Understanding HIPAA Privacy Regulations
A guide to company policies and procedures
Prepared by:
The Privacy Rule is intended to:
Protect and enhance rights of consumers by providing them:
access to their protected health information
control over PHI uses and disclosures
Improve healthcare quality by restoring public trust and willingness to share information
Improve efficiency and effectiveness by creating uniform nationwide privacy framework
Privacy Regulations apply to:
Covered entities, such as:
Health plans / insurance payers
Health care clearing houses
Health care providers, e.g. HMEs, physicians, nursing homes, home health agencies, etc.
Whoever “uses” or “discloses” protected health information (“PHI”)
Business associates: through contracts with covered entities that hold them to the same provisions of the law
Basics of HIPAA
Covers electronic, paper & oral information
Requires contracts with business associates to protect health information
Emphasizes "minimum necessary" access to information
Standards apply to "protected health information": all individually identifiable health information in any form
Protected Health Information (PHI) Defined: Health information, including demographic information, which can reasonably identify the individual and relates to the person’s:
Past, present or future physical health, mental health, or condition;
Provision of health care; or
Past, present or future payment for the provision of health
General Rule: “Protected health information may not be used or disclosed for reasons other than treatment, payment or healthcare operations without specific patient authorization”
Basic Patient Rights - HIPAA
Patients must receive written notice of provider's information practices describing patient rights; company must make good faith effort to obtain acknowledgement of receipt – All patients to receive “Privacy Notice” found in manual
Patients may inspect their own health information and obtain a copy
Patients may request amendment to health information
Patients may receive an accounting of disclosures for purposes other than treatment, payment, and healthcare operations
Patients may request that uses and disclosures of health information be restricted
Patients must be provided means to report a privacy complaint
Basics of Use and Disclosure
Providers must obtain a written patient Authorization before releasing PHI for purposes other than Treatment, Payment, and Health Care Operations.
Consent forms are optional when info used only for treatment, payment and health care operations
Providers CAN release PHI without authorization:
for treatment, payment or healthcare operations (including to business associates)
when required by law
for public health activities
for victims of abuse, neglect, or domestic violence
for health oversight – e.g. a Medicare audit
for judicial proceedings
for specific law enforcement activities
Providers CANNOT release PHI without authorization when info used for:
marketing
medical research
fund-raising
Authorizations generally address a specific need and circumstance or span of time
Rules Governing Business Associates
Providers must identify all Business Associates that have access to or use/disclose protected health information of patients:
Accrediting bodies
Consultants
Billing clearinghouse and outsource companies
Outcomes tracking outsourcing
Business Associate contracts must be established to ensure that Business Associates' practices support HIPAA's requirements
Sanctions must be applied by the company for non-compliance by Business Associates
Exceptions to the rule:
Providers may release patient's location, condition, or death when needed to family, friends, others involved in the care of the patient
Providers may make disclosures to family and others involved when in the patient's best interest – but you still have to follow state law when it comes to rights of minors
Providers may make disclosures to “personal representatives” of the patient – i.e. those with Power of Attorney; the estate of a deceased patient
De-identified information is not subject to the privacy rules
Defined as removal of identifiers such as:
Name
Date
Geographic designations
Phone/Fax numbers
Email, etc.
Penalties for non-compliance
Criminal penalties – intentional violation:
Up to $50,000 and up to one (1) year imprisonment for knowing misuse
Up to $100,000 and/or imprisonment up to five (5) years if offense under false pretenses
Fine of not more than $250,000 and/or imprisonment of up to ten (10) years if offense is with intent
HPP1 – Uses and Disclosures General
“Use” of information is defined as that which is used WITHIN the organization
“Disclosure” of information is that which is released OUTSIDE the organization
Both are permitted without specific consent from the patient when info is used for treatment, payment or healthcare business operations – consent forms are optional in these circumstances
TREATMENT – includes information shared between the referral source and the HME provider to accomplish patient care objectives
PAYMENT – includes information shared with insurance payers, billing clearinghouses, and outsource billing firms to obtain payment (billing firms are also business associates)
OPERATIONS – includes information shared with accrediting bodies, consultants, outcomes tracking firms, etc. (these are commonly also business associates)
HPP2 – Uses and Disclosures Restrictions
Patients have a right to restrict the use and disclosure of their PHI, even that used for treatment, payment, and healthcare operations – the “PRIVACY NOTICE” informs them of this
Company has the right to refuse to continue care for patient if restrictions interfere with treatment, payment, or healthcare operations, but must honor request until patient transferred to another provider
Request can be verbal or in writing; both must be honored until the company is notified otherwise by the patient (indefinitely)
Better to have a policy to document patient request – use “Restriction Agreement” Form
Keep a log of patients requesting restriction to PHI
Keep log on file for 6 years
HPP3 – Business Associates
A non-covered entity, defined as an organization or person other than a member of the company’s workforce who receives PHI from the company in order to provide services to or on behalf of the company:
Healthcare billing clearinghouses
Billing services
Accreditation organizations
Consulting firms
Software vendors with access to company software systems
Company must complete a contract with each business associate that holds them to the same privacy standards the company is held to as a “covered entity”
Specifies what kind of information will be disclosed and to whom
Identifies the responsibilities of the business associate to protect healthcare information
Specifies what measures will be taken to ensure privacy of info upon termination of contract
HPP4 – Deceased Patients
Company must continue to protect info of deceased patients for as long as records are maintained
State Law usually says records should be maintained for 7 years (or, 7 years past the age of majority for minors)
PHI can be released to anyone with power of attorney (personal representative, to the patient’s estate)
HPP5 – Personal Representatives
Have the same rights as patients as defined in the “PRIVACY NOTICE”
Defined as: anyone with legal POA (healthcare or general); the estate of deceased patients; guardians of un-emancipated minors
Document the relationship of the personal representative to the patient in the medical / billing record
Recognize that some states allow minors to override the healthcare decisions of their guardians – HIPAA laws do not take precedence over state laws that are more stringent
Company is not obligated to disclose information to a personal representative if they reasonably believe that revealing such information may subject the patient to violence, abuse, or neglect
HPP6 - Confidential Communications
Patients are provided with their PHI upon request – treatment notes, billing information/details, etc.
They do not need to provide a reason for receiving the information
Verbal, faxed, or mailed responses to patient are permitted, based on patient request
Hard copy communications are best for documenting the company’s response
HPP7 - Consent
Use of consent form is optional if the information will only be used for treatment, payment and/or healthcare operations (whether information is used by the company, another “covered entity”, or a business associate)
Most companies already have a “Release of Information” statement in their paperwork – this is adequate even for optional purposes
A form is provided in the manual to be used if company policy requires separate consent
HPP8 – Other Permitted Disclosures
To public healthcare authorities – infectious disease reporting; Medwatch; FDA requirements, etc.
When required by law enforcement, or to comply with state laws, or to prevent abuse and neglect of patient
To CMS or by CMS demand when investigating allegations of fraud and abuse
HPP9 – De-identified Information
Company is not required to comply with HIPAA regulations in regard to “de-identified” PHI
De-identified PHI has had all identifying information removed – name, phone, birth dates, addresses, HICN, SSN, etc
Can code the patient info with a number that will allow it to be “re-identified” later, within the company, so long as you don’t disclose coding methodology - common in outcomes tracking
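As an added illustration of HPP9 (not code from the deck or its manual), the following Python keeps a random re-identification code and its mapping inside the company, strips the listed identifiers from outgoing outcomes data, and checks that nothing identifying is left. Field names and the sample record are assumptions.

```python
import secrets
from typing import Dict, Optional, Set

# Identifier fields the deck lists for de-identified PHI (name, phone, birth
# dates, addresses, HICN, SSN, etc.). The exact field names are an assumption.
IDENTIFIER_FIELDS: Set[str] = {
    "name", "phone", "fax", "email", "birth_date", "address", "hicn", "ssn",
}


class OutcomesDeidentifier:
    """De-identifies patient records for outcomes tracking and keeps the
    re-identification mapping inside the company, as HPP9 allows."""

    def __init__(self) -> None:
        self._patient_to_code: Dict[str, str] = {}
        self._code_to_patient: Dict[str, str] = {}

    def _code_for(self, patient_id: str) -> str:
        # Random code: not derived from any of the patient's data, so the
        # internal mapping table is the only way back to the patient.
        code = self._patient_to_code.get(patient_id)
        if code is None:
            code = secrets.token_hex(6)
            self._patient_to_code[patient_id] = code
            self._code_to_patient[code] = patient_id
        return code

    def deidentify(self, record: Dict[str, object]) -> Dict[str, object]:
        """Return a copy with every identifier (and patient_id) removed and
        an opaque tracking code added; the same patient gets the same code."""
        code = self._code_for(str(record["patient_id"]))
        clean = {k: v for k, v in record.items()
                 if k not in IDENTIFIER_FIELDS and k != "patient_id"}
        clean["tracking_code"] = code
        return clean

    def reidentify(self, code: str) -> Optional[str]:
        """Internal use only: map a tracking code back to the patient_id."""
        return self._code_to_patient.get(code)


def leaked_identifiers(record: Dict[str, object]) -> Set[str]:
    """Gate for data leaving the company: any identifier field still present
    means the record is not de-identified."""
    return set(record) & (IDENTIFIER_FIELDS | {"patient_id"})


# Constructed sample record (not real patient data).
SAMPLE = {
    "patient_id": "P-0001", "name": "Jane Doe", "ssn": "000-00-0000",
    "birth_date": "1950-01-01", "phone": "555-0100",
    "equipment": "CPAP", "outcome_score": 7,
}
```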
HPP10 – Minimum Necessary Information
Company uses and discloses the minimum necessary information needed to accomplish treatment, payment, and healthcare operations
Need for information should be defined, by job description – company decides and puts in policy
Minimum necessary information for business associates should be defined within individual contracts
Full access: clinical staff; customer service and billing; operations and management personnel
Limited access: Delivery and warehouse personnel
No access: Maintenance and cleaning personnel
This is suggested policy – company decides!
HPP11 – Notification of Privacy Policy
Provided to all patients or their representative upon initiation of care – see sample in manual
Contains list of patient rights to privacy and explanation of typical uses and disclosures of PHI
Must also provide a copy of notice upon request to any person requesting a copy
Always document that the patient / personal representative received the notice – carbonless copy w/ signature
If amended, all current patients must receive a copy of the new, amended Privacy Notice
If amended, company must keep old versions (master copy) of Privacy Notice on file for 6 years past date of retirement of previous version of notice
HPP12 – Right to Restrict
Patient has right to restrict use of information, even for treatment, payment, and healthcare operations
Company has the right to refuse to treat the patient under those circumstances, but must abide by the patient’s request as long as the patient continues on service
Get it in writing – use Restriction form in manual
HPP13- Responding to requests
Ask patient / personal representative to make request for extensive release of PHI in writing so you have documentation
Ask patient / personal representative where they want the information sent – it can be mailed to someplace other than their primary address if they so choose; it can be provided via the telephone or by fax
You can charge the patient for copying and mailing the information
HPP13 & 14 - Responding to requests
Patient does not need to provide reason why they want the information
Respond to requests in a timely fashion – 30 to 60 days is reasonable
See policy HPP14 for examples of when info can be legally withheld
If info is legally withheld, must provide patient with written explanation as to why
HPP15 – Right to amend
Patients have a right to amend the info in their medical record after reviewing it, if they choose
The request should be in writing, and state why the patient is requesting the change
Company may deny the request if:
the info requested to be changed was not created by the company
the employee who made the entry that is to be changed is no longer an employee
the info is currently accurate and complete as is
If the company denies the amendment, put both sides (patient and company) in writing and include them in the patient’s medical record
Release this amended information as well, as applicable, when disclosure to another person is provided at patient request
Complete process in timely fashion – 60 to 90 days
HPP16 – Accounting of Disclosures
Company needs to keep track of disclosures of patient information so they can be provided to patient / personal representative upon request
Exceptions to tracking:
Disclosures made directly to the patient
Disclosures made for purposes of treatment, payment, or healthcare operations
Provided to employees of the company
Provided for reasons of national security
Provided before HIPAA regulations went into effect
Must keep track of disclosures for 6 years past the disclosure
Tracking must include:
Date info released
To whom info was released
What info was released
The purpose for which it was released
Document patient requests for accounting of disclosures and respond to them in 60 days or less
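An added example (not the deck's own material) of how the HPP16 rules could be encoded: the tracker applies the listed exceptions, stores the four required fields, keeps entries for 6 years past the disclosure, and computes the 60-day response deadline. Purpose and recipient labels are assumptions; the Privacy Rule compliance date used is 14 April 2003.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Disclosures HPP16 exempts from tracking. Labels are assumptions.
EXEMPT_PURPOSES = {"treatment", "payment", "healthcare_operations", "national_security"}
EXEMPT_RECIPIENTS = {"patient", "employee"}
HIPAA_EFFECTIVE = date(2003, 4, 14)     # Privacy Rule compliance date
RETENTION = timedelta(days=6 * 365)     # keep 6 years past the disclosure
RESPONSE_DEADLINE = timedelta(days=60)  # answer accounting requests in 60 days


@dataclass(frozen=True)
class Disclosure:
    # The four fields HPP16 says every tracked disclosure must record.
    released_on: date
    recipient: str
    info_released: str
    purpose: str
    recipient_type: str = "external"  # "patient", "employee" or "external"


def must_track(d: Disclosure) -> bool:
    """Apply the HPP16 exceptions; anything else goes in the accounting."""
    if d.released_on < HIPAA_EFFECTIVE:
        return False
    if d.recipient_type in EXEMPT_RECIPIENTS:
        return False
    return d.purpose not in EXEMPT_PURPOSES


class DisclosureLog:
    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, d: Disclosure) -> bool:
        """Log the disclosure if it is trackable; return whether it was logged."""
        if must_track(d):
            self._entries.append(d)
            return True
        return False

    def accounting(self, today: date) -> List[Disclosure]:
        """Entries still within the 6-year retention window, oldest first."""
        cutoff = today - RETENTION
        return sorted((e for e in self._entries if e.released_on >= cutoff),
                      key=lambda e: e.released_on)

    @staticmethod
    def response_due(requested_on: date) -> date:
        """Latest date by which the patient's accounting request is answered."""
        return requested_on + RESPONSE_DEADLINE
```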
HPP17 – Privacy Officer
Company must designate one individual as responsible for protecting privacy
Job duties include:
Ensuring confidentiality of all PHI
Development and implementation of company HIPAA policies
Limiting incidental disclosures
Documentation and tracking of disclosures, and responding to patient complaints
Name, location, and phone number of the Privacy Officer should be posted in areas where patients have access
HPP18 – Employee Training
All current employees to receive training – level to be based on their access to confidential information
Employee orientation should include privacy training
Training must be documented in the employee’s personnel file
HPP19 – Securing Medical Records
Secured at the end of the business day, either in locked cabinets or a locked room
Only individuals with permission, consistent with their job duties, may access medical records
Electronic records controlled by logins and passwords to computer system
Documents containing identifiable PHI must be shredded prior to disposal
HPP20 – Patient Complaints
Patients have a right to file formal complaint when they feel their privacy has been violated
Complaints should be directed to the Privacy Officer
Privacy Officer is to:
Document the complaint in a log
Investigate the complaint
Document the resolution to the complaint
Inform the patient of findings / resolution
HPP21 – Employee Violations
Employees who violate patient privacy will be subject to company procedures for violations of policy
Company response will depend on the intention of the employee, and the severity of the violation
Company response may range from verbal warning, up to and including termination
All company responses to violations of privacy will be documented in the employee’s file
HPP23 – Protection of data
Computers must be set up to ensure integrity of information (firewalls, passwords, etc.)
Integrity of systems is routinely assessed
Back-ups are created daily (company may change policy on frequency of back-up)
Back-ups are stored off-site in a protected manner
HPP24 – Access to data
All individuals who need access to computer data are given an access code
A list of access codes and who has one is to be maintained by the company / Privacy Officer
Employees are trained re: privacy regulations before receiving access to data
Employees may not share their access code without prior approval of management
HPP25 – Mitigation of damage
If a breach in security is reported the Privacy Officer must take steps to minimize damage
Privacy Officer must investigate breach, determine cause, and suggest possible resolution
All actions on the part of the Privacy Officer should be documented
HPP26 – Access logging
The computer system should be capable of logging access to PHI – check with billing software vendors
The log should be generated routinely to check for unauthorized attempts to access PHI
Unauthorized attempts to access PHI will be followed up by the company’s Privacy Officer
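The routine log check described in HPP26, combined with the access tiers suggested in HPP10, as an added example that is not from the deck or any billing vendor: it parses an assumed log line format, decides per role whether the access was permitted, and lists the entries the Privacy Officer should follow up. Role names, the resource a limited-access role may see, and the sample lines are all constructed assumptions.

```python
import re
from typing import Dict, List

# Role tiers from HPP10's suggested policy. Role names are assumptions.
FULL_ACCESS = {"clinical", "customer_service", "billing", "operations", "management"}
LIMITED_ACCESS = {"delivery", "warehouse"}
# Assumption: limited-access roles may see only the delivery schedule.
LIMITED_RESOURCES = {"delivery_schedule"}

# Assumed log line format; a real billing system's log will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"resource=(?P<resource>\S+) patient=(?P<patient>\S+) result=(?P<result>\S+)$"
)


def is_authorized(role: str, resource: str) -> bool:
    """Decide whether a role may touch a PHI resource under the HPP10 tiers."""
    if role in FULL_ACCESS:
        return True
    if role in LIMITED_ACCESS:
        return resource in LIMITED_RESOURCES
    return False  # maintenance, cleaning and any unknown role get no access


def review_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return entries for the Privacy Officer to follow up: any access, whether
    it succeeded or was denied, by a role not permitted for that resource, plus
    lines the parser cannot read (a tampered or misconfigured log is itself a
    finding)."""
    flagged: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            flagged.append({"line": line, "reason": "unparseable"})
            continue
        entry = m.groupdict()
        if not is_authorized(entry["role"], entry["resource"]):
            entry["reason"] = "role_not_permitted"
            flagged.append(entry)
    return flagged


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2024-05-01T08:01:00 user=rn_smith role=clinical resource=treatment_notes patient=P-0001 result=ok",
    "2024-05-01T08:05:00 user=drv_lee role=delivery resource=delivery_schedule patient=P-0001 result=ok",
    "2024-05-01T08:07:00 user=drv_lee role=delivery resource=billing_record patient=P-0001 result=ok",
    "2024-05-01T22:15:00 user=cln_jones role=cleaning resource=treatment_notes patient=P-0002 result=denied",
    "garbage line",
]

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```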
HPP27 – Contingency Plan
The company has a contingency plan that details how the company will back-up, secure, and re-establish its electronic databases in emergency situations
HPP28 – Consent to Film - Record
The company has a policy that dictates what type of patient / client releases are required in order to film or record the patient for use in company training, or promotional activities that will be seen or heard by persons outside the company
HPP29 – Sale of PHI
With very few exceptions, the sale of PHI is prohibited
HPP30 – Notice of Obligation
The company is obligated to notify patients if their PHI has been breached.
This obligation stands, regardless of whether the breach was made by the company or one of its business associates.
This notification will be handled by the company owners, and/or the HIPAA privacy officer of the company.