness Of Health Care Delivery By Providing A National Framework For Privacy Protection


PRIVACYHow Protected Information in Either Written Or Verbal Form Is:

StoredTransmittedSharedDiscardedDisclosed


PRIVACY: PENALTIES

$100 for each violationMaximum of $25,000 per year per specific provision

NON-COMPLIANCE

WRONGFUL DISCLOSURE

FALSE PRETENSES


$50,000 And/Or Up To 1 Year In Prison

$250,000 And/Or Up To 10 Years In Prison

Notify Patient Of Their Privacy RightsPatient Access To Their Medical RecordsPatient Consent Before Releasing

Information

INTRODUCTON TO PRIVACY

The Privacy Rule Provides:


COMPLIANCE TO PRIVACY

Provide patients with a written explanation of how the organization may use and disclose their health informationProvide patients with the ability to get

copies of their medical information and request amendmentsObtain patient consent before sharing

medical information

Compliance Involves:


PERMISSION

HIPAA Allows For But Does Not Mandate Consent For Disclosure of Personal Health Information For Treatment, Payment And Health Care Operations

CONSENT

AUTHORIZATIONWritten Authorization Is Mandated Unless

There Is A Specific Exclusion©Copyright 2005Paul D. Friedman, M.A., J.D.

AUTHORIZATION EXCEPTIONS

Treatment, Payment or Health Care Operations Directories At Facilities Family And Friends Marketing Fundraising Averting a Serious Threat To Health Or Safety Health Oversight Activities Judicial And Administrative Proceedings Law Enforcement Public Health Activities Required By Law Research Victims of Abuse, Neglect Or Domestic Violence

Authorizations Are Mandated Except:


AUTHORIZATION ELEMENTS

Identity Of The Party Authorizing The Disclosure Signature Of The Party Authorizing The Disclosure

Agent May Sign If The Designation Is Present Parents Generally Can Sign On Behalf Of Minors Unless

The Minor Consents And Parental Consent Is Not Mandated Under State Law

The Court Appoints A Guardian Or Allows Assent Parent Agrees That It The Child Has A Confidential Relationship

Identity Of The Party Receiving The Disclosure Identity Of The Party Providing The Disclosure

The Core Elements Of A Valid Authorization:



Description Of Information To Be Disclosed Purpose For Disclosure Expiration Date Or Event Required Statements

Right To Revoke The Authorization Treatment Not Conditioned On Signature

Redisclosure May Occur Plain Language Copy Of Signed Authorization Provided To Individual

Core Elements Of A Valid Authorization (cont):



Copy Is Valid As An OriginalMay Be Prepared By A Third Party No Required Format HIPAA Federally Preempts State Laws Unless

State Law Prevents Fraud And Abuse Ensures Appropriate State Insurance Regulation Necessary For State To Report Health Care Delivery Costs Compelling Need Related To Public Health, Safety Or Welfare Regulation Of Controlled Substances State Law Is More Stringent Than HIPAA Reporting of Disease, Injury, Child Abuse, Birth Or Death Health Plan Management Audits

Other Considerations For Authorizations:


DISCLOSURE WITHOUT AUTHORIZATION

Providers Own Treatment, Payment Or Health Care Operations

Another Provider If Conducting Quality Assessment Case Management And Care Coordination Informing Patient Of Treatment Alternatives

Threat To Health Or Safety & Complies With Legal Duties Law Enforcement Public Health Activities Victims Of Abuse, Neglect Or Domestic Violence

Lawful Oversight Activities Judicial & Administrative Proceedings

Authorization Is Not Mandated:



Disclosure Must Be Made To A Law Enforcement OfficerMust Be Required By Law

Mandatory Reportable Physical Injuries (I.e. gunshot wound) Court Order Administrative Request

Relevant & Material To A Legitimate Law Enforcement Inquiry Request Is Specific & Limited In Scope To Purpose Which Is Sought Redacted Information Would Not Be Useful

Victims Of Abuse, Neglect Or Domestic Violence

Law Enforcement Disclosures:



Location Of A Suspect, Fugitive, Material Witness Or Missing Person Name & Address Date & Place Of Birth Social Security Number Blood Type & Rh Factor Type Of Injury Date & Time Of Treatment Date & Time Of Death (if applicable) Physical Characteristics

Height, Weight, Gender, Race Hair Color, Eye Color, Facial Hair, Scars and Tattoos

Law Enforcement Disclosures (continued):



Patient Suspected To Be A Victim Of A Crime Who Agrees To Disclosure Cannot Consent Due To Incapacity Or Emergency Circumstance

Provider Determines It Is In The Best Interests Of The Patient Information Is Needed To Determine If a Law Was Violated Adverse To Law Enforcement Activity To Wait For Permission

Death If It Is Suspected Was A Result Of Criminal Activity Emergency Situation

Commission & Nature Of A Crime Location Of A Crime Identity, Description & Location Of Perpetrator Of Crime

Law Enforcement Disclosures (continued):



Patient Is Present And Agrees Or ObjectsPatient Is Incapacitated Provider Determines That Patient Would Not Object To

SurrogateCan Be For Limited InformationCan Be Retracted At Any Time

Friends & Relatives


HYPOTHETICAL NUMBER ONE


I Just Hate Hippotheticals!


You are taking care of a well-known actress who is in intensive care after a drug overdose. She is experiencing severe renal failure.

A nurse on another floor asks you if you are aware that this actress is on your unit after the overdose.

What do you say?©Copyright 2005Paul D. Friedman, M.A., J.D.


Ask yourself the following questions:

1) Does your friend need to know if the patient is being treated in your facility?

2) Does your friend need to know if the patient is being treated in intensive care?

3) Does your friend need to know if the patient overdosed to do his [the nurse’s] job?

4) If you were the patient, would you want this person [the inquiring nurse] to know about your treatment?



HIPAA forbids you from sharing this information unless it is necessary for the treatment of this patient.

HIPAA forbids the other nurse from accessing information unless it is necessary for his treatment of the patient.




That Was Pretty Easy. I Kind ofLike This Guy!

HYPOTHETICAL NUMBER TWO


I Spoke Too Soon!



A family member of you patient calls your unit and asks you questions about the status of the patient.

What do you say?



Ask yourself the following questions:

1) Did The Patient Give You Authority To Speak To Family Members?

2) If So, Have You Been Authorized To Release The Information You Are Asked To Disclose?

HIPAA RESOURCES

http://www.aamc.org http://www.hhs.gov/topics/privacy.html http://www.hipaadvisory.com lhttp://www.cio.gov/documents/info_security


THE END OF HIPAA


Whew, Now Ican come back.That Wasn’t So

Bad!

Documents

HIPAA