TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project

HEALTH AFFAIRS, TRICARE Management Activity

TMA HIPAA Office, October 2002


HIPAA Privacy - Briefing for Line Leadership


Page 2

Objectives

1. Provide a general overview of the HIPAA legislation

2. Describe the HIPAA Privacy Rule and related concepts

3. Provide examples that translate the DoD Health Information Privacy Regulation into everyday policies and procedures

4. Describe TMA HIPAA implementation activities

5. Outline MTF responsibilities

6. Explain the role of Service Representatives and provide contact information

Page 3

HIPAA Legislation

Compliance within two years of effective dates of final rules

Improve portability & continuity of health insurance coverage

Improve access to long-term care services and coverage

Simplify the administration of health care

Page 4

HIPAA Legislation (cont’d)

HIPAA under PL 104-191 requires compliance with several standards, including:

• Standards for Electronic Transactions and Code Sets
• Privacy
• Security Standards
  – Electronic Signature Standards
  – National Standard Employer Identifier
  – National Standard Health Care Provider Identifier
  – National Standard Health Plan Identifier

Page 5

MHS Roles and Responsibilities

• HA – Establish/Maintain Policy and Oversight Responsibilities
• TMA – Integrate Policy into MHS Implementation Plan
  – Primary for TRICARE Contract HIPAA Impacts
  – Primary for Transactions & Code Sets
  – Secondary for Direct Care System HIPAA Impacts
• Services/MTFs – Actual Implementation of HIPAA Requirements within Direct Care System
• Lead Agents
  – Oversee Implementation of HIPAA Rules for Contracted Networks in their Region
  – Maintain a “Foot in Both Camps” to Ensure Regional HIPAA Compliance

Page 6

Components of the Privacy Rule

Final Rule Published: August 2002
Rule Effective: April 14, 2001
Compliance Date: April 14, 2003

• Consumer control = Rights for individual patient
• Boundaries on use and release
• Ensuring security
• Accountability and penalties
• Balancing public responsibility with protections
• Preserving strong state laws

Page 7

Preemption of State Law

The DoD HIPAA Privacy regulation preempts state law except:

• When disclosing PHI about a minor to a parent, guardian, or person acting in loco parentis of such minor. In this case the laws of the state where treatment is provided apply.

• When DoD rules, procedures, or other applicable policy call for DoD components to follow state law with respect to the matter.

Page 8

Acronyms & Definitions

IIHI - Individually Identifiable Health Information

PHI - Protected Health Information

TPO - Treatment, Payment and Healthcare Operations

Treatment - provision, coordination, consultation and referral

Payment - billing, reimbursement, eligibility, utilization review

Healthcare Operations - QA, credentialing, legal, medical review, auditing, and regular business and management

Use - Internal utilization or sharing IIHI

Disclosure - External release of IIHI

Page 9

Who & What is Covered?

Who? Covered entities (CEs)

– Health care providers who transmit health information in (standard) electronic transactions
– Health Plans, e.g., TRICARE
– Health care clearinghouses, e.g., companies that perform electronic billing on behalf of MTFs
– Our business associates, e.g., managed care support contractors, are not CEs. However, we must contractually bind them to the same standards.

What? Protected Health Information (PHI)

– Individually identifiable health information including demographics, in electronic, paper or oral medium
– Held by covered entities or their business associates

Page 10

Patient Rights

• Patients have a right to:
  – A written notice of information practices from health plans and providers
  – Request to access, inspect and obtain a copy of their protected health information
  – Request an accounting of disclosures
  – Request amendment or correction of their records
  – Request restrictions on uses and disclosures (authorizations)
  – Accommodation of reasonable communications requests
  – Complain to the covered entity and to HHS

Page 11

Notice of Privacy Practices

Includes:

1. Uses and disclosure of PHI for TPO
2. Individual’s rights to access, control and request restrictions on use
3. Covered entities’ duties
4. Complaints procedures
5. Contact information
6. Effective date

Page 12

Notice of Privacy Practices

• MHS-wide notice developed

• Release to MTFs in December 2002

• Distribution to beneficiaries
  – Mail to home addresses
  – TRICARE & MTF websites
  – Retiree organizations

• Centralized electronic tracking of acknowledgement

Page 13

Minimum Necessary

• “Role-based” access limits
  – categorize users by their “need to know” profile and align with IT systems
• Limit requests for disclosure from other entities to the minimum needed.
• May rely on judgment of requestor if:
  – public official for permitted disclosure
  – covered entity
  – professional within covered entity
  – business associate for provision of professional service for covered entity
  – researcher with Institutional Review Board documentation

Page 14

Permitted Uses & Disclosures

For the permitted uses and disclosures listed below, a patient’s opportunity to agree or object is not required.

• as required by law
• avert serious threats to health or safety
• specialized government functions
• judicial and administrative proceedings
• law enforcement purposes
• cadaver organ, eye or tissue donation purposes
• victims of abuse, neglect or domestic violence
• inmates in correctional institutions or in custody
• workers’ compensation
• research purposes
• public health activities
• health oversight activities
• about decedents

Page 15

Permitted Use: Required By Law

A covered entity may use or disclose PHI to the extent that such use/disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

Page 16

Permitted Use: Avert Serious Threats

A covered entity may use or disclose PHI if:

• The covered entity in good faith believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, to identify or apprehend an individual who has made a statement admitting participation in a violent crime;

• The disclosure is made to a person(s) reasonably able to prevent or lessen the threat; AND

• The disclosure is consistent with applicable law and standards of ethical conduct.

Page 17

Permitted Use: Avert Serious Threats (cont’d)

Exception: Disclosure may not be made if the covered entity learns the information in the course of treatment, counseling, or therapy to affect the propensity to commit the criminal conduct that is the basis for the disclosure or through a request by the individual to initiate or to be referred for such treatment, counseling, or therapy

Limitation: Disclosure is limited to the following information:

1. name and address
2. date and place of birth
3. social security number
4. ABO blood type and Rh factor
5. type of injury
6. date and time of treatment
7. date and time of death, if applicable
8. description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos

Page 18

Permitted Use: Specialized Government Functions

PHI may be used or disclosed:

• For individuals who are Armed Forces personnel for activities military command authorities have deemed to be necessary to assure the proper execution of the military ;

• A U.S. Department of Defense or Transportation covered entity may disclose to the Department of Veterans Affairs (DVA) the PHI of an Armed Forces member upon the member’s separation or discharge from service for the purpose of determining eligibility for federal veterans’ benefits;

• A DVA covered entity may use and disclose PHI within the DVA to determine eligibility for or provide veterans’ benefits;

• To authorized federal officials for the conduct of lawful intelligence, counterintelligence, or other national security activities authorized by the National Security Act;

Page 19

Permitted Use: Specialized Government Functions (cont’d)

• To authorized federal officials for the provision of protective services to the President and other persons under protection of the Secret Service and related federal entities or for the conduct of investigations into threats;

• To the Department of State to make medical suitability determinations and may disclose whether an individual was found to be medically suitable to Department of State officials who need the information for the purpose of 1) a required security clearance; 2) determine worldwide availability or availability for mandatory service abroad under the Foreign Service Act; OR 3) for a family member to accompany a Foreign Service member abroad;

Page 20

Permitted Use: Specialized Government Functions (cont’d)

• By a health plan that is a government program providing public benefits may disclose PHI relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if a statute or regulation authorizes 1) the sharing of eligibility or enrollment information among agencies, or 2) the maintenance of eligibility or enrollment information in a single or combined data system accessible to all agencies;

• By a covered entity that is a government agency administering a government program providing public benefits may disclose PHI relating to the program to another covered entity that is also a government agency administering a government program providing public benefits, provided 1) the programs serve the same/similar populations, and 2) disclosure of PHI is necessary to coordinate the covered functions or to improve administration and management relating to the programs’ covered functions.

Page 21

Permitted Use: Judicial and Administrative Proceedings

PHI may be disclosed:

• In response to a court order or administrative tribunal, provided that the covered entity discloses only the PHI authorized by the order;

• In response to a subpoena, discovery request, or other lawful process, in the absence of a court order, provided one of the following circumstances applies:

1. satisfactory assurance is received from the party seeking the PHI that reasonable efforts have been made to ensure that the individual who is the subject of the PHI has been given notice of the request; OR

2. satisfactory assurance is received from the party seeking the PHI that reasonable efforts have been made to secure a qualified protective order

3. as an alternative to either of the above, the covered entity may itself give written notice to the individual or seek a qualified protective order that meets the rule’s requirements

Page 22

Permitted Use: Law Enforcement Proceedings

PHI may be disclosed to a law enforcement official:

• When required by law, including to report certain types of wounds or other physical injuries (excludes laws pertaining to the reporting of child abuse or neglect or other victims of abuse, neglect, or domestic violence);

• In compliance with a court order or by a court-ordered warrant, or a subpoena or summons issued by a judicial officer;

• In compliance with a grand jury subpoena;

• In compliance with an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:

Page 23

Permitted Use: Law Enforcement Proceedings (cont’d)

1. the information sought is relevant and material to a legitimate law enforcement inquiry;

2. the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought;

3. De-identified information could not reasonably be used.

• To identify or locate a suspect, fugitive, material witness, or missing person, limited to the types of information listed on page 17;

• If the covered entity believes in good faith that the PHI constitutes evidence of criminal conduct that occurred on the covered entity’s premises;

Page 24

Permitted Use: Law Enforcement Proceedings (cont’d)

• About an individual who is or is suspected to be a victim of a crime if a law enforcement official requests the information and either the individual agrees to the disclosure or, in the event the individual is unable to give consent due to incapacitation or some other emergency circumstance, the law enforcement official represents that 1) the information is needed to determine whether a violation by law has occurred and the information will not be used against the victim; 2) immediate law enforcement activity would be materially and adversely affected by waiting for the individual to agree to the disclosure; AND 3) the covered entity, in the exercise of professional judgment, determines that the disclosure is in the best interest of the individual;

• In response to a medical emergency, other than an emergency on the provider’s own premises, if the disclosure appears necessary to alert law enforcement to the commission and nature of a crime; the location of the crime or of its victims; and the identity, description, and location of the perpetrator.

Page 25

Permitted Use: Victims of Abuse, Neglect, or Violence

PHI may be disclosed about an individual believed to be the victim of abuse, neglect or domestic violence to a government authority authorized by law to receive reports of abuse, neglect, or domestic violence. This section does not apply to reporting of child abuse or neglect, which is covered above.

Conditions of Disclosure:

1. the individual must agree to the disclosure; OR
2. the covered entity, in the exercise of professional judgment, must determine that the disclosure is necessary to prevent serious harm to the individual or other potential victims OR
3. if the individual is unable to agree due to incapacity, the authorized government authority receiving the PHI must represent that the PHI will not be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be adversely and materially affected by waiting for the individual to agree to the disclosure

Page 26

Permitted Use: Victims of Abuse, Neglect, or Violence (Cont’d)

Informing the individual: the covered entity must promptly inform the individual of a disclosure as permitted above, except when:

1. the covered entity believes that informing the individual would place the individual at risk of serious harm, OR

2. the covered entity would be informing a personal representative who is believed to be responsible for the abuse, neglect, or other injury, and informing the personal representative would therefore not be in the best interest of the individual.

Page 27

Permitted Use: Workers’ Compensation

PHI may be disclosed to the extent necessary to comply with workers’ compensation laws or other similar laws that provide benefits for work-related injuries or illness without regard to fault.

Page 28

Permitted Use: Inmates in Correctional Institutions

PHI may be disclosed about an inmate or other person in lawful custody to a correctional institution, if the PHI is necessary for:

1. the provision of health care to the individual;
2. the health and safety of the individual or other inmates;
3. the health and safety of the officers, employees, or others at the correctional institution;
4. the health and safety of the individual and officers or other persons responsible for transporting inmates or for their transfer from one facility or setting to another;
5. law enforcement on the premises of the correctional institution;
6. the administration and maintenance of the safety, security, and good order of the correctional institution

Page 29

Permitted Use: About Decedents

PHI may be disclosed:

• To a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.

Any official of the DoD authorized to perform functions under the authority of the Armed Forces Medical Examiner system under DoD Directive 5154.24 is a medical examiner.

• To funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent.

Page 30

Permitted Use: Public Health Activities

PHI may be disclosed:

• To a public health authority for the purpose of preventing/controlling disease, injury or disability, including but not limited to the reporting of disease, injury, vital events (i.e., birth, death), and the conduct of public health surveillance, investigations, and interventions;

• To a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;

• To a person subject to the jurisdiction of the Food and Drug Administration (FDA), with respect to an FDA-regulated product or activity for which that person has responsibility. The purposes of such disclosure include:

Page 31

Permitted Use: Public Health Activities (cont’d)

1. To collect or report adverse events, product defects or problems, or biological product deviations

2. To track FDA-regulated products

3. To enable product recalls, repairs, replacement, or “lookback”

4. To conduct post-marketing surveillance

• To a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, provided the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation;

Page 32

Permitted Use: Public Health Activities (cont’d)

• To an employer about an individual who is a member of the workforce of the employer, provided:

1. The covered entity is a health care provider who is a member of the employer’s workforce or who provides health care to the individual at the request of the employer to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness or injury

2. The PHI disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance

3. The employer needs the findings in order to comply with its obligations under the regulations of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration, or under state law, AND

4. The covered health care provider provides written notice to the individual that the PHI relating to the medical surveillance of the workplace and work-related illnesses/injuries is disclosed to the employer by giving a copy of the notice to the individual at the time the health care is provided or by posting the notice in a prominent place at the location where the health care is provided.

Page 33

Business Associates

Definition: “A person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of protected health information.”

Cannot be a member of the health care provider, health plan, or other covered entity's workforce.

Can be a health care provider, health plan, or another covered entity

Excludes covered entities who disclose protected health information to providers for treatment purposes

Page 34

BA Contracts—Required Terms

• Use and disclose PHI only as authorized in the contract
  – No further uses and disclosures
  – Such uses and disclosures may not exceed what the covered entity may do under HIPAA
• Implement appropriate privacy and security safeguards
• Report unauthorized disclosures to covered entity
• Meet all patient rights provisions
  – Make available PHI under access, amendment and accounting of disclosures rights
  – Incorporate any amendments to PHI

Page 35

Managing Business Associates

• MHS/MTFs must obtain “satisfactory assurance” that business associates will reasonably safeguard disclosed information and only use the information for the purposes for which the business associate was engaged.
  – Memorandums of Understanding (MOUs)
    • Dept of Veterans Affairs
    • Dept of Transportation/Coast Guard
  – DoD Medical Privacy Regulation
  – Contract addendum/amendment
  – MCSC contract modification

• MHS/MTFs are not required to monitor or oversee the means by which their business associates carry out privacy safeguards. However, if a material violation of the contract is discovered, the violation must be cured or the contract terminated.

Page 36

MTF Requirements

• Designate a Privacy Officer
• Train workforce to protect privacy
• Assess compliance using TMA tool
• Review DoD Health Information Privacy Regulation
  – Map protected health information flow
  – Conduct gap analysis & adjust policies/procedures
  – Introduce Notice of Privacy Practices
  – Institute authorization form
  – Establish patient privacy complaint and inquiry procedure

• Identify and brief responsibilities of communities of interest

Page 37

MTF Privacy Officer

• Oversee activities related to compliance with the HIPAA Privacy Rule
• Establish procedures to track access, use and disclosure of PHI
• Ensure adherence to MHS policies and procedures at MTF level
• Train workforce
• Monitor business associate agreements related to privacy concerns
• Investigate patient complaints regarding privacy infractions

Page 38

Resources

• www.tricare.osd.mil/hipaa
• [email protected]
• MTF Information Papers
• Beneficiary Pamphlet
• MTF Posters
• Authorization form template
• Updated PO training materials (CD content)