
HIPAA CONFIDENTIALITY






Presentation Transcript


  1. HIPAA CONFIDENTIALITY Paul A. Stewart, Esq. Foley & Lardner One Maritime Plaza, 6th Floor San Francisco, CA pastewart@foleylaw.com

2. What's to Simplify?
• Health Claims / Encounter Information
• Attachments to Health Claims
• Health Plan Enrollment/Disenrollment
• Eligibility Verification
• Claims Payments/Remittance Advice
• Payment of Premiums
• First Report of Injury
• Referral Certification/Authorization
• Claim Status
• Coordination of Benefits

3. Who Must Comply?
• A "Health Care Provider" - furnishes, bills or gets paid for health care services or supplies
• A "Health Plan" - provides or pays for medical care
• A "Health Care Clearinghouse" - processes non-standard data elements into standard data elements
• "Business Partners" - agents of covered entities

4. To What Do Regulations Apply?
• "Health Information" (security regulations)
  • Created by providers, health plans, public health authorities, employers, life insurers, schools or universities
  • Relates to the physical/mental condition, provision of health care, or payment

5. To What Do Regulations Apply? (cont'd)
• "Protected Health Information" ("PHI") (confidentiality regulations)
  • health information that
  • identifies the individual, or
  • could reasonably be used to identify the individual

6. When To Comply?
• Whenever health information is electronically transmitted or maintained (security regulations)
• Whenever protected health information is electronically transmitted or maintained in connection with a standard transaction (confidentiality regulations)
• Obligations apply to information, not documents

7. Why Comply?
• Civil Monetary Penalties: up to $100 per violation/per person, with a $25,000 annual limit for each standard violated
• Criminal Penalties for "Knowing Misuse": $50,000–$250,000; prison 1–10 years
• Greatest penalties reserved for intent to sell/transfer/use for commercial advantage, personal gain or malicious harm

8. What are the Confidentiality Rules?
• Disclosure/use prohibited except as permitted by the regulation
• Permitted Disclosures:
  • As authorized by the individual
  • For health care treatment, payment, operations (except research and psychotherapy notes)
  • In connection with national policy activities

9. What are the Rules? (cont'd)
• Required Disclosures
  • Request by the individual
  • Investigation of compliance by government
• Circumstances Requiring Individual Authorization
  • Marketing; sale, rental, barter; eligibility; fundraising; employers; research unrelated to treatment; psychotherapy notes
• Minimum Necessary

10. What are the Rules? (cont'd)
• Patient Rights
  • To receive adequate notice of information practices
  • To inspect and copy PHI
  • To request amendment/correction of PHI
  • To request restriction on uses/disclosure of PHI
  • To receive an accounting of uses/disclosures

11. What Do I Have To Do?
• Designate a Privacy Official
• Designate a contact person/office
• Assess whether HIPAA preempts state law
• Assess current policies and procedures
• Develop comprehensive policies and procedures
• Draft contracts - business partner/chain of trust agreements

12. Preemption
• Assess whether HIPAA preempts state law
  • A federal standard, requirement or implementation specification that is contrary to state law preempts it
• Exceptions
  • State law is necessary for certain purposes
  • State law is more stringent
  • State law relates to audits, licensure, certification, reporting of child abuse, births, deaths, injuries, or public health activities

13. Policies and Procedures
• Assess current policies and procedures
  • What does your organization do to ensure PHI is not improperly disclosed?
  • How do you monitor compliance with your current policies and procedures?
  • What are the consequences in your organization if PHI is disclosed in violation of current legal requirements or your policies and procedures?
  • Are your policies and procedures written?

14. Policies and Procedures (cont'd)
• Develop comprehensive policies and procedures related to:
  • Determining when disclosures are permitted/required
  • Conditions applicable to certain permitted disclosures
  • Minimum necessary standard
  • Authorizations

15. Policies and Procedures (cont'd)
  • De-identifying PHI
  • Business partners
  • Deceased individuals
  • Right to request restrictions
  • Right to notice of information practices
  • Right to access

16. Policies and Procedures (cont'd)
  • Right to an accounting of disclosures
  • Right to amendments and corrections
  • Verification of identity/authority of requester
  • Training
  • Sanctions
  • Complaints
  • Changes in policies or procedures

17. Further Documentation
• Must create documents related to the following and retain such documents for six years:
  • Requested restrictions
  • Contracts with business partners
  • Authorization forms
  • Notices of information practices

18. Further Documentation (cont'd)
  • Statements regarding access/denial of access to PHI
  • All accountings provided
  • Denials of amendment/correction requests
  • Employee certifications
  • Complaints

19. Business Partner Contracts
Examples: lawyers, auditors, consultants, third-party administrators (TPAs), data-processing firms
• Disclosures only as permitted/required
• No disclosures if disclosure by the covered entity would violate the regulation
• Safeguards established to prevent improper uses/disclosures
• Improper uses/disclosures reported
• Consistent subcontracts
• Right of access provided

20. Business Partner Contracts (cont'd)
• Access by the Secretary of DHHS to books/records pertaining to uses/disclosures
• PHI returned/destroyed upon termination of contract
• Amendments/corrections incorporated
• Third-party beneficiaries/liability to patients for breach
• Termination upon improper use/disclosure
• Material breach may be noncompliance
• Need for audit trail
