
August 8, 2011
Leslie J. Pfeffer, BS, CHP

Health Insurance Portability and Accountability Act

• HIPAA Privacy Rule – April 14, 2003
• HIPAA Security Rule – April 21, 2005
• HITECH Act – February 17, 2009
• Final Rule – 2011
• Accounting of Disclosures NPRM – June 2011

2

HIPAA - Terms: Covered Entity (CE)

Healthcare Organizations who conduct financial and administrative transactions electronically*
• Health Plans (Anthem, Medicare, Medicaid, etc.)
• Healthcare Clearinghouses (Claims Processing)
• Healthcare Providers (Physicians, Dentists, Optometrists, Chiropractors, Pharmacies)
• Not Pharmaceutical Companies
• Not Physicians/Providers who bill all claims on paper

* Qualified electronic transactions – must meet the requirements of the electronic code sets established by HIPAA

3

HIPAA - Terms: Workforce

HIPAA defines the workforce to include "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity."

Persons who do not fall in these categories, but nonetheless perform services on behalf of the covered entity, would be considered part of the workforce of a Business Associate.

4

HIPAA - Terms: Business Associate

A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
• Not a member of the CE's workforce
• Need a Business Associate Agreement
• Another CE can be a Business Associate to a CE
• Business Associate requirements do not apply to CEs who disclose PHI to providers for treatment purposes

5

HIPAA - Terms: Protected Health Information (PHI)

Individually identifiable health information, transmitted or maintained in any form or medium, including demographic information, that:
• Is collected from an individual
• Includes demographics such as name, address, insurance
• Is created or received by a covered entity
• Relates to past, present or future physical or mental health conditions
• Relates to past, present or future payment
• Gives a reasonable basis to believe the information can be used to identify an individual

6

HIPAA - Terms: Minimum Necessary

HIPAA requires you to take reasonable steps to limit the Use of, Disclosure of, or Request for PHI to the "Minimum Necessary" to accomplish the intended purpose.

Reasonableness Standard calls for best practice.

7

HIPAA – Indiana University: IU - Hybrid Covered Entity

Covered components include:
• School of Dentistry
• School of Optometry
• IUB Health Center (soon IUPUI Health Center)
• Speech & Hearing Clinics Bloomington
• IU Health Plan (self-administered)

This means these areas conduct "Qualified" electronic transactions such as claims submissions using Indiana University's Tax ID.

8

HIPAA – Indiana University

HIPAA applies directly to the Covered Components:
• IU School of Dentistry
• IU School of Optometry
• IU Speech & Hearing
• IU Health Center Bloomington

HIPAA applies to:
• Faculty associated with most Health Science Schools*
• Staff associated with most Health Science Schools*
• Researchers involved in Human Subject Research

* Including those in the IU School of Medicine

9

HIPAA – Major Concepts: Provide Notice of Uses/Disclosures

How the organization might use the PHI:
• Treatment
• Education
• Fundraising
• Research

Patient's Rights Under HIPAA:
• Inspect & Copy PHI
• Request an Accounting of Disclosures
• Notice of Privacy Practices
• Permission to Use PHI
• File a Complaint

Permission to access and use PHI for Research

10

HIPAA – Major Concepts: Safeguard PHI during use & disclosure
• Administrative
• Physical
• Technical

HIPAA Awareness Training of Workforce

All Forms of PHI:
• Paper
• Electronic
• Oral Communication

11

HIPAA – Allowed Uses

A Covered Entity or Covered Component may use/disclose PHI to carry out certain Healthcare Functions without a written authorization from their patients:
• Treatment
• Payment and
• Healthcare Operations

aka TPO

12

HIPAA – Allowed Uses: Healthcare Operations

Tasks necessary to run a business:
• Quality Assurance/Assessments
• Accounting
• Consulting Services
• Transcription
• Auditing
• Education

* Research is not part of Healthcare Operations

13

HIPAA – Allowed Uses: Required Notifications
• Disclosures required by law
• Disclosures to public health authorities (Registries, Public Notification requirements)
• Disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA

* Requires an Accounting of Disclosure

14

Access to PHI for Research

Since Research is not part of:
• Treatment
• Payment or
• Healthcare Operations

Need HIPAA Authorization (patient's permission) to use health information for research; or IRB (Privacy Board) approved Waiver of Authorization.

Must comply with the Minimum Necessary.

15

HIPAA – Exceptions: De-identified Data
• Names
• Geographic designations smaller than a State
• Dates relating to the individual
• Telephone numbers
• Fax numbers
• E-mail address
• Social Security number
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers, including license plates
• Device identifiers/Serial Numbers
• Universal resource locators (URLs)
• Internet protocol (IP) address numbers
• Biometric identifiers – finger & voice prints
• Full face photographic images & comparable images
• Any other unique identifying number, characteristic, or code.

16

HIPAA – Exceptions: Limited Data Set

Limited types of identifiers can be released for research purposes (a Limited Data Set). Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient.

The Limited Data Set can contain:
• Elements of Dates
• City, town, state, and ZIP
• Other unique identifiers, characteristics and codes not previously listed as direct identifiers

17
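The two preceding slides describe two different outputs from the same patient record: a de-identified record, with every listed identifier category removed, and a Limited Data Set, which keeps dates and city/state/ZIP but still strips the direct identifiers and may only leave the covered entity under a Data Use Agreement. The Python below is an added illustration of both transformations and is not code from the presentation or from Indiana University. The field names, the sample record and the free-text patterns are assumptions constructed for the example; dates are dropped whole in the de-identified output, matching the slide's category list.

```python
"""Added worked example (not from the presentation): derive a de-identified
record and a Limited Data Set from one patient record, using the identifier
categories listed on the slides. Field names and sample values are constructed."""
import re
from copy import deepcopy

# Direct identifiers: stripped from BOTH the de-identified record and the
# Limited Data Set (the slide lists these as identifiers an LDS cannot contain).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_plate", "device_serial", "url",
    "ip_address", "biometric", "photo", "street_address",
}
# Removed for de-identification but allowed in a Limited Data Set.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
SUBSTATE_GEO = {"city", "zip"}   # "state" itself stays in both outputs

# Patterns that catch identifiers leaking through free-text notes
# (a constructed, deliberately small rule set for illustration).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN-like
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),   # phone/fax-like
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),          # e-mail address
    re.compile(r"https?://\S+"),                      # URL
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),       # IPv4 address
]


def scrub_text(text: str) -> str:
    """Replace identifier-looking substrings in free text with a marker."""
    for pat in FREE_TEXT_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


def _scrub_strings(record: dict) -> dict:
    """Apply scrub_text to every string value so notes cannot re-identify."""
    return {k: scrub_text(v) if isinstance(v, str) else v for k, v in record.items()}


def de_identify(record: dict) -> dict:
    """De-identified data: drop every identifier category on the slide."""
    drop = DIRECT_IDENTIFIERS | DATE_FIELDS | SUBSTATE_GEO
    return _scrub_strings({k: v for k, v in deepcopy(record).items() if k not in drop})


def limited_data_set(record: dict, data_use_agreement_signed: bool) -> dict:
    """Limited Data Set: keep dates and city/state/ZIP, drop direct identifiers,
    and refuse release unless a Data Use Agreement is in place."""
    if not data_use_agreement_signed:
        raise PermissionError("Limited Data Set requires a signed Data Use Agreement")
    return _scrub_strings(
        {k: v for k, v in deepcopy(record).items() if k not in DIRECT_IDENTIFIERS}
    )


# Constructed sample record with fictitious values.
SAMPLE = {
    "name": "Jane Example", "street_address": "1 Example St", "city": "Bloomington",
    "state": "IN", "zip": "47405", "dob": "1970-05-02", "admit_date": "2011-03-14",
    "phone": "317-555-0100", "email": "jane@example.invalid", "ssn": "000-00-0000",
    "mrn": "MRN-000001", "diagnosis": "J45.20",
    "notes": "Follow-up call to 317-555-0100; portal https://portal.example.invalid/x",
}

if __name__ == "__main__":
    print(de_identify(SAMPLE))
    print(limited_data_set(SAMPLE, data_use_agreement_signed=True))
```

The free-text scrub is the part practitioners most often forget: removing structured identifier columns does nothing if a clinician typed the phone number into a notes field, and the slide's catch-all category ("any other unique identifying number, characteristic, or code") is exactly what such text tends to carry.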

HIPAA – Limited Data Set

18

HIPAA – Other Exceptions: Reviews Preparatory to Research

Covered entity must obtain representation from the researcher:
• The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose;
• PHI will not be removed from the covered entity; and
• PHI is necessary for research purposes

19

HIPAA – Other Exceptions: Decedent Information

Researcher must represent:
• Use or disclosure solely for research on decedents' information
• PHI is necessary for research, and
• Individual is a decedent, and provide documentation upon covered entity's request.

* Even though an authorization is not required, this access requires an Accounting of Disclosure

20

Accounting

Privacy Rule grants to a patient a right to request and receive an accounting for some "disclosures" of PHI, including disclosures made in connection with certain research projects.

An accounting is a record of each disclosure of each patient's PHI. A right to an accounting only applies to disclosures of PHI, not to uses of PHI.

21

Definitions: Use & Disclosure

USE: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

DISCLOSURE: Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

22

Accounting

When a Covered Entity discloses PHI without the permission of the individual, the CE must provide the individual with an accounting of disclosures upon request.

Accounting must include:
• Date of the Disclosure
• Name of the entity or person who received the PHI
• A brief description of the information disclosed
• A brief purpose of the disclosure (research study xyz)

23

Accounting

If more than 50 records accessed (used/disclosed) for research purposes:
• Form sent to the appropriate Medical Records Department to notify individuals their record may have been accessed.
• All the information listed on the previous page

If fewer than 50 records accessed, must indicate in each individual record the appropriate information.

24

HIPAA – Research Uses: Recruitment

HIPAA - Recruitment is Research
• Special Rules for Research apply to Recruitment
• Authorization: May need an authorization to recruit or Waiver of authorization

25

HIPAA - Authorization
• Must contain "core elements" & "required statements"
• Signed copy must be given to the individual
• May need to obtain Authorization for the use or disclosure of PHI to create/maintain an IRB approved repository or database
• Must be for a specific research study
• Authorization for future, unspecified research is not permitted
• Must have an Expiration date (can be indefinite but must be identified as such)
• Subject must have ability to "revoke" (include exceptions and process)
• Minimum Necessary Rule Applies

26

HITECH Act 2009

Health Information Technology for Economic and Clinical Health (HITECH) Act, Part of the American Recovery & Reinvestment Act (ARRA) of 2009
• HITECH creates significant incentives for an expanded use of electronic health records
• Clarified Criminal & Civil Penalties
• Increased Civil Monetary Penalties
• Expansion of Privacy & Security Provisions & Penalties to Business Associates
• Breach Notification Requirement

27

HITECH Act 2009: Increased Civil Monetary Penalties

Violations occurring after Feb. 18, 2009

Tier based on nature of violation: Unknowing (least severe) to Willful Neglect (most severe)
• Per Violation per Person: $100; $1,000; $10,000 and $50,000
• Annual maximum: $25,000; $100,000; $250,000; and $1.5 million.

28

HITECH Act 2009Business Associates

Business Associates must comply with the HIPAA Privacy Rule

Business Associates must comply with the HIPAA Security Rule The administrative, physical and technical

safeguards of the HIPAA Regulations applies directly to Business Associate

Imposes additional obligations upon Business Associates & their subcontractors regarding policies, procedures and documentation

29

HITECH Act 2009: Business Associates
• Will require Business Associate Agreements to be revised
• Criminal and Civil Penalties applied to Covered Entities for violations of security and privacy regulations now will apply directly to Business Associates

30

HITECH Act 2009: Notification of Breach

Required to notify affected individual(s) of a breach of "unsecure" protected health information.

Applies to:
• Covered Entities
• Business Associates
• Vendors of Personal Health Records (PHR)

31

HITECH Act 2009: Definition of Unsecure

Unsecured protected health information is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the guidance.

Secure PHI: PHI which is encrypted will be considered "Secure"

32

HITECH Act 2009: Requirements of Notification
• Contact affected individuals in writing or electronically (with individual's permission)
• Posting on website (if 10 or more individuals have outdated contact information and there is not a reasonable way to notify them)
• If more than 500 people affected: notice shall be provided to prominent media outlets, and notice must be immediately sent to HHS

33

Notice of Proposed Rule Making
• Hybrid Entities: The non-covered components of a Hybrid Entity which provide services to covered components would be considered part of the covered components and HIPAA would apply directly.
• Minimum Necessary: Rule requires the Office for Civil Rights (OCR) to provide guidance to help define minimum necessary (no longer would be the discretion of the CE)
• Compound Authorization: Allow a single authorization to be used even when part of research might be conditioned and another part might be unconditioned.

34

Notice of Proposed Rule Making
• Authorization for Future Use: Allowing an authorization for future use.
• Decedents: Information would not be covered by HIPAA after an individual has been deceased for 50 years.
• Required Restriction: If a patient pays out-of-pocket for a medical service and requests that the covered entity not share this information with their insurer, the CE must accommodate this request (no option).
• Copy of Record: Electronic health record – the entity must be able to provide, at the patient's request, an electronic version of their PHI.

35

Notice of Proposed Rule Making
• Must account for disclosures related to treatment, payment and operations; and
• Must provide an access report to an individual that lists who accessed their designated record set – even within the covered entity.

36

Notice of Proposed Rule Making: Accounting of Disclosures Under the HITECH Act (June 30, 2011)

HITECH Act changed the Accounting Requirement by stating that the exceptions for Treatment, Payment and Healthcare Operations no longer apply to an electronic health record (EHR).

Under section 13405(c), an individual has a right to receive an accounting of such disclosures made during the three (3) years prior to the request.

Must also provide disclosures by Business Associates, or provide the names of the BAs for the individuals to contact.

37

Notice of Proposed Rule Making

Further indicates to apply this same requirement to the entire Designated Record Set, which will include Billing records.

38

Contact

Leslie J. Pfeffer, BS, CHP
HIPAA & Research Compliance
[email protected]
(317) 278-4521

39