
"No, it's not a female Hippopotamus, anyone else know?"


Page 1:

"No, it's not a female Hippopotamus, anyone else know?"

Page 2:

"You have 300 e-mails on HIPAA compliance questions. And you could use a haircut."

Page 3:

"I haven't heard of HIPAA, but I can hip hop."

Page 4:

State & Regional Medical Equipment Association Training PowerPoint:

HIPAA TODAY - Where Do We Go From Here?

Updates, Tips & Action Items for HME/Re-hab & Home Care Providers

Mark J. Higley, MBA, Vice President - Development, The VGM Group

Page 5:

Training is Required!

All employees and members of your work force who have access to protected health information need HIPAA training! This PowerPoint presentation – and the many other features and information available on this web site – will assist you in satisfying the training requirement!

Page 6:

The format…

We’ll try to present the information in an easy to understand (and sometimes humorous) manner!

Page 7:

So….

Let’s Get Started!

Page 8:

By Now, You All Know what HIPAA is…right?

Healthcare In Pain And Agony (again)

Page 9:

The Big Picture

HIPAA implementation of the standards does not have to be any type of major burden on the average HME/Re-hab provider, especially not an economic burden.

Page 10:

You’ll be OK!

The Privacy compliance date is now effective (April 14, 2003). Many providers are not yet compliant. You’ll be OK. There is, effectively, no enforcement (*). But, some of you may need to get moving NOW.

(*) At this time, any OCR actions have been “patient complaint driven”, i.e., there is no formal HIPAA auditing procedure. There have been a relatively small number of patient-initiated complaints (about 700 nationwide as of 7/17/03), most regarding a) patient denied access to his or her medical records, b) no notice of privacy practices provided to patients, and c) inadequate privacy safeguards in place in treatment settings.

Page 11:

Although health care organizations had more than 24 months to implement HIPAA…

Much confusion and misunderstanding persists…

Without doubt, there may be some real barriers and glitches in the law…

But, at this stage it is important to clear up the glaring misconceptions!!

Page 12:

To get us “warmed up” let’s look at a few common examples regarding “Myths” and the facts about what the law actually says. (We’ll have more examples later.)

Page 13:

Myth

One provider cannot send medical records of a patient to another provider without that patient's consent.

Page 14:

Fact:

No consent is necessary for one provider to transfer a patient's medical records to another provider's office for treatment purposes. The Privacy Regulation specifically states that a provider “is permitted to use or disclose protected health information” for “treatment, payment, or health care operations,” without patient consent.

Page 15:

Myth

A provider is prohibited from sharing information with the patient's family without the patient's express consent.

Page 16:

Fact:

Under the Privacy Rule, a provider may “disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual,” the medical information directly relevant to such person's involvement with the patient's care or payment related to the patient's care. If the patient is present, the provider may disclose medical information to such people if the patient does not object.

Page 17:

Myth

A patient's family member can no longer pick up supplies from an HME provider or prescriptions from a pharmacy for the patient.

Page 18:

Fact:

Under the Regulation, a family member or other individual may act on the patient's behalf “to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.” The Regulation permits the provider to reasonably infer that doing so is in the patient's best interest and in accordance with professional judgment and common practice.

Page 19:

Myth

Patients will sue health care providers for not complying with the HIPAA Privacy Regulation.

Page 20:

Fact:

Even if a person is the victim of an egregious violation of the HIPAA Privacy Regulation, the law does not give people the right to sue. An individual's only federal recourse is to file a written complaint with the Office of Civil Rights, and it is then within the Secretary's discretion to investigate the complaint.

Page 21:

(continued)

And, according to the final rule, HHS “intends to seek and promote voluntary compliance” and “will seek to resolve matters by informal means.” Therefore, enforcement “will be primarily complaint driven,” and civil penalties will only be imposed if the violation was willful, with the standard being even higher for imposing criminal penalties, so there is not a likelihood of strict enforcement or severe penalties.

Page 22:

Myth

Patients' medical records can no longer be used for marketing.

Page 23:

Fact:

Use or disclosure of medical information continues to be permitted for health related marketing. The 2000 version of the Privacy Rule required that patients be notified if the health care provider was paid to communicate about a health related product, be given the opportunity to opt out of future communications, and be informed of the identity of the source of the communication. The Bush Administration eliminated all of these requirements from the Regulation.

Page 24:

Marketing, continued

Currently, the only disclosure of medical information for marketing that requires prior authorization by the patient under the Privacy Rule is that in which the provider is paid to recommend a product or service that is not related to health. The Privacy Regulation prohibits “marketing”; however, marketing is narrowly defined so that any communication about health related products or treatment is permitted even if the health care provider is paid to encourage the patient to use the product or service.

Page 25:

??????

The HIPAA Privacy Rule remains as a source of great confusion among providers and others within the health care community.

We’ll review some of the more confusing issues in a minute!

Page 26:

For governmental information on HIPAA……

e-mail your questions to [email protected]

Call the CMS HIPAA HOTLINE 1-866-627-7748

Log onto the CMS HIPAA web site: http://www.cms.hhs.gov/hipaa

For Privacy inquiries only, check out: http://www.hhs.gov/ocr/hipaa

Call: 1-866-627-7748

Page 27:

For information on HIPAA that you can understand…

e-mail your questions to [email protected]

For training (*):

Log onto the VGM HIPAA web site: http://www.vgm.com/regulatory/hipaa.asp

Call: 1-800-642-6065

Page 28:

Let’s go back a little: What Do I Really Have To Do Now?

Page 29:

At a minimum (if you haven’t done so yet!):

1. Appoint a Privacy Officer (a person responsible for seeing that the privacy policies and procedures are developed, adopted and followed)

2. Post a Notice of Privacy Practices and provide a copy to patients, informing them of their privacy rights, how their information can be used and how it will be protected.

Page 30:

And…

3. Create, adopt and implement your policies and procedures for your facility.

4. Train employees so they understand the new privacy procedures (Use the VGM PPT presentation!)

5. Secure patient records that contain protected health information so that they are not readily available to those who don't need them but are to those that do.

Page 31:

And, remember the Transaction and Code Set Compliance date is coming up!

You should now have begun testing your updated software internally (or make sure your clearinghouse or third party biller is doing so) to ensure your systems will be able to transmit standardized transactions correctly starting October 16, 2003.

Page 32:

October 13, 2003

“All covered entities must be ready to transmit and receive the covered transactions they conduct electronically in the new standardized HIPAA format. The law also requires all Medicare claims be submitted electronically in the HIPAA standard format starting October 16, 2003 (with the exception of those from small providers and under certain limited circumstances.)”

Page 33:

Test, test and test.

Test your systems early and often. Call your payers and determine when they will be ready to test with you (or your billing service or clearinghouse). Continually monitor their progress until you are satisfied that you are compliant with the standards. Changes to your software may also affect your internal office procedures. Test your office systems and be certain to train your staff on any changes.

Page 34:

Quick Review of the Basics!

HIPAA Applies to Covered Entities (you all knew that, right??)

Health Plans

Health care Clearinghouses

Health care Providers

Page 35:

“TPO”

“TPO” = Treatment, payment and certain health care operations

The definition covers more than you might expect!

Page 36:

Treatment

“The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another."

Page 37:

Payment

For health plans, to obtain premiums or to provide reimbursement to providers of health care services

For health care providers, to obtain reimbursement for such services.

Includes billing, claims management, collection activities, review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

Page 38:

and also…

utilization review activities, including precertification and reauthorization of services, concurrent and retrospective review of services; and disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: name and address, date of birth, social security number, payment history, account number(s), and name(s) and address(es) of health care provider(s) and/or health plan(s).

Page 39:

Health care operations

HIPAA bundles a large number of functions into the term "health care operations." This expansive list is important for many reasons, most notably because HIPAA requires no permission from patients for uses

Page 40:

Health care operations include:

contacting of health care providers or patients with information about treatment alternatives

case management and care coordination

conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines or protocols (but NOT general research)

activities relating to improving public health or reducing health care costs

Page 41:

and…

reviewing the competence or qualifications of health care professionals

evaluating practitioner and provider performance

evaluating health plan performance

conducting training programs for students, trainees, or practitioners (health or non-health)

accreditation, certification, licensing, or credentialing activities

Page 42:

and…

conducting or arranging for medical review, legal services, auditing functions or other compliance programs

business planning and development, cost-management and planning-related analyses

development or improvement of methods of payment or coverage policies

business management and general administrative activities of the entity

business activities relating to compliance with HIPAA

Page 43:

Wow! That Includes a Lot!

It sure does! So, you see that in most cases in dealing with your patients you do NOT need to worry about obtaining any consent.

But…… Information uses and disclosures not falling within the TPO trio, and not otherwise exempted by other parts of the privacy regulations, require a supplemental authorization.

Page 44:

Authorization

For some "extra" activities, the patient must provide an authorization. There are four areas where authorizations are likely to come into use.

Page 45:

The Four Areas

The first is for psychotherapy notes, but these are probably not applicable to most HME/Re-hab providers!

The second important area is research. HIPAA defines research as any "systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge."

Page 46:

Authorizations, cont’d

The third major area for authorizations is a marketing activity that fails to meet certain criteria for exception.

Under HIPAA regulations, marketing is defined as "making a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service."

Page 47:

Authorizations, cont’d

The fourth area is in general requests for, and release of, protected health information, such as information required as part of an insurance coverage application.

For HME/Re-hab providers, this area is the most likely in which you will need to obtain the authorization.

Page 48:

Some Better News About Authorizations

The final Privacy Rule eliminates the requirements to have separate and different authorization forms. A single authorization form is to be used for all authorization purposes.

The single model form may be downloaded from www.vgm.com.

Page 49:

Other Important Features of the Final Privacy Rule

Page 50:

Notice of Privacy Practices

Must be presented at “time of first service” (usually for treatment)

This does NOT mean providers have to mail the NPP to their entire patient data base (more discussion will follow…)

Model Forms are readily available for specific HME, Home Care & Hospice applications!

Page 51:

Tips on the NPP

Use dual “layered” Notices (post a shorter version that briefly summarizes the individual's rights, as well as other information)

“Revised” Notices must be redistributed to patients (Web site posting is OK!)

Direct treatment providers must still hand out the full notice (with or without a summary) and obtain an acknowledgement of receipt in writing or make a good faith effort to obtain one.

Page 52:

What about this NPP acknowledgement?

HIPAA does NOT specify a format nor content to the Acknowledgement of the NPP, except that the document is "a written acknowledgement of receipt" or "documentation of good faith efforts to obtain such written acknowledgment".

Page 53:

More NPP & Acknowledgment

If the good faith effort fails to obtain an acknowledgment (e.g., the patient refuses to sign), the reason(s) why should also be documented in writing.

A health care provider whose first treatment encounter with a patient is over the phone satisfies the requirements by mailing the notice to the individual no later than the day of that service delivery.

Page 54:

More NPP & Acknowledgment

Providers may include a tear-off sheet or other document with the notice that requests the acknowledgment be mailed back to the provider.

In some cases, “electronic” (e.g. email) delivery is OK.

Questions about the NPP?

Page 55:

Pharmacy & NPP?

We just added DME to our pharmacy. Is our pharmacist permitted to have customers acknowledge receipt of the notice by signing or initialing the log book that they already sign when they pick up prescriptions??

Page 56:

Yes, provided that the individual is clearly informed on the log book of what they are acknowledging and the acknowledgment is not also used as a waiver or permission for something else that also appears on the log book (such as a waiver to consult with the pharmacist). The HIPAA Privacy Rule provides covered health care providers with discretion to design an acknowledgment process that works best for their businesses.

Page 57:

Consent

(Remember….now optional)

Providers may obtain patient consent prior to using or disclosing PHI for treatment, payment or healthcare operations

Page 58:

Business Associates:

(Confused? You’re not alone!!)

Page 59:

Business Associates – What’s New?

The effective date for compliance with the Business Associate (BA) provisions of the HIPAA Privacy rule was extended one year to April 2004 for existing contracts

DHHS provides model business associate contract provisions designed to make it easier and less costly for providers to implement the requirements. (Available from VGM!)

Page 60:

Business Associates – General Review

Who needs them? Individuals and entities that receive PHI to perform or assist the performance of a function or activity on behalf of a CE.

Page 61:

Who are your BAs?

Let’s start with the “formal definition”:

"A person who on behalf of a covered entity (or of an organized health care arrangement in which the covered entity participates) performs or assists in the performance of:

Page 62:

BAs

….a function or activity involving the use or disclosure of individually identifiable health information, including

Claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing; or

Page 63:

BAs

A person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for such CE (or to or for an organized health care arrangement in which the CE participates) where the provision of service includes the disclosure of individually identifiable health information from such CE (or arrangement) or from another business associate of such CE (or arrangement) to the person."

Page 64:

Two Key Questions!

Are they performing a service or activity on our behalf?

Does the service or activity involve the use or disclosure of protected health information for purposes other than treatment?

Page 65:

So, just who may be your BAs?

Accountants, lawyers, practice management services, billing and coding services, paper shredding services, health records storage services, telephone answering services, copying services, bookkeeping services, marketing services, outside financial companies, professional liability carriers, clearinghouses, computer hardware vendors, software vendors, computer support companies, web designers and hosting services, electronic attachment services, collection companies, etc.

Page 66:

What about product manufacturers, suppliers & other vendors?

A business associate agreement should be used only when you intend the other party to have access to patient-identifiable information in order to perform some service for you. This is not what generally occurs when a homecare provider is purchasing inventory or otherwise buying items or accepting samples from a vendor.

Page 67:

It is generally not advisable for a homecare provider to enter into a business associate agreement with a manufacturer or other vendor from whom it purchases products, supplies or drugs, unless the provider also provides patient-identifiable information to the manufacturer in order to perform some other service. Examples of services that might require a business associate agreement include patient outcomes analysis, quality improvement analyses, benchmarking against standards of care, and so forth.

Page 68:

Who else is probably NOT a BA?

Another health care provider for treatment of an individual

A health plan that is a public benefits program, e.g., Medicare, and an agency other than the agency administering the health plan, such as the Social Security Administration

Persons or services, e.g., janitorial service or electrician, whose functions or services do not involve the use or disclosure of PHI and where any access to PHI would be incidental, if at all.

Page 69:

Who else is probably NOT a BA?

A person or organization that acts merely as a conduit for PHI, e.g., US Postal Service, private couriers, banks and other financial institutions, etc.

Page 70:

More Common BA Questions!

Do providers need a business associate agreement with manufacturers/vendors for treatment consultations?

Page 71:

No.

The Privacy Rule specifically states that such agreements are not required for disclosures by a CE to another entity involved in treating a specific patient, and HHS has determined that a manufacturer’s services in supporting appropriate use of its product for a patient are part of the patient’s treatment.

Page 72:

Not Sure About Who Needs the BAC?

If you are not sure whether a BA contract is needed, and/or whether the entity is independently covered (i.e., is a CE), do not immediately enter into a contract until further review and analysis is completed. Why????

Page 73:

Many reasons…. Remember, it is a CONTRACT!

Some situational examples:

Although a HIPAA BA Contract does not require you to monitor the BA, it would require action if you become aware of a breach on the BA's part.

Amongst other actions, you would have to cancel the primary contract if the BA failed to cure the breach. The BA could fail to cure the breach if they disagree that there is a breach. Do you really need these kinds of headaches?

If the other entities are covered entities, let the Office of Civil Rights deal directly with them in any dispute over ambiguity in compliance.

Page 74:

Sample BA Letters & Info

See the main HIPAA menu page at:

http://www.vgm.com/regulatory/hipaa.asp

Page 75:

Individual (Patient) Rights, Training and Use & Disclosure

Many providers don’t realize there is much more to the Privacy Rule than the NPP and Business Associate regs. You should be aware of (at least) these issues. Let’s review some of them!

Page 76:

Individual (Patient) Rights

Right to request restrictions on certain uses and disclosures

Right to receive confidential communications of PHI

Right to review and copy PHI

Page 77:

Individual (Patient) Rights

Right to amend and correct PHI

Right to receive an accounting of how PHI has been used or disclosed

Right to receive written notice of how PHI will be used and disclosed

Page 78:

Training

The regs require that you “provide training to members of the work force”

This does NOT necessarily mean you have to expend many $$ for the many “tools” now on the market. (Begin with the free VGM training!)

Page 79:

Training

Rather, the guidance states, it depends on the size and complexity of your operation.

In many cases, the training can be simply having your staff read the appropriate sections of your compliance materials, and sign that they understand your policies and procedures (!)

Page 80:

A Few Training Details

On-going training is required

New staff, volunteers and temporary hires are required to have HIPAA training

Business Associates are an option

For larger organizations, make training a part of orientation and re-orientation

Page 81:

Common Use & Disclosure Questions/Topics

Use & Disclosure regulations are quite long (and some think very boring!) So, we’ll use some common Q&As and a few real-life situations to keep you a little more interested…Deal?

Page 82:

Use & Disclosure

Patient Medical Record: We have a patient's medical record that contains older portions of a medical record that were created by another/previous provider (such as a physician). Will the HIPAA Privacy Rule permit us to disclose a complete medical record even though portions of the record were created by other providers?

Page 83:

Answer…

Yes, the Privacy Rule permits a provider to disclose a complete medical record, including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.

Page 84:

Use & Disclosure, cont’d

Do patients have the right to access and/or amend their records that were created prior to the effective date of the Privacy Rule (4/14/03)?

Page 85:

Use & Disclosure

YES!

Page 86:

Use & Disclosure, cont’d

Doesn’t HIPAA require a homecare provider to keep a manufacturer’s personnel, such as our Sunrise Medical rep, from being in the office? What about delivery people and PHI?

Page 87:

No.

The rule recognizes that many people who are not seeking care have valid reasons for being in provider offices: other people’s visitors, custodians and delivery personnel, as well as employees of manufacturers and other vendors.

The rule specifically provides that it is not unlawful for information about patients to be seen or overheard in these settings, provided that there are safeguards in place so that any such exposure is incidental to an otherwise lawful use or disclosure.

Manufacturer personnel visit homecare and other providers to bring samples, to meet with clinical staff to answer questions and provide information about the use of new products, and to meet with people who may be ordering products and supplies.

Use & Disclosure, cont’d

Would an authorization be necessary for a patient to take records, for treatment reasons, to another provider? And/or, can a family member pick-up records for the patient for the same reason?

Authorization is not required under HIPAA, but it may be required under your state law.

Consider obtaining an authorization from the patient even if your state law does not require it. It is your proof that you allowed access to those records and your proof that you verified the identity of the person making the request for copies of the record. You could document all that information, which is time consuming, or you could have the patient complete an authorization and use that for your documentation.

Use & Disclosure, cont’d

(Actual VGM Question): “I HAD A PHONE CALL FROM ANOTHER DME SUPPLIER ASKING ABOUT A COMMON PATIENT. HOW DO I HANDLE SUCH A REQUEST AS IT PERTAINS TO HIPAA AND PHI DISCLOSURE? THANK YOU”

The final Privacy Rule (August 2002 amendments) eased many of the privacy regulations, including TPO Disclosures:

“Clarifies disclosures from one provider to other providers for treatment are permitted, and the CE can disclose PHI to another CE to facilitate the recipient’s Payment and aspects of Health Care Operations, i.e., quality assurance, population based health activities, case management, training, accreditation, certification, licensing, or credentialing.”

Use & Disclosure, cont’d

If my patient suggests that I am not complying with the Use and Disclosure regulations, and/or that his privacy rights have been violated, where would he submit a complaint?

The Office for Civil Rights (OCR). However, CEs have until April 14, 2003, to comply with the HIPAA Privacy Rule. Activities occurring before April 14, 2003, are not subject to OCR enforcement actions. After that date, a person who believes a CE is not complying with a requirement of the Privacy Rule may file a written complaint with OCR, either on paper or electronically. This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.

Use & Disclosure, cont’d

If patients request copies of their medical records as permitted by the Privacy Rule, are they required to pay for the copies?

The Privacy Rule permits you to charge reasonable, cost-based fees. The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed. If the patient has agreed to receive a summary or explanation of his or her PHI, you may also charge a fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information.

Use & Disclosure, cont’d

Can I FAX patient medical information to another provider’s office (such as the primary care physician)?

Yes.

Providers can disclose PHI to another health care provider for treatment purposes. This can be done by fax or by other means. You must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI that is disclosed using a fax machine.

Examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other provider’s office, and placing the fax machine in a secure location to prevent unauthorized access to the information.

Use & Disclosure, cont’d

The section concerning "Amendment of Health Information" gives no examples of what types of information a patient may want to amend in his/her PHI. What is this all about? I can see someone needing to change insurance information or similar items, but surely the actual medical condition or circumstances of the event cannot be changed!

The government's intent with the Amendment rule is to make sure the record is complete and accurate. The Amendment rule limits the items that may be amended to those in the designated record set, which is determined by the provider, usually the medical and billing record.

It is not, however, meant to allow any and every correction to be made, since medical records are legal documents. It is also not meant to be an administrative burden on the provider. So by checking and making sure records are complete and accurate, a provider can minimize the amount of "amending" that needs to be done.

The provider is also not responsible for records not originating within his office. The patient should be directed to the source of the record for those amendments.

Use & Disclosure, cont’d

I read that “incidental” use and disclosure is OK. I presume that means things like if I’m overheard discussing patient treatment with another therapist. What’s the actual definition?


Customary communications and practices play an important and essential role in ensuring that patients receive prompt and effective health care. Due to the nature of the communications and the various environments, the potential exists for a patient’s PHI to be disclosed incidentally. HIPAA does not intend to impede these communications and practices and does not require that all risk of incidental use or disclosure be eliminated to satisfy the standards.

Incidental uses and disclosures are permitted if they occur as a by-product of another permissible use or disclosure, as long as the CE has applied reasonable safeguards and implemented the minimum necessary standard.

Use & Disclosure, cont’d

How about collection agencies?

Disclosure of PHI to a collection agency used by CEs is acceptable under HIPAA as a Business Associate arrangement. Under HIPAA rules the CE may disclose protected health information as necessary to obtain payment for health care, and the rule does not limit to whom such a disclosure may be made.

SECURITY

(If this doesn’t confuse you, nothing will!)

Security Rule: FYI!

The Security Rules were recently finalized and published in the Federal Register on February 21.

Rules will be effective April 21, 2005. Security and Privacy Rules intertwine.

Even with a 2005 compliance date, the time to prepare is now!

What? There is “security” in the “Privacy Rule”?

Yes. There is a "mini-security rule" (in section 164.530, for any HIPAA-nerds) that requires providers and their business associates to implement "appropriate administrative, technical and physical safeguards" for PHI in all forms, non-electronic and electronic, requiring compliance by April 14, 2003.

The Final Security Rule

The final standards are defined in rather generic terms that emphasize being “scalable, flexible, and generally addressable through various approaches or technologies”. So, the final rule is essentially a model for information security, with less specific guidance on how to implement it.

What about some model forms like we have for the Privacy Rules???

Good question! HHS has promised more specifics in the future and to provide model guidance documents. As the compliance date is not until 2005, we have some time.

OK, in the meantime, what’s in this final Security Rule???

The new rules, just like the Privacy rules, have "standards" - what must be done; and "implementation specifications" - how to do it. The standards are separated into three groups - Administrative Safeguards, Physical Safeguards and Technical Safeguards.

“Implementation Specifications”

Most of the standards have “implementation specifications” that describe the actions that should be taken to ensure compliance with the standards. However, only 13 of these implementation specifications are required; the majority of the specifications are termed "addressable."


HHS introduced this concept of "addressable implementation specifications" (AIS) to provide you “additional flexibility with respect to compliance with the security standards.”

“Addressable”??

“Addressable specifications” are variable approaches to meeting specific standards, any of which may not be relevant to you. For example, the Rule requires training on security issues for the workforce, but identifies training in passwords only as an "addressable" specification.

So, “addressable” gives us a little wiggle room, huh?

You might say that. But you still must be reasonable!

What is reasonable?

The decision about the “reasonable and appropriate” nature of these “addressable specifications” is up to you, the provider! It should be based on your overall technical environment and security framework. This decision may rely on many things, including the measures you already have in place, and the cost of implementing new measures.

What’s “Required”

“Required implementation” is just what it says: the provider will need to implement this specification to be in compliance.

The list includes many workstation use and security procedures.

Give me an example of some “required” workstation procedures!

OK!: “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

That’s HIPAA-Babble and pretty vague, isn’t it?

Yes, I agree. Again, by next year we’ll be seeing plenty of “how to” security compliance manuals and tips. Remember the procedures will be scalable to the size and complexity of your provider organization. In the meantime, just try to understand the concepts!

Let’s Be Reasonable: Flexible and Scalable Security

Most important: Use common sense and reason when securing your data, systems, facility and personnel!

Many of the requirements are probably already in place (e.g., locks on the doors, fire and theft alarms for the facility…you get the idea, right?)

Summary of the HIPAA Security Rules

Establish and document policies and procedures relating to information security

Establish physical safeguards of computer systems, equipment and buildings

Technical security to protect the confidentiality and integrity of information and control and monitor access

Safeguard systems against external threats

The Bottom Line:

Remember! “Scalability – the Privacy and Security rules are the same no matter what size the entity”…however, implementation requirements for small providers are much less than what is expected from large providers.

Important!

You should not panic and think Security is going to cost you a fortune. Think before you buy and let common sense and reason be your other guide!

Fact or Fiction?

Fact or Fiction?

Patient: My respiratory therapist needs to discuss my treatment with other doctors. But the Privacy Rule prohibits doctors and other providers from discussing private health information if there is a possibility that someone will overhear. What if my therapist needs to discuss my condition with a doctor, or with me over the phone from someplace other than a private office? The privacy rule prevents these discussions!

Fiction!

False! The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. HHS has developed new regulatory language to clarify this issue.

Fact or Fiction?

Patient: The privacy rule will create a government database with all of my personal health information (including data from my home health care providers).

Fiction!

False! The rule does not require a provider or any other CE to send medical information to the government for a government database or similar operation.

Fact or Fiction?

Patient: My HME also has a pharmacy. But, the privacy rule prevents the pharmacist from filling my prescription before I show up and sign that consent. Now, instead of having the prescription waiting for me, I’ll have to come to the pharmacy, sign a consent, and then wait around while the prescription is filled.

Fiction!

False! The Privacy Rule permits CEs, including HMEs and pharmacists, to use identifiable health information for treatment, payment, or health care operations without prior patient consent. HHS developed new regulatory language to fix this potential problem.

Fact or Fiction?

HME or Re-hab Provider: The privacy rule requires me to monitor the activities of my business associates.

Fiction!

False! CEs are not required to monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract.

Fact or Fiction?

The Privacy Rule will require me to redesign my office.

Fiction!

False! The Privacy Rule does not require these types of structural changes be made to facilities. Under the proposed Security Rules, however, covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

Fact or Fiction?

All Providers: The privacy rule allows HME staff, therapists, practitioners, and others to review a patient’s entire medical record if they think they need it to do their jobs.

Fact!

True! The Privacy Rule does not prohibit use or disclosure of, or requests for, an entire medical record. The CE must document in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.

Fact or Fiction?

HME/Re-hab Provider: The privacy rule requires covered entities to purchase expensive computer equipment.

Fiction!

False! The Privacy Rule requirements do not require any particular technologies or types of technologies. They are flexible and scalable to the CE’s information needs and information systems.

Fact or Fiction?

Billing Service, Clearinghouse or Payer: How are we supposed to do business under this Rule? It would prohibit providers from faxing information to us, or to each other, or to their patients.

Fiction!

False! The Rule does not prohibit faxing of individually identifiable health information. Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

Fact or Fiction?

The Privacy Rule is delayed by the Administrative Simplification Compliance Act (ASCA) that was passed in December 2001 and allowed for an extension to October of 2003 by submitting a compliance plan.

Fiction!

False! This law delays compliance with the Transaction and Code Set standards for covered entities that file a compliance plan. This law does not apply to the Privacy Rule. The compliance date for the Privacy Rule is still April 14, 2003.

Fact or Fiction?

Patient: When my family member comes to pick me up from my Re-hab facility, they will still be able to explain my condition and tell him what to expect when I return home. Right?

Fact!

True! The Rule permits providers to discuss a patient’s condition with family or friends involved in the person’s care, unless the patient objects.

FINAL COMMENTS


Develop an understanding of the HIPAA regulations

Designate a Privacy Officer and/or committee

Create, adopt and implement privacy procedures for the facility

Train employees so they understand the new privacy procedures.

Secure patient records that contain protected health information so that they are not readily available to those who don't need them but are to those that do.

Identify all Business Associates

Educate Patients

And finally, remember:

Be Flexible

Be Scalable

(& Don’t forget

reasonable!)


“The privacy regulations

should not interrupt, influence,

or jeopardize patient care”

It is 2003. The Privacy Rule Is Effective!


START NOW!
