TRANSCRIPT
HIPAA Privacy: The Morning After Panel
What do we do now?
William R. Braithwaite, MD, PhD (moderator), Washington, DC
Ross Hallberg, Corporate Compliance Officer, John Muir/Mt. Diablo Health System, Walnut Creek, CA
Ronald Margolis, Chief Information Officer, University Hospitals, University of New Mexico, Albuquerque, NM
Tina Sernick, Manager, Deloitte & Touche LLP, New York, NY
Principles of Fair Info Practices
Notice – Existence and purpose of record-keeping systems must be known.
Choice – Information is:
– collected only with knowledge and permission of subject.
– used only in ways relevant to the purpose for which the data was collected.
– disclosed only with permission or overriding legal authority.
Access – Individual right to see records and assure quality of information.
» accurate, complete, and timely.
Security – Reasonable safeguards for confidentiality, integrity, and availability of information.
Enforcement – Violations result in reasonable penalties and mitigation.
Individual’s Rights
Individuals have the right to:
– A written notice of information practices from health plans and providers.
– Inspect and obtain a copy of their PHI (DRS).
– Obtain an accounting of disclosures.
– Amend their records.
– Request restrictions on uses and disclosures.
– Accommodation of reasonable communication requests.
– Complain to the covered entity and to HHS.
E-mail
Misconception: HIPAA prohibits email between doctor and patient.
Fact: HIPAA allows it. The encryption requirement on internet transmissions was reduced to ‘addressable’ so that such interactions could continue.
Drug Reps
Misconception: HIPAA prohibits drug reps from coming into the back office.
Fact: Given that reasonable efforts have been made to prevent incidental disclosures (to other patients, fax repairman, etc.), HIPAA does not prohibit such activity. HIPAA does, however, prohibit sharing PHI with drug reps (and others) without patient authorization.
Prescriptions
Misconception: Friend can’t pick up prescription without written permission (authorization) from patient.
Fact: Specifically allowed in HIPAA.
Family
Misconception: Doctor can’t talk to family about patient without written permission.
Fact: Specifically allowed in HIPAA unless patient objects.
Medical Decisions
Misconception: HIPAA sets new rules for who can make medical decisions for patients.
Fact: HIPAA defers such decisions 100% to state law.
Medical Records
Misconception: Medical Records department can’t send records to MD office for follow-up without patient authorization.
– Newspapers report “lengthy and complicated legal forms are required.”
Fact: Any PHI may be disclosed to any health care provider for treatment purposes without patient permission of any kind.
– Note: does not conflict with state law, which MAY require such permission.
Marketing
Misconception: HIPAA prevents any marketing activity without patient permission.
Fact: New definition of “marketing” excludes most activity commonly thought of as marketing as long as it has something to do with health.
– e.g., drug switch letters are not “marketing” under the privacy rules.
Costs
Misconception: Complying with HIPAA is extremely costly and will push health care organizations to bankruptcy.
Fact: Most requirements of HIPAA privacy are things that should already be in place. The cost of new documentation requirements is more than offset by savings from implementation of transaction standards.
Directory
Misconception: HIPAA does not allow a hospital to list patients in their directory without their explicit permission.
Fact: Although the patient must be given the opportunity to object, no permission is required.
– Routinely, when asked for by name, hospital may disclose location and general condition of patient.
– If patient objects, no information may be disclosed without authorization.
Clergy
Misconception: Clergy cannot get a list of patients with their religions.
Fact: Unless a patient objects, clergy may receive a list of patients with their location, general condition, and religious preference.
– If a patient objects, they must be left off such a list.
Mandated Disclosures
Misconception: HIPAA mandates new disclosures (including to law enforcement) and removes the right to consent.
Fact: HIPAA requires disclosure of PHI in only two cases:
– Patient access to their own PHI is required.
– HHS access to PHI when investigating a complaint.
– All other use and disclosure is permissive -- NOT required.