Proprietary and confidential and may not be reproduced or distributed without the express consent of Cap Gemini Ernst & Young U.S. LLC and Ernst & Young LLP

HIPAA Executive Office Training January 2003

Cindy Fillman

Department of Public Welfare

Office of General Counsel

HIPAA – How did we get here?

Health Insurance Portability and Accountability Act

Required Secretary of HHS to promulgate standards to implement the Administrative Simplification Portion of the Law (standard transactions).

Intended to “improve the efficiency and effectiveness of the health care system.”

Requires protection of security and privacy of Protected Health Information (PHI) maintained electronically and otherwise.

HIPAA – How did we get here?

REGULATIONS

Electronic Transactions and Code Sets

Unique Employer Identifier

National Provider Identifier

Security and Electronic Signature

Privacy

COVERED ENTITIES

• Health care providers who engage in covered transactions

• Health plans

Includes Medicare and Medicaid and other specified government programs

Includes government programs that do not fall within the specific exclusion for programs:

Whose principal purpose is other than providing or paying the cost of health care, OR

Whose principal activity is the direct provision of health care or the making of grants to fund the direct provision of health care

• Health care clearinghouses

BUSINESS ASSOCIATES

A person or entity who, on behalf of a Covered Entity, uses, accesses, or rediscloses PHI either:

To provide services to a Covered Entity, OR

To perform or assist in the performance of a function or activity for, or on behalf of, the Covered Entity

DPW Priorities

How the Department Prioritized

Definitions assigned to DPW (a Hybrid Covered Entity that is part of an Affiliated Covered Entity) and to Counties, Contractors and other Business Partners (Business Associates)

The Master Client Index drove some decision making

What are we doing?

Appointing Privacy Officials for affected Offices/Bureaus.

Training all members of the workforce

Drafting policy and procedures and beginning new business practices

Rewriting Contracts and Quasi-Contracts (Business Associate Language)

Drafting/Revising Consents and Authorizations

Documenting Decisions and Activities

Training

Committee comprised of personnel of impacted bureaus

Basic format created by the committee

Combination training to allow for flexibility

Kickoff: October to December

Computer and blended training: April

Stand-up (job-specific) training: June

Policy and procedures

High level HIPAA Handbook

Adaptations made by each program office to meet their own needs

Business process changes to be phased in by April 2002.

Privacy Standards

Purpose: To safeguard the privacy of health information by setting rules on the use and disclosure of individuals' protected health information (PHI)

Applies to: Covered entities and business associates who use, store, maintain, transmit, or dispose of patient health information in any form (verbal, written, or electronic)

Privacy Standards (PHI)

Individually identifiable

About an individual’s physical or mental health or condition

About provision of or payment for health care

Created or received by a provider, health plan, clearinghouse, or employer

Transmitted or maintained in any medium (verbal, written, or electronic)

Privacy Standards

Outline individual rights regarding PHI and obligations of providers, health plans, clearinghouses and business associates

Give consumers greater control over use and disclosure of PHI

Restrict certain uses and disclosures of PHI by plans, providers, and clearinghouses, unless authorized by the patient or permitted by law

Privacy Standards

Rules restrict use and sharing of PHI

Higher security and protection levels

Greater individual control and access

Greater accountability

Rules apply to covered entities

Compliance deadline is April 14, 2003

Limit disclosures to the “minimum necessary”

Minimum Disclosure

Except for medical treatment, release of PHI must be kept to the minimum amount necessary to accomplish the purpose of disclosure

We must determine the minimum amount needed

Privacy Obligations

Plans and providers must create privacy-conscious business practices and disclose only the minimum information required

Department must:

ensure internal protection of PHI

monitor external disclosures of PHI

complete employee training, and

establish procedures for addressing clients’ privacy complaints

Privacy Obligations

Plans and providers must inform clients of their business practices (privacy notice)

Providers must obtain written consent from a client to use or disclose PHI, even if just for routine uses for treatment, payment, or operations

A separate, specific authorization is required for non-routine disclosure

Consent vs. Authorization

Consents cover T/P/O (treatment, payment, and operations); authorizations cover most other uses and disclosures

Authorizations are for specific disclosures

May refuse to treat without consent; cannot refuse to treat a patient who won’t sign authorization

Use and Disclosure

Covered entities (CEs) may use or disclose PHI without consent, an authorization, or giving an opportunity to agree or object, including:

• For the payment activities of other CEs or providers who are not CEs, and for certain healthcare operations of other CEs.

• When required by law

• For public health activities

• Reporting domestic violence or abuse and neglect

• For health oversight activities

• For judicial and administrative proceedings in response to a court order, or in response to a subpoena or discovery request if certain assurances are obtained

De-Identified Information

De-Identified Information is not subject to HIPAA requirements

A Covered Entity may determine that health information is not individually identifiable by:

Obtaining an opinion that information is not identifiable from an entity experienced with generally accepted statistical and scientific principles and methods for de-identifying information

Removing specified identifiers of the individual or of relatives, employers, or household members

De-Identified Information

Names

All geographic subdivisions (address, zip code)

All elements of dates (incl. birthdate and date of admission)

Telephone/Fax numbers

E-mail addresses

SSN

Medical record number

Health plan number

Account number

Certificate/license number

VIN/serial number

Device identifier/serial #

URL

IP address

Biometric identifiers (voice/finger prints)

Photos

Other unique characteristics
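The identifier list above is the "remove specified identifiers" route to de-identification (the Safe Harbor method of 45 CFR 164.514(b)). The following is an added example, not code from the presentation or from DPW, showing how a defender might check a record against that list before it leaves a covered entity: structured fields that carry a listed identifier are dropped, and free-text fields are scanned for identifiers that leak in through notes. The field names, the sample record and the regular expressions are constructed for this example; the patterns are illustrative and will miss variants, which is why the slide's other route (an expert determination) exists for anything beyond simple cases.

```python
"""Safe Harbor style de-identification check (added example, constructed data)."""
import re

# Structured fields that carry an identifier from the slide's list and must be
# removed outright. The field names are assumptions about this record layout.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "zip", "birth_date", "admission_date", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vin", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Illustrative patterns for identifiers that commonly leak into free text.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def scan_free_text(text):
    """Return the set of identifier categories that appear in a text value."""
    return {name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text)}


def deidentify(record):
    """Return (cleaned_record, removed_fields, redacted_categories).

    Listed identifier fields are dropped; string values in the remaining fields
    have matching identifiers replaced by a marker so the note stays readable.
    """
    cleaned = {}
    removed = []
    redacted = set()
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            removed.append(field)
            continue
        if isinstance(value, str):
            hits = scan_free_text(value)
            for name in hits:
                value = FREE_TEXT_PATTERNS[name].sub(f"[{name.upper()} REMOVED]", value)
            redacted |= hits
        cleaned[field] = value
    return cleaned, sorted(removed), sorted(redacted)


def is_deidentified(record):
    """True when no listed field remains and no free-text pattern matches."""
    if DIRECT_IDENTIFIER_FIELDS & set(record):
        return False
    return not any(scan_free_text(v) for v in record.values() if isinstance(v, str))


# Constructed sample record; none of these values refer to a real person.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "zip": "17120",
    "birth_date": "1970-05-04",
    "diagnosis_code": "E11.9",
    "notes": "Patient called from 717-555-0100 and emailed jane@example.org; "
             "see http://portal.example/visit/9",
}

if __name__ == "__main__":
    cleaned, removed, redacted = deidentify(SAMPLE_RECORD)
    print("removed fields:", removed)
    print("redacted in free text:", redacted)
    print("cleaned record:", cleaned)
    print("de-identified:", is_deidentified(cleaned))
```

The design point is the second pass: dropping the obvious columns is easy, but the notes field is where names, phone numbers and URLs usually survive, so a release check has to look inside free text as well as at field names.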

Client Rights

Request restrictions on use and disclosure of PHI

Obtain a disclosure history

Review and copy their own medical records

Request amendments or corrections to the record

Complain to the Department and to the Secretary of DHHS if privacy rights are violated

Business Associate Agreements

Terms and Template

Other Agreements

Trading Partner

Chain of Trust

User Agreements

Enforcement

ENFORCER: Office of Civil Rights, HHS

Complaint-driven process (but HHS has indicated a willingness to provide “guidance” first).

PENALTIES:

For failure to comply: Civil Money Penalties of $100 per violation, not to exceed $25,000 per year

For knowingly disclosing or obtaining PHI: CRIMINAL PENALTIES

CRIMINAL PENALTIES:

Knowing only: $50,000, one year in prison, or both

False pretenses: $100,000, five years, or both

Use for commercial or personal gain or malicious harm: $250,000, ten years, or both

Practical Steps to Compliance

Shred all PHI to be discarded

Log off terminal when not in use

Do not discuss specific cases in public places

Verify fax locations

Be mindful of sharing only “minimum necessary” information

Practical Steps to Compliance

Be aware of with whom you are sharing PHI

Report breaches to the Privacy Official

Ensure adequate safeguards and paperwork are in place

Check with IT staff to be sure dial-in is secure

Read and follow Privacy and Security Policies and Procedures