HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.


HIPAA

Michigan Cancer Registrars Association 2005 Annual Educational Conference

Sandy Routhier


HIPAA History

• Health Insurance Portability and Accountability Act of 1996 “Administrative Simplification!”

• Federal Law – Published in Federal Register

• Department of Health and Human Services (HHS) issued the regulation: Standards for Privacy of Individually Identifiable Health Information

• The Office for Civil Rights (OCR) is the department responsible for implementing and enforcing the privacy regulation


HIPAA Privacy Regulations

• Compliance Date: April 14, 2003

• Primary Resource: http://www.hhs.gov/ocr/hipaa

• Final Regulation (12/28/00, 8/14/02): http://www.hhs.gov/ocr/hipaa/finalreg.html

• Summary of Regulation: http://www.hhs.gov/ocr/privacysummary.pdf

• State of Michigan’s Medical Record Access Act

– House Bill 4706 signed by Governor Granholm on April 1, 2004, effective immediately

– www.michiganlegislature.org (search for bill 4706)


Official Privacy Website

http://www.hhs.gov/ocr/hipaa/


Other HIPAA Initiatives

SECURITY REGULATIONS:

• Compliance Date: April 21, 2005

• Final Regulation (2/13/03): http://www.hipaadvisory.com/regs/Regs_in_PDF/finaltrans.pdf

• Fearsome Four: Audits, Activity Review, Risk Planning & Disaster Recovery

TRANSACTION & CODE SET STANDARDS:

• Final Rule published: 8/17/00, Final Modifications: 2/20/03

• Compliance Date: October 16, 2003 (July 2004)

• Final Regulation: http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0003ofr2-10.pdf


More HIPAA To Come

NATIONAL PROVIDER IDENTIFIERS (NPI):

• Final Rule published: 1/23/04 (See CMS website)

• Can begin application process 5/23/05

• Compliance Date: 5/23/07

NATIONAL EMPLOYER IDENTIFIERS:

• Final Rule published: 5/31/02

• Compliance Date: 7/30/04

NATIONAL HEALTH PLAN IDENTIFIERS

NATIONAL PATIENT IDENTIFIERS


Link to all HIPAA Regulations:

http://www.cms.hhs.gov/hipaa/hipaa2/regulations/default.asp


PRIVACY REGULATIONS

Purpose

– To protect and enhance the rights of patients by providing them with access to their health information and controlling the inappropriate use of that information

– To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for privacy protection


PATIENT PRIVACY

• With or without HIPAA, protecting privacy of health information is important to consumers

• Consumers are concerned about unauthorized disclosures of personal health information

• Rightly or wrongly, consumers are distrustful of providers, plans and employers in regard to their personal health information


PRIVACY BASICS

• Covered Entities

– Health care providers, Health Plans & Clearinghouses

• Business Associates

• Privacy Officer

• Notice of Privacy Practice (Privacy Notice)

• PHI = Protected Health Information

– Oral - Written - Electronic

• Minimum Necessary

• Incidental Uses & Disclosures


Privacy Basics

• TPO = Treatment, Payment, Healthcare Operations

• Accounting for Disclosures

• Directory – Hospital/Clergy

• Reasonable Safeguards

– Role-based Access

• Request for Amendments

• Request for Restrictions

• Complaint Process


Penalties

• Civil penalties of $100 per violation, up to $25,000 per standard violated per year

• Criminal penalties up to $250,000 and 10 years imprisonment


Security Basics

• Administrative Procedures

– Policies & Procedures

• Physical Safeguards

– Theft - Snooping

– Vandalism - Environment

– Disaster Recovery

• Technical Security

– Authorizing

– Accounting for Access

– Encryption


Cancer Registry Impact

• Access to PHI

• Reporting data

• Patient follow up

• Accounting for disclosures

• Business Associate Agreements
