Understanding HIPAA Privacy Regulations A guide to company policies and procedures Prepared by:

Upload: sheldon-mcnulty

Post on 14-Dec-2015


Page 1: Understanding HIPAA Privacy Regulations A guide to company policies and procedures Prepared by:

Understanding HIPAA Privacy Regulations

A guide to company policies and procedures

Prepared by:

Page 2:

The Privacy Rule is intended to:

Protect and enhance rights of consumers by providing them:

access to their protected health information

control over PHI uses and disclosures

Improve healthcare quality by restoring public trust and willingness to share information

Improve efficiency and effectiveness by creating uniform nationwide privacy framework

Page 3:

Privacy Regulations apply to:

Covered entities, such as:

Health plans / insurance payers

Health care clearing houses

Health care providers, i.e. HMEs, physicians, nursing homes, home health agencies, etc.

Whoever “uses” or “discloses” protected health information (“PHI”)

Business associates: through contracts with covered entities that hold them to the same provisions of the law

Page 4:

Basics of HIPAA

Covers electronic, paper & oral information

Requires contracts with business associates to protect health information

Emphasizes "minimum necessary" access to information

Standards apply to "protected health information": all individually identifiable health information in any form

Page 5:

Basics of HIPAA

Protected Healthcare Information (PHI) defined: health information, including demographic information, which can reasonably identify the individual and relates to the person’s:

Past, present or future physical health, mental health, or condition;

Provision of health care; or

Past, present or future payment for the provision of health care

General Rule: “Protected health information may not be used or disclosed for reasons other than treatment, payment or healthcare operations without specific patient authorization”

Page 6:

Basic Patient Rights - HIPAA

Patients must receive written notice of provider's information practices describing patient rights; company must make good faith effort to obtain acknowledgement of receipt – All patients to receive “Privacy Notice” found in manual

Patients may inspect their own health information and obtain a copy

Patients may request amendment to health information

Page 7:

Basic Patient Rights - HIPAA

Patients may receive an accounting of disclosures for purposes other than treatment, payment, and healthcare operations

Patients may request that uses and disclosures of health information be restricted

Patients must be provided means to report a privacy complaint

Page 8:

Basics of Use and Disclosure

Providers must obtain a written patient Authorization before releasing PHI for purposes other than Treatment, Payment, and Health Care Operations.

Consent forms are optional when info used only for treatment, payment and health care operations

Page 9:

Basics of Use and Disclosure

Providers CAN release PHI without authorization:

for treatment, payment or healthcare operations (including to business associates)

when required by law

for public health activities

for victims of abuse, neglect, or domestic violence

for health oversight – ex. Medicare audit

for judicial proceedings

for specific law enforcement activities

Page 10:

Basics of Use and Disclosure

Providers CANNOT release PHI without authorization when info used for:

marketing

medical research

fund-raising

Authorizations generally address a specific need and circumstance or span of time

Page 11:

Rules Governing Business Associates

Providers must identify all Business Associates that have access to or use/disclose protected health information of patients:

Accrediting bodies

Consultants

Billing clearinghouse and outsource companies

Outcomes tracking outsourcing

Business Associate contracts must be established to ensure that Business Associates' practices support HIPAA's requirements

Sanctions must be applied by the company for non-compliance by Business Associates

Page 12:

Exceptions to the rule:

Providers may release patient's location, condition, or death when needed to family, friends, others involved in the care of the patient

Providers may make disclosures to family and others involved when in the patient's best interest – but you still have to follow state law when it comes to rights of minors

Page 13:

Exceptions to the rule:

Providers may make disclosures to “personal representatives” of the patient – i.e. those with Power of Attorney; the estate of a deceased patient

De-identified information is not subject to the privacy rules

Defined as removal of identifiers such as: Name, Date, Geographic Destinations, Phone/Fax Numbers, Email, etc.

Page 14:

Penalties for non-compliance

Criminal penalties - Intentional violation:

Up to $50,000 and up to one (1) year imprisonment for knowing misuse

Up to $100,000 and/or imprisonment up to five (5) years if offense under false pretenses

Fine of not more than $250,000 and/or imprisonment of up to ten (10) years if offense is with intent

Page 15:

HPP1 – Uses and Disclosures General

“Use” of information is defined as that which is used WITHIN the organization

“Disclosure” of information is that which is released OUTSIDE the organization

Both are permitted without specific consent from the patient when info is used for treatment, payment or healthcare business operations – consent forms are optional in these circumstances

Page 16:

HPP1 – Uses and Disclosures General

TREATMENT – includes information shared between the referral source and the HME provider to accomplish patient care objectives

PAYMENT – includes information shared with insurance payers, billing clearinghouses, and outsource billing firms to obtain payment (billing firms are also business associates)

OPERATIONS – includes information shared with accrediting bodies, consultants, outcomes tracking firms, etc. (these are commonly also business associates)

Page 17:

HPP2 – Uses and Disclosures Restrictions

Patients have a right to restrict the use and disclosure of their PHI, even that used for treatment, payment, and healthcare operations – the “PRIVACY NOTICE” informs them of this

Company has the right to refuse to continue care for patient if restrictions interfere with treatment, payment, or healthcare operations, but must honor request until patient transferred to another provider

Page 18:

HPP2 – Uses and Disclosures Restrictions

Request can be verbal or in writing – both must be honored until company notified otherwise by patient (indefinitely)

Better to have a policy to document patient request – use “Restriction Agreement” Form

Keep a log of patients requesting restriction to PHI

Keep log on file for 6 years

Page 19:

HPP3 – Business Associates

A non-covered entity, defined as an organization or person other than a member of the company’s workforce who receives PHI from the company in order to provide services to or on behalf of the company:

Healthcare billing clearinghouses

Billing services

Accreditation organizations

Consulting firms

Software vendors with access to company software systems

Page 20:

HPP3 – Business Associates

Company must complete a contract with each business associate that holds them to the same privacy standards the company is held to as a “covered entity”

Specifies what kind of information will be disclosed and to whom

Identifies the responsibilities of the business associate to protect healthcare information

Specifies what measures will be taken to ensure privacy of info upon termination of contract

Page 21:

HPP4 – Deceased Patients

Company must continue to protect info of deceased patients for as long as records are maintained

State Law usually says records should be maintained for 7 years (or, 7 years past the age of majority for minors)

PHI can be released to anyone with power of attorney (personal representative, to the patient’s estate)

Page 22:

HPP5 – Personal Representatives

Have the same rights as patients as defined in the “PRIVACY NOTICE”

Defined as: anyone with legal POA (healthcare or general); the estate of deceased patients; guardians of un-emancipated minors

Document the relationship of the personal representative to the patient in the medical / billing record

Page 23:

HPP5 – Personal Representatives

Recognize that some states allow minors to override the healthcare decisions of their guardians – HIPAA laws do not take precedence over state laws that are more stringent

Company is not obligated to disclose information to a personal representative if they reasonably believe that revealing such information may subject the patient to violence, abuse, or neglect

Page 24:

HPP6 - Confidential Communications

Patients are provided with their PHI upon request – treatment notes, billing information/details, etc.

They do not need to provide a reason for receiving the information

Verbal, faxed, or mailed responses to patient are permitted, based on patient request

Hard copy communications best to document company response

Page 25:

HPP7 - Consent

Use of consent form is optional if the information will only be used for treatment, payment and/or healthcare operations (whether information is used by the company, another “covered entity”, or a business associate)

Most companies already have a “Release of Information” statement in their paper work – this is adequate even for optional purposes

A form is provided in the manual to be used if company policy requires separate consent

Page 26:

HPP8 – Other Permitted Disclosures

To public healthcare authorities – infectious disease reporting; Medwatch; FDA requirements, etc.

When required by law enforcement, or to comply with state laws, or to prevent abuse and neglect of patient

To CMS or by CMS demand when investigating allegations of fraud and abuse

Page 27:

HPP9 – De-identified Information

Company is not required to comply with HIPAA regulations in regard to “de-identified” PHI

De-identified PHI has had all identifying information removed – name, phone, birth dates, addresses, HICN, SSN, etc

Can code the patient info with a number that will allow it to be “re-identified” later, within the company, so long as you don’t disclose coding methodology - common in outcomes tracking
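Added example, not part of the slide deck: one way to implement the HPP9 coding described above. The identifier fields named on the slide are stripped from the record, and the re-identification code is a keyed hash under a company-internal key, so the coding methodology never has to leave the company; field names, the sample record and the key are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Identifier fields named on the HPP9 slide (name, phone, birth dates, addresses,
# HICN, SSN). The key names used here are assumptions for this example.
IDENTIFIER_FIELDS = ("name", "phone", "birth_date", "address", "hicn", "ssn")

# Constructed sample record; every value is fake.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "phone": "555-0100",
    "birth_date": "1950-01-01",
    "address": "1 Example St",
    "hicn": "000000000A",
    "ssn": "000-00-0000",
    "diagnosis_code": "J44.9",
    "equipment": "oxygen concentrator",
    "outcome_score": "7",
}


def tracking_code(patient_id: str, secret_key: bytes) -> str:
    """Derive the re-identification code with a keyed hash (HMAC-SHA256).

    Without secret_key the code cannot be linked back to a patient, which keeps
    the coding methodology inside the company. A plain counter or an unkeyed
    hash of the SSN would not give that property. 16 hex chars = 64 bits.
    """
    return hmac.new(secret_key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def de_identify(record: Dict[str, str], secret_key: bytes) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split a record into (de-identified outcomes data, re-identification entry).

    The first part may go to outcomes tracking; the second is the internal
    mapping from tracking code back to the identifiers and must be stored and
    access-controlled like any other PHI.
    """
    code = tracking_code(record["patient_id"], secret_key)
    outcomes = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS and k != "patient_id"}
    outcomes["tracking_code"] = code
    identifiers = {k: record[k] for k in ("patient_id",) + IDENTIFIER_FIELDS if k in record}
    return outcomes, {code: identifiers}


def leaked_identifiers(record: Dict[str, str]) -> Tuple[str, ...]:
    """Identifier fields still present; must be empty before anything is released."""
    return tuple(k for k in IDENTIFIER_FIELDS if k in record)


def re_identify(outcomes: Dict[str, str], mapping: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Reverse the coding inside the company using the stored mapping."""
    return mapping[outcomes["tracking_code"]]


if __name__ == "__main__":
    key = b"example-key"  # assumption: in practice loaded from a secrets store, never hard-coded
    outcomes, mapping = de_identify(SAMPLE_RECORD, key)
    print(outcomes)                                 # clinical fields plus tracking_code only
    print(leaked_identifiers(outcomes))             # ()
    print(re_identify(outcomes, mapping)["name"])   # Jane Example
```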

Page 28:

HPP10 – Minimum Necessary Information

Company uses and discloses the minimum necessary information needed to accomplish treatment, payment, and healthcare operations

Need for information should be defined, by job description – company decides and puts in policy

Minimum necessary information for business associates should be defined within individual contracts

Page 29:

HPP10 – Minimum Necessary Information

Full access: Clinical staff; Customer Service and Billing; Operations and management personnel

Limited access: Delivery and warehouse personnel

No access: Maintenance and cleaning personnel

This is suggested policy – company decides!

Page 30:

HPP11 – Notification of Privacy Policy

Provided to all patients or their representative upon initiation of care – see sample in manual

Contains list of patient rights to privacy and explanation of typical uses and disclosures of PHI

Must also provide a copy of notice upon request to any person requesting a copy

Page 31:

HPP11 – Notification of Privacy Policy

Always document that the patient / personal representative received the notice – carbonless copy w/ signature

If amended, all current patients must receive a copy of the new, amended Privacy Notice

If amended, company must keep old versions (master copy) of Privacy Notice on file for 6 years past date of retirement of previous version of notice

Page 32:

HPP12 – Right to Restrict

Patient has right to restrict use of information, even for treatment, payment, and healthcare operations

Company has right to refuse to treat patient under those circumstances, but must abide by patient’s request as long as patient continues on service

Get it in writing – use Restriction form in manual

Page 33:

HPP13 – Responding to requests

Ask patient / personal representative to make request for extensive release of PHI in writing so you have documentation

Ask patient / personal representative where they want the information sent – it can be mailed to someplace other than their primary address if they so choose; it can be provided via the telephone or by fax

You can charge the patient for copying and mailing the information

Page 34:

HPP13 & 14 - Responding to requests

Patient does not need to provide reason why they want the information

Respond to requests in a timely fashion – 30 to 60 days is reasonable

See policy HPP14 for examples of when info can be legally withheld

If info is legally withheld, must provide patient with written explanation as to why

Page 35:

HPP15 – Right to amend

Patients have a right to amend the info in their medical record after reviewing it, if they choose

The request should be in writing, and state why the patient is requesting the change

Company may deny request if:

Info requested changed was not created by the company

The employee making the entry that is to be changed is no longer an employee

The info is currently accurate and complete, as is

Page 36:

HPP15 – Right to amend

In case of company denial to amend, put both sides (patient and company) in writing and include in patient’s medical record

Release this amended information as well, as applicable, when disclosure to another person is provided at patient request

Complete process in timely fashion – 60 to 90 days

Page 37:

HPP16 – Accounting of Disclosures

Company needs to keep track of disclosures of patient information so they can be provided to patient / personal representative upon request

Exceptions to tracking:

Disclosures made directly to the patient

Disclosures made for purposes of treatment, payment, or healthcare operations

Provided to employees of the company

Provided for reasons of national security

Provided before HIPAA regulations went into effect

Page 38:

HPP16 – Accounting of Disclosures

Must keep track of disclosures for 6 years past the disclosure

Tracking must include:

Date info released

To whom info was released

What info was released

The purpose for which it was released

Document patient requests for accounting of disclosures and respond to them in 60 days or less
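Added example, not part of the slide deck: a disclosure log that applies the HPP16 tracking exceptions, records the four required fields, keeps entries for 6 years past the disclosure and computes the 60-day response deadline. The recipient types, the effective date placeholder and the sample disclosures are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Exceptions from the HPP16 slide: these disclosures need not be tracked.
TPO_PURPOSES = {"treatment", "payment", "healthcare operations"}
EXEMPT_PURPOSES = TPO_PURPOSES | {"national security"}
EXEMPT_RECIPIENTS = {"patient", "employee"}  # directly to the patient, or to company staff
RESPONSE_WINDOW = timedelta(days=60)         # answer an accounting request in 60 days or less
# Placeholder for the date the regulations went into effect (assumption; set to the real date).
EFFECTIVE_DATE = date(2003, 1, 1)

@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    released_on: date    # date info released
    recipient: str       # to whom info was released
    recipient_type: str  # "patient", "employee" or "external"
    information: str     # what info was released
    purpose: str         # the purpose for which it was released

def must_account(d: Disclosure, effective_date: date = EFFECTIVE_DATE) -> bool:
    """True unless one of the slide's exceptions applies."""
    if d.released_on < effective_date or d.recipient_type in EXEMPT_RECIPIENTS:
        return False
    return d.purpose not in EXEMPT_PURPOSES

def retention_end(released_on: date) -> date:
    """Six years past the disclosure; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return released_on.replace(year=released_on.year + 6)
    except ValueError:
        return released_on.replace(year=released_on.year + 6, day=28)

class DisclosureLog:
    def __init__(self, effective_date: date = EFFECTIVE_DATE) -> None:
        self.effective_date = effective_date
        self.entries: List[Disclosure] = []

    def record(self, d: Disclosure) -> bool:
        # Log only trackable disclosures; report whether the entry was kept.
        if not must_account(d, self.effective_date):
            return False
        self.entries.append(d)
        return True

    def accounting_for(self, patient_id: str, as_of: date) -> List[Disclosure]:
        """Entries owed to the patient / personal representative on a request dated as_of."""
        return [e for e in self.entries if e.patient_id == patient_id
                and e.released_on <= as_of < retention_end(e.released_on)]

def response_due(request_date: date) -> date:
    return request_date + RESPONSE_WINDOW

# Constructed sample disclosures for one patient; all names and dates are fake.
SAMPLE = [
    Disclosure("P-0001", date(2010, 3, 1), "State health dept", "external", "immunization record", "public health"),
    Disclosure("P-0001", date(2010, 3, 2), "Example Billing Inc", "external", "claim", "payment"),
    Disclosure("P-0001", date(2010, 3, 3), "patient", "patient", "treatment notes", "patient request"),
    Disclosure("P-0001", date(2001, 5, 5), "County court", "external", "visit dates", "judicial proceeding"),
    Disclosure("P-0001", date(2017, 1, 10), "County court", "external", "visit dates", "judicial proceeding"),
]

def build_sample_log() -> DisclosureLog:
    log = DisclosureLog()
    for d in SAMPLE:
        log.record(d)
    return log
```

Only the public-health report and the 2017 court disclosure are logged; the payment, patient-direct and pre-effective-date entries fall under the exceptions.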

Page 39:

HPP17 – Privacy Officer

Company must designate one individual as responsible for protecting privacy

Job duties include:

Ensuring confidentiality of all PHI

Development and implementation of company HIPAA policies

Limiting incidental disclosures

Documentation & tracking of disclosures, and responding to patient complaints

Name, location, and phone number of Privacy Officer should be posted in areas where patients have access

Page 40:

HPP18 – Employee Training

All current employees to receive training – level to be based on their access to confidential information

Employee orientation should include privacy training

Training must be documented in the employee’s personnel file

Page 41:

HPP19 – Securing Medical Records

Secured at the end of the business day, either in locked cabinets or a locked room

Only individuals with permission, consistent with their job duties, may access medical records

Electronic records controlled by logins and passwords to computer system

Documents containing identifiable PHI must be shredded prior to disposal

Page 42:

HPP20 – Patient Complaints

Patients have a right to file formal complaint when they feel their privacy has been violated

Complaints should be directed to the Privacy Officer

Privacy Officer is to:

Document the complaint in a log

Investigate the complaint

Document the resolution to the complaint

Inform the patient of findings / resolution

Page 43:

HPP21 – Employee Violations

Employees who violate patient privacy will be subject to company procedures for violations of policy

Company response will depend on the intention of the employee, and the severity of the violation

Company response may range from verbal warning, up to and including termination

All company responses to violations of privacy will be documented in the employee’s file

Page 44:

HPP23 – Protection of data

Computers must be set up to ensure integrity of information (firewalls, passwords, etc)

Integrity of systems is routinely assessed

Back-ups are created daily (company may change policy on frequency of back-up)

Back-ups are stored off-site in a protected manner

Page 45:

HPP24 – Access to data

All individuals who need access to computer data are given an access code

A list of access codes and who has one are to be maintained by the company / Privacy Officer

Employees are trained re: privacy regulations before receiving access to data

Employees may not share their access code without prior approval of management

Page 46:

HPP25 – Mitigation of damage

If a breach in security is reported, the Privacy Officer must take steps to minimize damage

Privacy Officer must investigate breach, determine cause, and suggest possible resolution

All actions on the part of the Privacy Officer should be documented

Page 47:

HPP26 – Access logging

The computer system should be capable of logging access to PHI – check with billing software vendors

The log should be generated routinely to check for unauthorized attempts to access PHI

Unauthorized attempts to access PHI will be followed up by the company’s Privacy Officer

Page 48:

HPP27 – Contingency Plan

The company has a contingency plan that details how the company will back-up, secure, and re-establish its electronic databases in emergency situations

Page 49:

HPP28 – Consent to Film - Record

The company has a policy that dictates what type of patient / client releases are required in order to film or record the patient for use in company training, or promotional activities that will be seen or heard by persons outside the company

Page 50:

HPP29 – Sale of PHI

With very few exceptions, the sale of PHI is prohibited

Page 51:

HPP30 – Notice of Obligation

The company is obligated to notify patients if their PHI has been breached.

This obligation stands, regardless of whether the breach was made by the company or one of its business associates.

This notification will be handled by the company owners, and/or the HIPAA privacy officer of the company.