HIPAA Privacy The Morning After Panel
HIPAA Privacy
The Morning After Panel
What do we do now?
William R. Braithwaite, MD, PhD (moderator)
Washington, DC
Ross Hallberg, Corporate Compliance Officer
John Muir/Mt. Diablo Health System
Walnut Creek, CA
Ronald Margolis, Chief Information Officer
University Hospitals, University of New Mexico
Albuquerque, NM
Tina Sernick, Manager
Deloitte & Touche LLP
New York, NY
Principles of Fair Info Practices
Notice
– Existence and purpose of record-keeping systems must be known.
Choice
– Information is:
» collected only with knowledge and permission of subject.
» used only in ways relevant to the purpose for which the data was collected.
» disclosed only with permission or overriding legal authority.
Access
– Individual right to see records and assure quality of information.
» accurate, complete, and timely.
Security
– Reasonable safeguards for confidentiality, integrity, and availability of information.
Enforcement
– Violations result in reasonable penalties and mitigation.
Individual’s Rights
Individuals have the right to:
– A written notice of information practices from health plans and providers.
– Inspect and obtain a copy of their PHI (DRS).
– Obtain an accounting of disclosures.
– Amend their records.
– Request restrictions on uses and disclosures.
– Accommodation of reasonable communication requests.
– Complain to the covered entity and to HHS.
E-mail
Misconception: HIPAA prohibits email between doctor and patient.
Fact: HIPAA allows it. The encryption requirement on internet transmissions was reduced to ‘addressable’ so that such interactions could continue.
Drug Reps
Misconception: HIPAA prohibits drug reps from coming into the back office.
Fact: Given that reasonable efforts have been made to prevent incidental disclosures (to other patients, fax repairman, etc.), HIPAA does not prohibit such activity. HIPAA does, however, prohibit sharing PHI with drug reps (and others) without patient authorization.
Prescriptions
Misconception: A friend can’t pick up a prescription without written permission (authorization) from the patient.
Fact: Specifically allowed in HIPAA.
Family
Misconception: A doctor can’t talk to family about a patient without written permission.
Fact: Specifically allowed in HIPAA unless the patient objects.
Medical Decisions
Misconception: HIPAA sets new rules for who can make medical decisions for patients.
Fact: HIPAA defers such decisions 100% to state law.
Medical Records
Misconception: The Medical Records department can’t send records to an MD office for follow-up without patient authorization.
– Newspapers report “lengthy and complicated legal forms are required.”
Fact: Any PHI may be disclosed to any health care provider for treatment purposes without patient permission of any kind.
– Note: this does not conflict with state law, which MAY require such permission.
Marketing
Misconception: HIPAA prevents any marketing activity without patient permission.
Fact: The new definition of “marketing” excludes most activity commonly thought of as marketing as long as it has something to do with health.
– e.g., drug switch letters are not “marketing” under the privacy rules.
Costs
Misconception: Complying with HIPAA is extremely costly and will push health care organizations to bankruptcy.
Fact: Most requirements of HIPAA privacy are things that should already be in place. The cost of new documentation requirements is more than offset by savings from implementation of the transaction standards.
Directory
Misconception: HIPAA does not allow a hospital to list patients in its directory without their explicit permission.
Fact: Although the patient must be given the opportunity to object, no permission is required.
– Routinely, when asked for by name, the hospital may disclose the location and general condition of the patient.
– If the patient objects, no information may be disclosed without authorization.
Clergy
Misconception: Clergy cannot get a list of patients with their religions.
Fact: Unless a patient objects, clergy may receive a list of patients with their location, general condition, and religious preference.
– If a patient objects, they must be left off such a list.
Mandated Disclosures
Misconception: HIPAA mandates new disclosures (including to law enforcement) and removes the right to consent.
Fact: HIPAA requires disclosure of PHI in only two cases:
– Patient access to their own PHI is required.
– HHS access to PHI when investigating a complaint.
– All other use and disclosure is permissive -- NOT required.