HIPAA

HIPAA
The Privacy Rule 2003
Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
• The 104th Congress passed the Act, Public Law 104-191, in 1996.
• The U.S. Department of Health and Human Services (HHS) drafted privacy regulations after Congress failed to act within three years of the Act’s passage.
• President Bush and HHS Secretary Tommy G. Thompson allowed the rule to take effect April 14, 2001.
• HIPAA requires covered entities to comply with the final rule’s provisions by April 14, 2003 (45 CFR 164.534).

What is HIPAA?

HIPAA is a federally enacted law containing five provisions designed to:
• Assure portability of health insurance;
• Decrease health care fraud and abuse;
• Improve efficiency and effectiveness of health care; and
• Guarantee security and privacy of patient health information.
Organizational HIPAA

• Sharron Stevens, Privacy Officer
• Pat W. Myrick, CCRP, CIP, Compliance Officer
• Barbara Love, Credentialing Officer
HIPAA Privacy Rule
(65 Fed. Reg. 82462)

Title II: Administrative Simplification
– Transaction Standards
– Standard Code Sets
– Unique Health Identifiers
– Security
– Privacy
The Privacy code includes: Research & Public Health
Who Must Comply?
The Code refers to “Covered Entities.”
• “Covered Entities” include health plans, health care clearinghouses and health care providers who conduct financial and administrative transactions – such as electronic billing and funds transfers – electronically.
(45 CFR 160.103)

What Does HIPAA Protect?

ALL medical records and other individually
identifiable health information used or
disclosed by a covered entity in any form –
electronic, paper, oral – are covered by the
final Privacy Rule.
(45 CFR 164.501 and 45 CFR 164.502)
Minimum Disclosure . . .

Disclosures of patient information will be
limited to the minimum necessary for the
purpose of the disclosure, except for
purposes of treatment.
45 CFR 164.502(b)(1)
Permitted Disclosures

The Privacy Rule permits, but does not require, covered entities to disclose health information without authorization for certain public responsibilities:
– Emergencies
– Identity of deceased, determine cause of death
– Public Health needs
– Judicial and administrative proceedings
– Law enforcement
– National defense and security
New Patient Rights Issued

Privacy Notice: Covered entities must notify patients in writing how they may use or disclose the patient’s protected health information (PHI).
45 CFR 164.520

Access: Patients will be able to access and get copies of their health records. They may also request amendments to those records. A history of non-routine disclosures must also be accessible to patients.
45 CFR 164.526
New Patient Rights

Consent = Authorization: Health care
providers who see patients must obtain patient
consent (authorization) before sharing their
information for treatment, payment and health care
operations. Treatment may be conditioned on
receiving consent unless other legal obligations exist,
such as the Federal Emergency Medical Treatment
and Active Labor Act (EMTALA), also known as
COBRA. 45 CFR 164.506(a)(1)
New Patient Rights

Authorization: A separate patient authorization must be obtained for non-routine disclosures – such as Public Relations activities, marketing, fundraising – and most non-health care purposes.

Treatment may not be conditioned upon receiving authorization. 45 CFR 164.508(a)(1)
New Patient Rights

Restrictions: Patients will have the right to
request restrictions on the uses and disclosures of
their information.
45 CFR 164.522

Recourse: Patients may file formal complaints
with a covered entity or with the Department of
Health and Human Services (HHS).
45 CFR 160.306(a)
Three Mandates Under HIPAA

Adopt written privacy policies and
procedures detailing:
– Who has access to protected information;
– How protected information will be used within
the covered entity;
– When protected information may be disclosed;
– And ways to ensure business associates protect
privacy of health information.
Three Mandates Under HIPAA

Train employees in privacy procedures.
– Design and implement training plan
– Track and audit employee training
45 CFR 164.530(b)(1)

Designate privacy officer to ensure policies and
procedures are followed. The ETSU Privacy Officer
is Sharron Stevens, stevenss@mail.etsu.edu. The VAMC
Privacy Officer is Angela Mullins,
Angela.Allen@med.va.gov.
– Develop and implement a method to report complaints
– Investigate complaints
– Conduct routine and random audits
45 CFR 164.530(a)(1)
Ensure Business Associates
Safeguard Information

A covered entity may disclose protected health
information to a “business associate” and allow it
to receive health information on its behalf ONLY
after the covered entity is assured the business
associate will safeguard the information. Even
though business associates aren’t covered directly
under the law, covered entities are liable for their
business associates’ actions if they disclose
protected health information.
45 CFR 164.502(e)(1)
Penalties for Covered Entities

Civil Penalties: $100 per violation, up to $25,000 per
person, per year for each requirement or prohibition
violated
(65 Fed. Reg. at 82470)

Federal criminal penalties for knowing
violations:
– Up to $50,000 and one year in prison
– Under “false pretenses” – up to $100,000 and up to five
years in prison
– Intent to sell, transfer or use – up to $250,000 and up to
10 years in prison
Pre-emption of State Law

State laws which may be contrary to the rule are preempted unless one of four conditions is met. Legal counsel will be tasked with evaluating how HIPAA will impact state law.
– DHHS determined that the state law is necessary to prevent fraud and abuse, to regulate insurance or health plans, is for reporting health care delivery or costs, or is serving a compelling need related to health, safety and welfare, or its principal purpose is regulation of controlled substances.
– State law is more stringent than the privacy rule.
– State law provides for reporting of disease, injury, child abuse, birth or death, or provides for conduct of public health surveillance.
– State law requires a health plan to report or provide access to information for management of financial audits, program monitoring and evaluation, or licensure or certification of people or facilities. (45 CFR 160.203)
Enforcement

The DHHS Office for Civil Rights (OCR) will
enforce the Privacy Rule. The agency is using a
$3.2 million budget allocation to hire new agents.
Enforcement will likely be compliance driven and
investigations will be conducted by one of 10
regional offices. OCR is still faced with clarifying
terms on hearing and appeal procedures and
defining civil (monetary) penalties for violations.
65 Fed. Reg. at 82472
This Introduction to HIPAA PowerPoint presentation is made available for educational purposes only.
Acknowledgements
• 45 CFR 164
• 45 CFR 160
• 65 Fed. Reg. at 82462
• 65 Fed. Reg. at 82470
• 65 Fed. Reg. at 82472
• Hall, E. (2002). Privacy Officer, A301 Kentucky Clinic, Lexington, KY 40536-0284.
• Irvine, K., & Hilton, E. (2003). Ensuring a HIPAA-compliant informed consent process: A guide for clinical research professionals. Boston, MA: Thomson-Centerwatch.