To HIPAA and Beyond: The Law of Confidentiality and Security
Publi...

Slides:
  • Documentation
  • The “Golden Rule of Documentation”
  • Confidentiality - Access to Records Generally
  • Conditions for Release of Information
  • TB/STD/DC Records: Special Confidentiality
  • Disease Control Guidelines
  • Confidential Information (EPI)
  • Released With Authorization
  • Written Authorization Not Required
  • What Makes a Valid Authorization?
  • Note Concerning Certain Information
  • Release of Contact Information – Don’t Do It!
  • Confidentiality – Access to Medical Records of Minors
  • Access to Medical Records of Minors – Rights of the Parents
  • HIPAA – In Brief
  • PHI – What is it?
  • The Privacy Rule: What and Who Is Covered?
  • Releases without Written Consent
  • Business Associates
  • Business Associates and ARRA
  • HIPAA Privacy Rule: Who is Not Covered?
  • HIPAA Privacy Rule: What Is Not Covered?
  • HIPAA - What it Doesn’t Do
  • HIPAA and ADPH Privacy
  • How Uses/Disclosures Are Regulated
  • Permitted Disclosures
  • Disclosure to Police
  • Disclosure to National Security Agencies
  • Disclosure To Public Health
  • Child or Elder Abuse Notice
  • Information on Decedents
  • Maintenance of Documentation
  • HIPAA - The Security Rule
  • What about e-PHI?
  • Security of the Premises
  • Building Security
  • Paper Security
  • Use of Department Computers
  • Use of Computers
  • Email and Internet Security
  • Laptop Security
  • Patient Accounting (two slides)
  • HIPAA Log
  • Required Logged Items
  • Disclosures Not Logged
  • HIPAA Breaches
  • Breaches - Penalties: Breach may subject employees and the Covered Entity to criminal penalties (up t...
  • Program Management: The HIPAA program and certain other similar programs are under the management of the...
  • Red Flag Regulations: Federal Trade Commission Regulations designed to protect against identity theft ...
  • Categories of “Red Flags”: Alerts, notifications, or warnings from a consumer reporting agency; ...
  • See Also Policy Documents: 98-07 Fax Policy; 03-10 Notice of Privacy Practices (NOPP) ◦ Under Rev...
  • For A Copy of the Presentation: See “HIPAA For Area 2”, a download on Slideshare: http://ww...
HIPAA for Area 2
Published in: Education, Business, Technology

  • Substantiates proof of services
    Provides continuity of care
    Documentation must be objective facts, not opinions
  • If it ain’t wrote down . . .
    it didn’t happen!
    The way it is wrote down is the way it happened regardless of the way it happened
  • All patient information is strictly confidential. See Department policy: Employee Handbook 10-02
    It is the policy of the Alabama Department of Public Health (Department) to maintain strict confidentiality of personal information, written or unwritten, such as medical, financial and demographic information (e.g., addresses, social security numbers, telephone numbers, etc.) given to a Public Health employee in any discipline. Information can be released to individuals outside the Department’s system of care only upon the written consent of the individual client, or parent/guardian as applicable, or as otherwise provided by law. Employees of the Department who handle personal information are required to uphold the individual’s right to privacy. Individual employees may be held personally liable for any adverse consequences to the client or inappropriate release of information or breaches of confidentiality. Any proven violation of confidentiality will not be tolerated and is grounds for disciplinary action up to and including termination of employment and/or legal action. Furthermore, employees are protected from any discrimination, harassment or retaliation for the reporting of a violation of this policy.
    PROCEDURES
    Employees authorized to have access to confidential information must treat the information as Departmental property for which they are personally responsible. Confidential information may be discussed within the Department as minimally necessary.
    Employees are prohibited from attempting to obtain confidential information for which they have not received authorization.
    All suspected breaches of confidentiality must be reported immediately by telephone through the appropriate supervisory chain to the Privacy Officer in the Office of General Counsel.
    The Privacy Officer in conjunction with the Office of Personnel and Staff Development will determine the appropriate response.
    An ARIA Form regarding any suspected breach of confidentiality must be filed.
    Some bad scenarios:
    A doctor’s office clerk.
    A hospital nurse, HIV, and a boyfriend.
    Bad scenarios equal bad liability. We’ll see more about penalties later.
  • Conditions for release of information
    Prior written consent of patient, parent/guardian.
    Subpoena in accordance with departmental policy
    Otherwise provided by law
    Note: with a signed release, we can release any records, even STD/HIV/AIDS with certain exceptions
  • Notifiable disease information is not subject to inspection, subpoena, admission into evidence in any court except by the health department to compel the testing, examination, commitment or quarantine of an individual. Code of Ala. 1975, § 22-11A-2
    Request for notifiable disease medical record should be forwarded to the legal office for resolution. Call 334.206.5209.
    See Policy No. 2004-02 for specifics.
  • Disease Control has new guidelines on when and how information is released
    The determination regarding release of epidemiologic documents will rest with the Bureau Chief in coordination and consultation with the Office of General Counsel.
    The following information is not confidential, is considered to be public records, and may be released upon subpoena or other written request:
    Final completed report, written in conventional form and not identifying any persons, whether sick patrons or employees.
    The name of businesses, establishments, restaurants involved in an investigation.
    Aggregate statistical information (e.g., number of cases of reportable conditions/diseases and outbreaks of public health significance).
    Any other public document such as press clippings and internet postings.
    Regular environmental inspection reports and daycare reports made in the normal course of business such as periodic inspections and notices of violation.
  • The following information, whether retained as documents or by electronic means, is confidential and not considered to be public record, but may be released pursuant to a lawful HIPAA-compliant subpoena if personal health information (PHI) is redacted. PHI includes, but is not limited to, name, address, telephone numbers, social security numbers, and workplace.
    Epidemiologic interview sheets
    Any information provided by a medical provider, lab, school authority or other required reporting entity
    Work papers, notes and analyses
    Disclosure of actual numbers of cases, sample sizes or any other description or numeric value which has the potential to identify any person
    Correspondence on a particular investigation
    Complaint-generated environmental and other inspection reports
    Incomplete drafts of reports
    Other documents received privately
  • The following information is confidential but may be released only pursuant to a valid authorization from a patient/client: A notifiable disease record generated by the Department or in the possession of the Department (such as electronic laboratory reports or facsimile lab reports) that concerns the symptoms, condition or other information specific to an individual.
    One patient’s authorization, however, does not release other persons’ names or information.
  • Written consent not required for transfer of information from one county health department to another or to the state office, transfer of information to physicians, nurse practitioners or other health professionals who have a contract or other provider arrangements to provide care to our patients.
    Some practitioners require consents to transfer out of an abundance of caution; we do not.
  • A valid authorization contains:
    Description of the info to be released
    Name or description of info receiver
    Name of patient
    Description of the use of the info
    Expiration date or continuous
    Right of revocation by pt.
    Notice of possible re-disclosures
    Signature of pt or representative
    See CHR Form 6A and instructions
  • CHR 6A states that pt. is made aware that s/he is releasing STD/HIV/AIDS or drug and alcohol treatment or mental health records
    This is NOT required if other providers’ releases meet the earlier criteria
  • The “medical record” or information regarding notifiable diseases cannot be released without the written consent of the patient or the parent/guardian.
    Even with consent, the “medical record” should not include contact information. If your patient has an STD or HIV, record medical condition in your documentation. Do not write identifying information about how the patient contracted the STD/HIV.
  • If a minor is legally qualified to consent for services and in fact signs the “consent for treatment”, only the minor can sign to release the medical information regarding those services.
    If the parent/guardian signs the consent for treatment, the parent/guardian or the minor may consent for the release of medical records.
  • Alabama statute provides that all information, including medical records, pertaining to a child must be equally available to both parents in all types of custody arrangements unless otherwise ordered by a court of law. Code of Ala. § 30-3-154
    If the parent or guardian gave consent for medical services, then the parent or guardian of the minor is generally entitled to his or her child’s medical record. This information would also be available to the other parent.
    If the child gave consent for services, neither parent may have access to the records without that child’s consent.
  • HIPAA stands for The Health Insurance Portability and Accountability Act
    The Health Insurance Portability and Accountability Act (HIPAA) was passed on August 21, 1996. Among other things, it included rules covering administrative simplification, including making healthcare delivery more efficient. Portability of medical coverage for pre-existing conditions was a key provision of the act, as was defining the underwriting process for group medical coverage. It also provided standardization of electronic transmittal of billing and claims information. Congress recognized that standardizing the electronic means of paying and collecting claims data increased the potential for abuse of people's medical information. So a key part of the act also increased and standardized confidentiality and security of health data. HIPAA privacy regulations require that access to patient information be limited to only those authorized, and that only the information necessary for a task be available to them. And finally, personal health information must be protected and kept confidential.
    HIPAA was amended by “ARRA”, the American Recovery and Reinvestment Act of 2009, which includes as one component the Health Information Technology for Economic and Clinical Health (HITECH) Act; HITECH authorizes $36 billion of funding to put in place an electronic health information technology (HIT) infrastructure.
  • Patient name
    Patient address
    Patient phone number
    Patient date of birth
    Patient social security number, Medicaid number, etc
    Diagnosis
    Treatment information
    Financial information
  • What is covered?
    “Protected Health Information” (PHI): individually-identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally. 45 C.F.R. §160.103
    Who is covered?
    Health care providers that conduct certain electronic transactions, i.e., billing, or hybrid entities (like ADPH)
    Health care plans
    Health care clearinghouses. 45 C.F.R. §160.103
    ADPH is a covered entity.
  • You can use protected health information (PHI) without the patient’s authorization for:
    Treatment - provision, coordination or management of health care and related services
    Payment - includes the various activities of health care providers to obtain payment or be reimbursed for their services
    Operations – administrative, financial, legal, and quality improvement activities that are necessary to support the core functions of treatment and payment
    Where required by law
  • Business associates of CEs are bound by contract with the CE, and by the new amendments, to follow the same level of protection in the privacy rule. They include:
    Claims or data processors; billing companies;
    Quality assurance providers; lawyers;
    Utilization reviewers; accountants; and
    Financial service providers
    45 C.F.R. §160.103
  • Business Associates of Covered Entities must now adhere to the Security Rule like covered entities
    They must establish administrative, physical, and technical safeguards for Protected Health Information (PHI)
    They must have their own policies and procedures to comply with the safeguards
    Business Associates now have an affirmative duty to ensure they are only using or disclosing PHI in accordance with HIPAA.
    It is a violation to know of a pattern of activity or practice by the CE that would constitute a violation and not report it to HHS
    Same types of penalties and criminal sanctions as CEs for HIPAA violations
    Rat Fink provisions – they must turn in their principals.
  • Entities not covered:
    Life insurance companies
    Auto insurance companies
    Workers’ compensation carriers
    Employers
    Others who acquire, use, and disclose vast quantities of health data. However, PHI cannot be bought and sold.
  • PHI does not include
    Education records covered by FERPA
    Employment records held by a covered entity in its role as employer
    Non-identifiable health information
    45 C.F.R. §160.103
  • HIPAA -What it Doesn’t Do
    State laws stay in force
    Only limited encryption of communications
    No requirement of major facility restructuring
    Incidental disclosures not totally eliminated
    Reporting not changed
    Relationships not changed
  • Under HIPAA You can use protected health information (PHI) without the patient’s authorization for: Treatment - provision, coordination or management of health care and related services; Payment - includes the various activities of health care providers to obtain payment or be reimbursed for their services; Operations – administrative, financial, legal, and quality improvement activities that are necessary to support the core functions of treatment and payment; and where required by law. See ADPH HIPAA Privacy Policy 06-008 which discusses the “Minimum Necessary” Concept, patient verification requirements, fax Confidentiality, the “HIPAA Log”, and breach sanctions.
    The Policy needs updating, as it refers to policies subsumed in the Employee Handbook.
    See CHR Manual and New Employee Handbook 2010-02 as well.
  • The “Minimum Necessary Rule”
    When using or disclosing PHI, a covered entity must make reasonable efforts to limit such information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Under HITECH, OIG is supposed to promulgate guidance on what they think the “minimum necessary” is – I can’t wait.
  • Permitted disclosures:
    Disclosure of PHI to “public officials” to lessen the effects of the emergency
    To law enforcement for their necessary activities. We’ll see more later
    To national security and intelligence agencies
    To Public Health authorities
    To judicial authorities
    To Researchers
    To DHR for limited purposes
    Whatever we disclose, Covered Entities and their Business Associates should not use or disclose PHI beyond what is reasonably necessary for the purpose of the use or disclosure
  • The law enforcement purposes for which PHI may be released without authorization are:
    Pursuant to process and as otherwise required by law. 45 CFR §164.512(f)(1)
    For identification and location purposes (limited information only). 45 CFR §164.512(f)(2)
    In response to request for such information about an individual who is or is suspected to be a victim of a crime. 45 CFR §164.512(f)(3)
    For purpose of alerting law enforcement official about a suspicious death. 45 CFR §164.512(f)(4)
    For purpose of reporting evidence of criminal conduct occurring on premises of covered entity. 45 CFR §164.512(f)(5).
    A provider who is providing care in response to a medical emergency may alert law enforcement regarding information pertaining to a crime. 45 CFR §164.512(f)
    (1) May use or disclose PHI if the use or disclosure:
    (i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
    (B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or
    Is necessary for law enforcement authorities to identify or apprehend an individual
  • CEs may disclose PHI to authorized federal officials for the conduct of intelligence, counter-intelligence, and other national security activities.
    If it is national security, we disclose any information they need. It is not subject to the law enforcement limitations.
  • Disclosures to Public Health
    The public health exception allows a covered entity to disclose PHI without individual authorization to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and … controlling disease, injury, or disability, including… reporting of disease… and the conduct of public health surveillance….”
  • Examples of specific public health-based exceptions include disclosures:
    About victims of abuse, neglect, or domestic violence
    To prevent serious threats to persons or the public
  • Information on decedents may be released to
    Law enforcement
    Transporting emergency medical personnel
    Coroners and their personnel
    Mortuary personnel
    Bureau of Health Statistics
    But the fact that they are dead does not remove the general protection of the record.
  • CEs must maintain all documentation (e.g., policies, procedures) required by the Security Rule for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, CEs must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity, and availability of EPHI.
  • The rule applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. IIHI relates to 1) an individual's past, present, or future physical or mental health or condition, 2) an individual's provision of health care, or 3) past, present, or future payment for provision of health care to an individual. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.
  • Same as PHI, but created, received, or maintained electronically.
    Does not include telephone calls, copy machines, fax machines, most voice mail.
    Does not include de-identified information.
  • HIPAA Security Rule
    HIPAA requires security of the premises, i.e., door locks. Watch out for strange people who don’t need to be there.
    HIPAA also requires security of the electronic records (computer security).
    Information should be password protected.
    Don’t share your password with anyone except IT staff.
    Put computers where outsiders can’t see them.
    Screen savers must be used and should be on a short delay.
    Always lock out your computer when you walk away from it.
    Never leave anyone in the room when you leave without locking out.
    Be careful about your computer; don’t get it infected with a virus or spyware. Don’t visit strange websites, and don’t download off the internet. Run an antivirus program frequently if you don’t have IT staff to do this.
    Information that stays within the facility need not be encrypted. But if you take it outside, whether by sending an e-mail or on a laptop, disk or thumb drive, such information should be encrypted using an encryption program.
    HIPAA requires security of the paper. It should be locked up when not needed and not left lying around.
    Name badges might be a good idea to help tell who is supposed to be there. ADPH requires them, but HIPAA does not per se.
  • Post the Department’s Notice of Privacy Practices where clients can see it
    Maintain visitor sign-in logs and have visitors sign in and out (this includes repair persons)
    Use ADPH and Visitor ID badges always when at work.
    Keep back doors locked or monitored during business hours
    Keep server rooms locked
    Keep PHI storage areas locked when unattended
  • Clean Desk
    ◦ Keep patient records covered or in folders
    ◦ Lock records up at end of day or when away from desk
    Fax/Copy Machines
    ◦ Put fax & copiers in secure area away from traffic flow
    ◦ Remove faxes/copies promptly
    File Cabinets
    ◦ Keep locked when unattended
    ◦ Locate in secure area
    ◦ Limit access
    Shred it!
  • Only use Department furnished equipment and software. (Security Manual, III.C. Workstation and State Electronic Equipment Use Policy)
    CSC/Tech Support will purchase and install all network-connected devices. (Security Manual, III.C. Workstation and State Electronic Equipment Use Policy)
    All personal computers and laptops will have password protection and will have an automatic screensaver, which will activate after 15 minutes or less of unattended use. (Security Manual, III.C. Workstation and State Electronic Equipment Use Policy)
    CSC/Tech Support will install software updates for security and antivirus weekly on personal computers. (Security Manual, II.F.2 Protection from Malicious Software)
    Users will connect laptops to the network at least once a month, log into the master database, and receive updates for security and antivirus software. (Security Manual, III.D. Workstation Security Policy)
    Users will back up critical data or e-PHI stored on their personal computer or laptop to their assigned folder on the server. Users do not need to back up data created and stored in an enterprise information system such as PHALCON, McKesson, or ACORN, because CSC/Tech Support automatically performs backups of these systems. (Security Manual, III.E.4. Data Backup and Storage)
  • The Department will require password changes every sixty days. Users will create a new password when prompted and will keep passwords secured. (Security Manual, II.F.4. Password Management)
    Users will not use equipment for unlawful activities, distributing pornography, gambling, or offensive/harassing messages and images. Supervisors will be responsible for monitoring employees’ usage through observation and will handle violations in accordance with Department disciplinary procedures. (Security Manual, III.C. Workstation and State Electronic Equipment Use Policy)
    Users should report suspected security violations, virus attacks, cyber criminal attacks, or physical compromises to the CSC Support Desk immediately. (II.G.1 Security Incident Response and Reporting) Contact the help desk at 334-206-5268 to report.
    When an employee begins work and requires a computer and access to information systems, the bureau/office/local administrator will notify the CSC Support Desk. (Security Manual, II.E.2. Access Authorization)
    When an employee leaves the Department or transfers to a new office, the bureau/office/local administrator will notify the CSC Support Desk and complete a Computer Access Removal Form. (Security Manual, II.E.2. Access Authorization)
    When salvaging or transferring computer/electronic equipment, the Department must remove all sensitive data or e-PHI from the device. To do that, the office/bureau will salvage the item using the Department equipment salvage procedures. CSC will properly destroy the memory storage components in the equipment. (Security Manual, III.E.1. Device and Media Disposal and III.E.2. Media Re-use)
    ADPH facilities must be limited to authorized users and safeguarded from unauthorized access, tampering, and theft. Each office/bureau will have procedures for physical security to include locking, key control, electronic device and media protection, employee identification badges, and visitor logs. (Security Manual, III.B.2. Facility Security Plan and III.B.3. Physical Access Control and Validation Procedures)
    Be careful with portable storage devices
  • It is safe to email within the ADPH Notes system. Email to outside sources should encrypt protected information.
    Email
    Do not open email from an unknown source; especially unknown attachments
    Verify email recipients; make sure email is going to intended recipient
    Always encrypt email and attachments containing protected information
    Read security reminders
    Avoid risky internet sites
  • Keep laptop out of view when traveling
    Do not leave in hot vehicle for long time
    Do not check with luggage when flying
    Password protect
    Set screen saver to require password
    Log on to network once a month to update virus protection software
    Encrypt protected information
  • Patients may ask for a listing of disclosures we have made of their PHI for up to six (6) years prior to the request in paper or electronic form (not including disclosures made prior to April 14, 2003).
    The following disclosures are NOT required to be accounted for:
    Treatment, Payment, Healthcare Operations (TPO)
    Disclosures authorized by the patient or authorized representative
    Disclosures to the patient or persons involved with their care
  • Other disclosures which are not required to be accounted for:
    National security or intelligence purposes
    Correctional institutions or law enforcement officials having lawful custody of an inmate
    Incidental disclosures
    Limited Data Sets used for research purposes
    An accounting is required for disclosures of which the patient may not be aware, e.g., those which are required by law (such as abuse or communicable diseases) or accidental disclosures. Accidental disclosures should also be reported to your Privacy Officer.
    If we have it in electronic form, we may be required to give it in electronic form.
  • The HIPAA Log is a single file which relates to pt. files. It is kept with medical records. You should document the following “non-routine” disclosures.
    The information that must be documented for each disclosure is:
    the date of the disclosure;
    the name of the entity or person who received the PHI and, if known, the address and contact information;
    a brief description of the PHI disclosed (e.g., records for visit on June 7, 2003, all radiology reports related to broken wrist, etc.); and
    a brief statement of the purpose of the disclosure that reasonably informs the patient of the basis for the disclosure.
  • Required Logged Items
    Unauthorized releases on the AIR Form, soon to be the ARIA E-form
    Releases required by law
    Releases based upon subpoena
    Releases to law enforcement for ID
    Requests to limit releases
    Requests to amend or correct PHI
    Requests by the patient for accounting
    Reports about victims of abuse, neglect, or domestic violence
  • DISCLOSURES NOT REQUIRED TO BE LOGGED:
    made to carry out treatment, payment, or healthcare operations;
    made to the patient;
    made pursuant to a valid and effective authorization (one that complies with the requirements of state law as well as with the HIPAA Privacy Regulations) signed by the patient;
    made to persons involved in the patient's care or for other notification and location purposes;
    to federal officials for national security or intelligence purposes;
    to a correctional institution or law enforcement official that has custody of a patient;
    that are part of a limited data set; and
    to a health oversight or law enforcement official
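As an added illustration (this is example code, not part of the presentation and not ADPH's own HIPAA Log software), the following Python script models the HIPAA Log entry fields listed above and the accounting rules from the slides: which fields each entry must carry, which disclosure categories are exempt from the accounting, the six-year look-back from the patient's request, and the April 14, 2003 cut-off. The category labels, recipient names, dates and purposes in the sample log are constructed for the example; the exemption set follows the page's own lists and leaves out the page's contradictory "law enforcement official" item, so law-enforcement ID releases are treated as accountable, as the "Required Logged Items" slide states.

```python
"""Constructed HIPAA Log model and accounting-of-disclosures helper (example only)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# The page: accounting excludes disclosures made prior to April 14, 2003,
# and covers up to six years before the request.
ACCOUNTING_START = date(2003, 4, 14)
ACCOUNTING_YEARS = 6

# Purpose categories the slides list as NOT requiring an accounting.
# The short labels are this example's own, not HIPAA or ADPH terminology.
EXEMPT_CATEGORIES = frozenset({
    "treatment", "payment", "healthcare_operations",   # TPO
    "to_patient", "involved_in_care",                  # to the patient / persons involved in care
    "patient_authorized",                              # pursuant to a valid authorization
    "national_security",                               # federal national security / intelligence
    "correctional_custody",                            # correctional institution / lawful custody
    "incidental",                                      # incidental disclosures
    "limited_data_set",                                # limited data set used for research
    "health_oversight",                                # health oversight official
})


@dataclass
class LogEntry:
    """One HIPAA Log entry; fields follow the page's 'must be documented' list."""
    disclosed_on: date
    recipient: str                            # entity or person who received the PHI
    description: str                          # brief description of the PHI disclosed
    purpose: str                              # brief statement of purpose, for the patient
    category: str                             # constructed label used by the exemption rules
    recipient_contact: Optional[str] = None   # address/contact "if known", so optional


def missing_fields(entry: LogEntry) -> List[str]:
    """Names of required text fields that are blank (contact info is optional)."""
    required = {
        "recipient": entry.recipient,
        "description": entry.description,
        "purpose": entry.purpose,
    }
    return [name for name, value in required.items() if not value.strip()]


def must_be_accounted(entry: LogEntry) -> bool:
    """True when the disclosure falls outside every accounting exemption."""
    return entry.category not in EXEMPT_CATEGORIES


def _years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_of_disclosures(log: List[LogEntry], requested_on: date) -> List[LogEntry]:
    """Entries the patient is entitled to see: accountable, within six years of the
    request, and not before the April 14, 2003 cut-off; oldest first."""
    window_start = max(_years_before(requested_on, ACCOUNTING_YEARS), ACCOUNTING_START)
    hits = [e for e in log
            if must_be_accounted(e) and window_start <= e.disclosed_on <= requested_on]
    return sorted(hits, key=lambda e: e.disclosed_on)


# Constructed sample log for one patient (recipients, dates and purposes are invented).
SAMPLE_LOG = [
    LogEntry(date(2003, 2, 1), "Circuit Court", "visit records Jan 2003",
             "subpoena", "subpoena"),                                  # before cut-off
    LogEntry(date(2004, 5, 20), "Circuit Court", "lab reports 2004",
             "subpoena", "subpoena"),                                  # may fall outside window
    LogEntry(date(2008, 9, 15), "City Police Dept", "name, address, DOB",
             "identification of an individual", "law_enforcement_id"),
    LogEntry(date(2009, 3, 2), "Dr. Example (referral)", "full chart",
             "treatment", "treatment"),                                # TPO: exempt
    LogEntry(date(2010, 1, 10), "Research consortium", "limited data set",
             "research", "limited_data_set"),                          # exempt
    LogEntry(date(2010, 6, 7), "County DHR", "records for visit on June 7, 2010",
             "abuse report required by law", "required_by_law"),
]


def sample_accounting(requested_on_iso: str) -> List[str]:
    """Run the accounting over the sample log; ISO date in, ISO disclosure dates out."""
    requested = date.fromisoformat(requested_on_iso)
    return [e.disclosed_on.isoformat()
            for e in accounting_of_disclosures(SAMPLE_LOG, requested)]


if __name__ == "__main__":
    for e in accounting_of_disclosures(SAMPLE_LOG, date(2010, 12, 1)):
        print(e.disclosed_on, e.recipient, e.purpose)
```

A request dated 2010-12-01 against the sample log returns only the 2008 law-enforcement ID release and the 2010 abuse report: the treatment and limited-data-set disclosures are exempt, the 2004 subpoena release is older than six years, and the 2003 entry predates the cut-off.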
  • When there is a breach of PHI or e-PHI, you have a duty to report on an ARIA
    Call if it is serious!
    When complaints or notice of breaches are received by the Privacy Officer, the agency has a duty to:
    Investigate - Mitigate, resolve, respond, and document activities relating to the investigation, mitigation and response in the HIPAA Log.
    Notification - We might have to notify the patient that his or her information has been compromised.
    Reporting - No report to HHS is required, though the process is subject to compliance audit.
    Remediation - The agency’s response may require amendment of privacy policies and procedures.
    Discipline - Response may require employee sanctions for employee breaches. HHS will look on an audit to see if this was followed up. See 45 CFR § 164.530(e-g). ADPH defines this in Policy 03-03.
    Criminal Penalties - A person’s knowing use or disclosure of PHI in violation of HIPAA may result in criminal penalties of up to $50,000 in fines and one year in prison. Uses or disclosures made under false pretenses may result in criminal penalties of up to $100,000 in fines and 5 years in prison. HIPAA Privacy Rule violations committed with intent to sell, transfer or use PHI for commercial or personal gain or malicious harm are punishable by a fine not to exceed $250,000 and/or 10 years in prison. A recent case in the Northwest has a hospital employee in big trouble.
    Civil Causes of Action - A violation of the HIPAA Privacy Rule may also create a civil cause of action.
    Furthermore, a failure to follow HIPAA privacy procedures may become the “standard of care” in common law breach of privacy actions under state law.
  • Breach may subject employees and the CE:
    To criminal penalties (up to $250,000); you are not covered by the Fund.
    To HHS civil penalties or lawsuits
    To adverse employment action, i.e.,
  • The HIPAA program and certain other similar programs are under the management of the Risk Management Committee composed of the Privacy Officer, Security Officer, Code Specialist and other senior personnel
    Committee proposes HIPAA policy changes
    Committee receives and processes all accident/incident reports including possible HIPAA breaches
    The Committee oversees Red Flags instances
  • Federal Trade Commission Regulations designed to protect against identity theft
    As a “creditor”, ADPH has “covered transactions” with clients/patients
    ADPH has a duty to be on the lookout for certain red flags
    Under the Red Flags Rule, ADPH must:
    Develop a written program that identifies and detects “red flags” of identity theft
    Describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program
    Have the program managed by the Board of Directors or senior employees
    Include appropriate staff training, and
    Provide for oversight of any service providers.
  • Categories of Red Flags:
    Alerts, notifications, or warnings from a consumer reporting agency;
    Suspicious documents;
    Suspicious personally identifying information, such as a suspicious address;
    Unusual use of – or suspicious activity relating to – a covered account; and
    Notices from customers, victims, law enforcement authorities, or businesses about possible identity theft
  • See also:
    98-07 Fax Policy
    03-10 Notice of Privacy Practices (NOPP), under revision
    03-30 Vital Records Policies
    04-02 Receipt of Legal Documents
    05-16 HIPAA Security Policy/Manual
    06-08 HIPAA Privacy Policy
    10-04 Contract Employee Handbook
    ARIA E-Form
  • Transcript of "Hipa afor area2"

    1. To HIPAA and Beyond: The Law of Confidentiality and Security. Public Health Area II, December 2010. By John R. Wible, General Counsel, Alabama Department of Public Health. ADPH, 2010.
    2. Documentation: substantiates proof of services; provides continuity of care; documentation must be objective facts, not opinions.
    3. The “Golden Rule of Documentation”: If it ain’t wrote down it didn’t happen! “Wible’s corollary”: The way it is wrote down is the way it happened regardless of the way it happened!
    4. Confidentiality, Access to Records Generally: All patient information is strictly confidential (see Employee Handbook 10-02). Some bad scenarios; bad scenarios equal bad liability.
    5. Conditions for Release of Information: prior written consent of the patient or parent/guardian; subpoena in accordance with Departmental/institutional policy; otherwise provided by law.
    6. TB/STD/DC Records, Special Confidentiality: STD/TB/disease control information is not public; not revealed even by subpoena; not admissible into evidence except for commitment hearings. ADPH requests for notifiable disease records are to be forwarded to Legal (call 334.206.5209). See ADPH Policy 04-02 for specifics.
    7. Disease Control Guidelines, information considered not confidential: final completed report written in blank, not identifying any persons; the names of businesses, establishments, restaurants involved in an investigation; aggregate statistical information; any other public records; regular environmental and daycare inspection reports.
    8. Confidential Information (EPI): epidemiologic interview sheets; required reports; work papers, notes and analyses; actual numbers of cases or IDs; correspondence on a case; complaint-generated environmental and other inspection reports; incomplete drafts of reports; other documents received privately.
    9. Released With Authorization: a notifiable disease record generated by the Department or in the possession of the Department (such as electronic laboratory reports or facsimile lab reports) that concerns the symptoms, condition or other information specific to an individual. One patient’s authorization, however, does not release other persons’ names or information.
    10. Written Authorization Not Required: transfer of information from one county health department to another or to the state office; transfer of information to physicians, nurse practitioners or other health professionals with contract or other provider arrangements to provide care. Some practitioners require consents to transfer out of an abundance of caution.
    11. What Makes a Valid Authorization? Description of the info to be released; name or description of the info receiver; name of patient; description of the use of the info; expiration date or continuous; right of revocation by pt.; notice of possible re-disclosures; signature of pt. or representative. See CHR Form 6A and instructions.
    12. Note Concerning Certain Information: CHR 6A states the pt. is made aware that s/he is releasing STD/HIV/AIDS or drug and alcohol treatment or mental health records. This is NOT required if other providers’ releases meet the earlier criteria.
    13. Release of Contact Information, Don’t Do It! The medical record or information regarding STD/TB/disease control cannot be released without the written consent of the patient. Even with consent, it should not include contact information. Don’t write identifying information about how the patient contracted the disease.
    14. Confidentiality, Access to Medical Records of Minors: If a minor is qualified to consent and signs the “consent for treatment”, only the minor can sign to release the information regarding those services. If the parent/guardian signs the consent for treatment, the parent/guardian or the minor may consent for the release.
    15. Access to Medical Records of Minors, Rights of the Parents: All information pertaining to a child must be equally available to both parents. However, if the child gave consent for services, neither parent may have access to the records without that child’s consent (Code of Ala. § 30-3-154).
    16. HIPAA In Brief: HIPAA stands for the Health Insurance Portability and Accountability Act (1996); addresses privacy and security of health data; includes verbal, written, or electronic data; the Privacy Rule (2003) includes both paper and e-PHI; the Security Rule (2003) includes only e-PHI; HHS makes the rules; amended (2009) by “the Stimulus Package”, ARRA (HITECH).
    17. PHI, What is it? Patient name; patient address; patient phone number; patient date of birth; patient social security number, Medicaid number, etc.; diagnosis; treatment information; financial information.
    18. The Privacy Rule: What and Who Is Covered? “Protected Health Information” (PHI): individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally (45 C.F.R. § 160.103). ADPH is a “covered entity”.
    19. Releases Without Written Consent: treatment; payment; operations; where required by law.
    20. Business Associates: business associates follow the same level of protection in the Privacy Rule and include: claims or data processors; billing companies and financial service providers; quality assurance providers and utilization reviewers; lawyers, accountants and other professionals (45 C.F.R. § 160.103).
    21. Business Associates and ARRA: must also adhere to the Security Rule like CEs and are subject to the same penalties; establish administrative, physical, and technical safeguards for Protected Health Information (PHI); establish policies and procedures for safeguards; only use or disclose PHI in accordance with HIPAA; the “Rat Fink Provision”.
    22. HIPAA Privacy Rule: Who Is Not Covered? Life insurance companies; auto insurance companies; workers’ compensation carriers; employers; others who acquire, use, and disclose vast quantities of health data. ARRA may place some requirements, e.g., PHI cannot be bought and sold.
    23. HIPAA Privacy Rule: What Is Not Covered? PHI does not include: education records covered by FERPA; employment records held by a covered entity in its role as employer; non-identifiable health information (45 C.F.R. § 160.103).
    24. HIPAA, What It Doesn’t Do: does not override state laws that provide more patient privacy than HIPAA; does not require that all risk of incidental disclosures of patient information be eliminated. Examples: cubicles, shield-type dividers, sign-in sheets.
    25. HIPAA and ADPH Privacy: see ADPH HIPAA Privacy Policy 06-008: the “minimum necessary” concept; patient verification; fax confidentiality; the “HIPAA Log”; breach sanctions; needs updating. See also the CHR Manual and Employee Handbook.
    26. How Uses/Disclosures Are Regulated: the minimum necessary rule. When using or disclosing PHI, a covered entity must make reasonable efforts to limit such information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
    27. Permitted Disclosures: “minimum” info may be disclosed to “public officials”; to public health; to law enforcement; to national security and intelligence agencies; to judicial authorities; to researchers; to DHR for abuse reporting.
    28. Disclosure to Police: pursuant to subpoenas or by verbal request, as “otherwise required by law”; for ID and location purposes (do not give disease information); when the individual is a victim of a crime; to alert about a suspicious death; when criminal conduct occurs on premises; in an emergency setting, to alert regarding information pertaining to a crime.
    29. Disclosure to National Security Agencies: CEs may disclose PHI to authorized federal officials for the conduct of intelligence, counter-intelligence, and other national security activities.
    30. Disclosure to Public Health: disclosure permitted to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including… reporting of disease… and the conduct of public health surveillance….”
    31. Child or Elder Abuse Notice: examples of specific public-health-based exceptions include disclosures about victims of abuse, neglect, or domestic violence, and disclosures to prevent serious threats to persons or the public.
    32. Information on Decedents may be released to: law enforcement; transporting emergency medical personnel; coroners and their personnel; mortuary personnel; the Bureau of Health Statistics.
    33. Maintenance of Documentation: maintain documentation of policies and procedures for 6 years; make documentation available to the workforce who administer the policy; review documentation periodically; ensure the confidentiality, integrity, and availability of ePHI.
    34. HIPAA, The Security Rule: primary objective: protect the confidentiality, integrity, and availability of ePHI when it is stored, maintained, or transmitted. Applies to identifiable electronic protected health information (ePHI) related to: past, present or future medical or mental condition; the individual’s health care; payment records.
    35. What about e-PHI? Same as PHI, but created, received, or maintained electronically. Does not include telephone calls, copy machines, fax machines, most voice mail. Does not include de-identified information.
    36. Security of the Premises: HIPAA requires security of the premises, i.e., door locks (see ADPH Security Policy No. 05-16). HIPAA also requires security of the electronic records (computer security). HIPAA requires security of the paper. HIPAA requires security of your mouth.
    37. Building Security: post the Department’s Notice of Privacy Practices where clients can see it; maintain visitor sign-in logs and have visitors sign in and out (this includes repair persons); use ADPH and Visitor ID badges; keep back doors locked or monitored during business hours; keep server rooms locked; keep PHI storage areas locked when unattended.
    38. Paper Security: Clean desk: keep patient records covered or in folders; lock records up at the end of the day or when away from the desk. Fax/copy machines: put fax and copiers in a secure area away from traffic; remove faxes/copies promptly. File cabinets: keep locked when unattended; locate in a secure area; limit access. Shred it!
    39. Use of Department Computers: use ADPH-furnished equipment/software; CSC/Tech Support will purchase and install all network-connected devices; use strong password protection and the disclaimer (don’t give out your password); CSC/Tech Support will install updates; connect laptops to the network once a month for audit; back up critical data (see Policy 2005-016 and the Security Manual).
    40. Use of Computers: change password every 60 days; use only for lawful activity; report suspected viruses and attacks; supervisors notify CSC when a new employee starts work or leaves employment; appropriately salvage computers; limit access to Department workspace; be careful with portable storage devices.
    41. Email and Internet Security: Email: do not open email from an unknown source, especially unknown attachments; verify email recipients and make sure email is going to the intended recipient; always encrypt email and attachments containing protected information; read security reminders. Avoid risky internet sites.
    42. Laptop Security: keep the laptop out of view when traveling; do not leave it in a hot vehicle for a long time; do not check it with luggage when flying; password protect; set the screen saver to require a password; log on to the network once a month to update virus protection software; encrypt protected information.
    43. Patient Accounting: patients may ask for a listing of disclosures of their PHI up to six (6) years prior, in paper or electronic form. The following disclosures are NOT required to be accounted for: treatment, payment, healthcare operations (TPO); disclosures to the patient or persons involved with their care; disclosures authorized by the patient or authorized representative.
    44. Patient Accounting: other disclosures which are not required to be accounted for: national security or intelligence purposes; correctional institutions or law enforcement; incidental disclosures; limited data sets used for research purposes.
    45. HIPAA Log: a single file which relates to pt. files; kept with medical records; documents “non-routine” disclosures: date of the disclosure; the name/address of the receiver; brief description of the PHI disclosed; brief statement of the purpose of the disclosure.
    46. Required Logged Items: unauthorized releases on the AIR Form; releases required by law; releases based upon subpoena; releases to law enforcement for ID; requests to limit releases; requests to amend or correct PHI; requests by the patient for accounting; reports about victims of abuse, neglect, or domestic violence.
    47. Disclosures Not Logged: TPO disclosures; disclosures made to the patient or rep.; pursuant to a valid authorization; national security or intelligence purposes; to a correctional institution or law enforcement official that has custody of a patient; to a health oversight official.
    48. HIPAA Breaches: when there is a breach of PHI or e-PHI, you have a duty to report on an ARIA. Call if it is serious! ADPH has a duty to: report to or notify clients; report to HHS and the media if >500; mitigate the damage; examine employees, policies, equipment and facilities to prevent it happening again. (Slide image: “Teton Dam Breach”.)
    49. Breaches, Penalties: breach may subject employees and the Covered Entity to criminal penalties (up to $250,000), and you are NOT covered by the Fund; to HHS civil penalties or lawsuits; to adverse employment action, i.e.,
    50. Program Management: the HIPAA program and certain other similar programs are under the management of the Risk Management Committee; the Committee proposes HIPAA policy changes; the Committee receives and processes all ARIA reports including possible HIPAA breaches; the Committee oversees Red Flags instances.
    51. Red Flag Regulations: Federal Trade Commission regulations designed to protect against identity theft. As a “creditor”, ADPH has “covered transactions” with clients/patients. ADPH has a duty to be on the lookout for certain red flags.
    52. Categories of “Red Flags”: alerts, notifications, or warnings from a consumer reporting agency; suspicious documents; suspicious personally identifying information, such as a suspicious address; unusual use of, or suspicious activity relating to, a covered account; and notices from customers, victims, law enforcement authorities, or businesses about possible identity theft.
    53. See Also Policy Documents: 98-07 Fax Policy; 03-10 Notice of Privacy Practices (NOPP), under revision; 03-30 Vital Records Policies; 04-02 Receipt of Legal Documents; 05-16 HIPAA Security Policy/Manual; 06-08 HIPAA Privacy Policy; 10-04 Contract Employee Handbook; Online ARIA Form.
    54. For a Copy of the Presentation: see “HIPAA For Area 2”, a download on Slideshare, http://www.slideshare.net/jwible. ADPH, 2011.