Post on 10-Oct-2020


© Economedix, LLC 2000 – Present

Welcome To The Digital Learning Center

Presented by …

Your Partner In Building High Performance Practices

Today’s Presentation

Annual Review of the HIPAA Privacy & Security Rules

Course Faculty

R. Thomas (Tom) Loughrey, MBA, CCS-P

• Chairman, CEO & Co-Founder of Economedix
• Certified Coding Specialist
• BS Degree from Pennsylvania State University
• Earned an MBA in Health & Hospital Administration from the University of Florida
• Former Hospital Administrator
• Former Owner of a Medical Billing Company
• Consultant to Physician Practices & Medical Societies
• Member of Various Professional Organizations Dealing with Medical Practice Management
• Developed and Presented Thousands of Seminars & Workshops Dealing with Practice Management


Introduction

• Background of HIPAA
• Overview and Scope of Coverage Under HIPAA
• PHI: Its Use and Disclosure
• General Rules
• Patient Rights
• Practical Examples
• Purpose of Security
• Security Requirements
• Management and Implementation
• Policies and Procedures

HIPAA Privacy Rules

Overview of Privacy Rules

Health Insurance Portability & Accountability Act (HIPAA)

Sets standards for privacy of individually identifiable health information

Allows information to be used and shared for the purposes of treatment, payment and health care operations (TPO)

Requires notification or authorization for use and disclosure

Creates processes to let patients know how information is to be used, ensures patients have access to their information and an ability to correct inaccuracies.

Requires health plans and providers to maintain administrative and physical safeguards on information


Scope of HIPAA

• Covers all providers of any size from University Medical Centers to solo physicians
• Health Plans
• Health care clearinghouses
• Business agents of the above who have legitimate need to have information (consultants, employees, billing agencies)

Your practice is covered!

And you have to help make it work!


Protected Health Information (PHI)

All information relating to the diagnosis and treatment of a patient that is individually identifiable

Originally, this was only to apply to electronic data. In the final rule it has been applied to all information

HIPAA protects the information itself for privacy, it does not make patients anonymous!

HIPAA General Rules

Providers and others are prohibited from using or disclosing PHI except when authorized by the patient or for treatment, payment or health care operations (TPO)

TPO
• This is the normal, everyday business of conducting the office and seeing patients, referring them for tests and other care and getting paid for the work you do.
• It means staff can look at the chart, you can send needed information to other providers and you can provide a payer with information on the services and Dx

HIPAA General Rules

Every patient must be notified of their privacy rights, the practice’s privacy policies and how PHI will be used. Patients must acknowledge this notification in writing.
• This means the practice must have privacy policies that describe the patient’s rights
• Patients must have an opportunity to see your policies and they must acknowledge in writing they have received this notification

HIPAA General Rules

The amount of information to be used or disclosed should be the minimum that accomplishes the purpose.
• Minimum Necessary Standard – you must make reasonable efforts to limit the PHI to the minimum necessary to meet the purpose or request.
• Disclosures to or requests from other providers for treatment are an exception to this rule.
• Disclosures to or requests from the person for their own PHI are an exception to the rule
• Practices must identify the staff who need access to the PHI

HIPAA General Rules

Business associates may have access to protected information under a contract with the provider. The agent then has the same responsibilities as the provider
• If you have a billing service that needs to see PHI as part of their billing they are an agent
• If you engage a consultant to review charts or engage in other practice work such as audits or QI/QA, they are an associate and are covered under the rules.
• Collection agencies are business associates

HIPAA General Rules

Uses and disclosures are permitted – not required except by law.
• Only two disclosures are required:
  • Disclosure to the patient on request
  • Disclosures required by law (subpoenas, federal payments, etc)
• Information will be protected for two years following the death of the patient


When Is Personal Information Protected?

Does the information identify the patient or can it be used to identify the patient?

Does the information relate to the past, present or future health, treatment or payment for provision of services?

Was the information created by a health care provider, health plan, employer, life insurer, public health agency, school, health care clearinghouse?

When Can PHI be Used or Disclosed?

• When the disclosure is to the patient
• For treatment, payment or health care operations involving the patient
• Incident to a use that is permitted
• When the practice receives a valid authorization
• When the practice has obtained the patient’s oral agreement
• When the law specifically does not require authorization

Permissible Uses & Disclosures

• Quality Assurance Activities
• Public health & emergencies affecting life or safety
• Research
• Judicial hearings
• Law enforcement
• Information to next-of-kin
• Identification of a body or cause of death
• Government Health Data Systems
• Facilities Data Systems
• Financial entities for processing claims
• Where mandated by law

Individual Rights

• The right to receive written notice of the information practices of providers and health plans
  • The notice must describe the types of uses and disclosures the provider would make with the information
• The right to access protected information
• The right to request amendment of records
• The right to receive an accounting of when protected information has been disclosed

Key Privacy Policies

Authorization and consents
• After the fact authorizations and consents in emergencies
  • Facilities who obtain these documents cover the providers in those facilities as well for services rendered at the facility
  • Once the patient is seen in the practice for the first time a consent and authorization should be obtained

Key Privacy Policies

Uses and Disclosures Involving Family and Friends
• Does not require an authorization but is not required unless directly requested by patient
• May also use PHI to notify a family member or responsible person of the patient’s location or condition
  • Patient must be able to provide consent or an opportunity to object (and there is no objection) or reasonably infer the patient has no objection such as by being accompanied by a friend or family member

Key Privacy Policies

Dealing With Minors (or Personal Representatives)
• The parent/guardian or personal representative may provide all consents and notifications on the patient’s behalf
• Two exceptions:
  • If there is a reasonable belief that the patient may be subjected to abuse by the requestor
  • If, under state law, the minor is emancipated or the treatment concerns matters over which the state permits the minor to obtain health care without parental consent

Key Privacy Policies

Verification of Identity
• Employees must verify the identity and authority of persons making requests for PHI
• Policies should describe minimal forms of proper identification (which may include subpoenas)
• Information should be provided in a secure and confidential manner
• If you have a good faith belief that releasing the PHI will avert harm to the patient or the public you may release the information.

Key Privacy Policies

Business Associates
• Tip: Make a list of all entities you believe are business associates and request a new HIPAA compliant contract
• The practice is not liable for the privacy violations of its business associates but it must exercise appropriate safeguards and have mechanisms to act if it becomes aware of such violations
• Model contract language is available from CMS


Practical Examples

The patient is a minor and the patient’s mother wants to pick up a prescription for the patient.

Practical Examples

A pharmacy calls wanting authorization to re-fill a prescription.

Practical Examples

The patient is being referred to another practice and a copy of the most recent notes and lab findings are requested by the practice. Later they ask for the full chart.

Practical Examples

The patient is elderly and the patient’s adult daughter contacts the practice to get more information on her mother’s condition, treatment and plans.

Practical Examples

A father of a newborn wants medical records of the child but those records contain information on the mother as well.

Practical Examples

A patient indicates in a conversation with the doctor she heard another patient, who is a friend, is going to have some tests ordered and wonders if she is going to be okay.

Practical Examples

The practice has a sign-in sheet listing the names of all patients seen that day at the front desk. Anyone signing in can see it.

Practical Examples

Lists of patients, including the reason they are being seen, are posted around the office as the daily schedule.


HIPAA FAQs

There is a great deal of authoritative information available from the Office of Civil Rights

http://www.hhs.gov/ocr/hipaa/

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

HIPAA Myths, facts and updates

http://www.cdt.org/issue/health-privacy

Security Rule Update


Overview of HIPAA Security Rule

The Final Rule was published in February 2003

The Rule took effect on April 21, 2005

Less a series of checklists and more a description of standards

Apply only to electronic Personal Health Information (ePHI)

Overview of HIPAA Security Rule

The Rule recognizes that cost of security is an issue and should be a factor in security decisions

It is clear “that adequate security measures be implemented… cost is not meant to free covered entities from this responsibility.”

General approach is now risk management based rather than mandatory controls


Integration With The Privacy Rule

Language is consistent between rules

Supplements and defines the “mini-security rule” within the Privacy Rule

Most definitions between the rules are now the same (PHI, covered entity, Business Associate, etc)

Privacy rule still controls security of non-electronic PHI

Structural Elements of the Rule

Some standards are sufficiently self-contained that their implementation is explicit or implicit in the standard itself

Standards are grouped under three categories:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

Thinking About Security

Covered Entities (that means your practice) must meet four security requirements:
• Ensure the confidentiality, integrity and availability of all ePHI that is created, received, maintained or transmitted
• Protect against any reasonably anticipated threat or hazard to the security or integrity of the ePHI
• Protect against any reasonably anticipated uses or disclosure of ePHI that are not permitted
• Ensure compliance by every member of the workforce

Thinking About Security

In meeting these rules the practice may factor in:
• Cost, size, complexity, technical infrastructure, other capabilities and the likelihood and seriousness of potential security risks

The practice may use any security measures that allow it to reasonably and appropriately implement the standards

Required standards with no Implementation Specifications must be implemented as it requires

Thinking About Security

If the standard has a required Implementation Specification it must be met as required

If the standard has an addressable Implementation Specification it must be met if reasonable and appropriate
• If it is not, then the rationale for not meeting the specification must be documented and the alternative methodology for meeting the standard must be explained

Risk Analysis & Risk Management

The preamble to the rule states the administrative, physical and technical safeguards the practice employs must be reasonable and appropriate to meet the standards

There is a two-step process for determining this:
• Step 1 is to assess the security risk the practice faces
• Step 2 is to implement appropriate countermeasures proportionate to the risk

The practice must then manage the countermeasures to keep up with new or increased risks

Risk Analysis & Risk Management

The Security Rule does not advocate any type of technology. The Rule only looks at analyzing risks and then meeting the risk with an appropriate countermeasure.
• For example, any computer may be compromised by a “virus” or “worm” that can either destroy data or cause it to be sent to those who are not authorized to see the data. An appropriate countermeasure would include obtaining anti-virus software, keeping it up to date and providing training to users in how to avoid suspicious programs and e-mail attachments

Examples of PHI Not Covered

Paper to paper faxes are not covered
• Faxes to or from a computer are covered

Voice telephone transmissions are not covered
• Data transmitted over telephone lines is covered


Security Management Processes

Practices must be able to track intrusions into the system and react quickly (incident response)

These security processes may require new and more technology than smaller practices possess now

Training is a security process that all practices must meet. Training should focus on threats and countermeasures

There are no “safe-harbors” under the Rule

Business Associate Agreements

Any entity to whom you provide ePHI that is not covered by the rule must have a contract with you obligating them to protect the information.

Requirements:
• Implement administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of ePHI
• Ensure its agents and subcontractors do the same
• Report to the practice any security incident it becomes aware of.

Business Associate Agreements

The agreement under this rule adopts all the rules applying to business associates under the Privacy Rule

No agreement is required if it relates to the treatment or payment for services to the patient

You are not liable for violations of Business Associates unless you know of a pattern or activity that is a violation and do nothing about it

Implementation Plan

• Establish policies and procedures designed to identify risks and ensure effective countermeasures
• Ensure compliance
• Training for everyone in the administrative, technical and physical safeguards of ePHI
• Policies and Procedures must be documented

Implementation Plan

Avoid Liability and Bad Publicity
• Liability results when the practice either has no policy or worse, does not enforce its policies
• Even if the security breach does not involve a lawsuit it could result in bad publicity in the community and among the patients of the practice

Implementation Plan

Steps for Developing Security Policies & Procedures
• Assemble your team (a doctor, the manager, front office and back office)
• Review the requirements with the team
• You may want to refer to published standards for information security (National Institute of Standards & Technology – Series 800)
• Begin Risk Analysis

Risk Analysis

What is to be protected:
• Hardware, servers, workstations, computers, software, data and databases, and your own users

Potential threats
• Accidents, natural disasters, loss of electrical power, theft, maliciousness, carelessness, etc

Requirements of any P&P

Clear and concise
• Clearly state responsibilities of everyone, what needs to be protected and how it is to be done

Understandable
• Written to the level of understanding for the intended user. Techies vs. Staff

Doable
• Must be realistic in terms of the staff size, cost and technical requirements

Policies and Procedures

Start with a statement from the doctors and management
• Acknowledge the importance of security
• Indicate support for security throughout the practice
• Commit to development, implementation and enforcement of policies
• Define the intent of the security program and how it relates to the business objectives of the practice.

Policies and Procedures

Develop Policies
• General organizational policies
  • Set overall vision of the program; a general framework
• Functional policies
  • Focused on specific topics, applications or functions.
  • Generally deal with single topics

Policies and Procedures

Detailed Procedures
• This is how standards and guidelines are put into action

Plans
• May incorporate procedures such as in a “Disaster Recovery Plan”

Personnel Responsibilities
• Policies should identify the personnel to carry out the policy and the functions to be performed

Policies and Procedures

Steps to Implementation of Procedures
• Must be flexible and strike a balance between too much detail and not enough direction and guidance

Examples of Security Procedures
• Back-up server each night. Store offsite on CD dated and identified to the server
• Back up all PHI on PC hard drives weekly to CD dated and identified to the PC

Successful Implementation of a Security Plan

• Establish your team
• Establish your objectives
• Identify the risks and threats
• Assess your current status
• Consider possible solutions
• Draft policies in conformance with HIPAA
• Review with the stakeholders
• Formalize the policies and procedures
• Train
• Review and Revise

2009 Updates - ARRA

ARRA - American Recovery and Reinvestment Act of 2009

Sweeping changes to the health information privacy and security regulations HIPAA

These new provisions affect not only health care providers, health plans and health care clearinghouses, but a wide range of vendors and contractors that provide services to health care organizations.

2009 Updates - ARRA

Previously, HIPAA applied only to the use and disclosure of PHI by health care providers, health plans, and health care clearinghouses (known collectively as "covered entities").

Vendors providing administrative services to covered entities, such as legal services, accounting, information technology, financial support and similar services, were not directly subject to HIPAA's privacy and security provisions


2009 Updates - ARRA

Vendors were required to sign business associate agreements and thereby agree by contract to maintain the privacy and security of protected health information.

Changes made by ARRA expand the scope and application of HIPAA


2009 Updates - ARRA

Among the most far reaching provisions of ARRA are those that apply several of HIPAA's security and privacy requirements to business associates.

In addition, business associates will be subject to civil and criminal penalties and enforcement proceedings for violations of HIPAA.


2009 Updates - ARRA

The definition of a business associate is expanded to include organizations that provide data transmission of PHI to covered entities and business associates and that require access on a routine basis to that protected health information.

Examples of such organizations include health information exchange organizations, regional health information organizations and vendors that contract with covered entities to provide personal health records.

2009 Updates - ARRA

Currently, covered entities may use and disclose only the "minimum necessary" protected health information for their business purposes, but have considerable latitude to determine what the minimum necessary information is under the circumstances.

Under ARRA, covered entities must first consider whether partially de-identified data, known as a limited data set, could be used to accomplish their objectives and must limit their uses and disclosures to limited data sets if possible.

A limited data set excludes basic identifying information such as the individual's name, social security number, postal addresses, email addresses, telephone numbers, and similar identifiers.

2009 Updates - ARRA

Restrictions on Disclosures
• Individuals will be able to bar health care providers from disclosing protected health information to their health plans if the individuals pay for the health care item or service in full out of pocket.

2009 Updates - ARRA

Marketing

The ability of covered entities to use protected health information for marketing purposes without the individual's authorization will be limited under ARRA.

Specifically, communications with an individual about products or services that encourage the individual to purchase or use the product or service will be permitted without the individual's authorization only if the communication is made
• to describe a product or service provided by or included in the plan of benefits of the covered entity making the communication,
• for treatment purposes, or
• for case management, care coordination, or to recommend alternative therapies, providers, or settings of care.

In addition, subject to limited exceptions, the previously described communications will require patient authorization if the covered entity receives direct or indirect payment for making them.

2009 Updates - ARRA

Reporting Security Breaches

Previously, covered entities were obligated to mitigate harm caused by unauthorized disclosures of protected health information, but not required to give notice to the individuals whose information was inappropriately disclosed.

Going forward, covered entities and business associates will be required to notify individuals when security breaches occur with respect to "unsecured" information.

Unsecured information means information not protected through technology or methods designated by the federal government. In addition, if the breach involves 500 or more individuals, notice to the federal Department of Health and Human Services and the media is also required.

2009 Updates - ARRA

Accounting of Disclosures

Covered entities using electronic health records will have to supply individuals with an accounting of disclosures from those records made for treatment, payment, or health care operations purposes during the three years that preceded the request.

This will significantly increase administrative burdens for covered entities, which currently are not required to account for such disclosures.

This provision is subject to rulemaking and the earliest date it will apply is January 1, 2011

2009 Updates - ARRA

Charitable Fundraising
• Health care providers will have to give patients a more conspicuous notice of their option to opt out of receiving charitable solicitations.

Sales of Protected Health Information
• It will be more difficult for a covered entity to sell electronic protected health information without specific patient authorization.

2009 Updates - ARRA

Enforcement

ARRA gives power to state attorneys general to bring actions on behalf of state residents who have been, or are threatened or adversely affected by violations of HIPAA.

Previously, HIPAA did not permit individuals to obtain monetary damages for HIPAA violations and enforcement was handled at the federal level.

The financial penalties for violations of HIPAA have also been increased, and a percentage of the civil penalties collected will be distributed to individuals harmed by the violations.

2009 Updates - ARRA

Effective Dates Vary

Most provisions will be effective one year after the date of ARRA's enactment (February 17, 2010)

The security changes will generally be effective 30 days after appropriate regulations are published.

The changes to the enforcement provisions are effective for violations occurring after February 17, 2009.


Summary

In one sense HIPAA privacy and security rules are nothing new. You have always treated information confidentially. Now there are uniform standards.

Common sense and good judgment will almost always work if you are keeping the best interests of the patient in mind

If in doubt, talk to your manager or supervisor.


Thank you for participating in this seminar presentation from Economedix!

Please direct questions to …

[email protected]

To earn CME credits for this course please complete the Evaluation / CME Form and FAX it back to Economedix within 7 days of the teleconference.