Overview of HIPAA Administrative Simplification and Privacy Regulations
Darrel J. Grinstead, Partner
Amy B. Kiesel, Associate
Hogan & Hartson L.L.P.
Outline of Presentation
- HIPAA Overview
- Transactions and Code Set Rule
- Security Rule
- Privacy Rule
HIPAA Overview
- "Health Insurance Portability and Accountability Act of 1996"
- Regulations
  - Facilitate electronic exchange of health information
  - Protect the privacy and security of health information
HIPAA Regulations
- Final form:
  - Transactions and Code Set Rule
  - Security Rule
  - Privacy Rule
  - National Standard Employer Identifier Rule
- Remaining rules are unpublished or in proposed form.
Applicability
The regulations apply to "covered entities":
- Health care providers that electronically bill for services (e.g., most ambulance suppliers, physicians, hospitals),
- Health plans, and
- Health care clearinghouses.
Transactions and Code Set Rule
- Purpose
  - To encourage the use of electronic exchanges
  - To reduce the administrative burden associated with using different formats
- Specifies the content and format standards for eight common types of health information transactions.
Standard Transactions
Transactions are composed of:
- Format data – define and control the structure of the transaction (e.g., the data element is a dollar amount)
- Data content – all data elements and code sets inherent to a transaction and not related to the format of the transaction (e.g., the actual dollar amount)
Transactions
The eight standard transactions include:
- Health care claims or equivalent encounter information,
- Health care payment and remittance advice,
- Coordination of benefits,
- Health care claim status,
- Enrollment and disenrollment in a health plan,
- Referral certification and authorization,
- Eligibility for a health plan, and
- Health plan premium payments.
No standards have been promulgated for first report of injury and health claims attachments.
Compliance
Compliance required by Oct. 16, 2002, unless a compliance plan was submitted to CMS by Oct. 15, 2002, whereupon the compliance deadline was extended to Oct. 16, 2003.
Implementation
- HIPAA Awareness – understand the rule and educate the workforce.
- Operational Assessment – assess and identify internal implementation issues and develop a work plan to address the issues.
- Development and Testing – finalize development of, install, and train staff on, applicable software and perform all software and systems testing.
Security Rule
- Final rule published Feb. 20, 2003.
- Compliance required by April 21, 2005.
- Requires covered entities to:
  - Assess risks and vulnerabilities,
  - Maintain appropriate security measures, and
  - Document these methods.
Security Rule
Requires covered ambulance suppliers to:
- Apply administrative, physical, and technical safeguards
- That reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information
- That they create, receive, maintain or transmit.
Examples – Required Safeguards
- Administrative
  - Sanction policy
  - Business associate contracts
- Physical
  - Disposal of device and media controls
  - Workstation security
- Technical
  - Person or entity authentication
  - Unique user identification
Privacy Rule
- Applicability
- Uses and Disclosures
- Patient Rights
- Administrative Requirements
- Penalties
- Interaction with State Law
Compliance Date
Covered ambulance suppliers must be in compliance with the Privacy Rule by April 14, 2003.
Applicability of the Privacy Rule
- Applies directly to covered entities.
- Regulates protected health information maintained by covered entities.
Protected Health Information
Protected health information ("PHI") is information in any form that:
- Identifies or reasonably could be used to identify the patient,
- Relates to the past, present, or future health or condition of a patient, payment for care, or provision of care, and
- Is created or received by a covered entity, provider or employer.
Protected Health Information
It includes:
- Medical information
- Billing information
- Patient demographic information
- Information stored electronically
- Information you convey on the phone
- Information maintained on paper
Business Associates
Requires covered entities to contractually bind their business associates to some of the requirements of the Privacy Rule.
Definition
A business associate is an entity that
1. creates or receives PHI
2. to provide a service or function for or on behalf of a covered entity.
Examples - Business Associates
Disclosures of PHI to:
- An accreditation organization to perform accreditation services.
- A billing and collection service to assist with reimbursement.
- A transcription service to transcribe notes.
Examples - No Business Associate
Disclosure of PHI:
- To a provider for treatment of a patient.
- Inadvertently to a janitorial agency that provides cleaning services.
- To researchers for research purposes.
No business associate relationship exists with your employees.
Business Associate Agreements
You must enter into written agreements with your business associates to:
- Limit use and disclosure of PHI,
- Safeguard PHI, and
- Ensure certain patient rights (e.g., providing a patient with access to PHI).
Overview of Uses and Disclosures
Covered ambulance suppliers may use or disclose PHI only:
- For purposes expressly required or permitted by the rule, or
- With patient authorization.
Examples When Authorization Required
- To provide a list of names of patients involved in automobile accidents to a company that offers automobile insurance.
- To provide a list of patient names to a national association for the association's fundraising purposes.
Examples When Authorization Not Required
- To use and disclose PHI for your own treatment, payment and health care operations (TPO).
- To disclose PHI for the treatment or payment activities of another covered entity.
- In limited situations, to disclose PHI for the health care operations of another covered entity.
Health Care Operations
Generally, no authorization is required if the disclosure is:
- To a covered entity that also has a relationship with the patient, and
- For quality assessment and improvement activities, case management and coordination, fraud and abuse detection or compliance, and other similar activities.
Disclosures to Family Members
May disclose PHI to family members or others involved in the patient's care or payment for care if:
- The patient agrees (or agreement is inferred), or
- The patient is not present or is incapacitated and you believe that it is in the patient's best interest.
Also may notify of the patient's location, general condition, or death.
Other Purposes
May use and/or disclose PHI without authorization if certain criteria are met:
- To avert a serious threat to health or safety
- As required by law
- For limited marketing activities
- For public health activities
- For health oversight activities
- For research
Other Uses and Disclosures – Avert Serious Threat
May use or disclose PHI based on your good faith belief that the use or disclosure is necessary:
- To prevent or lessen a serious and imminent threat to the health or safety of a person or the public; or
- Under limited circumstances, for law enforcement authorities to identify or apprehend an individual.
Written Authorization – The Default Category
- May use and disclose PHI for any reason with the written authorization of the patient.
- The authorization must be in writing and contain certain statements and information that ensure the patient knows how his or her information will be used and disclosed.
Minimum Necessary Standard
Covered entities may use, disclose and request only the minimum amount of PHI necessary to accomplish the purpose of the use, disclosure or request.
Minimum Necessary Exceptions
- Disclosures to and requests by providers for treatment (but the standard does apply to uses)
- Disclosures to the patient who is the subject of the PHI
- Uses and disclosures pursuant to authorization
Incidental Uses and Disclosures
An incidental use or disclosure is one that occurs as a result of another use or disclosure that is permitted (e.g., a conversation between EMTs treating a patient overheard by another patient).
Incidental Uses and Disclosures
Incidental uses and disclosures are permitted as long as a covered entity has:
- Applied reasonable safeguards, and
- Implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.
Patient Rights
- Receive a notice of privacy practices
- Receive an accounting of certain disclosures of PHI
- Access their information
- Amend their information
- Request a restriction on the use or disclosure of information
- Request confidential communications
Content of Notice
- A header indicating the purpose of the notice
- A description of the uses and disclosures that you may make
- A statement of patient rights and how to exercise them
- A statement of your duties
- Instructions for filing complaints
- Contact information
Provision of Notice - First Service Delivery
General Rule:
- Provide the patient with your notice no later than the first service delivery on or after April 14, 2003; and
- Make a good faith effort to obtain a written acknowledgment of receipt of the notice. If not obtained, document the good faith efforts and the reason why it was not obtained.
Obtaining Acknowledgment
- Sign a separate sheet, list, or log book, or initial a cover sheet of the notice, to be retained by the ambulance supplier
- Tear-off sheet to mail back to the ambulance supplier
- Combine an acknowledgment with consent
Good Faith Effort – Reason Not Obtained
- Patient refused
- Patient failed to mail back acknowledgment
- Patient unconscious or agitated
Provision of Notice - First Service Delivery
EXCEPTION - Emergency Treatment Situations:
- Notice: Provide the notice as soon as reasonably practicable after the emergency situation.
- Acknowledgment: NOT required to make a good faith effort to obtain the acknowledgment.
Provision of Notice
You also must make the notice available by April 14, 2003:
- Upon request;
- At the delivery site (the notice must be posted and available for individuals to take with them); and
- If you maintain a web site about your services or benefits, prominently on your web site, and make the notice available electronically through the site.
Accounting
Don't need to track disclosures:
- To carry out treatment, payment, or health care operations
- To patients who are the subject of the PHI
- Pursuant to an authorization
Accounting
Must track disclosures:
- For public health purposes
- For research
- For health oversight activities
- For administrative/judicial proceedings
- For abuse/neglect reporting
Administrative Requirements
- Designate a privacy official
- Designate a contact person or office for complaints and questions
- Establish and implement policies and procedures
- Provide training to workforce members
- Apply administrative, technical and physical safeguards
- Establish a process for individuals to make complaints
Administrative Requirement—Training
Must train the workforce on privacy policies and procedures necessary and appropriate to their jobs. Training must occur:
- For current employees: no later than the compliance date,
- For new employees after the compliance date: within a reasonable time after the person joins the workforce, and
- For employees whose functions change due to a subsequent change in privacy policies or procedures: within a reasonable time after the change.
Civil Penalties
Any person who violates a provision is subject to:
- A penalty of not more than $100 for each such violation, and
- A total amount imposed on a person for all violations of an identical requirement or prohibition during a calendar year that may not exceed $25,000.
Criminal Penalties
Criminal penalties vary depending on the offense. A person can be fined not more than $250,000, imprisoned not more than 10 years, or both if the offense is committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
Interaction with State Law
- Must comply with both the Privacy Rule and state laws.
- If impossible (rare), comply with the provision that provides the patient with:
  - greater privacy rights,
  - access to greater amounts of information, or
  - greater privacy protections.
- State laws often have heightened protection for sensitive information (e.g., HIV/STDs).