HIPAA FUNDAMENTALS For Substance abuse Treatment Industry

Transcription

1 HIPAA FUNDAMENTALS For Substance abuse Treatment Industry (c)firststepcounselingonline2014 1

2 At the conclusion of the course/unit/study the student will... ANALYZE THE EFFECTS OF TRANSFERING INFORMATION ; COMPARE THE PROS AND CONS FOR A BUSINESS ASSOCIATE ; RECOGNIZE THE CONSEQUENCS OF NOT FOLLOWING THE HIPPA RULES. (c)firststepcounselingonline2014 2

3 Understand the basic fundamentals of HIPAA law as it relates to practicing in the substance abuse treatment industry. Use your respective association s Code of Ethics to create a foundation for resolving ethical dilemmas. PURPOSE OF COURSE: The purpose of this continuing education course is to provide a current understanding of issues relevant to the HIPAA guidelines for patient privacy. Government facts, guidelines and confidentially reporting information is provided to assist counselors in clarifying paperwork. (c)firststepcounselingonline2014 3

4 If a substance abuse treatment program transmits health information electronically in connection with one or more of these Part 162 transactions, then it must comply with the Privacy Rule. Part 162 may be amended in the future to cover additional transactions. Part 2 protects any and all information that could reasonably be used to identify an individual and requires that disclosures be limited to the information necessary to carry out the purpose of the disclosure. See 42 CFR 2.11 and 2.13(a). Under the Privacy Rule, a program may not use or disclose protected health information (PHI) except as permitted or required by the Rule.8 See 45 CFR (a). (c)firststepcounselingonline2014 4

5 Neither rule applies to information that has been de-identified.9 See 45 CFR (a) (de-identification of PHI) and 42 CFR 2.11 (definition of patient identifying information ). The Privacy Rule permits programs to assign a code or other means of record identification to allow information that has been de-identified to be re-identified, as provided in 45 CFR (c). (c)firststepcounselingonline2014 5

6 Second, the Final Rule requires that any person or entity that meets the definition of business associate execute a business associate agreement. If the task involving the protected health information is delegated by the covered entity, the covered entity must be a party to the business associate agreement. If the task involving the protected health information is delegated by a business associate, the covered entity is not required to be a party to the business associate agreement. (c)firststepcounselingonline2014 6

7 In that case, the business associate delegating the task and the business associate receiving the task must execute the business associate agreement. Business associates who further delegate tasks involving the use or disclosure of protected health information must likewise execute business associate agreements. As a result, many entities not previously subject to HIPAA will be required to execute business associate agreements and to meet the HIPAA requirements that apply directly to business associates. In addition, new business associates will incur liability for civil and criminal penalties for violating those requirements. (c)firststepcounselingonline2014 7

8 Third, although the HITECH Act specified the Security Rule provisions that would be applicable to business associates, it left some uncertainty as to the other HIPAA requirements that would apply directly to business associates. In response, the Department specified that business associates are directly liable under the HIPAA. (c)firststepcounselingonline2014 8

9 Rules for the following: Impermissible uses or disclosures of protected health information; Failure to provide breach notification to the covered entity; Failure to provide access to a copy of electronic protected health information either to the covered entity, the individual, or the individual s designee (as specified in the business associate agreement); Failure to disclose protected health information where required by the Department to investigate or determine the business associate s compliance with HIPAA Rules; and Failure to provide an accounting of disclosures. (c)firststepcounselingonline2014 9

10 Any recipient of a delegated task that involves the creation, receipt, maintenance or transmission of protected health information is a business associate regardless of whether a covered entity or other business associate delegated the task. Accordingly, hereinafter references to business associates include persons and entities not previously included in the definition of business associate but who must create, receive, transmit or maintain protected health information to perform a permitted task that has been delegated to them. Defining business associate in this manner significantly expands the Department s authority over a group of people and entities that previously had no direct HIPAA obligations. (c)firststepcounselingonline

11 The Final Rule further explains that business associates must limit any permissible use or disclosure of protected health information to the minimum necessary amount to achieve a permitted purpose. The Department views the minimum necessary standard [as] a condition of the permissibility of many uses and disclosures of protected health information. (c)firststepcounselingonline

12 Consequently, a use or disclosure of protected health information for which the requisite minimum necessary amount of protected health information has not been identified or that exceeds the minimum necessary would be impermissible under HIPAA. Business associates must make this assessment for themselves although they may reasonably rely on requests from other business associates or covered entities as requesting the minimum necessary for disclosure. (c)firststepcounselingonline

13 The Final Rule specifies a number of changes to the content of business associate agreements to reflect changes required by the HITECH Act and to reflect the Department s new regulatory authority with respect to business associates These changes include: Eliminating the requirement to notify the Secretary in cases where there is a violation of business associate agreement when termination is infeasible; Requiring all business associates to comply with the minimum necessary standard; (c)firststepcounselingonline

14 Requiring all business associates to comply with the obligations to safeguard electronic protected health information; report breaches of unsecured protected health information; and require subcontractors that create or receive protected health information to agree to the restrictions and conditions that apply to business associates with respect to protected health information; and If the business associate is performing an obligation of the covered entity, complying with all HIPAA requirements that apply to a covered entity performing such obligation (c)firststepcounselingonline

15 The Final Rule has materially changed the way covered entities and business associates will operate going forward with respect to HIPAA compliance. Privacy and Security Officers should be working with legal counsel to (1) identify policies and procedures that must be updated to reflect changed requirements and to address new ones; and (2) identify any existing subcontractors that qualify as business associates under the expanded definition and execute business associate agreements with them. The two regulations have some differences in the definition of what information is protected (c)firststepcounselingonline

16 . For instance, the Privacy Rule treats medical record numbers as PHI, subject to all the same requirements as other PHI. Part 2 would permit a program to disclose a medical record number because the regulation does not apply to a number assigned to a patient by a program, if that number does not consist of, or contain numbers... which could be used to identify a patient with reasonable accuracy and speed from sources external to the program. See 42 CFR Programs subject to both rules must follow the Privacy Rule s protection of a medical record number. (c)firststepcounselingonline

17 Perhaps the best news in the Final Rule is its effective and compliance dates. The final rule is effective on March 26, 2013, but compliance with the new provisions will not be enforced until September 23, The Final Rule was officially published on January 25, 2013 so entities have approximately 8 months to comply. That is the good news. The bad news is that entities only have 8 months to get their HIPAA houses in order and to implement the changes. (c)firststepcounselingonline

18 1 See 78 Fed. Reg. 5566, 5669 (Jan. 25, 2013) (hereinafter the Final Rule ). The Final Rule also make[s] clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules. Id.; see also id. at 5689 (to be codified at 45 CFR ). (c)firststepcounselingonline

19 The Final Rule includes a grandfathering provision for business associate agreements in effect prior to January 25, 2013 (i.e., the publication date of the Final Rule) if the agreements (including any related service agreements) are not renewed or modified prior to the compliance date in the Final Rule (i.e., September 23, 2013).19 The grandfathering provision provides business associates meeting these specifications an extra year (i.e., until September 22, 2014) to amend the business associate agreements to comply with the new requirements (c)firststepcounselingonline

20 . The agreements will be deemed compliant with the Final Rule until either (i) the agreement is modified after the compliance date, or (ii) September 22, 2014, whichever occurs first. The grandfathering provision applies only to the business associate agreement requirement and not to any other provision of the Final Rule. (c)firststepcounselingonline

21 Covered Entities A Covered Entity is a health care provider or a health plan that submits bills electronically. Examples include: Hospitals; Physicians; Blue Cross Blue Shield of TEXAS; etc. All Covered Entities along with their Business Associates (that use or access patient information on the Covered Entity s behalf) are subject to HIPAA. (c)firststepcounselingonline

22 Question: If you have a document or an electronic device such as a thumb/flash drive that contains patient initials and medical record number(s), does your document or device contain PHI? Answer: Yes. Your document or device contains patient identifiers patient initials and medical record number that can be used to identify the patient(s). It does not matter that the full patient name is not included. (c)firststepcounselingonline

23 PHI is anything that is received, sent or stored in any form by a health care provider or health plan: - That identifies the patient or can be used to identify the patient; - That generally is about a patient s past, present and/or future treatment and payment of services. In other words: PHI is any health information that can lead to the identity of the individual or the contents of the information can be used to make a reasonable assumption as to the individual s identity. (c)firststepcounselingonline

24 Treatment, Payment and Operations (TPO) Treatment [T] : Various activities related to patient care. Payment [P]: Various activities related to paying for or getting paid for health care services. Health Care Operations [O]: Generally refers to day-to-day activities of a covered entity, such as planning, management, training, improving quality, providing services, and education. NOTE: Research is not considered TPO. Written patient authorization is required to access PHI for research unless authorization waiver is approved by the IRB. See the education program on research for more information. (c)firststepcounselingonline

25 Business Associate: Vendors who have access to or use PHI on our behalf must have a Business Associate Agreement - a signed agreement promising to keep PHI confidential in accordance with HIPAA. Example: A company developing order entry software must see actual PHI so they would need a written agreement.. (c)firststepcounselingonline

26 Minimum Necessary Rule Generally, the amount of PHI used, shared, accessed or requested must be limited to only what is needed. Workers should access or use only the PHI necessary to carry out their job responsibilities. (c)firststepcounselingonline

27 What is Use of PHI? Use of PHI refers to how PHI is internally accessed, shared and utilized by the covered entity. For some counselors, use refers to accessing, sharing, and utilizing PHI within the health system. What is Disclosure of PHI: Disclosure of PHI refers to how PHI is shared with individuals or entities externally. For some counselors, disclosure refers to sharing PHI with others outside of (external to) the health system. Different rules apply to Use vs Disclosure of PHI (c)firststepcounselingonline

28 Notice of Privacy Practices (NPP) Providers and Health Plans must have a Notice of Privacy Practices (NPP) - it provides a detailed description of the various uses and disclosures of PHI that are permissible without obtaining a patient s authorization. In general, anytime you release patient information for a reason unrelated to treatment, payment (e.g., billing) or healthcare operations (TPO), an authorization is required. (c)firststepcounselingonline

29 HIPAA transactions that a substance abuse treatment program might engage in include: Submission of claims to health plans Coordination of benefits with health plans Inquiries to health plans regarding eligibility, coverage or benefits or status of health care claims Transmission of enrollment and other information related to payment to health plans (c)firststepcounselingonline

30 Referral certification and authorization (i.e., requests for review of health care to obtain an authorization for providing health care or requests to obtain authorization for referring an individual to another health care provider). (c)firststepcounselingonline

31 What is an Authorization? A written permission signed by the patient or the patient s personal representative (e.g., a parent) to allow a Covered Entity to Use or Disclose a patient s PHI for reasons generally not related to Treatment, Payment or Healthcare Operations (TPO purposes). The Authorization must include: A detailed description of the PHI to be disclosed, who will make the disclosure, to whom the disclosure will be made, expiration date, and the purpose of the disclosure. (c)firststepcounselingonline

32 Types of Disclosures 3 Categories: 1.No Authorization Required 2.Authorization Required, but Must Give Opportunity to Object 3.Authorization Required (c)firststepcounselingonline

33 No Authorization is required to make the following disclosures: To disclose PHI to the patient. To use or disclose PHI for treatment, payment or healthcare operations (For examples: A physician discusses the patient s condition with another consulting physician; a health provider submit a bill to a health insurance plan; and patient records are reviewed for quality improvement purposes). Certain disclosures required by law (for example, public health reporting of diseases, child abuse/neglect cases, etc.). No Authorization is Required, but Must Offer Opportunity to Object: (c)firststepcounselingonline

34 -The Patient must be offered an opportunity to object before discussing PHI with a patient s family or friends. Before discussing patient information in an exam room, ask the patient if it is okay to discuss information in front of the patient s family member or friend. Alternatively, you can ask the family member or friend to leave, especially if the information is highly confidential. - Limited PHI (e.g., patient s hospital room/location number) is included in the Hospital Directory but patients are offered an Opt Out opportunity and certain disclosures to clergy members. (c)firststepcounselingonline

35 If a substance abuse treatment program transmits health information electronically in connection with one or more of these Part 162 transactions, then it must comply with the Privacy Rule. Part 162 may be amended in the future to cover additional transactions. B. Information that is protected under Part 2 and the Privacy Rule Part 2 protects any and all information that could reasonably be used to identify an individual and requires that disclosures be limited to the information necessary to carry out the purpose of the disclosure. See 42 CFR 2.11 and 2.13(a). (c)firststepcounselingonline

36 Under the Privacy Rule, a program may not use or disclose protected health information (PHI) except as permitted or required by the Rule.8 See 45 CFR (a). Neither rule applies to information that has been de-identified.9 See 45 CFR (a) (de-identification of PHI) and 42 CFR 2.11 (definition of patient identifying information ). (c)firststepcounselingonline

37 Authorization Is Required: Written authorization is required from the patient for the following: To access, use or disclose PHI for research (unless an Institutional Review Board such as the U-M IRBMED approves a waiver of authorization) To conduct certain fundraising activities For marketing activities (c)firststepcounselingonline

38 Incidental Disclosures Some disclosures are not completely avoidable. These are permitted under HIPAA and are called Incidental Disclosures Examples of Incidental Disclosures : Visitors hear a patient s name as it s called out in a waiting room; a hospital patient in a 2-bed room hears a physician speaking to the other patient. (c)firststepcounselingonline

39 HIPAA requires reasonable steps to be taken to minimize incidental disclosures such as: Speaking in soft tones when discussing PHI in open areas such as the recovery room, emergency department, etc.; Do not discuss PHI in public hallways, elevators or other public locations such as the cafeteria; Only use the minimum necessary minimize incidental disclosures. (c)firststepcounselingonline

40 This applies to Highly Confidential areas which include: Mental Health and Substance Abuse HIV/AIDS Testing or Treatment Psychotherapy Notes (which are not part of the medical record) Certain diagnostic and treatment services rendered to minors If you have questions about handling highly confidential information, ask your supervisor or privacy officer. (c)firststepcounselingonline

41 Most system to any other system is not considered secure (This includes to a college.edu address; csc.hctx.net (Adult probation) or to a hotmail, yahoo,, Comcast, or other type of personal address) Check with your supervisor for department-specific procedures for ing PHI outside of your System In all cases, use only the minimum necessary PHI. Use your electronic access to information systems only to perform your job-related duties and only access PHI on a need-to-know basis (c)firststepcounselingonline

42 All electronic systems are audited a log of all accesses is maintained and designed to protect patient privacy Inappropriate access to a patient s electronic medical record can lead to disciplinary action, up to and including discharge from employment. (c)firststepcounselingonline

43 Question: Would it be permissible for you to look up a coworker s address in the electronic medical record so you can send the coworker a get well card? Answer: No. You cannot access a coworker s electronic medical record. If you need information about a coworker, check with your supervisor. Accessing the electronic medical record system for purposes other than to complete your job responsibilities is not permitted. Inappropriate access to a patient s electronic medical record can lead to disciplinary action, up to and including discharge. (c)firststepcounselingonline

44 Use difficult to break passwords Never share your password with another person Change your password often Use a password-protected screensaver Log off from all electronic record applications (e.g., the electronic medical record system) before walking away from the computer Secure all electronic records using encryption Call technical support to set up secure electronic systems Do not save any PHI on portable electronic devices such as laptop computers, flash/thumb drives, electronic tablets, etc; and if any of these are stolen, notify your supervisor immediately. (c)firststepcounselingonline

45 Covered Entities and Individuals can be penalized for violating HIPAA Up to $1.5 million (per HIPAA violation per year) Criminal fines: $250,000/up to 10 years imprisonment NOTE: Individuals (This means You!) can be subject to criminal prosecution, fines and imprisonment. (c)firststepcounselingonline

46 Part 2 protects all information about any person who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program. See 42 CFR 2.11 (definition of a patient ). Information is subject to the Privacy Rule if it is individually identifiable information created, received, or maintained by the covered entity. (c)firststepcounselingonline

47 Former patients and deceased patients are protected under both Part 2 and the Privacy Rule. See 42 CFR 2.11 and 2.15 and 45 CFR and (f). Programs should generally continue to follow Part 2, but note that if PHI is received prior to a patient applying to a program, under the Privacy Rule, such information is protected. (c)firststepcounselingonline

48 Name or general designation of the program or person permitted to make the disclosure; Name or title of the individual or name of the organization to which disclosure is to be made; Name of the patient; Purpose of the disclosure; How much and what kind of information is to be disclosed; (c)firststepcounselingonline

49 Signature of patient (and, in some States, a parent or guardian); Date on which consent is signed; Statement that the consent is subject to revocation at any time except to the extent that the program has already acted on it; and Date, event, or condition upon which consent will expire if not previously revoked. (c)firststepcounselingonline

50 Part 2 permits programs to disclose limited information to law enforcement officers. Such disclosures must be directly related to crimes and threats to commit crimes on program premises or against program personnel. The Privacy Rule permits programs to disclose to law enforcement officials PHI that the program believes in good faith constitutes evidence of a crime that occurred on the program s premises. (c)firststepcounselingonline

51 Part 2 requires that programs notify patients that Federal law and regulations protect the confidentiality of alcohol and drug abuse patient records and give them a written summary of the regulations requirements. See 42 CFR The Privacy Rule requires that patients be given a notice of the program s privacy practices as well as their rights under the Privacy Rule. See 45 CFR Programs subject to both rules can combine their requirements into a single notice. (c)firststepcounselingonline

52 Promptly return to the patient (if feasible) or dispose of (in accordance with the organization's destruction procedures) any health information that is not used or not solicited. Consider developing policies and procedures that confine the ability to request health information from external sources and to place such information in the patient's record to specified staff or personnel. (c)firststepcounselingonline

53 Collaborate with clinicians to develop procedures for identifying external information that has been used in patient care. Once identified as such, provisions should be made for including this in the patient's record, whether paper or electronic. Within the record, consideration should be given to filing or indexing the external information under a separate tab or section of the electronic or paper record developed for this purpose. Review state statues that may require inclusion of external information. (c)firststepcounselingonline

54 Develop written policies and procedures as well as staff training for clinical users that address the use of external information. Train HIM staff on procedures related to redisclosure of health information. Identify the records the organization believes individuals have the right to access and amend under state and federal laws and regulations (c)firststepcounselingonline

55 Apply HIPAA's pre-emption standards where individuals' rights to access and amend are not the same under other federal or state laws and regulations. (c)firststepcounselingonline

56 Subpoenas and court-ordered disclosures Part 2 permits programs to release information in response to a subpoena if the patient signs a consent permitting release of the information requested in the subpoena. When the patient does not consent, Part 2 prohibits programs from releasing information in response to a subpoena, unless a court has issued an order that complies with the rule. See 42 CFR Part 2, Subpart E. Subpart E sets out the procedure the court must follow, the findings it must make, and the limits it must place on any disclosure it authorizes. (c)firststepcounselingonline

57 The Privacy Rule permits a program to disclose PHI pursuant to a subpoena without a prior written authorization, if it receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to ensure that the individual has been given notice of the request for PHI and the opportunity to object, or reasonable efforts have been made to secure a qualified protective order. See 45 CFR (c)firststepcounselingonline

58 (e)(1)(ii). The Privacy Rule has different requirements regarding court orders, but programs can comply with both Part 2 and the Privacy Rule by continuing to follow the Part 2 s court order requirements. Unless the disclosure requires authorization under the Privacy Rule, the Part 2 consent form can be used. (c)firststepcounselingonline

59 Part 2 permits programs to comply with State laws that require the reporting of child abuse and neglect. See 42 CFR 2.12(c)(6). The Privacy Rule also permits such reporting. See 45 CFR (b)(1)(ii). However, Part 2 limits programs to making only an initial report; it does not allow programs to respond to follow-up requests for information or to subpoenas, unless the patient has signed a consent form or a court has issued an order that complies with the rule. Programs should continue to follow the rules established by Part 2. (c)firststepcounselingonline

60 "Fundamentals of the Legal Health Record and Designated Record Set." Journal of AHIMA 82, no.2 (February 2011): expanded online version. Privacy Act of USC, Section 552A. Centers for Medicare and Medicaid Services. "Part 483? Requirements for States and Long Term Care Facilities." Title 42? Public Health. Chapter IV. Centers for Medicare and Medicaid Services. "State Operations Manual: Appendix PP? Guidance to Surveyors for Long Term Care Facilities." Revised December 2, (c)firststepcounselingonline