Virginia Department for the Aging HIPAA Overview April 24, 2002
Agenda • What is HIPAA? • The Four Components of Administrative Simplification • Who does HIPAA Apply to? • Privacy Standards • Additional Information
What is HIPAA ? Health Insurance Portability & Accountability Act of 1996 (HIPAA) • Public law 104-191 • Portability: Transfer of healthcare when employees change jobs • COBRA - Completed • Accountability: Fraud/Abuse & Administrative Simplification
The Four Components of Administrative Simplification • Electronic Health Transactions • Examples:Claims, Recipient Eligibility, Coordination of Benefits (COB’s), Claims Status • Unique Health Identifiers and Standard Medical Code Sets • Examples of Health Identifiers: National Provider ID, National Employer ID, Health Plan ID, National Individual ID • Example of Medical Code Sets: National Drug Codes (NDC)
Administrative Simplification (con’t) • Security Standards & Electronic Signatures • Security and privacy standards for administrative procedures • Technical security services against unauthorized access to data • Physical safeguards
Administrative Simplification (cont.) • Privacy • Signed by the Secretary of DHHS under Clinton Administration • Posted to the Federal Register on 12/28/00 • Comply as of 04/13/2003 • Focus on Policy and Procedures protecting Individuals’ rights, and audit trails of disclosures of personally identifiable health information (regardless of whether in electronic form). • Privacy Officer for Each Organization
If You Remember Only One Thing About HIPAA? • Focus on Policy and Procedures protecting Individuals’ rights, and audit trails of disclosures of personally identifiable health information (regardless of whether in electronic form).
Who does HIPAA Apply to? Examples of “Covered Entities” are: • Health Care Providers • Doctors, Dentists, Hospitals • Payers/Plans • HCFA (Medicare/Medicaid) • Collection Agencies • HMO’s, Group Health Plans • Prescription Drug Dispensing/Testing • Pharmaceuticals, Drug Stores, Labs • Clearinghouses/Donor Organizations • CDC, Blood banks, Organ Donors
Privacy Standards • Protected Health Information (PHI) by the regulation • Information relating to an individual’s physical or mental health, health care treatment, or payment for health care. • Protection continues as long as information in the hands of covered entity • Covered entities are encouraged to de-identify health information by removing, encoding, encrypting identifiers. • Personally identifiable health information in any form or medium.
Privacy Standards • Covered Entity must enter into a contract requiring that identifiable information be kept confidential by a Business Associate receiving information from or on behalf of a covered entity
Privacy Standards • Obligations of health care plans and providers • Provide Training to all staff who have access to PHI • Establish administrative, technical, and physical safeguards • Establish Policies and Procedures • Develop and apply sanctions from re-training to reprimand to termination • Have available documentation with the regulation requirements • Develop methods to disclose minimum amount of PHI • Develop and use contracts with business partners
Privacy Standards • Minimum Necessary Standard: “Must maintain every effort not to use or disclose, internally or externally, any more information than is necessary to accomplish the intended purpose.” • Preemption: Provides a “floor” of privacy protection. State laws that are “less protective” of privacy are preempted. States are free to enact “more stringent” statutes.
Privacy Standards • Penalties and Enforcement • Civil Liability for each standard provision violated the penalty up to $25,000 in any calendar year • Federal Criminal penalties are fines up to $50,000/and or 1 year imprisonment for using or disclosing individual identifiable health information • If disclosure is “under false pretenses, $100,000 fine and/ or up to 5 years imprisonment” • If offense is with intent to sell, transfer, or use individual identifiable information for commercial gain, $250,000 and / or imprisonment of up to 10 years • Enforcement has been delegated to the Office for Civil Rights (OCR) for civil enforcement and Department of Justice (DOJ) for criminal enforcement
Compliance Gaps – Privacy • Paper copies of patient records aren’t shredded • Registration terminals can be viewed by visitors • General lack of awareness as to where identifiable health information is being sent • Staff discuss patient care in public places such as elevators, cafeterias, and waiting rooms • Facsimile copies are sent to physicians at unidentified phone numbers • Lack of ongoing privacy training for workforce Provided by Phoenix Health Systems
References • (www.healthprivacy.org) • http://aspe.hhs.gov/admnsimp/ • http://www.hipaadvisory.com/ HIPAA questions to – HIPAA-QUESTION@list.nih.gov Privacy question to – email@example.com