The HIPAA Privacy & Security
Brian Martin
Privacy Program Manager
Navy Medicine Support Command
(904) 542-7200 ext. 8139
Learning Objectives
• Know Future CONOPS for Office of Privacy Program Management
• Know the purpose for Privacy Act and HIPAA
• Know key provisions or features of each law
• Know training requirements
• Understand disclosures and accounting of disclosures
• Understand TMA and DoN incident reporting requirements
• Know basic MTF requirements for HIPAA Privacy and Security compliance
References
• Public Law 104-191
• Privacy Act of 1974 as Amended
• DoD 6025.18R Health Information Privacy
• DoD 8580.02R Health Information Security
• DoD 5400.11 Privacy Regulation
• DoN 5211.5E Privacy Regulation
• DoD 8500.2 Information Assurance Implementation
• TRICARE Management Activity – training materials
Command Organization (organization chart, flattened from the slide)
• Echelon 1: Chief of Naval Operations (CNO)
• Echelon 2: Bureau of Medicine and Surgery (BUMED)
• Echelon 3: Navy Medicine West (NMW), Navy Medicine East (NME), Navy Medicine Support Command (NMSC), Navy Medicine National Capital Area (NMNCA)
• Echelon 4: NMLC, NMCPHC, NMRC, NAVMED MPT&E, NMIMC
Navy Medicine Support Command, Office of Privacy Program Management
Concept of Operations:
• Create an Office of Program Management at NMSC and appoint a full-time Director to standardize and integrate HIPAA Privacy and Security execution throughout the enterprise.
• Execute all BUMED policies and procedures pertaining to the DoD Health Information Privacy and Security regulations.
• Ensure risk analyses are conducted that include an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI created, received, stored, or transmitted by the organization, as directed by and in coordination with NAVMISA.
• Provide technical support to Regional Commands and coordinate activities to improve compliance with privacy and security requirements.
HIPAA, Title I - V
• Title I: Health insurance portability and renewal; Certificate of Creditable Coverage
• Title II: Administrative Simplification, with compliance dates Privacy Apr 03, TCS (Transactions and Code Sets) Oct 03, Security Apr 05, Identifiers May 05
• Title III: Tax provision for medical savings account
• Title IV: Group health plan provision enforcement
• Title V: Revenue offset provisions
HIPAA Privacy Rule Key Provisions
• Apply to the protection of information whether it be in oral, written or electronic form
• Provisions:
– More consumer control = Individual patient rights
– Specifies “what” health information must be protected
– Boundaries on use and release
– Accountability and penalties
– Preserving strong state laws
– Balancing public responsibility with protections
Who is Covered under HIPAA Privacy Rule?
• Directly applies to:
– Health Plans (e.g. TRICARE)
– Healthcare Clearinghouses (e.g. process claims or perform electronic billing)
– Healthcare providers who transmit information in electronic form for specified financial & administrative transactions
• These groups/organizations are referred to as “Covered Entities” (CE)
What is Covered under HIPAA Privacy?
• Health Information in oral, paper, or electronic media that relates to:
– the past, present, or future physical or mental health condition of an individual,
– the provision of health care to an individual, or
– payment for health care
• Individually identifiable - includes demographics
• Held by a CE or its business associates
Features of Privacy Act and HIPAA
Privacy Act:
• Requires Fed agencies to comply
• Restricts disclosure
• Allows individual access to records about themselves
• Applies to contractors hired to operate a system of records
• Provides judicial remedies for PA violations
HIPAA:
• Requires “covered entities” to comply, not just Fed agencies
• Restricts use and disclosure with key exceptions
• Expands patient rights: Notice of privacy practices, access, inspect, copy, amend, accounting of disclosures, request restrictions, file complaints, alternate communications requests
• Applies to all members of the workforce
Pillars of Privacy - Key Areas
• Privacy Act:
– Consent
– Disclosures
– “Need to Know”
• HIPAA Privacy Rule:
– Notice of Privacy Practices
– Use and Disclosure
– Authorization
– Minimum Necessary
– Military Exemption
HIPAA Notice of Privacy Practices
Includes:
1. Use and Disclosure of PHI for TPO
2. Individual’s rights to access, control and request restrictions on use
3. Covered entity’s duties
4. Complaint procedures
5. Contact information
6. Effective date
Notice of Privacy Practices
• Obtain written acknowledgment of receipt of the Notice of Privacy Practices.
• “Good faith effort”
• Exception - Emergency situations: delay having to provide the Notice until reasonably practicable, and exempt providers from the good faith effort to obtain acknowledgment
Use & Disclosure - Privacy Act vs. HIPAA
Privacy Act:
• No record is disclosed without the consent of the individual to whom the record pertains
• Exceptions, e.g.: need to know, released under FOIA, routine use, criminal law enforcement activity
• Consent is not required for disclosures to DoD or DON personnel having a “need to know” in the performance of official duties
HIPAA:
• A CE can use & disclose PHI for its own TPO and that of another CE without authorization of the individual - no “consent” required
• For non-TPO uses, authorization is needed, but there are exceptions
• Must provide an accounting of disclosures for up to 6 years - only for non-TPO disclosures
Exceptions under Privacy Act & HIPAA
Privacy Act:
• Need to know
• Released under FOIA
• Routine use
• Criminal/law enforcement activity
• Health or safety
• Committee of Congress
• Bureau of Census
• Statistical research
• National Archives
• Comptroller General for GAO
• Order of court of competent jurisdiction
• Consumer reporting agency
HIPAA:
• Required by law
• Avert serious threat to health or safety
• Specialized govt. functions
• Judicial/administrative proceedings
• Cadaver, organ, eye or tissue donation purposes
• Law enforcement purposes
• Victims of abuse, neglect or domestic violence
• Inmates in correctional institutions/custody
• Worker’s compensation
• Research involving minimal risk
• Public health activities
• Health oversight activities
• About decedents
HIPAA Privacy Authorization
• Covered entities must obtain an individual’s authorization (signed written permission) before using or disclosing PHI for purposes other than treatment, payment or healthcare operations
• Cannot condition provision of treatment, payment, enrollment or eligibility upon an authorization
• Individuals have the right to use an authorization to request a restriction on the use of their PHI
HIPAA Privacy Authorization Examples
• Authorization required :
– For research
– To send marketing materials
• Authorization NOT required:
– To fill prescriptions
– For referrals to specialists
– To communicate treatment options
HIPAA Privacy: Minimum Necessary
• All Uses and Disclosures are subject to this standard
• Balancing act between protecting privacy against the “reasonable ability” to limit information that is disclosed and still deliver quality care
• Exceptions:
– Disclosure to or request by a provider for treatment
– Disclosure to the individual
– Under authorization - unless requested by the CE
– Required by a HIPAA standard transaction
– Required by law
– Required for law enforcement
HIPAA Privacy Military Exemptions
• Covered entities may disclose PHI of service members to Military Command Authorities if:
– For determination of member’s fitness for duty
– Necessary to assure proper execution of the military mission
Training Requirements - Privacy Act and HIPAA Privacy Rule
Privacy Act:
• Orientation
• Specialized training for specialized areas of job performance
• Management Training
• Provided shortly after assuming duties, matched to the level of involvement
HIPAA Privacy Rule:
• All members of the workforce must receive basic HIPAA privacy training
• Focused specialty training
• New employees
• When there is a material change in policy; annual training
Civil Remedies/Criminal Penalties under Privacy Act and HIPAA
Privacy Act:
• Civil: denial of amendment request; denial of access; failure to meet record keeping standards (against a naval activity)
• Criminal: wrongful disclosure, unauthorized records, wrongful request or obtaining of records
HIPAA:
• Civil: $100 for each violation for failure to comply with requirements of the law or privacy regulations
• Criminal: fines up to $50,000, imprisonment up to 1 year for wrongful disclosure by any person
• Requires the CE to apply sanctions against members of its workforce who fail to comply with privacy policies and procedures.
MTF HIPAA Compliance Requirements
• Must have and introduce written Notice of privacy practices
• Must designate privacy/security officer in writing
• Must develop consent and authorization process for uses and disclosures
• Must provide privacy training to all staff
• Must maintain documentation regarding compliance with the regulation
• Must establish safeguards to protect health information
• Must conduct privacy assessment and modify policies and procedures to be in compliance with the Privacy rule
• Must develop and apply sanctions for violations
QUESTIONS??
Disclosures
Training Objectives -
• Accounting of Disclosures of Protected Health Information (PHI)
• Review of Disclosures
• Uses & Disclosures – General Information
• Suspension of Individual Rights
• Reporting of Disclosures
• Responding to a Request for Disclosures
• PHI Management Tool (PHIMT)
• Rights of Individuals
What is the HIPAA Privacy Rule?
• The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ personal health information in any form: paper, electronic, oral
• It sets boundaries on the use and release of health information
• It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made
• It generally gives patients the right to gain access and obtain a copy of their own health records and request amendments and restrictions
§164.528 Accounting of Disclosures of Protected Health Information
• An individual has a right to receive an Accounting of Disclosures of Protected Health Information (PHI) made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures
– To carry out treatment, payment and health care operations
– For the facility’s directory or to persons involved in the individual’s care or other notification purposes
– For national security or intelligence purposes
– To correctional institutions or law enforcement officials
– That occurred prior to the compliance date of April 14, 2003
What is a Disclosure?
• A “disclosure" is generally defined as the sharing of health information with someone outside of the Military Health System
• Example: A disclosure of health information to a public health official to assist in tracking exposure of individuals to a contagious disease
• Example: Disclosures for family advocacy program offices and the Exceptional Family Member Program (EFMP)
Uses & Disclosures - General
Treatment:
• Provision of care
• Coordination or management of healthcare and related services
• Consultations between providers
• Referral of a patient from one provider to another
Payment:
• Obtaining premiums
• Reimbursement
• Eligibility and coverage determinations
• Billing and claims management
• Utilization review activities
Healthcare Operations:
• Quality assurance
• Health improvement
• Education and training
• Legal services
• Medical review
• Business planning and development
• Management and general administrative activities
HIPAA allows the use and disclosure of PHI for treatment, payment & healthcare operations (TPO) without the patient’s permission
Suspension of Individual Rights Communicated in Writing
• An oversight agency or law enforcement official has the authority to request a suspension of an individual’s right to receive an accounting of disclosures if
– Such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to undermine the agency's investigation activities
– The agency must specify the time period for which the requested suspension is required
– Example: A law enforcement investigation of criminal activity when the knowledge of the individual might alter the nature of the investigation
Suspension of Individual Rights Communicated Orally
• If the request for suspension is made orally by an authorized agency, the covered entity must
– Document the request, including the identity of the agency or official making the statement
– Temporarily suspend the individual’s right to an accounting of disclosures subject to the request
– Limit the temporary suspension to a period of no longer than 30 days from the date of the oral statement, unless a written request is submitted during that time
Reporting the Disclosure
• For each disclosure, the account must include:
– The date of the disclosure
– The name of the entity or person who received the PHI and, if known, the address of such entity or person
– A brief description of the PHI disclosed
– A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or, in lieu of such statement, a copy of a written request for a disclosure
Reporting Multiple Disclosures
• If the covered entity has made multiple disclosures of PHI during the period covered by the accounting to the same person or entity for a single purpose, the accounting may provide
– The information requested for the first disclosure during the accounting period
– The frequency, periodicity, or number of the disclosures made during the accounting period
– The date of the last such disclosure during the accounting period
– The PHIMT will separately track disclosures made for one record
Responsibility for Responding to a Request
• The covered entity must act on the individual’s request for an accounting, no later than 60 days after receipt of such a request
• If the covered entity is unable to provide the accounting within the 60-day timeframe, the covered entity may extend the time to provide the accounting by no more than 30 days and must
– Provide the individual with a written statement of the reasons for the delay, and
– The date by which the covered entity will provide the accounting
• The covered entity may have only one such extension on a request for an accounting
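The §164.528 rules spread over the preceding slides (which categories are excluded from an accounting, the six-year look-back that starts no earlier than the compliance date, the fields each entry must carry, collapsing repeated disclosures to one recipient for a single purpose, the 60-day response deadline with a single 30-day extension, and the 30-day limit on an oral law-enforcement suspension) are the logic a disclosure-tracking tool has to get right. The following Python is an added example written for this page; it is not the PHIMT or any Navy Medicine code, and the purpose codes, field names, function names and the sample log are all assumptions made for the illustration.

```python
"""Accounting-of-disclosures helper (added example, not from the slides or from
TRICARE's PHIMT). Purpose codes, field names and the sample log are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Privacy Rule compliance date named on the slides: earlier disclosures are never accounted.
COMPLIANCE_DATE = date(2003, 4, 14)

# Purpose codes (labels chosen for this example) for the categories excluded from an accounting.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "operations",        # TPO
    "facility_directory", "involved_in_care",    # facility directory / persons involved in care
    "national_security",                         # national security or intelligence purposes
    "correctional",                              # correctional institutions / law enforcement custody
})


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]  # recorded "if known"
    description: str                  # brief description of the PHI disclosed
    purpose: str                      # category code used for the exemption test
    purpose_statement: str            # basis for the disclosure, as told to the individual


def _years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:  # 29 February in a non-leap year
        return d.replace(year=d.year - years, day=28)


def is_accountable(d: Disclosure, requested_on: date, years: int = 6) -> bool:
    """Reported if inside the look-back window (six years, or the shorter period the
    individual asks for), on or after the compliance date, and not in an exempt category."""
    window_start = max(COMPLIANCE_DATE, _years_before(requested_on, years))
    return window_start <= d.disclosed_on <= requested_on and d.purpose not in EXEMPT_PURPOSES


def build_accounting(log, requested_on: date, years: int = 6) -> list:
    """One entry per (recipient, purpose). Repeated disclosures to the same recipient for a
    single purpose collapse into the first disclosure's details plus a count and last date."""
    entries = {}
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if not is_accountable(d, requested_on, years):
            continue
        key = (d.recipient, d.purpose)
        if key not in entries:
            entries[key] = {
                "date": d.disclosed_on, "recipient": d.recipient,
                "address": d.recipient_address, "description": d.description,
                "purpose": d.purpose_statement, "count": 1, "last_date": d.disclosed_on,
            }
        else:
            entries[key]["count"] += 1
            entries[key]["last_date"] = d.disclosed_on
    return list(entries.values())


def response_deadline(received_on: date, extensions: int = 0) -> date:
    """60 days from receipt of the request; at most one 30-day extension."""
    if extensions not in (0, 1):
        raise ValueError("only one 30-day extension is allowed per request")
    return received_on + timedelta(days=60 + 30 * extensions)


def suspension_end(stated_on: date, written: bool, requested_until: Optional[date] = None) -> date:
    """Suspension of the accounting right: a written request carries its own period;
    an oral one lapses 30 days after the statement unless a written request follows."""
    if written:
        if requested_until is None:
            raise ValueError("a written request must specify the suspension period")
        return requested_until
    return stated_on + timedelta(days=30)


# Constructed sample log (not real disclosures).
REQUEST_DATE = date(2008, 6, 1)
SAMPLE_LOG = [
    Disclosure(date(2002, 12, 1), "County Public Health Office", "1 Main St", "TB test result",
               "public_health", "Contagious disease exposure tracking"),   # pre-compliance: excluded
    Disclosure(date(2006, 3, 1), "County Public Health Office", "1 Main St", "TB test result",
               "public_health", "Contagious disease exposure tracking"),
    Disclosure(date(2006, 4, 1), "County Public Health Office", "1 Main St", "Follow-up chest X-ray",
               "public_health", "Contagious disease exposure tracking"),   # same recipient and purpose
    Disclosure(date(2006, 5, 2), "Dr. Consultant, Orthopedics", None, "Knee MRI",
               "treatment", "Specialist consultation"),                    # TPO: excluded
    Disclosure(date(2007, 1, 10), "Family Advocacy Program Office", None, "Visit summary",
               "family_advocacy", "Family advocacy case review"),
]


def demo_accounting(years: int = 6) -> list:
    """Accounting for the sample log as of REQUEST_DATE; `years` shortens the window."""
    return build_accounting(SAMPLE_LOG, REQUEST_DATE, years)


if __name__ == "__main__":
    for entry in demo_accounting():
        print(entry)
    print("respond by", response_deadline(REQUEST_DATE))
```

Run as a script it prints two entries for the sample log: the two public-health disclosures collapsed into one entry with a count of 2, and the family advocacy disclosure; the treatment consultation and the 2002 disclosure never appear. The exemption test keys on a purpose code rather than free text so that a mislabelled "treatment" entry cannot silently drop a reportable disclosure.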
Accounting of Disclosures – PHI Management Tool (PHIMT)
• TRICARE will use the PHIMT to process the Accounting of Disclosures
• In addition to the Accounting of Disclosures, the PHIMT is used to process complaints, requests for amendments, requests for restrictions on PHI, and suspensions of an individual’s right to an accounting of disclosures
• Overall, Navy Medicine has a low utilization rate
Rights of Individuals
Right to an Accounting of Disclosures
• An individual has a right to receive an Accounting of Disclosures of PHI made by a covered entity in the six years (or a shorter time period at the request of the individual) prior to the date on which the accounting is requested
– Including disclosures to or by business associates of the covered entity
– Only applies to disclosures made after April 14, 2003
Rights of Individuals
Amendments
• Individuals have the right to request that a Covered Entity (CE) amend PHI
• Amending PHI usually does not involve actually removing information, but adding an amendment with the accurate data if appropriate
• A CE may deny an individual’s request for an amendment if it determines that the PHI
– was not created by the CE
– is not part of the designated record set
– is not available for inspection within the CE
– is accurate and complete
Rights of Individuals
Right to Restrictions
• Individuals have the right to request that certain uses related to TPO and disclosures of PHI be restricted
• Exception to Right to Restrictions - Individuals do not have a right to request that a covered entity restrict a disclosure of PHI about them for
– workers’ compensation purposes or
– when that disclosure is required by law
Summary of Disclosure Tracking
• The following subjects have been reviewed
– HIPAA Privacy Rule
– Accounting of Disclosures of PHI
– What a Disclosure is
– Uses & Disclosures – General Information
– Suspension of Individual Rights
– Reporting of Disclosures
– Responding to a Request for Disclosures
– Charge for an Accounting of Disclosures
– TRICARE’S Disclosure Tracking Tool - PHI Management Tool (PHIMT)
– Rights of Individuals
Resources
• DoD 6025.18-R, “DoD Health Information Privacy Regulation”, January 2003
• DoD 8580.02-R, “DoD Health Information Security Regulation”
• www.tricare.osd.mil/hipaa – TMA Privacy website
• [email protected] for subject matter questions
• [email protected] for tool related questions
• Service HIPAA Privacy Representatives
HIPAA Security
This document contains proprietary information and should be handled in accordance with U.S. Navy Regulations. It is intended solely for official purposes only.
Agenda
• HIPAA Security Background
• Key Concepts and Terms
• Security Rule Organization
• Specifics
• Impact
• Compliance
Training Objectives
– Describe the organization and context of the HIPAA Security Rule
– Understand HIPAA security standards and implementation specifications
– Identify tools and other resources that support HIPAA security implementation
HIPAA Implementation Life Cycle
HIPAA Security Background
HIPAA Security Background: Where Does This Fit In?
HIPAA: Health Insurance Portability and Accountability Act of 1996
• Title I: Health Care Access, Portability, and Renewability
• Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
– Administrative Simplification covers: Unique Identifiers for Providers and Employers; Electronic Data Exchange; Code sets for Health Care Plans; Privacy; Security
– Security comprises Administrative Safeguards, Physical Safeguards and Technical Safeguards
• Title III: Tax-Related Health Provision
• Title IV: Group Health Plan Requirements
• Title V: Revenue Offsets
Source: National Institute of Standards and Technology (NIST)
HIPAA Security Background: Purpose of the HIPAA Security Rule
• To adopt national standards for safeguards to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI)
HIPAA Security Background: Privacy vs Security
• Law: HIPAA 1996 (both)
• Applies to: covered entities (both)
• Compliance date: Privacy April 14, 2003; Security April 21, 2005
• Information covered: Privacy PHI; Security EPHI
• Focus: Privacy uses and disclosures; Security safeguards
• Properties protected: Privacy confidentiality; Security confidentiality, integrity, and availability
• Enforcement: Privacy OCR; Security CMS
HIPAA Security Background Summary
• You should now be able to:
– Describe the purpose and applicability of the HIPAA Security Rule
– Identify how HIPAA Security fits into the HIPAA law
– Explain the differences between HIPAA Privacy and HIPAA Security
Key Concepts and Terms
The Universe of Health Information (nested diagram: HI ⊃ IIHI ⊃ PHI ⊃ E-PHI)
• HI: health information
• IIHI: individually identifiable health information
• PHI: protected health information
• EPHI: electronic protected health information
• Items placed on the diagram: Education Records, John Doe, Paper Files, CDs, Biomed Devices
QUESTIONS??