IMPLEMENTING THE HIPAA PRIVACY RULES
Presentation to the Coalition of Voluntary Mental Health Agencies
May 31, 2002
Prepared By: Robert Belfort, Kalkines, Arky, Zall & Bernstein LLP, 1675 Broadway, Suite 2700, New York, New York 10019, (212) [email protected]
KALKINES, ARKY, ZALL & BERNSTEIN LLP HIPAA Compliance Presentation - May 31, 2002

A BRIEF HISTORY OF THE PRIVACY RULE
8/21/96: Enactment of HIPAA Statute
8/21/99: Deadline for Congressional action
11/3/99: Proposed rule issued
12/28/00: Final rule adopted
3/14/01: Final rule reopened for comment
4/14/01: HHS adheres to final rule
7/6/01: HHS issues guidance
3/27/02: Modifications to rule proposed
4/26/02: End of comment period on proposed changes
Summer 2002?: Adoption of changes to rule
4/14/03: Compliance date

KEY COMPLIANCE ISSUES
Proper use and disclosure of protected health information (PHI)
Application of “minimum necessary” standard
Execution of business associate contracts
Accommodation of patient rights
Creation of administrative, physical and technical safeguards
Issuance of privacy notice
Appointment of privacy officer

WHAT IS PHI?
Individually identifiable health information
– created or received by provider, plan, clearinghouse or employer
– relates to individual’s health, provision of care or payment for care
– identifies or could reasonably be used to identify the individual
Transmitted or maintained in any form

HOW CAN PHI BE USED OR DISCLOSED?
Type of Use or Disclosure: Patient Approval Required?(1)
Treatment, payment and health care operations: Consent optional (subject to limited exceptions)
Psychotherapy notes for most purposes: Authorization required
Certain marketing and fundraising activities: No authorization required
Facility directories, family members and disaster relief: Opportunity for oral objection by patient
IRB-approved research following specified protocols: No authorization required
“National Priority” disclosures: No authorization required
Other uses and disclosures not subject to specific exception: Authorization required
(1) Assumes adoption of proposed amendments to rule.

WHAT ARE HEALTH CARE OPERATIONS?
Quality improvement
Reviewing provider qualifications and performance
Underwriting, rating and related activities
Medical review, legal services and auditing
Business planning and development
Business management and general administration

WHAT ARE PSYCHOTHERAPY NOTES?
Recorded by a mental health professional
In any medium
Documenting or analyzing contents of conversation during private or group counseling session
Separated from rest of medical record
Excludes medication monitoring, session times, modalities of treatment, test results and summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress

WHEN MAY PSYCHOTHERAPY NOTES BE DISCLOSED?
By originator for treatment
Mental health training programs
Defense of legal action brought by patient
Certain health oversight activities

WHAT ARE THE ELEMENTS OF AN AUTHORIZATION?
Must specifically identify information being disclosed, its recipients and purpose of disclosure
May not be combined with other documents
Must include expiration date or event
Must be signed by patient or personal representative

MARKETING EXCEPTION
Types of marketing permitted without authorization
– face-to-face
– products or services of nominal value
In name of covered entity
Disclosure of remuneration
Opt out procedures
Determination and disclosure of patient benefit if health status-based

FUNDRAISING EXCEPTION
By covered entity, business associate or related foundation
Disclosable or usable information
– demographic information
– dates of care provided
Opt out procedures

NATIONAL PRIORITY DISCLOSURES
Required by law
Public health
Neglect and abuse
Health oversight
Legal proceedings
Law enforcement
Decedents
Cadaveric donations
IRB-approved research
Health or safety threat
Specialized government functions
Workers’ compensation

“MINIMUM NECESSARY” STANDARD
When using or requesting protected health information, covered entities “must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

EXCEPTIONS TO MINIMUM NECESSARY
Treatment
Disclosures to other covered entities
Compliance with law
Disclosures pursuant to patient’s authorization
Disclosure to patient

IMPLEMENTING MINIMUM NECESSARY
Internal role-based access
Policies and procedures for routine disclosures
Criteria for all other disclosures

WHO IS A BUSINESS ASSOCIATE?
Provides specified functions to or on behalf of covered entity
Exceptions
– Members of workforce
– Members of hospital medical staff
– Members of “organized health care arrangement”
– Plan sponsors
– Financial institutions processing consumer transactions
– “Conduits”

WHO IS A BUSINESS ASSOCIATE?
Yes
– Billing companies
– Computer maintenance vendors
– Transcription services
– Attorneys
– Accountants
– Compliance consultants
No
– Employees
– Student trainees
– Federal Express
– AOL
– Referring providers
– Third party payers

BUSINESS ASSOCIATE CONTRACTS
Permitted uses and disclosures
Adoption of safeguards and reporting of unauthorized disclosures
Compliance by subcontractors
Access, amendment and accounting by patients
Access by HHS
Return or destruction of records if feasible
Termination for material breach

WHEN MUST BUSINESS ASSOCIATE PROVISIONS BE IN PLACE?
Contract Status: Compliance Date
Executed on or after April 14, 2003: Date of execution
Executed prior to April 14, 2003 with no amendments or renewals prior to April 14, 2004: April 14, 2004
Executed prior to April 14, 2003 with amendment or renewal between April 14, 2003 and April 14, 2004: Date of amendment or renewal

WHEN ARE YOU LIABLE FOR BUSINESS ASSOCIATES?
If covered entity knows of improper pattern of activity or practice
Covered entity must take reasonable steps to cure breach
If cure unsuccessful, covered entity must
– terminate, if feasible; or
– report problem to HHS

PATIENT ACCESS TO PHI
Access or copies
Time frames
Appeal rights
Reasonable copying charges
Exception for psychotherapy notes

PATIENT AMENDMENT OF PHI
Time frames
No obligation to amend
Informing other entities
Statement of disagreement

ACCOUNTING OF DISCLOSURES
Accounting Required
– To HHS
– Permitted marketing
– Permitted fundraising
– Research without patient authorization
– Public interest purposes not covered by exemption
Accounting Not Required
– Treatment, payment and health care operations
– Individual’s written authorization
– To individual
– Pursuant to oral agreement
– National security or intelligence
– Correctional institutions or law enforcement agencies

WHAT SAFEGUARDS ARE REQUIRED?
Type of PHI: Scope of Safeguards
Electronic: Rely on proposed security rules
Paper: Proposed security rules, where applicable; faxes; public postings; file cabinets
Oral: Proposed security rules, where applicable; telephone; hallway conversations; public announcements

KEY ELEMENTS OF PRIVACY NOTICE
Mandated header
Permitted uses and disclosures (examples)
Separate statement for certain uses
Individual rights
Covered entity’s duties
Complaints
Contact information

PRIVACY NOTICE — DISTRIBUTION REQUIREMENTS
Provide at first contact after compliance date
Make good faith effort to obtain written acknowledgement
Make available on-site at patient request
Make available by mail at patient request
Post on-site in conspicuous location

PRIVACY OFFICER DUTIES
Oversee implementation of policies and procedures
Answer questions
Handle complaints
Investigate privacy breaches
Conduct audits
Review contracts
Coordinate employee training

RELATIONSHIP TO STATE LAWS
HIPAA provides floor but not ceiling — more stringent state laws not pre-empted
Exceptions
– Certain state public health and auditing laws
– HHS determination based on specified factors

SAMPLE COMPLIANCE TIMELINE
(Timeline chart running from May 2002 through September 2002, January 2003 and April 2003)
Education
Gap Analysis
Remediation
Testing
Training

ALTERNATIVE COMPLIANCE TIMELINE
(Timeline chart running from May 2002 through September 2002, January 2003 and April 2003)
Procrastination
Infighting
Half-hearted efforts
Panic
Finger-pointing

DEFINE THE COVERED ENTITY
Affiliates
Hybrid entities/health care components
Organized health care arrangements

CONSIDERATIONS IN DEFINING ENTITY
Standardization of policies
Centralization of administration
Sharing of information
Liability concerns

GAP ANALYSIS OPTIONS
(Chart positioning each option by staff resources and financial resources, each ranging from low through moderate to high)
On-site Consultants
Professional Self-Assessment Tool
Self-Assessment

CREATE PHI FLOW CHART
(Flow chart of PHI moving among: Patient, Clinician, Registration, Billing, Medical Records, Other Providers, Accounts Receivable, Payers, DOH, QA, Finance, Collection Agency)

ANALYZE EACH USE AND DISCLOSURE
Consent or authorization required?
Minimum necessary applicable? Satisfied?
Business associate contract required? In place?
Subject to accounting? Recorded?

REVIEW PATIENT RIGHTS’ POLICIES
Access and copying of records
Amendment of records
Restriction on uses

REVIEW ELECTRONIC DATA SAFEGUARDS
Administrative policies
Physical plant security
Technical security measures
– catalogue hardware and software (Y2K inventory)
– compare security features to security regulations

REVIEW OTHER POLICIES AND PRACTICES
Fax
File cabinets
Telephone
Waiting room procedures
Hallway conversations
Posted information

EVALUATE COMPLIANCE OPTIONS
Prioritize initiatives
Reasonableness considerations
Scalability
Documentation
Maintaining confidentiality

KEY REMEDIATION STEPS
Revise policies and procedures
Document policies and procedures
Execute business associate contracts
Upgrade security of software and hardware
Secure physical plant
Prepare privacy notice, consent and authorization form
Appoint privacy officer

CONDUCT EMPLOYEE TRAINING
Differentiate by employee roles
Initial training before April 14, 2003
Build into hiring process
Regular refresher training

TRAINING OPTIONS
Internal trainer
Outside attorney or consultant
Written manual
Videotape or CD-ROM

CIVIL PENALTIES
$100 per violation
$25,000 per year cap for each type of violation
Cooperative approach by HHS
– reasonable diligence standard
– technical assistance
– informal dispute resolution

CRIMINAL PENALTIES
Offense: Maximum Fine; Maximum Prison Term
Use of unique health identifier, or acquisition of individually identifiable health information (“basic offense”): $50,000; One Year
Basic offense under false pretenses: $100,000; Five Years
Basic offense for commercial advantage, personal gain or malicious harm: $250,000; Ten Years

HELPFUL WEB SITES
http://aspe.hhs.gov/admnsimp
http://www.hhs.gov/ocr/hipaa
http://snip.wedi.org
http://www.cpri-host.org
http://www.ahima.org