1

HIPAA PRIVACY: A PRACTICAL APPROACH

April 14, 2003 is the deadline for health care providers to develop formal privacy procedures and to notify patients of their privacy rights. The following presentation outlines an approach for the smaller practice to access reasonable compliance solutions.

2

HIPAA COMPLIANCE:

WHAT IT MEANS FOR YOUR OFFICE

PAUL A. GILMAN, ESQ.
ANDREW S. WILLIAMS, ESQ.

ARONBERG GOLDGEHN DAVIS & GARMISA
ONE IBM PLAZA, SUITE 3000
CHICAGO, ILLINOIS 60611

(312) 828-9600

3

WHAT IS HIPAA?

Health Insurance Portability and Accountability Act of 1996

Sets standards and requirements for maintenance and electronic transmission of patient health information

Covers 4 areas:
Privacy of information
Security of data
Transactions and code set standards for electronic transactions
Identifiers for providers, employers, and payers

4

TO WHOM DOES HIPAA APPLY?

Covered Entities:
Health Plans
Health care clearing houses
Health care providers who transmit any health information (including billing) in electronic form

Who is a health care provider?
A provider of medical or health services and any other person or organization who furnishes, bills or is paid for health care in the normal course of business.
Includes: physicians, dentists, chiropractors, podiatrists, etc.

Others dealing with covered entities, such as Business Associates, will be impacted by HIPAA

5

WHAT INFORMATION IS COVERED?

HIPAA Regulates “Protected Health Information” (“PHI”)

PHI is: information, oral or recorded, in any form or medium, that:
Is created or received by a provider, plan, etc.; and
Relates to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or past, present or future payment for the provision of health care

6

WHAT IS THE PRIVACY RULE?

A Covered Entity may only use or disclose PHI:

With notice to the individual and acknowledgement of how that information will be used (“Notice of Privacy Practices”) but only for treatment, payment or healthcare operations (“TPO”)

Without Notice of Privacy Practices under certain circumstances, such as per subpoena, to avert serious threat to health or safety

With a specific written authorization for disclosure for use permitted for other than TPO

Even with Notice of Privacy Practices, Covered Entity must make reasonable efforts to limit use or disclosure of PHI to the “minimum necessary” amount to accomplish the intended purpose of the use or disclosure of the PHI

7

WHAT IS THE SECURITY RULE?

Applies to physical, technical and administrative requirements to protect maintenance, availability and confidentiality of PHI
Closely intertwined with Privacy Rule
Requires appropriate technological measures and physical security safeguards to maintain the security of PHI
Final rules expected in October, 2002
Compliance mandated 26 months after publication of final rules

Will require Policies and Procedures and training for:
Password Maintenance
Access Controls
Physical Controls
Logging off computers
Screensavers
Locking doors and file cabinets
E-Mail Risks
Other

8

WHAT IS THE TRANSACTIONS AND CODE SET RULE?

Covers 8 EDI transactions between or within Covered Entities (or their Business Associates):
Claims
Remittances
COB
Eligibility
Referral Certification
Claim Status
Enrollment
Premiums

Providers conducting electronic transactions must conduct “standard transactions”:
Standard Codes
Minimum data sets

9

KEY COMPLIANCE DATES

RULE                        COMPLIANCE DATE
Transactions and Code Set   October 16, 2002 (October 16, 2003 if extension requested by October 15, 2002)
Identifiers                 Summer/Fall, 2004 (est.)
Privacy                     April 14, 2003
Security                    Summer/Fall 2004 (est.)

10

SANCTIONS: WHY DO WE CARE ABOUT HIPAA?

$100 per violation, up to $25,000 per year for each offense

Wrongful disclosure may result in fine of $50,000 or jail

Enforcement by Office of Civil Rights (OCR)

May be next hotbed of consumer litigation

11

OTHERS IMPACTED BY HIPAA: BUSINESS ASSOCIATES

Disclosure to Business Associates (“BA”) is generally permitted

A Business Associate is a person or organization that performs a function or activity on behalf of a Covered Entity and has access to PHI in the course of performing the function or activity, but is not part of the Covered Entity’s workforce

Examples of Business Associates:
Accountants
Accreditation Services
Non-owned Providers
On Call
Locum Tenens
Attorneys
Billing Service Companies
Coding Providers
Collection Agencies
Consultants
Copy Services
DME
Document Shredding Services
Laboratories
Lawyers
Management Services
Marketing Services
Medical Record Storage
Transcription Services
Vendors (software, hardware, etc.)

12

BUSINESS ASSOCIATE CONTRACTS

Required by HIPAA
Specify permitted uses and disclosures of PHI
Require Business Associates to report improper use and disclosure to Covered Entity
Authorize contract termination for material breach
Require subcontractor compliance
Allow patient access, amendment and disclosure accounting
Allow Department of Health and Human Services to access BA’s books and records
Return or destroy PHI, if feasible, and otherwise ensure no disclosure or improper use when contract ends

A written contract existing with a BA before 10/13/02 and not modified or concluded before 4/13/03 will be compliant until the earlier of:
Modification or conclusion before 4/14/04, or
4/14/04

13

KEY PRIVACY COMPLIANCE POINTS

Requires a cultural change
PRIVACY IS ABOUT CONSCIOUSNESS-RAISING: THINK PRIVACY BEFORE USE OR DISCLOSURE
If it’s not documented, it didn’t happen
HIPAA does not require a complete overhaul of business

14

STEPS TO COMPLIANCE

Appoint a Privacy Officer and Contact Person (can be the same person)
Required
Responsible for development and implementation of privacy-related programs, policies and procedures

Identify all categories of persons whose duties require access to PHI (by job functions)

Conduct “GAP Analysis”
Gather baseline information: hardware, software, networks, data location, access and flow, current policies and procedures
Identify and document GAPs in actual uses and disclosures of PHI against HIPAA’s requirements
Assess the GAP: what is needed to close the GAP

15

Identify Business Associates

Draft Business Associate Agreements

Communicate with and enter into agreements with Business Associates

Develop Required Forms, Policies and Procedures

Forms – Examples

Notice of Privacy Practices

Consents

Authorization

Request for Restriction on Use or Disclosure

Request to inspect and copy PHI

Request to amend or correct PHI

Request to receive an accounting of uses and disclosure

Accounting of uses and disclosure of PHI

Complaint forms

16

Policies
Notice of privacy practices
Minimum necessary use and disclosures
De-identification of health information

Other Policies:
Workforce training
Patient privacy compliance
Marketing
Release of information
Patient requests
Information access control
Disciplinary action
Media controls; Access levels
Disaster recovery plan
Facility security plan

Develop and implement privacy training program
For existing employees, training must occur by April 14, 2003
For new employees, within a reasonable period after hire

Monitor Compliance on an On-Going Basis

17

HIPAA TRAINING

Assess own culture for best learning opportunities. Key Questions:
Who gets trained on which aspects of HIPAA?
Does everyone get trained on all of HIPAA or just parts?
When do we begin?
How will we conduct on-going training?
What form will training take?
How do we track who got what training?

18

WHAT DO I TRAIN?

Privacy Rule requires that a Covered Entity train all members of its workforce on its policies and procedures with respect to PHI as necessary and appropriate to carry out their function with the Covered Entity

Training must be scaled to size of office and workforce
No “one size fits all” solution

All employees must understand requirements of the Privacy Rule:
Rights of individuals
Duties and responsibilities of BA
Impact of requirements on their day-to-day work
Policies and Procedures
Sanctions for Violations

Security Rule Training (train in conjunction with Privacy Training):
Password Management
Physical Access
Virus Protection
Backup and Disaster Recovery Procedure
Locking drawers, bins and files
Clean desk awareness
Faxes, printouts and reports
Visitor access to records area

19

PRIVACY TRAINING DEADLINES

Existing Employees – before 4/14/03 – Must develop Policies and Procedures before training can begin

New Hires – within a reasonable period of time after hire date

On-Going Training – as changes to law or policies and procedures affect job function

20

HOW DO I TRAIN?

Determine the best way to reach employees:
Classroom style
Audio conference
Web-based
Self-directed learning (manuals, videos, etc.)
Simple approach: distribute manual, including Policies and Procedures, distribute tips & FAQ’s, etc.

21

CONCLUSION

Don’t Panic

Resources are available:
Web Sites
Seminars
Guide Books (ADA, etc.)
Trade Associations

Remember: what is necessary for a large office may not apply to a smaller office