HIPAA PRIVACY RULE: AN OVERVIEW GUIDE FOR BUSINESSES

Written by

PRIYAL PARMAR

7557 Rambler Road, Suite 1465
Dallas, Texas 75231
(214) 891-5960
(214) 891-5966 – Facsimile
[email protected]

Posted: 15-Dec-2015

INTRODUCTION

HIPAA was enacted on August 21, 1996 as a set of basic national privacy standards and fair information practices to protect the privacy of the health information of consumers, and to protect an individual’s right to access and control the use of personal health information (PHI).

This presentation provides a summary of the HIPAA Privacy Rule. The goal of this presentation is to provide a guideline that businesses can use to ensure compliance with HIPAA. This information is not exhaustive and the attorneys at Owen & Fazio, P.C. can provide more detailed guidance upon request.

WHO HAS TO COMPLY WITH HIPAA?

Covered entities – This includes:

- All health plans – any individual or group health plan that provides, or pays the cost of, medical care (includes health insurers)
  - A health plan that has >50 participants is automatically a covered entity
  - An entity is not considered to be a health plan for HIPAA purposes if:
    - It falls under the Public Health Service Act
    - It provides incidental health care services
- All health care clearing houses – any public or private entity that processes (or facilitates the processing of) health information received from another entity in a non-standard format
- Health care providers – those who provide medical and health services, and any person or organization that furnishes, bills, or is paid for health care services or supplies in the normal course of business
  - Those health care providers that transmit health information in electronic form in connection with a standard transaction
  - Examples of standard transactions: eligibility request, claim submission, claim status inquiry, claim payment, referral request, medical services authorization

WHAT IS COVERED?

Protected Health Information (PHI) – Information that:

- Relates to the past, present, or future physical or mental health or condition of an individual, OR
- Relates to the provision of health care to an individual, OR
- Relates to the past, present, or future payment for health care, AND
- Is individually identifiable, AND
- Is transmitted by electronic media, maintained in any medium described in the definition of electronic media, or transmitted or maintained in any other form or medium.

What is excluded from PHI?

- PHI in education records covered by the Family Educational Rights and Privacy Act (FERPA)
- Employment records held by the covered entity in its role as an employer
- De-identified information. This can be accomplished by using one of two methods:
  - MIT method – qualified people use statistics and scientific methods to show that there is a very small risk that the information could be used by others to identify a subject of the information.
  - Safe-harbor method – remove all of the 18 enumerated identifiers

USES AND DISCLOSURES

Those that require no patient permission:
- Treatment
- Payment
- Health care operations
- Public policy activities

Those that require the patient’s oral agreement:
- Directory information – name, location, general condition, religious affiliation
- Disclosures to persons involved in the individual’s care or payment for care
- Disclosure to family members of the patient’s general condition and death for the purpose of notification

Those that require the patient’s written authorization:
- Disclosure of psychotherapy notes
- Disclosure for marketing purposes

REQUIRED ELEMENTS OF A WRITTEN AUTHORIZATION

1. Specific description of the information to be disclosed
2. Specific identification of the covered entity authorized to make the use or disclosure
3. Specific identification of the person(s) to whom the covered entity may make disclosure
4. Specific description of each purpose
5. Expiration date or event
6. Signature of the individual
7. Date
8. Information regarding the right to revoke the authorization and the exceptions to it
9. Ability or inability of the covered entity to condition treatment, payment, enrollment in the health plan, or eligibility for benefits, on the authorization
10. Potential for the information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient

NOTE:
- The authorization must be written in plain language
- The covered entity must provide the individual with a copy of the signed authorization
- The covered entity must retain a copy of the signed authorization for itself
- The authorization is considered defective if:
  - The expiration date has passed
  - It is not filled out completely
  - It is known to be revoked
  - It contains false material

REQUIRED DISCLOSURES

Must be disclosed:
- When the individual requests his/her own PHI
- When the Department of Health and Human Services (DHHS) requests the PHI to investigate a covered entity’s compliance with HIPAA

MINIMUM NECESSARY RULE

- A covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
- If it is a routine disclosure, the covered entity is required to implement policies and procedures to restrict such disclosures to the minimum necessary standard

INDIVIDUAL RIGHTS

Right to Receive Notice

- Purpose – to notify the individual about the protections the covered entity applies to health information
- Must post the notice in a conspicuous place where patients are likely to look. Ex: payment window
- Must also keep copies for patients to take
- If the covered entity has a website, the notice must be posted on the website as well

Note: The next 5 slides explore the Right to Receive Notice in more detail

What are the components of the notice?

- It must contain a statement that additional uses and disclosures require written authorization
- It must clearly outline the covered entity’s legal duties with respect to the information
- It must give instructions on how to file a complaint with the Department of Health and Human Services if the individual feels that his/her privacy rights have been violated

Who must give notice?

- Any health care provider with a direct treatment (not indirect) relationship with the individual must give notice
- Indirect treatment relationship – when a health care provider delivers health care to the individual based on the orders of another health care provider, and the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual
  - Ex: radiologists, pathologists, clinical laboratories
- Health care clearing houses, correctional institutions, and group health plans that provide benefits through health maintenance organization (HMO) contracts are not required to give notice, but must provide one upon request by an individual
- Affiliated covered entities under common ownership or control may designate themselves as one single entity and produce a single notice

When must notice be given?

- At the time of enrollment of a new client or at the time of first service delivery
- Within 60 days of making a material revision to the notice
- Any time the patient requests a notice
- A health plan should remind enrollees about how to obtain a copy of the notice at least once every 3 years.

Who must the notice be given to?

- EACH ENROLLEE, NOT each covered spouse or dependent

Acknowledgment

- Once notice is given, a covered entity should obtain a written acknowledgement by either:
  - Signature on the notice
  - Initials on the notice cover sheet
  - Signature on a separate list
- If the covered entity is unable to obtain acknowledgement, it must document its good faith attempts to obtain it and the reason(s) why it was not obtained

RIGHT TO ACCESS PHI

- Patients have the right to inspect and copy their PHI in a designated record set (a group of records maintained by or for a covered entity that are medical records, billing records, enrollment, payment, claims adjudication, case management record systems, or records used by covered entities to make decisions about individuals)
- Exceptions:
  - Psychotherapy notes
  - Information in anticipation of legal proceedings
  - PHI that is subject to the Clinical Laboratory Improvement Amendments (CLIA), to the extent the provision of access to the individual would be prohibited by law or exempt from CLIA
- The covered entity must comply in a timely manner, usually 30 days
- For records not maintained on site, the covered entity has 60 days to comply
- A one-time extension of 30 days is allowed, but the covered entity must give the individual the need and the reason(s) for the extension.
- The covered entity must have a procedure in place to challenge denial of access
- Two situations when access can be denied and no appeal is available:
  - Inmates of a correctional institution
  - Research participants, but only until the research is completed.
- If access is denied, the individual must receive a written explanation of the basis for denial. It should be easy to understand and inform of any existing appeal rights. It must also alert the individual of the availability of the right to complain to the covered entity or the DHHS.

RIGHT TO AMEND PHI

- Individuals have the right to amend incorrect or incomplete PHI
- A covered entity must respond to the request for amendment in a timely manner, within 30 to 60 days

RIGHT TO AN ACCOUNTING OF DISCLOSURES OF PHI

- Individuals have the right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which the accounting is requested.
- The accounting must include:
  - Date of disclosure
  - Name of the entity or person who received the PHI, and address if known
  - Brief description of the PHI disclosed
  - Brief statement of the purpose of the disclosure
- Exceptions to the right to receive an accounting:
  - To individuals or their personal representatives for treatment, payment, or healthcare operations
  - For national security or intelligence reasons
  - For a facility’s directory
  - Disclosures made prior to the April 14, 2003 compliance deadline
  - Pursuant to an authorization
  - To correctional institutions or law enforcement officials
  - Incident to a use or disclosure otherwise permitted or required by this subpart
- The covered entity must act on the request within 60 days
- The first accounting in a 12-month period is free, but subsequent requests may be charged a reasonable cost-based fee

APPOINTMENT OF PRIVACY OFFICER

- A covered entity must appoint a privacy officer who is in charge of developing and implementing policies and procedures
- It must also designate a person/office for receiving complaints

WORKFORCE TRAINING

- All members of the workforce must be trained by the compliance date
- New members must be trained within a reasonable time
- If material changes are made, all workforce members affected by the change must be trained within a reasonable time.

PENALTIES AND ENFORCEMENT

- Individuals can lodge complaints with the attorney general, state insurance commissioner, state medical board, or the United States Department of Health and Human Services (DHHS) Office for Civil Rights
- DHHS can impose civil penalties between $100,000 and $250,000
- Civil penalties can only be imposed for willful violations
- If a reasonable cause is found, no penalties are given as long as the covered entity corrects the non-compliance within 30 days
- Civil penalties cannot be imposed if criminal penalties have already been imposed
- Criminal penalties:
  - Knowing violations of HIPAA = $50,000 or less and/or 1 year or less in prison
  - Using false pretenses to violate HIPAA = $100,000 or less and/or 5 years or less in prison
  - Intent to gain personally or commercially, or with intent to cause malicious harm by the misuse of IIHI (individually identifiable health information) = $250,000 or less and/or 10 years or less in prison.

COMPLIANCE DATES

- Health care providers, health care clearinghouses, and health plans must comply by April 14, 2003
- Small health plans must comply by April 14, 2004

BUSINESS ASSOCIATES

- A person or organization outside the covered entity that performs, or assists in the performance of, functions and activities covered by HIPAA. Ex: legal, actuarial, accounting, etc.
- HIPAA does not apply directly to a business associate, but may apply to them indirectly if there is a business associate agreement
- A business associate agreement is a contract between a covered entity and a business associate and must contain the following required elements:
  - Establish permitted uses and disclosures
  - State that the business associate will not use information for further uses and disclosures not in the agreement
  - State that the business associate will use appropriate safeguards to prevent the use or disclosure of information other than as provided by the contract
  - The business associate will report to the covered entity regarding any use or disclosure not in the agreement
  - The business associate must agree to get all of its subcontractors to comply with the business associate agreement
  - The business associate must make PHI available for inspection and copying
  - The business associate must make PHI available for amendment
  - The business associate must make its records available to the Secretary of DHHS to check the covered entity’s compliance with HIPAA
  - The business associate must agree to return or destroy all information at the end of the contract if feasible to do so
  - The agreement must establish that the covered entity can terminate the contract with the business associate for any violations

STATE PREEMPTION

HIPAA preempts any state law unless the state law is more stringent.

HIPAA WEB SITES

- Association of American Medical Colleges, www.aamc.org
- American Health Information Management Association, www.ahima.org/journal
- Department of Health and Human Services, www.aspe.dhhs.gov
- Health Privacy Project, www.healthprivacy.org
- United States Department of Health and Human Services, www.hhs.gov/news/facts/privacy.html
- Phoenix Health Systems HIPAAdvisory, www.hipaadvisory.com
