HIPAA WORKSHOP
UTA – HCAD Students
By
Barbara Odom-Wesley, PhD, RHIA
May 27, 2003
OBJECTIVES
• Review the value of Medical Records
• Review Federal & State Requirements for Medical Record Privacy
• Update procedures regarding confidentiality & release of healthcare information
• Study the impact of HIPAA on medical practices
Medical Record Definition
• A compilation of pertinent facts
• Of a patient’s life and health history, including past and present illnesses and treatments
• Written by the health professionals contributing to that patient’s care
• Compiled in a timely manner
• And contains sufficient data to
  Identify the patient
  Justify the treatment
  Support the diagnosis
  Document the results
MEDICAL RECORD DOCUMENTATION
Arrangement
Forms Management
Compliance Policies
Analysis
WHY MEDICAL RECORDS?
CLINICAL
• Patient Care Management
• Quality Review
• Research
• Public Health
• Education
LEGAL
• Documentary Evidence
• Confidentiality
FINANCIAL
• Medical Necessity
• Complexity
• Detail Services
• Substantiate Claims
STANDARDS
• JCAHO
  Joint Commission on Accreditation of Healthcare Organizations
• NCQA
  National Committee for Quality Assurance
• HEDIS
  Health Plan Employer Data & Information Set
• AAAHC
  Accreditation Association for Ambulatory Health Care
• TSBME
  Texas State Board of Medical Examiners
MORE STANDARDS
• Conditions of Participation (Medicare)
• Uniform Ambulatory Care Data Set
• Professionally Accepted Practices
OIG Compliance Plan
• Auditing & Monitoring
• Standards & Procedures
• Compliance Officer
• Training & Education
• Corrective Action Plan
• Communication Lines
• Disciplinary Standards
CONFIDENTIALITY
CONCEAL OR REVEAL?
• Physician-patient relationship
• Medical Record ownership
• Texas Legal Statutes
  Senate Bill 667
  Senate Bill 975
• Senate Bill 11
• Federal Law
  HIPAA
Senate Bill 667
• Authored to reduce confidentiality threats
• Debated in four legislative sessions
• Passed by House and Senate May, 1995
• Effective: January 1, 1996
• 1997 Revisions: SB 975
• Support: THA, TxHIMA, Trial Lawyers
1997 Revisions (SB 975)
• Added Exceptions:
  Directory Information
  Transporting EMS
  Clergy
  Organ or tissue procurement
  American Red Cross
  Poison Control Center
  Utilization Review Agent
• Changed “incompetent” to “incapacitated”
• Clarified court subpoena
• Fees
  Document certification
  Written questions ($10.00)
  None for patient examination
  None for Workers’ Comp.
Senate Bill 11
The Texas extended arm of HIPAA
• Disclose PHI for health research only with individual consent or IRB waiver.
• Composition & conduct of privacy board
• Disclose for health research if represented as necessity.
• Authorizes subject of research access to information at conclusion of trial.
• Use of PHI for public health activities without authorization.
• Prohibits re-identifying without authorization
SENATE BILL 11 PROVISIONS
• Prohibits disclosing, using, selling, or coercing consent for marketing purposes
• Extended to parties not covered by HIPAA (holder of insurance license)
• Amends insurance code to require authorization to disclose any nonpublic PHI
• Right of patient to revoke authorization
• Exempt: nonprofits, Workers’ Comp., Red Cross, offenders with mental impairments, educational records, public health authority
• Effective 9/1/01; insurance code amendments 1/1/02
HIPAA
Health Insurance Portability and Accountability Act of 1996
History of Legislation:
Congress failed to adopt by August 21, 1999 as required by HIPAA
Privacy Standards developed by DHHS
Effective: 4/14/2001
HIPAA
http://aspe.os.dhhs.gov/admnsimp/
• Pub.L.104-191
  Federal Register vol. 65 no. 250, pp 82462-82829
• Enacted April 14, 2001
  Privacy implementation: April 14, 2003
• Amended Public Health Service Act (PHS), Employee Retirement Income Security Act of 1974 (ERISA), Internal Revenue Code of 1986
• Final Regulations August 14, 2002
Simplification Standards
Extension: www.cms.gov/hipaa2/default/asp
• Electronic Exchange
• Unique Health Identifiers
• Code Sets
• Security
• Electronic Signatures
• Transmission of Data
• Privacy
HIPAA Privacy GOALS
1. Protect & enhance rights of consumers by providing them with access to their health information & controlling the inappropriate use of that information
2. Improve the quality of healthcare in the US by restoring trust in the healthcare system
3. Improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection
HIPAA Highlights
• Paper & verbal
• Preempts state law
• Mechanism for complaints
• Office of Civil Rights Administers
• Mitigation for Policy Violation
• Privacy Training
• Organization Requirements
• Definitions for appropriate release
PRIVACY STANDARDS
• Covered Entities
• Protected Health Information
• Consents
• Authorizations
• Rights of Individuals
• Privacy Officer
• Staff Training
• Business Associate Relationships
• Administrative Requirements
• Preemption
• Accounting for Disclosures
• Guidelines for Release
Covered Entities (CE)
• All but “small” health plans (<5 mil revenue)
  Implementation by 4/14/2004
• Large health plans & healthcare providers
  Implementation by 4/14/2003
• Health Care Clearinghouse
• Health Care Provider of Services or Supplies (direct/indirect treatment relationship)
COVERED ENTITIES (CE)
• Direct Care Providers – treatment relationship
• Indirect – delivers healthcare based on orders
  Provides service, product or report to another provider
• Clearinghouse – processes or facilitates processing of PHI received from CE
Organized Healthcare Arrangement
• Separate covered entities
• Establish clinically & operationally integrated systems
• Permitted to share information for TPO
• May use common Notice and Consent
• Example: hospital & its associated medical staff
Are you a CE?
• Cardiology Associates keeps medical records on paper and in file drawers and does not have electronic records. They only use the computers for accounting, scheduling and other limited purposes.
• YES
COMPLIANCE DATE: APRIL 14, 2003
What Information is Covered?
Protected Health Information (PHI)
• Identifies an individual
• Relates to health, treatment, healthcare payment
• Created or received by CE
• Maintained or disclosed electronically, on paper, orally
Information Not Covered
Individual health information loses its protections and may be used or disclosed freely if it can’t be used to identify an individual.
Must remove all 18 identifiers.
Covered Business Associates
Performs or assists in the performance of a function or activity for the Covered Entity, not part of workforce.
Confidentiality contract required:
• Attorneys
• Actuaries
• Accountants
• Consultants
• Computer Vendors
• Outsourced Services
BUSINESS ASSOCIATE TEST
1. On behalf of CE
2. Other than workforce
3. Involves use of PHI
Requirements for Business Associates
• Assurance they will safeguard information
• Contracts should set permitted uses & disclosures
• Contracts should stress privacy
• Safeguard PHI from misuse
• CE is not liable for violations
Enforce Contracts
If the provider becomes aware of a “pattern of practice” that is a violation of contractual obligations, “reasonable steps” must be taken to solve the problem or the contract must be terminated. If the contract can’t be broken, the provider must report the problem to HHS.
Business Associates: Final Reg. Changes
• Additional year to incorporate BA agreements not up for renewal (April 2004)
Identifying Business Associates
• WeCare, Inc., a local nursing home, hires a law firm to defend it in an elder abuse case. ASC discloses PHI to a health plan for payment purposes. Which of these entities, the law firm or the health plan, would be a BA?
• The law firm is a BA. The health plan is not a BA.
PATIENT RIGHTS
• To consent for uses or disclosures of PHI to carry out treatment, payment, or healthcare operations, & the right to notice of privacy practices as part of the required consent form or process
• To access Protected Health Information (PHI)
• To accounting of how their PHI has been disclosed outside normal patient care channels
• To agree or object to certain disclosures
• To request amendment or correction to PHI
• To request restrictions on use of PHI for treatment, payment or healthcare operations
CONSENTS
Individual Consents required for:
Payment
Treatment
Healthcare Operations
PERMITTED DISCLOSURE
Consent Coverage: TPO
• Treatment
  Direct and Indirect
• Payment
  UR, medical necessity, determination of coverage
• Operations
  QA, credentialing, peer review, quality analysis, accreditation, fraud/abuse monitoring
Requirements for CONSENTS
• May be written in general terms
• Provider can refuse to treat individuals who do not consent to uses & disclosures for treatment, payment, healthcare operations
• Can be combined into a single document covering all three activities & combined with other types of legal permission
• Consents may be revoked in writing at any time.
Consents not Required
• Indirect treatment relationship
• Inmates
• Required by law to treat
• Substantial barriers to communicate
• Emergency treatment (must obtain as soon as reasonable)
Psychotherapy Records
• CEs must obtain the individual’s authorization to use or disclose psychotherapy notes to carry out TPO (other than originator of notes)
• Differs from other records because they do not include information that is typically needed for TPO
Final rule, Section 164.508
Final Rule Changes to Consents
• Optional
• Direct Provider CE
• Written Acknowledgement alternative
  Document receipt of “Notice of Privacy Practices”
• Not required for emergencies
• Layered Notice encouraged
  Patient-friendly summary
  Full notice layered beneath
• Allows disclosure of PHI for another provider (TPO)
Need a Consent?
• A primary care physician sees a patient who has been experiencing arrhythmia. The physician refers the patient to a cardiologist for testing. The physician’s office calls the cardiologist’s office to arrange for an appointment for the patient. The patient would be new to the cardiologist’s practice. May the cardiologist schedule the appointment and review the patient’s information prior to the patient signing a consent?
• Under the final changes, prior consent is not required. A “Notice” is required to be provided.
Consent Required?
• An elderly woman is bedridden and is unable to leave the house to pick up her medications. She calls a friend and asks the friend to pick up the prescription for her. May the pharmacist give the prescription medication to the friend?
• Yes, there is implied consent. Prior consent is not required. The “Notice” should be given to the friend.
AUTHORIZATIONS
• Allows use & disclosure of PHI for purposes other than those covered by consent
• Must be written in specific terms with essential elements
• May not condition treatment on signing
• Can be revoked at any time.
NO BLANKET AUTHORIZATIONS
VALID AUTHORIZATIONS
• Written, Dated, Signed:
  Patient
• Legally Authorized Representative:
  Parent/Guardian
  Adult Guardian
  Durable Power of Attorney/Agent
  Attorney ad litem
• Information & Time
• Purpose
• To whom
• Facility to Release
• Right to withdraw
• Validity date (90 days)
• Photocopy valid
CONSENTS vs. AUTHORIZATIONS
Consents:
• General language
• One time consent
• Allows full exchange among treatment team
• Refuse treatment without
• Allows for TPO
• May be revoked in writing
Authorizations:
• Specific, detailed
• Required for each release
• May not condition care on refusal
• Psychotherapy records
• Non-TPO purposes
• Must keep a record
Authorization Required?
• A person injured in a car crash is treated at an ASC. The ASC receives a request for medical records from an attorney who represents the driver in the automobile accident. The request states the attorney represents the driver who has been sued for negligence by the patient and to send the records to the lawyer within 15 days of receipt of the request. May the center disclose the patient’s records to the attorney without authorization from the patient?
• No, it requires an authorization or court order.
Authorization for Marketing?
• A group of oncologists have been approached by a pharmaceutical company to purchase the group’s patient list so the company may develop a new marketing plan for its pharmaceuticals. May the group sell its patient list?
• No, not without authorizations from each patient.
GUIDELINES FOR RELEASE
• Minimum Necessary
• Minors
• Deceased
• By Fax
• Subpoenas
• Copy Fees
Minimum Amount Necessary
Covered Entities must make all reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
Minimum Necessary Guides
• Establish role-based access for workforce
• Standard guidelines for recurring/routine disclosures
• Make determinations for “non-routine” disclosures
• Exception: disclosures for treatment
• Incidental disclosure not violation
Misuse of PHI
• The Widget Company establishes a group health plan for the benefit of its employees. A couple of employees of the company perform administrative functions for the group health plan. They sometimes have access to PHI. One of these employees learns that someone in the company has contracted hepatitis and tells her boss about the condition. The boss, fearful of the cost implications, decides to include the employee in a reduction in workforce.
• This violates the standards.
Deceased
• Executor
• Spouse
• Adult Child
• Parent
• Adult Sibling
• Statutory beneficiary
Minors
• Emancipated: 16, independent
• Active Duty Military
• Related to pregnancy
• Related to chemical dependence
• Counseling for abuse, suicide
• Infectious, contagious, communicable diseases
Written Denial of Request
• Form letter on office letterhead
• We are unable to respond because…
  Incomplete identification of patient
  Office not specified to release
  Party to receive not specified
  Information to release not specified
  Authorization incomplete due to...
Responding to Requests
• Deny invalid authorization
• Never release originals
• Furnish copy, summary, narrative
• Delete information about others
• Provide within 30 days
• Notify patient of compulsory disclosure within 10 days
• Exception: Physician determines harmful
Protect Confidentiality
• Post notice on copies
• Prohibit redisclosure
• Provide other’s records only for original purpose of release
POST NOTICES
Prohibition on Redisclosure
This information has been disclosed from confidential records which are protected by federal law. Federal regulations prohibit the redisclosure of the information without the written consent of the person to whom it pertains.
RECEIVING PHI
• Any person who receives information made confidential by this Act may disclose the information to others only to the extent consistent with the authorized purposes for which consent to release the information was originally obtained.
• Furnish copies including records received from a physician or other health care provider involved in the care or treatment of the patient only for continued care or treatment.
EXCEPTIONS For Legal Purposes:
• Patient legal proceedings against physician
• Substantiate & collect on claim
• Civil litigation or administrative proceeding
• Disciplinary investigations
• Involuntary commitments
• Criminal case involving patient
• Execution of Will
• Court Order or Subpoena
“COURT SUBPOENA”
• “As the author of S.B. 667, I can unequivocally state that it was not my intent to limit subpoena power for medical records to judges or remove that power from any legally authorized officer of the court who was empowered with such authority prior to the passage of SB 667. It was my intent that the term “court subpoena”, as used in SB 667, be interpreted to mean a subpoena issued by the officer of the court under the authority of the Texas Rules of Civil and Criminal Procedure or a subpoena issued under the authority of Chapter 121 of the Texas Civil Practices and Remedies Code.”
– Frank Madla, Texas State Senate, District 19, March 8, 1996
SUBPOENAS
Judicial
• Official legal order
• Issued by a court of law
• Compels to appear
Nonjudicial
• Notary, court reporting service, record copying service
• Patient consent is required
Court Order Required
• Substance Abuse
• Mental Illness
• Communicable, contagious diseases (STD)
Exceptions for Other Purposes:
• Governmental agencies
• Law enforcement
• Management audits
• Other physicians & personnel
• Collection of fees
• State Hospital inquiries
• Education, QA, peer review
• Custodial institutions
• IRB Research project
• HMO for statistics
Release by Fax
• Only when the original hard copy, mail-delivered, will not meet the needs of immediate patient care.
• Required for ongoing certification
• Use cover sheet (confidentiality statement)
• Verify receipt
• Photocopy thermal paper
REASONABLE FEES
• Ten day notification requiring payment
• Not required to release until paid
• May not deny release based on past due account
• TSBME Effective: 4/16/96
  First 20 pages = no more than $25.00
  Each subsequent page = 15 cents
  Mailing/Delivery = actual costs
  Films/diagnostic imaging studies = $8.00
PREEMPTION
• HIPAA will preempt state laws relating to the privacy of individually identifiable information except for those that are contrary to and more stringent than the federal HIPAA requirements.
Individual Access
• To inspect & copy PHI for as long as CE maintains information.
• No automatic right to access: psychotherapy notes, information in criminal, civil, or administrative action, PHI exempted by CLIA
• CE must act within 30 days (60 if offsite)
• CE may charge fees based on cost
• CE must maintain records of personnel responsible for 6 years
Accounting for Disclosures
Right to accounting for 6 years prior to request
Exceptions:
• For payment, treatment, or operations
• To the individual patient
• For the directory or those involved in care
• National security or Intelligence purposes
• To correctional institutions or law enforcement
• Prior to compliance date
• Authorization received
Accounting for Disclosures Guidelines
• CE must act within 60 days
• CE must provide one free per year
• Must include
  date
  person to whom released
  description of information
  copy of authorization
DISCLOSURE LOG
• One in each patient record
• One line per disclosure
• Date
• Person/entity to whom released
• Information released
• Initials of staff who released
• Comments regarding release
Accounting Required?
• Dr. Green must document each time she consults the chart to answer a patient’s question.
• No, this is a use of the PHI, not a disclosure.
• What about when she calls another physician to discuss the patient’s condition?
• No, exceptions are those disclosures for TPO. Disclosures with authorization are also excepted.
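As an added example (not part of the workshop or its materials), the accounting-for-disclosures rules from the preceding slides modelled in Python: a per-patient disclosure log with the fields the slides list, the listed exceptions, the 6-year look-back and the one-free-per-year fee. The purpose codes, the sample log entries and the cost-based fee amount are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

COMPLIANCE_DATE = date(2003, 4, 14)  # privacy compliance date from the slides

# Constructed purpose codes for the disclosures the slides except from an accounting.
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations",   # TPO
    "to_individual",                        # to the individual patient
    "directory", "involved_in_care",        # directory / persons involved in care
    "national_security",                    # national security or intelligence
    "correctional", "law_enforcement",      # correctional institutions / law enforcement
}

@dataclass(frozen=True)
class Disclosure:
    """One line of the per-patient disclosure log (fields named on the slides)."""
    when: date
    recipient: str
    description: str
    staff_initials: str
    purpose: str                              # constructed purpose code
    authorization_ref: Optional[str] = None   # signed authorization on file, if any
    comments: str = ""

def validate_log_line(d: Disclosure) -> List[str]:
    """Required fields from the disclosure-log slide; an empty list means complete."""
    required = {"person/entity to whom released": d.recipient,
                "information released": d.description,
                "initials of staff who released": d.staff_initials}
    return [f"{name} is missing" for name, value in required.items() if not value.strip()]

def years_before(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year - n)
    except ValueError:  # 29 February in a non-leap year
        return d.replace(year=d.year - n, day=28)

def requires_accounting(d: Disclosure, request_date: date) -> bool:
    """Apply the slides' exceptions and the 6-year look-back window."""
    if d.when < COMPLIANCE_DATE:                         # prior to compliance date
        return False
    if not years_before(request_date, 6) <= d.when <= request_date:
        return False
    # TPO and the other listed exceptions, or a disclosure made under an authorization
    return d.purpose not in EXEMPT_PURPOSES and not d.authorization_ref

def accounting(log: List[Disclosure], request_date: date) -> List[dict]:
    """The accounting owed to the patient: date, recipient and description of each disclosure."""
    return [{"date": d.when.isoformat(), "to": d.recipient, "description": d.description}
            for d in sorted(log, key=lambda x: x.when) if requires_accounting(d, request_date)]

def accounting_fee(prior_requests: List[date], request_date: date, cost_based_fee: float) -> float:
    """One accounting per year is free; a further one may carry a cost-based fee."""
    window_start = years_before(request_date, 1)
    return cost_based_fee if any(window_start < r <= request_date for r in prior_requests) else 0.0

# Constructed sample log for one patient (not real data).
SAMPLE_LOG = [
    Disclosure(date(2003, 3, 1), "District court", "ER visit notes", "BW", "court_order"),
    Disclosure(date(2003, 6, 10), "Health plan", "Claim for 6/2003 visit", "BW", "payment"),
    Disclosure(date(2003, 9, 2), "State health dept.", "Reportable disease lab result", "JM", "public_health"),
    Disclosure(date(2004, 1, 15), "Patient's attorney", "Complete record", "JM", "legal", "AUTH-0042"),
    Disclosure(date(2005, 2, 20), "Police dept.", "Admission date only", "BW", "law_enforcement"),
    Disclosure(date(2007, 11, 1), "University study (IRB waiver)", "Chart extract", "JM", "research"),
]

if __name__ == "__main__":
    for entry in accounting(SAMPLE_LOG, date(2008, 6, 1)):   # prints the two accountable lines
        print(entry)
```

Chart look-ups like Dr. Green's are uses, not disclosures, so they never enter the log; only the public-health and research lines of the sample survive the exceptions and the window.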
Request for Amendment
• CE may require written request with rationale
• CE has 60 days to act
• Notify individual that amendment accepted
• Inform relevant persons
• CE may deny request (written)
  physician not available
  not a part of designated record set (DRS)
  accurate & complete
• CE can prepare rebuttal
• Include with future disclosures
Denying Request
• Not created by CE
• Not part of designated record set
• Not available for inspection
• Accurate and complete
• Document denial
• Individual right to statement of disagreement
Designated Record Set (DRS)
• A group of records maintained by or for a CE:
• Medical records and billing records
• Used in whole or in part, by or for the covered entity to make decisions about individuals
Notice of Privacy Practices
Written notice to patients including:
• Uses & disclosures of PHI
• Explanation of privacy rights
• Charges
• CE’s responsibility under HIPAA
• How to file complaints with CE or HHS
• Name/title/phone of contact person
• Effective date of notice
Notice Introduction
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please read it carefully.
Include one example of each type of use and disclosure (TPO) that CE is authorized to make.
NOTICE DISTRIBUTION
• Post in office
• Post on website
• Post in treatment areas
• Provide copies in office
• Use e-mail with patient permission
• No later than first service delivery
• Patient must acknowledge receipt
NOTICE Procedures
• Retain copies of notices issued
  Include version number & effective date
• Revise & communicate changes
• Do not combine with the consent except for research
PRIVACY OFFICIAL
A CE must designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures of the entity.
AHIMA Certification: CHP
Principles for Protecting PHI
• Notice – Existence & purpose known
• Choice – Collected & released with knowledge
• Access – Accurate, complete, timely
• Security – Reasonable safeguards
• Enforcement – Mitigation & penalties
SECURITY REGULATIONS
Compliance: April 20, 2005
• Administrative Safeguards
  policies & procedures to protect ePHI
  manage conduct of workforce
• Physical Safeguards
  unauthorized intrusions
  natural & environmental hazards
• Technical Safeguards
  technology to control access
Steps to HIPAA Compliance
• Appoint Leadership Team (Privacy Officer)
• Educate staff on requirements
• Review current procedures
• Conduct a gap analysis
• Set goals
• Identify resources needed
• Develop timeline & document progress
Compliance & Penalties
• Dept. of HHS – Office of Civil Rights
  Implementation & Enforcement
• Process complaints
• Civil: $100/violation to $25,000/year for identical violation
• Criminal: knowing violations, false pretenses, personal gain/malice
  Fines: $50,000 - $250,000
  Imprisonment 1 – 10 years
OFFICE PREPAREDNESS
• Appoint privacy officer
• Develop confidentiality policies/procedures
• Define levels of access
• Design consent & authorization forms
• Include in Budget
• Upgrade Equipment (paper & electronic)
• Renovations for physical safeguards
• Review contractual agreements
• Train Staff
Release of Information Policies
• Limited Use Rule
  for purposes compatible with reason for collection
• Limited Disclosure Rule
  only for authorized purpose; employee confidentiality statement
• Minimal Disclosure Rule
  minimum necessary to accomplish purpose
• Accounting for Disclosure Rule
  maintain record of all access
• Security Rule
  administrative, technical, physical safeguards
• Notice of Practices
PROCEDURES NEEDED
• Consents
• Authorizations
• Amendments
• Patient Access
• Copying by Patient
• Denial of Access
• Nonretaliation for whistleblowers
• Opt-out (directories/marketing/fundraising)
• Verification of identification for requestors
• Complaints Handling
• Sanctions
• Release without authorizations
Confidentiality & Office Dynamics
• Policies and Practices
• Staff Awareness
• Scheduling Appointments
• Calling patients from waiting room
• Posting information outside exam room
• Conversations among providers
• Architectural considerations
• Sign-In Sheets
• Dr. Taylor’s practice utilizes patient sign-in sheets which patients sign when they arrive for an appointment. When Dr. Taylor is ready for her next appointment, the nurse calls out the patient’s name in the waiting room notwithstanding that there are others in the room as well.
• The intent of the regulations was not to prohibit this type of practice, but to make sure reasonable safeguards are put into place. Each provider will need to make their own business decisions regarding what these safeguards must be. There are reasonable options to these practices.
STAFF TRAINING
• Document for every employee with access to PHI
• Entire workforce must be trained prior to compliance date.
• New employees must be trained within reasonable time
Impact on Internship Students
• Workforce Training
• Sign Confidentiality Statements
• Demonstrate knowledge of standards
• Receive PHI only as required for the assignment
• Do not disclose PHI orally or in writing
• Respond appropriately to various situations
More Information
• www.ama-assn.org
• www.texmed.org
• www.ahima.org
• http://thomas.loc.gov
• www.mgma.com
• www.wedi.org
• www.hhs.gov/ocr/hipaa
• www.ncqa.org
• www.the-medicare.com
• www.cms.gov
• www.healthlawyers.org
• www.privacyassociation.org
Additional Websites
• AdvanceforHIM.com
• WhatIs.techtarget.com
• Webopedia.com
• NIST.gov
• Goggle.com
• HIPAAadvisory.com
• WEDI.org
• HIMinfo.com
• CMS.gov
• CDC.org
RESOURCES
• Model Forms
  http://www.ama-assn.org/ama/pub/category/6698.html
• Physician Compliance Report
  www.hcmarketplace.com
• Medical Office Manager: Newsletter for Physician Officer Administrators
  www.ardmorepublishing.com
PREPARE FOR THE FUTURE
• EDI transaction and code sets
• Security guidelines for technical components of protecting access to PHI
• Medical Errors & Documentation
• Patient Participation In Documentation
• The Paperless Office