HIPAA Health Insurance Portability & Accountability Act of 1996.


Page 1: HIPAA Health Insurance Portability & Accountability Act of 1996.

HIPAA: Health Insurance Portability & Accountability Act of 1996

Page 2: HIPAA Health Insurance Portability & Accountability Act of 1996.

HIPAA Administration Simplification

Multi-phased law

Enacted to reduce health care administrative costs through standardization of electronic health care transactions

Need to protect security and privacy

Page 3: HIPAA Health Insurance Portability & Accountability Act of 1996.

Basic Principles of HIPAA Privacy Rules

It gives individuals more control over their health information.

It sets boundaries on the use and release of health information.

It establishes safeguards that covered entities must achieve to protect the privacy of health information.

It holds violators accountable, by imposing civil and criminal penalties if they violate an individual’s privacy rights.

Page 4: HIPAA Health Insurance Portability & Accountability Act of 1996.

Who Has to Comply with HIPAA?

Each Covered Entity (CE) must comply

Covered entity means:

1. A health plan

2. A health care clearinghouse

3. A health care provider that transmits any health information in electronic form in connection with a standard transaction.

Page 5: HIPAA Health Insurance Portability & Accountability Act of 1996.

What is PHI?

Any information, oral or recorded in any form or medium, that:

– Is created or received by a health plan, health care provider, or health care clearinghouse; and

– Relates to the past, present or future physical or mental health or condition of an individual, or the provision of or payment for health care for an individual; and

– Is individually identifiable (as defined)

Page 6: HIPAA Health Insurance Portability & Accountability Act of 1996.

Identifiers:

Any of the following numbers:

Social Security numbers

Medical record numbers

Account & health plan beneficiary numbers

Certificate/license numbers

Vehicle ID or plate numbers

URLs or IP addresses

Device identifiers

Biometric identifiers

Full face or comparable images

Names

Geographic units

Dates (month/day relating to any individual, including birth, treatment)

Ages over 89

Phone, fax numbers

Email addresses

Any other unique identifiers

Page 7: HIPAA Health Insurance Portability & Accountability Act of 1996.

Use and Disclosure of PHI

General Rule: A covered entity may not use or disclose PHI, except as required or permitted by the regulations.

Permitted Uses and Disclosures (TPO):

Treatment

Payment

Health care Operations

Page 8: HIPAA Health Insurance Portability & Accountability Act of 1996.

Business Associate Agreement

By law, the HIPAA privacy rule applies only to covered entities. However, most CEs do not conduct all business activities and functions alone.

What is a Business Associate? A person who, on behalf of a covered entity, uses/accesses/re-discloses PHI either:

– To perform or assist in the performance of a function

– To provide services to a covered entity

Must involve the use of individually identifiable health information

An employee of the employer sponsoring the plan is not a business associate.

Page 9: HIPAA Health Insurance Portability & Accountability Act of 1996.

Health Care Operations: Business Associates provide services involving disclosure

Legal

Accounting

Data aggregation

Administration

Consultants

Actuarial

Accreditation

Management

Financial Services

Third Party Administrators

Contractors, vendors of covered entities

Employers and other plan sponsors

Any person relying on any covered entity as source of health information

Page 10: HIPAA Health Insurance Portability & Accountability Act of 1996.

Business Associates

Business Associates may perform functions for covered entities with “satisfactory assurance” of appropriate safeguards for PHI.

The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

Page 11: HIPAA Health Insurance Portability & Accountability Act of 1996.

Business Associate Contracts: Required Elements (45 CFR 164.504(e))

Describe the permitted and required uses of PHI.

Provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and

Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI other than provided for by the contract.

Page 12: HIPAA Health Insurance Portability & Accountability Act of 1996.

Forms of Patient Permission to Use or Disclose PHI

There are three possible forms of “permission” needed to use or disclose PHI:

1. For TPO or for “public purposes” (such as cooperating with enforcement agencies, public health agencies or courts).

2. Verbal Agreement – For disclosure to people involved in the health care of the patient, or for facility directory listings.

3. Authorization – For all other circumstances.

Page 13: HIPAA Health Insurance Portability & Accountability Act of 1996.

Authorizations

Authorizations are required by the Privacy Rule (45 CFR 164.508(a)).

CEs are required to obtain an authorization for use and disclosure of PHI.

CEs may use only authorizations that meet the requirements of 45 CFR 164.508(b).

Any such use or disclosure will be lawful only to the extent it is consistent with the terms of such authorization.

Page 14: HIPAA Health Insurance Portability & Accountability Act of 1996.

Penalties for Non-Compliance

$100 fine per day for each unmet standard (up to $25,000 per person, per year, per standard).

$50,000 fine PLUS one year in prison for knowingly disclosing health information for improper use or to unauthorized entities.

$100,000 fine PLUS five years in prison for obtaining health information under false pretenses.

$250,000 fine PLUS ten years in prison for using health information to sell, transfer, or use for commercial advantage, personal gain or malicious harm.

Page 15: HIPAA Health Insurance Portability & Accountability Act of 1996.

Remember…

PHI should be seen only by those who are authorized to see it.

PHI should be heard by only those who are authorized to hear it.

PHI should be transmitted to or shared with only those who are authorized to receive it.