HIPAA for Area 2

Description: HIPAA for Area 2

Page 1: To HIPAA and Beyond – The Law of Confidentiality and Security

Public Health Area II
December, 2010

By John R. Wible, General Counsel, Alabama Department of Public Health

ADPH, 2010

Page 2: Documentation

• Substantiates proof of services
• Provides continuity of care
• Documentation must be objective: facts, not opinions

Page 3: The “Golden Rule of Documentation”

• The “Golden Rule of Documentation:” If it ain’t wrote down it didn’t happen!
• “Wible’s corollary”: The way it is wrote down is the way it happened, regardless of the way it happened!

Page 4: Confidentiality – Access to Records Generally

• All patient information is strictly confidential
◦ See Employee Handbook 10-02
• Some bad scenarios
• Bad scenarios equal bad liability

Page 5: Conditions for Release of Information

• Conditions for release of information:
◦ Prior written consent of patient, parent/guardian
◦ Subpoena in accordance with Departmental/institutional policy
◦ Otherwise provided by law

Page 6: TB/STD/DC Records – Special Confidentiality

• STD/TB/disease control information is not public.
• Not revealed even by subpoena
• Not admissible into evidence except for commitment hearings
• ADPH requests for notifiable disease records are to be forwarded to Legal
◦ Call 334.206.5209.
• See ADPH Policy 04-02 for specifics

Page 7: Disease Control Guidelines

• Information considered not confidential:
◦ Final completed report written in blank, not identifying any persons
◦ The names of businesses, establishments, restaurants involved in an investigation
◦ Aggregate statistical information
◦ Any other public records
◦ Regular environmental and daycare inspection reports

Page 8: Confidential Information (EPI)

• Epidemiologic interview sheets
• Required reports
• Work papers, notes and analyses
• Actual numbers of cases or IDs
• Correspondence on a case
• Complaint-generated environmental and other inspection reports
• Incomplete drafts of reports
• Other documents received privately

Page 9: Released With Authorization

• A notifiable disease record generated by the Department or in the possession of the Department (such as electronic laboratory reports or facsimile lab reports) that concerns the symptoms, condition or other information specific to an individual
• One patient’s authorization, however, does not release other persons’ names or information

Page 10: Written Authorization Not Required

• Transfer of information from one county health department to another or to the state office
• Transfer of information to physicians, nurse practitioners or other health professionals with contract or other provider arrangements to provide care
• Some practitioners require consents to transfer out of an abundance of caution

Page 11: What Makes a Valid Authorization?

• Description of the info to be released
• Name or description of info receiver
• Name of patient
• Description of the use of the info
• Expiration date or continuous
• Right of revocation by pt.
• Notice of possible re-disclosures
• Signature of pt. or representative
• See CHR Form 6A and instructions

Page 12: Note Concerning Certain Information

• CHR 6A states: pt. is made aware that s/he is releasing STD/HIV/AIDS or drug and alcohol treatment or mental health records
• This is NOT required if other providers’ releases meet the earlier criteria

Page 13: Release of Contact Information – Don’t Do It!

• The medical record or information regarding STD/TB/disease control cannot be released without the written consent of the patient
• Even with consent, it should not include contact information.
• Don’t write identifying information about how the patient contracted the disease

Page 14: Confidentiality – Access to Medical Records of Minors

• If a minor is qualified to consent and signs the “consent for treatment”, only the minor can sign to release the information regarding those services
• If the parent/guardian signs the consent for treatment, the parent/guardian or the minor may consent to the release

Page 15: Access to Medical Records of Minors – Rights of the Parents

• All information pertaining to a child must be equally available to both parents
• However, if the child gave consent for services, neither parent may have access to the records without that child’s consent.
◦ Code of Ala. § 30-3-154

Page 16: HIPAA – In Brief

• HIPAA stands for The Health Insurance Portability and Accountability Act (1996)
• Addresses privacy and security of health data
• Includes verbal, written, or electronic data
• Privacy Rule (2003) includes both paper & e-PHI
• Security Rule (2003) includes only e-PHI
• HHS makes the rules
• Amended (2009) by “the Stimulus Package” – ARRA (HITECH)

Page 17: PHI – What is it?

• Patient name
• Patient address
• Patient phone number
• Patient date of birth
• Patient social security number, Medicaid number, etc.
• Diagnosis
• Treatment information
• Financial information

Page 18: The Privacy Rule: What and Who Is Covered?

• “Protected Health Information” (PHI): Individually-identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally
◦ 45 C.F.R. § 160.103
• ADPH is a “covered entity”

Page 19: Releases without Written Consent

• Treatment
• Payment
• Operations
• Where required by law

Page 20: Business Associates

• Business associates follow the same level of protection in the privacy rule and include:
◦ Claims or data processors;
◦ Billing companies and financial service providers
◦ Quality assurance providers and utilization reviewers
◦ Lawyers, accountants & other professionals
• 45 C.F.R. § 160.103

Page 21: Business Associates and ARRA

• Must also adhere to the Security Rule like CEs and are subject to the same penalties
• Establish administrative, physical, and technical safeguards for Protected Health Information (PHI)
• Establish policies and procedures for safeguards
• Only use or disclose PHI in accordance with HIPAA
• “Rat Fink Provision”

Page 22: HIPAA Privacy Rule: Who is Not Covered?

• Life insurance companies
• Auto insurance companies
• Workers’ compensation carriers
• Employers
• Others who acquire, use, and disclose vast quantities of health data
• ARRA may place some requirements
◦ E.g., PHI cannot be bought and sold

Page 23: HIPAA Privacy Rule: What Is Not Covered?

• PHI does not include
◦ Education records covered by FERPA
◦ Employment records held by a covered entity in its role as employer
◦ Non-identifiable health information
◦ 45 C.F.R. § 160.103

Page 24: HIPAA – What it Doesn’t Do

• Does not override state laws that provide more patient privacy than HIPAA
• Does not require that all risk of incidental disclosures of patient information be eliminated
◦ Examples: cubicles, shield-type dividers, sign-in sheets

Page 25: HIPAA and ADPH Privacy

• See ADPH HIPAA Privacy Policy 06-008
◦ “Minimum Necessary” concept
◦ Patient verification
◦ Fax confidentiality
◦ The “HIPAA Log”
◦ Breach sanctions
◦ Needs updating
• See also CHR Manual and Employee Handbook

Page 26: How Uses/Disclosures Are Regulated

• Minimum necessary rule: When using or disclosing PHI, a covered entity must make reasonable efforts to limit such information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

Page 27: Permitted Disclosures

• “Minimum” info may be disclosed:
◦ To “public officials”
◦ To public health
◦ To law enforcement
◦ To national security and intelligence agencies
◦ To judicial authorities
◦ To researchers
◦ To DHR for abuse reporting

Page 28: Disclosure to Police

• Pursuant to subpoenas or by verbal request
• As “otherwise required by law”
• For ID and location purposes
• Do not give disease information
• Individual is a victim of a crime
• To alert about a suspicious death
• When criminal conduct occurs on premises
• In emergency setting, to alert regarding information pertaining to crime

Page 29: Disclosure to National Security Agencies

• CEs may disclose PHI to authorized federal officials for the conduct of intelligence, counter-intelligence, and other national security activities

Page 30: Disclosure To Public Health

• Disclosure permitted to: “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including… reporting of disease… and the conduct of public health surveillance….”

Page 31: Child or Elder Abuse Notice

• Examples of specific public health-based exceptions include disclosures
◦ About victims of abuse, neglect, or domestic violence
◦ To prevent serious threats to persons or the public

Page 32: Information on Decedents

• May be released to:
◦ Law enforcement
◦ Transporting emergency medical personnel
◦ Coroners and their personnel
◦ Mortuary personnel
◦ Bureau of Health Statistics

Page 33: Maintenance of Documentation

• Maintain documentation of policies and procedures for 6 years
• Make documentation available to workforce who administer the policy
• Review documentation periodically
• Ensure the confidentiality, integrity, and availability of ePHI

Page 34: HIPAA – The Security Rule

• Primary objective: protect the confidentiality, integrity, and availability of ePHI when it is stored, maintained, or transmitted.
• Applies to identifiable electronic protected health information (ePHI) related to:
◦ Past, present or future medical or mental condition
◦ The individual’s health care
◦ Payment records

Page 35: What about e-PHI?

• Same as PHI, but created, received, or maintained electronically
• Does not include telephone calls, copy machines, fax machines, most voice mail
• Does not include de-identified information

Page 36: Security of the Premises

• HIPAA requires security of the premises, i.e., door locks. See ADPH Security Policy No. 05-16.
• HIPAA also requires security of the electronic records (computer security)
• HIPAA requires security of the paper
• HIPAA requires security of your mouth

Page 37: Building Security

• Post the Department’s Notice of Privacy Practices where clients can see it
• Maintain visitor sign-in logs and have visitors sign in and out (this includes repair persons)
• Use ADPH and Visitor ID badges
• Keep back doors locked or monitored during business hours
• Keep server rooms locked
• Keep PHI storage areas locked when unattended

Page 38: Paper Security

• Clean Desk
◦ Keep patient records covered or in folders
◦ Lock records up at end of day or when away from desk
• Fax/Copy Machines
◦ Put fax & copiers in secure area away from traffic
◦ Remove faxes/copies promptly
• File Cabinets
◦ Keep locked when unattended
◦ Locate in secure area
◦ Limit access
• Shred it!

Page 39: Use of Department Computers

• Use ADPH furnished equipment/software
• CSC/Tech Support will purchase and install all network-connected devices
• Use strong password protection & disclaimer
◦ Don’t give out your password
• CSC/Tech Support will install updates
• Connect laptops to the network once a month for audit
• Back up critical data
◦ See Policy 2005-016 and Security Manual

Page 40: Use of Computers

• Change password every 60 days
• Use only for lawful activity
• Report suspected viruses and attacks
• Supervisors notify CSC on a new employee starting work or leaving service
• Appropriately salvage computers
• Limit access to Department workspace
• Be careful with portable storage devices

Page 41: Email and Internet Security

• Email
◦ Do not open email from an unknown source, especially unknown attachments
◦ Verify email recipients; make sure email is going to the intended recipient
◦ Always encrypt email and attachments containing protected information
◦ Read security reminders
• Avoid risky internet sites

Page 42: Laptop Security

• Keep laptop out of view when traveling
• Do not leave in a hot vehicle for a long time
• Do not check with luggage when flying
• Password protect
• Set screen saver to require password
• Log on to the network once a month to update virus protection software
• Encrypt protected information

Page 43: Patient Accounting

• Patients may ask for a listing of disclosures of their PHI up to six (6) years prior, in paper or electronic form
• The following disclosures are NOT required to be accounted for:
◦ Treatment, Payment, Healthcare Operations (TPO)
◦ Disclosures to the patient or persons involved with their care
◦ Disclosures authorized by the patient or authorized representative

Page 44: Patient Accounting (continued)

• Other disclosures which are not required to be accounted for:
◦ National security or intelligence purposes
◦ Correctional institutions or law enforcement
◦ Incidental disclosures
◦ Limited Data Sets used for research purposes

Page 45: HIPAA Log

• A single file which relates to pt. files
• Kept with medical records
• Documents “non-routine” disclosures:
◦ date of the disclosure;
◦ the name/address of receiver
◦ brief description of the PHI disclosed
◦ brief statement of the purpose of the disclosure

Page 46: Required Logged Items

• Unauthorized releases on the AIR Form
• Releases required by law
• Releases based upon subpoena
• Releases to law enforcement for ID
• Requests to limit releases
• Requests to amend or correct PHI
• Requests by the patient for accounting
• Reports about victims of abuse, neglect, or domestic violence

Page 47: Disclosures Not Logged

• TPO disclosures
• Disclosures made to the patient or rep.
• Pursuant to a valid authorization
• National security or intelligence purposes;
• To a correctional institution or law enforcement official that has custody of a patient;
• To a health oversight official
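The accounting rules on pages 43 through 47 (a log line must carry the date, the receiver's name/address, a brief description of the PHI and the purpose; TPO, to-patient, authorized, national-security, custodial law-enforcement, health-oversight, incidental and limited-data-set disclosures are exempt; the patient may look back six years) are easy to implement badly if the exemption list is applied as a blacklist. The example below is an added illustration, not ADPH's or the presentation's own code: it models a HIPAA Log as records, decides which entries belong in a patient's accounting, and fails closed on any purpose that is neither on the exempt list nor on the required-log list, so an unclassified disclosure can never silently drop out of the accounting. The purpose labels, the `Disclosure` record, the helper names and the sample log entries are all this example's own constructions.

```python
"""Accounting-of-disclosures register (illustrative example, not ADPH code).

Encodes the page's rules: the log fields that must be captured, the
disclosure categories that are exempt from the patient accounting, the
categories the slides list as required log items, and a six-year window.
All category labels below are this example's own names, not ADPH terms.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List

# Disclosure purposes the slides say need NOT be accounted for (pages 43, 44, 47).
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "operations",   # TPO
    "to_patient",                           # to the patient, rep. or carers
    "patient_authorization",                # pursuant to a valid authorization
    "national_security",
    "correctional_custody",                 # institution/officer with custody
    "health_oversight",
    "incidental",
    "limited_data_set_research",
})

# Non-routine purposes the slides list as required log items (page 46).
LOGGED_PURPOSES = frozenset({
    "unauthorized_release",
    "required_by_law",
    "subpoena",
    "law_enforcement_id",
    "abuse_neglect_report",
})


@dataclass(frozen=True)
class Disclosure:
    """One HIPAA Log line: the four required fields plus a patient id and a purpose label used for filtering."""
    patient_id: str
    disclosed_on: date      # date of the disclosure
    receiver: str           # name/address of receiver
    phi_description: str    # brief description of the PHI disclosed
    purpose: str            # category label (see the two sets above)
    purpose_statement: str  # brief statement of the purpose of the disclosure


def purpose_is_known(purpose: str) -> bool:
    """True only if the purpose label is on one of the two lists."""
    return purpose in EXEMPT_PURPOSES or purpose in LOGGED_PURPOSES


def must_be_accounted_for(d: Disclosure) -> bool:
    """Fail closed: an unclassified purpose is an error, never a silent exemption."""
    if not purpose_is_known(d.purpose):
        raise ValueError(f"unclassified disclosure purpose: {d.purpose!r}")
    return d.purpose in LOGGED_PURPOSES


def six_years_before(as_of: date) -> date:
    """Start of the 'up to six (6) years prior' look-back window (Feb 29 rolls to Feb 28)."""
    try:
        return as_of.replace(year=as_of.year - 6)
    except ValueError:
        return as_of.replace(year=as_of.year - 6, day=28)


def accounting_for(patient_id: str, log: Iterable[Disclosure], as_of: date) -> List[Disclosure]:
    """Disclosures the patient is entitled to see, oldest first."""
    cutoff = six_years_before(as_of)
    return sorted(
        (d for d in log
         if d.patient_id == patient_id
         and cutoff <= d.disclosed_on <= as_of
         and must_be_accounted_for(d)),
        key=lambda d: d.disclosed_on,
    )


def format_accounting(entries: Iterable[Disclosure]) -> List[str]:
    """One line per disclosure carrying the four fields the HIPAA Log requires."""
    return [f"{d.disclosed_on.isoformat()} | {d.receiver} | {d.phi_description} | {d.purpose_statement}"
            for d in entries]


# Constructed sample log (fictional patients, receivers and dates).
SAMPLE_LOG = [
    Disclosure("P-001", date(2010, 3, 2), "Dr. A. Smith, Community Clinic", "immunization record", "treatment", "continuity of care"),
    Disclosure("P-001", date(2009, 11, 15), "Circuit Court Clerk, Example County", "clinic visit dates", "subpoena", "subpoena handled per Policy 04-02"),
    Disclosure("P-001", date(2003, 6, 1), "City Police Dept.", "name and address", "law_enforcement_id", "identification and location"),
    Disclosure("P-002", date(2010, 8, 9), "DHR, county office", "injury description", "abuse_neglect_report", "suspected abuse report"),
    Disclosure("P-001", date(2010, 9, 20), "Patient (self)", "copy of chart", "to_patient", "patient request"),
]

if __name__ == "__main__":
    for line in format_accounting(accounting_for("P-001", SAMPLE_LOG, date(2010, 12, 1))):
        print(line)
```

Run as of 1 December 2010, patient P-001's accounting contains only the 2009 subpoena release: the treatment transfer and the copy given to the patient are exempt, and the 2003 law-enforcement ID release falls outside the six-year window. The deliberate design choice is that classification is a whitelist on both sides; anything else raises, which surfaces gaps in the purpose taxonomy at logging time rather than at the moment a patient asks for their accounting.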

Page 48: HIPAA Breaches

• When there is a breach of PHI or e-PHI you have a duty to report on an ARIA
• Call if it is serious!
• ADPH has a duty:
◦ To report to or notify clients
◦ To report to HHS and the media if >500
◦ To mitigate the damage
◦ To examine employees, policies, equipment and facilities to prevent it happening again

(Photo: “Teton Dam Breach”)

Page 49: Breaches – Penalties

• Breach may subject employees and the Covered Entity:
◦ To criminal penalties (up to $250,000)
◦ You are NOT covered by the Fund
◦ To HHS civil penalties or lawsuits
◦ To adverse employment action, i.e.,

Page 50: Program Management

• The HIPAA program and certain other similar programs are under the management of the Risk Management Committee
• Committee proposes HIPAA policy changes
• Committee receives and processes all ARIA reports including possible HIPAA breaches
• The Committee oversees Red Flags instances

Page 51: Red Flag Regulations

• Federal Trade Commission regulations designed to protect against identity theft
• As a “creditor”, ADPH has “covered transactions” with clients/patients
• ADPH has a duty to be on the lookout for certain red flags

Page 52: Categories of “Red Flags”

• Alerts, notifications, or warnings from a consumer reporting agency;
• Suspicious documents;
• Suspicious personally identifying information, such as a suspicious address;
• Unusual use of – or suspicious activity relating to – a covered account; and
• Notices from customers, victims, law enforcement authorities, or businesses about possible identity theft

Page 53: See Also Policy Documents

• 98-07 Fax Policy
• 03-10 Notice of Privacy Practices (NOPP)
◦ Under Revision
• 03-30 Vital Records Policies
• 04-02 Receipt of Legal Documents
• 05-16 HIPAA Security Policy/Manual
• 06-08 HIPAA Privacy Policy
• 10-04 Contract Employee Handbook
• Online ARIA Form

Page 54: For A Copy of the Presentation

• See “HIPAA For Area 2”, a download on Slideshare
• http://www.slideshare.net/jwible

ADPH, 2011