Overview of HIPAA Administrative Simplification and Privacy Regulations • Darrel J. Grinstead, Partner • Amy B. Kiesel, Associate • Hogan & Hartson L.L.P.
Outline of Presentation • HIPAA Overview • Transactions and Code Set Rule • Security Rule • Privacy Rule
HIPAA Overview • “Health Insurance Portability and Accountability Act of 1996” • Regulations • Facilitate electronic exchange of health information • Protect the privacy and security of health information
HIPAA Regulations • Published in final form: • Transactions and Code Set Rule • Security Rule • Privacy Rule • National Standard Employer Identifier Rule • The remaining rules are unpublished or exist only in proposed form.
Applicability • The regulations apply to “covered entities”: • Health care providers that electronically bill for services (e.g., most ambulance suppliers, physicians, hospitals), • Health plans, and • Health care clearinghouses.
Transactions and Code Set Rule • Purpose • To encourage the use of electronic exchanges • To reduce the administrative burden associated with using different formats • Specifies the content and format standards for eight common types of health information transactions.
Standard Transactions • Transactions are composed of: • Format data – define and control the structure of the transaction (e.g., the data element is a dollar amount) • Data content – all data elements and code sets inherent to a transaction and not related to the format of the transaction (e.g., the actual dollar amount)
Transactions • The eight standard transactions include: • Health care claims or equivalent encounter information, • Health care payment and remittance advice, • Coordination of benefits, • Health care claim status, • Enrollment and disenrollment in a health plan, • Referral certification and authorization, • Eligibility for a health plan, and • Health plan premium payments. • No standards promulgated for first report of injury and health claims attachments.
Compliance • Compliance was required by Oct. 16, 2002, unless a compliance plan was submitted to CMS by Oct. 15, 2002, whereupon the compliance deadline was extended to Oct. 16, 2003.
Implementation • HIPAA Awareness – understand the rule and educate the workforce. • Operational Assessment – assess and identify internal implementation issues and develop a work plan to address them. • Development and Testing – finalize development of applicable software, install it, train staff on it, and perform all software and systems testing.
Security Rule • Final rule published Feb. 20, 2003. • Compliance required by April 21, 2005. • Requires covered entities to: • Assess risks and vulnerabilities, • Maintain appropriate security measures, and • Document these methods.
Security Rule • Requires covered ambulance suppliers to: • Apply administrative, physical, and technical safeguards • That reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information • That they create, receive, maintain or transmit.
Examples – Required Safeguards • Administrative • Sanction policy • Business associate contracts • Physical • Device and media controls (e.g., disposal of devices and media containing electronic PHI) • Workstation security • Technical • Person or entity authentication • Unique user identification
Privacy Rule • Applicability • Uses and Disclosures • Patient Rights • Administrative Requirements • Penalties • Interaction with State Law
Compliance Date • Covered ambulance suppliers must be in compliance with the Privacy Rule by April 14, 2003.
Applicability of the Privacy Rule • Applies directly to covered entities. • Regulates protected health information maintained by covered entities.
Protected Health Information • Protected health information (“PHI”) is information in any form that: • Identifies or reasonably could be used to identify the patient, • Relates to the past, present, or future health or condition of a patient, payment for care, or provision of care, and • Is created or received by a covered entity, provider or employer.
Protected Health Information • It includes: • Medical information • Billing information • Patient demographic information • Information stored electronically • Information you convey on the phone • Information maintained on paper
Business Associates • Requires covered entities to contractually bind their business associates to some of the requirements of the Privacy Rule.
Definition • A business associate is an entity that • creates or receives PHI • to provide a service or function for or on behalf of a covered entity.
Examples - Business Associates • Disclosures of PHI to: • An accreditation organization to perform accreditation services. • A billing and collection service to assist with reimbursement. • A transcription service to transcribe notes.
Examples - No Business Associate • Disclosure of PHI: • To a provider for treatment of a patient. • Inadvertently to a janitorial agency that provides cleaning services. • To researchers for research purposes. • No business associate relationship with your employees.
Business Associate Agreements • You must enter into written agreements with your business associates to: • Limit use and disclosure of PHI, • Safeguard PHI, and • Ensure certain patient rights (e.g., providing a patient with access to PHI).
Overview of Uses and Disclosures • Covered ambulance suppliers may use or disclose PHI only: • For purposes expressly required or permitted by the rule, or • With patient authorization.
Examples When Authorization Required • To provide a list of names of patients involved in automobile accidents to a company that offers automobile insurance. • To provide a list of patient names to a national association for the association’s fundraising purposes.
Examples When Authorization Not Required • To use and disclose PHI for your own treatment, payment and health care operations (TPO). • To disclose PHI for the treatment or payment activities of another covered entity. • In limited situations, to disclose PHI for the health care operations of another covered entity.
Health Care Operations • Generally, no authorization required if the disclosure is: • To a covered entity that also has a relationship with the patient and • For quality assessment and improvement activities, case management and coordination, fraud and abuse detection or compliance, and other similar activities.
Disclosures to Family Members • May disclose PHI to family members or others involved in the patient’s care or payment for care if: • The patient agrees (or agreement is inferred), or • The patient is not present or is incapacitated and you believe that it is in the patient’s best interest. • Also may notify of the patient’s location, general condition, or death.
Other Purposes • May use and/or disclose PHI without authorization if certain criteria are met: • To avert a serious threat to health or safety • As required by law • For limited marketing activities • For public health activities • For health oversight activities • For research
Other Uses and Disclosures – Avert Serious Threat • May use or disclose PHI based on your good faith belief that the use or disclosure is necessary: • To prevent/lessen a serious and imminent threat to the health or safety of a person or the public; or • Under limited circumstances, for law enforcement authorities to identify or apprehend an individual.
Written Authorization – The Default Category • May use and disclose PHI for any reason with the written authorization of the patient. • Must be in writing and contain certain statements and information that ensures patient knows how his or her information will be used and disclosed.
Minimum Necessary Standard • Covered entities may use, disclose and request only the minimum amount of PHI necessary to accomplish the purpose of the use, disclosure or request.
Minimum Necessary Exceptions • Disclosures to, and requests by, providers for treatment (the standard still applies to uses for treatment) • Disclosures to the patient who is the subject of the PHI • Uses and disclosures pursuant to an authorization
Incidental Uses and Disclosures • An incidental use or disclosure is that which occurs as a result of another use or disclosure that is permitted (e.g., a conversation between EMTs treating a patient overheard by another patient).
Incidental Uses and Disclosures • Incidental uses and disclosures are permitted as long as a covered entity has: • Applied reasonable safeguards, and • Implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.
Patient Rights • Receive a notice of privacy practices • Receive an accounting of certain disclosures of PHI • Access their information • Amend their information • Request a restriction on the use or disclosure of information • Request confidential communications
Content of Notice • A header indicating the purpose of the notice • A description of the uses and disclosures that you may make • A statement of patient rights and how to exercise them • A statement of your duties • Instructions for filing complaints • Contact information
Provision of Notice - First Service Delivery • General Rule: • Provide the patient with your notice no later than the first service delivery on or after April 14, 2003; and • Make a good faith effort to obtain a written acknowledgment of receipt of notice. • If not obtained, document good faith efforts and reason why not obtained.
Obtaining Acknowledgment • Sign a separate sheet, list, log book, or initial a cover sheet of the notice to be retained by the ambulance supplier • Tear off sheet to mail back to the ambulance supplier • Combine an acknowledgment with consent
Good Faith Effort – Reason Not Obtained • Patient refused • Patient failed to mail back acknowledgment • Patient unconscious or agitated
Provision of Notice - First Service Delivery • EXCEPTION - Emergency Treatment Situations: • Notice: Provide the notice as soon as reasonably practicable after the emergency situation. • Acknowledgment: NOT required to make a good faith effort to obtain the acknowledgment.
Provision of Notice • You also must make the notice available by April 14, 2003: • Upon request; • At the delivery site (notice must be posted and available for individuals to take with them); and • If you maintain a web site about your services or benefits, prominently on your web site and make the notice available electronically through the site.
Accounting • You do not need to track disclosures made: • To carry out treatment, payment, or health care operations • To patients who are the subject of the PHI • Pursuant to an authorization
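The accounting rule above is easiest to get wrong in software when the exemption is applied at write time (exempt disclosures are simply never logged) rather than at report time. The following is an added example, not code from the presentation or from Hogan & Hartson, showing a fail-closed disclosure log: every disclosure is recorded, and the exemption for treatment/payment/operations, disclosures to the patient, and disclosures under an authorization is applied only when the patient's accounting is produced. The record fields, the purpose labels, the six-year lookback default, and all sample disclosures are assumptions constructed for this example and are not stated on the page.

```python
"""Disclosure accounting log (added example; not from the presentation).

Assumptions not stated on the page: the record fields, the purpose
labels, the lookback default, and the sample data below are all
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Purposes that the slide says need NOT appear in a patient's accounting.
# Anything not in this set is accounted for, so an unrecognized or
# mis-typed purpose fails closed (it is reported, never silently dropped).
EXEMPT_PURPOSES = frozenset({
    "treatment",      # TPO
    "payment",        # TPO
    "operations",     # TPO
    "to_patient",     # disclosure to the subject of the PHI
    "authorization",  # disclosure pursuant to a written authorization
})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # who received the PHI
    description: str    # brief description of the PHI disclosed
    purpose: str        # hypothetical purpose label


def must_account(d: Disclosure) -> bool:
    """True if this disclosure belongs in the patient's accounting."""
    return d.purpose not in EXEMPT_PURPOSES


class DisclosureLog:
    """Append-only log of every disclosure; filtering happens on read."""

    def __init__(self) -> None:
        self._records: List[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        # Exempt disclosures are logged too: they are still useful as an
        # audit trail even though they are omitted from the accounting.
        self._records.append(d)

    def accounting(self, patient_id: str, as_of: date,
                   lookback_years: int = 6) -> List[Disclosure]:
        """Accountable disclosures for one patient within the lookback window.

        The six-year default is an assumption of this example; treat it as
        a parameter to be set from your own compliance requirements.
        """
        start = as_of - timedelta(days=365 * lookback_years)
        return sorted(
            (r for r in self._records
             if r.patient_id == patient_id
             and must_account(r)
             and start <= r.disclosed_on <= as_of),
            key=lambda r: r.disclosed_on,
        )


def build_sample_log() -> DisclosureLog:
    """Constructed sample data for one ambulance supplier (not real)."""
    log = DisclosureLog()
    for rec in [
        Disclosure("P-1", date(2003, 4, 20), "Receiving hospital ED",
                   "run report", "treatment"),
        Disclosure("P-1", date(2003, 4, 22), "Billing service",
                   "claim data", "payment"),
        Disclosure("P-1", date(2003, 5, 1), "State health department",
                   "incident report", "public_health"),
        Disclosure("P-1", date(2003, 5, 10), "Patient",
                   "copy of run report", "to_patient"),
        Disclosure("P-2", date(2003, 5, 12), "Local police",
                   "patient identity", "law_enforcement"),
        Disclosure("P-1", date(1990, 1, 1), "University study",
                   "de-identification failed, full record", "research"),
        Disclosure("P-1", date(2003, 5, 15), "Auto insurer",
                   "run report", "authorization"),
        Disclosure("P-1", date(2003, 5, 20), "County coroner",
                   "run report", "required_by_law"),
    ]:
        log.record(rec)
    return log


if __name__ == "__main__":
    for r in build_sample_log().accounting("P-1", as_of=date(2003, 6, 1)):
        print(r.disclosed_on, r.recipient, r.purpose)
```

Because exemption is decided by membership in an explicit set, adding a new purpose label to the system without updating the set makes that purpose accountable by default; the reverse design (a set of accountable purposes) would silently drop disclosures instead.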