HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 1996.
WHEN HIPAA WAS PASSED - WHAT DID IT DO?
WHO DOES HIPAA AFFECT? – COVERED ENTITIES
A Covered Entity is:
• A Health Plan
• A Health Care Provider (who uses electronic transactions)
• A Clearinghouse
See 42 USC 1320d – 1320d-9 for Privacy related statutes; 45 CFR Parts 160 and 164
WHAT IS PROTECTED HEALTH INFORMATION (PHI)
• Comes from a health care provider or health plan
• Identifies an individual or could be used to identify an individual
• Describes the health care, condition, or payments of an individual
PHI - CONT.
• Describes the demographics of an individual, including such things as name, address, date of birth, telephone number, social security number, medical records number, or any other unique identifying characteristic
• Excludes FERPA protected information, employer held information, and records regarding a person who has been dead for over 50 years
45 CFR 160.103
HIPAA BUSINESS STRUCTURES
• Covered Entities
• Hybrid Entities
• Business Associates
HYBRID ENTITIES
AZ government took a unique approach and declared itself a Hybrid Entity. It looked at each agency’s business operations and determined which components would be HIPAA covered. DHS, AHCCCS, ADOA, DES, DCS, and the Universities all have HIPAA covered components.
Many other states started at the agency level only; by contrast, AZ has a state privacy officer at ADOA.
BUSINESS ASSOCIATE
A Business Associate (BA) is an agent or contractor that provides a service on behalf of the covered entity and comes into contact with PHI. 45 CFR 160.103
A Business Associate Agreement (BAA) should be executed before the services take place.
The AG’s Office is a BA to DHS, DES, and DCS. AGO Business and Finance is the keeper of these agreements.
AGO or state contractors who see or hold an AZ HIPAA covered client’s PHI are also Business Associates. This may include experts, consultants, law firms, and court reporters.
PORTABILITY OF PHI
Transactions/sharing of PHI between Covered Entities and Business Associates for the purposes of Treatment, Payment, and Health Care Operations (TPO) are allowable without an individual’s authorization. 45 CFR 164.502(a), -506, and -508(a)(2)
PUBLIC HEALTH AUTHORITIES
Disclosures to a Public Health Authority are allowable.
A Public Health Authority is an entity that is responsible for public health matters as part of its official mandate:
• Preventing or controlling disease, injury, and disability
• Vital events like deaths and births
The AZ Department of Health Services is the primary state Public Health Authority in Arizona.
Other Public Health Authorities are agencies that perform activities authorized by law, including audits, inspections, licensure, and civil, administrative, and criminal investigations:
• State and local health departments
• FDA
• Centers for Disease Control and Prevention
• Agencies authorized to take reports of child/adult abuse or neglect
45 CFR 164.501 and -512(b) and (c)
HEALTH OVERSIGHT AGENCIES
A Health Oversight Agency is one that performs activities authorized by law including audits, investigations, inspections, licensure, and civil, administrative, and criminal investigations/prosecutions. 45 CFR 164.501 and -512(d)
The goals of these public agencies include:
• Preventing fraud
• Ensuring non-discrimination
• Improving quality of care
• Monitoring safety
• Ensuring compliance with legal requirements
Examples of agencies that fall in this category are:
• Medicaid Fraud Units
• US DOJ
• State Insurance Commissioners
• Professional Licensing Boards
• OSHA
• US DHHS Office for Civil Rights
• EPA
• FDA
RELEASE OF PHI TO LAW ENFORCEMENT
• With an authorization
• With a subpoena, court order, or summons
• When the PHI pertains to specific injuries such as a gunshot wound, powder burn, or knife wound (where state law mandates reporting, the disclosure is “required by law”)
• In an attempt to minimize imminent danger (avert a serious threat)
• Necessary to locate a suspect, fugitive, material witness, or missing person, and the disclosure will avoid or minimize an imminent danger
• The information is related to the victim of a crime
• The information is regarding a crime on the covered entity’s property
• The reporting of child or vulnerable adult abuse or neglect and other mandatory reporting
• Special considerations for homeland security and national security
45 CFR 164.512(f)
AUTHORIZATIONS
A subpoena, court or administrative tribunal order, or an authorization is needed for anything outside of disclosures for TPO, those mandated by law, or to a health care oversight agency or public health authority. 45 CFR 164.502(a) and -512; ARS 12-2294.01
An authorization is always needed for psychotherapy notes. 45 CFR 164.501 and -512
ELEMENTS OF AN AUTHORIZATION
The authorization:
• Must be written in plain language
• Must contain a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
• Must name or otherwise specifically identify the person(s), or class of persons, authorized to make the requested use or disclosure
• Must contain a description of each purpose of the requested use or disclosure
• Must have an expiration date or expiration event that relates to the individual or the purpose of the use or disclosure
• Must be signed by the individual (or a personal representative) and dated
REQUIRED STATEMENTS
• The individual’s right to revoke the authorization in writing, and a description of how the individual may revoke the authorization
• The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization
• The consequences to individuals if they refuse to sign the authorization
45 CFR 164.508(b)
AUTHORIZED REPRESENTATIVE OR DESIGNATED REPRESENTATIVE
An Authorized or Designated Representative may sign an authorization as long as the entity releasing the information has a record of this conveyance of authority on file. 45 CFR 164.502(g)
Under HIPAA, this is a state law determination and is the individual who makes health care decisions for another individual (a parent, via a specific power of attorney, guardianship order, etc.)
RE-DISCLOSURE
Unless prohibited by Federal or State law, PHI authorized by an individual for disclosure may be subject to re-disclosure and no longer protected by HIPAA. 45 CFR 164.508(c)(2)(iii)
Whether the information remains protected depends on whether the recipient is subject to other Federal or State privacy laws, court protective orders, or other lawful process.
RE-DISCLOSURE IN LITIGATION
Once the medical or behavioral health records are obtained by a party in civil litigation, they will likely be subject to discovery unless another law protects them or they are deemed not relevant by a court. Efforts to protect the privacy interests of complainants in suits brought by the State may result in disclosure of the records or even court sanctions.
TORT: MEDICAL MALPRACTICE, NEGLIGENCE, WRONGFUL DEATH…..
When a HIPAA covered provider such as a hospital, doctor’s office, dentist, or clinic is sued by a former patient or the estate of a former patient, it may use and disclose the PHI of the alleged victim as part of the litigation (subject to being sealed by a court).
This is allowable under “Health Care Operations.” 45 CFR 164.501
If the HIPAA covered entity is not a party to the proceeding, then a HIPAA authorization, court order, subpoena, or other lawful process must be used to obtain the PHI.
CORRECTIONAL INSTITUTIONS
PHI may be shared with a correctional institution if it is to be used for the provision of health care to the inmate or for the health and safety of employees of the institution and/or other inmates. 45 CFR 164.501
The AZ Department of Corrections is not a covered entity as long as it does not engage in electronic billing.
HIPAA only applies to providers performing electronic billing (unless they opt in). 45 CFR 160.103
Inmates are not entitled to a Notice of Privacy Practices. They may not obtain copies of their medical records if it poses a threat to the health and safety of the inmate, other inmates, or staff of the institution.
BREACH
Misuse or loss of PHI is a breach and must be mitigated, along with notification to both the Secretary of the US DHHS and the client/patient.
If the loss or misuse affects more than 500 individuals, then the media must be notified. 45 CFR 164.402, -404, -406, and -408
HHS OFFICE FOR CIVIL RIGHTS
| Date | Entity | Violation | OCR Settlement (cost of mitigation and notification not included) |
|---|---|---|---|
| June 23, 2014 | Parkview Health System | Medical records dumping | $800,000 |
| April 22, 2014 | Concentra Health Services | Stolen laptop | $1,975,220 |
| December 27, 2013 | Adult & Pediatric Dermatology P.C. | Lack of policies and procedures in place to address breach notifications | $150,000 |
| August 14, 2013 | Affinity Health Plan | Photocopier memory not deleted before sale | $1,215,780 |
| July 11, 2013 | WellPoint Inc. | Web portal breach | $1,700,000 |
| May 21, 2013 | Idaho State University | Patient data was accessible due to the firewall being disabled | $400,000 |
| January 2, 2013 | Hospice of North Idaho | Stolen laptop, affecting fewer than 500 individuals | $50,000 |
| June 26, 2012 | Alaska Medicaid | Stolen USB drive | $1,700,000 |
| September 17, 2012 | Massachusetts Eye and Ear Infirmary | Stolen laptop | $1,500,000 |
PHI MUST BE SECURED IN ALL FORMS
• Written information (reports, charts, letters, messages, etc.)
• Oral communication (phone calls, meetings, informal conversations, etc.)
• E-mail, computerized and electronic information (computer records, faxes, voicemail, etc.)
COMPLAINTS
All patients/clients and employees have the right to file a written complaint with the Covered Entity or with the US DHHS if they feel their or another individual’s HIPAA rights have been violated. 45 CFR 164.530
Once a complaint has been filed, retaliation is prohibited. 45 CFR 164.530
DM 4119229, Aug. 2014