150 likes | 296 Vues
HIPAA: Health Insurance Portability and Accountability Act. Diane Dempsey Marr, Ph.D. Whitworth College. HIPAA.
E N D
HIPAA:Health Insurance Portability and Accountability Act Diane Dempsey Marr, Ph.D. Whitworth College
HIPAA • The original intent behind the Health Insurance Portability and Accountability Act of 1996 was to prevent insurance companies from arbitrarily excluding coverage of “pre-existing” conditions • In addition, the bill focused on the reduction of abuse and fraud connected to the health care insurance industry • Finally, administrative simplification was targeted to eventually bring the cost of health care under control while providing increased protection of confidential health information
What Mental Health Professionals Need to Know • The protection of client privacy is the main focus for counselors. Washington State law and the federal HIPAA regulations must be considered when collecting, storing, and disclosing protected health information. • Whenever state law and HIPAA disagree, the counselor should always choose that which provides the highest level of protection for the client. • Thus it is essential that counselors have a good working knowledge of both Washington State law and HIPAA regulations.
Key Definitions • If the identifiable health care information is not covered by the Family Rights and Privacy Act (FERPA), it is then covered under HIPAA and is defined as “Protected Health Information” (PHI) • The counselor, otherwise known as a “covered entity” (CE), typically uses PHI for TPO (treatment, payment, or health care operations)…are you dizzy yet? • The difference between “use” and “disclosure” of PHI… • Use: employing PHI for sharing, application, analysis, etc. within the CE’s domain • Disclosure: release or transfer of PHI outside the CE’s domain
More Key Definitions • Before providing treatment, the CE must get the client’s written consent. Before getting consent, the client must be informed of their rights and the counselor’s responsibilities within the treatment setting. To accomplish this in the state of Washington, the counselor must provide clients with a a client rights form, and in accord with HIPAA, a “Notice of Privacy Procedures” (NPP) • Client consent then connotes their understanding of the above information, and gives the CE the ability to use and disclose PHI for TPO • If the PHI is ever used for something other than TPI, or disclosed to someone outside of the CE’s domain, anauthorization(written release) must be obtained from the client …now I am dizzy!
The difference between a client’s clinical record and psychotherapy notes • “Clinical Record”:billing information; reasons assistance was sought; a description of the ways in which challenges impact the client’s life; pertinent medical, social, and treatment history; diagnoses; treatment goals and progress towards those goals; medication record; records or consultation information sent by other health providers; reports made to other providers or your insurance company; assessment or education reports. This information can be disclosed with client Consent. • “Psychotherapy Notes”:In addition to, and kept physically separate from the clinical record, counselors may want to keep a set of Psychotherapy Notes. It is not a requirement. Contents of these Notes vary from client to client, but can include contents and an analysis of in-session conversations, and how these impact treatment. They may also include sensitive information shared with the counselor that is not required to be a part of a client’s Clinical Record. These records can only be disclosed with the client’s written Authorization.
Disclosing Protected Health Information • HIPAA’s strict guidelines for the disclosure of PHI must be adhered to if the CE is to act within the law. • In-depth knowledge of these guidelines assures that clients’ PHI has maximum protection while disclosing the minimum necessary information for effective use. • There are several categories of disclosure that will be important to remember: • Disclosure without consent or authorization • Disclosure with consent • Disclosure with authorization
Disclosing Protected Health Information • Mandatory disclosure without consent or authorization: • To monitor HIPAA compliance (DHHS) • To disclose PHI to the client • Disclosure is permitted (clinician’s option) without consent or authorization: • For judicial and administrative proceedings • As required by law • For law enforcement purposes • For national defense or security • To report neglect, abuse, or domestic violence • To avert a serious threat to health or safety • For health oversight activities and public health activities • For Workers Compensation and employers • For research: Screening of PHI to determine eligibility for inclusion in a study • Identification of deceased or determination of death • For organ or tissue donation • Disclosure is also permitted without consent or authorization when: • The client is an inmate • In an emergency • There are major barriers to communication • Treatment is required by law, and all attempts to gain consent have failed • If you are an indirect service provider (such as when you provide assessment information to the main CE)
Disclosing Protected Health Information • Consent is mandatory: • For TPO which includes: • Other CE’s involved in treatment within the primary CE’s domain • Insurance companies • Standard Authorization is mandatory: • When collaborating with other health care providers outside of the CE’s domain • When communicating with significant others • When disclosing PHI to employers for a specified employment decision • Special Authorization is mandatory: • For disclosure of psychotherapy notes
HIPAA gives clients the right to… • Request limitations on disclosures of their PHI • Request alternative channels of communication • Review health information records; this includes psychotherapy notes • Ask for a copy of their records • Request that their record be amended or corrected • Ask for an accounting of disclosures • File a complaint with regard to privacy violations
Employee Adherence to HIPAA • Each agency or private practice group: • Provide training for employees to insure compliance to HIPAA regulations and standards. • Have a policies and procedures manual focused on compliance • Appoint a privacy officer who will oversee all activities, training, policy and procedure development and revision, and documentation. This person will also deal with client complaints regarding possible violations of HIPAA
Business Associates • Counselors are expected to protect client PHI when, in seeking outside services, they give their business associates (BA) access to such. • Business associates can include those who are hired to do billing, collect debts, or process claims. It may also include accountants, lawyers, computer support services, and the company hired to shred or incinerate PHI. • As required by law, a contract between the CE and the BA must be signed, holding the business associate accountable for adherence to HIPAA guidelines.
The Security Rule • Where the Privacy Rule pertains to all protected health information, the security rule is directed at PHI that is in electronic form. This includes transmitted and non-transmitted PHI, and PHI stored on disk. • CE’s are expected to take reasonable measures to secure all electronic data. • Compliance date for this rule is set for April, 2005. Why wait to have fun?
Resources There is a massive array of information available in the form of books, workshops, and continuing education courses, but few are offered at reasonable prices. Many of these resources are not state specific. The American Psychological Association provides a good analysis of the cross section between state and federal mandates. Their program, however, is quite expensive for non-members (up to $550). Thus far, the American Counseling Association has not provided any impressive support for its membership on this issue. There are many free public resources that can be found online, including the actual law: http://www.hhs.gov/ocr/hipaa/finalmaster.html