IMPLEMENTING THE HIPAA PRIVACY RULES


Transcript of IMPLEMENTING THE HIPAA PRIVACY RULES

Page 1: IMPLEMENTING THE HIPAA PRIVACY RULES

IMPLEMENTING THE HIPAA PRIVACY RULES

Presentation to the Coalition of Voluntary Mental Health Agencies

May 31, 2002

Prepared By: Robert Belfort
Kalkines, Arky, Zall & Bernstein LLP
1675 Broadway, Suite 2700
New York, New York 10019
(212) 830-7270
[email protected]

Page 2: IMPLEMENTING THE HIPAA PRIVACY RULES

KALKINES, ARKY, ZALL & BERNSTEIN LLP HIPAA Compliance Presentation - May 31, 2002

A BRIEF HISTORY OF THE PRIVACY RULE

8/21/96: Enactment of HIPAA statute
8/21/99: Deadline for Congressional action
11/3/99: Proposed rule issued
12/28/00: Final rule adopted
3/14/01: Final rule reopened for comment
4/14/01: HHS adheres to final rule
7/6/01: HHS issues guidance
3/27/02: Modifications to rule proposed
4/26/02: End of comment period on proposed changes
Summer 2002?: Adoption of changes to rule
4/14/03: Compliance date

Page 3: IMPLEMENTING THE HIPAA PRIVACY RULES

KEY COMPLIANCE ISSUES

Proper use and disclosure of protected health information (PHI)
Application of “minimum necessary” standard
Execution of business associate contracts
Accommodation of patient rights
Creation of administrative, physical and technical safeguards
Issuance of privacy notice
Appointment of privacy officer

Page 4: IMPLEMENTING THE HIPAA PRIVACY RULES

WHAT IS PHI?

Individually identifiable health information
– created or received by provider, plan, clearinghouse or employer
– relates to individual’s health, provision of care or payment for care
– identifies or could reasonably be used to identify the individual
Transmitted or maintained in any form

Page 5: IMPLEMENTING THE HIPAA PRIVACY RULES

HOW CAN PHI BE USED OR DISCLOSED?

Type of Use or Disclosure: Patient Approval Required?¹

Treatment, payment and health care operations: consent optional (subject to limited exceptions)
Psychotherapy notes for most purposes: authorization required
Certain marketing and fundraising activities: no authorization required
Facility directories, family members and disaster relief: opportunity for oral objection by patient
IRB-approved research following specified protocols: no authorization required
“National Priority” disclosures: no authorization required
Other uses and disclosures not subject to specific exception: authorization required

¹ Assumes adoption of proposed amendments to rule.

Page 6: IMPLEMENTING THE HIPAA PRIVACY RULES

WHAT ARE HEALTH CARE OPERATIONS?

Quality improvement
Reviewing provider qualifications and performance
Underwriting, rating and related activities
Medical review, legal services and auditing
Business planning and development
Business management and general administration

Page 7: IMPLEMENTING THE HIPAA PRIVACY RULES

WHAT ARE PSYCHOTHERAPY NOTES?

Recorded by a mental health professional
In any medium
Documenting or analyzing contents of conversation during private or group counseling session
Separated from rest of medical record
Excludes medication monitoring, session times, modalities of treatment, test results and summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress

Page 8: IMPLEMENTING THE HIPAA PRIVACY RULES

WHEN MAY PSYCHOTHERAPY NOTES BE DISCLOSED?

Without patient authorization, only in limited cases:
By originator for treatment
Mental health training programs
Defense of legal action brought by patient
Certain health oversight activities

Page 9: IMPLEMENTING THE HIPAA PRIVACY RULES

WHAT ARE THE ELEMENTS OF AN AUTHORIZATION?

Must specifically identify information being disclosed, its recipients and purpose of disclosure
May not be combined with other documents
Must include expiration date or event
Must be signed by patient or personal representative

Page 10: IMPLEMENTING THE HIPAA PRIVACY RULES

MARKETING EXCEPTION

Types of marketing permitted without authorization
– face-to-face
– products or services of nominal value
In name of covered entity
Disclosure of remuneration
Opt out procedures
Determination and disclosure of patient benefit if health status-based

Page 11: IMPLEMENTING THE HIPAA PRIVACY RULES

FUNDRAISING EXCEPTION

By covered entity, business associate or related foundation
Disclosable or usable information
– demographic information
– dates of care provided
Opt out procedures

Page 12: IMPLEMENTING THE HIPAA PRIVACY RULES

NATIONAL PRIORITY DISCLOSURES

Required by law
Public health
Neglect and abuse
Health oversight
Legal proceedings
Law enforcement
Decedents
Cadaveric donations
IRB-approved research
Health or safety threat
Specialized government functions
Workers’ compensation

Page 13: IMPLEMENTING THE HIPAA PRIVACY RULES

“MINIMUM NECESSARY” STANDARD

When using, disclosing or requesting protected health information, covered entities “must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Page 14: IMPLEMENTING THE HIPAA PRIVACY RULES

EXCEPTIONS TO MINIMUM NECESSARY

Treatment
Disclosures to other covered entities
Compliance with law
Disclosures pursuant to patient’s authorization
Disclosure to patient

Page 15: IMPLEMENTING THE HIPAA PRIVACY RULES

IMPLEMENTING MINIMUM NECESSARY

Internal role-based access
Policies and procedures for routine disclosures
Criteria for all other disclosures

Page 16: IMPLEMENTING THE HIPAA PRIVACY RULES

WHO IS A BUSINESS ASSOCIATE?

Provides specified functions to or on behalf of covered entity
Exceptions
– Members of workforce
– Members of hospital medical staff
– Members of “organized health care arrangement”
– Plan sponsors
– Financial institutions processing consumer transactions
– “Conduits”

Page 17: IMPLEMENTING THE HIPAA PRIVACY RULES

WHO IS A BUSINESS ASSOCIATE?

Yes: billing companies, computer maintenance vendors, transcription services, attorneys, accountants, compliance consultants
No: employees, student trainees, Federal Express, AOL, referring providers, third party payers

Page 18: IMPLEMENTING THE HIPAA PRIVACY RULES

BUSINESS ASSOCIATE CONTRACTS

Permitted uses and disclosures
Adoption of safeguards and reporting of unauthorized disclosures
Compliance by subcontractors
Access, amendment and accounting by patients
Access by HHS
Return or destruction of records if feasible
Termination for material breach

Page 19: IMPLEMENTING THE HIPAA PRIVACY RULES

WHEN MUST BUSINESS ASSOCIATE PROVISIONS BE IN PLACE?

Contract Status: Compliance Date

Executed on or after April 14, 2003: date of execution
Executed prior to April 14, 2003 with no amendments or renewals prior to April 14, 2004: April 14, 2004
Executed prior to April 14, 2003 with amendment or renewal between April 14, 2003 and April 14, 2004: date of amendment or renewal

Page 20: IMPLEMENTING THE HIPAA PRIVACY RULES

WHEN ARE YOU LIABLE FOR BUSINESS ASSOCIATES?

If covered entity knows of improper pattern of activity or practice
Covered entity must take reasonable steps to cure breach
If cure unsuccessful, covered entity must
– terminate, if feasible; or
– report problem to HHS

Page 21: IMPLEMENTING THE HIPAA PRIVACY RULES

PATIENT ACCESS TO PHI

Access or copies
Time frames
Appeal rights
Reasonable copying charges
Exception for psychotherapy notes

Page 22: IMPLEMENTING THE HIPAA PRIVACY RULES

PATIENT AMENDMENT OF PHI

Time frames
No obligation to amend
Informing other entities
Statement of disagreement

Page 23: IMPLEMENTING THE HIPAA PRIVACY RULES

ACCOUNTING OF DISCLOSURES

Accounting required:
To HHS
Permitted marketing
Permitted fundraising
Research without patient authorization
Public interest purposes not covered by exemption

Accounting not required:
Treatment, payment and health care operations
Individual’s written authorization
To individual
Pursuant to oral agreement
National security or intelligence
Correctional institutions or law enforcement agencies

Page 24: IMPLEMENTING THE HIPAA PRIVACY RULES

WHAT SAFEGUARDS ARE REQUIRED?

Type of PHI: Scope of Safeguards

Electronic: rely on proposed security rules
Paper: proposed security rules, where applicable; faxes; public postings; file cabinets
Oral: proposed security rules, where applicable; telephone; hallway conversations; public announcements

Page 25: IMPLEMENTING THE HIPAA PRIVACY RULES

KEY ELEMENTS OF PRIVACY NOTICE

Mandated header
Permitted uses and disclosures (examples)
Separate statement for certain uses
Individual rights
Covered entity’s duties
Complaints
Contact information

Page 26: IMPLEMENTING THE HIPAA PRIVACY RULES

PRIVACY NOTICE — DISTRIBUTION REQUIREMENTS

Provide at first contact after compliance date
Make good faith effort to obtain written acknowledgement
Make available on-site at patient request
Make available by mail at patient request
Post on-site in conspicuous location

Page 27: IMPLEMENTING THE HIPAA PRIVACY RULES

PRIVACY OFFICER DUTIES

Oversee implementation of policies and procedures
Answer questions
Handle complaints
Investigate privacy breaches
Conduct audits
Review contracts
Coordinate employee training

Page 28: IMPLEMENTING THE HIPAA PRIVACY RULES

RELATIONSHIP TO STATE LAWS

HIPAA provides floor but not ceiling — more stringent state laws not pre-empted
Exceptions
– Certain state public health and auditing laws
– HHS determination based on specified factors

Page 29: IMPLEMENTING THE HIPAA PRIVACY RULES

SAMPLE COMPLIANCE TIMELINE

Phases in sequence, from May 2002 to the April 2003 compliance date (timeline markers at May, September, January and April):
Education
Gap Analysis
Remediation
Testing
Training

Page 30: IMPLEMENTING THE HIPAA PRIVACY RULES

ALTERNATIVE COMPLIANCE TIMELINE

Phases in sequence over the same May 2002 to April 2003 period:
Procrastination
Infighting
Half-hearted efforts
Panic
Finger-pointing

Page 31: IMPLEMENTING THE HIPAA PRIVACY RULES

DEFINE THE COVERED ENTITY

Affiliates
Hybrid entities/health care components
Organized health care arrangements

Page 32: IMPLEMENTING THE HIPAA PRIVACY RULES

CONSIDERATIONS IN DEFINING ENTITY

Standardization of policies
Centralization of administration
Sharing of information
Liability concerns

Page 33: IMPLEMENTING THE HIPAA PRIVACY RULES

GAP ANALYSIS OPTIONS

Chart of options plotted by financial resources against staff resources (each axis runs Low, Moderate, High):
Self-Assessment: low financial resources, high staff resources
Professional Self-Assessment Tool: moderate financial resources, moderate staff resources
On-site Consultants: high financial resources, low staff resources

Page 34: IMPLEMENTING THE HIPAA PRIVACY RULES

CREATE PHI FLOW CHART

Flow chart (figure); entities shown: Patient, Clinician, Registration, Billing, Medical Records, Other Providers, Accounts Receivable, Payers, DOH, QA, Finance, Collection Agency (the Patient appears at both ends of the chart)

Page 35: IMPLEMENTING THE HIPAA PRIVACY RULES

ANALYZE EACH USE AND DISCLOSURE

Consent or authorization required?
Minimum necessary applicable? Satisfied?
Business associate contract required? In place?
Subject to accounting? Recorded?
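The role-based access on page 15 and the per-disclosure checklist above can be expressed as one decision routine. The following Python is an added example, not part of the presentation or of any agency's system; the roles, field names, purpose codes, the sample record and the `disclose` function are hypothetical, and the rules it encodes are the slide summaries (pages 7, 8, 12, 14 and 23), not the regulation text.

```python
"""Added example (not from the presentation): apply the minimum-necessary
standard by role, gate psychotherapy notes separately, and keep the
accounting of disclosures, for one hypothetical mental health record."""
from datetime import date

# Constructed sample record; not real patient data. Psychotherapy notes sit
# under their own key to mirror "separated from rest of medical record".
RECORD = {
    "name": "Jane Doe",
    "dob": "1970-01-01",
    "diagnosis": "F33.1",
    "medications": ["sertraline 50 mg"],
    "session_dates": ["2002-05-01", "2002-05-08"],
    "billing_codes": ["90806"],
    "psychotherapy_notes": "Session 2: discussed conflict with sibling.",
}

# Hypothetical role-to-field map; an agency derives its own from its PHI
# flow chart. The point is that each internal role sees a named subset.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications", "session_dates"},
    "billing": {"name", "dob", "billing_codes", "session_dates"},
    "registration": {"name", "dob"},
    "records": {"name", "dob", "diagnosis", "session_dates"},
}

# Purposes the slides list as exceptions to minimum necessary (page 14).
MIN_NECESSARY_EXEMPT = {"treatment", "to_patient", "patient_authorization",
                        "required_by_law"}

# Purposes for which an accounting of disclosures must be kept (page 23);
# the "public interest" purposes are the national priority disclosures
# of page 12. Purpose codes are hypothetical.
ACCOUNTING_REQUIRED = {"to_hhs", "marketing", "fundraising",
                       "research_no_authorization", "required_by_law",
                       "public_health", "abuse_neglect", "health_oversight",
                       "legal_proceedings", "law_enforcement"}

# Purposes the slides list as not requiring an accounting (page 23).
ACCOUNTING_NOT_REQUIRED = {"treatment", "payment", "operations",
                           "patient_authorization", "to_patient",
                           "oral_agreement", "national_security",
                           "correctional"}

DISCLOSURE_LOG = []  # the accounting of disclosures; in memory for the demo


def notes_releasable(purpose, authorization, originator):
    """Psychotherapy notes need an authorization, except when their
    originator uses them for treatment (page 8 lists a few further narrow
    exceptions a real policy would enumerate)."""
    return authorization or (purpose == "treatment" and originator)


def disclose(record, role, purpose, recipient, *, authorization=False,
             originator=False, today=date(2003, 4, 14)):
    """Return the subset of `record` that may go to `recipient`, logging an
    accounting entry where one is required.

    A purpose the policy does not name is refused rather than released; so
    is a role with no field set when minimum necessary applies. `today`
    defaults to the compliance date only to keep the demo deterministic."""
    if purpose not in ACCOUNTING_REQUIRED | ACCOUNTING_NOT_REQUIRED:
        raise ValueError(f"unrecognised purpose: {purpose}")

    # Minimum necessary: exempt purposes may see the whole medical record;
    # everything else is cut down to the role's field set.
    if purpose in MIN_NECESSARY_EXEMPT:
        allowed = set(record) - {"psychotherapy_notes"}
    else:
        if role not in ROLE_FIELDS:
            raise ValueError(f"no field set defined for role: {role}")
        allowed = ROLE_FIELDS[role] & set(record)

    # Psychotherapy notes are never released on the strength of a role alone.
    if "psychotherapy_notes" in record and notes_releasable(
            purpose, authorization, originator):
        allowed.add("psychotherapy_notes")

    # Accounting of disclosures: one entry per disclosure that needs it.
    if purpose in ACCOUNTING_REQUIRED:
        DISCLOSURE_LOG.append({
            "date": today.isoformat(),
            "recipient": recipient,
            "purpose": purpose,
            "fields": sorted(allowed),
        })
    return {k: record[k] for k in sorted(allowed)}


if __name__ == "__main__":
    print(disclose(RECORD, "billing", "payment", "Payer"))
    print(disclose(RECORD, "records", "public_health", "DOH"))
    print(DISCLOSURE_LOG)
```

Two design points carry over to a real system: the psychotherapy notes are not one more field in the role map but a separate gate, so a generous role can never reach them by accident, and the accounting entry is written by the same routine that releases the data, so a disclosure that needs accounting cannot happen without being recorded.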

Page 36: IMPLEMENTING THE HIPAA PRIVACY RULES

REVIEW PATIENT RIGHTS’ POLICIES

Access and copying of records
Amendment of records
Restriction on uses

Page 37: IMPLEMENTING THE HIPAA PRIVACY RULES

REVIEW ELECTRONIC DATA SAFEGUARDS

Administrative policies
Physical plant security
Technical security measures
– catalogue hardware and software (reuse the Y2K inventory)
– compare security features to security regulations

Page 38: IMPLEMENTING THE HIPAA PRIVACY RULES

REVIEW OTHER POLICIES AND PRACTICES

Fax
File cabinets
Telephone
Waiting room procedures
Hallway conversations
Posted information

Page 39: IMPLEMENTING THE HIPAA PRIVACY RULES

EVALUATE COMPLIANCE OPTIONS

Prioritize initiatives
Reasonableness considerations
Scalability
Documentation
Maintaining confidentiality

Page 40: IMPLEMENTING THE HIPAA PRIVACY RULES

KEY REMEDIATION STEPS

Revise policies and procedures
Document policies and procedures
Execute business associate contracts
Upgrade security of software and hardware
Secure physical plant
Prepare privacy notice, consent and authorization form
Appoint privacy officer

Page 41: IMPLEMENTING THE HIPAA PRIVACY RULES

CONDUCT EMPLOYEE TRAINING

Differentiate by employee roles
Initial training before April 14, 2003
Build into hiring process
Regular refresher training

Page 42: IMPLEMENTING THE HIPAA PRIVACY RULES

TRAINING OPTIONS

Internal trainer
Outside attorney or consultant
Written manual
Videotape or CD-ROM

Page 43: IMPLEMENTING THE HIPAA PRIVACY RULES

CIVIL PENALTIES

$100 per violation
$25,000 per year cap for each type of violation
Cooperative approach by HHS
– reasonable diligence standard
– technical assistance
– informal dispute resolution

Page 44: IMPLEMENTING THE HIPAA PRIVACY RULES

CRIMINAL PENALTIES

Offense: Maximum Fine / Maximum Prison Term

Knowing use of a unique health identifier, or obtaining or disclosing individually identifiable health information (“basic offense”): $50,000 / one year
Basic offense under false pretenses: $100,000 / five years
Basic offense for commercial advantage, personal gain or malicious harm: $250,000 / ten years

Page 45: IMPLEMENTING THE HIPAA PRIVACY RULES

HELPFUL WEB SITES

http://aspe.hhs.gov/admnsimp
http://www.hhs.gov/ocr/hipaa
http://snip.wedi.org
http://www.cpri-host.org
http://www.ahima.org