Page 1:

The HIPAA Privacy & Security

Brian Martin

Privacy Program Manager

Navy Medicine Support Command

(904) 542-7200 ext. 8139

Brian.K.Martin@med.navy.mil

Page 2:

Learning Objectives

• Know Future CONOPS for Office of Privacy Program Management

• Know the purpose for Privacy Act and HIPAA

• Know key provisions or features of each law

• Know training requirements

• Understand disclosures and accounting of disclosures

• Understand TMA and DoN incident reporting requirements

• Know basic MTF requirements for HIPAA Privacy and Security compliance

Page 3:

References

• Public Law 104-191

• Privacy Act of 1974 as Amended

• DoD 6025.18-R Health Information Privacy Regulation

• DoD 8580.02-R Health Information Security Regulation

• DoD 5400.11-R Privacy Regulation

• SECNAVINST 5211.5E DON Privacy Regulation

• DoDI 8500.2 Information Assurance Implementation

• TRICARE Management Activity – training materials

Page 4:

Command Organization (chart)

Echelon 1: Chief of Naval Operations (CNO)

Echelon 2: Bureau of Medicine and Surgery (BUMED)

Echelon 3: Navy Medicine West (NMW); Navy Medicine East (NME); Navy Medicine National Capital Area (NMNCA); Navy Medicine Support Command (NMSC)

Echelon 4 (under NMSC): NMLC, NMCPHC, NMRC, NAVMED MPT&E, NMIMC

Page 5:

Navy Medicine Support Command Office of Privacy Program Management

Concept of Operations:

• Create an Office of Privacy Program Management at NMSC and appoint a full-time Director to standardize and integrate HIPAA Privacy and Security execution throughout the enterprise.

• Execute all BUMED policies and procedures pertaining to the DoD Health Information Privacy and Security regulations.

• Ensure risk analyses are conducted that include an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI created, received, stored, or transmitted by the organization, as directed by and in coordination with NAVMISA.

• Provide technical support to Regional Commands and coordinate activities to improve compliance with privacy and security requirements.

Page 6:

HIPAA, Titles I - V (chart)

Title I: Health insurance portability and renewal; Certificate of Creditable Coverage

Title II: Administrative Simplification

– Privacy: Apr 03

– TCS (Transactions and Code Sets): Oct 03

– Security: Apr 05

– Identifiers: May 05

Title III: Tax provision for medical savings accounts

Title IV: Group health plan provision enforcement

Title V: Revenue offset provisions

Page 7:

HIPAA Privacy Rule Key Provisions

• Applies to the protection of health information in oral, written, or electronic form

• Provisions:

– More consumer control = Individual patient rights

– Specifies “what” health information must be protected

– Boundaries on use and release

– Accountability and penalties

– Preserving strong state laws

– Balancing public responsibility with protections

Page 8:

Who is Covered under HIPAA Privacy Rule?

• Directly applies to:

Health Plans (e.g. TRICARE)

Healthcare Clearinghouses (e.g. process claims or perform electronic billing)

Healthcare providers who transmit information in electronic form for specified financial & administrative transactions.

• These groups/organizations referred to as “Covered Entities” (CE)

Page 9:

What is Covered under HIPAA Privacy?

• Health information in oral, paper, or electronic media that relates to:

– past, present, or future physical or mental health condition of an individual

– provision of health care to individual or

– payment for health care

• Individually identifiable - includes demographics

• Held by CE or their business associates

Page 10:

Features of Privacy Act and HIPAA

Privacy Act:

• Requires Federal agencies to comply

• Restricts disclosure

• Allows individual access to records about themselves

• Applies to contractors hired to operate a system of records

• Provides judicial remedies for Privacy Act violations

HIPAA Privacy Rule:

• Requires “covered entities” to comply, not just Federal agencies

• Restricts use and disclosure, with key exceptions

• Expands patient rights: Notice of Privacy Practices, access, inspect, copy, amend, accounting of disclosures, request restrictions, file complaints, alternate communications requests

• Applies to all members of the workforce

Page 11:

Pillars of Privacy: Key Areas

• Privacy Act:

– Consent

– Disclosures

– “Need to Know”

• HIPAA Privacy Rule:

– Notice of Privacy Practices

– Use and Disclosure

– Authorization

– Minimum Necessary

– Military Exemption

Page 12:

HIPAA Notice of Privacy Practices

Includes:

1. Use and disclosure of PHI for TPO

2. Individual’s rights to access, control, and request restrictions on use

3. Covered entity’s duties

4. Complaint procedures

5. Contact information

6. Effective date

Page 13:

Notice of Privacy Practices

• Obtain written acknowledgment of receipt of the Notice of Privacy Practices.

• “Good faith effort”

• Exception: emergency situations. Providers may delay providing the Notice until reasonably practicable, and are exempt from the good faith effort to obtain acknowledgment.

Page 14:

Use & Disclosure: Privacy Act vs. HIPAA

Privacy Act:

• No record is disclosed without the consent of the individual to whom the record pertains

• Exceptions, e.g.: need to know, released under FOIA, routine use, criminal law enforcement activity

• Consent is not required for disclosures to DoD or DON personnel having a “need to know” in the performance of official duties

HIPAA Privacy Rule:

• A CE can use and disclose PHI for its own TPO and that of other CEs without the individual’s authorization; no “consent” is required

• For non-TPO uses, authorization is needed, but there are exceptions

• Must provide an accounting of disclosures covering up to 6 years; non-TPO disclosures only

Page 15:

Exceptions under Privacy Act & HIPAA

Privacy Act:

• Need to know

• Released under FOIA

• Routine use

• Criminal/law enforcement activity

• Health or safety

• Committee of Congress

• Bureau of Census

• Statistical research

• National Archives

HIPAA Privacy Rule:

• Required by law

• Avert serious threat to health or safety

• Specialized govt. functions

• Judicial/administrative proceedings

• Cadaver, organ, eye or tissue donation purposes

• Law enforcement purposes

Page 16:

Exceptions under Privacy Act & HIPAA (continued)

Privacy Act:

• Comptroller General for GAO

• Order of a court of competent jurisdiction

• Consumer reporting agency

HIPAA Privacy Rule:

• Victims of abuse, neglect or domestic violence

• Inmates in correctional institutions/custody

• Workers’ compensation

• Research involving minimal risk

• Public health activities

• Health oversight activities

• About decedents

Page 17:

HIPAA Privacy Authorization

• Covered entities must obtain an individual’s authorization (signed, written permission) before using or disclosing PHI for purposes other than treatment, payment or healthcare operations

• Cannot condition provision of treatment, payment, enrollment or eligibility upon an authorization

• Individuals have the right to use an authorization to request a restriction on the use of their PHI

Page 18:

HIPAA Privacy Authorization Examples

• Authorization required:

– For research

– To send marketing materials

• Authorization NOT required:

– To fill prescriptions

– For referrals to specialists

– To communicate treatment options

Page 19:

HIPAA Privacy: Minimum Necessary

• All uses and disclosures are subject to this standard

• A balancing act: protecting privacy against the “reasonable ability” to limit the information disclosed while still delivering quality care

• Exceptions:

– Disclosure to or request by provider for treatment

– Disclosure to the individual

– Under authorization - unless requested by CE

– Required by HIPAA standard transaction

– Required by law

– Required for law enforcement

Page 20:

HIPAA Privacy Military Exemptions

• Covered entities may disclose PHI of service members to Military Command Authorities if:

– For determination of member’s fitness for duty

– Necessary to assure proper execution of the military mission

Page 21:

Training Requirements: Privacy Act and HIPAA Privacy Rule

Privacy Act:

• Orientation

• Specialized training for specialized areas of job performance

• Management training

• Provided shortly after assuming duties, matched to the level of involvement

HIPAA Privacy Rule:

• All members of the workforce must receive basic HIPAA privacy training

• Focused specialty training

• New employees

• When there is a material change in policy; annual training

Page 22:

Civil Remedies/Criminal Penalties under Privacy Act and HIPAA

Privacy Act:

• Civil: denial of amendment request; denial of access; failure to meet record keeping standards (against a naval activity)

• Criminal: wrongful disclosure, maintaining unauthorized records, wrongfully requesting or obtaining records

HIPAA:

• Civil: $100 for each violation for failure to comply with requirements of the privacy regulations

• Criminal: fines up to $50,000 and imprisonment up to 1 year for wrongful disclosure by any person

• Requires the CE to apply sanctions against members of its workforce who fail to comply with privacy policies and procedures.

Page 23:

MTF HIPAA Compliance Requirements

• Must have and introduce written Notice of privacy practices

• Must designate privacy/security officer in writing

• Must develop consent and authorization process for uses and disclosures

• Must provide privacy training to all staff

• Must maintain documentation regarding compliance with the regulation

• Must establish safeguards to protect health information

• Must conduct privacy assessment and modify policies and procedures to be in compliance with the Privacy rule

• Must develop and apply sanctions for violations

Page 24:

QUESTIONS??

Page 25:

Disclosures

Training Objectives -

• Accounting of Disclosures of Protected Health Information (PHI)

• Review of Disclosures

• Uses & Disclosures – General Information

• Suspension of Individual Rights

• Reporting of Disclosures

• Responding to a Request for Disclosures

• PHI Management Tool (PHIMT)

• Rights of Individuals

Page 26:

What is the HIPAA Privacy Rule?

• The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ personal health information in any form: paper, electronic, oral

• It sets boundaries on the use and release of health information

• It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made

• It generally gives patients the right to gain access and obtain a copy of their own health records and request amendments and restrictions

Page 27:

§164.528 Accounting of Disclosures of Protected Health Information

• An individual has a right to receive an Accounting of Disclosures of Protected Health Information (PHI) made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures

– To carry out treatment, payment and health care operations

– For the facility’s directory or to persons involved in the individual’s care or other notification purposes

– For national security or intelligence purposes

– To correctional institutions or law enforcement officials

– That occurred prior to the compliance date of April 14, 2003

Page 28:

What is a Disclosure?

• A “disclosure" is generally defined as the sharing of health information with someone outside of the Military Health System

• Example: A disclosure of health information to a public health official to assist in tracking exposure of individuals to a contagious disease

• Example: Disclosures for family advocacy program offices and the Exceptional Family Member Program (EFMP)

Page 29:

Uses & Disclosures - General

Treatment:

• Provision of care

• Coordination or management of healthcare and related services

• Consultations between providers

• Referral of a patient from one provider to another

Payment:

• Obtaining premiums

• Reimbursement

• Eligibility and coverage determinations

• Billing and claims management

• Utilization review activities

Healthcare Operations:

• Quality assurance

• Health improvement

• Education and training

• Legal services

• Medical review

• Business planning and development

• Management and general administrative activities

HIPAA allows the use and disclosure of PHI for treatment, payment & healthcare operations (TPO) without the patient’s permission

Page 30:

Suspension of Individual Rights Communicated in Writing

• An oversight agency or law enforcement official has the authority to request a suspension of an individual’s right to receive an accounting of disclosures if

– Such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to undermine the agency's investigation activities

– The agency must specify the time period for which the requested suspension is required

– Example: A law enforcement investigation of criminal activity when the knowledge of the individual might alter the nature of the investigation

Page 31:

Suspension of Individual Rights Communicated Orally

• If the request for suspension is made orally by an authorized agency, the covered entity must

– Document the request, including the identity of the agency or official making the statement

– Temporarily suspend the individual’s right to an accounting of disclosures subject to the request

– Limit the temporary suspension to a period of no longer than 30 days from the date of the oral statement, unless a written request is submitted during that time

Page 32:

Reporting the Disclosure

• For each disclosure, the account must include:

– The date of the disclosure

– The name of the entity or person who received the PHI and, if known, the address of such entity or person

– A brief description of the PHI disclosed

– A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or, in lieu of such statement, a copy of a written request for a disclosure

Page 33:

Reporting Multiple Disclosures

• If the covered entity has made multiple disclosures of PHI during the period covered by the accounting to the same person or entity for a single purpose, the accounting may provide

– The information requested for the first disclosure during the accounting period

– The frequency, periodicity, or number of the disclosures made during the accounting period

– The date of the last such disclosure during the accounting period

– The PHIMT will separately track disclosures made for one record

Page 34:

Responsibility for Responding to a Request

• The covered entity must act on the individual’s request for an accounting, no later than 60 days after receipt of such a request

• If the covered entity is unable to provide the accounting within the 60-day timeframe, the covered entity may extend the time to provide the accounting by no more than 30 days and must

– Provide the individual with a written statement of the reasons for the delay, and

– The date by which the covered entity will provide the accounting

• The covered entity may have only one such extension on a request for an accounting

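The accounting-of-disclosures rules on the preceding slides (the six-year lookback and the April 14, 2003 cut-off, the TPO and other exclusions, the four record fields, collapsing of repeated disclosures to one recipient for one purpose, written and oral suspensions, and the 60-day response with a single 30-day extension) amount to a small piece of record-keeping logic. The Python below is an added illustration written for this page; it is not PHIMT and not TRICARE or Navy Medicine code, and the patient disclosures, addresses, agency name and dates in it are constructed sample data. It follows the rule summaries as the slides state them, not the full regulatory text.

```python
"""Illustrative accounting-of-disclosures ledger (added example, not PHIMT).

Rules encoded, as summarised on the slides:
  * list only disclosures inside the lookback window (six years, or shorter if
    the individual asks) and on or after the 14 Apr 2003 compliance date;
  * exclude TPO, facility-directory / involved-in-care, national-security and
    correctional or law-enforcement-custody disclosures;
  * repeated disclosures to one recipient for one purpose collapse into the first
    disclosure's details plus a count and the date of the last one;
  * an oversight or law-enforcement suspension blocks the accounting; an oral
    request lapses 30 days after the oral statement unless a written one follows;
  * act within 60 days, with one extension of at most 30 more days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

COMPLIANCE_DATE = date(2003, 4, 14)
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations",           # TPO
    "facility_directory", "involved_in_care",       # directory / persons involved in care
    "national_security", "correctional_custody",    # intelligence / inmates, custody
}


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    address: Optional[str]
    description: str                       # brief description of the PHI disclosed
    purpose: str                           # e.g. "public_health", "treatment"
    written_request: Optional[str] = None  # may stand in for the purpose statement


@dataclass(frozen=True)
class Suspension:
    agency: str
    requested_on: date
    written: bool
    until: Optional[date] = None           # a written statement must give the period

    def active_on(self, today: date) -> bool:
        if self.written:
            return self.until is not None and today <= self.until
        # Oral request: no longer than 30 days from the date of the oral statement.
        return today <= self.requested_on + timedelta(days=30)


def _years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:                     # 29 Feb with a non-leap target year
        return d.replace(year=d.year - years, day=28)


def accountable(d: Disclosure, requested_on: date, years: int = 6) -> bool:
    """True if the disclosure must appear in an accounting requested on `requested_on`."""
    if d.purpose in EXEMPT_PURPOSES or d.when < COMPLIANCE_DATE:
        return False
    return _years_before(requested_on, years) <= d.when <= requested_on


def build_accounting(disclosures: Sequence[Disclosure], requested_on: date,
                     suspensions: Sequence[Suspension] = (), today: Optional[date] = None,
                     years: int = 6) -> Dict:
    today = today or requested_on
    blocking = [s.agency for s in suspensions if s.active_on(today)]
    if blocking:
        return {"status": "suspended", "suspended_by": blocking, "entries": []}
    groups: Dict[Tuple[str, str], List[Disclosure]] = {}
    for d in sorted(disclosures, key=lambda x: x.when):
        if accountable(d, requested_on, years):
            groups.setdefault((d.recipient, d.purpose), []).append(d)
    entries = []
    for (recipient, purpose), ds in groups.items():
        first = ds[0]
        entry = {"date": first.when.isoformat(), "recipient": recipient,
                 "address": first.address, "description": first.description,
                 "purpose": purpose, "written_request": first.written_request}
        if len(ds) > 1:                    # same recipient, single purpose: summarise
            entry["count"] = len(ds)
            entry["last_date"] = ds[-1].when.isoformat()
        entries.append(entry)
    entries.sort(key=lambda e: e["date"])
    return {"status": "provided", "suspended_by": [], "entries": entries}


def response_deadlines(received_on: date) -> Tuple[date, date]:
    """Act within 60 days; one extension of at most 30 days (with written reasons and a date)."""
    due = received_on + timedelta(days=60)
    return due, due + timedelta(days=30)


def sample_ledger() -> List[Disclosure]:
    """Constructed sample records for one patient; not real disclosures."""
    reg = "State Immunization Registry"
    return [
        Disclosure(date(2003, 2, 1), "County Public Health Office", None,
                   "TB screening result", "public_health"),          # pre-compliance: excluded
        Disclosure(date(2004, 1, 10), "County Public Health Office", "(constructed address)",
                   "TB screening result", "public_health"),
        Disclosure(date(2008, 3, 5), "Referral specialist", None, "Consult note", "treatment"),
        Disclosure(date(2007, 1, 5), reg, None, "Immunization record", "public_health"),
        Disclosure(date(2007, 4, 5), reg, None, "Immunization record", "public_health"),
        Disclosure(date(2007, 7, 5), reg, None, "Immunization record", "public_health"),
        Disclosure(date(2009, 5, 1), "EFMP Office", None, "Dependent medical summary",
                   "family_advocacy", written_request="EFMP enrollment request, 2009-04-20"),
    ]


if __name__ == "__main__":
    request = date(2009, 6, 15)
    for e in build_accounting(sample_ledger(), request)["entries"]:
        print(e)
    print("due / extended:", response_deadlines(request))
```

For a request dated 2009-06-15 the sample ledger yields three entries: the 2004 public-health disclosure, the three registry disclosures collapsed into one entry with a count of 3 and a last date of 2007-07-05, and the EFMP disclosure carrying its written request in place of a purpose statement; the 2003 disclosure falls before the compliance date and the treatment disclosure is TPO, so neither is listed. An oral suspension from a (hypothetical) investigating agency made on 2009-06-01 blocks the accounting through 2009-07-01 and lapses the day after unless a written statement with a stated period has replaced it.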

Page 35:

Accounting of Disclosures – PHI Management Tool (PHIMT)

• TRICARE will use the PHIMT to process the Accounting of Disclosures

• In addition to the Accounting of Disclosures, the PHIMT is used to process complaints, requests for amendments, requests for restrictions on PHI, and suspensions of an individual’s right to an accounting of disclosures

• Overall Navy Medicine has a low utilization rate

Page 36:

Rights of Individuals

Right to an Accounting of Disclosures

• An individual has a right to receive an Accounting of Disclosures of PHI made by a covered entity in the six years (or a shorter time period at the request of the individual) prior to the date on which the accounting is requested

– Including disclosures to or by business associates of the covered entity

– Only applies to disclosures made after April 14, 2003

Page 37:

Rights of Individuals

Amendments

• Individuals have the right to request that a Covered Entity (CE) amend PHI

• Amending PHI usually does not involve actually removing information, but adding an amendment with the accurate data if appropriate

• A CE may deny an individual’s request for an amendment if it determines that the PHI

– was not created by the CE

– is not part of the designated record set

– is not available for inspection within the CE

– is accurate and complete

Page 38:

Rights of Individuals

Right to Restrictions

• Individuals have the right to request that certain uses related to TPO and disclosures of PHI be restricted

• Exception to Right to Restrictions - Individuals do not have a right to request that a covered entity restrict a disclosure of PHI about them for

– workers’ compensation purposes or

– when that disclosure is required by law

Page 39:

Summary of Disclosure Tracking

• The following subjects have been reviewed

– HIPAA Privacy Rule

– Accounting of Disclosures of PHI

– What a Disclosure is

– Uses & Disclosures – General Information

– Suspension of Individual Rights

– Reporting of Disclosures

– Responding to a Request for Disclosures

– Charge for an Accounting of Disclosures

– TRICARE’s Disclosure Tracking Tool - PHI Management Tool (PHIMT)

– Rights of Individuals

Page 40:

Resources

• DoD 6025.18-R, “DoD Health Information Privacy Regulation”, January 2003

• DoD 8580.02-R DoD Health Information Security Regulation

• www.tricare.osd.mil/hipaa (TMA Privacy website)

• [email protected] for subject matter questions

• [email protected] for tool related questions

• Service HIPAA Privacy Representatives

Page 41:

HIPAA Security

This document contains proprietary information and should be handled in accordance with U.S. Navy Regulations. It is intended solely for official purposes only.

Page 42:

Agenda

• HIPAA Security Background

• Key Concepts and Terms

• Security Rule Organization

• Specifics

• Impact

• Compliance

Page 43:

Training Objectives

– Describe the organization and context of the HIPAA Security Rule

– Understand HIPAA security standards and implementation specifications

– Identify tools and other resources that support HIPAA security implementation

Page 44:

HIPAA Implementation Life Cycle

Page 45:

HIPAA Security Background

Page 46:

HIPAA Security Background: Where Does This Fit In? (chart)

HIPAA: Health Insurance Portability and Accountability Act of 1996

Title I: Health Care Access, Portability, and Renewability

Title II:

– Preventing Health Care Fraud and Abuse

– Medical Liability Reform

– Administrative Simplification

· Unique Identifiers for Providers and Employers

· Electronic Data Exchange / Code Sets

· Privacy

· Security: Administrative Safeguards, Physical Safeguards, Technical Safeguards

Title III: Tax-Related Health Provision

Title IV: Group Health Plan Requirements

Title V: Revenue Offsets

Source: National Institute of Standards and Technology (NIST)

Page 47:

HIPAA Security Background: Purpose of the HIPAA Security Rule

• To adopt national standards for safeguards to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI)

Page 48:

HIPAA Security Background: Privacy vs. Security

Privacy

• HIPAA 1996

• Covered entities

• April 14, 2003

• PHI

• Uses and Disclosures

• Confidentiality

• OCR

Security

• HIPAA 1996

• Covered entities

• April 21, 2005

• EPHI

• Safeguards

• Confidentiality, Integrity, and Availability

• CMS

Page 49:

HIPAA Security Background Summary

• You should now be able to:

– Describe the purpose and applicability of the HIPAA Security Rule

– Identify how HIPAA Security fits in to the HIPAA Law

– Explain the differences between HIPAA Privacy versus HIPAA Security

Page 50:

Key Concepts and Terms

The Universe of Health Information (chart)

Nested sets, broadest to narrowest: HI ⊃ IIHI ⊃ PHI ⊃ E-PHI

HI: health information

IIHI: individually identifiable health information

PHI: protected health information

EPHI: electronic protected health information

Also shown: Education Records (excluded from PHI); an individual, “John Doe”; paper files and CDs; biomedical devices

Page 51:

QUESTIONS??