Washington County Health System

Amendment to Internal Revenue Code

H ealth

I information

P ortability &

A ccountability

A ct

November 2001

Purpose of HIPAA Legislation Improve portability and continuity of health

insurance coverage Combat waste, fraud, and abuse in health care Promote the use of medical savings accounts Improve access to long-term care services and

coverage Simplify the administration of health insurance

Preamble to Public Law 104-191 (“HIPAA”), Health Insurance Portability and Accountability Act of 1996

Purpose of Subtitle F

Reasons for HIPAA Simplifications…

Reduce administrative costs and burdens associated with healthcare

Standardize data Facilitate electronic transmission of

administrative and financial transactions

Privacy and Security

Electronic movement of health information creates privacy and security issues.

Secretary of Health & Human Services (HHS) has finalized standards regarding privacy.

Regulations regarding security are in draft form.

Title II - Administrative Simplification:

Standard Status Date

1. Electronic transactions Final 10/16/02and code sets

2. Unique identifiers National providers Draft 5/7/98 National employers Draft 6/16/98 Health plans TBA Individuals On Hold

3. Privacy Final 4/14/03

Title II - Administrative Simplification:

Standard Status Date

4. Security and Electronic Draft 8/12/98Signatures

5. Claims Attachments TBA

6. Enforcement TBA

Why is patient privacy an issue?

Boston Globe 8/8/00Following routine testing, an Orlando woman received a letter from a drug company advertising its treatment for her high cholesterol.

Washington Post 3/1/95A 13 year old daughter of a hospital employee took a list of patient names and phone numbers from the hospital when visiting her mother at work. As a joke, she contacted patients and told them they were diagnosed with HIV.

Why is patient privacy an issue?

USA Today 10/10/96A Tampa, FL public health worker walked away with a computer disk containing the names of 4,000 people who tested positive for HIV. The disks were sent to two newspapers.

Mr. Sickman arrives…Dr. Wellmaker and the hospital are required to: Obtain patient consent for use of

patient health information in treatment, payment and healthcare operations

Provide a notice of privacy practices

Nurses gets Mr. Sickman’s health history from the hospital information system.

Access controls such as passwords are required for security.

Nurse must be assigned computer privileges on a need-to-know basis.

Workstations must be located in secure areas.

Disaster recovery plans and data backups are required.

Mr. Sickman regains consciousness and stabilizes.

The hospital must… Obtain his consent to use health information

for payment, treatment and healthcare operations.

Provide him with a notice of privacy practices.

Tell him information will be placed in the patient directory and allow him a chance to object.

The physicians treating Mr. Sickman must also…

Obtain his consent and provide a notice of privacy practices.

The hospital and physicians may be considered an “organized health care arrangement.” Clinically integrated setting where individuals

usually receive healthcare from more than one provider.

Hospital and physicians may use a joint consent and notice of privacy practices.

Mr. Sickman’s family asks Dr. Wellmaker for an update on his condition and prognosis.

Dr. Wellmaker must tell Mr. Sickman he would like to discuss his condition with his family.

Mr. Sickman must have the opportunity to object or limit the information disclosed to his family.

The press sends a reporter demanding to know Mr. Sickman’s condition.

HIPAA allows release to the public of directory information including: Patient name Facility location Description of the patient’s general condition

Provided that… Mr. Sickman was informed and given a chance to

object. The press asked for Mr. Sickman by name.

Registration staff contacts Mr. Sickman’s health insurance to verify eligibility.

The health plan requests additional identifying information.

Standard formats for verifying eligibility. Health plan may only request the minimum

necessary information. The patient’s specific authorization is not

required; use of health information for payment is covered under the general consent.

Dr. Wellmaker admits Mr. Sickman to the hospital…

He dictates an emergency department note, which is transcribed by an outside vendor.

Transcription vendor is considered a business associate of the hospital.

Hospital must have a business associate contract with the vendor that meets HIPAA’s requirements.

Mr. Sickman recovers and is discharged.The hospital and physicians file claims with the patient’s health insurance plan.

Standard codes for diagnoses and procedures Standard formats for electronic transactions.

Paper claims are still permitted. Health plans MUST accept the standard electronic

transactions. May not modify standard transactions and code sets. Clearing houses may be used to convert non-standard

formats into standard electronic transmissions.

Later, the hospital’s development office contacts Mr. Sickman’s family for a contribution.

Privacy rules allow for such solicitations, as long as the patient was notified of the possibility in the notice of privacy practices.

The request for donation must tell Mr. Sickman how he can ask to be removed from the contact list for future mailings.

If Mr. Sickman asks to be deleted from the mailing list, the hospital must make reasonable efforts to honor his request.

Students who participated in Mr. Sickman’s care present his case as part of their coursework.

HIPAA’s definition of healthcare operations includes training programs

No specific authorization is necessary.

Mr. Sickman asks to review his medical record.

Patients have the right to review and obtain a copy of their medical record as long as the hospital maintains the information.

There is NO automatic right of access to: Psychotherapy notes Information in criminal, civil, or administrative

actions Protected health information exempted by the

Clinical Laboratory Improvements Act

Patients reviewing their medical record…

Hospitals may deny a patient’s request under some specific circumstances.

The hospital has 30 days to respond to the patient’s request; 60 days if the records are stored off-site.

Mr. Sickman wants to know to whom the hospital has released information in his record.

The following uses need not be included in the accounting for disclosures: Payment, treatment, or healthcare operations Disclosures to the patient him/herself For the facility directory or those involved in the

patient’s care For national security or intelligence purposes To correctional institutions and law enforcement Prior to the effective compliance date of the

privacy regulations

Disclosures

The hospital must provide the listing within 60 days (with a possible 30 day extension).

A patient is entitled to one free accounting per year; subsequent requests may be charged to the patient.

The written accounting of disclosures must include…

Date of disclosure Person/organization to whom information

was disclosed Brief description of information disclosed Copy of patient authorization or request for

disclosure

Disclosure documentation must be retained for at least 6 years.

Mr. Sickman finds errors in his medical record and asks to have his record amended.

Individuals may request amendments: To their medical record For as long as the hospital maintains the

information. The hospital…

May require a written request from the patient detailing why the record should be changed.

Has 60 days to make the changes, with a possible 30 day extension

Patient’s request to change the medical record…

If the patient’s request is granted, the hospital must… Notify the patient

that the amendment was accepted

Inform other parties affected by the change

Doctoral candidate requests information for research.

Requests information on all pneumonia cases treated by the hospital in the last year.

Unless the information is “de-identified”, it cannot be provided without the patient’s authorization.

To be “de-identified”, 18 specific items must be removed from all aspects of the medical record.

Summary

Privacy is becoming more important. Patients want to be more informed. Standardized transactions will increase

efficiency. Physical and computer safe guards will

be critical. Implementation will be very costly.

Washington County Health System

BUSINESSO PERATIO NS

TEAM

PO LICIES ANDPRO CEDURES

TEAM

TECHNICALTEAM

EDUCATIO NTEAM

HIPAATASK FO RCE

SENIO RM ANAG EM ENT

HIPAA Organizational Chart

Questions?