HIPAA Privacy

Transcript of HIPAA Privacy

Page 1: HIPAA Privacy

HIPAA Privacy

GETTING HIPAA PRIVACY TO FLY… …A REALISTIC, PRACTICAL APPROACH

Page 2: HIPAA Privacy

Dr. Quack: Getting HIPAA to Fly

2

HIPAA Privacy

History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes

Page 3: HIPAA Privacy

HIPAA Privacy

(What it is NOT)
Electronic Data Interchange
Medicare electronic claim regulations
Computer software regulations

EDI due in October 2003

Page 4: HIPAA Privacy

HIPAA Privacy

History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes

Page 5: HIPAA Privacy

Background / History

HIPAA Privacy
1996 Federal law
Protects patient privacy
Gives patients access to their records
Allows patients to amend their records

Page 6: HIPAA Privacy

Background / History

Constantly morphing process over years
Finally gelled last quarter of 2002
Final federal rules published in October
OCR Guidelines published in December

Page 7: HIPAA Privacy

Background / History

AOA HIPAA Privacy Manual published
160 pages
Charts (directions)
Worksheets
Policy suggestions

Page 8: HIPAA Privacy

HIPAA Privacy

History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes

Page 9: HIPAA Privacy

Review of Notice of Privacy Practices

Policy 14B on pages 31-32 & copy for posting at end of Manual

Dr. Platypus et al

Dr. Donald Duck and Daisy Duck

Dr. Daffy Duck and Peking Duck

THE OPTOMETRISTS PRACTICING IN DUCKVILLE, NEBRASKA

Page 10: HIPAA Privacy

Review of Notice of Privacy Practices

This notice describes how medical information about you may be used (in our office) or disclosed (outside our office) and how you can gain access to this information.

Page 11: HIPAA Privacy

Treatment, Payment and Health Care Operations

The most common reason why we use or disclose your health information is for treatment, payment or health care operations

Page 12: HIPAA Privacy

Treatment, Payment and Health Care Operations

Setting up an appointment for you;
Testing or examining your eyes;
Prescribing glasses, contact lenses, or eye medications and

Page 13: HIPAA Privacy

Treatment, Payment and Health Care Operations

Faxing them to be filled; showing you low vision aids;

Referring you to another doctor or clinic for eye care or low vision aids or services; or

Getting copies of your health information from another professional that you may have seen before us.

Page 14: HIPAA Privacy

Treatment, Payment and Health Care Operations

Asking you about your health or vision care plans, or other sources of payment;

Preparing and sending bills or claims; and

Collecting unpaid amounts (either ourselves or through a collection agency or attorney).

Page 15: HIPAA Privacy

Treatment, Payment and Health Care Operations

Administrative and managerial functions

Financial or billing audits;
Internal quality assurance;
Personnel decisions;

Page 16: HIPAA Privacy

Treatment, Payment and Health Care Operations

Participation in managed care plans;
Defense of legal matters;
Business planning; and
Outside storage of our records.

Page 17: HIPAA Privacy

Treatment, Payment and Health Care Operations

We routinely use your health information inside our office for these purposes without any special permission.

If we need to disclose your health information outside of our office for these reasons, we usually will not ask you for special written permission.

Page 18: HIPAA Privacy

Treatment, Payment and Health Care Operations

We will ask for special written permission when it is required by law.

Page 19: HIPAA Privacy

Other Uses or Disclosures Without Permission

In some limited situations, the law allows or requires us to use or disclose your health information without your permission.

Not all of these situations will apply to us;

Some may never come up at our office at all.

Page 20: HIPAA Privacy

Other Uses or Disclosures Without Permission

When a state or federal law mandates that certain health information be reported for a specific purpose;

Page 21: HIPAA Privacy

Other Uses or Disclosures Without Permission

For public health purposes, such as contagious disease reporting, investigation or surveillance; and

Notices to and from the federal Food and Drug Administration regarding drugs or medical devices;

Page 22: HIPAA Privacy

Other Uses or Disclosures Without Permission

Disclosures to governmental authorities about victims of suspected abuse, neglect or domestic violence;

Uses and disclosures for health oversight activities, such as for the licensing of doctors;

For audits by Medicare or Medicaid; or for investigation of possible violations of health care laws;

Page 23: HIPAA Privacy

Other Uses or Disclosures Without Permission

Disclosures for judicial and administrative proceedings, such as in response to:
Subpoenas
Orders of courts
Administrative agencies;

Page 24: HIPAA Privacy

Other Uses or Disclosures Without Permission

Disclosures for law enforcement purposes, such as:
To provide information about someone who is or is suspected to be a victim of a crime;
To provide information about a crime at our office; or
To report a crime that happened somewhere else;

Page 25: HIPAA Privacy

Other Uses or Disclosures Without Permission

Disclosure to a medical examiner to identify a dead person or to determine the cause of death; or
To funeral directors to aid in burial; or
To organizations that handle organ or tissue donations;
Uses or disclosures for health related research;
Uses and disclosures to prevent a serious threat to health or safety;

Page 26: HIPAA Privacy

Other Uses or Disclosures Without Permission

Uses or disclosures for specialized government functions, such as:
For the protection of the president or high ranking government officials;
For lawful national intelligence activities;
For military purposes; or
For the evaluation and health of members of the foreign service;

Page 27: HIPAA Privacy

Other Uses or Disclosures Without Permission

Disclosures of de-identified information;
Disclosures relating to worker’s compensation programs;
Disclosures of a “limited data set” for research, public health, or health care operations;

Page 28: HIPAA Privacy

Other Uses or Disclosures Without Permission

Incidental disclosures that are an unavoidable by-product of permitted uses or disclosures;

Disclosures to “business associates” who perform health care operations for us and who commit to respect the privacy of your health information;

Other uses and disclosures affected by state law.

Page 29: HIPAA Privacy

Uses & Disclosures: Unless You Object…

Unless you object, we will also share relevant information about your care with your family or friends who are helping you with your eye care.

Page 30: HIPAA Privacy

Uses & Disclosures: Unless You Object…

Appointment Reminders

We may call or write to remind you of scheduled appointments, or that it is time to make a routine appointment.

We may also call or write to notify you of other treatments or services available at our office that might help you.

Page 31: HIPAA Privacy

Uses & Disclosures: Unless You Object…

Appointment Reminders

We will mail you an appointment reminder on a post card, and/or
Leave you a reminder message on your home answering machine or with someone who answers your phone if you are not home.

Page 32: HIPAA Privacy

Uses & Disclosures: Only With Authorization

We will not make any other uses or disclosures of your health information unless you sign a written “authorization form.” Federal law determines the content of an “authorization form”.

Sometimes, we may initiate the authorization process if the use or disclosure is our idea.

Sometimes, you may initiate the process if it’s your idea for us to send your information to someone else.

Page 33: HIPAA Privacy

Uses & Disclosures: Only With Authorization

Typically, in this situation you will give us a properly completed authorization form, or you can use one of ours.

If we initiate the process and ask you to sign an authorization form, you do not have to sign it.

If you do not sign the authorization, we cannot make the use or disclosure.

Page 34: HIPAA Privacy

Uses & Disclosures: Only With Authorization

If you do sign one, you may revoke it at any time unless we have already acted in reliance upon it.

Revocations must be in writing. Send them to the office contact person named at the end of this Notice.

Page 35: HIPAA Privacy

YOUR RIGHTS Regarding your PHI

The law gives you many rights regarding your health information….

Page 36: HIPAA Privacy

YOUR RIGHT to ask us to restrict uses & disclosures

Ask us to restrict our uses and disclosures for purposes of treatment (except emergency treatment), payment or health care operations.

We do not have to agree to do this, but if we agree, we must honor the restrictions that you want.

To ask for a restriction, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

Page 37: HIPAA Privacy

YOUR RIGHTS: Confidential Communication

Ask us to communicate with you in a confidential way, such as by phoning you at work rather than at home, by mailing health information to a different address, or by using E-mail to your personal E-Mail address.

Page 38: HIPAA Privacy

YOUR RIGHTS: Confidential Communication

We will accommodate these requests if they are reasonable, and if you pay us for any extra cost.

If you want to ask for confidential communications, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

Page 39: HIPAA Privacy

YOUR RIGHTS: Photocopies

Ask to see or to get photocopies of your health information.

By law, there are a few limited situations in which we can refuse to permit access or copying.

Page 40: HIPAA Privacy

YOUR RIGHTS: Photocopies

For the most part, however, you will be able to review or have a copy of your health information within 30 days of asking us (or sixty days if the information is stored off-site). You may have to pay for photocopies in advance.

If we deny your request, we will send you a written explanation, and instructions about how to get an impartial review of our denial if one is legally available.

Page 41: HIPAA Privacy

YOUR RIGHTS: Photocopies

By law, we can have one 30 day extension of the time for us to give you access or photocopies if we send you a written notice of the extension. [Nebraska?]

If you want to review or get photocopies of your health information, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

Page 42: HIPAA Privacy

YOUR RIGHTS: Amending your PHI

Ask us to amend your health information if you think that it is incorrect or incomplete.

If we agree, we will amend the information within 60 days from when you ask us.

We will send the corrected information to persons who we know got the wrong information, and others that you specify.

Page 43: HIPAA Privacy

YOUR RIGHTS: Amending your PHI

If we do not agree, you can write a statement of your position, and we will include it with your health information along with any rebuttal statement that we may write.

Page 44: HIPAA Privacy

YOUR RIGHTS: Amending your PHI

Once your statement of position and/or our rebuttal is included in your health information, we will send it along whenever we make a permitted disclosure of your health information.

By law, we can have one 30 day extension of time to consider a request for amendment if we notify you in writing of the extension.

Page 45: HIPAA Privacy

YOUR RIGHTS: Amending your PHI

If you want to ask us to amend your health information, send a written request, including your reasons for the amendment, to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice

Page 46: HIPAA Privacy

YOUR RIGHTS: Lists of PHI disclosed

Get a list of the disclosures that we have made of your health information within the past six years (or a shorter period if you want).

By law, the list will not include: disclosures for purposes of treatment, payment or health care operations; disclosures with your authorization; incidental disclosures; disclosures required by law; and some other limited disclosures.

Page 47: HIPAA Privacy

YOUR RIGHTS: Lists of PHI disclosed

You are entitled to one such list of disclosures per year without charge.

If you want more frequent lists, you will have to pay for them in advance.

We will usually respond to your request within 60 days of receiving it, but by law we can have one 30 day extension of time if we notify you of the extension in writing.

Page 48: HIPAA Privacy

YOUR RIGHTS: Lists of PHI disclosed

If you want a list of disclosures, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

Page 49: HIPAA Privacy

YOUR RIGHTS: Copies of Privacy Practices

Get additional paper copies of this Notice of Privacy Practices upon request. It does not matter whether you got one electronically or in paper form already.

If you want additional paper copies, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

Page 50: HIPAA Privacy

OUR NOTICE OF PRIVACY PRACTICES

By law, we must abide by the terms of this Notice of Privacy Practices until we choose to change it.

We reserve the right to change this notice at any time as allowed by law.

Page 51: HIPAA Privacy

OUR NOTICE OF PRIVACY PRACTICES

If we change this Notice, the new privacy practices will apply to your health information that we already have as well as to such information that we may generate in the future.

If we change our Notice of Privacy Practices, we will post the new notice in our office, have copies available in our office, and post it on our Web site.

Page 52: HIPAA Privacy

COMPLAINTS

If you think that we have not properly respected the privacy of your health information, you are free to complain to us or the U.S. Department of Health and Human Services, Office for Civil Rights.

We will not retaliate against you if you make a complaint.

Page 53: HIPAA Privacy

COMPLAINTS

If you want to complain to us, send a written complaint to the office contact person named at the end of this Notice.

Use the address, fax or E Mail shown at the beginning of this Notice.

If you prefer, you can discuss your complaint in person or by phone.

Page 54: HIPAA Privacy

HIPAA Privacy

History & Background
Brief Review of Notice of Privacy Practices
NOA (AOA) Manual Handout
OCR Guidelines
Office Physical Layout: suggested changes

Page 55: HIPAA Privacy

NOA (AOA) Manual Handout

NOA adaptations of AOA Manual
HIPAA job title on policies instead of name
Tables added (Job titles, etc.)
State law addressed
Index added
Formatted for letterhead
Underline replaces brackets

Page 56: HIPAA Privacy

Inserted Tables (NOA unique)

Personnel names vs. job title
Job Titles vs. PHI
HIPAA Officers’ names

Page 57: HIPAA Privacy

Inserted Tables (NOA unique)

Personnel names vs. job title
Every employee listed
For each employee:
Check each job they perform
Enter date they completed HIPAA training

Page 58: HIPAA Privacy

Inserted Tables (NOA unique)

Job Titles vs. PHI
Every Job Title listed
Using analysis forms provided: Worksheet 6 or Dr. Quack Assessment, Worksheet 24
Check each type of PHI accessed

Page 59: HIPAA Privacy

Inserted Tables (NOA unique)

HIPAA Officers’ names
List every person with HIPAA role
Check HIPAA role(s) they will perform
Enter date they completed HIPAA training

Page 60: HIPAA Privacy

HIPAA and Nebraska Law

Briefly describes Nebraska state law section at the back of the manual

Inserted here to indicate that there has been a section added

Page 61: HIPAA Privacy

Policy 3A: Affiliated Covered Entities

2 or more entities (example: corporations)
Connected ownership or control
Comply with HIPAA as a single unit

Dr. Quack

Page 62: HIPAA Privacy

Policy 3B: Health Care Components

Affects hybrid entities (example: retail & optometry)

Should designate portion of business as “health care component”

Only health care component must comply with HIPAA

Otherwise, entire entity must comply with HIPAA

Dr. Merganser Duck

Page 63: HIPAA Privacy

Policy 5A: Privacy Officer

Qualifications
Duties
Who is appointed (refers to HIPAA Personnel Roster)

Page 64: HIPAA Privacy

Policy 5B: Public Information Officer

Qualifications
Duties
Who is appointed (refers to HIPAA Personnel Roster)

Page 65: HIPAA Privacy

Worksheet 6 or Dr. Quack’s Assessment

Gather information on use of PHI in your office
Complete one form for each job description
Keep on hand, proving you made the effort

Page 66: HIPAA Privacy

Worksheet 8: No authorization needed for some use of PHI

Treatment
Payment
Health Care Operations

Page 67: HIPAA Privacy

Policy 7A, 8A, 10A: No Authorization Required for Certain Disclosures of PHI

Treatment, Payment, Health Care Oper.
Business Associates
Use or Disclosure required by Law
Others mentioned in Notice of Privacy Practices (Also addressed in State Law Appendix)

Page 68: HIPAA Privacy

Policy 9A: Facility Directory

Directory policy applies to an entity where a directory is kept of patients in process of a procedure, et cetera.
9A: Describes what must take place if you have a directory
9A No Directory: ODs who do not maintain a directory need not comply with this section.

Page 69: HIPAA Privacy

Policy 9B: Providing Information to Family & Friends

General policy explained
Oral agreement with patient okay

Page 70: HIPAA Privacy

Worksheet 10: Public Policy Disclosures

For Policy 7A, 8A, 10A (previously reviewed)

See state law section for Dr. Quack’s assessment

Page 71: HIPAA Privacy

Worksheet 11: Marketing & Advertising

Read policy 11A.
Authorization not needed for marketing described in item #4 or #7. (Covers most marketing done by ODs)

Other marketing requires individual authorization of each occurrence.

Page 72: HIPAA Privacy

Policy 11A: Marketing & Advertising

Cannot release PHI to others w/o written authorization:
Pictures
Testimonials
Patient lists to marketers

Can “market” to individual patient:
Services you provide
Materials you provide
Give promotional gifts of limited value

Page 73: HIPAA Privacy

Policy 11A: Marketing & Advertising

Can market w/o use of PHI:
General TV ads
Brochures to occupant

Read the policy carefully

Page 74: HIPAA Privacy

Policy 11A: Marketing & Advertising

OCR Changes since AOA printing
CAN leave non-specific message on answering machine (glasses are ready, appointment tomorrow, due for exam)
CAN send postcard with appointment time
Unless patient requests otherwise

Page 75: HIPAA Privacy

Policy 12A: Disclosures for Research

Need to read carefully if you:
Participate in clinical trials
Conduct research

Page 76: HIPAA Privacy

Worksheet 13: Prepare PHI Disclosure Authorization Form

Use as you feel necessary after reading policies

Page 77: HIPAA Privacy

Policy 13A: PHI Disclosure Authorization Form

Detailed description of what is to be released

Specific purpose
Expiration date
New form for every disclosure

Page 78: HIPAA Privacy

Policy 13B: Personal Representative for Patients

Addresses “standing in the shoes” of the patient regarding PHI
Parents (and divorced parents)
Guardians
Emancipated minors (not in Nebraska?)
Deceased patients’ representatives

Page 79: HIPAA Privacy

Policy 13B: Personal Representative for Patients

Policy refers to state law section (p. 80) (see items #29, #68, and #69 in parts II & III)
Not specific regarding state law
HIPAA does not appear to present new problems
Dr. Quack cannot give legal advice
See your attorney with real questions

Page 80: HIPAA Privacy

Policy 14A: Prepare Notice of Privacy Practices

Post in reception area (back of handout)
Keep stock in reception area
Distribute to every patient
Request patient to sign receipt (must try)
Receipt/denial kept in record (verify each visit)
Update next visit if policy changes

Page 81: HIPAA Privacy

Policy 14B: Actual Notice of Privacy Practices

Reviewed earlier

Page 82: HIPAA Privacy

Policy 15A (& 16A): Defines Designated Record Set

Contents of patient’s clinical chart
Contents of billing materials
Contents of treatment, orders, laboratory information

Page 83: HIPAA Privacy

Policy 15B: Patient Access to their own PHI

Nebraska Hospital Association’s evaluation of Nebraska statute vs. HIPAA (p. 82)
Reasons for denial: follow HIPAA standard
Charges for copying: Nebraska statute

Dr. Quack’s evaluation:
Time to respond: follow state law (30 days)

Page 84: HIPAA Privacy

Letters responding to Patient Requesting Access to PHI

Letter 1: extension (legal in Nebraska?) (toss??)
Letter 2: agree to access
Letter 3: denial of access

Page 85: HIPAA Privacy

Policy 16B: Amendment of PHI

Patient can request to amend record
If Dr agrees,
Amendment added
New information forwarded to others with record
If Dr disagrees and denies amendment,
Patient can submit letter of disagreement
Dr can attach denial letter & rebut in writing

Page 86: HIPAA Privacy

Letters responding to Patient Requesting Amendment

Letter 1: decline to amend
Letter 2: agree to amend
Letter 3: delay in amending

Page 87: HIPAA Privacy

Policy 17A: Accounting for Disclosures of PHI

Don’t need to account for disclosures:
For treatment, payment, H. C. operations
To patient
To family, friends, or care givers
Authorized
Incidental
Marketing & advertising per exceptions

Page 88: HIPAA Privacy

Policy 17A: Accounting for Disclosures of PHI

Do need to account for disclosures violating policy 11A

If you did everything right there should be nothing to disclose

Page 89: HIPAA Privacy

Letters responding to Patient Requesting An Accounting of Disclosures of PHI

Letter 1: delay of accounting

Page 90: HIPAA Privacy

Policy 18A: Restrictions to Use of PHI

Must allow patient to request to restrict use of PHI that would otherwise not be restricted
You do not have to agree to request
If you do agree you must abide by agreement
Can terminate in writing
May be better never to agree

Page 91: HIPAA Privacy

Policy 19A: Confidential Communication Methods

Must have policy to allow patients to specify special methods of communication with them. Examples:
No answering machines
No post cards
Call at office only
Never call at office
Email only

Must comply with requests agreed to.

Page 92: HIPAA Privacy

Worksheet 20: Business Associates

AOA’s Joanne Lax J.D. recommends the following steps to determine who is a business associate.

Step One: Identify all outside companies with which you do business

Page 93: HIPAA Privacy

Worksheet 20: Business Associates

Step Two: Flag companies that perform health care services on your behalf (i.e. those to which you have outsourced):
Billing service
Optical lab
Quality assurance
Staff training

Page 94: HIPAA Privacy

Worksheet 20: Business Associates

Step Three: Also, flag the companies that perform the following services:
Legal
Accounting
Consulting
Management (office, building, software, etc)

Page 95: HIPAA Privacy

Worksheet 20: Business Associates

Step Four: Of the companies you have flagged, flag again those companies that need to generate, maintain, use, or disclose PHI in order to do their job. Examples:
Billing agents
Software support that sees PHI
Collections agencies
Outside medical transcriptionist service

Companies with two flags are your business associates

Page 96: HIPAA Privacy

Worksheet 20: Business Associates

Business associates that need attention right now fall into any of the following groups:
You do not currently have a written services contract with them.
You have a written services contract with them, but you entered into it after October 15, 2002.
You have a written services contract, but it will expire or need to be renewed before April 14, 2003.

Page 97: HIPAA Privacy

Worksheet 20: Business Associates

Business associates that do not need immediate action: You have a contract that existed before October 15, 2002, that
Automatically renews, or
Will not expire or be renewed before April 14, 2003.

You have to act on this latter group on the earlier of:
The date that you will renew the contract, or
April 14, 2004.

Note these business associates on the worksheet & complete the columns.

Page 98: HIPAA Privacy

Worksheet 20: Business Associates

Negotiate a business associate contract with each of your business associates, except:
A business associate that only uses, generates, maintains or discloses PHI for treatment purposes.

OCR also excludes payers…

Page 99: HIPAA Privacy

Business Associate Agreements

Policy 21A: BA agreement with AOA language

Policy 21A: BA agreement without AOA language

Your Notice of Privacy Practices must be supplied to BA

Page 100: HIPAA Privacy

BA Follow-up

Do not have to monitor BA for compliance
Do not have to train BA
If learn of non-compliance, must:
Mitigate where possible (per subsequent policy)
Insist BA comply or terminate contract
If fails to comply, must find another vendor

Page 101: HIPAA Privacy

Worksheet 23: You must safeguard PHI

Safeguards come in many forms. The three general categories are:
Administrative (policies & procedures).
Physical (physical plant).
Technological (relating to electronics).

Page 102: HIPAA Privacy

Worksheet 23: You must safeguard PHI

Examples of safeguards include:
Locks on records’ storage rooms or cabinets (or monitoring).
Phones in confidential locations.
Closing doors.

Page 103: HIPAA Privacy

Worksheet 23: You must safeguard PHI

Computer passwords.
Computer screen savers or screen shields.
Limited field access for electronic data.

Page 104: HIPAA Privacy

Worksheet 23: You must safeguard PHI

Turning charts to face the wall in boxes outside patients’ exam rooms.

Prohibiting calls to pharmacies or other providers where they can be overheard.

Prohibiting staff from discussing clinical issues with patients where they can be overheard.

Shredding discarded PHI

Page 105: HIPAA Privacy

Worksheet 23: You must safeguard PHI

This aspect of HIPAA requires unique, individualized solutions based upon:
Your office layout,
Opportunities to easily make physical plant changes,
Budget for physical & technological gadgets,
Workable policies & procedures.

Page 106: HIPAA Privacy

Worksheet 23: You must safeguard PHI

You are not required to go to extremes to guarantee that no PHI will ever be inadvertently disclosed.

“Incidental” disclosures – e.g. unavoidable disclosures secondary to a permitted use or disclosure – are permitted under HIPAA, so long as:
You use reasonable safeguards and
You observe the minimum necessary rule.

Page 107: HIPAA Privacy

Worksheet 24: Minimum Necessary PHI

Using worksheet 6 (or Quack assessment):
Determine which job descriptions must access what PHI
Determine whether the minimum necessary rule is currently being abided by
Determine what changes should be made, if any

Page 108: HIPAA Privacy

Policy 24A: Minimum Necessary Uses

Complete the table titled “Access to PHI by Job Category” found at the front of this manual

Modify records & procedure where practical so that:
Information for a particular task is segregated,
But clinical needs & operations are not compromised in the process of segregation.

Page 109: HIPAA Privacy

Policy 24A: Minimum Necessary Disclosures

For routine disclosures of PHI, determine the minimum necessary amount of PHI needed to respond (e.g., an eye exam report to a school, with authorization, or given to the parent).

For non-routine disclosures of PHI, decide how your PO will determine the minimum amount of PHI necessary to respond.

Page 110: HIPAA Privacy

Policy 24A2: Confidentiality Agreement

Referred to but not included in the AOA Manual; fabricated by Dr. Quack.

All staff should sign a confidentiality agreement stating their commitment to accessing only the minimum amount of PHI necessary to do their job.

Page 111: HIPAA Privacy

Policy 25A: Verification Before Disclosing PHI

You must check the identity & authority of someone:

Signing an authorization on behalf of a patient, or

Seeking PHI without an authorization,

if you don’t know this information already.

Page 112: HIPAA Privacy

Policy 25A: Verification Before Disclosing PHI

This should include obtaining copies of applicable documents, such as guardianship papers, power of attorney for health care, or an official badge.

You can rely on documents that appear valid.

You must resolve questions or problems before you can accept the authorization or disclose requested PHI.

Page 113: HIPAA Privacy

Policy 26A: You Must Mitigate Harm from Improper Disclosure

The duty only applies if you "know" of the harm. You do not have to actively monitor for evidence of harm.

You only have to mitigate harm if it is "practical" for you to do so.

You have full discretion to evaluate each situation, & to take mitigation steps appropriate to it.

Page 114: HIPAA Privacy

Policy 26A: You Must Mitigate Harm from Improper Disclosure

Mitigation can be:

As simple as an apology or correction.

An attempt to get back the PHI disclosed.

Obtaining a signed agreement from the receiver not to use or disclose improperly released PHI.

It's up to you in each case.

Page 115: HIPAA Privacy

Policy 27A: Complaints about Violations

You must have a written office policy to accept, thoroughly investigate, and resolve complaints from patients who believe their privacy has not been properly respected.

Page 116: HIPAA Privacy

Policy 28A: De-Identification of PHI

Should you want to use PHI without HIPAA restrictions…

None of HIPAA’s use & disclosure rules apply to information stripped of all identifiers.

Page 117: HIPAA Privacy

Policy 28A: De-Identification of PHI

You can de-identify PHI in one of two ways:

A statistical expert can give an opinion that PHI has been de-identified; or

You can remove the specific identifiers listed in HIPAA’s “safe harbor” method.

Page 118: HIPAA Privacy

Policy 29A & 29B: Limited Data Sets

A limited data set is stripped of some identifiers

You can then disclose PHI for research, public health, or health care operations

Page 119: HIPAA Privacy

Policy 29A & 29B: Limited Data Sets

Examples of sharing for health care operations:

Business planning for a health plan or provider.

Sale or merger of a health plan, or

Financial management of a health plan or provider.

Page 120: HIPAA Privacy

Policy 29B: Limited Data Set: Data Use Agreement

Similar to a Business Associate Agreement.

Describes the recipient’s uses & disclosures.

Requires the recipient to use appropriate safeguards.

Requires the recipient to tell you of wrongful use or disclosure.

Prohibits the recipient from identifying or contacting the patient.

Requires the recipient’s agents to abide by the same conditions as the recipient.
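The two release paths described on the De-Identification (Policy 28A) and Limited Data Set (Policy 29A/29B) slides, as an added Python example; it is not code from the AOA manual or from these slides. It assumes a patient record kept as a flat dictionary; the field names and the sample record are constructed. The direct-identifier list is a condensed rendering of the safe-harbor identifier categories, which the slides mention but do not list, and the ZIP-code population rule is reduced to a flag the caller supplies from its own lookup.

```python
"""Limited data set vs. safe-harbor de-identification of a patient record.

Added example, not from the AOA manual or the slides. Field names and the
sample record are constructed; no real patient data appears here.
"""
import re

# Constructed sample record (placeholder values only).
SAMPLE_RECORD = {
    "name": "Example Patient",
    "street_address": "1 Example St",
    "city": "Omaha",
    "state": "NE",
    "zip": "68102",
    "phone": "555-0100",
    "email": "patient@example.com",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-PLACEHOLDER",
    "date_of_birth": "1911-03-05",
    "exam_date": "2003-04-17",
    "age": 92,
    "diagnosis": "myopia",
}

# Direct identifiers removed for BOTH a limited data set and safe harbor.
# Condensed from the safe-harbor categories: names, street-level address,
# phone/fax/email, SSN, MRN, plan/account/license numbers, vehicle and
# device identifiers, URLs, IP addresses, biometrics, full-face photos.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo",
}
# Individually related dates a limited data set may keep but safe harbor
# must reduce to the year.
DATE_FIELDS = {"date_of_birth", "exam_date", "admission_date", "discharge_date"}


def limited_data_set(record):
    """Strip direct identifiers only. Dates, city/state/ZIP and age stay,
    which is why the recipient must sign a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def _year_only(iso_date):
    """'2003-04-17' -> '2003'; anything unparsable is dropped (None)."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(iso_date))
    return m.group(1) if m else None


def safe_harbor(record, zip3_population_ok=True):
    """Safe-harbor de-identification on top of the limited data set:
    dates reduced to year, ages over 89 collapsed to '90+' (and the birth
    year dropped, since it would reveal the age), city removed, ZIP reduced
    to its first three digits, or '000' when the caller's lookup says the
    three-digit area holds 20,000 people or fewer."""
    out = limited_data_set(record)
    for field in DATE_FIELDS:
        if field in out:
            out[field] = _year_only(out[field])
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90+"
        out.pop("date_of_birth", None)
    out.pop("city", None)
    if "zip" in out:
        out["zip"] = out["zip"][:3] if zip3_population_ok else "000"
    return out


def release_check(record):
    """Pre-release gate: list any direct identifier still present."""
    return sorted(DIRECT_IDENTIFIERS & set(record.keys()))
```

Run `release_check` on whatever is about to leave the office; an empty list is the condition for releasing a limited data set under a data use agreement, and `safe_harbor` output additionally carries no dates, city or full ZIP.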

Page 121: HIPAA Privacy

Worksheet 30: Train All Employees

Work force includes more people than your payroll. Work force includes:

All W2 employees.

Students (all kinds).

Volunteers.

Any independent contractor working on-site & under your direct control that you have not treated as a business associate. (See chart 20.)

Page 122: HIPAA Privacy

Worksheet 30: Train All Employees

Training can take any form. It can be:

Live lectures.

Purchased on-line training modules.

Review of policies/procedures.

Workbooks.

Any other method that you devise.

Training needs to be job specific.

Page 123: HIPAA Privacy

Worksheet 31: State Law vs. HIPAA

A state law that relates to the privacy of PHI but is not contrary to HIPAA remains fully effective after HIPAA. You must comply with both the state law & HIPAA.

A state law that relates to the privacy of PHI & is contrary to HIPAA & “less stringent than” HIPAA: HIPAA wipes out the state law, which is no longer effective.

Page 124: HIPAA Privacy

Worksheet 31: State Law vs. HIPAA

A state law that relates to the privacy of PHI & is contrary to HIPAA, but is “more stringent than” HIPAA: all such laws remain in effect after HIPAA.

You must comply with the state law, not HIPAA.

Page 125: HIPAA Privacy

Dr. Quack’s State Law Appendix

I: The concept of pre-emption.

II: Nebr. Hospital Assoc. review of statutes: 70 statutes & their relationship to HIPAA; Quack comments on the effect on optometry.

III: More detail on statutes affecting ODs; subpoenas & HIPAA in Nebraska.

Page 126: HIPAA Privacy

State Law: Before & After HIPAA

It appears little state law is truly pre-empted, based on the Hospital Association evaluation.

State law is therefore unchanged & should prove no greater problem than previously.

Optometrists should read & review the last two sections of the Quack appendix: detail on sections possibly related to optometry, and subpoenas (discovery).

Seek legal advice with additional questions.

Page 127: HIPAA Privacy

HIPAA Privacy

History & Background

Brief Review of Notice of Privacy Practices

NOA (AOA) Manual Handout

OCR Guidelines

Office Physical Layout: suggested changes

Page 128: HIPAA Privacy

OCR Guidelines

The HIPAA Privacy Rule is not intended to impede these customary & essential communications & practices &, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards.

Page 129: HIPAA Privacy

OCR Guidelines

The Privacy Rule permits certain incidental uses & disclosures of PHI when the covered entity uses reasonable safeguards and minimum necessary policies & procedures.

Page 130: HIPAA Privacy

Reasonable Safeguards

Speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;

Avoiding using patients’ names in public hallways & elevators

Page 131: HIPAA Privacy

Reasonable Safeguards

Posting signs to remind employees to protect patient confidentiality;

Supervising, isolating, or locking file cabinets or records rooms;

Providing additional security, such as passwords, on computers maintaining personal information.

Page 132: HIPAA Privacy

More Safeguards

Ask waiting customers to stand a few feet back from a counter used for patient counseling.

Use of cubicles, dividers, shields, curtains, or similar barriers where multiple patient-staff communications routinely occur

Page 133: HIPAA Privacy

Minimum Necessary Rule

Requires limiting access to PHI based on what is needed to perform job duties.

Unimpeded access to PHI, where not necessary for the job at hand, is not applying the minimum necessary standard.

Any incidental use or disclosure that results from not applying the Minimum Necessary Standard would be unlawful.

Page 134: HIPAA Privacy

Minimum Necessary Rule

The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes

Page 135: HIPAA Privacy

OCR Guidelines FAQs....... confidential conversations

Q: Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?

A: Yes, when using reasonable safeguards.

Page 136: HIPAA Privacy

OCR Guidelines FAQs....... confidential conversations

Free to engage in communications as required for quick, effective, & high quality health care.

Overheard communications in these settings may be unavoidable & are allowed as incidental disclosures.

Page 137: HIPAA Privacy

OCR Guidelines FAQs....... confidential conversations

When using reasonable safeguards:

Health care staff may orally coordinate services at hospital nursing stations.

Staff may discuss a patient’s condition over the phone with the patient, a provider, or a family member.

A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.

Page 138: HIPAA Privacy

OCR Guidelines FAQs....... confidential conversations

HIPAA Privacy does not require:

Private rooms.

Soundproofing of rooms.

Encryption of wireless or other emergency medical radio communications.

Encryption of telephone systems.

Page 139: HIPAA Privacy

OCR Guidelines FAQs....... Mailings & phone calls

Q: May physicians’ offices or pharmacists leave messages at patients’ homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?

Page 140: HIPAA Privacy

OCR Guidelines FAQs....... Mailings & phone calls

A: Yes.

Limit the PHI disclosed on the answering machine. Consider leaving only name & number & the PHI necessary to confirm an appointment, or ask the individual to call back.

You may leave a message with a family member or other person who answers the phone when the patient is not home.

Page 141: HIPAA Privacy

OCR Guidelines FAQs....... Confidential Conversation

Where a patient has requested confidential communication, you must accommodate that request, if reasonable. Examples:

Mailings in an envelope, not a postcard.

Mail sent to a P.O. box, not to the home.

Receiving calls at the office, not at home.

Page 142: HIPAA Privacy

OCR Guidelines FAQs....... Sign-in sheet

Q: May physicians’ offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?

A: Yes. But the sign-in sheet may not display medical information that is not necessary for the purpose of signing in.

Page 143: HIPAA Privacy

OCR Guidelines FAQs....... Charts on doors

Q: Are charts outside of exam rooms prohibited?

A: No. Using reasonable safeguards & the minimum necessary rule, covered entities must simply evaluate what measures make sense in their environment and tailor their practices & safeguards to their particular circumstances.

Page 144: HIPAA Privacy

OCR Guidelines FAQs....... Charts on doors

You may maintain patient charts outside of exam rooms, displaying patient names on the outside of patient charts…

Possible safeguards may include: supervising the area; placing patient charts facing the wall or otherwise covered.

Page 145: HIPAA Privacy

OCR Guidelines FAQs....... Announcing names

You may: announce patient names & other information over a facility’s public announcement system.

Possible safeguards may include: limiting the information disclosed over the system, such as referring the patients to a reception desk.

Page 146: HIPAA Privacy

OCR Guidelines FAQs....... Overheard conversation

A provider may be overheard, in the reception area, instructing staff to bill a patient for a particular procedure

A health plan employee discussing a patient’s health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.

Page 147: HIPAA Privacy

OCR Guidelines FAQs....... Office re-design

Q: Are covered entities required to restructure workflow systems, redesign office space & upgrade computer systems to comply with the HIPAA Privacy Rule?

A: The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses.

Use the reasonable safeguards and minimum necessary rule listed earlier.

Page 148: HIPAA Privacy

OCR Guidelines FAQs....... Configuring records

When considering record configuration, take into account your ability to configure your record systems to allow access to only certain fields, & the practicality of organizing systems to allow this capacity.

Page 149: HIPAA Privacy

OCR Guidelines FAQs....... Configuring records

It may not be reasonable for a small, solo practitioner using paper records to limit one employee to only some fields and give other employees complete access to the record.

In this case, appropriate training of employees may be sufficient.

Page 150: HIPAA Privacy

OCR Guidelines FAQs....... Configuring records

Alternatively, a hospital [or large clinic] with an electronic patient record system may reasonably implement such controls.
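The field-level controls this FAQ describes, driven by the “Access to PHI by Job Category” table from Policy 24A, as an added Python example; it is not the AOA manual’s table nor any record system’s code. It assumes the table has been reduced to a mapping from job category to the record sections that job may read; the job categories, section names and the sample record are constructed. Every access attempt is logged so that refused requests can be reviewed and unused permissions can be trimmed.

```python
"""Minimum-necessary access to a sectioned patient record by job category.

Added example, not from the AOA manual or the slides. Job categories,
section names and the sample record are constructed placeholders.
"""
from datetime import datetime, timezone

# Constructed sample record, divided into sections as the slides suggest.
SAMPLE_RECORD = {
    "patient_id": "PT-PLACEHOLDER-001",
    "demographics": {"name": "Example Patient", "dob": "1960-01-02", "phone": "555-0100"},
    "examination": {"visual_acuity": "20/40", "rx": "-1.50 DS OU", "notes": "routine"},
    "claims": {"payer": "Example Plan", "procedure_code": "XXXXX", "balance_due": 45.00},
}

# The job-category table reduced to "which sections may this job read".
ACCESS_BY_JOB = {
    "receptionist": {"demographics"},
    "billing_clerk": {"demographics", "claims"},
    "optometrist": {"demographics", "examination", "claims"},
}

ACCESS_LOG = []  # in-memory audit trail; a real system would persist it


class AccessDenied(Exception):
    pass


def denied_sections(job, sections):
    """Sections in the request that the job category is not allowed to read.
    An unknown job category is allowed nothing."""
    return sorted(set(sections) - ACCESS_BY_JOB.get(job, set()))


def view_record(record, job, sections, actor, log=ACCESS_LOG):
    """Return only the requested sections, and only if every one of them is
    permitted for the job; otherwise refuse the whole request. Every attempt,
    granted or refused, is logged for later review."""
    denied = denied_sections(job, sections)
    log.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "job": job,
        "patient_id": record["patient_id"],
        "requested": sorted(set(sections)),
        "denied": denied,
    })
    if denied:
        raise AccessDenied(f"{job} may not read {denied}")
    return {"patient_id": record["patient_id"], **{s: record[s] for s in sections}}


def denied_attempts(log=ACCESS_LOG):
    """Entries worth the privacy officer's review: requests that were refused."""
    return [e for e in log if e["denied"]]


def unused_permissions(job, log=ACCESS_LOG):
    """Sections a job may read but has never actually requested: candidates
    for tightening the table toward the minimum genuinely necessary."""
    used = set()
    for e in log:
        if e["job"] == job and not e["denied"]:
            used.update(e["requested"])
    return sorted(ACCESS_BY_JOB.get(job, set()) - used)
```

Refusing the whole request rather than silently returning the permitted subset is deliberate: a partial answer hides the fact that a job category asked for more than its table entry allows, which is exactly the event worth surfacing in review.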

Page 151: HIPAA Privacy

OCR Guidelines FAQs....... Business Associate

Examples of Business Associates:

A third party administrator that assists a health plan with claims processing.

A CPA firm whose services involve access to PHI.

An attorney whose services involve access to PHI.

A consultant that performs utilization reviews for a hospital.

Page 152: HIPAA Privacy

OCR Guidelines FAQs....... Business Associate

Examples of Business Associates:

A health care clearinghouse that translates a claim from non-standard to standard format & forwards it to a payer.

An independent medical transcriptionist that provides transcription services to a physician.

Page 153: HIPAA Privacy

OCR Guidelines FAQs....... BA Agreement NOT needed

A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.

A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.

Page 154: HIPAA Privacy

OCR Guidelines FAQs....... BA Agreement NOT needed

Not needed when a health care provider discloses PHI to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan’s network.

A provider that submits a claim to a health plan & a health plan that assesses & pays the claim are each acting on its own behalf as a covered entity, & not as the “business associate” of the other.

Page 155: HIPAA Privacy

OCR Guidelines FAQs....... BA Agreement NOT needed

With persons or organizations whose functions do not involve the use or disclosure of PHI (e.g., janitorial service, copier maintenance, electrician).

With a conduit for PHI, for example, the US Postal Service, certain private couriers, & their electronic equivalents.

When a financial institution processes consumer-conducted financial transactions

Page 156: HIPAA Privacy

OCR Guidelines FAQs....... Business Associate

Q: Is a software vendor a business associate of a covered entity?

A: Maybe. The mere selling or providing of software to a covered entity does not give rise to a business associate relationship.

If the vendor has access to PHI of the covered entity in order to provide its service, the vendor would be a business associate.

Page 157: HIPAA Privacy

OCR Guidelines FAQs....... No permission needed

Q: Can a patient have a friend or family member pick up a prescription for her?

A: Yes. A pharmacist may use professional judgment & experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person, other than the patient, to pick up a prescription.

Page 158: HIPAA Privacy

OCR Guidelines FAQs....... No permission needed

Q: Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?

A: Yes. A covered entity or its business associate (e.g., a collection agency) may disclose PHI as necessary to obtain payment for health care, & there is no limit to whom such a disclosure may be made.

Page 159: HIPAA Privacy

OCR Guidelines FAQs....... No permission needed

However, the Privacy Rule requires you to:

Place a reasonable limit on the amount of information disclosed,

Abide by any reasonable requests for confidential communications, and

Honor any agreed-to restrictions on the use or disclosure of PHI.

Page 160: HIPAA Privacy

OCR Guidelines FAQs....... No permission needed

Q: Does the HIPAA Privacy Rule prevent health plans & providers from using debt collection agencies?

A: The Privacy Rule permits use of debt collection agencies through a business associate arrangement.

Disclosures to collection agencies are governed by provisions such as the business associate & minimum necessary requirements.

Page 161: HIPAA Privacy

OCR Guidelines FAQs....... No permission needed

Q: Does the HIPAA Privacy Rule permit an eye doctor to confirm a contact prescription received by a mail-order contact company?

A: Yes. The disclosure of PHI by an eye doctor to a distributor of contact lenses for the purpose of confirming a contact lens prescription is a treatment disclosure, & is permitted under the Privacy Rule at 45 CFR 164.506.

Page 162: HIPAA Privacy

OCR Guidelines FAQs....... No permission needed

Q: Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient’s authorization?

Page 163: HIPAA Privacy

OCR Guidelines FAQs....... No permission needed

A: Yes. The HIPAA Privacy Rule permits disclosure of PHI without authorization to another health care provider for treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity.

Page 164: HIPAA Privacy

OCR Guidelines FAQs....... Marketing

Q: Can contractors (business associates) use PHI to market to individuals for their own business purposes?

Page 165: HIPAA Privacy

OCR Guidelines FAQs....... Marketing

A: No. While covered entities may share PHI with “business associates”, that PHI must be used to perform or assist in the performance of certain health care operations on behalf of covered entities.

Thus, business associates, with limited exceptions, cannot use PHI for their own purposes.

Page 166: HIPAA Privacy

OCR Guidelines FAQs....... Marketing

Alternative treatment: communications about alternative treatments are excluded from the definition of marketing & do not require a prior authorization.

Similarly, it is not marketing when a doctor or pharmacy is paid by a pharmaceutical company to recommend an alternative medication to patients.

Page 167: HIPAA Privacy

OCR Guidelines FAQs....... Marketing

The simple receipt of remuneration does not transform a treatment communication into a commercial promotion of a product or service.

Furthermore, covered entities may use a legitimate business associate to assist them in making such permissible communications.

Page 168: HIPAA Privacy

OCR Guidelines FAQs....... Public Health

Q: May providers disclose PHI concerning pre-employment physicals, drug tests, or fitness-for-duty examinations to an individual’s employer?

A: In very limited circumstances, providers may disclose PHI to the individual’s employer without authorization.

Page 169: HIPAA Privacy

OCR Guidelines FAQs....... Public Health

1st, the service must be provided at the employer’s request or as a member of the employer’s workforce.

2nd, the service must relate to medical surveillance of the workplace or to detect or assess work-related illness or injury.

Page 170: HIPAA Privacy

OCR Guidelines FAQs....... Public Health

3rd, the employer must have a duty under OSHA or similar law to keep records on, or act on, such information.

Page 171: HIPAA Privacy

OCR Guidelines FAQs....... Workers’ Comp

HIPAA Privacy does not apply to workers’ compensation insurers, administrative agencies, or employers.

These entities need access to the PHI of individuals with work-related injury or illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems.

Page 172: HIPAA Privacy

OCR Guidelines FAQs....... Workers’ Comp

The Privacy Rule permits disclosures of PHI for workers’ compensation purposes, sometimes requiring patient authorization, other times not.

Nebraska Law 48-120(4) [Manual pg 84] “Records relevant to the injury shall be made available on demand to employer, employee, carrier, and compensation court”

State law not pre-empted. Follow both.

Page 173: HIPAA Privacy

OCR Guidelines FAQs....... Workers’ Comp

HIPAA: Disclosures Without Individual Authorization.

To provide benefits for work-related injuries or illness without regard to fault. Limited to what the law requires.

For obtaining payment for any health care provided to the injured or ill worker.

Page 174: HIPAA Privacy

OCR Guidelines FAQs....... Workers’ Comp

HIPAA: Disclosures With Individual Authorization.

May disclose PHI when the individual has provided authorization for the release of PHI.

The Minimum Necessary Rule applies.

Page 175: HIPAA Privacy

OCR Guidelines FAQs....... Oral Communication

Q: Does the HIPAA Privacy Rule require that covered entities provide patients with access to oral information?

A: No. The term “designated record set” does not include oral information; rather, it connotes information that has been recorded in some manner.

Page 176: HIPAA Privacy

OCR Guidelines FAQs....... Oral Communication

Q: Does the HIPAA Privacy Rule require that covered entities document all oral communications?

A: No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations.

Page 177: HIPAA Privacy

HIPAA Privacy

History & Background

Brief Review of Notice of Privacy Practices

NOA (AOA) Manual Handout

OCR Guidelines

Office Physical Layout: suggested changes

Page 178: HIPAA Privacy

Physical Changes

HIPAA does not require that you make radical, expensive changes to your office.

The following are some reasonable alterations in office layout to assist in complying with HIPAA.

Page 179: HIPAA Privacy

Doors

Close doors when discussing PHI, e.g., history, pre-examination, examination.

Page 180: HIPAA Privacy

Always speak quietly

Hearing impaired? Speak slowly. Get closer.

Take special care when speaking in hallways and other common areas.

Page 181: HIPAA Privacy

Multi-patient areas (Check-in, Check-out, Dispensary)

Speak reasonably quietly.

Use “PLEASE WAIT HERE” signs if appropriate.

Provide “PLEASE WAIT HERE” chairs if appropriate.

Incidental disclosure is acceptable.

Page 182: HIPAA Privacy

Business Office Areas

Place HIPAA reminder signs at work stations

Place HIPAA reminder signs on computer monitors

Place HIPAA reminder signs on file cabinets

Page 183: HIPAA Privacy

Computer Monitors

Rotate the screen away from the public.

Put a plant next to the monitor.

Use a screen saver or “Minimize” the screen.

Place a HIPAA reminder sign on the monitor.

Remember, patients can see their own PHI!

Page 184: HIPAA Privacy

Patient Records

Keep records closed except when in use.

When practical, divide each record into sections, e.g., demographics, examination, claims.

Staff should use only that portion of the record needed for the task at hand.

Page 185: HIPAA Privacy

Patient Record Storage

Post HIPAA reminder signs in record storage areas

Reasonably monitor record storage areas

Reasonably monitor records in hallways

Page 186: HIPAA Privacy

HIPAA Privacy

History & Background

Brief Review of Notice of Privacy Practices

NOA (AOA) Manual Handout

OCR Guidelines

Office Physical Layout: suggested changes

Page 187: HIPAA Privacy

THE END

Thank You!