HIPAA Training Workshop #1 Council of Community Clinics – San Diego February 7, 2003 by Kaye L. Rankin Rankin Healthcare Consultants, Inc.


Page 1

HIPAA Training Workshop #1

Council of Community Clinics – San Diego

February 7, 2003

by

Kaye L. Rankin

Rankin Healthcare Consultants, Inc.

Page 2

Today’s Topics

Minimum Necessary – A real challenge!

Authorizations or How to make something really complicated!

Access to Protected Health Information – The Defense Industry is going to have nothing on us!

Page 3

Minimum Necessary

A Covered Entity must make a reasonable effort to use, disclose or request only the minimum amount of information necessary for its purpose.

Policies and procedures identifying persons or classes of persons needing access to PHI and the conditions that would apply

Policies and procedures limiting identified persons or classes of persons to needed access

Page 4

Minimum Necessary

Defined routine and non-routine disclosures

Disclosures made on a routine basis must have policies and procedures limiting disclosure to minimum necessary (with an exception for treatment).

Non-routine disclosures – must have policies and procedures for determining and limiting information to the minimum necessary (case-by-case basis)

Business Associates – policies and procedures describing routine disclosures

Page 5

Minimum Necessary

Disclosure of the entire medical record not permitted unless specifically justified in a policy

Page 6

Who Needs What and Why?

How are you going to identify users requiring access?

How do you identify what they need access to?

What are the conditions under which they need access?

How do you inform the gatekeepers about who should have access and who should not have access?

Page 7

Some Options

Option #1: Minimum Necessary Matrix

– Pros

• Basis for Access Authorization Log for Security Regulation

• Easy for gatekeepers to determine if request is appropriate

• Can be used for electronic systems as well as paper

– Cons

• Will probably require an employee survey or review of job descriptions

• Will require maintenance

Handout: Minimum Necessary Matrix

Page 8

Some Options

Option #2: Staff training and procedures requiring employees to verify access for any questionable requests

– Pros

• Less work to implement

• Modification of job descriptions is logical

– Cons

• Someone must be given the responsibility of fielding calls and responding quickly

• Changes to job descriptions to document access/level

• More difficult to audit.

Page 9

First, minimum necessary does not apply to:

– Providers for treatment purposes

– To the individual

– Pursuant to an Authorization

– To the Secretary of DHHS

– To comply with the transaction standards

How do we identify routine disclosures?

Handouts: Minimum Necessary Policy

Identifying Routine Uses and Disclosures

Page 10

Some Options

Option #1: Survey by job title

– Pros

• You find out if job descriptions really reflect what employees are doing.

• This should help in determining the conditions under which an employee will require access.

– Cons

• This is time-consuming to do

Page 11

Some Options

Option #2: Departments/Programs management documents what should be routine.

– Pros

• Easier because not as many people involved

• Easier to document this limited set of routine disclosures

– Cons

• You may miss something and then it will need to be handled on a case-by-case basis until policies are changed.

Page 12

Non-Routine Uses and Disclosures

Managing non-routine uses, disclosures and requests (remember that word reasonable)

– How do we establish a consistent process for determining the reasonableness of a request?

– How do we document due diligence?

Page 13

What’s Reasonable?

Criteria for reasonableness

– Is the request specific with a clear purpose?

– Could the disclosure potentially harm the patient?

– Is the disclosure necessary to provide quality care or obtain reimbursement?

– Could the disclosure impact the organization legally?

– How many people would be provided access to the information?

– How much information is being requested?

– Could de-identified data meet the needs of the requestor?

– Technology available to limit use/disclosure

– The cost of limiting the use or disclosure

Handout: Evaluating Non-Routine Uses and Disclosures

Page 14

Time for a BREAK!

Page 15

Authorizations

Definitions

– Informed Consent = consent to receive treatment (retention 7 years)

– Consent = written permission to use or disclose PHI, with the exception of psychotherapy notes, to carry out treatment, payment or health care operations – general consent (retention 6 years)

– Authorization = allows the use and disclosure of PHI for purposes other than treatment, payment or health care operations – must be specific and is required to use or disclose psychotherapy notes (retention 6 years)

Page 16

Authorizations

Required elements

– Everything that California Requires Plus

• Statement – May Not Condition Treatment on Authorization (some exceptions)

• Statement “Right to revoke”

• Termination date

• Potential for further disclosure – California prohibits

New conditions

– Must provide copy

– May not combine with other authorizations (again some exceptions)

Page 17

Now What?

Actions

– Identify forms that meet the definition of a HIPAA Authorization (look at consents and authorizations)

– Evaluate it against the Authorization Checklist

– Make necessary changes

– To Printer

Handout: Authorization Checklist

Page 18

Authorizations just became complicated.

Procedures

– Procedures to receive a revocation

– To notify interested parties within the organization of a revocation

– To notify business associates of a revocation

– To retain all documentation related to an authorization for 6 years.

Page 19

Access to Protected Health Information

Verification of Identity and Authority or Do I know you?

– Must verify the identity of a person requesting protected health information and the authority of such person to have access to protected health information, if the identity or any such authority of such person is not known to the covered entity; and

– Obtain any documentation, statements or representations (oral or written) from the person requesting the protected health information when such documentation is a condition of disclosure

Page 20

Verification of Identity and Authority

Who are we talking about here?

– Health oversight auditors

– Public health authorities

– Law enforcement

– Personal representatives

– Next of kin

– Others

Page 21

Verification Procedures

Require completion of a request form.

– Identity

• Check driver’s licenses, badges, or other official documentary proof of who they are.

• If the request is in writing, is it on government letterhead?

– Authority

• Documented on government letterhead

• Court order or other legal document

• Legal documentation of personal representation

• Proof of executorships or beneficiary

Obtain copies – retain 6 years

Handout: Example Request for Access

Page 22

Accounting of Disclosures

An individual has the right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.

Note: The disclosure may be oral, written, printed, electronic, etc. but still must be recorded.

Page 23

Accounting of Disclosures

What doesn’t have to be recorded:

– Disclosures for treatment, payment or health care operations

– To the individual

– Incidental disclosures

– Pursuant to authorization

– National security or intelligence purposes

– Correctional institutions or custodial situations

– If part of a limited data set

Handout: Accounting of Disclosures

Page 24

What will we have to do?

Keep a disclosure history on each patient

• Date of disclosure

• Name of Organization or individual who received the information

• Description of information disclosed

• Reason for disclosure

• Copy of an individual’s authorization

Be able to provide a copy when requested.

All documentation related to the request must be retained for 6 years (including information provided)

Page 25

The Clock is Ticking!