Upload
john-wible
View
571
Download
0
Tags:
Embed Size (px)
DESCRIPTION
HIPAA En Espanole
Citation preview
A HIPAA y Más AlláA HIPAA y Más Allá La Ley de AislamientoLa Ley de Aislamiento y Confidencialid y Confidencialidaadd
Curso de Aprendizaje de Curso de Aprendizaje de Interpretadores de Salud Interpretadores de Salud
Samford University Deciembre 1, 2010
Por John R. Wible, Principal Abogado Alabama Department of Public Health
1ADPH, 2010
DocumentaciónDocumentaciónSubstantiates proof of servicesProvides continuity of careDocumentation must be objective
facts, not opinions
2ADPH, 2010
The “La Regla de Oro de The “La Regla de Oro de la Documentación”la Documentación”
The “Golden Rule of Documentation:” If it ain’t wrote down it didn’t happen!
“Wible’s corollary” The way it is wrote down is the way it
happened regardless of the way it happened!
3ADPH, 2010
Confidencialidad-Confidencialidad- Acceso a Archivos en Acceso a Archivos en GeneralGeneral
All patient information is strictly confidential◦ Contract Employee Handbook 10-04
Some Bad ScenariosBad scenarios equal bad liability
4ADPH, 2010
Condiciónes para Condiciónes para Entrega de Entrega de InformaciónInformaciónConditions for release of
information:◦Prior written consent of
Patient, parent/guardian
Subpoena in accordance with Departmental/ institutional policy
Otherwise provided by law
5ADPH, 2010
TB/STD/DC Archivos TB/STD/DC Archivos Son Confidenciales Son Confidenciales
STD/TB/disease control information not public.
Not revealed even by subpoenaNot admissible into evidence
except for commitment hearings ADPH requests for notifiable
disease records to be forwarded to Legal ◦ Call 334.206.5209.
See ADPH Policy 04-02 for specifics
6ADPH, 2010
Disease Control Disease Control GuidelinesGuidelinesInformation considered not
confidential:Final completed report written in
blank, not identifying any personsThe name of businesses,
establishments, restaurants involved in an investigation
Aggregate statistical informationAny other public recordsRegular environmental and
daycare inspection reports 7ADPH, 2010
ConfidentialConfidential Information Information (EPI)(EPI)
Epidemiologic interview sheetsRequired reportsWork papers, notes and analysesActual numbers of cases or IDsCorrespondence on a caseComplaint generated environmental
and other inspection reportsincomplete drafts of reportsOther document received privately
8ADPH, 2010
Released With Released With AuthorizationAuthorization
A notifiable disease record generated by the Department or in the possession of the Department (such as electronic laboratory reports or facsimile lab reports) that concerns the symptoms, condition or other information specific to an individual
One patient’s authorization, however does not release other person’s names or information
9ADPH, 2010
Written Authorization Written Authorization Not Required: Not Required:
10
Transfer information from one county health department to another or to the state office
Transfer information to physicians, nurse practitioners or other health professionals with contract or other provider arrangements to provide care
Some practitioners require consents to transfer out of abundance of caution
ADPH, 2010
¿ Que Hace Una ¿ Que Hace Una Autorización Valida?Autorización Valida?
Description of the info to be released
Name or description of info receiverName of patientDescription if the use of the infoExpiration date or continuousRight of revocation by pt.Notice of possible re-disclosuresSignature of pt or representative See CHR Form 6A and instructions
11ADPH, 2010
Nota Relativa a Cierta Nota Relativa a Cierta informacióninformaciónCHR 6A states: pt. is made aware that s/he is releasing STD/HIV/AIDS or drug and alcohol treatment or mental health records
This is NOT required if other providers’ releases meet the earlier criteria
Recent Example
ADPH, 2010 12
Release of Contact Release of Contact Information - No lo Information - No lo HagasHagas
The medical record or information regarding STD/TB/disease control cannot be released without the written consent of the patient
Even with consent, it should not include contact information.
Don’t write identifying information about how the patient contracted the disease
13ADPH, 2010
Confidencialidad - Acceso a Confidencialidad - Acceso a Archivos MArchivos Méédicos de Los dicos de Los NiñosNiños
If a minor is qualified to consent and signs the “consent for treatment”, only the minor can sign to release the information regarding those services
If the parent/guardian signs the consent for treatment, the parent/guardian or the minor may consent for the release
14ADPH, 2010
Acceso a Archivos MAcceso a Archivos Méédicos de dicos de Los Niños - Los Derechios de los Los Niños - Los Derechios de los PadresPadres
All information pertaining to a child must be equally available to both parents
However, if the child gave consent for services, neither parent may have access to the records without that child’s consent. ◦Code of Ala, § 30-3-154
15ADPH, 2010
HIPAA BackgroundHIPAA BackgroundPassed August 21, 1996Designed to simplify healthcare
deliveryProvided for portability of pre-
existing health conditionsStandardized confidentiality and
securityFirst such federal act of its kindHHS makes the rulesAmended by “the Stimulus Package
– ARRA (HITEC)16ADPH, 2010
HIPPA Regla de HIPPA Regla de Privacidad –Privacidad – ¿Cómo Regulada?¿Cómo Regulada?
Límites
◦Setting limits on uses and disclosures
Fair information practices
◦Allowing individuals some level of access to their health data
Accountability
◦Making covered entities accountable for handling and abuses
17ADPH, 2010
How How Uses/Disclosures Uses/Disclosures Are Are RegulatedRegulatedUses or disclosures of PHI require
either
◦Written authorization or
◦Individual opportunities to object
Covered Entities (CEs) may use or disclose PHI without individual’s informed consent for exceptions specified in rule
18ADPH, 2010
HIPPA Regla de HIPPA Regla de PrivacidadPrivacidad¿ Que es Cubierto? ¿ Que es Cubierto? “Protected Health Information”
(PHI):Individually-identifiable health
information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally
45 C.F.R. §160.103
19ADPH, 2010
Usos Sin Usos Sin Consentimiento por Consentimiento por EscritoEscrito
TreatmentPaymentOperationsWhere required by law
20ADPH, 2010
¿ Qien es Cubierto? ¿ Qien es Cubierto? Covered Entities (CEs)Covered Entities (CEs)
Health care providers that billHybrid entities (like ADPH)Health care plansHealth care clearinghouses
◦ 45 C.F.R. §160.103
21ADPH, 2010
Business AssociatesBusiness AssociatesBusiness associates follow the same
level of protection in the privacy rule and include:◦Claims or data processors; ◦Billing companies and financial service providers
◦Quality assurance providers and utilization reviewers
◦Lawyers, accountants & other professionals
45 C.F.R. §160.10322ADPH, 2010
Business Associates and Business Associates and AARAAARA
Must also adhere to the Security Rule like CEs and are subject to same penalties
Establish administrative, physical, and technical safeguards for Protected Health Information (PHI)
Establish policies and procedures for safeguards
Only use or disclose PHI in accordance with HIPAA
“Rat Fink Provision”
23ADPH, 2010
HIPPA Privacy HIPPA Privacy Rule:Rule:
Who is Not Who is Not Covered?Covered?Life insurance companies
Auto insurance companiesWorkers’ compensation carriersEmployersOthers who acquire, use, and disclose vast quantities of health data
AARA may place some requirements -◦E.g., PHI cannot be bought and sold
24ADPH, 2010
HIPPA Privacy Rule: HIPPA Privacy Rule: What Is Not Covered?What Is Not Covered?
PHI does not include
◦Education records covered by FERPA
◦Employment records held by a covered entity in its role as employer
◦Non-identifiable health information
◦45 C.F.R. 160.103
25ADPH, 2010
HIPAA - What it HIPAA - What it Doesn’t DoDoesn’t Do
Does not override state laws that provide more patient privacy than HIPAA
Does not require that all risk of incidental disclosures of patient information be eliminated
Examples: Cubicles Shield-type dividers Sign-in sheets
26ADPH, 2010
HIPAA y ADPH HIPAA y ADPH PrivacidadPrivacidad
27
See ADPH HIPAA Privacy Policy 06-008◦“Minimum Necessary” Concept
◦Patient Verification◦Fax Confidentiality◦The “HIPAA Log”◦Breach Sanctions◦Needs updating
ADPH, 2010
•See also CHR Manual y Contract Employee Handbook
How How Uses/DisclosuresUses/Disclosures
Are RegulatedAre RegulatedMinimum necessary rule When using or disclosing PHI, a
covered entity must make reasonable efforts to limit such information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
28ADPH, 2010
Divulgaciónes Divulgaciónes PermitidasPermitidas“Minimum” info may be disclosed
To “public officials” To public healthTo law enforcement To national security and intelligence agencies
To judicial authoritiesTo researchersTo DHR for abuse reporting
29ADPH, 2010
Divulgaciónes a La Divulgaciónes a La PoliciaPoliciaPursuant to subpoenas or by verbal
request As “otherwise required by lawFor ID and location purposesDo not give disease information Individual is a victim of a crimeTo alert about a suspicious death When criminal conduct occurs on
premises In emergency setting, to alert
regarding information pertaining to crime
30ADPH, 2010
Divulgaciónes para Divulgaciónes para Seguridad NaticionalSeguridad Naticional
CEs may disclose PHI to authorized federal officials for the conduct of intelligence, counter-intelligence, and other national security activities
31ADPH, 2010
Disclosure Disclosure To To Public Public HealthHealth
Disclosure permitted to: “public health authority that is
authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including… reporting of disease… and the conduct of public health surveillance….”
32ADPH, 2010
Child or Elder Abuse Child or Elder Abuse NoticeNotice
Examples of specific public health-based exceptions include disclosures
◦About victims of abuse, neglect, or domestic violence
◦To prevent serious threats to persons or the public
33ADPH, 2010
Información de Los Información de Los MuertosMuertos
May be released to:Law enforcementTransporting emergency medical
personnelCoroners and their personnelMortuary personnelBureau of Health Statistics
34ADPH, 2010
HIPAA Regla de HIPAA Regla de SeguridadSeguridad
Primary objective: protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.
Applies to identifiable electronic protected health information (EPHI) related to:◦Past, present or future medical or mental condition
◦The individual’s health care◦Payment records
35ADPH, 2010
Modelo de Modelo de DocumentaciónDocumentaciónMaintain documentation of
policies and procedures for 6 years
Make documentation available to workforce who administer the policy
Review and documentation periodically
Ensure the confidentiality, integrity, and availability of EPHI
36ADPH, 2010
ADPH Política de ADPH Política de SeguridadSeguridadHIPAA requires security of the
premises, i.e., door locks. See ADPH Security Policy No. 05-16.
HIPAA also requires security of the electronic records (computer security)
HIPAA requires security of the paper
HIPAA requires security of your mouth
37ADPH, 2010
Use of Department Use of Department ComputersComputersUse ADPH furnished
equipment/softwareCSC/Tech Support will purchase and
install all network-connected devicesUse password protection & disclaimerCSC/Tech Support will install software
updatesConnect laptops to the network once a
monthBack up critical data
◦See ADPH Policy 2005-016 and Security Manual
38ADPH, 2010
Use of ComputersUse of ComputersChange password every 60 daysUse only for lawful activityReport suspected viruses and
attacksSupervisors notify CSC on new
employee starting work or leaving employ service
Appropriate salvage of computersLimit Department workspaceWear badges
39ADPH, 2010
Patient AccountingPatient AccountingPatients may ask for listing of
disclosures of their PHI up to six (6) years prior in paper or elect. form
The following disclosures are NOT required to be accounted for: ◦Treatment, Payment, Healthcare Operations (TPO)
◦Disclosures to the patient or persons involved with their care
◦Disclosures authorized by the patient or authorized representative
40ADPH, 2010
Patient AccountingPatient AccountingOther disclosures which are not required to be accounted for:National security or intelligence purposesCorrectional institutions or law enforcementIncidental disclosures Limited Data Sets used for research purposes
41ADPH, 2010
HIPAA LogHIPAA Log
42
A single file which relates to pt. files
Kept with medical recordsDocuments “non-routine”
disclosures:◦date of the disclosure;◦the name/address of receiver◦brief description of the PHI disclosed
◦brief statement of the purpose of the disclosure
ADPH, 2010
Required Logged Required Logged ItemsItemsUnauthorized releases on the AIR
FormReleases required by lawReleases based upon subpoenaReleases to law enforcement for ID Requests to limit releasesRequests to amend or correct PHIRequests by the patient for
accountingReports about victims of abuse,
neglect, or domestic violence
43ADPH, 2010
Disclosures - Disclosures - Not Not Required to LogRequired to LogTPO disclosuresDisclosures made to the patient
or rep.Pursuant to a valid authorizationNational security or intelligence
purposes;To a correctional institution or law
enforcement official that has custody of a patient;
To a health oversight official
44ADPH, 2010
HIPAA BreachesHIPAA Breaches
When there is a breach of protected info, the CE has a duty:
To report to or notify clientsTo report to HHS and the media if
>500To mitigate the damageTo examine employees, policies,
equipment and facilities to prevent it happening again
45
“Teton Dam Breach”
ADPH, 2010
BREACHES - BREACHES - PENALTIESPENALTIESBreach may subject employees and
the Covered Entity:To criminal penalties (up to
$250,000)You are NOT covered by the FundTo HHS civil penalties or lawsuitsTo adverse employment action,
IE.,
46ADPH, 2010
Program ManagementProgram ManagementThe HIPAA program and
certain other similar programs are under the management of the Risk Management Committee
Committee proposes HIPAA policy changes
Committee receives and processes all ARIA reports including possible HIPAA breaches
The Committee oversees Red Flags instances
47ADPH, 2010
Red Flag Regulations Red Flag Regulations Federal Trade Commission
Regulations designed to protect against identity theft
As a “creditor”, ADPH has “covered transactions” with clients/patients
ADHP has a duty to be on the lookout for certain red flags
48ADPH, 2010
Categories of “Red Categories of “Red Flags”Flags”Alerts, notifications, or warnings from
a consumer reporting agency; Suspicious documents; Suspicious personally identifying
information, such as a suspicious address;
Unusual use of – or suspicious activity relating to – a covered account; and
Notices from customers, victims, law enforcement authorities, or businesses about possible identity theft
49ADPH, 2010
See Also Policy See Also Policy DocumentsDocuments
98-07 Fax Policy03-10 Notice of Privacy Practices
(NOPP)◦ Sub reviso
03-30 Vital Records Policies04-02 Receipt of Legal Documents05-16 HIPAA Security Policy/Manual06-08 HIPAA Privacy Policy – Sub reviso10-04 Contract Employee HandbookOnline ARIA Form
50ADPH, 2010
¿ ¿ ¿ ¿ ¿ Preguntas????¿ ¿ ¿ ¿ ¿ Preguntas??????
51ADPH, 2010