Chapter 5 Flashcards
HIPAA
passed in 1996
intent to reduce the administrative costs of healthcare
Administrative Simplification Section of Title II
section of HIPAA that required the development of standards for the content and electronic transmission of health care transactions, a single National Provider Identifier (NPI) for all health care providers, and the Privacy and Security Rules to protect health information
Privacy Rule
effective (compliance date) April 14, 2003; April 14, 2004 for small health plans
2 essential approaches
1. assigns rights to individual patients to provide them with some control over their own health information
2. provides standards for the ways that health care providers, health plans and health clearing houses are permitted to access, use and disclose information
Security Rule
effective April 20, 2005
Preemption
-HIPAA contains a preemption clause: the federal rule preempts contrary state law, but state laws that are more stringent (more protective of the individual) are not preempted. HIPAA is therefore often termed a “floor”, a national minimum standard for the protection of health information
-necessary to understand the health privacy laws of your state and where they are more stringent than, and so apply on top of, the federal HIPAA regulation
Health Information Technology for Economic and Clinical Health Act (HITECH)
-passed in February 2009
-designed to promote the widespread adoption and standardization of electronic health records
-includes notification requirements for breaches of unsecured information, increases the potential civil monetary penalties for violations of HIPAA, and strengthens certain privacy rights
Genetic Information Nondiscrimination Act (GINA)
-enacted in 2008; treats genetic information as health information and prohibits health plans from using it for underwriting purposes
HIPAA Omnibus Final Rule
-published January 2013, effective March 26, 2013, with compliance required by September 23, 2013
-Implemented the HITECH Act and GINA changes to the Privacy, Security, Breach Notification and Enforcement Rules
-Made several modifications to the privacy practices that covered entities must implement
What does HIPAA Govern and Who must comply with these regulations?
HIPAA governs the use and disclosure of protected health information by “covered entities” directly and by their business associates indirectly (through contract) and, since HITECH, directly as well
Covered Entity
health care providers that transmit any health information in electronic form in connection with a HIPAA standard transaction, health plans (other than a self-administered group health plan with fewer than 50 participants), and health care clearinghouses that receive, process, and transmit health information, e.g. converting nonstandard claims into standard transactions for payment purposes
Protected health information (PHI)
individually identifiable health information that is created, collected and stored by a covered entity and maintained in electronic or any other form
3 elements to determine if information is PHI
-health information that describes the past, present, or future physical or mental health or condition of an individual, the provision of health care to the individual, or payment for that care
-information must reasonably identify the individual
-the information must be maintained in electronic or any other form
all three elements are required for the information to be PHI
De-identified Information
-there are 18 identifying characteristics (categories of identifiers), depending upon how they are categorized
-an identifier alone is not PHI; health information becomes PHI once it is linked to any identifier
-under the Safe Harbor method all 18 identifiers must be removed (some may be generalized, e.g. year only for dates, the first three digits of a ZIP code) and the covered entity must have no actual knowledge that the remaining information could identify the individual
-the alternative is Expert Determination: a qualified expert documents that the risk of re-identification is very small
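The Safe Harbor removal in code, as an added example that is not part of the original flashcards: it strips or generalizes the 18 identifier categories from a flat record, then scans what is left so that an identifier buried in a free-text note does not survive. The field names, the sample record and the restricted ZIP prefixes are assumptions constructed for this example; the identifier categories and thresholds are the rule's own.

```python
"""Safe Harbor de-identification of a flat patient record (added example)."""
import re
from datetime import date

# Identifier categories that must be removed outright (field names assumed).
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo", "other_unique_id",
}
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}
# Three-digit ZIP prefixes whose population is 20,000 or fewer become "000".
# Constructed placeholder: the authoritative set comes from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Identifiers that commonly survive inside free text.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "full_date": re.compile(r"(?<!\d)(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})(?!\d)"),
}


def scrub_text(text):
    """Redact identifier patterns from free text."""
    for pattern in IDENTIFIER_PATTERNS.values():
        text = pattern.sub("[REDACTED]", text)
    return text


def age_on(dob_iso, today):
    born = date.fromisoformat(dob_iso)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def deidentify(record, today=None):
    """Return a Safe Harbor de-identified copy of record (today: date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key == "dob":
            age = age_on(value, today)
            # Ages over 89, and every date element (including the year)
            # indicative of such an age, must be removed; aggregate to "90+".
            out["age"] = "90+" if age > 89 else age
            if age <= 89:
                out["birth_year"] = value[:4]
        elif key == "age":
            out[key] = "90+" if value > 89 else value
        elif key in DATE_FIELDS:
            out[key] = value[:4]
        elif key == "zip":
            zip3 = str(value)[:3]
            out[key] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """(field, pattern) pairs for identifiers still present; empty means clean."""
    return [
        (key, name)
        for key, value in record.items() if isinstance(value, str)
        for name, pattern in IDENTIFIER_PATTERNS.items() if pattern.search(value)
    ]


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": "1931-05-02",
    "admission_date": "2023-03-14",
    "phone": "217-555-0142",
    "email": "jane@example.com",
    "mrn": "MRN-00412",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Patient reached at 217-555-0142 on 03/14/2023; follow-up scheduled.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD, today="2023-09-01")
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

The lesson the structured pass alone does not teach: the notes field still carries a phone number and a full date after the named fields are dropped, which is why the free-text scrub and the residual check are part of the pipeline. Even with an empty residual list, the "no actual knowledge" condition is a human judgement the code cannot make.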
Patient privacy rights
an overriding theme to the privacy regulations is to place control over health information squarely in the hands of the individual who is the subject of the information
Individual Rights under the Privacy Rule
-to access and obtain a copy of their PHI
-Right to amend their PHI
-Obtain an accounting or listing of disclosures of their PHI
-Right to receive a Notice of Privacy Practices
-to have communications about their PHI conducted in a confidential manner
-to restrict disclosure on certain uses and disclosures of their PHI
-to file a complaint about a covered entity’s privacy practices with the covered entity as well as with the Office for Civil Rights (OCR)
Notice of Privacy Practices
Covered entity is bound by the notice
Covered entity is required to make a good faith effort to obtain an acknowledgement from the individual
If the first episode of care was via telephone, the covered entity must mail its notice to the individual within 24 hours
Access to health information
-individuals cannot necessarily have access to everything in the record
Ways a covered entity can restrict an individual’s access to their PHI
-psychotherapy notes
-info a covered entity compiled to prepare for actual or anticipated litigation
-PHI that the covered entity is prohibited from sharing pursuant to the Clinical Laboratory Improvement Amendments (CLIA) of 1988 (this exception was removed in 2014, when the CLIA and HIPAA rules were amended to give individuals direct access to their laboratory test reports)
-Correctional institution if it would put the security of the individual, another inmate, or the institution at risk
-if obtained during a research study and the individual agreed to the restricted access in the authorization signed at the beginning of the study
Reasons a covered entity can deny an individual access to PHI
-sharing the information would put the individual or another person in danger
-the PHI makes reference to another person (other than a health care provider) and sharing the information would be reasonably likely to cause that person substantial harm
-the request for access is by a personal representative and sharing the information would be reasonably likely to put the subject of the information or another person at substantial risk of harm
*if access is denied on one of these grounds the covered entity is required to provide a method for the individual to appeal the denial. A licensed health care professional who did not take part in the original decision must review it, and the covered entity must abide by the decision of the reviewing official
Amending PHI
-individuals have the right to request that a covered entity amend inaccurate or incomplete information
-original info documented in the medical record should not be altered in such a way as to completely eliminate the information
-a covered entity is not always required to amend the record; it may deny the request if:
1. it determines the record is accurate and complete
2. the information was not created by the covered entity (unless the originator is no longer available to act on the request)
3. the information would not be available for the individual to access under the access rules
4. the information is not part of the designated record set
3 requirements for an individual’s right to have health information not disclosed to a health plan
- the individual requests that the information not be provided to the health plan
- the individual or a family member has paid out of pocket for the service in full
- the disclosure would be for payment or health care operations and is not otherwise required by law
*the covered entity must agree to a restriction that meets all three requirements (HITECH)
Communication of PHI
If an individual makes a reasonable request to have PHI communicated in a specific manner or at a specific location, a health care provider is required to accommodate the request.
E.g. the provider may only call a specific number and leave a message
Accounting request of disclosures
HIPAA gives an individual the right to know who has received his or her PHI. If an individual requests it, the covered entity must be prepared to provide a list of the disclosures it has made, other than those that are exempt from accounting.
Reasons an accounting of disclosures is not required
-treatment, payment or healthcare operations
-an incidental disclosure
-made in a limited data set
-made with an authorization from the individual
-made for national security purposes
-disclosure prior to the enforcement date of the privacy regulation, April 14,2003
-disclosure to the subject of the information
-disclosure that only required giving the individual an opportunity to object
-disclosure to a correctional institution or other law enforcement official having custody of the individual for purposes of providing appropriate care to the individual
What’s included in the accounting of disclosure
-who
-date made
-brief description of information
-purpose of disclosure
May request an accounting that covers up to a six-year period
Office for Civil Rights
OCR
An office within the U.S. Department of Health and Human Services (HHS)
Complaints about a covered entity’s privacy practices can be filed here
Three subcategories where PHI can be used or disclosed
- Uses and disclosures the covered entity is required or permitted to make without an individual’s explicit permission
- Permitted uses and disclosures if the covered entity has given the individual an opportunity to object to the disclosure
- Uses and disclosures only with the individual’s explicit permission
Permitted Disclosures
TPO - treatment, payment, and healthcare operations
If the use or disclosure of the PHI fits into one of these three definitions, the PHI can be used or disclosed without obtaining the explicit permission from the individual
TPO -Treatment
A physician can call his or her colleague in another specialty to get the colleague’s input on the care being provided
TPO-Payment
A physician’s staff can submit a bill to the individual’s insurance company to obtain payment for the service provided
TPO-Health Care Operations
A physician’s compliance staff can access the individual’s PHI to conduct an assessment of the physician’s coding and documentation practices
2 instances under the privacy regulations when a covered entity is required to disclose PHI
- When the information is requested by the Secretary of the Department of Health and Human Services to investigate an allegation of a privacy violation or to determine compliance
- When the subject of the information (or their personal representative) requests it
Disclosure in the public interest without having to obtain the individual’s explicit permission
-required by law
-public health activities
-reporting on victims of abuse, neglect, or domestic violence
-reporting for health oversight activities
-judicial or administrative proceedings
-law enforcement purposes
-information to coroners, medical examiners, and funeral directors about decedents
-information for organ donation
-certain research purposes
-disclosures to avert a serious threat to health or safety
-specialized governmental functions
-workers’ compensation
When covered entities have to provide an individual an opportunity to object prior to the use or disclosure occurring
*First purpose - when a covered entity includes limited information about the individual in its facility directory
—information in the directory could be name, location, general condition, and religious affiliation.
*Second disclosure - a disclosure can be made to family, friends, or others involved in the individual’s care or payment for the care
*Third purpose - PHI can be disclosed under the provision for purposes of assisting in disaster relief
—Such disclosures would generally be made so the location and condition of the individual could be accessible to family and friends
Authorization form for uses and disclosures
Must include:
-description of the PHI to be used or disclosed in a specific and meaningful fashion
-who is authorized to make the use or disclosure
-who is authorized to receive the PHI
-description of purpose of each requested use or disclosure
-expiration date
-signature of the individual and date
-statement informing the individual of the right to revoke and instructions for how to revoke
-statement about whether the covered entity may condition treatment, payment, enrollment in a health plan, or eligibility for benefits on the individual signing (conditioning is generally prohibited; the statement describes any permitted exception, e.g. research-related treatment)
-statement that information disclosed under the authorization may be redisclosed by the recipient and no longer protected by the Privacy Rule
*if any required element is missing the authorization is invalid and the covered entity cannot rely on it to use or disclose PHI
Fundraising
HIPAA privacy allows the use of limited PHI without authorization
—name, address, or other contact info, insurance status and date of care
If additional PHI is wanted an authorization would be required
HITECH requires there to be a way to opt out of receiving further fundraising requests
*The covered entity is also prohibited from conditioning treatment or payment on the individual’s choice to opt out.
Marketing
The Privacy Rule prohibits the use or disclosure of PHI for “marketing” purposes unless the patient has specifically authorized it; if the provider receives direct or indirect remuneration from a third party for the marketing, the authorization must state that remuneration is involved
* if marketing is face to face or if an item of minimal value is given to the individual, an authorization is not required
*HITECH requires a way to opt out
Overarching principles that are equally important components of the privacy regulations
- Minimum necessary standards
- Verification
- Disclosures to business associates and breach notification requirements
Minimum Necessary Standards
-The amount of PHI that can be used or disclosed in a particular circumstance
Circumstances when minimum necessary evaluation is not required
-with an authorization
-to a provider for treatment
-to the subject of the information
-to the Secretary of HHS
-as required by law
-as required to comply with the regulations
*Case-by-case basis
Minimum necessary- role-based access
Means only allowing employees and others access to the information that is needed to perform their role in the organization
Minimum necessary- need-to-know
Is generally an education process
E.g. physician may be granted access to entire record
*the ability to access PHI does not equate to a need to know the information
Level of access
Covered entities must determine the appropriate level of access to be granted to various individuals based on their role. Next step is to educate those individuals regarding the proper uses and disclosures of the PHI to which they have been given access
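Minimum necessary and the accounting of disclosures, together, as an added example that is not part of the original flashcards: a role-based filter returns only the fields a role needs, the exemptions the cards list are applied (no minimum-necessary evaluation for treatment, the individual, an authorization or required-by-law disclosures; no accounting entry for TPO, the individual or an authorization), and every other disclosure is logged with who, date, description and purpose, with a six-year look-back for the accounting. The roles, field names, purposes and sample record are assumptions for illustration.

```python
"""Minimum-necessary filter with an accounting-of-disclosures log (added example)."""
from datetime import date, timedelta

# Role-based access policy: each role sees only the fields its job needs (assumed roles).
ROLE_FIELDS = {
    "billing_clerk": {"mrn", "name", "dates_of_service", "procedure_codes", "insurance_id"},
    "compliance_auditor": {"mrn", "dates_of_service", "procedure_codes", "clinical_notes"},
    "researcher": {"dates_of_service", "procedure_codes"},
}
TPO_PURPOSES = {"treatment", "payment", "health care operations"}
# Purposes exempt from the minimum-necessary evaluation.
NO_MIN_NECESSARY = {"treatment", "to the individual", "authorization", "required by law"}
# Purposes that need not appear in the accounting of disclosures.
NO_ACCOUNTING = TPO_PURPOSES | {"to the individual", "authorization"}


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


class DisclosureLog:
    def __init__(self):
        self.entries = []

    def record(self, recipient, fields, purpose, on):
        self.entries.append({
            "who": recipient,
            "date": _as_date(on),
            "description": sorted(fields),  # brief description of the information
            "purpose": purpose,
        })

    def accounting(self, requested_on):
        """Disclosures in the six years before the request (365-day years, an approximation)."""
        cutoff = _as_date(requested_on) - timedelta(days=6 * 365)
        return [e for e in self.entries if e["date"] >= cutoff]


def disclose(record, recipient, role, purpose, log, on):
    """Return the view this recipient may receive; log it when an accounting requires it."""
    if purpose in NO_MIN_NECESSARY:
        view = dict(record)
    else:
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            # Deny by default: a role without a defined policy gets nothing.
            raise PermissionError(f"no access policy defined for role {role!r}")
        view = {k: v for k, v in record.items() if k in allowed}
    if purpose not in NO_ACCOUNTING:
        log.record(recipient, view, purpose, on)
    return view


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-00412",
    "name": "J. Patient",
    "dates_of_service": ["2024-02-10"],
    "procedure_codes": ["99213"],
    "insurance_id": "PLAN-7781",
    "clinical_notes": "BP elevated; adjusted lisinopril dose.",
}

if __name__ == "__main__":
    log = DisclosureLog()
    disclose(SAMPLE_RECORD, "Acme Billing", "billing_clerk", "payment", log, "2024-03-01")
    disclose(SAMPLE_RECORD, "Dr. Lee", "treating_physician", "treatment", log, "2024-03-02")
    disclose(SAMPLE_RECORD, "State U. registry", "researcher", "research", log, "2024-03-03")
    for entry in log.accounting("2024-03-04"):
        print(entry)
```

Only the research disclosure ends up in the accounting: the payment disclosure is filtered but exempt from logging (TPO), and the treatment disclosure bypasses the filter entirely. The filter enforces role-based access; whether the physician actually needed the whole record is the need-to-know question that education, not code, answers.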
Verification
A way to verify that the individual is who they say they are and has a right to receive the information
*Most important is that a covered entity has a process for verification, a rationale for why the process is reasonable, and evidence that the process is consistently followed.
Business Associate
A contracted external company or individual that performs functions or services on behalf of a covered entity involving the use or disclosure of PHI, e.g. as part of its health care operations.
E.g. accounting, legal counsel, coding and billing, transcription services, vendors of EHR systems
Under HITECH Act, BA are accountable to HHS and directly liable for criminal and civil penalties for uses and disclosures that would be a violation of the privacy rule.
The Omnibus Rule further extended the BA requirements to subcontractors of BA
What has to happen before PHI is shared with a business associate
The business associate must provide satisfactory assurances, documented in a business associate agreement (BAA), that it will not use or disclose PHI in a manner that would violate the Privacy Rule
A business associate agreement must define:
1. The function of the BA and the limitations on their uses and disclosures
2. What happens to PHI upon termination of agreement
Exceptions to what constitute a breach
-disclosures where the covered entity or business associate has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the information
-unintentional acquisition, access or use of the information by a workforce member or person acting under the authority of the covered entity or business associate, if made in good faith, within the scope of authority, and not resulting in further impermissible use or disclosure
-inadvertent disclosures between persons authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, if the information is not further used or disclosed impermissibly
Presumptively reportable
The covered entity must report any breach of unsecured PHI unless the covered entity determines that there is a low probability of compromise of the privacy and security of the PHI
HITECH Act and Omnibus additions for breach
HITECH - created an obligation on the part of covered entities and their BAs to notify individuals of a breach in the event that the breach meets the standard for a reportable breach
Omnibus - modified the standard for a reportable breach to make breaches presumptively reportable if there is a violation of the Privacy regulations and the information was unsecured
National Institute of Standards and technology (NIST)
HHS issued guidance regarding securing health information and specifically the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals; PHI secured this way is not “unsecured” and its loss does not trigger breach notification
The accepted methodology for electronic PHI is encryption consistent with NIST guidance (NIST SP 800-111 for data at rest; FIPS 140-validated processes such as those in NIST SP 800-52, 800-77 and 800-113 for data in motion)
NIST standards address data at rest, data in motion, data in use and data disposed; the encryption only counts if the decryption key has not also been compromised, so keys must be stored separately from the encrypted data
Non-electronic formats
Methodologies include de-identifying the information, or shredding, pulping or otherwise treating the material so the information cannot be reconstructed
Who is to be notified if there is a reportable breach
-the individual or their representative
-Office for Civil Rights (OCR)
-if individuals are deceased the notice must go to their next of kin
Undeliverable notices of breach
-if contact information for fewer than 10 individuals is insufficient or out of date, the covered entity must provide a substitute notice as soon as possible by an alternative written notice, telephone, or other means
-if 10 or more, the covered entity must post information about the breach in a conspicuous place on the homepage of its website for at least 90 days (or provide notice in major print or broadcast media), along with a toll-free number, active for at least 90 days, for individuals to obtain information about the breach
Four factors to assess to determine low probability of compromise
- Content: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- Person: the unauthorized person who used the PHI or to whom it was disclosed
- Access: whether the PHI was actually acquired or viewed
- Mitigation: the extent to which the risk to the PHI has been mitigated
How and when to report breaches when over 500 individuals
-breaches involving more than 500 individuals must be reported to HHS without unreasonable delay via the online reporting system on the OCR website, at the same time the individuals are notified. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered
-if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving the area must also be notified within the same 60-day limit
How and when to report breaches when under 500 individuals
The covered entity must report the breaches in an annual disclosure to HHS within 60 days of the end of the prior calendar year through the same online reporting mechanism
The breach notice to individuals must include:
-a description of what happened, including the date of the breach and the date of the discovery
-description of the types of information involved in the breach
-steps individuals can take to protect themselves from harm
-description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals and protect against future breaches
-contact information for individuals to ask questions
Who is responsible for the enforcement of the privacy rule?
The Office for Civil Rights (OCR)
HITECH tiers of penalty amounts
-Violations in which the covered entity did not know, and by exercising reasonable diligence would not have known, of the violation, with a penalty for each violation of a minimum of $100 up to $50,000
-Violations due to reasonable cause but not willful neglect with penalties from a minimum of $1,000 up to $50,000.
-Violations due to willful neglect but the problem was corrected - $10,000 up to $50,000
-Violations due to willful neglect and the problem has not been corrected starts at a minimum of $50,000
The calendar year cap for any identical violation was raised from $25,000 under HIPAA to $1.5 million under HITECH
Privacy
Refers to the right of an individual to control his or her personal info and to keep it from being divulged or used by others against his or her wishes
Confidentiality
Is a means of protecting that information, usually by safeguarding it from unauthorized disclosure
-this only becomes an issue once an individual’s personal information has been received by another entity
Security
Applies to the spectrum of physical, technical, and administrative safeguards put in place to protect the integrity, availability and confidentiality of information and the systems in which it is stored
Distinction between security and privacy
Security regulations only apply to PHI maintained in the electronic medium (ePHI), whereas privacy rule applies to all PHI held by a covered entity
Three new terms related to business arrangements
-Organized Health Care Arrangements (OHCA)
-Affiliated Covered Entities (ACE)
-Hybrid Covered Entities (HCE)
Organized health care arrangements (OHCA)
Is a clinically integrated setting where the individual typically receives health care from more than one health care provider
Example - hospital and its medical staff
*if a physician participates in an OHCA and agrees to join the joint notice, it is important to understand that the notice only applies to services provided within the OHCA. This means that the physician must still distribute a notice to the patients seen in a private practice clinic
Joint Notice
Agreeing to participate in an OHCA allows the covered entities to have a joint notice which covers the manner in which all members of the OHCA will use and disclose PHI about the individual
Affiliated Covered Entities (ACE)
Is a group of legally separate covered entities that share common ownership or control
Common ownership exists if an entity or entities possess 5% or greater ownership interest in another entity
Common control exists if one covered entity has the ability to significantly influence the actions or policies and procedures of another covered entity, either directly or indirectly
An ACE allows a group of covered entities to function as one covered entity for most purposes under HIPAA. However, the designation as an ACE does not make all the legally separate entities liable for privacy violations of the other entities
Hybrid Covered Entities (HCE)
Is a business that has, as one of its functions, an activity or activities that make it a health care provider, a health plan and/or a health care clearinghouse.