DPH CBO Women's Health Training July 2003
July 23 and 24, 2003 Division of Public Health, Women's Health Branch
HIPAA Overview
Presented to Women’s Health Branch
Community-Based Organizations
July 23 and July 24, 2003
• Welcome and Introductions
• Logistics and Housekeeping
• Training Objectives
− Provide an overview of HIPAA
− Help determine how HIPAA affects your organization
− Provide an overview of the importance of privacy
− Present a HIPAA privacy vocabulary
− Raise awareness of how health information may be used and disclosed
− Understand patients' rights under HIPAA
− Increase knowledge of privacy requirements
• Agenda
Handouts
• HIPAA Components (Social Security Act Titles)
• HIPAA Overview (UNC Institute of Government)
• Status of HIPAA Regulations
• Know your Compliance Requirements (HIPAA Tip #2)
• Electronic Data Interchange (EDI Rule)
• HIPAA Definitions
• Q&A Consents and Authorizations
• Sample Authorization and Consent Forms
• Countdown to Compliance (Before April 14, 2003)
• Detailed Countdown for Implementing HIPAA’s Individual Rights
• Guidelines for Safeguarding the Privacy of Health Information
Health Insurance Portability and Accountability Act (HIPAA)
• Public Law 104-191, August 21, 1996
• Amends the Internal Revenue Code of 1986
Purpose of HIPAA
• Guarantees health coverage when jobs change
• Combats waste, fraud, and abuse in health insurance and the health care industry
• Promotes use of medical savings accounts
• Improves access to long-term care services and coverage
• Simplifies the administration of health insurance
How the Law is Structured
• HIPAA is divided into five titles – each addresses a unique aspect of health insurance reform. (See Handout: HIPAA Titles).
• Title II is also known as Administrative Simplification.
• If Congress did not adopt legislation to enact Administrative Simplification, HHS was charged with promulgating rules.
• HHS was limited to enacting rules based on the statutory language.
What are the HIPAA Regulations?
See Handouts:
• Overview of HIPAA
• Status of Regulations
Standards for Electronic Transactions and Code Sets
• Standardizes the data content and format of 10 financial or administrative transactions related to health care (e.g., claims, payments)
• Standardizes medical codes (ICD-9, CPT-4) and other code sets
• Compliance deadline: October 16, 2003 (extended from 10/16/02 if a compliance plan was filed with CMS)
• Requires all Medicare claims to be electronic after 10/16/03
• Health care providers and payers currently use many different forms and formats for billing and claims processing:
  − Confusing
  − Inefficient
  − Expensive
• Standardized transactions and codes:
  − Consistency
  − Accuracy
  − Reduced paperwork
Standards for Identifiers
• National Employer Identifier: adopts the Employer Identification Number (EIN) as the standard
  − Compliance deadline: 7/30/04
• National Provider Identifier (final rule projected July 2003)
• National Health Plan Identifier (proposed rule projected August 2003)
• National Identifier for Individuals: on hold indefinitely
• Compliance deadline for the provider and health plan identifiers: 2 years after the final rules are published
Standards for Privacy of Individually Identifiable Health Information
Compliance deadline: April 14, 2003
• Regulates uses and disclosures of individually identifiable health information
• Provides patients rights with respect to their health information
• Establishes requirements to assure the privacy of patient IIHI
• Applies to paper, oral, and electronic records
• Sets boundaries on the use and disclosure of health information
• Gives "patients" more control over their own health information
• Establishes safeguards for protecting the privacy of health information
• Holds providers and payers accountable for violations of privacy requirements
Standards for Security
• Security Standards (proposed in 1998 as the Security and Electronic Signature Standards; the final Security Rule was published in February 2003)
  − Adopts standards for the security of health information in electronic format
  − Compliance deadline: April 2005
  − Electronic Signature Standards final rule: projected availability TBD
• Applies to electronic records only
  − The Privacy Rule addresses safeguards for all records and communications
• Requires providers and payers to assure that electronic health information pertaining to individuals remains secure
• Technology-neutral
• Scalable
• Addresses administrative, technical, and physical safeguards
Privacy versus Security
• Privacy and security go hand in hand.
• Privacy is the "what."
  − Patients have the right to have their health information protected from unauthorized disclosures.
• Security is the "how."
  − Organizations must determine the procedures they will put into place to protect health information.
Enforcement Rule
• First installment: civil money penalties (enforced by CMS)
• Coming: criminal penalties (enforced by the US Department of Justice)
• Establishes procedures for imposing penalties for violation of the Administrative Simplification regulations
• Civil money penalties:
  − $100 per violation
  − $25,000 cap per calendar year for violations of an identical requirement
• Enforcement initially complaint driven:
  − The Office for Civil Rights is responsible for privacy enforcement.
What is the Impact of Not Complying?
• Possible litigation
• Potential withholding of federal Medicaid and Medicare funds
• Penalties:
  − Civil monetary penalties for violation of each standard
  − Criminal penalties for intentional wrongful disclosure of protected health information
Why Comply with HIPAA?
• Protecting the confidentiality of our clients' health information is critical to maintaining trust and confidence in the health care and public health systems.
• Protecting client health information:
  − Is the right thing to do!
  − Is required by law!
Short Stretch Break
Who is Affected by HIPAA?
• Professionals who provide services or activities through a contractual agreement with a health care provider/plan
• Individuals/professionals who work directly for a health care provider/plan
• Patients who seek services from a health care provider or health care plan
Who is covered by HIPAA - Covered Entities?
• Health plans
  − Provide or pay for the cost of health care services
  − Include Medicaid, Medicare, HealthChoice, Veterans Health Program, Military Health Plan, Indian Health Service, and others
  − Exclude most other government-funded programs
  DPH programs are not considered "health plans" (e.g., Maternal and Child Health Block Grant, Sickle Cell Program, Cancer Control Program, etc.)
• Health care providers who conduct any of the HIPAA-regulated transactions electronically
  DPH program participants, such as local health departments, public and private health care providers, and community-based organizations, are covered entities if they electronically process any of the transactions, even if they use a billing service to file their claims.
• Health care clearinghouses (billing services)
How to Determine if You are a Covered Entity
• See Handout: How to HIPAA – Tip #2
• Do you provide health care services as defined by HIPAA?
• Do you conduct any of the defined transactions electronically? See Handout: Electronic Data Interchange (EDI Rule)
  − Do you bill payers for services (Medicaid, Medicare, insurance companies)?
  − Do you bill payers electronically yourself?
  − Do you use a billing service to bill payers, and does it bill payers electronically on your behalf?
Organizations need to work with their attorney to determine their covered entity status and how HIPAA affects them legally!
How to Comply with TCS (EDI) Standard
• If you bill electronically, either directly or via a billing service, you need to assure that you can continue to do so according to the HIPAA Transaction and Code Set Standards:
  − Contact your software vendors.
  − Contact your billing services.
  − Contact your payers (insurance, Medicaid, Medicare).
  − Inquire about their HIPAA plans and status and how you need to work with them to ensure that your billing will not be interrupted.
  − Medicare and Medicaid have free direct billing software available.
  − TCS requires new data for claims.
  − TCS requires use of standard code sets.
  − Some insurance companies might no longer accept paper claims in the future (like Medicare after October).
  − Review your status with Medicare regarding exemption from electronic billing (fewer than 10 full-time employees).
Who is covered in DHHS and DPH?
• DHHS is a "hybrid entity": its primary purpose is not to provide health care, but it has components that perform covered functions (health plan, health care provider services). The areas within DHHS that perform HIPAA-covered functions are called covered health care components. Health care components must comply with HIPAA fully. An example within DPH is the State Laboratory for Public Health.
• Most program areas within DPH are not HIPAA-covered health care components:
  − DPH provides program funding via grants, which are not considered health plans.
  − DPH in most cases does not provide direct health care services; it provides program oversight (of health care and programs), technical consultation, and case consultation.
  − DPH performs public health activities, such as vital records, communicable disease surveillance, etc.
Privacy Regulation Applicability
• The Privacy Regulation establishes a federal floor of safeguards to protect the confidentiality of health information.
• The HIPAA Privacy Regulation does not preempt state laws that provide greater protections (e.g., mental health, HIV/AIDS).
• The HIPAA Privacy Regulation applies to covered entities (or to covered health care components within a hybrid entity).
• Privacy requirements affect:
  − Medical records
  − Billing records
  − Other records/documents with health information
  − Paper records
  − Electronic records
  − Oral communications
Privacy
Privacy is the right of an individual to keep his/her individual health information from being used or disclosed inappropriately for non-health related purposes.
DPH Privacy Policies
DPH privacy policies apply to all areas that create, maintain, or receive individually identifiable health information during their regular course of business. This extends privacy protections beyond HIPAA covered health care components.
Privacy Regulation - Key Concepts
• Sets boundaries on the use and disclosure of health records.
• Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of client information.
• Holds health care providers accountable with civil and criminal penalties if they violate an individual's privacy rights.
• Ensures that each covered health care component protects the health information it maintains.
• Ensures that an individual's health information is not used inappropriately.
• Ensures that the minimum amount of information is used or disclosed whenever possible:
  − Does not apply to disclosures to, or requests by, a health care provider for treatment
  − Limits the amount of information used or disclosed to what is minimally necessary to accomplish the intended purpose
Privacy Regulation - Key Concepts (continued)
• Requires identification of the members of the workforce who need access to health information, and the type of information they need access to in order to perform their jobs.
• Requires appropriate administrative, technical, and physical safeguards to protect health information.
• Requires new policies and procedures to address privacy protections and an individual’s access rights.
• Requires training of all staff members.
• Establishes new rights for individuals regarding access to their personal health information.
• Ensures individuals have more control over when and how their personal health information is used.
Privacy Regulation - Individual Rights
• Right to be informed about the protections on and use of their health information through a notice of privacy practices
• Right to inspect, copy, and review their health records
• Right to request amendments to their health records
• Right to request restrictions on use and disclosure of health information
• Right to request confidential communications by reasonable alternative means or at alternative locations
• Right to an accounting of disclosures of their health information
• Right to file a complaint against a covered entity
Privacy Regulation Terminology
• See Handout: HIPAA Definitions
• To understand HIPAA, there are some important terms you should know:
  - Covered Entity
  - Hybrid Entity
  - Health Care Component
  - PHI
  - IIHI
  - TPO
  - Use vs. Disclosure
  - Minimum Necessary
  - Consent vs. Authorization
  - Designated Record Set
  - Notice of Privacy Practices
  - Business Associate
  - Workforce
Privacy Regulation Terminology
• Covered Entities:
  - Health plans (provide or pay for the cost of medical care)
    - Medicaid, Medicare, Blue Cross
    - Excludes Workers' Comp, Disability, WIC, and most government-funded programs that provide grants
  - Health care clearinghouses (narrowly defined as those that translate data from non-standard to standard format)
  - Health care providers who electronically transmit health information in connection with a standard transaction
Privacy Regulation Terminology
• A Hybrid Entity is:
  – A single legal entity that is a covered entity and whose covered functions are not its primary functions. Your organization may be designated as a hybrid entity. The hybrid entity is responsible for ensuring that its health care components comply with the rules.
• A Health Care Component is:
  – A component of a covered entity that performs covered functions that qualify the component as a health care provider, health plan, or health care clearinghouse. Health care components within a hybrid entity are required to comply with HIPAA fully.
Privacy Regulation Terminology
• PHI (Protected Health Information):
  – Individually identifiable health information that is transmitted or maintained in any form or medium (electronic, paper, oral, etc.)
• IIHI (Individually Identifiable Health Information):
  − Any information, including demographic information collected from an individual, that:
    • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and that
    • Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and that
    • Identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Privacy Regulation Terminology
• Individual Identifiers:
  • Names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, ...
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, ...
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number or characteristic
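The identifier list above is the Privacy Rule's Safe Harbor de-identification standard in list form: a record from which every one of these categories has been removed (keeping only the year of dates and state-level geography) is no longer individually identifiable. The following Python is an added example, not code from the training or from DPH, of applying that list to a flat client record and then checking the result for anything that slipped through. The field names, the regular expressions, and the sample record are assumptions made for the illustration; zip codes are dropped entirely rather than truncated, and the treatment of ages over 89 (aggregated to "90+") comes from the Safe Harbor rule itself rather than from the slide.

```python
"""Safe Harbor de-identification of a flat client record (added example).

Field names, regex patterns and the sample record are assumptions for
illustration, not part of the training slides.
"""
import re
from datetime import date

# Fields assumed to hold one of the eighteen Safe Harbor identifier
# categories; they are dropped outright. State-level geography is kept.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "precinct", "zip",
    "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account", "license", "vehicle", "device_serial", "url", "ip",
    "fingerprint", "photo", "other_unique_id",
}

# Dates directly related to the individual keep only the year.
DATE_FIELDS = {"dob", "admitted", "discharged", "death"}

# Identifiers that tend to leak into free-text fields such as notes.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL", re.compile(r"\bhttps?://\S+")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]


def year_only(value):
    """Reduce a date (date object or ISO string) to its year; None if unparseable."""
    if isinstance(value, date):
        return value.year
    if isinstance(value, str) and value[:4].isdigit():
        return int(value[:4])
    return None


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category (Safe Harbor rule)."""
    if isinstance(age, int) and age > 89:
        return "90+"
    return age


def scrub_text(text):
    """Replace identifier-looking substrings in free text with a category label."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def deidentify(record):
    """Return a copy of record with the Safe Harbor identifier categories removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Labels of identifier patterns still present in any string field (a check step)."""
    found = set()
    for value in record.values():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    found.add(label)
    return sorted(found)


# Constructed sample record; not real client data.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "street": "123 Main St",
    "city": "Raleigh",
    "county": "Wake",
    "state": "NC",
    "zip": "27601",
    "phone": "919-555-0100",
    "email": "jane@example.org",
    "ssn": "123-45-6789",
    "mrn": "MRN-00042",
    "dob": date(1971, 5, 14),
    "admitted": "2003-07-23",
    "age": 92,
    "diagnosis": "prenatal visit, normal",
    "notes": "Call 919-555-0100 or jane@example.org; follow-up 2003-08-01.",
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    print("after:", deidentify(SAMPLE_RECORD))
```

The free-text scrub is a heuristic and will miss identifiers written in unexpected formats (a name in a note, for instance), which is why the residual check runs over the output rather than being trusted from the input side; a release of de-identified data should still be reviewed under the organization's de-identification policy.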
Privacy Regulation Terminology
• TPO – treatment, payment, and other health care operations
  - Treatment:
    • Provision, coordination, or management of health care and related services
    • Coordination and management of health care by a health care provider with a third party (e.g., HMOs)
    • Consultations among health care providers
    • Referrals of patients from one health care provider to another
Privacy Regulation Terminology
• Payment:
  − Activities by a health plan to obtain premiums or fulfill obligations for coverage and the provision of benefits
  − Activities by either a provider or a health plan to obtain reimbursement (e.g., Medicaid payment of claims; provider filing of claims)
  − Examples:
    - Billing and claims management
    - Determination of eligibility or coverage
    - Utilization review activities
    - Debt collection
Privacy Regulation Terminology
• Health Care Operations:
  − Quality assessment and improvement activities
  − Competency and performance reviews
  − Conducting training programs
  − Accreditation, certification, licensing
  − Credentialing
  − Medical review
  − Legal services
  − Auditing functions
  − Business planning and development
Privacy Regulation Terminology
Use
• The sharing, employment, application, utilization, examination, or analysis of Protected Health Information (PHI) within the covered entity that maintains the PHI.
Disclosure
• The release, transfer, provision of access to, or divulging in any other manner of PHI outside the covered entity holding the information.
Privacy Regulation Terminology
• Minimum Necessary:
  − When using or disclosing PHI, or requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit itself to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."
• Need to Know Principle:
  − Necessary for your job
  − How much do you need to know?
  − How much do other people need to know?
  − The key is to balance the privacy of health information against the need for information.
Privacy Regulation Terminology
See Handouts: Q&A Consents and Authorizations, Authorization Forms, Consent Form
Consent
• Consent from client to use IIHI for Treatment, Payment and Health Care Operations (TPO)
• No longer required by HIPAA (the August 2002 modifications to the Privacy Rule made consent optional); strongly suggested, and may be required by NC General Statutes
• Not a consent for treatment, which is still required by NC General Statute and Standard of Care
Authorization
• Required for all non-TPO uses and disclosures not otherwise permitted by law
• Customized document that gives permission to use specified PHI for specified purposes or disclose to specified third party
• If a client refuses to sign an authorization, the health care provider cannot deny treatment on that basis
• Expiration date (or expiration event) required
• Precise language
When an Authorization is NOT Required
• Disclosure is required by law
• Disclosure is for public health purposes
• When required for program monitoring and evaluation
• To avert serious threat to health or safety
• To report child abuse and/or neglect
• When used in judicial/administrative proceedings
• When required in certain situations for law enforcement purposes
• Others also (medical examiner, organ donation)
Privacy Regulation Terminology
• Notice of Privacy Practices:
  – Who
    • Covered health care components
  – What
    • Must develop a document that describes the ways health information may be used and to whom it could be disclosed, including examples of each
  – Why
    • So that patients are more aware of who might have access to their health information and for what reasons
    • Components must also post their Notice in the facility and on their public web site, if available
  – When
    • Providers: at their first treatment encounter after 4-14-03
Privacy Regulation Terminology
• Notice of Privacy Practices (continued):
  – Contacts
    • Notices must identify a person in the agency to contact for more information or for complaints.
    • Notices must inform clients about contacting US DHHS to report violations of privacy practices.
  – Rights
    • Notices must inform patients of their rights.
Privacy Regulation Terminology
• Designated Record Set:
  − A group of records maintained by or for a health plan or health care provider:
    • The medical records and billing records about individuals maintained by or for a covered health care provider; or
    • The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; that are
    • Used, in whole or in part, by or for the health plan or health care provider to make decisions about individuals.
Privacy Regulation Terminology
• Business Associate:
  – A person (or agency) who, on behalf of a covered health care component (but other than a workforce member), performs or assists in performing a function or activity, or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity, where the function or service involves the use or disclosure of protected health information (PHI).
Privacy Regulation Terminology
• Workforce:
  – Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered health care component, is under the direct control of such entity, whether or not they are paid by the covered entity.
  − Workforce member test:
    • Performs a substantial portion of their activities on the premises of the covered entity
    • Works under the direction and control of the covered entity
    • Must follow the policies/procedures of the covered entity
    • Is NOT a business associate
Break
What is Required to Comply With HIPAA Privacy:
• See Handouts:
  − What Covered Entities Must Do Before April 14, 2003
  − Detailed Countdown for Implementing HIPAA's Individual Rights
• Determine/Confirm Your Organization’s Covered Entity Status Under HIPAA.
• Educate Agency Management and Identify Sources of Funds.
• Designate Local HIPAA Coordinator (Privacy Official).
• Appoint HIPAA Implementation Team Members.
• Define Roles and Responsibilities.
• Attend HIPAA Training Sessions.
• Conduct Baseline Assessments and Identify Gaps.
• Develop and Work Implementation Plan.
What is Required to Comply With HIPAA Privacy:
• Develop policies and procedures based on identified gaps in current practices to ensure the protection of individually identifiable health information. Privacy policies include:
− Privacy Protections (List of policies)
− Privacy Official (Requirement to identify Official)
− Workforce (Who is workforce/requirements)
− Safeguards (Privacy protections)
− Privacy Complaints (How to file a complaint)
− Business Associates (Who/What they need to do)
− Authorizations (Requirements and Form)
− De-identification (What/How/When)
− Minimum Necessary (What/When to use)
What is Required to Comply With HIPAA Privacy:
• Privacy policies include (continued):
  − Notice of Privacy Practices (What/How/When)
− Client Rights (What/How to implement)
− Personal Representative (What/Who/Duties)
− Designated Record Sets (What/When to use)
− Use and Disclosure (What/When/How)
− Legal Occurrences (Laws/Regulations/Rules)
− Accounting of Disclosures (What/How)
− Research (What/When/How)
− Marketing and Fundraising (What/Limitations)
What is Required to Comply With HIPAA Privacy
• Implement privacy requirements by incorporating new operational privacy practices into existing business practices.
• Implement appropriate and reasonable safeguards to protect individually identifiable health information.
• Define minimum necessary requirements.
• Develop and provide applicable privacy training to staff.
• Provide a designated contact for privacy complaints and assure that all complaints are appropriately documented.
• Assure appropriate use and disclosure of individually identifiable health information.
What is Required to Comply With HIPAA Privacy
• Develop procedures for obtaining client authorizations to release their health information.
• Define procedures for appropriate client access to health information and to assure client rights regarding their health information.
• Evaluate physical safeguards (building and equipment) and implement physical safeguards.
• Develop disciplinary procedures for employees who intentionally violate privacy protection policies.
Guidelines for Safeguarding Health Information
• See Handout: Guidelines for Safeguarding Privacy of Health Information.
• Do not leave any records containing IIHI where others can see them or access them.
• Keep medical test results and all other medical information private.
• Do not share IIHI in public areas.
• Do not leave copies of IIHI at copy machines, printers, or fax machines. Pick up printouts immediately.
• Verify and double check fax numbers before sending, and verify receipt of the fax wherever possible.
• Do not send sensitive and confidential information via email.
• Do not leave IIHI exposed in mail boxes or conference rooms.
• Secure IIHI when no one is in the area, either in locked file cabinets or locked in your office.
• Always safeguard IIHI when records are in your possession.
• Return all records containing IIHI to their appropriate location when you no longer require them.
HIPAA's Do Nots
• Do Not:
  • Share computer passwords or leave them visible.
  • Leave computer files open when leaving unlocked or shared work areas.
  • Leave IIHI in any public wall file trays unless enclosed in an interoffice envelope.
  • Discuss topics involving IIHI in front of other employees or visitors except on a "need to know" basis.
  • Leave diskette boxes or Rolodex files containing IIHI accessible in unlocked areas.
  • Reuse, share, or dispose of hard drives, floppy disks, CDs, etc., without proper cleansing.
  • Leave IIHI for shredding in an unlocked/undesignated area.
  • Leave records open and unattended.
  • Copy IIHI to your "personal" computer for use outside of authorized work areas.
  • Leave door, cabinet, or card keys unattended or share combination lock codes.
Final Thoughts on Privacy
• We must vigorously safeguard all client health information.
• We should use and share only the client information necessary to do the work.
• Clients have the right to ask about how their health information is used and disclosed and by whom.
• It is the right thing to do, even without HIPAA.
HIPAA’s Public Health Exemption Provisions
Public Law 104-191 (Health Insurance Portability and Accountability Act or HIPAA) carved out a specific provision to avoid impeding certain public health laws:
“Public Health. --Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.” (P.L. 104-191, Sec. 1178(b)).
45 CFR Part 160, § 160.203 General rule and exceptions.
“A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met: …
(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.”
HIPAA’s Public Health Exemption Provisions
45 CFR Part 164, § 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required. …
(b) Standard: uses and disclosures for public health activities.…“(1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to:
(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions;…”
HIPAA’s Public Health Exemption Provisions
45 CFR Part 164, § 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required. …
(d) Standard: uses and disclosures for health oversight activities. …“(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
(i) The health care system; (ii) Government benefit programs for which health information is relevant to beneficiary eligibility; (iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or (iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.”
Final Thoughts on HIPAA
• HIPAA is not going away.
• The regulations set new privacy standards and public expectations for privacy protections and rights to access health information.
• There will be penalties and liabilities for non-compliance.
• Additional regulations will be forthcoming.
• Changes to standards are expected.
• There will be expanded use of electronic transactions.
• There is continued Congressional pressure to tighten privacy protections (e.g., requiring consents, further restrictions on marketing).
Useful Links:
HIPAA Regulations (federal site): http://aspe.os.dhhs.gov/admnsimp/
Office for Civil Rights (privacy): http://www.hhs.gov/ocr/hipaa
Centers for Medicare and Medicaid Services: http://www.cms.hhs.gov/hipaa/
DPH HIPAA Office: http://dhhs.state.nc.us/dph/
DHHS HIPAA Office: http://dirm.state.nc.us/hipaa/
Institute of Government: http://www.medicalprivacy.unc.edu/
Local Health Departments: http://sph.unc.edu/hipaa
Contact: DPH HIPAA Office
(919) 715-0411
Break
Questions and Answers