A HIPAA y Más AlláA HIPAA y Más Allá La Ley de AislamientoLa Ley de Aislamiento y Confidencialid y Confidencialidaadd

Curso de Aprendizaje de Curso de Aprendizaje de Interpretadores de Salud Interpretadores de Salud

Samford University Deciembre 1, 2010

Por John R. Wible, Principal Abogado Alabama Department of Public Health

1ADPH, 2010

DocumentaciónDocumentaciónSubstantiates proof of servicesProvides continuity of careDocumentation must be objective

facts, not opinions

2ADPH, 2010

The “La Regla de Oro de The “La Regla de Oro de la Documentación”la Documentación”

The “Golden Rule of Documentation:” If it ain’t wrote down it didn’t happen!

“Wible’s corollary” The way it is wrote down is the way it

happened regardless of the way it happened!

3ADPH, 2010

Confidencialidad-Confidencialidad- Acceso a Archivos en Acceso a Archivos en GeneralGeneral

All patient information is strictly confidential◦ Contract Employee Handbook 10-04

Some Bad ScenariosBad scenarios equal bad liability

4ADPH, 2010

Condiciónes para Condiciónes para Entrega de Entrega de InformaciónInformaciónConditions for release of

information:◦Prior written consent of

Patient, parent/guardian

Subpoena in accordance with Departmental/ institutional policy

Otherwise provided by law

5ADPH, 2010

TB/STD/DC Archivos TB/STD/DC Archivos Son Confidenciales Son Confidenciales

STD/TB/disease control information not public.

Not revealed even by subpoenaNot admissible into evidence

except for commitment hearings ADPH requests for notifiable

disease records to be forwarded to Legal ◦ Call 334.206.5209.

See ADPH Policy 04-02 for specifics

6ADPH, 2010

Disease Control Disease Control GuidelinesGuidelinesInformation considered not

confidential:Final completed report written in

blank, not identifying any personsThe name of businesses,

establishments, restaurants involved in an investigation

Aggregate statistical informationAny other public recordsRegular environmental and

daycare inspection reports 7ADPH, 2010

ConfidentialConfidential Information Information (EPI)(EPI)

Epidemiologic interview sheetsRequired reportsWork papers, notes and analysesActual numbers of cases or IDsCorrespondence on a caseComplaint generated environmental

and other inspection reportsincomplete drafts of reportsOther document received privately

8ADPH, 2010

Released With Released With AuthorizationAuthorization

A notifiable disease record generated by the Department or in the possession of the Department (such as electronic laboratory reports or facsimile lab reports) that concerns the symptoms, condition or other information specific to an individual

One patient’s authorization, however does not release other person’s names or information

9ADPH, 2010

Written Authorization Written Authorization Not Required: Not Required:

10

Transfer information from one county health department to another or to the state office

Transfer information to physicians, nurse practitioners or other health professionals with contract or other provider arrangements to provide care

Some practitioners require consents to transfer out of abundance of caution

ADPH, 2010

¿ Que Hace Una ¿ Que Hace Una Autorización Valida?Autorización Valida?

Description of the info to be released

Name or description of info receiverName of patientDescription if the use of the infoExpiration date or continuousRight of revocation by pt.Notice of possible re-disclosuresSignature of pt or representative See CHR Form 6A and instructions

11ADPH, 2010

Nota Relativa a Cierta Nota Relativa a Cierta informacióninformaciónCHR 6A states: pt. is made aware that s/he is releasing STD/HIV/AIDS or drug and alcohol treatment or mental health records

This is NOT required if other providers’ releases meet the earlier criteria

Recent Example

ADPH, 2010 12

Release of Contact Release of Contact Information - No lo Information - No lo HagasHagas

The medical record or information regarding STD/TB/disease control cannot be released without the written consent of the patient

Even with consent, it should not include contact information.

Don’t write identifying information about how the patient contracted the disease

13ADPH, 2010

Confidencialidad - Acceso a Confidencialidad - Acceso a Archivos MArchivos Méédicos de Los dicos de Los NiñosNiños

If a minor is qualified to consent and signs the “consent for treatment”, only the minor can sign to release the information regarding those services

If the parent/guardian signs the consent for treatment, the parent/guardian or the minor may consent for the release

14ADPH, 2010

Acceso a Archivos MAcceso a Archivos Méédicos de dicos de Los Niños - Los Derechios de los Los Niños - Los Derechios de los PadresPadres

All information pertaining to a child must be equally available to both parents

However, if the child gave consent for services, neither parent may have access to the records without that child’s consent. ◦Code of Ala, § 30-3-154

15ADPH, 2010

HIPAA BackgroundHIPAA BackgroundPassed August 21, 1996Designed to simplify healthcare

deliveryProvided for portability of pre-

existing health conditionsStandardized confidentiality and

securityFirst such federal act of its kindHHS makes the rulesAmended by “the Stimulus Package

– ARRA (HITEC)16ADPH, 2010

HIPPA Regla de HIPPA Regla de Privacidad –Privacidad – ¿Cómo Regulada?¿Cómo Regulada?

Límites

◦Setting limits on uses and disclosures

Fair information practices

◦Allowing individuals some level of access to their health data

Accountability

◦Making covered entities accountable for handling and abuses

17ADPH, 2010

How How Uses/Disclosures Uses/Disclosures Are Are RegulatedRegulatedUses or disclosures of PHI require

either

◦Written authorization or

◦Individual opportunities to object

Covered Entities (CEs) may use or disclose PHI without individual’s informed consent for exceptions specified in rule

18ADPH, 2010

HIPPA Regla de HIPPA Regla de PrivacidadPrivacidad¿ Que es Cubierto? ¿ Que es Cubierto? “Protected Health Information”

(PHI):Individually-identifiable health

information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally

45 C.F.R. §160.103

19ADPH, 2010

Usos Sin Usos Sin Consentimiento por Consentimiento por EscritoEscrito

TreatmentPaymentOperationsWhere required by law

20ADPH, 2010

¿ Qien es Cubierto? ¿ Qien es Cubierto? Covered Entities (CEs)Covered Entities (CEs)

Health care providers that billHybrid entities (like ADPH)Health care plansHealth care clearinghouses

◦ 45 C.F.R. §160.103

21ADPH, 2010

Business AssociatesBusiness AssociatesBusiness associates follow the same

level of protection in the privacy rule and include:◦Claims or data processors; ◦Billing companies and financial service providers

◦Quality assurance providers and utilization reviewers

◦Lawyers, accountants & other professionals

45 C.F.R. §160.10322ADPH, 2010

Business Associates and Business Associates and AARAAARA

Must also adhere to the Security Rule like CEs and are subject to same penalties

Establish administrative, physical, and technical safeguards for Protected Health Information (PHI)

Establish policies and procedures for safeguards

Only use or disclose PHI in accordance with HIPAA

“Rat Fink Provision”

23ADPH, 2010

HIPPA Privacy HIPPA Privacy Rule:Rule:

Who is Not Who is Not Covered?Covered?Life insurance companies

Auto insurance companiesWorkers’ compensation carriersEmployersOthers who acquire, use, and disclose vast quantities of health data

AARA may place some requirements -◦E.g., PHI cannot be bought and sold

24ADPH, 2010

HIPPA Privacy Rule: HIPPA Privacy Rule: What Is Not Covered?What Is Not Covered?

PHI does not include

◦Education records covered by FERPA

◦Employment records held by a covered entity in its role as employer

◦Non-identifiable health information

◦45 C.F.R. 160.103

25ADPH, 2010

HIPAA - What it HIPAA - What it Doesn’t DoDoesn’t Do

Does not override state laws that provide more patient privacy than HIPAA

Does not require that all risk of incidental disclosures of patient information be eliminated

Examples: Cubicles Shield-type dividers Sign-in sheets

26ADPH, 2010

HIPAA y ADPH HIPAA y ADPH PrivacidadPrivacidad

27

See ADPH HIPAA Privacy Policy 06-008◦“Minimum Necessary” Concept

◦Patient Verification◦Fax Confidentiality◦The “HIPAA Log”◦Breach Sanctions◦Needs updating

ADPH, 2010

•See also CHR Manual y Contract Employee Handbook

How How Uses/DisclosuresUses/Disclosures

Are RegulatedAre RegulatedMinimum necessary rule When using or disclosing PHI, a

covered entity must make reasonable efforts to limit such information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

28ADPH, 2010

Divulgaciónes Divulgaciónes PermitidasPermitidas“Minimum” info may be disclosed

To “public officials” To public healthTo law enforcement To national security and intelligence agencies

To judicial authoritiesTo researchersTo DHR for abuse reporting

29ADPH, 2010

Divulgaciónes a La Divulgaciónes a La PoliciaPoliciaPursuant to subpoenas or by verbal

request As “otherwise required by lawFor ID and location purposesDo not give disease information Individual is a victim of a crimeTo alert about a suspicious death When criminal conduct occurs on

premises In emergency setting, to alert

regarding information pertaining to crime

30ADPH, 2010

Divulgaciónes para Divulgaciónes para Seguridad NaticionalSeguridad Naticional

CEs may disclose PHI to authorized federal officials for the conduct of intelligence, counter-intelligence, and other national security activities

31ADPH, 2010

Disclosure Disclosure To To Public Public HealthHealth

Disclosure permitted to: “public health authority that is

authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including… reporting of disease… and the conduct of public health surveillance….”

32ADPH, 2010

Child or Elder Abuse Child or Elder Abuse NoticeNotice

Examples of specific public health-based exceptions include disclosures

◦About victims of abuse, neglect, or domestic violence

◦To prevent serious threats to persons or the public

33ADPH, 2010

Información de Los Información de Los MuertosMuertos

May be released to:Law enforcementTransporting emergency medical

personnelCoroners and their personnelMortuary personnelBureau of Health Statistics

34ADPH, 2010

HIPAA Regla de HIPAA Regla de SeguridadSeguridad

Primary objective: protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.

Applies to identifiable electronic protected health information (EPHI) related to:◦Past, present or future medical or mental condition

◦The individual’s health care◦Payment records

35ADPH, 2010

Modelo de Modelo de DocumentaciónDocumentaciónMaintain documentation of

policies and procedures for 6 years

Make documentation available to workforce who administer the policy

Review and documentation periodically

Ensure the confidentiality, integrity, and availability of EPHI

36ADPH, 2010

ADPH Política de ADPH Política de SeguridadSeguridadHIPAA requires security of the

premises, i.e., door locks. See ADPH Security Policy No. 05-16.

HIPAA also requires security of the electronic records (computer security)

HIPAA requires security of the paper

HIPAA requires security of your mouth

37ADPH, 2010

Use of Department Use of Department ComputersComputersUse ADPH furnished

equipment/softwareCSC/Tech Support will purchase and

install all network-connected devicesUse password protection & disclaimerCSC/Tech Support will install software

updatesConnect laptops to the network once a

monthBack up critical data

◦See ADPH Policy 2005-016 and Security Manual

38ADPH, 2010

Use of ComputersUse of ComputersChange password every 60 daysUse only for lawful activityReport suspected viruses and

attacksSupervisors notify CSC on new

employee starting work or leaving employ service

Appropriate salvage of computersLimit Department workspaceWear badges

39ADPH, 2010

Patient AccountingPatient AccountingPatients may ask for listing of

disclosures of their PHI up to six (6) years prior in paper or elect. form

The following disclosures are NOT required to be accounted for: ◦Treatment, Payment, Healthcare Operations (TPO)

◦Disclosures to the patient or persons involved with their care

◦Disclosures authorized by the patient or authorized representative

40ADPH, 2010

Patient AccountingPatient AccountingOther disclosures which are not required to be accounted for:National security or intelligence purposesCorrectional institutions or law enforcementIncidental disclosures Limited Data Sets used for research purposes

41ADPH, 2010

HIPAA LogHIPAA Log

42

A single file which relates to pt. files

Kept with medical recordsDocuments “non-routine”

disclosures:◦date of the disclosure;◦the name/address of receiver◦brief description of the PHI disclosed

◦brief statement of the purpose of the disclosure

ADPH, 2010

Required Logged Required Logged ItemsItemsUnauthorized releases on the AIR

FormReleases required by lawReleases based upon subpoenaReleases to law enforcement for ID Requests to limit releasesRequests to amend or correct PHIRequests by the patient for

accountingReports about victims of abuse,

neglect, or domestic violence

43ADPH, 2010

Disclosures - Disclosures - Not Not Required to LogRequired to LogTPO disclosuresDisclosures made to the patient

or rep.Pursuant to a valid authorizationNational security or intelligence

purposes;To a correctional institution or law

enforcement official that has custody of a patient;

To a health oversight official

44ADPH, 2010

HIPAA BreachesHIPAA Breaches

When there is a breach of protected info, the CE has a duty:

To report to or notify clientsTo report to HHS and the media if

>500To mitigate the damageTo examine employees, policies,

equipment and facilities to prevent it happening again

45

“Teton Dam Breach”

ADPH, 2010

BREACHES - BREACHES - PENALTIESPENALTIESBreach may subject employees and

the Covered Entity:To criminal penalties (up to

$250,000)You are NOT covered by the FundTo HHS civil penalties or lawsuitsTo adverse employment action,

IE.,

46ADPH, 2010

Program ManagementProgram ManagementThe HIPAA program and

certain other similar programs are under the management of the Risk Management Committee

Committee proposes HIPAA policy changes

Committee receives and processes all ARIA reports including possible HIPAA breaches

The Committee oversees Red Flags instances

47ADPH, 2010

Red Flag Regulations Red Flag Regulations Federal Trade Commission

Regulations designed to protect against identity theft

As a “creditor”, ADPH has “covered transactions” with clients/patients

ADHP has a duty to be on the lookout for certain red flags

48ADPH, 2010

Categories of “Red Categories of “Red Flags”Flags”Alerts, notifications, or warnings from

a consumer reporting agency; Suspicious documents; Suspicious personally identifying

information, such as a suspicious address;

Unusual use of – or suspicious activity relating to – a covered account; and

Notices from customers, victims, law enforcement authorities, or businesses about possible identity theft

49ADPH, 2010

See Also Policy See Also Policy DocumentsDocuments

98-07 Fax Policy03-10 Notice of Privacy Practices

(NOPP)◦ Sub reviso

03-30 Vital Records Policies04-02 Receipt of Legal Documents05-16 HIPAA Security Policy/Manual06-08 HIPAA Privacy Policy – Sub reviso10-04 Contract Employee HandbookOnline ARIA Form

50ADPH, 2010

¿ ¿ ¿ ¿ ¿ Preguntas????¿ ¿ ¿ ¿ ¿ Preguntas??????

51ADPH, 2010