How to HIPAA

Post on 14-Jan-2016

Page 1: How to HIPAA

How to HIPAA

Page 2: How to HIPAA

HIPAA

How to HIPAA

Health Insurance Portability & Accountability Act of 1996

Presented by: Jeniece Poole,

U of A Privacy Officer

Page 3: How to HIPAA

HIPAA Privacy & Research

Understanding YOUR responsibilities

Page 4: How to HIPAA

Why Was HIPAA Created?

To establish minimum federal standards for safeguarding the privacy of individually identifiable health information

Page 5: How to HIPAA

The History of HIPAA

Regulation has 3 areas of focus

• Portability of and access to health benefits
• Preventing fraud and abuse
• Administrative simplification

Page 6: How to HIPAA

Teaching Hospital Physician’s Fraud

OIG Sanctions Teaching Hospital Physicians’ Fraud

A four-year investigation into billing practices in the University of Washington Medical System ended with the University's physician practice plans agreeing to pay $35 million in restitution, damages and penalties to the state and federal governments for overbilling Medicare and Medicaid. This FCA settlement is the largest ever paid by a practice group related to a teaching hospital for failing to comply with Federal billing regulations. As a result of the investigation, two University physicians were convicted of criminal charges in connection with the fraud, and a former University neurosurgeon pleaded guilty to obstruction of a Federal criminal health care investigation. In addition, a University-affiliated nephrologist pleaded guilty to health care billing fraud and admitted engaging in fraudulent conduct spanning approximately 11 years, during which the defendant wrote notes in patients’ dialysis records indicating that he was present when he was not.

Page 7: How to HIPAA

Clinical Laboratory Fraud

The owner of a medical testing laboratory extradited from the Philippines pleaded guilty to defrauding the Medicare program by submitting bills for blood testing that was never performed. The owner admitted the lab submitted fraudulent bills to the Medicare and Medicaid programs for tests for RBC Protoporphyrin (a test that detects iron deficiency and lead poisoning), Thin Layer Chromatography (a test used to detect drug metabolites), and several more specialty blood tests. The laboratory did not have the ability to perform these tests. In the course of seventeen months, the lab submitted approximately $2.2 million in fraudulent bills. Medicare paid approximately $1.3 million of those claims.

Page 8: How to HIPAA

HIPAA aka Administrative Simplification Rule Includes:

• EDI (Electronic Data Interchange)
• Privacy
• Security
• Unique Identifiers

Page 9: How to HIPAA

PURPOSE OF ADMINISTRATIVE SIMPLIFICATION

• Protect the privacy and security of health information
• Define standards for electronic submissions
• Improve efficiency and effectiveness of the healthcare system

Page 10: How to HIPAA

PURPOSE

Compliance with the rule involves implementation by a covered entity of policies and procedures to ensure the confidential use and disclosure of protected health information by all staff

Page 11: How to HIPAA

PURPOSE

Protect the confidentiality and security of health information as it is used, disclosed and electronically transmitted

Create a framework, using standardized formats for transmitting electronic health information more efficiently

Page 12: How to HIPAA

What Happened before HIPAA

Various State Laws Applied

No consistent rules

Most states had privacy regulations

Few states had financial resources to enforce strict compliance with regulations

Arizona law for privacy and medical record safekeeping is over 150 years old

Page 13: How to HIPAA

Regulatory Agencies

Health and Human Services (HHS)

Office of Civil Rights (OCR)

Office for Human Research Protections (OHRP)

Agency for Healthcare Research and Quality (AHRQ)

Centers for Disease Control and Prevention (CDC)

National Institutes of Health (NIH)

Food and Drug Administration (FDA)

Page 14: How to HIPAA

THE PRIVACY RULE

Assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote quality health care and to protect the public’s health and well being

Rule attempts to balance the important uses of information with the protection of the privacy of people who seek care and treatment

Page 15: How to HIPAA

Privacy (effective 04/14/03)

Requires Covered Entities to safeguard patient health care information. Covered Entities are defined as:

• Health Care Providers
• Health Care Plans
• Health Care Clearinghouses

Page 16: How to HIPAA

EDI (effective 10/16/03)

Electronic transmission of healthcare data transferred or received

• Most commonly used for claims processing and payment

• Reduction in paper transactions

• Reduces risk of lost paper documents

Page 17: How to HIPAA

Security Regulations (effective 04/21/05)

Electronic data integrity and confidentiality

Access only to authorized individuals

Availability of information

Page 18: How to HIPAA

Security and Privacy Rule Distinctions

• Inextricably linked: protection of the privacy of the information depends on the security measures to protect the information
• The Security Rule applies to information in electronic form
• The Privacy Rule applies to information in any form

Page 19: How to HIPAA

Who Must Comply with HIPAA?

• Health Plans
• Health Care Clearinghouses
• Health Care Providers that transmit information electronically in connection with a HIPAA “standard transaction”

Researchers are not covered entities unless they are covered health care providers or are employed by covered entities

Page 20: How to HIPAA

What is patient health care information?

• Individually Identifiable Health Information (IIHI)
• Protected Health Information (PHI)

Relates to the past, present or future physical or mental health condition of an individual

Page 21: How to HIPAA

Personal Identifiers

This information can be in various forms and must be protected:

• Electronic
• Paper
• Oral

Page 22: How to HIPAA

What are Personal Identifiers?

1. Names
2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial five digits of a zip code to 000
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers

Page 23: How to HIPAA

More Personal Identifiers

9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Biometric identifiers, including finger or voice prints
16. Full face photographic images and any comparable images
17. Internet protocol address numbers
18. Any other unique identifying number, characteristic or code

Page 24: How to HIPAA

What is Research?

Research is defined as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge”

• Distinguish from quality assurance
• Distinguish from public health activities

Page 25: How to HIPAA

Impact of HIPAA on Research

• Confusion!!
• Potential reduction in health care providers willing to share PHI for research
• Places additional burden on IRBs

Page 26: How to HIPAA

Research and HIPAA

This rule applies to health care providers, including researchers when they provide health care (e.g., in a clinical trial)

Even if researchers do not provide health care, they must abide by the rule

The definition of “protected health information” includes information relevant to the provision of health care as well as information generated in the context of clinical research

Although some research information may not have proven clinical validity, the Privacy Rule considers it identifiable

Page 27: How to HIPAA

Research and HIPAA

The regulation covers information, not tissue, except to the extent any identifiable medical information is attached to the tissue sample

Genetic information is not provided a higher standard of privacy coverage under this federal regulation

The regulation covers individually identifiable information in any form, including written, electronic or oral.

Page 28: How to HIPAA

HIPAA vs. the Common Rule

Focus

• Common Rule: safety and welfare of human subjects
• HIPAA: privacy of the health information of subjects

Page 29: How to HIPAA

Research Privacy Regulations

Common Rule
• Federally funded or regulated research
• Protects rights and welfare
• Human subject (living) subject to research
• Board reviews all research protocols
• Annual and continuing reviews
• Informed consent to participate in research

HIPAA
• All research where CE uses or discloses PHI
• Protects privacy and welfare
• Individual (living or deceased) subject information
• Establishes Privacy Board; IRB may act as Privacy Board
• Board reviews authorizations for waivers
• No continuing review requirement
• Authorization & consent to PHI

Page 30: How to HIPAA

IDI AND OTHER REGULATIONS

HIPAA
PHI is individually identifiable information that is transmitted or maintained in any form or medium by a CE or its business associate, excluding school or employment records

FDA: Title 21 CFR 50 & 56
Do not define Individually Identifiable Health Information

HHS Human Subjects Protection: Title 45 CFR Part 46

Private information must be individually identifiable in order for obtaining the information to constitute research involving human subjects. Individually identifiable means the identity of the subject may be ascertained by the investigator or associated with the information

Page 31: How to HIPAA

Use of PHI

Types of PHI

De-identified Data

Limited Data Set

Identified

Page 32: How to HIPAA

HOW CAN INFORMATION BE USED OR SHARED?

De-Identify PHI: remove the listed identifiers, determine statistically that there is a very small risk that the information could be used to identify an individual, or code the identifiers

Tissue and blood are not PHI unless correlated with identifiers

Page 33: How to HIPAA

How Can Information Be Used Or Shared?

Limited Data Set or partially de-identified: may use data related to individual, address (except street level) and other identifiers not listed

• Must have “data use agreement” in place
• Obtain subject authorization
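The identifier list on slides 22 and 23, the de-identification options on slide 32 and the Limited Data Set on slide 33 together describe a procedure that can be written as code. The helper below is an added example, not part of the presentation and not a University of Arizona tool. It drops the direct identifiers in both modes, and in Safe Harbor mode also generalizes dates to the year, ages over 89 to a single 90+ category and ZIP codes to their first three digits, collapsing sparsely populated prefixes to 000 (the three-digit rule with its 20,000-person threshold comes from the Privacy Rule's Safe Harbor text rather than from the slides, and the restricted prefix set here is a constructed placeholder). It also scrubs formatted phone numbers, e-mail addresses, SSNs, IPs and URLs from free-text fields. The field names and the sample record are constructed for the example.

```python
"""Safe Harbor / Limited Data Set de-identification helper (added example, not from the slides)."""
import re
from datetime import date

# Constructed field names for this example; a real record layout will differ.
# Direct identifiers removed in both modes (slide items 1, 2 at street level, 4 to 17).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo_ref",
}
# Fields a Limited Data Set may keep but Safe Harbor must generalize or drop.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
GEO_FIELDS = {"city", "county", "precinct"}  # geographic units smaller than a state (item 2)

# Placeholder: three-digit ZIP prefixes whose combined population is 20,000 or fewer
# must be reported as "000". HHS publishes the real set; these values are constructed.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Formatted identifiers that leak into free-text fields (items 4, 6, 7, 14, 17).
# Regexes catch well-formed values only; names and odd formats need separate review.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bhttps?://\S+", re.IGNORECASE), "[URL]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for a restricted prefix; None if unusable."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age):
    """Ages over 89 collapse into a single '90+' category (item 3)."""
    return "90+" if age > 89 else str(age)


def scrub_text(text):
    """Replace formatted identifiers in free text with bracketed tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, mode="safe_harbor"):
    """Return a copy of `record` reduced to Safe Harbor or Limited Data Set form."""
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError("mode must be 'safe_harbor' or 'limited_data_set'")
    lds = mode == "limited_data_set"
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # removed in both modes
        if field in DATE_FIELDS and isinstance(value, date):
            out[field] = value.isoformat() if lds else str(value.year)
        elif field == "age":
            out[field] = str(value) if lds else generalize_age(value)
        elif field == "zip":
            zip_value = str(value) if lds else generalize_zip(value)
            if zip_value is not None:
                out[field] = zip_value
        elif field in GEO_FIELDS:
            if lds:
                out[field] = value  # city/county stay in a Limited Data Set only
        elif isinstance(value, str):
            out[field] = scrub_text(value)  # clinical notes and other free text
        else:
            out[field] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example Way",
    "city": "Tucson",
    "state": "AZ",
    "zip": "85721",
    "birth_date": date(1931, 6, 4),
    "admission_date": date(2015, 11, 2),
    "age": 94,
    "mrn": "MRN-0001",
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up call to 520-555-0100; results sent to jane@example.org.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD, mode="limited_data_set"))
```

Two caveats a reviewer would raise. Regex scrubbing only removes identifiers that are formatted the way the patterns expect; a name or an unformatted record number in a clinical note survives it, so free-text fields still need a second pass before the output is treated as de-identified, and Safe Harbor additionally requires that nobody handling the data has actual knowledge that the remainder could identify a subject. The Limited Data Set output keeps dates, city and ZIP, which is why slide 33 pairs it with a data use agreement rather than treating it as de-identified.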

Page 34: How to HIPAA

How Can Information Be Used Or Shared?

• HIPAA requires numerous elements (refer to checklist)
• HIPAA authorization requires IRB approval
• IRB or Privacy Board may waive the need for an authorization
• If PHI is solely to prepare for research and will not be removed from the premises

Page 35: How to HIPAA

Waiver of Authorization

Minimum risk to PRIVACY
o Plan to protect identifiers
o Plan to destroy identifiers, ASAP
o Written assurance not to reuse/redisclose
o Research cannot be done without Waiver
o Research cannot be done without PHI
o PHI is the minimum necessary
o Disclosures are tracked

Page 36: How to HIPAA

HIPAA and Research

Under HIPAA, individual authorization is required to use or disclose PHI for research

HIPAA specifies required elements or statements, which are far more detailed than the information traditionally provided in the Common Rule consent

Page 37: How to HIPAA

USE AND DISCLOSURE OF PHI

USE = Sharing of PHI within an entity or component

DISCLOSURE = Sharing of PHI outside an entity or component

Under HIPAA, patients have the right to request a complete listing of ALL disclosures of PHI for 6 years

Page 38: How to HIPAA

Use and Disclosure of PHI

HIPAA applies to USE & DISCLOSURE of certain health information that:

• Identifies the individual
• Relates to the individual’s past, present or future health, healthcare treatment, or health care payment
• Is maintained or disclosed electronically, on paper or orally

Page 39: How to HIPAA

HIPAA’s Individual Rights

Primary purpose of HIPAA is to assure that individuals:

Are informed as to the uses or disclosures of PHI (Notice of Privacy Practices)

Give appropriate permission for use or disclosure

Benefit from safeguards in place to protect privacy

Page 40: How to HIPAA

What if I don’t want to share my health information?

Each Notice of Privacy Practices contains information on who will be able to view your PHI, how it is shared and how it is maintained

It is assumed that you agree with the provisions of the NOPP

If you do not want to share your information, you may exercise the opt-out option

Page 41: How to HIPAA

Protecting My PHI

• Opt-outs must be in writing
• Opt-outs must be dated
• An address will be provided in the NOPP
• You may specify the provisions you do not want to have
• You may revoke your opt-out at any time

Page 42: How to HIPAA

HIPAA Authorization Form for Research

• Specific description of PHI to be used or disclosed in the research
• Name of persons or class of persons authorized to make disclosure
• Name of persons or class of persons to whom disclosure will be made
• Description of specific research protocol or study
• Expiration date or event, or statement that the authorization has no expiration

Page 43: How to HIPAA

HIPAA Authorization Form for Research

• Statement of participant’s right to revoke the authorization in writing and a description of how the person may revoke authorization
• Statement that a participant may not revoke the authorization as to PHI already disclosed in research, or description of other exceptions where participant may not revoke the authorization
• Statement that the organization disclosing the PHI may not condition treatment, payment, enrollment or eligibility

Page 44: How to HIPAA

HIPAA Authorization Form for Research

• Statement that PHI disclosed for research may be subject to redisclosure by the recipient and no longer protected by the rule
• Must have participant’s signature and date
• If authorization is executed by a personal representative of the participant, a description of the person’s authority to act for the participant

Page 45: How to HIPAA

HIPAA Security

• Security Standards effective 4/21/05
• Adopts standards for the security of electronic protected health information (ePHI)
• 18 standards supported by specifications

Page 46: How to HIPAA

Security Standards

FDA’s latest guidance and HHS’s HIPAA Security focus on:

• Risk assessment
• Documentation
• Supporting training
• Role-based access

Page 47: How to HIPAA

Prevent Inadvertent Disclosure

• Computer display screen should not be visible to passers-by

• Paper documentation should never be left unattended. Always lock paper records in a desk or file drawer.

• Do not send personal identifiers in an e-mail or attachment without appropriate security (e.g., encryption/password protection of attached file)

• Curtail hallway/elevator discussions

• Shred documents containing PHI; turn folders inward or turn upside down

• Fax procedures (e.g., cover sheet, secure location, verification of number)

Page 48: How to HIPAA

Disposal

• Documentation should only be destroyed when the information is no longer needed and when it is not required to be maintained by law or as public record
• Paper records: Shredding/Recycling in appropriate containers (not the office receptacle)
• Digital records: Overwriting
• Deleting files is NOT sufficient
• Some storage systems may require physical destruction

Page 49: How to HIPAA

Protect your data

• Password protect your computer and screensaver
• Password protect your storage devices and removable media
• Use appropriate passwords
• Keep anti-virus software current
• NEVER share passwords
• Never leave the computer when you are logged on
• Manually initiate screensaver when not sitting at desk
• Lock office door when you leave
• Don’t leave written passwords where others can find them

Page 50: How to HIPAA

Violations of Privacy

• HIPAA specifies the penalties for misuse of personal identifiers

• PERSONAL as well as INSTITUTIONAL liability

• If you are not following University policies/procedures, you will be personally liable

• Civil Penalties: $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated

Page 51: How to HIPAA

Violations of Privacy

• Criminal Penalties: Up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to 5 yrs in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm

Page 52: How to HIPAA

University Policy: Be Informed

http://arizona.edu
http://vpr2.admin.arizona.edu/HIPAA/HIPAA.htm

Other websites:
http://www.hhs.gov/ocr/hipaa
http://security.arizona.edu
http://www.irb.arizona.edu

Page 53: How to HIPAA

Recommended Confidentiality & Nondisclosure Language (page 2)

Add to Fax Cover Page:

This cover page and any documents accompanying this facsimile transmission contain confidential information belonging to the sender that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party and is required to destroy the information after its stated need has been fulfilled, unless otherwise required by law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this facsimile in error, please notify the sender immediately to arrange for destruction or return of these documents.

Page 54: How to HIPAA

Recommended Confidentiality & Nondisclosure Language

Add to email signature:

Confidentiality/Nondisclosure Notice: This e-mail transmission (and any attachments) is confidential. It may also be privileged or otherwise protected by law. If you have received it by mistake, please let the sender know by e-mail reply or you may call sender at Name of Entity in Tucson, Arizona at 520/-------- and delete it from your system. You may not copy this message or disclose its contents to anyone.