An Overview of HIPAA
Presented by the Office of the General Counsel
HIPAA
• Health
• Insurance
• Portability and
• Accountability
• Act
HIPAA’s Goals
• Simplify the Administration of Electronic Health Information
• Protect an Individual’s Privacy Rights with regard to Health Information
When is HIPAA effective?
• First Deadline: October 2002
– Possible Extension until Oct. 2003
– AU must have Compliance plan
• Privacy Regulations: April 2003
– AU target date for compliance
Who Must Comply?
“Each Covered Entity who maintains or transmits health information”
• Health Plans
• Health Care Clearinghouse
• Health Care Providers
Who is a Provider?
“Any person or entity that furnishes, bills, or is paid for health care in the normal course of business.”
– Health Care = any “care, services, or supplies related to the health of an individual”
Examples of Providers / Plans
• Student Health Center
• Psychology Clinics
• EAP
• Athletic Department
• Hearing / Eye Clinics
• Self-Insurance Health Plans
4 Key HIPAA Elements
• Electronic Transaction & Code Set Standards
• Security Standards
• Privacy Regulations
• National Identifiers
Electronic Transaction & Code Set Standards
• General Rule: “If a covered entity (either itself or through an agent) conducts a Covered Transaction electronically, the transaction must be conducted using the HIPAA form.”
Electronic Transaction & Code Set Standards
Required Elements
1. Covered Entity
2. Electronically transmits
3. Covered Transaction
Covered Transactions
• Submission of Claims for payment
• Checking eligibility
• Enrollment & Disenrollment
• Referrals and precertification
• Claims attachments
• Payment & claims remittance
• Coordination of Benefits
• Checking claims’ status
Electronic Transaction & Code Set Standards
Requirements of ETS
• Standard Formats
• Standard Data Content
• Standard Codes
Electronic Transaction & Code Set Standards
Where to find the ETS standards:
• http://aspe.hhs.gov/admnsimp
• www.wpc-edi.com/HIPAA
• www.afehct.org
Security Standards
• Intended to protect against
– Unauthorized access
– Accidental / Intentional disclosure to unauthorized persons
– Alteration, destruction, or loss
Security Standards
Who is Covered?
• Any covered entity
• That Stores information electronically
• Does not have to be a covered transaction
Security Standards - Elements
• Administrative Procedures
– Protects health info
– Manages personnel Conduct
• Physical Safeguards
– Protects physical systems / buildings
• Technical Security
– Controls access to health information
Administrative Procedures
• Security Analysis
• Information access privileges
• Password & Authentication policies
• Plans for disasters & security breaches
• Disciplinary process & penalties
• Employee & Vendor Training
• Security Officer
Physical Safeguards
• Document ways computer & physical records are protected
• Use of keys, locks, etc. to control access to computers
• Restriction of access to authorized persons
• Tracking of medical records
• Workstation location policy
Technical Security
• Single sign-on technology
• New user IDs, passwords
• Audit trails for health info
Security Standards
General Comments
• Still in proposed form
• Not technically specific
• Amount of security required is scalable based on dept. size and resources
Privacy Regulations
• General Rule: “A covered entity may not use or disclose Protected Health Information (PHI) except as permitted by the privacy regulations.”
Privacy Regulations
• PHI – Protected Health Information
– Individually Identifiable
– Any form or medium
• Electronic, Oral, or Written
– Created or Received
– Relates to past, present, future condition or payment of individual
– Exception: FERPA records
Privacy Regulations
• General Requirement: “Must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish intended purpose.”
Privacy Regulations
Main Elements
• Rules for Use & Disclosure of PHI
• Patient’s Rights to Health Info
• Administrative Procedures
• Business Partner Requirement
Rules for Use & Disclosure
Consent vs. Authorization
Consent: If a general written consent is obtained, a provider may use/disclose PHI for “TPO”
Authorization: If use/disclosure is not for “TPO”, use/disclosure forbidden without a more specific authorization
“TPO” = Treatment/Payment/Health Care Operations
Rules for Use & Disclosure
“TPO” = Treatment / Payment / Health Care Operations
Treatment: Provision, coordination, management of healthcare
Payment: Actions to obtain payment
Operations: Internal day-to-day business. Ex: QA, Peer Review, Customer Service
Rules for Use & Disclosure
Consent
• Must be in plain language
• Must specify use of PHI
• Can make a prerequisite to treatment (Can refuse treatment)
• Exceptions: Emergency, Required by Law, Communication barriers,
Rules for Use & Disclosure
Authorization
• Cannot be a condition of treatment
• Must Inform about specific use and right to refuse, revoke, and inspect
• Psychotherapy Notes require Authorization
• Examples
– Research
– Marketing
– Fundraising
Patient’s Rights
• Right to Notice of Privacy Practices
• Right of Access to PHI
• Right to Accounting of Disclosures for 6 years
• Right to request restriction of TPO use to family members
– Not required to agree if TPO
Administrative Procedures
• Document policies, procedures, & systems to achieve compliance
• Complaint Mechanisms
• Employee Sanctions
• Documented training of employees
• Mitigation of harmful effects
• Designated Privacy officer
Business Associates
• General Rule:
– A covered entity must have a business associate contract to ensure that its business associates also are in compliance with HIPAA’s protection of PHI.
Business Associates
• Business Associates…
– Perform a function involving use / disclosure of PHI on behalf of the covered entity
– Perform legal, accounting, consulting, data aggregation, administrative, management, or financial services involving PHI for the covered entity
Business Associates
• Examples:
– Billing companies
– Computer Vendors
– Attorneys, Accountants, Auditors
– Consultants
– Document storage / destruction companies
Business Associates
• Business Associate Contracts:
– Restrict use & disclosure of PHI
– Require appropriate safeguards
– Require similar requirements of subcontractors
– Require B.A. to disclose breaches
– Require B.A. to remedy breaches or risk termination of contract
Hybrid Entity
• Requirements
– Single Legal Entity
– Primary business is not healthcare
• Advantages
– Only “Healthcare Components” must comply with HIPAA
• Disadvantage
– Firewall between HC Components and Non-Components
Hybrid Entity
• Auburn must…
– Identify Healthcare Components
– Identify Business Associates of the HC Components
– Erect the ‘firewalls’ between HC Components & Non-Components
Penalties for Non-Compliance
** Both Individuals & Entities can incur criminal and/or civil penalties
Civil Penalties: $100 - $25,000
Criminal Penalties: Max 10 yrs. Prison; Max $250,000 fine
HIPAA Timeline
• ETS Standards: October 16, 2002
– Extended to Oct. 2003 w/ University extension
• Privacy Regs: April 14, 2003
• Security Regs: Date expected by August 2002
Next Steps toward Compliance
1. Fill out the AU HIPAA Survey
2. Review how PHI is stored, accessed, protected, & destroyed
3. Think about easy steps to better protect PHI
4. Designate 1+ person to review specific HIPAA policies
For more HIPAA info…
• www.hipaa.org
– Links to complete final rules & proposed rules
• www.hipaadvisory.com
– News, primers, and complete rules
• www.hrm.uab.edu/HIPAA
– UAB’s training site
Additional Questions?
Contact the Provost’s Office