A general review of HIPAA standards and privacy practices 2016
Regulations covered:
- 45 CFR, Part 164: Health Insurance Portability and Accountability Act; Treatment, Payment and Healthcare Operations
- 42 CFR, Part 2: Confidentiality of Alcohol and Drug Abuse Patient Records
- 41 CFR, Parts 412, 413, 422, and 105: HITECH
- Workplace Reminders
Health Insurance Portability and Accountability Act of 1996 (HIPAA): effective April 2003.
- Created standards for privacy and security of personal health data.
- Established standardized patient rights.
- Established the minimum necessary standard for disclosure of protected health information (PHI).
- Mandates annual privacy training for all healthcare employees and a designated Privacy Officer (PO).
Definition of healthcare entity: a healthcare provider, healthcare payer, or healthcare clearinghouse that processes healthcare claims electronically. If the other party is not a healthcare entity, a business associate agreement (BAA) with specific HIPAA language should be in place.
The major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information except as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.
Allows for disclosure of PHI without written consent when used for treatment, payment and health care operations (TPO) between covered entities:
- Provider (entity) to another provider (entity): referred care
- Provider to insurance company
- Provider to another provider of other related services:
  - Transportation services: specialized van/bus
  - Durable medical equipment: home deliveries of medical equipment and/or supplies; discharge planning
Treatment: the provision, coordination, or management of health care and related services for an individual by one or more health care providers. PHI may be disclosed to other providers involved in patient care, including diagnostic, rehabilitative, maintenance, or palliative care:
- Diagnostic services
- Therapies (OT, PT, chemo)
- Hospice, home healthcare agencies
Payment: PHI can be disclosed to third party payers (Medicare, Medicaid, private insurance companies, worker's compensation) for reimbursement, pre-authorization, and utilization review activities:
- Was medical necessity documented?
- Were clinical measures met?
- Billing audits
Healthcare operations: administrative, financial and legal activities of the organization:
- Training and education, internal and external: signed collaborative agreements with higher education institutions; internal privacy training with the PO
- Statistical reporting for funding (IHS, grants): generally de-identified, but some information may be patient specific
- Public health activities: immunizations only may be disclosed to schools
- Mandated reporting: child abuse and neglect; communicable diseases; other required reporting for medico-legal reasons
Certain law enforcement activities are allowed under 45 CFR 164.512 (f)(1)(ii)(a,b,c):
- Death as the result of a (suspected) crime
- Victim of crime: gunshots and stabbings
- Warrants, subpoenas, and court orders: must be signed by a judge, not a clerk or attorney; on official letterhead and compliant with HIPAA
- Valid requests for PHI/records go to HIM; other administrative requests go to Administration
- Tribal attorneys notified
Notice of privacy practices: given to all patients effective April 13, 2003.
- Details patient rights and how the entity may disclose PHI
- Details the HIPAA privacy rule; includes two examples each of treatment, payment and health care operations
- Updated notice September 2013 for HITECH changes; found on the website and posted in each health center lobby
- In addition, the SNHS Privacy Policy is on Policy Tech
Patient rights:
- To access information
- To obtain a copy of information
- To request an amendment to his/her information if the patient believes it contains an error
- To request a restriction for disclosure (HITECH: a patient who pays for a claim in full can restrict disclosure to the third party payer)
- To file a privacy complaint
Requests should be in writing and signed by the patient.
Not all requests have to be approved. The process for amendments can take up to 90 days: an amendment can only be approved by the author of the note, and it must be a valid request; facts cannot be altered because the patient didn't like what was documented. A restriction for disclosure does not have to be approved if it interferes with treatment, payment and health care operations. HITECH: the restriction to a third party payer is the only one that has to be honored.
Certain information is considered sensitive and requires specific authorization before disclosure. The Authorization for Disclosure form (ROI) needs to be checked and signed for:
- Drug and alcohol abuse treatment records
- HIV and AIDS, including testing
- Mental health and psychotherapy notes
- Sickle cell anemia
- STDs, as part of SNHS practice
The Behavioral Health Unit (BHU) follows HIPAA regulations, but the more stringent guidelines under 42 CFR, Part 2, take precedence. The patient/client must specifically indicate and sign for disclosure of sensitive information. BHU employees should refer to 42 CFR, Part 2 and departmental policies for specific information regarding disclosure.
Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any drug abuse prevention function shall be confidential and be disclosed only for the purposes authorized under subsection (b) of this section.
Whether or not the patient gives his written consent, the content may be disclosed as follows:
- To medical personnel to meet a bona fide medical emergency.
- To qualified personnel for the purpose of conducting scientific research.
- If authorized by an appropriate order of a court of competent jurisdiction.
A specific form is used if the disclosure is not for TPO. The patient or personal representative must have legal authority to sign:
- Over 18 years of age, unless an emancipated minor
- Power of attorney that specifically states healthcare
- Legal guardian appointed by a court of competent jurisdiction
- Either natural parent may sign unless legally unable to do so
- A minor may sign for his/her own child
HIPAA is clear on releasing only the minimum necessary: protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or to carry out a function. This is a key element of the HIPAA Privacy Rule. Entities must enhance efforts to limit unnecessary or inappropriate access.
A covered entity is also required to develop role-based access policies and procedures that limit which members of its workforce may have access to protected health information for treatment, payment and healthcare operations, based on who needs access to the information to do their jobs. Who? Why? What type of access? Access is based on need-to-know for work related duties.
Employees should not look up their own or family members' information unless it is a normal function of their duties. If information is needed, follow the proper procedure: ROI, appointments or scheduling, referrals, test results, etc. Don't look because you have an inquiring mind!
HIPAA doesn't require soundproofing or extensive remodeling, but healthcare entities should make reasonable efforts to minimize incidental disclosure: change passwords, limit EMR access based on job duties, annual privacy training. Practice auditory privacy. EMR systems have different levels of access, including the Practice Management (PM) system for billing and financial reports, and the Electronic Medical Record (EMR) for patient records.
41 CFR, Parts 412, 413, 422 and 105, Health Information Technology for Economic and Clinical Health (HITECH); 45 CFR, Part 170, effective February 2009 for entities using an EMR system:
- Established security standards for entities.
- Established meaningful use in Stages 1-3.
- Established stringent breach assessment guidelines.
- Provides incentives if standards are met; however, this expires after 2016.
Established national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Mandates that entities have an Information Security Officer (ISO) responsible for security.
Personally identifiable information (PII) obtained during the course of daily business must also be protected. Examples of PII: name, address, SSN (most often cited), date of birth, account numbers, phone number, e-mail address, medical record number, photo, any license or ID number. Exposure creates the potential for identity theft, healthcare fraud and prescription abuse.
Patients have the right to alternative means of communication: phone, e-mail, letter, a different mailing address. When leaving messages, don't be too specific; less is better. Do not give out test results or details of treatment or referral plans when leaving voice messages. Keep the message brief: "This is Jane at the health center calling for John. Please call back at this number and extension."
Social media is not a secure method of communication. Do not post PHI/PII or other official communications on social media. SNHS is not set up to text PHI; employees should not use personal cell phones to contact patients, since they are not secure and patients' phone numbers are protected (PII). Photos should not be taken of patients without proper consent. Never post patient photos to social media!
PHI can be e-mailed to an outside e-mail address if it is the patient's preference. Advise the patient that the message may not be secure and is at risk of incidental disclosure (hacking). The message should be encrypted; see the attachment for how to encrypt at SNHS. This process will be changing in the coming months. Do not place the patient's name, SSN, or DOB in the subject line.
Encrypting a message at SNHS:
1. After the new message has been created and before it is sent, click on Options on the message header.
2. Expand the options by clicking on the small arrow in the bottom right corner to open up the Properties.
3. Change the Sensitivity level to Confidential before sending the message.
Patient portal: required as part of HITECH Stage 2 of meaningful use for entities using an EMR system. It is an alternative means of communication; patients need to sign up at Registration. It provides electronic access to only certain PHI in the EMR. A new portal application will be purchased in the future.
- Lock the monitor (control-alt-delete) when leaving the computer unattended.
- Limit access to your office or work station to avoid an incidental disclosure.
- Practice auditory privacy: don't discuss patient care if others can overhear.
- Limit printing, and when done, shred or dispose of documents properly. No strip shredders for PHI or PII.
- Use common sense: place documents face down on the desk.
- Never give out or share your password. Your level of access and the audit trail are tied to it.
Penalties, civil and criminal, can be issued. The US Office of Civil Rights (OCR) investigates privacy complaints for non-compliance. The employee and/or the entity can be held responsible for non-compliance. Fines and/or incarceration can be levied. The US Department of Justice is responsible for prosecution.
HHS/OCR investigated resolutions, April 14, 2003 to March 31, 2013:
- No violations: 9,146 (34%)
- Investigation and enforcement: 19,306 (66%)
Most common issues found:
- Impermissible uses and disclosure: not permitted under TPO, or unauthorized disclosure
- Lack of safeguards of PHI: administrative, technical and physical
- Lack of patient access to PHI: restricted disclosures to the patient
- Uses and disclosures more than minimally necessary
- Lack of PHI administrative safeguards: access policies, need-to-know
Privacy complaints against the organization or an employee can be made by a patient, an employee or the general public. The SNHS complaint/grievance process will be used; contact the Privacy Officer for guidance. The PO does not take action against the employee; the supervisor and HR are responsible for following the disciplinary process if the complaint is found to be valid. Disciplinary action, including termination, may result from a breach or unauthorized disclosure. SNI HR policy also requires confidentiality.
Case example: pharmacy records were disposed of in unsecured containers. They were not shredded and contained personally identifiable information (PII) regarding specific patients. The organization had failed to implement written policies and procedures as required by HIPAA. The organization was fined $125,000, and corrective action included implementing policies and developing and providing training for staff.
Case example: a nurse and an orderly at a hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure (non-compliant with auditory privacy). Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter.
Among other actions taken, the hospital took further disciplinary action with the nurse, which included one year of probation, referral for peer review, and further training on HIPAA Privacy. In addition to corrective action taken under the Privacy Rule, the organization entered into a monetary settlement agreement with the patient.
Case example: a hospital employee's supervisor accessed, examined, and disclosed PHI from the employee's medical record. OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized and was not otherwise permitted by the Privacy Rule. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not.
Corrective actions to resolve the specific issues in the case: a letter of reprimand was placed in the supervisor's personnel file, and the supervisor received additional training about the Privacy Rule. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate.
References:
- 45 CFR, Parts 160 and 164
- 42 CFR, Part 2
- 41 CFR, Parts 105, 412, 413, 422
- Centers for Medicare and Medicaid Services
- US Office of Civil Rights
- Indian Health Service
- SNI HR Policy