HIPAA Privacy and Media
Ed Goldman, J.D.
Health System Legal Office
May 12, 2003
It’s HIPAA Not HIPPO!
HIPPA (NO, it’s HIPAA!) stands for:
Help Impoverished Plaintiff Attorneys
Aggrandize? No because there is no private right of action.
Help Improve Privacy Across America? Yes because it’s a Federal regulation designed to establish one set of rules for privacy.
Background
HIPAA (Health Insurance Portability and Accountability Act of 1996)
Administrative Simplification Section: Purpose is to standardize electronic transmission of health data.
Includes: Provider/Employer Identifiers (pending); Electronic Transactions (09/16/03); Security (04/21/05); e-signature (10/01/00) and Privacy (04/14/03).
Philosophy
“A journey of a thousand miles must begin with a single step.”
-Chinese Proverb
New Philosophy
“A journey to protect the privacy and security of protected health information must begin with a single step, a dedicated committee and a lot of money.”
-HIPAA Proverb
Important Dates
HIPAA Privacy regulations were final 04/14/01 and effective 04/14/03.
HIPAA Security regulations are effective 04/21/05.
HHS can modify once per year. Last modification was 08/02.
Overview
Regulations apply to Covered Entities (CE):
1. Health Plans: provide or pay for health care, including HMO’s, benefit plans.
2. Health Care Clearinghouses
3. Health Care providers who transmit any health information in electronic form.
Overview
Regulations cover: Individually identifiable health/billing information. AKA: Protected Health Information (PHI):
Information kept in any form (oral, written, electronic) created or received by a CE relating to a person’s physical/mental health or payment for health care. Covers both living and deceased patients.
Overview
Regulations also include: Business Associates (BA): Non-employees who, on behalf of a CE, perform a service involving PHI. Ex: Claim processing; record copy; malpractice defense; audit; consulting; software development; quality assurance.
Included entities: NCQA; UHC; JCAHO; non-covered portions of UM
Preemption of State Law
State law is preempted except if:
HHS determines it serves to prevent fraud or serves a compelling State interest,
it is “more stringent” (provides more privacy protection),
it is a disease reporting law,
it is a State audit/licensing law.
Enforcement
Patients can file complaints with the HHS Office of Civil Rights (www.hhs.gov/ocr/hipaa)
CE must keep records and allow HHS access to audit
Civil fines: $100/violation
Criminal fines: $250,000/up to 10 years (disclosure for commercial purposes)
The Privacy Rule
Rule: CE cannot disclose PHI except:
to the patient
with a general consent to the treatment team (Emergency exception)
as specifically authorized by the patient
as required by law
in a directory (if the rules are followed and opt-out is allowed)
The “Minimum Necessary” Rule
Disclosure must be limited to the “minimum necessary to accomplish the intended purpose” except all PHI can be disclosed to treatment team and to patient and to HHS for audit or as required by law.
NOTE: De-identified information (removal of 19 elements) is not PHI.
Elements of the Regulation
1. Notice of Privacy Rights
2. General acknowledgement for treatment, payment, health care operations
3. Specific authorizations
4. Exceptions for required reporting
5. Patient access, amendment and audit rights
6. Privacy officer and administrative rules
Notice of Privacy Rights
Must be provided to all patients (except emergency).
Must include all the rules with examples of uses of PHI.
Must have person to contact for complaints.
Lots of specific requirements. Posted at: med.umich.edu/hipaa.
General Acknowledgement
Must be signed prior to rendering treatment, payment, health care operations (TPO).
Health care operations include:
QA
Credentialing
Compliance; business planning
Education of students, trainees, workforce (but not research)
Specific Authorizations
Required for all disclosures for any other purposes (research, disclosure to 3rd party, release of “psychotherapy notes”, etc.)
Care cannot be conditioned on obtaining an authorization (exception for research coupled with treatment or enrollment in health care plan)
Required Reporting
Disclosures required by law (child abuse, FDA, product recalls, communicable diseases)
To employer for workers comp with written notice to employee
In response to a Court order
For law enforcement purposes
To Coroner, funeral directors, organ donation.
Patient 3A’s Rights
Patient may access PHI, obtain copy (for fee)
Patient may request amendments, and Facility needs a process to review the request
Patient may (for 6 years) request and obtain an accounting of all persons who have seen the patient’s PHI for other than TPO.
Therefore, CE needs a reliable audit system.
Disclosure to Business Associates
Only pursuant to a written agreement with assurances of protection and no re-disclosure.
PHI returned or destroyed at end of contract
Rules have lots of specific requirements for the contract.
Facility Directories
Patient’s name, location, condition in general terms can be provided IF Notice says so and IF patient has opportunity to restrict/prohibit use (opt out). Except: Emergency.
Family, close personal friends, press (if they ask by name), clergy or those identified by the patient can have this information.
What to Tell the Press?
Except if the patient has been notified and has objected, the CE can, upon request with patient name, disclose:
1. Patient name
2. Location
3. Condition in general terms that do not communicate specific medical information
Marketing/Fundraising
Marketing: Need Authorization except if: face to face encounter for products of nominal value which may be useful to patient and any financial remuneration to CE is disclosed, or description of UMHS services.
Fundraising: Need Authorization except if fundraising for CE only and use only demographic information or service dates.
Examples
General newsletter OK
General mailing to all patients OK
If CE wants to target all cancer patients then a specific Authorization is needed because CE will need to look at information about the patients’ specific disease.
Fundraising/marketing need opt-out.
Referring Physicians
If part of the treatment team then full PHI can be shared pursuant to the Notice of Privacy.
If referral with no expectation of providing further care to the patient then written authorization from patient required to disclose information.
Administrative Rules
CE must:
designate a Privacy Officer
establish a complaint office
have safeguards for PHI protection
train staff
document complaints
create contracts with BA’s
Administrative Rules 2
Discipline workforce members who violate the rules
mitigate any harmful effects of disclosure
refrain from intimidation of patients who exercise their rights under the regulations
allow access to HHS for audit
Create amendment/audit system
“How Can PR help?”
UMHS will need editing and website help. See website at med.umich.edu/hipaa
Also need publications/publicity about the new regulation.
And, any other help you can think of will be cheerfully accepted!
Where to Find Out More?
http://aspe.os.dhhs.gov/admnsimp gets you to the administrative simplification page.
www.hhs.gov/ocr/hipaa gets you to the Office of Civil Rights page with lots of current information.
www.epicurious.com gets you to some great food.
Question and Answer
Currently most useful answer is: These regulations are complex and evolving but the institution must comply for the benefit of our patients. For media we must be sure to protect privacy. No use of images without permission. No disclosure of PHI without full compliance with the regulations.