PRIVACY STANDARDS OVERVIEW

Transcription

1

2 PRIVACY STANDARDS OVERVIEW Basic Requirements What Entities Are Covered Practical Effects

3 BASIC REQUIREMENTS A Covered Entity may not use or disclose an individual s protected health information ( PHI ),except as otherwise permitted or required by this subpart Consent for Treatment, Payment or Healthcare Operations ( TPO ) Authorization for use or disclosure for non-tpo purposes Notice of Privacy Practices ( NPP )

4 BASIC REQUIREMENTS Required disclosures (Continued) Minimum Necessary standard Individual rights to accounting, amendments and complaints Administrative requirements Business Associates Others...

5 COVERED ENTITIES Health Care Providers Health Plans Healthcare Clearinghouses

6 SPECIAL CATEGORIES Affiliated Entities Hybrid Entities Multifunctional Entities Organized Health Care Arrangements

7 AFFILIATED ENTITIES Legally separate Covered Entities that are affiliated may designate themselves as a single affiliated Covered Entity for purposes of compliance with the Privacy Standards Separate Covered Entities may be affiliated if they are under common ownership or control

8 AFFILIATED ENTITIES Common ownership or control: Common ownership - exists if an entity or entities possess an ownership or equity interest of 5% or more in another entity Common control - exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity

9 AFFILIATED ENTITIES Affiliation must be elected and documented Affiliated Covered Entities may adopt uniform NPP and consent for all participating affiliates BUT, each affiliated Covered Entity must comply with Privacy Standards when using or disclosing PHI to an affiliated Covered Entity (e.g., Minimum Necessary Standards)

10 HYBRID ENTITIES Single legal entity that is a Covered Entity and whose covered functions are not its primary functions Covered functions are those functions which make the entity a health plan, healthcare provider or healthcare clearinghouse Primary functions subject to common sense evaluation

11 HYBRID ENTITIES Privacy Standards apply to healthcare components of hybrid entity, but not to entire entity Healthcare components: Components that perform covered functions Other components, to extent components perform activities with respect to covered functions that would make it a business associate of the component performing covered functions

12 HYBRID ENTITIES Must erect firewalls to protect against improper use or disclosure of PHI within or by the organization healthcare component cannot disclose PHI to another component if disclosure would be prohibited if other component was a separate legal entity Employee who performs services for healthcare component must not use or disclose PHI to another component except in accordance with Privacy Standards

13 MULTIFUNCTIONAL ENTITIES A Covered Entity which performs multiple covered functions which would make it any combination of a healthcare provider, health plan or healthcare clearinghouse must comply with the Privacy Standards applicable to the covered functions it performs

14 MULTIFUNCTIONAL ENTITIES A multifunctional entity may use or disclose PHI of individuals who receive plan or provider services (but not both) only for purposes of the function being performed

15 ORGANIZED HEALTH CARE ARRANGEMENTS New in Final Privacy Standards Included to describe certain arrangements in which participants need to share PHI about patients to manage and benefit the common enterprise

16 ORGANIZED HEALTH CARE 5 kinds of OHCA : ARRANGEMENTS Clinically integrated care setting in which individuals typically receive care from more than one provider (e.g., a hospital) Organized system of health care in which more than one Covered Entity participates and in which the Covered Entities hold themselves out to the public as participating in joint arrangement for purposes of utilization review, quality assessment or payment activities (e.g., IPA)

17 ORGANIZED HEALTH CARE ARRANGEMENTS (Continued) A group health plan and a health insurance issuer or HMO covering such group health plan, but only with respect to PHI of the group health plan members A group health plan and one or more other group health plans maintained by the same plan sponsor The group health plans described above and health insurance issuers or HMOs covering such group health plans, but only with respect to PHI of members of the group health plans

18 ORGANIZED HEALTH CARE ARRANGEMENTS OHCA may utilize a joint NPP: Must agree to common rules governing uses and disclosures of PHI Must reasonably identify the participating Covered Entities or class of Covered Entities Must identify service delivery sites, or class of service delivery sites, to which NPP applies Must state that participating Covered Entities will share PHI with each other as necessary to carry out TPO related to the OHCA Must satisfy all other NPP requirements applicable to a single Covered Entity

19 ORGANIZED HEALTH CARE ARRANGEMENTS Typical use of joint NPP - health care facilities where physicians and other providers have offices elsewhere and also provide services at the facility (e.g., hospital, residential facility) Providers generally required to have separate NPP for office practice Distribution of NPP requirements satisfied for all participating Covered Entities if one participating Covered Entity distributes joint NPP

20 ORGANIZED HEALTH CARE ARRANGEMENTS OHCA may utilize a joint consent: In general, consent obtained by one Covered Entity to use or disclose PHI for TPO is not effective to permit another Covered Entity to use or disclose PHI for TPO Exception for joint consent obtained for Covered Entities participating in an OHCA

21 ORGANIZED HEALTH CARE Joint consent: ARRANGEMENTS Must also have a Joint NPP Must include the name or other specific identification of the Covered Entities, or classes of Covered Entities, to which the joint consent applies Must meet all other requirements applicable to consent obtained by a single Covered Entity Covered Entity receiving revocation of Consent must notify other Covered Entities

22 ORGANIZED HEALTH CARE ARRANGEMENTS Typical use of joint consent - hospital and its associated emergency room physicians and other attending physicians Joint consent is the only type of consent by which one covered entity (e.g., a hospital) can obtain the individual s permission for another covered entity (e.g., a physician) to use or disclose PHI to carry out treatment, payment or health care operations.