Privacy Training - DAS Keeping It To Ourselves! Protecting Client Confidentiality…

Upload: adrienne-waithe

Post on 15-Jan-2016


TRANSCRIPT

Page 1: HIPAA Privacy Training - DAS Keeping It To Ourselves! Protecting Client Confidentiality…

HIPAA Privacy Training - DAS

Keeping It To Ourselves!

Protecting Client Confidentiality…

Page 2

Introduction

Vin Lombardo

Henry Jovanelly

Gene Shook (Keane)

Purpose: Comply with the training requirements of HIPAA

Page 3

Topics of Discussion

What is HIPAA?

Privacy and Confidentiality Standards

Page 4

What This All Really Means

Use or disclose health information that identifies the individual for billing and collection (Payment) purposes only

When you do that, disclose the minimum necessary and know who you disclose to

Page 5

What is HIPAA? Health Insurance Portability and Accountability Act of 1996 (August 21), Public Law 104-191

Guarantees insurability of employees that change jobs (Portability)

Reduces fraud and abuse of federal entitlement programs (Accountability)

Improves efficiency through standardization of electronic transactions and codes

Protects an individual's private health information

Establishes security standards for health care information systems

National standards for unique health identifiers

Page 6

It came out of the failed health-care reform effort of the Clinton administration. In the early 1990s there was a lot of concern about people who were restrained in moving from one employer to another because they were afraid of losing their health insurance due to pre-existing conditions. So although the overall health-reform efforts failed, one of the things that came out of those efforts was this bill, which was aimed at allowing the portability of health insurance by preventing insurers from imposing requirements about pre-existing conditions when you move from one employer to another. At the time, employers were concerned that this was going to lead to an increase in health insurance costs. So there was an effort made to reduce costs in the health-care system as a way of offsetting the increased costs caused by these portability requirements.

People quickly identified the amount of administrative expense throughout the health-care system caused by inefficient communications. For example, there are more than 400 different transaction formats in use throughout the country related to services provided and payments made. So HIPAA contains within it a set of provisions under its administrative simplification section to standardize to 10 transactions. Congress recognized that this was going to result in enhanced flow of individually identifiable health information in electronic format. There was concern that this would increase the risk of private health information being improperly disclosed. So part of the administrative simplification rules deal with protective measures that health-care providers and payers have to take in order to protect the privacy and security of this individually identifiable health information.

Page 7

Time Line

Implementation Dates:

Privacy: April 2003

Transactions & Codes: Oct 2003

Security: April 2005

Unique Identifiers: awaiting publication of Final Rules

Enforcement: awaiting publication of Final Rules

Legend: Firm / Estimated (awaiting publication of Final Rules)

Page 8: HIPAA Privacy Training - DAS Keeping It To Ourselves! Protecting Client Confidentiality…

Healthcare Payers (Plan) An individual or group plan that provides, or pays

the cost of medical care Healthcare Clearinghouses (DAS Collections)

An entity that processes/facilitates processing of health information received from another entity

Healthcare Providers Who transmit health information in electronic format

Covered Entities

Page 9

HIPAA

$30 Billion in savings over 10 years in administration costs ($18 Billion implementation cost)

• Title 1: Insurability and Portability

• Title 2: Administrative Simplification

• Title 3: Tax Implications

• Title 4: Group Health

• Title 5: Revenue

Page 10

Title II. Administrative Simplification

1. Electronic Health Transaction Standards and Code Sets

2. Privacy and Confidentiality Standards

3. Security and Electronic Signature Standards

4. Unique Identifiers

Page 11

1. Electronic Health Transactions Standards and Code Sets

All payers, providers and clearinghouses using electronic healthcare transactions must use a national standard format. The act designates standards for 10 specific transaction sets (e.g. 835 Payment, 837 Claim).

Health organizations also must adopt a set of industry standard codes to be used with transactions. Various coding systems are already in use to identify diseases, injuries and other health problems (as well as their causes, symptoms, and actions taken).

Administrative Simplification

Page 12

2. Privacy and Confidentiality

This rule protects the privacy of information related to an individual's health, treatment, or healthcare payment.

Limits the use of individually identifiable health information, sent or stored in any format (electronic, paper, voice, etc.), without patient authorization

Business partners who receive, store or have access to individually identifiable health information must ensure the privacy of the records

Patients may have access to their own medical records

Administrative Simplification

Page 13

3. Security of Health Information & Electronic Signature Standards

A uniform level of security for all health information that is housed or transmitted electronically and pertains to an individual

Organizations who use Electronic Signatures will have to meet a standard ensuring message integrity, user authentication, and non-repudiation

Administrative Simplification

Page 14

4. Unique Identifiers for Providers, Employers, and Health Plans

The current system allows for multiple ID numbers assigned by different agencies and insurers. HIPAA sees this as confusing, conducive to error, and costly. It is expected that standard identifiers will reduce problems. HIPAA sets a standard identifier for:

Providers

Claims Payers

Employers

Identifier likely to be eliminated: Unique Patient Identifier

Administrative Simplification

Page 15

Privacy and Confidentiality Standards (Policies & Procedures)

Limits the use of Protected Health Information (PHI)

Minimum Necessary

Verification Prior to Disclosure

Administrative Requirements

Business Associate Agreements

Page 16

Minimum Necessary

Protected Health Information (PHI)

Limit Access/Role Based

Disclosure of Minimum Necessary

De-Identification

Right to Request Privacy Protection/Confidential Communication

Individual's Access

Page 17

Protected Health Information (PHI):

Protected Health Information (PHI) is information that identifies an individual and relates to the person’s physical or mental health or condition, the provision of health care to that person, or payment for the provision of health care to that person.

DAS will limit the disclosure of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose of the authorized use, disclosure, or request.

Minimum Necessary

Page 18

Some items that identify an individual are: Name, Address, Telephone or FAX #, Email Address, Names of Relatives, SS#, Birth Date, Account Number, Name of Employers, any other item that can ID a person in a small sample…

Page 19

Limit Access/Role Based:

DAS will identify, and make reasonable efforts to limit access to, those persons or classes of persons in its workforce who, as appropriate, need access to Protected Health Information (PHI) to carry out their duties

Minimum Necessary

Page 20

Disclosure of Minimum Necessary:

DAS will limit any request for Protected Health Information (PHI) to that which is reasonably necessary to accomplish the purpose for which the authorized request is made

Minimum Necessary

Page 21

It just means that if a person needs a date from a file, don’t give them the whole file. Give authorized individuals the minimum necessary to get the job done.

Page 22

De-Identification:

DAS will de-identify Protected Health Information (PHI) (eliminate or cross out identifiers of the individual or of relatives, employers, or household members of the individual) to limit the disclosure of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose of the authorized disclosure

This is not necessary for TPO (to carry out Treatment, Payment or health care Operations)

Minimum Necessary

Page 23

Right to Request Privacy Protection/Confidential Communication:

It is our policy that we respect the right of an individual to request restrictions on uses and disclosures of PHI and permit an individual to request confidential communication of PHI at alternative locations or by alternate means.

DAS will document the restriction and termination of the restriction, should it occur.

Minimum Necessary

Page 24

The following will apply to requests for alternative confidential communications:

Request must be received in writing

Determine how payment will be handled, if necessary

Specification of an alternative address or other method of contact is required

Request or denial will be documented

DAS will not require an explanation from the individual

The uses and disclosures of PHI are then subject to the agreed upon restriction and/or the confidential communications requirements.

Minimum Necessary

Page 25

Individual’s Access:

DAS will give an individual the right to access and inspect or obtain a copy of his/her PHI for as long as DAS maintains the PHI. DAS will act on a request for access no later than 30 days after receipt of the request.

Minimum Necessary

Page 26

Verification Prior to Disclosure

ID Person and Authority

Verification Methods

Routine Communication

Non-Routine Disclosures

Recording of Uses and Disclosures

Exercise of Professional Judgment

Page 27

ID Person and Authority

DAS will verify the identity of a person requesting Protected Health Information (PHI) and the authority of any such person to have access to the Protected Health Information (PHI)

Verification Prior to Disclosure

Page 28

DAS is a Clearinghouse and only uses and discloses healthcare information for Treatment, Payment and Health Care Operations (TPO). The Client Agencies for which it processes the data have already obtained the appropriate authorizations and consents.

Verification Prior to Disclosure

Page 29

All employees are required to sign a confidentiality agreement as a condition of employment whereby they agree not to request, use or disclose protected information unless necessary to perform their job

Verification Prior to Disclosure

Page 30

Verification Methods:

Verification is done when the identity of the requestor is not known or when documentation is required

Routine communication, where entity relationships have been established, does not require special verification procedures

Verification Prior to Disclosure

Page 31

Verification Methods Examples:

Phone: Caller ID; if they are holding a Statement, ask for identifying information off of the statement; if not, ask for Social Security Number and date of birth

Letter: Verify name and address

Other examples: Signed Authorization, Claim Number, Company Tax ID Number, Letterhead, Callback, Copy of Appointing Document, Identification Badge, other official credentials; warrant, subpoena, order, or other legal process issued

Verification Prior to Disclosure

Page 32

Non-Routine Disclosures:

Non-routine disclosures, not covered in the Policies and Procedures, must be reviewed on an individual basis by a Team Leader. Unresolved issues are to be brought to the DAS HIPAA Privacy Officer for resolution

Verification Prior to Disclosure

Page 33

Recording of Uses and Disclosures:

A log for the recording of all non-routine disclosures will be maintained. A copy going back six years prior to the request will be made available to clients at their request for $0.50 per page to cover the cost of copying and mailing

Verification Prior to Disclosure

Page 34

Recording of Uses and Disclosures:

Non-routine disclosures will be recorded on the Avatar Admission Comments Screen within 60 days. Items to be keyed in:

Date of disclosure

Name of entity or person who received the PHI (address if known)

Brief description of PHI disclosed

Brief statement of purpose of disclosure

Verification Prior to Disclosure

Page 35

| Purpose of Use or Disclosure | Routine? | Verify Identity | See Team Leader/Privacy Officer | Record | Patient's Authorization Needed | Minimum Necessary | Safeguard |
|---|---|---|---|---|---|---|---|
| TPO (Treatment, Payment, Operations) | Routine | NO* | NO | NO | NO | YES | YES |
| Law Enforcement/Legal Proceedings, National Security, National Health | Non-Routine | YES | YES | YES | NO | YES | YES |
| Marketing, Fund-Raising, Medical Research | Non-Routine | YES | YES | YES | YES | YES | YES |

*YES, where identity of requester is not known (like an unrecognized voice on the phone)
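The decision table above, together with the minimum-necessary rule (Page 21), de-identification (Page 22) and the four disclosure-log items (Page 34), can be worked through as one small policy module. This is an added example, not code from the DAS training or from any DAS system; the purpose labels, record field names, "XXX" cross-out marker and the sample record are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Items the deck lists as identifying an individual (constructed field names).
IDENTIFIERS = {"name", "address", "telephone", "fax", "email", "relatives",
               "ssn", "birth_date", "account_number", "employer"}

# The Page 35 decision table, one row per purpose (constructed labels).
# Columns: routine, verify identity, Team Leader/Privacy Officer review,
# record the disclosure, patient authorization needed.  Minimum necessary
# and safeguards are YES in every row, so they are applied unconditionally.
POLICY = {
    "TPO":                (True,  False, False, False, False),
    "LAW_ENFORCEMENT":    (False, True,  True,  True,  False),
    "MARKETING_RESEARCH": (False, True,  True,  True,  True),
}


@dataclass
class Request:
    purpose: str
    requester: str
    fields_needed: frozenset
    requester_known: bool = True      # table footnote: unknown voice => verify
    identity_verified: bool = False
    reviewed: bool = False            # Team Leader / Privacy Officer sign-off
    patient_authorized: bool = False


@dataclass
class Outcome:
    allowed: bool
    reason: str
    released: dict = field(default_factory=dict)
    log_entry: Optional[dict] = None


def minimum_necessary(record: dict, fields_needed) -> dict:
    """Page 21: if they need a date from the file, don't give them the file."""
    return {k: v for k, v in record.items() if k in fields_needed}


def de_identify(record: dict) -> dict:
    """Page 22: cross out the identifiers; non-identifying fields stay."""
    return {k: ("XXX" if k in IDENTIFIERS else v) for k, v in record.items()}


def process(record: dict, req: Request, today: date) -> Outcome:
    """Walk one request through verification, review, authorization and
    minimum necessary; non-routine disclosures also get a Page 34 log entry."""
    if req.purpose not in POLICY:
        return Outcome(False, "purpose not covered by policy; refer to Privacy Officer")
    routine, verify, review, record_it, needs_auth = POLICY[req.purpose]
    if (verify or not req.requester_known) and not req.identity_verified:
        return Outcome(False, "identity of requester not verified")
    if review and not req.reviewed:
        return Outcome(False, "non-routine: Team Leader/Privacy Officer review required")
    if needs_auth and not req.patient_authorized:
        return Outcome(False, "patient authorization required")
    released = minimum_necessary(record, req.fields_needed)
    entry = None
    if record_it:  # the four items keyed into the disclosure log
        entry = {"date": today.isoformat(), "recipient": req.requester,
                 "phi_disclosed": sorted(released), "purpose": req.purpose}
    return Outcome(True, "routine (TPO)" if routine else "non-routine", released, entry)


# Constructed sample record; every value is a placeholder, not real data.
SAMPLE = {"name": "Sample Client", "ssn": "000-00-0000", "birth_date": "1970-01-01",
          "account_number": "ACCT-0001", "balance_due": 125.0, "service_date": "2003-04-14"}
```

A request for a field the record does not hold (for example "address" above) simply yields nothing for that field, so the released set can never exceed what was asked for or what exists.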

Page 36

Page 37

Page 38

Exercise of Professional Judgment:

The verification requirements are met if DAS relies on the exercise of professional judgment or acts on a good faith belief in making a disclosure

Verification Prior to Disclosure

Page 39

Administrative Requirements

Privacy Officer

Training

Safeguards

Complaints to DAS

Refraining from Intimidating or Retaliatory Acts

Sanctions

Policies and Procedures

Page 40

Privacy Officer

DAS will create, document and maintain a position of privacy official that is responsible for the development, implementation and maintenance of the policies and procedures of DAS

Responsible for receiving complaints regarding privacy of Protected Health Information (PHI)

Administrative Requirements

Page 41

Training

DAS will train all members of its workforce on the policies and procedures with respect to Protected Health Information (PHI) as necessary and appropriate for the members of the workforce to carry out their functions within DAS

Administrative Requirements

Page 42

Safeguards

DAS will have in place appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information (PHI).

Administrative Requirements

Page 43

Safeguards

Administrative: Scalable confidentiality and security procedures, designated security officer, sanctions for violations, signed statement by all employees regarding confidentiality of data

Administrative Requirements

Page 44

Safeguards

Technical: Unique ID and Password, system stores password encrypted, weak passwords not allowed, automatic time logoff, system enforced password changes, firewall, virus checking

Administrative Requirements

Page 45

Safeguards

Physical: Secure computer room, secure access to displays and printers, secure destruction of printouts, other outputs and obsolete equipment, disaster recovery plan in place and tested

Administrative Requirements

Page 46

Complaints to DAS

DAS will document all complaints received, and their disposition, if any, in written or electronic form. These documents must be retained for a period of no less than six years

Administrative Requirements

Page 47

Refraining from Intimidating or Retaliatory Acts

DAS will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone making a Privacy complaint

Administrative Requirements

Page 48

Sanctions

Consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce (can result in dismissal, other disciplinary actions, criminal prosecution and/or civil suit)

Administrative Requirements

Page 49

Policies and Procedures

DAS will implement Policies and Procedures with respect to Protected Health Information (PHI) that are designed to comply with the standards, implementation specifications or other requirements of the Health Insurance Portability and Accountability Act of 1996

Administrative Requirements

Page 50

Business Associate Agreements

Definitions

Vendor Contracts

Agreements

Page 51

What is a Business Associate?

An organization or person who performs activities on behalf of or in coordination with DAS that involve the use or disclosure of individually identifiable health information

Business Associate Agreements

Page 52

Contracts/Agreements

DAS will ensure continued privacy protections of health information by entering into a Business Associate Contract

Business Associate agrees that it shall be prohibited from using or disclosing the information provided or made available by DAS for any purpose other than as expressly permitted or required by the Contract

Business Associate Agreements

Page 53

Business Associate Contract Covers: Use and Disclosure, Safeguards, Subcontractors, Right to Access/Amend, Accounting of Disclosures, Return of Information or Destruction, Mitigation, Sanctions, Property Rights, Termination

Business Associate Agreements

Page 54

Contracts/Agreements

Business Associate Contract wording will be included in every vendor contract's terms and conditions for the state of Connecticut through DAS' Procurement Unit

MOU will be executed between DAS and our partnering state agencies

Business Associate Agreements

Page 55

Penalties: "Hot Water"

Fines up to $25,000 for multiple violations of the same standard in a calendar year

Fines up to $250,000 and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information

Page 56

Real Life

New York Times: Answer: Sorry, can't by law

Police Officer (properly identified): Answer: Yes, minimum necessary

Billing and Collection: Answer: Yes (TPO)

Page 57

Real Life - Confidentiality: No Gossiping

Neighbor's name noticed on case: Don't go home and tell your family

Celebrity's name noticed on case: Don't gossip to friends/coworkers

Page 58

What This Means

DAS will limit the disclosure of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose of the authorized use, disclosure, or request

DAS will verify the identity of a person requesting Protected Health Information (PHI) and the authority of any such person to have access to the Protected Health Information (PHI)

Page 59

What This Really Means

Use or disclose health information that identifies the individual for billing and collection (Payment) purposes only

When you do that, disclose the minimum necessary and know who you disclose to

Page 60

It is all about information: there is an explosion of Health Information out there.

Just to give you a perspective on information today: The Internet is doubling in content every 100 days. The Sunday edition of the New York Times alone now contains more information than all the written information available in the 15th Century. There are more than 300,000 books published every year. When Columbus discovered America, the largest library in the world was the Queen’s College Library in Cambridge. It contained only 199 books. Most of us have more than that in our homes today.

Page 61

Next Steps

Be more aware of client privacy and confidentiality

Exercise professional judgment/make reasonable efforts

Page 62

The End