3a1f381ad7684ea9a23fa5eab56e0fcb.ppt
- Number of slides: 82
HIPAA Overview (Health Insurance Portability and Accountability Act 1996) VACSB HIPAA Committee Developed by CVCS
Training Objectives * To provide an overview of HIPAA Regs * To review 4 Sections of HIPAA Regulations: * Privacy Rule requirements * Security Rule requirements * Administrative requirements * Transaction/Code Sets requirements * To follow a CVCS “consumer” through our HIPAA compliant system * To problem solve around HIPAA concerns and questions
What is HIPAA? Health Insurance Portability & Accountability Act of 1996 • Public Law 104-191 • Sponsored by Kennedy & Kassebaum Five Titles: – Title 1: Insurability and Portability – Title 2: Administrative Simplification – Title 3: Tax Implications – Title 4: Group Health – Title 5: Revenue
What is the purpose of HIPAA ? * Reduce health care costs/fraud/abuse * Control use/disclosure of “protected health information” (PHI) * Identify provider responsibilities and accountability * Increase consumer’s rights - PHI * Regulate how PHI is transferred/managed by technology, individuals, and agencies * Provide consistent standards * Assure privacy and security of confidential protected healthcare information (PHI)
Covered Entities Who Must Comply Some healthcare organizations that capture & maintain individually identifiable healthcare data. Three categories: * Providers - conduct certain administrative and electronic transactions * Healthcare Plans * Clearinghouses
Administrative Simplification HIPAA Regulations and Deadlines * Electronic Transaction/Code Sets uniform standards. Deadline: October 2003 with Extension * Privacy Regulations Identifies what health care information is protected. Deadline: April 14, 2003 * Security Regulations Identifies how information is to be protected. Deadline: Pending * Identifier Standards - Employer, Payer, National. Deadline: Employer ID finalized/Others Pending
HIPAA Definitions The nuts and bolts! Developed by CVCS
Healthcare Operations Includes “general administrative and business functions” necessary for a covered entity to remain a viable business (i.e., audits, quality improvement functions, assessments)
Health Information Any information recorded in any form or medium which: * Is created/received by a Covered Entity that creates, receives, uses, or transmits PHI; * Relates to the past, present, or future physical/mental health condition of an individual, their participation in, or payment for such services, and * Identifies the individual.
Individually Identifiable Health Information • Identifies the individual, or • There is a reasonable basis to believe that the information can be used to identify the individual
Protected Health Information (PHI) All individually identifiable health care data or information collected, maintained, or transferred by a Covered Entity
Protected Health Information (PHI) * Name * Address * Social Security # * Birth Date * Demographic info. (some) * Email address * Health Plan # * License/Certificate # * Vehicle identifiers * Bio-metric identifiers * Telephone numbers * Place of employment * Account numbers
Protected Health Information (PHI) * Consumer full-face photograph and any comparable images * Web Universal Resource Locators (URLs) * Fax number * Internet Protocol (IP) Address Numbers * Device identifiers and serial numbers
De-identified information * Health information which is stripped of individual identifying elements * Someone with sufficient statistical expertise, using accepted statistical standards, says the probability is very low that the information would identify a consumer * In this form, remaining data would not be sufficient to identify the consumer
Privacy Notice * Written document in plain language * Posted & shared with consumers at intake * Explains how their PHI will be used/disclosed by agency * Identifies consumer’s rights * Lists agency/provider duties to protect PHI, abide by the Privacy Notice * Identifies how changes in notice will be communicated
Designated Record Set • A group of records maintained by or for a covered entity/agency • Includes any records used, in whole or in part, to make decisions about the consumer’s treatment (medical record, billing, etc.)
Privacy Preemption & More Stringent Rules • HIPAA will preempt state laws relating to the privacy of PHI except for those that are more stringent (provide more privacy or consumer control over their PHI) than the federal HIPAA requirements
Use vs. Disclosure Use Sharing, utilization, examination, & analysis of PHI maintained internally within the agency Disclosure Release, transfer, access to, or sharing in any manner PHI outside the agency maintaining the information
Minimum Necessary Rule applies to Uses/Disclosures * Covered Entities must make reasonable efforts to limit use, disclosure, & requests for PHI to the “minimum necessary” in order to accomplish the intended purpose except when an authorization is obtained
Minimum Necessary Rule * Amount of information needed to achieve the purpose * Applies to all forms of communication * Use - Requires policies & procedures classifying staff by role/position and the PHI to which they may have access * Disclosure - Requires policies & procedures addressing criteria to limit disclosure & reviewing of requests * Must limit requests to that which is necessary * Does not apply to consumer requests/authorizations, disclosures required by law or healthcare provider for treatment purposes
Access to PHI (Protected Health Information) * Opportunity to approach, inspect, review, and make use of data or information * Actions by a consumer or healthcare provider with appropriate authorization
Acknowledgement & Authorization Acknowledgement * Document gives provider permission to carry out treatment, payment, or healthcare operations (TPO) Authorization * AKA - “Release of Information” * Document used for purposes other than TPO
Electronic Transaction & Code Set Standards Developed by CVCS
Electronic Transaction & Code Set Standards * National Electronic Standards relate to the automated transfer of certain healthcare data between healthcare payers, plans, and providers * Replace nonstandard formats and code sets with standard electronic transactions and code sets
Administrative & Financial Transactions * Health claim or encounter information * Eligibility for a health plan inquiry * Referral certification & authorization * Healthcare claim status * Healthcare payment and remittance advice * Health plan premium payments * Enrollment & dis-enrollment in a health plan * First notice of claim * Health claim attachments * Coordination of Benefits
Transaction/Code Sets Standards Code Sets Examples: * ICD-9-CM * CPT-4 * HCPCS * DSM-IV-TR Compliance Deadline with Extension: October 15, 2003
Benefits of Standardization of Electronic Transactions/Code Sets * Standardized formats will reduce the number of formats used for healthcare administrative and financial transactions nationwide * Billing becomes more efficient * Internal administrative savings related to staffing, response to complaint calls, and billing reconciliation
HIPAA’s Privacy Rule Developed by CVCS
Privacy Rule * Applies to all protected healthcare information (PHI) * Does not prohibit the exchange of PHI for treatment, payment, or health care operations (TPO) within the agency * Written Acknowledgement required
Privacy Rule Impacts * Acknowledgement/Authorization * Privacy Notifications * Uses & Disclosures of PHI * Healthcare Operations * Consumer Rights * Consumer Access/Amendment of PHI * Business Associate Agreements * Provider Responsibilities
Privacy Rule Highlights Protects privacy of medical records and covers: * Electronic records & printouts of records * Written records * Oral communications Consumer acknowledgement that PHI may be used for routine purposes (TPO) Privacy Notice - Documents consumer’s rights and the agency’s responsibilities to protect and manage PHI
Consumers’ Rights under HIPAA Consumers may: * Inspect/copy their medical record information * Request to amend information if they believe it to be inaccurate or incomplete * Request must be in writing * Agency must respond within 15 days (VA law) * If request is denied - consumer may appeal this decision to the CSB or federal government
Consumer’s Rights under HIPAA Consumers may: * Request a Disclosure History * Request confidential communications through alternative addresses/phone numbers * Have access to a designated individual or Office of Civil Rights at Health & Human Services to report violations of their rights * Request restriction on use/disclosure of their PHI
Business Associate Agreements 1. Business Associates - An entity that does things on our behalf and with whom we share/give access to PHI 2. Business Associate Agreement - Establishes permitted uses, disclosures, and safeguards for PHI Examples: CSB Attorney, CARF, social services, auditors…
Privacy Regulations * Allow flow of PHI for treatment, payment, & related health care operations (TPO) * Prohibit flow of PHI unless voluntarily authorized by the consumer * Allow consumer to know who is accessing their PHI outside of TPO use * Allow consumers to obtain access to their records & request amendment of records if the consumer feels they are inaccurate or incomplete
Provider Responsibilities * Provide formal complaint handling system * Office of Consumer Services * Allow use of de-identified data * Follow “minimum necessary” requirements * Establish Business Associate Agreements * Duty to mitigate damage if violations occur * Establish sanctions for HIPAA violations * CVCS Standards of Conduct & CVCS HIPAA Sanction Policy
Privacy Penalties Wrongful Disclosure Offense: $50,000 fine, imprisonment of not more than one year, or both. Offense Under False Pretenses: $100,000 fine, imprisonment of not more than 5 years, or both. Offense with Intent to Sell Information: $250,000 fine, imprisonment of not more than 10 years, or both.
Uses/Disclosures not requiring Authorization • To the consumer or legally authorized representative of the consumer • To health oversight agencies • To the Department of Health & Human Services for investigation and enforcement purposes • By court order (as outlined in CFR 42 - strictest)
Uses/Disclosures not requiring Authorization • To U.S. Public Health Authorities - to prevent or control disease, injury, or disability • In following disclosure procedures for deceased consumers as outlined in VA law • To consumers exposed to communicable disease or at risk of contracting or spreading disease under law & public health intervention/investigation
Uses/Disclosures not requiring Authorization • For reports of suspected child abuse or neglect to the appropriate authority • For reports about an adult victim of abuse, neglect, or domestic violence under the State’s mandatory reporting laws – Inform the individual of the report – Seek the individual’s agreement when possible – Can report without the individual’s agreement
Uses/Disclosures not requiring Authorization Healthcare Oversight Activities Authorized by Law: • Audits • Investigations (as permitted by CFR 42) • Inspections (i.e., health inspection of facilities) • Civil/criminal/administrative proceeding/action by properly executed court order (CFR 42) • Other appropriate oversight actions: • Government regulatory programs • Government benefit programs - for eligibility
Privacy Preemption HIPAA Will preempt other federal or state laws relating to PHI (Except for those more stringent than HIPAA)
Security Regulations Developed by CVCS
Security Rule Deals with how PHI is secured: * Access to PHI * Minimum Disclosure Rule * Encryption/digital signatures * Background checks * Physical (facility) security
Organizational Practices - Security * Policies/procedures for workstation use * Security of workstation locations * Security Incident Reporting * Termination procedures * Media controls * Audit trails * Encryption
Organizational Practices - Security * Role based access * Remote site access * Electronic/wireless devices (laptops and PDAs) * Authentication of users through passwords (example: pASs379worD)
HIPAA Identifier Standards Developed by CVCS
HIPAA Identifier Standards HIPAA Regulation: * Employer ID = Tax ID # Other Final Identifiers Pending: * Provider ID * Payor ID
Mr. Hipp goes to CVCS Scenario Under HIPAA Law Putting It All Together Developed by CVCS
Admission/Intake Mr. Hipp arrives at CVCS and is given a copy of our Privacy Notice, which is also posted in the lobby. Mr. Hipp completes the admission paperwork including the Acknowledgement of receipt of the Privacy Notice.
Authorizations Mr. Hipp is referred to treatment by his probation officer. He will need to sign an Authorization giving the CSB permission to share information with his probation officer. However - Mr. Hipp can refuse to sign the Authorization and treatment can not be contingent on this signing.
Minimum Necessary Mr. Hipp has insurance!!! The CSB and the Insurance Company can exchange information necessary to complete the transactions around billing. The Insurance Company is required to request only the minimum necessary information to accomplish this action. (If Mr. Hipp has Medicaid and arrives by transport, what information can be shared with this Provider???)
Emergency Situations Mr. Hipp passes out from the heat while being transported to an AA meeting. EMS is called and arrives to provide care. What information can be shared with the emergency personnel under HIPAA’s “minimum necessary” guidelines?
Indirect Treatment Provider While in treatment, Mr. Hipp has weekly urine screens. Because the relationship between Mr. Hipp and the Lab is an indirect treatment relationship covered under a Business Associate Agreement, no Authorization is needed from the consumer.
Calls to Alert Law Enforcement of a Crime Another consumer in Mr. Hipp’s group breaks into an office and steals some cash. In calling “911” regarding a crime committed on the premises, the following PHI is permitted to be disclosed to law enforcement: – The nature and commission of the crime – The location of the crime – The identity, description, and location of the perpetrator of the crime
Criminal Conduct on the Premises of the Agency When contacting the police, you should only disclose a limited amount of PHI (name, address) if the agency believes in “good faith” that the information provides evidence of a crime committed on agency premises.
Death of a Consumer HIPAA allows disclosure of PHI to: • Coroners or Medical examiners • Funeral directors • Law enforcement – if there is evidence the death resulted from criminal conduct. Use “minimum necessary” to report required & appropriate information. (Note: In the case of a consumer death on agency premises - must contact Executive Director)
Intelligence and National Security Issues Mr. Hipp is off of his medication and has threatened the President. – Disclosure of consumer PHI to law enforcement officials is allowed under the National Security Act 1947 – Covered under protective services to the President under Section 3056, Title 18 of the U.S. Code
Consumer Rights under HIPAA Developed by CVCS
Alternative Means of Communication Mr. Hipp does not want his wife to know he is in treatment. He asks that we not contact him at home. Under HIPAA, consumers have the right to receive confidential communications concerning their treatment and handling of their PHI. Mr. Hipp can request alternate communication and identify an alternative address/phone number for billing or contact purposes.
Consumer Rights Under HIPAA Mr. Hipp is aware of his right to access, review, and receive a copy of his medical record upon request. He also has a right to request amendment of his record.
VA Law Rules on Access to Records If access to record is agreed to: VA Law requires Providers (agency) to respond to a request to access medical records within 15 calendar days of a written request by the consumer.
Mr. Hipp is Denied Access to Record Mr. Hipp can be denied access to his record if a review by the staff physician determines that inspection or copying would likely endanger the life or physical safety of Mr. Hipp or another person. Or if… The information in the chart was about another person and its release could result in harm to that person. Or if…
Mr. Hipp Denied Access (Continued) The information was obtained by the agency in the course of a clinical trial, and consumer agreed not to request access to this information while trial was being conducted. Or if … The information was compiled in anticipation of criminal, civil, or administrative proceeding initiated by a properly executed court order (CFR 42).
Requesting Amendment to Record Mr. Hipp has a right to request amendment of his designated record set as long as the agency maintains the information. The agency can require a written request with the rationale for change. The agency has 60 days to respond to the request with a possible extension of another 30 days.
Requesting Amendment to Record • If granted: – Must notify individual amendment accepted – Must notify B. Associates if possessing PHI • If denied: agency provides written notice to consumer: – Explaining reason(s) for denial – Right to submit written statement of disagreement or have request included with future disclosures – Right to complain to Agency or HHS – Agency can prepare a rebuttal statement to consumer’s statement of disagreement, with copy to consumer
Consumer Rights Under HIPAA Mr. Hipp has the right to receive a written copy of the agency’s Privacy Notice at intake and upon request. He also can request a Disclosure Listing (log) on past disclosures of his record (previous 6 yrs.) to include: * Date of disclosure * Name & address of organization/person who received PHI * Description of the information disclosed * Copy of Authorization or Request for information
HIPAA’s Exceptions to Disclosure Tracking Include: – Payment, Treatment, Healthcare Operations – To the Individual – For national security or intelligence purposes – Prior to compliance date – Under Authorizations * CVCS has decided to track all disclosures. Must act on “Request” within 60 days. One free accounting/year.
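The disclosure log and accounting described on the two slides above, as an added example (not CVCS code): each entry carries the four fields the slide requires, an accounting covers the previous 6 years, the exempt purposes from the exceptions slide can be filtered out to produce the federal minimum or kept for the CVCS track-everything listing, and the 60-day response deadline and one-free-accounting-per-year rule are computed. The compliance date is the Privacy Rule deadline from the deadlines slide; the purpose labels and sample entries are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Purposes HIPAA does not require to be tracked (from the exceptions slide).
EXEMPT_PURPOSES = {
    "treatment", "payment", "healthcare_operations",
    "to_individual", "national_security", "under_authorization",
}
ACCOUNTING_YEARS = 6                  # accounting covers the previous 6 years
RESPONSE_DAYS = 60                    # must act on a request within 60 days
COMPLIANCE_DATE = date(2003, 4, 14)   # Privacy Rule deadline


@dataclass
class Disclosure:
    disclosed_on: date
    recipient: str      # name & address of organization/person who received PHI
    description: str    # description of the information disclosed
    basis: str          # reference to the Authorization or Request on file
    purpose: str        # constructed label, e.g. "health_oversight"


def years_before(d, n):
    """Same month/day n years earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


@dataclass
class DisclosureLog:
    entries: list = field(default_factory=list)

    def record(self, disclosure):
        self.entries.append(disclosure)

    def accounting(self, as_of, include_exempt=True):
        """Disclosures in the 6 years before as_of, oldest first.
        include_exempt=True is the CVCS track-everything listing; False
        applies the federal exceptions (exempt purposes and anything
        disclosed before the compliance date)."""
        start = years_before(as_of, ACCOUNTING_YEARS)
        selected = []
        for d in self.entries:
            if not start <= d.disclosed_on <= as_of:
                continue
            if not include_exempt and (
                d.purpose in EXEMPT_PURPOSES or d.disclosed_on < COMPLIANCE_DATE
            ):
                continue
            selected.append(d)
        return sorted(selected, key=lambda d: d.disclosed_on)


def response_due(request_date):
    """Date by which the agency must act on an accounting request."""
    return request_date + timedelta(days=RESPONSE_DAYS)


def accounting_is_free(request_date, prior_request_dates):
    """One free accounting per year: free unless another request fell in
    the 12 months before this one."""
    window_start = request_date - timedelta(days=365)
    return not any(window_start <= p < request_date for p in prior_request_dates)


# Constructed sample log for Mr. Hipp (not real data).
SAMPLE_LOG = DisclosureLog()
SAMPLE_LOG.record(Disclosure(date(2002, 10, 15), "Insurer, Example St.",
                             "claim for 10/2002 visits", "claim #TEST", "payment"))
SAMPLE_LOG.record(Disclosure(date(2003, 5, 1), "Probation officer, City",
                             "attendance report", "Authorization on file",
                             "under_authorization"))
SAMPLE_LOG.record(Disclosure(date(2004, 3, 10), "Medicaid auditor, State",
                             "billing records 2003", "audit request letter",
                             "health_oversight"))
```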
Consumer Rights Under HIPAA Mr. Hipp may request a restriction on the use & disclosures of his PHI. However the agency does not have to agree. If the agency does agree - it must comply and, as a result, can only release restricted information in an emergency. Either Mr. Hipp or the agency can end the restriction.
Business Associate Agreement Mr. Hipp’s chart may be reviewed by a CARF surveyor. Such reviews are allowable via Business Associate Agreements, which make all contracted oversight agents with access to PHI responsible for security of this information.
Consumer Complaint System Mr. Hipp feels his confidentiality may have been violated but is unsure who to contact to discuss his concerns. He does not want to talk to his therapist. Mr. Hipp may contact the CVCS Consumer Services Complaint System (Office of Consumer Services). He should be given the contact’s name and office phone number.
De-identified Information A student completing an internship at the agency wants to write a paper on Mr. Hipp to fulfill a course requirement. • This is allowable if all identifying PHI elements relating to Mr. Hipp, his relatives, employer, and household members are stripped from the data. • If PHI remains it must be reviewed by a designated person knowledgeable in clinical stats and privacy regulations to assure there is no or minimal risk of re-identification of the data prior to use.
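The stripping step from the De-identified information definition slide and the student-intern scenario above, as an added example (not CVCS code): the identifier categories listed on the two PHI slides are removed from a record, identifiers of relatives, employer and household members go with them, and whatever narrative text remains is scanned for identifier-shaped strings so that a record which still carries PHI is routed to the designated reviewer instead of being released. Field names, regex patterns and the sample record are assumptions for a hypothetical record layout, not a CVCS schema.

```python
import copy
import re

# Identifier categories from the PHI slides, mapped to assumed field names.
PHI_FIELDS = {
    "name", "address", "ssn", "birth_date", "email", "health_plan_id",
    "license_no", "vehicle_id", "biometric_id", "phone", "employer",
    "account_no", "photo", "url", "fax", "ip_address", "device_serial",
}
# Identifiers of relatives, employer and household members are stripped too.
RELATED_PREFIXES = ("relative_", "household_", "employer_")

# Identifier shapes that commonly leak into narrative fields (assumed patterns).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def strip_identifiers(record):
    """Return a copy of the record without the listed identifier fields."""
    cleaned = {}
    for key, value in record.items():
        if key in PHI_FIELDS or key.startswith(RELATED_PREFIXES):
            continue
        cleaned[key] = copy.deepcopy(value)
    return cleaned


def residual_identifiers(record):
    """Scan string fields for identifier-shaped text; returns {field: [kinds]}."""
    hits = {}
    for key, value in record.items():
        if isinstance(value, str):
            kinds = [k for k, p in RESIDUAL_PATTERNS.items() if p.search(value)]
            if kinds:
                hits[key] = kinds
    return hits


def deidentify(record):
    """Strip identifiers and report what still needs the designated
    reviewer's attention. Returns (cleaned_record, residual_hits)."""
    cleaned = strip_identifiers(record)
    return cleaned, residual_identifiers(cleaned)


def releasable(record):
    """True only when nothing identifier-shaped remains after stripping."""
    return not deidentify(record)[1]


# Constructed sample, not real consumer data.
SAMPLE_RECORD = {
    "name": "Mr. Hipp", "ssn": "000-00-0000", "birth_date": "1/2/1960",
    "phone": "000-000-0000", "employer": "Example Co.",
    "relative_spouse_name": "Mrs. Hipp",
    "diagnosis": "depression", "medication": "example-med",
    "progress_note": "Wife can be reached at 000-000-0000 per consumer.",
}

if __name__ == "__main__":
    cleaned, residual = deidentify(SAMPLE_RECORD)
    print(cleaned)    # diagnosis, medication and progress_note only
    print(residual)   # the note still carries a phone number: needs review
```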
Research Protocol While in treatment Mr. Hipp enters a clinical research study/trial concerning the effectiveness of his medication. Mr. Hipp has signed an authorization for use of his consumer PHI (FDA Regulations). The clinical trial must meet specific waiver requirements approved by an Independent Review Board (IRB) or privacy board. Research protocol must be approved by the IRB.
Case Consultation, Review, & Auditing Mr. Hipp’s case is reviewed in staffing & audited by the Quality Improvement Dept. This is included under “normal healthcare operations” (TPO). Mr. Hipp’s chart can be reviewed in the clinical disposition meeting, by the clinician’s supervisor for supervisory training, and by QI and in peer audits.
Access Control Issues The agency staff safeguard Mr. Hipp’s PHI by: • Controlling access of PHI based on role/position • Maintaining confidentiality of PHI in all forms • Maintaining workstation security • Complying with minimum necessary disclosures • Maintaining the security of media containing PHI • Securing passwords
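The first and fourth practices above, together with the audit trails and role based access items from the Security slides and the agreed restriction from the Consumer Rights slide, as an added example (not CVCS code): each role is limited to the PHI categories it needs, a restriction the agency agreed to blocks release of that category except in an emergency, and every attempt, allowed or denied, is written to an audit trail. The roles, categories and the role-to-category matrix are assumptions for a hypothetical agency system; the slide's minimum-necessary exemptions for treatment and consumer authorizations are not modelled.

```python
from datetime import datetime

# PHI categories each role/position may access (assumed classification).
ROLE_ACCESS = {
    "intake_worker": {"demographics", "insurance"},
    "clinician": {"demographics", "clinical_notes", "medication", "lab_results"},
    "nurse": {"demographics", "medication", "lab_results"},
    "lab_technician": {"lab_results"},
    "billing_coding": {"demographics", "insurance", "billing"},
    "qi_specialist": {"clinical_notes", "billing"},
    "student_intern": set(),   # de-identified data only
}


class PhiAccessControl:
    """Decides each access request and writes every attempt to an audit trail."""

    def __init__(self):
        self.audit_trail = []     # one dict per attempt, allowed or not
        self.restrictions = {}    # consumer_id -> categories the agency agreed to restrict

    def agree_restriction(self, consumer_id, category):
        """Record a restriction the agency agreed to; binding until ended."""
        self.restrictions.setdefault(consumer_id, set()).add(category)

    def end_restriction(self, consumer_id, category):
        """Either the consumer or the agency can end a restriction."""
        self.restrictions.get(consumer_id, set()).discard(category)

    def decide(self, role, consumer_id, category, purpose):
        """Return (allowed, reason) without logging."""
        if role not in ROLE_ACCESS:
            return False, "unknown role"
        if category not in ROLE_ACCESS[role]:
            return False, "outside the minimum necessary set for this role"
        if category in self.restrictions.get(consumer_id, set()) and purpose != "emergency":
            return False, "agreed restriction in effect"
        return True, "permitted"

    def request(self, user, role, consumer_id, category, purpose, when=None):
        """Decide and log an access attempt; returns True if allowed."""
        allowed, reason = self.decide(role, consumer_id, category, purpose)
        self.audit_trail.append({
            "when": when or datetime.now(), "user": user, "role": role,
            "consumer": consumer_id, "category": category,
            "purpose": purpose, "allowed": allowed, "reason": reason,
        })
        return allowed

    def denied_attempts(self, consumer_id=None):
        """Audit-trail entries that were refused, optionally for one consumer."""
        return [e for e in self.audit_trail
                if not e["allowed"] and (consumer_id is None or e["consumer"] == consumer_id)]


if __name__ == "__main__":
    ac = PhiAccessControl()
    ac.request("clin1", "clinician", "C1", "clinical_notes", "treatment")
    ac.request("bill1", "billing_coding", "C1", "clinical_notes", "payment")
    for entry in ac.audit_trail:
        print(entry["user"], entry["category"], entry["allowed"], entry["reason"])
```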
Marketing Restrictions Mr. Hipp has now completed treatment and is taking medication for his depression. A pharmaceutical company “Moremeds” wants a list of consumers & addresses for contact to offer discount medications. This is not permitted under HIPAA.
This is the list of staff who have accessed Mr. Hipp’s PHI during his visit with CVCS: • Intake worker(s) • Medical Records Technicians • Clinician(s) • Supervisor • Lab Technician • Lawyer • Medicaid Auditor • Student Intern • Disposition Treatment Team • Peer Audit Reviewers • Nurse • Doctor • QI Specialists • Insurance Company • Transportation Company • Case Manager • Billing/Coding Personnel
HIPAA is not added red tape but... Applying BEST PRACTICES to protect Mr. Hipp’s confidential healthcare information in a world where inappropriate sharing of PHI could result in: – Identity theft – Loss of privacy and control over healthcare information – Possible discrimination practices – Consumer Rights violations
Your HIPAA Committee Helping to keep you on your toes. List your HIPAA Committee members names here including: – Privacy Officer – Security Officer – Consumer Services Complaint Contact
For more information or questions on HIPAA contact: List your HIPAA contact or committee chair here
Remember!!! Together we are making a difference. 9/18/02
Disclaimer Notice • This training module was developed by CVCSB staff with editing assistance from Ted Groves of Chesterfield CSB. Since it was originally designed for CVCSB staff, it contains some specific policy/practice references. • Be sure to review, edit, and use this module based on your particular CSB needs, practices, and HIPAA law. • HIPAA is a moving target - You will need to revise this module based on updated changes in HIPAA. • If you have any specific feedback/questions regarding its content or design…please notify me. Thank you. Beth Ludeman-Hopkins (434-847-6074) or bethl@lynchburg.net