1
HIPAA PRIVACY: A PRACTICAL APPROACH
April 14, 2003 is the deadline for health care providers to develop formal privacy procedures and to notify patients of their privacy rights. The following presentation outlines an approach by which a smaller practice can reach reasonable compliance solutions.
2
HIPAA COMPLIANCE:
WHAT IT MEANS FOR YOUR OFFICE
PAUL A. GILMAN, ESQ.
ANDREW S. WILLIAMS, ESQ.
ARONBERG GOLDGEHN DAVIS & GARMISA
ONE IBM PLAZA, SUITE 3000
CHICAGO, ILLINOIS 60611
(312) 828-9600
3
WHAT IS HIPAA?
Health Insurance Portability and Accountability Act of 1996
Sets standards and requirements for maintenance and electronic transmission of patient health information
Covers 4 areas:
  Privacy of information
  Security of data
  Transactions and code set standards for electronic transactions
  Identifiers for providers, employers, and payers
4
TO WHOM DOES HIPAA APPLY?
Covered Entities:
  Health Plans
  Health care clearinghouses
  Health care providers who transmit any health information (including billing) in electronic form
Who is a health care provider?
  A provider of medical or health services, and any other person or organization who furnishes, bills or is paid for health care in the normal course of business.
  Includes: physicians, dentists, chiropractors, podiatrists, etc.
Others dealing with Covered Entities, such as Business Associates, will be impacted by HIPAA
5
WHAT INFORMATION IS COVERED?
HIPAA regulates “Protected Health Information” (“PHI”)
PHI is information, oral or recorded, in any form or medium, that:
  Is created or received by a provider, plan, etc.; and
  Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or past, present or future payment for the provision of health care
6
WHAT IS THE PRIVACY RULE?
A Covered Entity may only use or disclose PHI:
  With notice to the individual and acknowledgement of how that information will be used (“Notice of Privacy Practices”), but only for treatment, payment or health care operations (“TPO”)
  Without a Notice of Privacy Practices under certain circumstances, such as pursuant to a subpoena, or to avert a serious threat to health or safety
  With a specific written authorization for any disclosure or use other than TPO
Even with a Notice of Privacy Practices, the Covered Entity must make reasonable efforts to limit the use or disclosure of PHI to the “minimum necessary” amount to accomplish the intended purpose of the use or disclosure
7
WHAT IS THE SECURITY RULE?
Applies physical, technical and administrative requirements to protect the maintenance, availability and confidentiality of PHI
Closely intertwined with the Privacy Rule
Requires appropriate technological measures and physical security safeguards to maintain the security of PHI
Final rules expected in October, 2002
Compliance mandated 26 months after publication of the final rules
Will require Policies and Procedures and training for:
  Password Maintenance
  Access Controls
  Physical Controls
  Logging off computers
  Screensavers
  Locking doors and file cabinets
  E-Mail Risks
  Other
8
WHAT IS THE TRANSACTIONS AND CODE SET RULE?
Covers 8 EDI transactions between or within Covered Entities (or their Business Associates):
  Claims
  Remittances
  COB
  Eligibility
  Referral Certification
  Claim Status
  Enrollment
  Premiums
Providers conducting electronic transactions must conduct “standard transactions”:
  Standard Codes
  Minimum data sets
9
KEY COMPLIANCE DATES
RULE                        COMPLIANCE DATE
Transactions and Code Set   October 16, 2002 (October 16, 2003 if extension requested by October 15, 2002)
Identifiers                 Summer/Fall 2004 (est.)
Privacy                     April 14, 2003
Security                    Summer/Fall 2004 (est.)
10
SANCTIONS: WHY DO WE CARE ABOUT HIPAA?
$100 per violation, up to $25,000 per year for each offense
Wrongful disclosure may result in a fine of $50,000 or jail
Enforcement by the Office of Civil Rights (OCR)
May be the next hotbed of consumer litigation
11
OTHERS IMPACTED BY HIPAA:BUSINESS ASSOCIATES
Disclosure to Business Associates (“BA”) is generally permitted
A Business Associate is a person or organization that performs a function or activity on behalf of a Covered Entity and has access to PHI in the course of performing the function or activity, but is not part of the Covered Entity’s workforce
Examples of Business Associates:
  Accountants
  Accreditation Services
  Non-owned Providers
    On Call
    Locum Tenens
  Attorneys
  Billing Service Companies
  Coding Providers
  Collection Agencies
  Consultants
  Copy Services
  DME
  Document Shredding Services
  Laboratories
  Lawyers
  Management Services
  Marketing Services
  Medical Record Storage
  Transcription Services
  Vendors (software, hardware, etc.)
12
BUSINESS ASSOCIATE CONTRACTS
Required by HIPAA
Specify permitted uses and disclosures of PHI
Require Business Associates to report improper use and disclosure to the Covered Entity
Authorize contract termination for material breach
Require subcontractor compliance
Allow patient access, amendment and disclosure accounting
Allow the Department of Health and Human Services to access the BA’s books and records
Return or destroy PHI, if feasible, and otherwise ensure no disclosure or improper use when the contract ends
Transition rule: a written contract existing with a BA before 10/13/02 and not modified or concluded before 4/13/03 will be compliant until the earlier of:
  Modification or conclusion of the contract before 4/14/04, or
  4/14/04
13
KEY PRIVACY COMPLIANCE POINTS
Requires a cultural change
PRIVACY IS ABOUT CONSCIOUSNESS-RAISING: THINK PRIVACY BEFORE USE OR DISCLOSURE
If it’s not documented, it didn’t happen
HIPAA does not require a complete overhaul of the business
14
STEPS TO COMPLIANCE
Appoint a Privacy Officer and Contact Person (can be the same person)
  Required
  Responsible for development and implementation of privacy-related programs, policies and procedures
Identify all categories of persons whose duties require access to PHI (by job function)
Conduct a “GAP Analysis”
  Gather baseline information: hardware, software, networks, data location, access and flow, current policies and procedures
  Identify and document GAPs between actual uses and disclosures of PHI and HIPAA’s requirements
  Assess the GAP – what is needed to close the GAP
15
Identify Business Associates
Draft Business Associate Agreements
Communicate with and enter into agreements with Business Associates
Develop Required Forms, Policies and Procedures
Forms – Examples
Notice of Privacy Practices
Consents
Authorization
Request for Restriction on Use or Disclosure
Request to inspect and copy PHI
Request to amend or correct PHI
Request to receive an accounting of uses and disclosure
Accounting of uses and disclosure of PHI
Complaint forms
16
Policies – Examples
  Notice of privacy practices
  Minimum necessary use and disclosures
  De-identification of health information
Other Policies
  Workforce training
  Patient privacy compliance
  Marketing
  Release of information
  Patient requests
  Information access control
  Disciplinary action
  Media controls
  Access levels
  Disaster recovery plan
  Facility security plan
Develop and implement a privacy training program
  For existing employees, training must occur by April 14, 2003
  For new employees, within a reasonable period after hire
Monitor compliance on an on-going basis
17
HIPAA TRAINING
Assess your own culture for the best learning opportunities. Key questions:
  Who gets trained on which aspects of HIPAA? Does everyone get trained on all of HIPAA or just parts?
  When do we begin?
  How will we conduct on-going training?
  What form will training take?
  How do we track who got what training?
18
WHAT DO I TRAIN?
The Privacy Rule requires that a Covered Entity train all members of its workforce on its policies and procedures with respect to PHI, as necessary and appropriate to carry out their function with the Covered Entity
Training must be scaled to the size of the office and workforce – no “one size fits all” solution
All employees must understand the requirements of the Privacy Rule:
  Rights of individuals
  Duties and responsibilities of BA
  Impact of requirements on their day-to-day work
  Policies and Procedures
  Sanctions for Violations
Security Rule Training – train in conjunction with Privacy Training:
  Password Management
  Physical Access
  Virus Protection
  Backup and Disaster Recovery Procedure
  Locking drawers, bins and files
  Clean desk awareness
  Faxes, printouts and reports
  Visitor access to records area
19
PRIVACY TRAINING DEADLINES
Existing Employees – before 4/14/03 – Must develop Policies and Procedures before training can begin
New Hires – within a reasonable period of time after hire date
On-Going Training – as changes to law or policies and procedures affect job function
20
HOW DO I TRAIN?
Determine the best way to reach employees:
  Classroom style
  Audio conference
  Web-based
  Self-directed learning – manuals, videos, etc.
  Simple approach – distribute a manual, including Policies and Procedures, and distribute tips & FAQs, etc.