It s as AWESOME as You Think It Is!

Transcription

1

2 It s as AWESOME as You Think It Is!

3 Fine Print This presentation and any materials and/or comments are training and educational in nature only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. No comment or statement in this presentation or the accompanying materials is to be construed as an admission. The presenter reserves the right to qualify or retract any of these statements at any time. Likewise, the context is not tailored to any particular situation and does not necessarily address all relevant issues or necessarily reflect the current state of the law in any particular jurisdiction or circumstance as of the time of the presentation. Parties participating in the presentation or accessing of these materials should engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique situation. 3

4 Roadmap HIPAA Basics What is HIPAA? Who must comply? PHI, CEs, and BAs What is Allowed? Individual Rights TPO and non-tpo uses Improper Disclosures Breach vs. Non-breach Penalties for violations Audits 4

5 What Is HIPAA? Federal law concerning health information and health insurance coverage Passed in 1996, amended several times Focus of this training: HIPAA rules for Privacy of Protected Health Information (PHI)

6 HIPAA Privacy: This training focuses on the HIPAA Privacy Rule. The Privacy Rule provides federal protections for PHI, giving patients an array of rights with respect to that information, and imposing responsibilities on Covered Entities and Business Associates to protect it. PHI:

7 Who must comply? Covered Entities (CEs): places where PHI is generated: Medical Providers Health Insurance Plans AND Business Associates (BAs): individuals and companies that use, access, or store PHI on behalf of Covered Entities: Healthcare Clearing houses for billing, claims, etc. Insurance Companies and TPAs Vendors of Covered Entities that have access to PHI

8 What is allowed? CEs and BAs may access, use, disclose, and store PHI in two ways: -Without permission, but only in certain ways; or -With permission, but only as allowed by the individual Rules are the same for CEs and Bas Handling PHI in violation of the rules is a BIG deal (as in: it could cost MILLIONS of dollars in fines) -Penalties in this range are handed out regularly (discussed later)

9 Protected Health Information (PHI) PHI is any information held by a covered entity (or their business associates) which concerns health status, provision of health care, or payment for health care that can be linked to an individual. Think of it as a math equation: Identifying Info (Identifiers) + Health Info = PHI

10 EEOC Definition: Names Address Date of Birth Date of Service Date of Death Telephone # Fax # Addresses Vehicle Identifiers Device Identifiers Full face photographic images Social Security # Medical Record # Health Plan Beneficiary # Account # Certificate/License Number Web URLs of personal websites Internet Protocol address numbers Biometric identifiers (fingerprints) Any of these connected to health information is PHI.

11 HIPAA Equation Examples (Any Combo = PHI) Names Address Provider Social Security # Employee ID# Patient Account# DOB + Diagnosis Codes CPT Codes DOS Date of Death Eligibility Name of Provider Doctors Notes Genetic Information

12 Common Locations of PHI Medical Records Claims Network Pricing Insurance Billing/Reports s (internal/external) FTP sites Hard Drives Faxes Laptops Thumb drives EOBs Cell phones

13 Individual Rights Under HIPAA Individuals have several rights with regard to their PHI under HIPAA, including: Access to PHI Amending inaccurate PHI Receiving a Notice of Privacy Practices Receiving an accounting of disclosures Restricting access to PHI Confidential communications to them and to others regarding their PHI

14 Handling PHI Without Permission: TPO A CE or BA may access, use, disclose, or store PHI without permission discloses for the purposes of Treatment, Payment, or Healthcare Operations (TPO): Treatment: PHI used for the care of the individual, such as done by healthcare providers Payment: PHI used to pay for treatment, such as done by providers, insurers, employer health plans, clearinghouses, and TPAs for paying claims, coordination of benefits, case management, pre-certification of medical procedures, and processing medical claims Operations: PHI used to manage healthcare, such as underwriting, medical review, legal and auditing services (i.e. fraud and abuse detection and compliance programs), and cost management

15 Typical TPO Recipients When disclosing PHI for TPO reasons, the recipients are usually one of the following: Providers, and their internal staff Other providers caring for an individual Providers BAs (e.g., clearinghouses, facilities, etc.) Insurance companies and other payers Health Plans, and their BAs (e.g., Brokers, TPAs, Networks, UR Vendors, PBMs, etc.) Parents of minor children If you disclose PHI without written permission to someone not on this list, it s probably a violation of HIPAA!!

16 Unusual & Rare: No Permission & No TPO In some limited circumstances, HIPAA also permits access, use, and disclosure of PHI without permission of the individual to certain recipients without a TPO purpose, such as: For law enforcement purposes (i.e. warrants, subpoenas, etc.) For surviving family of the deceased (i.e. funeral arrangements) For medical research (strict guidelines apply) As required by Law (i.e. statute, regulations, court orders) For public health activities (e.g. FDA, CDC, etc.) For protection of victims of abuse, neglect of domestic violence (disclosure to government officials). DO NOT disclose PHI without permission for any non-tpo reason without consulting with a supervisor first!

17 Handling PHI With Permission: The Authorization HIPAA permits access, use, and disclosure of PHI with permission of the individual, but only as the individual instructs. ALWAYS get an Authorization Form signed by the individual before disclosing PHI: -For any non-tpo reason -To any non-authorized representative (e.g., a lawyer of the individual; someone who claims to have power of attorney; insurance adjuster; etc.) -In the form of psychiatric notes. Authorization forms must contain the following: -Name of individual whose PHI is to be released -Who the PHI be given to -What entity is releasing the PHI -Type of PHI -Purpose of release -Permission termination date or event

18 Authorized Representatives In some cases, individuals may appoint (or have appointed for them by the law or a court) a person to receive and control the individual s PHI on their behalf. The following can be personal representatives: Parents of Minor Children Guardian of child or incapacitated adult (must have court order) Medical (aka, healthcare) power of attorney (a general or durable POA is NOT enough) Executor of Estate (must have court documents) An authorized representative can do anything the individual could do with the individual s PHI.

19 Minimum Necessary Rule CEs and BAs must use, access, disclose, and store only the minimum amount of PHI necessary to accomplish the purpose, regardless of either: whether PHI is used, accessed, disclosed, or stored with or without permission, or the purpose of the use, access, disclosure, or storage.

20 Notice of Privacy Practices Providers and health insurance plans must distribute a Notice of Privacy Practices to patients/participants. The Notice of Privacy Practices must: Describe the uses of PHI, and Individuals rights regarding their PHI, including where to file a complaint

21 Health Insurance Plan Doc If you have a health insurance plan for your employees, the Plan Document must contain language that imposes restrictions on the plan sponsor s (i.e. your) use and disclosure of PHI. For example: you cannot use PHI for employment purposes, such as hiring/firing decisions

22 Improper Disclosure Any disclosure of PHI not allowed by HIPAA is improper. There are 2 types of improper disclosures of PHI: Breaches everything else. Breaches are a specific type of improper disclosure, and they are REALLY BAD. Breaches lead to notices, fines, and even criminal penalties.

23 Improper Disclosure Disclosures of PHI not allowed by HIPAA must be classified as Breaches or Non-breaches. As a result, in the event of an improper disclosure, CEs and BAs are required by HIPAA to: investigate, document, and in some cases, give notice to individuals affected.

24 Improper Disclosure: The Investigation All improper disclosures are presumed to be Breaches until the CE/BA demonstrates there is a low probability that PHI has been compromised. Whether there is a low probability of compromise is based on a risk assessment the CE/BA performs that considers at least the following factors: the nature and extent of PHI involved, including the likelihood of re-identification; the unauthorized person who used PHI or to whom the disclosure was made; whether PHI was actually acquired or viewed; and the extent to which the risk to PHI has been mitigated. ALL RISK ASSESSMENTS MUST BE DOCUMENTED!

25 Improper Disclosure: The Investigation All improper disclosures must be investigated and documented BAs must notify their CE of all improper disclosures, including a copy of the risk assessment CEs and BAs must keep a log of disclosures for 6 years, and provide the log and the documentation to individuals or federal government upon request

26 The New HIPAA Regs Final Rules issued in January 2013; compliance required by September 23, 2013 CEs are directly responsible for any Breaches by their BAs, regardless of whether the CE was at fault, or even knew about it Penalties for violations have increased exponentially, and the HIPAA police (Office of Civil Rights, or OCR) fund their budget in large part with fines they give out Two Words: Leon Rodriguez

27 Penalties for Violation of HIPAA Type of Violation Range of Fines per Incident Maximum Fines per Year Reasonable Diligence (i.e., in compliance, didn t know about violation, and no reason you should have known about it) $100 - $50,000 $1.5 million Reasonable Cause (i.e., in compliance, but made reasonable mistakes leading to violation) Willful Neglect Corrected (i.e., not in compliance, but fixed it after the fact) Willful Neglect Uncorrected (i.e., not in compliance, and did not bother fixing it after the fact) $ $50,000 $10,000 - $50,000 $50,000 $1.5 million $1.5 million $1.5 million

28 Criminal Penalties Individuals can now go to jail for willfully violating HIPAA. The penalties are: Knowingly disclosing = 1 year prison Using False pretenses to obtain PHI = 5 years Disclosing for marketing purposes = 10 years

29 Breach Notification to Affected Individuals If an improper disclosure is a Breach, the individuals affected must be notified by the CE or BA. If the Breach includes 500 or more individuals, the CE or BA must: Notify the OCR; and Notify a prominent media outlet (i.e. TV, internet, newspaper, etc.), to extend the reach of the notice to affected individuals YOU DO NOT WANT TO BE ON THE NEWS FOR VIOLATING HIPAA!

30 OCR Audits The OCR has received Federal money to perform LOTS of audits The OCR funds part of its budget from fines it collects Assume you will be audited, and act accordingly I m excited to meet you! BWAAHAHAHA!

31 It s as AWESOME as You Think It Is!

32