HIPAA: Health Insurance Portability and Accountability Act of 1996

HIPAA Administrative Simplification
• Multi-phased law
• Enacted to reduce health care administrative costs through standardization of electronic health care transactions
• Standardized electronic exchange of health information creates the need to protect its security and privacy

Basic Principles of the HIPAA Privacy Rule
• It gives individuals more control over their health information.
• It sets boundaries on the use and release of health information.
• It establishes safeguards that covered entities must put in place to protect the privacy of health information.
• It holds violators accountable by imposing civil and criminal penalties for violations of an individual's privacy rights.

Who Has to Comply with HIPAA?
Each Covered Entity (CE) must comply. Covered entity means:
• A health plan
• A health care clearinghouse
• A health care provider that transmits any health information in electronic form in connection with a standard transaction

What is PHI?
Any information, oral or recorded in any form or medium, that:
• Is created or received by a health plan, health care provider or health care clearinghouse; and
• Relates to the past, present or future physical or mental health or condition of an individual, or the provision of or payment for health care for an individual; and
• Is individually identifiable (as defined)

Identifiers
Information is individually identifiable if it includes any of the following:
• Names
• Geographic subdivisions smaller than a state
• Dates (other than year) directly relating to an individual, including birth and treatment dates
• Ages over 89
• Phone and fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Account and health plan beneficiary numbers
• Certificate/license numbers
• Vehicle identifiers and license plate numbers
• URLs or IP addresses
• Device identifiers
• Biometric identifiers
• Full face or comparable images
• Any other unique identifiers

Use and Disclosure of PHI
General Rule
• A covered entity may not use or disclose PHI, except as required or permitted by the regulations.
Permitted Uses and Disclosures (TPO)
• Treatment
• Payment
• Health care operations

Business Associate Agreement
• By law, the HIPAA Privacy Rule as enacted applies only to covered entities. (Since the HITECH Act of 2009, business associates are also directly liable for compliance with the Security Rule and with certain Privacy Rule provisions.)
• However, most CEs do not conduct all business activities and functions alone.
What is a Business Associate?
• A person who, on behalf of a covered entity, uses, accesses or re-discloses PHI in order to:
• Perform or assist in the performance of a function; or
• Provide services to the covered entity
• The function or service must involve the use of individually identifiable health information.
• An employee of the employer sponsoring the plan is not a business associate.

Business Associates provide services involving disclosure of PHI, for example:
• Legal
• Accounting
• Data aggregation
• Administration
• Consultants
• Actuarial
• Accreditation
• Management
• Financial services
• Health care operations
Business associates include:
• Third party administrators
• Contractors and vendors of covered entities
• Employers and other plan sponsors
• Any person relying on a covered entity as a source of health information

Business Associates
• Business Associates may perform functions for covered entities only with "satisfactory assurance" of appropriate safeguards for PHI.
• The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

Business Associate Contracts: Required Elements (45 CFR 164.504(e))
Among other required elements, the contract must:
• Describe the permitted and required uses and disclosures of PHI by the business associate.
• Provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and
• Require the business associate to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the contract.

Forms of Patient Permission to Use or Disclose PHI
There are three possible forms of "permission" needed to use or disclose PHI:
• No permission required – For TPO or for "public purposes" (such as cooperating with law enforcement, public health agencies or courts).
• Verbal agreement – For disclosure to people involved in the health care of the patient, or for facility directory listings.
• Authorization – For all other circumstances.

Authorizations
• Authorizations are required by the Privacy Rule, 45 CFR 164.508(a).
• A CE must obtain an authorization for any use or disclosure of PHI that is not otherwise permitted or required by the Privacy Rule.
• A CE may use only authorizations that meet the requirements of 45 CFR 164.508(b).
• Any such use or disclosure is lawful only to the extent it is consistent with the terms of the authorization.

Penalties for Non-Compliance
Civil penalties:
• Up to $100 per violation of each standard, up to $25,000 per person per calendar year for violations of the same standard.
Criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA:
• Up to $50,000 and/or up to one year in prison for knowingly disclosing health information for improper use or to unauthorized entities.
• Up to $100,000 and/or up to five years in prison for obtaining health information under false pretenses.
• Up to $250,000 and/or up to ten years in prison for obtaining or disclosing health information with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
These are the amounts as originally enacted in 1996; the HITECH Act of 2009 replaced the civil penalty with a tiered structure carrying substantially higher maximums, which are periodically adjusted for inflation.

Remember:
• PHI should be seen only by those who are authorized to see it.
• PHI should be heard only by those who are authorized to hear it.
• PHI should be transmitted to or shared with only those who are authorized to receive it.