HIPAA WORKSHOP
UTA – HCAD Students
By Barbara Odom-Wesley, PhD, RHIA
May 27, 2003

OBJECTIVES
• Review the value of Medical Records
• Review Federal & State Requirements for Medical Record Privacy
• Update procedures regarding confidentiality & release of healthcare information
• Study the impact of HIPAA on medical practices

Medical Record Definition
• A compilation of pertinent facts
• Of a patient’s life and health history, including past and present illnesses and treatments
• Written by the health professionals contributing to that patient’s care
• Compiled in a timely manner
• And contains sufficient data to:
  - Identify the patient
  - Justify the treatment
  - Support the diagnosis
  - Document the results

MEDICAL RECORD DOCUMENTATION
• Arrangement
• Forms Management
• Compliance
• Policies
• Analysis

WHY MEDICAL RECORDS?
CLINICAL
• Patient Care Management
• Quality Review
• Research
• Public Health
• Education
LEGAL
• Documentary Evidence
• Confidentiality
FINANCIAL
• Medical Necessity
• Complexity
• Detail Services
• Substantiate Claims

STANDARDS
• JCAHO: Joint Commission on Accreditation of Healthcare Organizations
• NCQA: National Committee for Quality Assurance
• HEDIS: Health Plan Employer Data & Information Set
• AAAHC: Accreditation Association for Ambulatory Health Care
• TSBME: Texas State Board of Medical Examiners

MORE STANDARDS
• Conditions of Participation (Medicare)
• Uniform Ambulatory Care Data Set
• Professionally Accepted Practices

OIG Compliance Plan
• Auditing & Monitoring
• Standards & Procedures
• Compliance Officer
• Training & Education
• Corrective Action Plan
• Communication Lines
• Disciplinary Standards

CONFIDENTIALITY: CONCEAL OR REVEAL?
• Physician-patient relationship
• Medical Record ownership
• Texas Legal Statutes:
  - Senate Bill 667
  - Senate Bill 975
  - Senate Bill 11
• Federal Law: HIPAA
Senate Bill 667
• Authored to reduce confidentiality threats
• Debated in four legislative sessions
• Passed by House and Senate May, 1995
• Effective: January 1, 1996
• 1997 Revisions: SB 975
• Support: THA, TxHIMA, Trial Lawyers

1997 Revisions (SB 975)
• Added Exceptions:
  - Directory Information
  - Transporting EMS
  - Clergy
  - Organ or tissue procurement
  - American Red Cross
  - Poison Control Center
  - Utilization Review Agent
• Term change: “incompetent” to “incapacitated”
• Clarified court subpoena
• Fees:
  - Document certification
  - Written questions ($10.00)
  - None for patient examination
  - None for Workers’ Comp.

Senate Bill 11: The Texas extended arm of HIPAA
• Disclose PHI for health research only with individual consent or IRB waiver.
• Composition & conduct of privacy board
• Disclose for health research if represented as necessity.
• Authorizes subject of research access to information at conclusion of trial.
• Use of PHI for public health activities without authorization.
• Prohibits re-identifying without authorization

SENATE BILL 11 PROVISIONS
• Prohibits disclosing, using, selling, or coercing consent for marketing purposes
• Extended to parties not covered by HIPAA (holder of insurance license)
• Amends insurance code to require authorization to disclose any nonpublic PHI
• Right of patient to revoke authorization
• Exempt: nonprofits, Workers’ Comp., Red Cross, offenders with mental impairments, educational records, public health authority
• Effective 9/1/01; insurance code amendments 1/1/02
HIPAA: Health Insurance Portability and Accountability Act of 1996
History of Legislation
• Congress failed to adopt by August 21, 1999 as required by HIPAA
• Privacy Standards developed by DHHS
• Effective: 4/14/2001

HIPAA
http://aspe.os.dhhs.gov/admnsimp/
• Pub. L. 104-191; Federal Register vol. 65 no. 250, pp 82462-82829
• Enacted April 14, 2001; Privacy implementation: April 14, 2003
• Amended Public Health Service Act (PHS), Employee Retirement Income Security Act of 1974 (ERISA), Internal Revenue Code of 1986
• Final Regulations August 14, 2002

Simplification Standards
Extension: www.cms.gov/hipaa2/default/asp
• Electronic Exchange
• Unique Health Identifiers
• Code Sets
• Security
• Electronic Signatures
• Transmission of Data
• Privacy

HIPAA Privacy GOALS
• Protect & enhance rights of consumers by providing them with access to their health information & controlling the inappropriate use of that information
• Improve the quality of healthcare in the US by restoring trust in the healthcare system
• Improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection

HIPAA Highlights
• Paper & verbal
• Preempts state law
• Mechanism for complaints
• Office of Civil Rights administers
• Mitigation for Policy Violation
• Privacy Training
• Organization Requirements
• Definitions for appropriate release

PRIVACY STANDARDS
• Covered Entities
• Protected Health Information
• Consents
• Authorizations
• Rights of Individuals
• Privacy Officer
• Staff Training
• Business Associate Relationships
• Administrative Requirements
• Preemption
• Accounting for Disclosures
• Guidelines for Release
Covered Entities (CE)
• All but “small” health plans (<5 mil revenue): Implementation by 4/14/2004
• Large health plans & healthcare providers: Implementation by 4/14/2003
• Health Care Clearinghouse
• Health Care Provider of Services or Supplies (direct/indirect treatment relationship)

COVERED ENTITIES (CE)
• Direct Care Providers: treatment relationship
• Indirect: delivers healthcare based on orders; provides service, product or report to another provider
• Clearinghouse: processes or facilitates processing of PHI received from a CE

Organized Healthcare Arrangement
• Separate covered entities
• Establish clinically & operationally integrated systems
• Permitted to share information for TPO
• May use common Notice and Consent
• Example: hospital & its associated medical staff

Are you a CE?
• Cardiology Associates keeps medical records on paper and in file drawers and does not have electronic records. They only use the computers for accounting, scheduling and other limited purposes.
• YES

COMPLIANCE DATE: APRIL 14, 2003

What Information is Covered? Protected Health Information (PHI)
• Identifies an individual
• Relates to health, treatment, healthcare payment
• Created or received by CE
• Maintained or disclosed electronically, on paper, orally

Information Not Covered
Individual health information loses its protections and may be used or disclosed freely if it can’t be used to identify an individual.
Must remove all 18 identifiers.
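The slide states the rule but not what removing the 18 identifiers looks like in practice. The following is an added example, not part of the workshop material: it applies the Privacy Rule's "Safe Harbor" de-identification method (45 CFR 164.514(b)(2)) to a constructed patient record. The record layout, the field names, and the mapping of those names onto the 18 identifier categories are assumptions made for the example; the list of restricted three-digit ZIP prefixes is illustrative and should be checked against current HHS guidance. Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual, which no code can check for you.

```python
import re
from datetime import date

# Field names (assumed for this constructed record) that fall under the
# 18 Safe Harbor identifier categories and must be removed outright.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
    "other_unique_id",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become
# "000".  Illustrative set; verify against current HHS guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that commonly leak into free-text clinical notes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                   # SSN
    re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),   # phone / fax
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),             # e-mail
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),               # full date
]


def generalize_zip(zip_code):
    """Keep only the first three digits, or 000 for restricted prefixes."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Dates tied to an individual (birth, admission, ...) keep the year only."""
    return str(value.year) if isinstance(value, date) else str(value)[:4]


def generalize_age(age):
    """Ages over 89 are aggregated into a single 90+ category."""
    return "90+" if age > 89 else str(age)


def scrub_text(text):
    """Redact identifier patterns embedded in free text."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def de_identify(record):
    """Return a Safe Harbor de-identified copy of a patient record."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                      # identifier category: drop entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "dob" or key.endswith("_date"):
            out[key] = generalize_date(value)
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value              # clinical content is retained
    return out


def residual_identifiers(record):
    """Identifier fields still present; an empty list means none remain."""
    return sorted(set(record) & DROP_FIELDS)


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Q. Sample", "street": "12 Elm St", "city": "Arlington",
    "zip": "76019", "dob": date(1912, 3, 4), "age": 91,
    "admit_date": date(2003, 5, 27), "ssn": "123-45-6789",
    "mrn": "MRN-0001", "diagnosis": "arrhythmia",
    "notes": "Patient reached at 817-555-0100; follow-up 06/10/2003.",
}

if __name__ == "__main__":
    print(de_identify(SAMPLE))
```

Running the block prints the de-identified copy: the name, address, SSN and MRN are gone, the ZIP is reduced to 760, both dates to their year, the age to 90+, and the phone number and appointment date inside the notes are redacted, while the diagnosis survives. `residual_identifiers` is the check a reviewer would run before calling the data set "not covered".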
Covered Business Associates
Performs or assists in the performance of a function or activity for the Covered Entity, not part of workforce. Confidentiality contract required:
• Attorneys
• Actuaries
• Accountants
• Consultants
• Computer Vendors
• Outsourced Services

BUSINESS ASSOCIATE TEST
• On behalf of CE
• Other than workforce
• Involves use of PHI

Requirements for Business Associates
• Assurance they will safeguard information
• Contracts should set permitted uses & disclosures
• Contracts should stress privacy
• Safeguard PHI from misuse
• CE is not liable for violations

Enforce Contracts
If the provider becomes aware of a “pattern of practice” that is a violation of contractual obligations, “reasonable steps” must be taken to solve the problem or the contract must be terminated. If the contract can’t be broken, the provider must report the problem to HHS.

Business Associates: Final Reg. Changes
• Additional year to incorporate BA agreements not up for renewal (April 2004)

Identifying Business Associates
• WeCare, Inc., a local nursing home, hires a law firm to defend it in an elder abuse case. ASC discloses PHI to a health plan for payment purposes. Which of these entities, the law firm or the health plan, would be a BA?
• The law firm is a BA. The health plan is not a BA.
PATIENT RIGHTS
• To consent for uses or disclosures of PHI to carry out treatment, payment, or healthcare operations, & the right to notice of privacy practices as part of the required consent form or process
• To access Protected Health Information (PHI)
• To an accounting of how their PHI has been disclosed outside normal patient care channels
• To agree or object to certain disclosures
• To request amendment or correction to PHI
• To request restrictions on use of PHI for treatment, payment or healthcare operations

CONSENTS: PERMITTED DISCLOSURE
Individual Consents required for:
• Payment
• Treatment
• Healthcare Operations

Consent Coverage (TPO)
• Treatment: Direct and Indirect
• Payment: UR, medical necessity, determination of coverage
• Operations: QA, credentialing, peer review, quality analysis, accreditation, fraud/abuse monitoring

Requirements for CONSENTS
• May be written in general terms
• Provider can refuse to treat individuals who do not consent to uses & disclosures for treatment, payment, healthcare operations
• Can be combined into a single document covering all three activities & combined with other types of legal permission
• Consents may be revoked in writing at any time.

Consents not Required
• Indirect treatment relationship
• Inmates
• Required by law to treat
• Substantial barriers to communicate
• Emergency treatment (must obtain as soon as reasonable)

Psychotherapy Records
• CEs must obtain the individual’s authorization to use or disclose psychotherapy notes to carry out TPO (other than the originator of the notes)
• Differs from other records because they do not include information that is typically needed for TPO
Final rule, Section 164.508

Final Rule Changes to Consents
• Optional
• Direct Provider CE
• Written Acknowledgement alternative: document receipt of “Notice of Privacy Practices”
• Not required for emergencies
• Layered Notice encouraged: patient-friendly summary, full notice layered beneath
• Allows disclosure of PHI for another provider (TPO)

Need a Consent?
• A primary care physician sees a patient who has been experiencing arrhythmia. The physician refers the patient to a cardiologist for testing. The physician’s office calls the cardiologist’s office to arrange for an appointment for the patient. The patient would be new to the cardiologist’s practice. May the cardiologist schedule the appointment and review the patient’s information prior to the patient signing a consent?
• Under the final changes, prior consent is not required. A “Notice” is required to be provided.

Consent Required?
• An elderly woman is bedridden and is unable to leave the house to pick up her medications. She calls a friend and asks the friend to pick up the prescription for her. May the pharmacist give the prescription medication to the friend?
• Yes, there is implied consent. Prior consent is not required. The “Notice” should be given to the friend.
AUTHORIZATIONS
• Allows use & disclosure of PHI for purposes other than those covered by consent
• Must be written in specific terms with essential elements
• May not condition treatment on signing
• Can be revoked at any time.

VALID AUTHORIZATIONS
• Written, Dated
• Signed:
  - Patient
  - Legally Authorized Representative: Parent/Guardian, Adult Guardian, Durable Power of Attorney/Agent, Attorney ad litem
• Information & Time
• Purpose
• To whom
• Facility to Release
• Right to withdraw
• Validity date (90 days)
• Photocopy valid

CONSENTS vs. AUTHORIZATIONS
CONSENTS
• General language
• One time consent
• Allows full exchange among treatment team
• Refuse treatment without
• Allows for TPO
• May be revoked in writing
AUTHORIZATIONS
• Specific, detailed
• Required for each release
• May not condition care on refusal
• Psychotherapy records
• Non-TPO purposes
• Must keep a record

Authorization Required?
• A person injured in a car crash is treated at an ASC. The ASC receives a request for medical records from an attorney who represents the driver in the automobile accident. The request states the attorney represents the driver who has been sued for negligence by the patient and to send the records to the lawyer within 15 days of receipt of the request. May the center disclose the patient’s records to the attorney without authorization from the patient?
• No, it requires an authorization or court order.

Authorization for Marketing?
• A group of oncologists have been approached by a pharmaceutical company to purchase the group’s patient list so the company may develop a new marketing plan for its pharmaceuticals. May the group sell its patient list?
• No, not without authorizations from each patient.

GUIDELINES FOR RELEASE
• Minimum Necessary
• Minors
• Deceased
• By Fax
• Subpoenas
• Copy Fees

Minimum Amount Necessary
Covered Entities must make all reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

Minimum Necessary Guides
• Establish role-based access for workforce
• Standard guidelines for recurring/routine disclosures
• Make determinations for “non-routine” disclosures
• Exception: disclosures for treatment
• Incidental disclosure not violation
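The Minimum Necessary guides above describe four distinct controls: role-based field access for the workforce, standard protocols for routine disclosures, case-by-case review for non-routine disclosures, and the treatment exception. The block below is an added example, not part of the workshop slides, showing how those controls fit together in code, together with the accounting of disclosures outside TPO that the Patient Rights slide mentions. The roles, the recipient names, the field sets and the record layout are assumptions constructed for the example.

```python
from datetime import datetime

TPO_PURPOSES = {"treatment", "payment", "operations"}

# Role-based access for the workforce: the fields each (assumed) role needs
# to do its job.  "ALL" marks roles whose use falls under the treatment
# exception to minimum necessary.
ROLE_FIELDS = {
    "front_desk": {"mrn", "name", "phone", "next_visit"},
    "billing": {"mrn", "name", "dob", "insurance_id", "procedure_codes", "charges"},
    "clinician": "ALL",
}

# Standard protocols for recurring/routine disclosures, keyed by
# (purpose, recipient).  Assumed field sets.
ROUTINE_DISCLOSURES = {
    ("payment", "health_plan"): {"mrn", "name", "dob", "insurance_id",
                                 "procedure_codes", "charges"},
    ("public_health", "state_registry"): {"dob", "zip", "diagnosis"},
}


class NeedsIndividualReview(Exception):
    """A non-routine request with no standard protocol and no reviewed field list."""


def limit_to_fields(record, fields):
    """Drop every field that is not in the permitted set."""
    return {k: v for k, v in record.items() if k in fields}


def workforce_view(record, role):
    """Internal use: return only what the requester's role needs."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    if allowed == "ALL":
        return dict(record)
    return limit_to_fields(record, allowed)


def disclose(record, purpose, recipient, accounting, approved_fields=None):
    """External disclosure under minimum necessary, with accounting."""
    if purpose == "treatment":
        released = dict(record)            # exception: disclosures for treatment
    elif (purpose, recipient) in ROUTINE_DISCLOSURES:
        released = limit_to_fields(record, ROUTINE_DISCLOSURES[(purpose, recipient)])
    elif approved_fields is not None:
        # non-routine: a privacy officer made an individual determination
        released = limit_to_fields(record, approved_fields)
    else:
        raise NeedsIndividualReview(f"{purpose} to {recipient}")
    if purpose not in TPO_PURPOSES:
        # Patients may request an accounting of disclosures outside TPO.
        accounting.append({
            "when": datetime.now().isoformat(timespec="seconds"),
            "mrn": record["mrn"], "purpose": purpose,
            "recipient": recipient, "fields": sorted(released),
        })
    return released


# Constructed sample record; not real patient data.
SAMPLE = {
    "mrn": "MRN-0001", "name": "Jane Q. Sample", "phone": "817-555-0100",
    "dob": "1912-03-04", "zip": "76019", "insurance_id": "PLAN-42",
    "next_visit": "2003-06-10", "procedure_codes": ["93000"],
    "charges": 120.00, "diagnosis": "arrhythmia",
    "notes": "Patient reports palpitations.",
}

if __name__ == "__main__":
    log = []
    print(workforce_view(SAMPLE, "billing"))
    print(disclose(SAMPLE, "public_health", "state_registry", log))
    print(log)
```

The billing view never sees the diagnosis or notes, the public-health disclosure releases three fields and leaves an accounting entry, and a request that matches no protocol stops with `NeedsIndividualReview` until someone records the fields they approved. Incidental disclosures are not modelled here; the code only governs the deliberate uses and disclosures the slide's first three bullets address.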