© Economedix, LLC 2000 – Present
Welcome To The Digital Learning Center
Presented by …
Your Partner In Building High Performance Practices
Today’s Presentation
Annual Review of the HIPAA Privacy & Security Rules
Course Faculty
R. Thomas (Tom) Loughrey, MBA, CCS-P
• Chairman, CEO & Co-Founder of Economedix
• Certified Coding Specialist
• BS Degree from Pennsylvania State University
• Earned an MBA in Health & Hospital Administration from the University of Florida
• Former Hospital Administrator
• Former Owner of a Medical Billing Company
• Consultant to Physician Practices & Medical Societies
• Member of Various Professional Organizations Dealing with Medical Practice Management
• Developed and Presented Thousands of Seminars & Workshops Dealing with Practice Management
Introduction
• Background of HIPAA
• Overview and Scope of Coverage Under HIPAA
• PHI: Its Use and Disclosure
• General Rules
• Patient Rights
• Practical Examples
• Purpose of Security
• Security Requirements
• Management and Implementation
• Policies and Procedures
HIPAA Privacy Rules
Overview of Privacy Rules
Health Insurance Portability & Accountability Act (HIPAA)
• Sets standards for privacy of individually identifiable health information
• Allows information to be used and shared for the purposes of treatment, payment and health care operations (TPO)
• Requires notification or authorization for use and disclosure
• Creates processes to let patients know how information is to be used, ensures patients have access to their information and an ability to correct inaccuracies.
• Requires health plans and providers to maintain administrative and physical safeguards on information
Scope of HIPAA
• Covers all providers of any size from University Medical Centers to solo physicians
• Health Plans
• Health care clearing houses
• Business agents of the above who have a legitimate need to have information (consultants, employees, billing agencies)
Your practice is covered! And you have to help make it work!
Protected Health Information (PHI)
• All information relating to the diagnosis and treatment of a patient that is individually identifiable
• Originally, this was only to apply to electronic data. In the final rule it has been applied to all information
• HIPAA protects the information itself for privacy; it does not make patients anonymous!
HIPAA General Rules
• Providers and others are prohibited from using or disclosing PHI except when authorized by the patient or for treatment, payment or health care operations (TPO)
• TPO: this is the normal, everyday business of conducting the office and seeing patients, referring them for tests and other care and getting paid for the work you do.
• It means staff can look at the chart, you can send needed information to other providers and you can provide a payer with information on the services and Dx
HIPAA General Rules
• Every patient must be notified of their privacy rights, the practice’s privacy policies and how PHI will be used. Patients must acknowledge this notification in writing.
• This means the practice must have privacy policies that describe the patient’s rights
• Patients must have an opportunity to see your policies and they must acknowledge in writing they have received this notification
HIPAA General Rules
• The amount of information to be used or disclosed should be the minimum that accomplishes the purpose.
• Minimum Necessary Standard – you must make reasonable efforts to limit the PHI to the minimum necessary to meet the purpose or request.
• Disclosures to or requests from other providers for treatment are an exception to this rule.
• Disclosures to or requests from the person for their own PHI are an exception to the rule
• Practices must identify the staff who need access to the PHI
HIPAA General Rules
• Business associates may have access to protected information under a contract with the provider. The agent then has the same responsibilities as the provider
• If you have a billing service that needs to see PHI as part of their billing they are an agent
• If you engage a consultant to review charts or engage in other practice work such as audits or QI/QA, they are an associate and are covered under the rules.
• Collection agencies are business associates
HIPAA General Rules
• Uses and disclosures are permitted – not required except by law.
• Only two disclosures are required:
  • Disclosure to the patient on request
  • Disclosures required by law (subpoenas, federal payments, etc)
• Information will be protected for two years following the death of the patient
When Is Personal Information Protected?
• Does the information identify the patient or can it be used to identify the patient?
• Does the information relate to the past, present or future health, treatment or payment for provision of services?
• Was the information created by a health care provider, health plan, employer, life insurer, public health agency, school or health care clearinghouse?
When Can PHI be Used or Disclosed?
• When the disclosure is to the patient
• For treatment, payment or health care operations involving the patient
• Incident to a use that is permitted
• When the practice receives a valid authorization
• When the practice has obtained the patient’s oral agreement
• When the law specifically does not require authorization
Permissible Uses & Disclosures
• Quality Assurance Activities
• Public health & emergencies affecting life or safety
• Research
• Judicial hearings
• Law enforcement
• Information to next-of-kin
• Identification of a body or cause of death
• Government Health Data Systems
• Facilities Data Systems
• Financial entities for processing claims
• Where mandated by law
Individual Rights
• The right to receive written notice of the information practices of providers and health plans
• The notice must describe the types of uses and disclosures the provider would make with the information
• The right to access protected information
• The right to request amendment of records
• The right to receive an accounting of when protected information has been disclosed
Key Privacy Policies
Authorization and consents
• After the fact authorizations and consents in emergencies
• Facilities who obtain these documents cover the providers in those facilities as well for services rendered at the facility
• Once the patient is seen in the practice for the first time a consent and authorization should be obtained
Key Privacy Policies
Uses and Disclosures Involving Family and Friends
• Does not require an authorization, but is not required unless directly requested by the patient
• May also use PHI to notify a family member or responsible person of the patient’s location or condition
• The patient must be given an opportunity to agree or object (and not object), or the practice may reasonably infer that the patient has no objection, such as when the patient is accompanied by a friend or family member
Key Privacy Policies
Dealing With Minors (or Personal Representatives)
• The parent/guardian or personal representative may provide all consents and notifications on the patient’s behalf
• Two exceptions:
  • If there is a reasonable belief that the patient may be subjected to abuse by the requestor
  • If, under state law, the minor is emancipated or the treatment concerns matters over which the state permits the minor to obtain health care without parental consent
Key Privacy Policies
Verification of Identity
• Employees must verify the identity and authority of persons making requests for PHI
• Policies should describe minimal forms of proper identification (which may include subpoenas)
• Information should be provided in a secure and confidential manner
• If you have a good faith belief that releasing the PHI will avert harm to the patient or the public you may release the information.
Key Privacy Policies
Business Associates
• Tip: Make a list of all entities you believe are business associates and request a new HIPAA compliant contract
• The practice is not liable for the privacy violations of its business associates but it must exercise appropriate safeguards and have mechanisms to act if it becomes aware of such violations
• Model contract language is available from CMS
Practical Examples
• The patient is a minor and the patient’s mother wants to pick up a prescription for the patient.
• A pharmacy calls wanting authorization to re-fill a prescription.
• The patient is being referred to another practice and a copy of the most recent notes and lab findings is requested by the practice. Later they ask for the full chart.
• The patient is elderly and the patient’s adult daughter contacts the practice to get more information on her mother’s condition, treatment and plans.
• A father of a newborn wants medical records of the child but those records contain information on the mother as well.
• A patient indicates in a conversation with the doctor that she heard another patient, who is a friend, is going to have some tests ordered and wonders if she is going to be okay.
• The practice has a sign-in sheet listing the names of all patients seen that day at the front desk. Anyone signing in can see it.
• Lists of patients, including the reason they are being seen, are posted around the office as the daily schedule.
HIPAA FAQs
• There is a great deal of authoritative information available from the Office for Civil Rights
  http://www.hhs.gov/ocr/hipaa/
  http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
• HIPAA Myths, facts and updates
  http://www.cdt.org/issue/health-privacy
Security Rule Update
Overview of HIPAA Security Rule
• The Final Rule was published in February 2003
• The Rule took effect on April 21, 2005
• Less a series of checklists and more a description of standards
• Applies only to electronic Protected Health Information (ePHI)
Overview of HIPAA Security Rule
• The Rule recognizes that cost of security is an issue and should be a factor in security decisions
• It is clear “that adequate security measures be implemented… cost is not meant to free covered entities from this responsibility.”
• General approach is now risk management based rather than mandatory controls
Integration With The Privacy Rule
• Language is consistent between rules
• Supplements and defines the “mini-security rule” within the Privacy Rule
• Most definitions between the rules are now the same (PHI, covered entity, Business Associate, etc)
• Privacy rule still controls security of non-electronic PHI
Structural Elements of the Rule
• Some standards are sufficiently self-contained that their implementation is explicit or implicit in the standard itself
• Standards are grouped under three categories:
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
Thinking About Security
Covered Entities (that means your practice) must meet four security requirements:
• Ensure the confidentiality, integrity and availability of all ePHI that is created, received, maintained or transmitted
• Protect against any reasonably anticipated threat or hazard to the security or integrity of the ePHI
• Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted
• Ensure compliance by every member of the workforce
Thinking About Security
• In meeting these rules the practice may factor in: cost, size, complexity, technical infrastructure, other capabilities and the likelihood and seriousness of potential security risks
• The practice may use any security measures that allow it to reasonably and appropriately implement the standards
• Required standards with no Implementation Specifications must be implemented as the standard requires
Thinking About Security
• If the standard has a required Implementation Specification it must be met as required
• If the standard has an addressable Implementation Specification it must be met if reasonable and appropriate
• If it is not, then the rationale for not meeting the specification must be documented and the alternative methodology for meeting the standard must be explained
Risk Analysis & Risk Management
• The preamble to the rule states the administrative, physical and technical safeguards the practice employs must be reasonable and appropriate to meet the standards
• There is a two-step process for determining this:
  • Step 1 is to assess the security risk the practice faces
  • Step 2 is to implement appropriate countermeasures proportionate to the risk
• The practice must then manage the countermeasures to keep up with new or increased risks
Risk Analysis & Risk Management
• The Security Rule does not advocate any type of technology. The Rule only looks at analyzing risks and then meeting the risk with an appropriate countermeasure.
• For example, any computer may be compromised by a “virus” or “worm” that can either destroy data or cause it to be sent to those who are not authorized to see the data. An appropriate countermeasure would include obtaining anti-virus software, keeping it up to date and providing training to users in how to avoid suspicious programs and e-mail attachments
Examples of PHI Not Covered
• Paper to paper faxes are not covered
  • Faxes to or from a computer are covered
• Voice telephone transmissions are not covered
  • Data transmitted over telephone lines is covered
Security Management Processes
• Practices must be able to track intrusions into the system and react quickly (incident response)
• These security processes may require new and more technology than smaller practices possess now
• Training is a security process that all practices must meet. Training should focus on threats and countermeasures
• There are no “safe-harbors” under the Rule
Business Associate Agreements
• Any entity to whom you provide ePHI that is not covered by the rule must have a contract with you obligating them to protect the information.
• Requirements:
  • Implement administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of ePHI
  • Ensure its agents and subcontractors do the same
  • Report to the practice any security incident it becomes aware of.
Business Associate Agreements
• The agreement under this rule adopts all the rules applying to business associates under the Privacy Rule
• No agreement is required if it relates to the treatment or payment for services to the patient
• You are not liable for violations of Business Associates unless you know of a pattern or activity that is a violation and do nothing about it
Implementation Plan
• Establish policies and procedures designed to identify risks and ensure effective countermeasures
• Ensure compliance
• Training for everyone in the administrative, technical and physical safeguards of ePHI
• Policies and Procedures must be documented
Implementation Plan
Avoid Liability and Bad Publicity
• Liability results when the practice either has no policy or, worse, does not enforce its policies
• Even if the security breach does not involve a lawsuit it could result in bad publicity in the community and among the patients of the practice
Implementation Plan
Steps for Developing Security Policies & Procedures
• Assemble your team (a doctor, the manager, front office and back office)
• Review the requirements with the team
• You may want to refer to published standards for information security (National Institute of Standards & Technology – 800 Series)
• Begin Risk Analysis
Risk Analysis
• What is to be protected: hardware, servers, workstations, computers, software, data and databases, and your own users
• Potential threats: accidents, natural disasters, loss of electrical power, theft, maliciousness, carelessness, etc
Requirements of any P&P
• Clear and concise: clearly state responsibilities of everyone, what needs to be protected and how it is to be done
• Understandable: written to the level of understanding of the intended user (techies vs. staff)
• Doable: must be realistic in terms of the staff size, cost and technical requirements
Policies and Procedures
Start with a statement from the doctors and management
• Acknowledge the importance of security
• Indicate support for security throughout the practice
• Commit to development, implementation and enforcement of policies
• Define the intent of the security program and how it relates to the business objectives of the practice.
Policies and Procedures
Develop Policies
• General organizational policies
  • Set overall vision of the program; a general framework
• Functional policies
  • Focused on specific topics, applications or functions.
  • Generally deal with single topics
Policies and Procedures
• Detailed Procedures: this is how standards and guidelines are put into action
• Plans: may incorporate procedures such as in a “Disaster Recovery Plan”
• Personnel Responsibilities: policies should identify the personnel to carry out the policy and the functions to be performed
Policies and Procedures
Steps to Implementation of Procedures
• Must be flexible and strike a balance between too much detail and not enough direction and guidance
Examples of Security Procedures
• Back up the server each night. Store offsite on CD dated and identified to the server
• Back up all PHI on PC hard drives weekly to CD dated and identified to the PC
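The backup procedure above, as an added example that is not part of the Economedix slides: a script that produces an archive named for the server and the date, refuses to overwrite a copy already taken, and writes a SHA-256 manifest so the offsite copy can be checked before anyone relies on it. The directory names and the host label are constructed, and a local directory stands in for the offsite medium.

```python
"""Dated, host-labelled backup archive with an integrity manifest.

Added example, not code from the Economedix slides. Directory names and
the host label are constructed; a local directory stands in for the
offsite medium.
"""
from __future__ import annotations
import datetime
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (archives can exceed memory)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir: Path, dest_dir: Path, host: str,
                when: datetime.date | None = None) -> tuple[Path, Path]:
    """Archive src_dir as <host>-<date>.tar.gz beside a .sha256 manifest.

    Never overwrites: a second run on the same day fails loudly rather than
    silently replacing the copy that was already taken offsite."""
    when = when or datetime.date.today()
    stem = f"{host}-{when.isoformat()}"
    archive = dest_dir / f"{stem}.tar.gz"
    manifest = dest_dir / f"{stem}.sha256"
    if archive.exists() or manifest.exists():
        raise FileExistsError(f"backup {stem} already exists in {dest_dir}")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=stem)
    # Same two-space format as `sha256sum`, so `sha256sum -c` verifies it too.
    manifest.write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> bool:
    """Recompute the digest and compare it with the manifest entry."""
    expected, _, name = manifest.read_text().strip().partition("  ")
    return name == archive.name and sha256_of(archive) == expected


def demo() -> dict:
    """Run the procedure on constructed data and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "practice_data"
        src.mkdir()
        (src / "schedule.txt").write_text("constructed sample data\n")
        offsite = Path(tmp) / "offsite"
        offsite.mkdir()
        day = datetime.date(2009, 3, 2)
        archive, manifest = make_backup(src, offsite, "server01", day)
        ok_before = verify_backup(archive, manifest)
        # Simulate media damage: flip the last byte and re-verify.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(bytes(data))
        ok_after = verify_backup(archive, manifest)
        try:
            make_backup(src, offsite, "server01", day)
            duplicate_refused = False
        except FileExistsError:
            duplicate_refused = True
        return {"archive": archive.name, "verified": ok_before,
                "verified_after_tamper": ok_after,
                "duplicate_refused": duplicate_refused}


if __name__ == "__main__":
    print(demo())
```

The manifest travels with the archive, so it catches media damage and a mislabelled disc, not deliberate substitution by whoever holds the disc; for that, keep a second copy of the manifest in the practice and compare against it when the offsite copy is restored.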
Successful Implementation of a Security Plan
• Establish your team
• Establish your objectives
• Identify the risks and threats
• Assess your current status
• Consider possible solutions
• Draft policies in conformance with HIPAA
• Review with the stakeholders
• Formalize the policies and procedures
• Train
• Review and Revise
2009 Updates - ARRA
• ARRA – American Recovery and Reinvestment Act of 2009
• Sweeping changes to the HIPAA health information privacy and security regulations
• These new provisions affect not only health care providers, health plans and health care clearinghouses, but a wide range of vendors and contractors that provide services to health care organizations.
2009 Updates - ARRA
• Previously, HIPAA applied only to the use and disclosure of PHI by health care providers, health plans, and health care clearinghouses (known collectively as "covered entities").
• Vendors providing administrative services to covered entities, such as legal services, accounting, information technology, financial support and similar services, were not directly subject to HIPAA's privacy and security provisions
2009 Updates - ARRA
• Vendors were required to sign business associate agreements and thereby agree by contract to maintain the privacy and security of protected health information.
• Changes made by ARRA expand the scope and application of HIPAA
2009 Updates - ARRA
• Among the most far reaching provisions of ARRA are those that apply several of HIPAA's security and privacy requirements to business associates.
• In addition, business associates will be subject to civil and criminal penalties and enforcement proceedings for violations of HIPAA.
2009 Updates - ARRA
• The definition of a business associate is expanded to include organizations that provide data transmission of PHI to covered entities and business associates and that require access on a routine basis to that protected health information.
• Examples of such organizations include health information exchange organizations, regional health information organizations and vendors that contract with covered entities to provide personal health records.
2009 Updates - ARRA
• Currently, covered entities may use and disclose only the "minimum necessary" protected health information for their business purposes, but have considerable latitude to determine what the minimum necessary information is under the circumstances.
• Under ARRA, covered entities must first consider whether partially de-identified data, known as a limited data set, could be used to accomplish their objectives and must limit their uses and disclosures to limited data sets if possible.
• A limited data set excludes basic identifying information such as the individual's name, social security number, postal addresses, email addresses, telephone numbers, and similar identifiers.
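The Minimum Necessary Standard from the Privacy Rule section (identify the staff who need access and limit the PHI to what the purpose requires) and the limited data set described here, as an added example that is not part of the Economedix slides. The field names, the role-to-field map and the sample record are constructed; the full list of direct identifiers a limited data set must exclude follows 45 CFR 164.514(e), of which the slide names only a subset.

```python
"""Minimum-necessary views and limited data sets, as an added example.

Not code from the Economedix slides. Field names, the role-to-field map
and the sample record are constructed for illustration.
"""
from __future__ import annotations
import copy
import re

# Direct identifiers a limited data set must exclude (45 CFR 164.514(e)).
# The slide names name, SSN, postal address, e-mail and telephone; the rest
# of this list comes from the regulation.
LDS_EXCLUDED_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
})

# Fields a limited data set may keep: dates, city/state/ZIP and clinical data.
LDS_PERMITTED_FIELDS = frozenset({
    "city", "state", "zip", "date_of_birth", "admit_date", "discharge_date",
    "diagnosis_codes", "procedures", "clinical_notes",
})

# Minimum-necessary views per workforce role (assumed roles; a practice
# documents its own when it identifies the staff who need PHI access).
ROLE_VIEWS: dict[str, frozenset[str]] = {
    "clinician": frozenset({"name", "mrn", "date_of_birth", "admit_date",
                            "discharge_date", "diagnosis_codes", "procedures",
                            "clinical_notes"}),
    "billing": frozenset({"name", "mrn", "health_plan_id", "account_number",
                          "admit_date", "discharge_date", "diagnosis_codes",
                          "procedures"}),
    "front_desk": frozenset({"name", "phone", "date_of_birth", "admit_date"}),
}

# Identifiers that hide inside free text even when structured columns are clean.
_FREE_TEXT_PATTERNS = (
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
)


def sample_record() -> dict:
    """A constructed patient record (no real person, placeholder values)."""
    return {
        "name": "Jane Q. Sample", "ssn": "000-00-0000",
        "street_address": "1 Example Way", "city": "Springfield",
        "state": "XX", "zip": "00000", "phone": "555-010-0000",
        "email": "jane@example.invalid", "mrn": "MRN-000001",
        "health_plan_id": "PLAN-000001", "account_number": "ACCT-0001",
        "date_of_birth": "1950-01-01", "admit_date": "2009-03-02",
        "discharge_date": "2009-03-04",
        "diagnosis_codes": ["E11.9"], "procedures": ["99213"],
        "clinical_notes": "Follow-up in 3 months. Daughter may call 555-010-0000.",
    }


def minimum_necessary(record: dict, role: str) -> dict:
    """Return only the fields the role's documented view allows (fail closed)."""
    allowed = ROLE_VIEWS.get(role)
    if allowed is None:
        raise PermissionError(f"no minimum-necessary view defined for role {role!r}")
    return {k: copy.deepcopy(v) for k, v in record.items() if k in allowed}


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers; unknown fields are dropped, never passed through."""
    return {k: copy.deepcopy(v) for k, v in record.items()
            if k in LDS_PERMITTED_FIELDS}


def free_text_identifiers(record: dict) -> dict[str, list[str]]:
    """Flag identifier-shaped strings left in the free-text fields of a record."""
    hits: dict[str, list[str]] = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        labels = [label for label, rx in _FREE_TEXT_PATTERNS if rx.search(value)]
        if labels:
            hits[field] = labels
    return hits


if __name__ == "__main__":
    lds = limited_data_set(sample_record())
    print(sorted(lds))
    print(free_text_identifiers(lds))
```

Both filters are allow-lists: a column added upstream that nobody classified is dropped rather than leaked. Stripping the structured identifier columns is not enough on its own, which is why the last function scans what remains; in the constructed record the clinical note still carries a telephone number after the limited data set is built.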
2009 Updates - ARRA
Restrictions on Disclosures
• Individuals will be able to bar health care providers from disclosing protected health information to their health plans if the individuals pay for the health care item or service in full out of pocket.
2009 Updates - ARRA
Marketing
• The ability of covered entities to use protected health information for marketing purposes without the individual's authorization will be limited under ARRA.
• Specifically, communications with an individual about products or services that encourage the individual to purchase or use the product or service will be permitted without the individual's authorization only if the communication is made
  • to describe a product or service provided by or included in the plan of benefits of the covered entity making the communication,
  • for treatment purposes, or
  • for case management, care coordination, or to recommend alternative therapies, providers, or settings of care.
• In addition, subject to limited exceptions, the previously described communications will require patient authorization if the covered entity receives direct or indirect payment for making them.
2009 Updates - ARRA
Reporting Security Breaches
• Previously, covered entities were obligated to mitigate harm caused by unauthorized disclosures of protected health information, but not required to give notice to the individuals whose information was inappropriately disclosed.
• Going forward, covered entities and business associates will be required to notify individuals when security breaches occur with respect to "unsecured" information.
• Unsecured information means information not protected through technology or methods designated by the federal government.
• In addition, if the breach involves 500 or more individuals, notice to the federal Department of Health and Human Services and the media is also required.
2009 Updates - ARRA
Accounting of Disclosures
• Covered entities using electronic health records will have to supply individuals with an accounting of disclosures from those records made for treatment, payment, or health care operations purposes during the three years that preceded the request.
• This will significantly increase administrative burdens for covered entities, which currently are not required to account for such disclosures.
• This provision is subject to rulemaking and the earliest date it will apply is January 1, 2011
2009 Updates - ARRA
Charitable Fundraising
• Health care providers will have to give patients a more conspicuous notice of their option to opt out of receiving charitable solicitations.
Sales of Protected Health Information
• It will be more difficult for a covered entity to sell electronic protected health information without specific patient authorization.
2009 Updates - ARRA
Enforcement
• ARRA gives power to state attorneys general to bring actions on behalf of state residents who have been, or are threatened or adversely affected by, violations of HIPAA.
• Previously, HIPAA did not permit individuals to obtain monetary damages for HIPAA violations and enforcement was handled at the federal level.
• The financial penalties for violations of HIPAA have also been increased, and a percentage of the civil penalties collected will be distributed to individuals harmed by the violations.
2009 Updates - ARRA
Effective Dates Vary
• Most provisions will be effective one year after the date of ARRA's enactment (February 17, 2010)
• The security changes will generally be effective 30 days after appropriate regulations are published.
• The changes to the enforcement provisions are effective for violations occurring after February 17, 2009.
Summary
• In one sense HIPAA privacy and security rules are nothing new. You have always treated information confidentially. Now there are uniform standards.
• Common sense and good judgment will almost always work if you are keeping the best interests of the patient in mind
• If in doubt, talk to your manager or supervisor.
Thank you for participating in this seminar presentation from Economedix!
Please direct questions to …
To earn CME credits for this course please complete the Evaluation / CME Form and FAX it back to Economedix within 7 days of the teleconference.