Post on 29-Dec-2015

How to HIPAA
Health Insurance Portability & Accountability Act of 1996
Presented by: Jeniece Poole,
U of A Privacy Officer
HIPAA Privacy & Research
Understanding YOUR responsibilities
Why Was HIPAA Created?
To establish minimum federal standards for safeguarding the privacy of individually identifiable health information
The History of HIPAA
Regulation has 3 areas of focus:
• Portability of, and access to, health benefits
• Preventing fraud and abuse
• Administrative simplification
Teaching Hospital Physicians' Fraud
OIG sanctions teaching hospital physicians' fraud: A four-year investigation into billing practices in the University of Washington Medical System ended with the University's physician practice plans agreeing to pay $35 million in restitution, damages and penalties to the state and federal governments for overbilling Medicare and Medicaid. This FCA settlement is the largest ever paid by a practice group related to a teaching hospital for failing to comply with Federal billing regulations. As a result of the investigation, two University physicians were convicted of criminal charges in connection with the fraud, and a former University neurosurgeon pleaded guilty to obstruction of a Federal criminal health care investigation. In addition, a University-affiliated nephrologist pleaded guilty to health care billing fraud and admitted engaging in fraudulent conduct spanning approximately 11 years, during which the defendant wrote notes in patients' dialysis records indicating that he was present when he was not.
Clinical Laboratory Fraud
The owner of a medical testing laboratory extradited from the Philippines pleaded guilty to defrauding the Medicare program by submitting bills for blood testing that was never performed. The owner admitted the lab submitted fraudulent bills to the Medicare and Medicaid programs for tests for RBC Protoporphyrin (a test that detects iron deficiency and lead poisoning), Thin Layer Chromatography (a test used to detect drug metabolites), and several more specialty blood tests. The laboratory did not have the ability to perform these tests. In the course of seventeen months, the lab submitted approximately $2.2 million in fraudulent bills. Medicare paid approximately $1.3 million of those claims.
HIPAA aka Administrative Simplification Rule includes:
• EDI (Electronic Data Interchange)
• Privacy
• Security
• Unique Identifiers
PURPOSE OF ADMINISTRATIVE SIMPLIFICATION
Protect the privacy and security of health information
Define standards for electronic submissions
Improve efficiency and effectiveness of the healthcare system
PURPOSE
Compliance with the rule involves implementation by a covered entity of policies and procedures to ensure the confidential use and disclosure of protected health information by all staff
PURPOSE
Protect the confidentiality and security of health information as it is used, disclosed and electronically transmitted
Create a framework, using standardized formats for transmitting electronic health information more efficiently
What Happened before HIPAA
Various State Laws Applied
No consistent rules
Most states had privacy regulations
Few states had financial resources to enforce strict compliance with regulations
Arizona law for privacy and medical record safekeeping is over 150 years old
Regulatory Agencies
Health and Human Services (HHS)
Office of Civil Rights (OCR)
Office for Human Research Protections (OHRP)
Agency for Healthcare Research and Quality (AHRQ)
Centers for Disease Control and Prevention (CDC)
National Institutes of Health (NIH)
Food and Drug Administration (FDA)
THE PRIVACY RULE
Assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote quality health care and to protect the public’s health and well being
Rule attempts to balance the important uses of information with the protection of the privacy of people who seek care and treatment
Privacy (effective 04/14/03)
Requires Covered Entities to safeguard patient health care information. Covered Entities are defined as:
• Health Care Providers
• Health Care Plans
• Health Care Clearinghouses
EDI (effective 10/16/03)
Electronic transmission of healthcare data transferred or received
• Most commonly used for claims processing and payment
• Reduction in paper transactions
• Reduces risk of lost paper documents
Security Regulations (effective 04/21/05)
Electronic data integrity and confidentiality
Access only to authorized individuals
Availability of information
Security and Privacy Rule Distinctions
Inextricably linked: protection of the privacy of the information depends on the security measures that protect the information
The Security Rule applies to information in electronic form
The Privacy Rule applies to information in any form
Who Must Comply with HIPAA?
• Health Plans
• Health Care Clearinghouses
• Health Care Providers that transmit information electronically in connection with a HIPAA "standard transaction"
Researchers are not covered entities unless they:
• are covered health care providers, or
• are employed by covered entities
What is patient health care information?
Individually Identifiable Health Information (IIHI) / Protected Health Information (PHI): relates to the past, present or future physical or mental health condition of an individual
Personal Identifiers
This information can be in various forms and must be protected:
• Electronic
• Paper
• Oral
What are Personal Identifiers?
1. Names
2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial five digits of a zip code to 000
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Biometric identifiers, including finger or voice prints
16. Full face photographic images and any comparable images
17. Internet protocol (IP) address numbers
18. Any other unique identifying number, characteristic or code
What is Research?
Research is defined as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge”
Distinguish from quality assurance
Distinguish from public health activities
Impact of HIPAA on Research
Confusion!!
Potential reduction in health care providers willing to share PHI for research
Places an additional burden on IRBs
Research and HIPAA
This rule applies to health care providers, including researchers when they provide health care (e.g., in a clinical trial)
Even if researchers do not provide health care, they must abide by the rule
The definition of "protected health information" includes information relevant to the provision of health care as well as information generated in the context of clinical research. Although some research information may not have proven clinical validity, the Privacy Rule considers it identifiable
Research and HIPAA
The regulation covers information, not tissue, except to the extent any identifiable medical information is attached to the tissue sample
Genetic information is not provided a higher standard of privacy coverage under this federal regulation
The regulation covers individually identifiable information in any form, including written, electronic or oral.
HIPAA vs. the Common Rule
Focus
Common Rule: safety and welfare of human subjects
HIPAA: privacy of the health information of subjects
Research Privacy Regulations
Common Rule:
• Federally funded or regulated research
• Protects rights and welfare
• Human subject (living) subject to research
• Board reviews all research protocols
• Annual and continuing reviews
• Informed consent to participate in research
HIPAA:
• All research where a CE uses or discloses PHI
• Protects privacy and welfare
• Individual (living or deceased) subject information
• Establishes Privacy Board; IRB may act as Privacy Board
• Board reviews authorizations for waivers
• No continuing review requirement
• Authorization & consent to use PHI
IDI AND OTHER REGULATIONS
HIPAA: PHI is individually identifiable information that is transmitted or maintained in any form or medium by a CE or its business associate, excluding school or employment records
FDA Title 21 CFR 50 & 56: Do not define Individually Identifiable Health Information
HHS Human Subjects Protection, Title 45 CFR part 46: Private information must be individually identifiable in order for obtaining the information to constitute research involving human subjects. Individually identifiable means the identity of the subject may be ascertained by the investigator or associated with the information
Use of PHI
Types of PHI:
• De-identified Data
• Limited Data Set
• Identified
HOW CAN INFORMATION BE USED OR SHARED?
De-Identify PHI: remove the listed identifiers, determine statistically that there is a very small risk that the information could be used to identify the individual, or code the identifiers
Tissue and blood are not PHI unless correlated with identifiers
How Can Information Be Used Or Shared?
Limited Data Set or partially de-identified: may use data related to the individual, address (except street level) and other identifiers not listed
Must have a "data use agreement" in place
Obtain subject authorization
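The following Python is an added example, not material from the presentation or from the University of Arizona. It applies the personal-identifier list above to a constructed patient record in the two ways this slide and the preceding one describe: full Safe Harbor de-identification (all 18 identifier classes removed, dates reduced to the year, ages over 89 aggregated) and a Limited Data Set (the 16 direct identifiers removed, but dates, ages, city/state and the full ZIP code kept). The ZIP prefix rule it implements, keep the first three digits unless the area they cover has 20,000 or fewer people and otherwise write 000, and the 90+ age category come from 45 CFR 164.514(b); the low-population prefix set, the field names, the regular expressions and the sample record are all constructed for the demo.

```python
"""Toy HIPAA de-identifier: Safe Harbor and Limited Data Set (added example)."""
import re
from datetime import date

# The 16 direct identifiers that leave the record in BOTH modes
# (field names are constructed for this demo).
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}
# Safe Harbor also drops geographic units smaller than a state (ZIP is
# handled separately) and reduces dates to the year.
SAFE_HARBOR_ONLY = {"city", "county"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Constructed sample: 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. A real list must be derived from Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Identifiers that hide in narrative text (illustrative patterns). Dates
# are stripped only for Safe Harbor; a Limited Data Set may keep them.
DIRECT_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]
DATE_TEXT_PATTERN = re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")


def safe_harbor_zip(zip_code):
    """Keep the 3-digit prefix unless its area is low-population, then 000."""
    prefix = zip_code[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def safe_harbor_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else age


def scrub_text(text, strip_dates):
    """Redact identifier-shaped substrings from free text."""
    for pattern, tag in DIRECT_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    if strip_dates:
        text = DATE_TEXT_PATTERN.sub("[DATE]", text)
    return text


def deidentify(record, mode="safe_harbor"):
    """Return a copy of record with identifiers removed per the chosen mode."""
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode: {mode}")
    safe_harbor = mode == "safe_harbor"
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # dropped in both modes
        if field == "notes":
            out[field] = scrub_text(value, strip_dates=safe_harbor)
        elif not safe_harbor:
            out[field] = value            # LDS keeps dates, ages, city/state/ZIP
        elif field in SAFE_HARBOR_ONLY:
            continue
        elif field == "zip":
            out[field] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            out[field] = value.year       # the year alone is permitted
        elif field == "age":
            out[field] = safe_harbor_age(value)
        else:
            out[field] = value            # clinical data, state, etc.
    return out


# Constructed record; not a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Example Ave",
    "city": "Tucson",
    "county": "Pima",
    "state": "AZ",
    "zip": "85721",
    "dob": date(1931, 3, 14),
    "age": 92,
    "admit_date": date(2023, 6, 2),
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "email": "jane.sample@example.org",
    "diagnosis": "Type 2 diabetes",
    "notes": "Called 520-555-0100 on 6/2/2023 re: jane.sample@example.org",
}

if __name__ == "__main__":
    print("Safe Harbor:", deidentify(SAMPLE_RECORD, "safe_harbor"))
    print("Limited Data Set:", deidentify(SAMPLE_RECORD, "limited_data_set"))
```

Two points the code makes that the slides only imply: the narrative "notes" field is where identifiers most often survive a field-by-field pass, so structured deletion has to be paired with a scan of free text (the regular expressions here are illustrative, not a substitute for review); and a Limited Data Set is still PHI, which is why the slide pairs it with a data use agreement rather than treating it like de-identified data.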
How Can Information Be Used Or Shared?
HIPAA requires numerous elements (refer to checklist)
HIPAA authorization requires IRB approval
IRB or Privacy Board may waive the need for an authorization if PHI is used solely to prepare for research and will not be removed from the premises
Waiver of Authorization
Minimum risk to PRIVACY:
• Plan to protect identifiers
• Plan to destroy identifiers ASAP
• Written assurance not to reuse/redisclose
• Research cannot be done without waiver
• Research cannot be done without PHI
• PHI is the minimum necessary
• Disclosures are tracked
HIPAA and Research
Under HIPAA, individual authorization is required to use or disclose PHI for research
HIPAA specifies required elements or statements, which are far more detailed than the information traditionally provided in the Common Rule consent
USE AND DISCLOSURE OF PHI
USE = Sharing of PHI within an entity or component
DISCLOSURE = Sharing of PHI outside an entity or component
Under HIPAA, patients have the right to request a complete listing of ALL disclosures of PHI for 6 years
Use and Disclosure of PHI
HIPAA applies to USE & DISCLOSURE of certain health information that:
• Identifies the individual
• Relates to the individual's past, present or future health, health care treatment, or health care payment
• Is maintained or disclosed electronically, on paper or orally
HIPAA’s Individual Rights
Primary purpose of HIPAA is to assure that individuals:
Are informed as to the uses or disclosures of PHI (Notice of Privacy Practices)
Give appropriate permission for use or disclosure
Benefit from safeguards in place to protect privacy
What if I don’t want to share my health information?
Each Notice of Privacy Practices contains information on who will be able to view your PHI, how it is shared and how it is maintained
It is assumed that you agree with the provisions of the NOPP
If you do not want to share your information, you may exercise the opt-out option
Protecting My PHI
• Opt-outs must be in writing
• Opt-outs must be dated
• An address will be provided in the NOPP
• You may specify the provisions you do not want to have
• You may revoke your opt-out at any time
HIPAA Authorization Form for Research
• Specific description of PHI to be used or disclosed in the research
• Name of persons or class of persons authorized to make disclosure
• Name of persons or class of persons to whom disclosure will be made
• Description of specific research protocol or study
• Expiration date or event, or statement that the authorization has no expiration
HIPAA Authorization Form for Research
• Statement of participant's right to revoke the authorization in writing and a description of how the person may revoke authorization
• Statement that a participant may not revoke the authorization as to PHI already disclosed in research, or description of other exceptions where participant may not revoke the authorization
• Statement that the organization disclosing the PHI may not condition treatment, payment, enrollment or eligibility
HIPAA Authorization Form for Research
• Statement that PHI disclosed for research may be subject to redisclosure by the recipient and no longer protected by the rule
• Must have participant's signature and date
• If authorization is executed by a personal representative of the participant, a description of the person's authority to act for the participant
HIPAA Security
Security Standards effective 4/21/05
Adopts standards for the security of electronic protected health information (ePHI)
18 standards supported by specifications
Security Standards
FDA's latest guidance and HHS's HIPAA Security focus on:
• Risk assessment
• Documentation
• Supporting training
• Role-based access
Prevent Inadvertent Disclosure
• Computer display screens should not be visible to passers-by
• Paper documentation should never be left unattended. Always lock paper records in a desk or file drawer.
• Do not send personal identifiers in an e-mail or attachment without appropriate security (e.g., encryption/password protection of the attached file)
• Curtail hallway/elevator discussions
• Shred documents containing PHI; turn folders inward or turn them upside down
• Fax procedures (e.g., cover sheet, secure location, verification of number)
Disposal
• Documentation should only be destroyed when the information is no longer needed and when it is not required to be maintained by law or as public record
• Paper records: shredding/recycling in appropriate containers (not the office receptacle)
• Digital records: overwriting
• Deleting files is NOT sufficient
• Some storage systems may require physical destruction
Protect your data
• Password protect your computer and screensaver
• Password protect your storage devices and removable media
• Use appropriate passwords
• Keep anti-virus software current
• NEVER share passwords
• Never leave the computer when you are logged on
• Manually initiate the screensaver when not sitting at your desk
• Lock your office door when you leave
• Don't leave written passwords where others can find them
Violations of Privacy
• HIPAA specifies the penalties for misuse of personal identifiers
• PERSONAL as well as INSTITUTIONAL liability
• If you are not following University policies/procedures, you will be personally liable
• Civil Penalties: $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated
Violations of Privacy
• Criminal Penalties: Up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to 5 yrs in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
University Policy: Be Informed
http://arizona.edu
http://vpr2.admin.arizona.edu/HIPAA/HIPAA.htm
Other websites:
http://www.hhs.gov/ocr/hipaa
http://security.arizona.edu
http://www.irb.arizona.edu
Recommended Confidentiality & Nondisclosure Language (page 2)
Add to Fax Cover Page:
This cover page and any documents accompanying this facsimile transmission contain confidential information belonging to the sender that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party and is required to destroy the information after its stated need has been fulfilled, unless otherwise required by law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this facsimile in error, please notify the sender immediately to arrange for destruction or return of these documents.
Recommended Confidentiality & Nondisclosure Language
Add to email signature:
Confidentiality/Nondisclosure Notice: This e-mail transmission (and any attachments) is confidential. It may also be privileged or otherwise protected by law. If you have received it by mistake, please let the sender know by e-mail reply or you may call the sender at Name of Entity in Tucson, Arizona at 520/-------- and delete it from your system. You may not copy this message or disclose its contents to anyone.