TRANSCRIPT
Module 2: HIPAA Privacy Fundamentals
HIPAA Enforcement Training for State Attorneys General
Module Introduction
Module 2: Introduction
This module of the Health Insurance Portability and Accountability Act (HIPAA) Enforcement Training for State Attorneys General (SAG) provides:
• Terms and concepts used in the HIPAA Privacy Rule
• An overview of the requirements of the HIPAA Privacy Rule
• Description of certain changes to the Rule made under the ARRA/HITECH Act of 2009
• Questions to ask when conducting an investigation
Module Objectives
Module 2: Objectives
After completing this module, you will be able to:
• Define terms used in the HIPAA Privacy Rule
• Summarize the requirements of the HIPAA Privacy Rule
• Describe the Privacy Rule’s administrative requirements for covered entities and business associates
• Develop investigatory questions to apply to your cases
Lesson 1: HIPAA Privacy Rule Concepts and Definitions
Lesson 1: Objectives
After completing this lesson, you will be able to:
• Define terms used in the HIPAA Privacy Rule
• Apply this terminology when investigating HIPAA violations
Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule
Use and Disclosure of PHI
Covered entities may only use or disclose PHI as permitted or required by the Privacy Rule.
Use is the sharing, employment, application, utilization, examination, or analysis of …information within the entity…
Disclosure is the release, transfer, provision of access to, or divulging in any other manner of information outside the entity.
References: 45 CFR §§ 160.103, 164.502
Covered Entities
A covered entity is:
• A health plan
• A health care clearinghouse
• A health care provider who transmits any health information in electronic form in connection with a covered transaction—one for which the Secretary has adopted standards.
Organizational Structures
Covered entities may be organized using structures that affect their obligations under the HIPAA Privacy and Security Rules. Organizational structures include:
– Hybrid entities
– Affiliated Covered Entities (ACEs)
– Organized Health Care Arrangements (OHCAs)
Hybrid Entities
A hybrid entity is a single legal entity:
• That is a covered entity
• Whose business activities include both covered and non‐covered functions, and
• That designates its health care components in accordance with the HIPAA Privacy Rule
Hybrid entities may designate parts of themselves as health care components, and must:
• Comply with the HIPAA Privacy and Security Rules
• Refrain from disclosing PHI inappropriately, including to another component of the hybrid entity
Components may disclose PHI to one another only as would otherwise be allowed if they were separate legal entities.
References: 45 CFR §§ 164.103, 164.105(a)(2)(iii)
Lesson 1: HIPAA Privacy Rule Lesson 1: HIPAA Privacy Rule Concepts and DefinitionsConcepts and Definitions
Module 2
Topic 1: Terms & Concepts Used in the HIPAA Privacy Rule (continued)
Examples of Hybrid Entities
• A state health department whose business practices include both covered and non‐covered functions
• A correctional facility with a health care clinic that transmits one or more HIPAA‐covered transactions electronically
• A data processing center that conducts health care clearinghouse activities as well as non‐health care data entry
• A university health clinic that is a HIPAA covered entity and has health information to which the Privacy Rule does not apply
Affiliated Covered Entities
Affiliated covered entities:
• Legally separate covered entities under the same ownership or control
• May participate in a single HIPAA compliance program
• Must have documented status as an affiliated covered entity
• All entities must comply with the HIPAA Privacy and Security Rules
• Common examples include chains of hospitals or clinics
Reference: 45 CFR § 164.105(b)(2)
Organized Health Care Arrangements (OHCA)
Organized Health Care Arrangements (OHCAs) are organizational structures under which:
• Two or more covered entities work together
• Common examples: Integrated health centers containing independent legal entities; multiple health plans with the same sponsor
OHCA members may:
• Disclose PHI to each other for health care operations activities of the OHCA
• Use a joint notice of privacy practices
• Share a common business associate
Minimum Necessary
The minimum necessary standard limits uses, disclosures, and requests for PHI to the minimum necessary amount of PHI needed to carry out the purposes of the use or disclosure.
Exceptions to this include:
• Disclosures to, or requests by, a health care provider for treatment purposes
• Uses or disclosures made to the individual or pursuant to the individual’s authorization
• Disclosures to HHS for HIPAA compliance purposes
• Uses or disclosures required by law
Reference: 45 CFR § 164.502(b)
The standard for minimum necessary uses requires covered entities to make reasonable efforts to limit access to PHI to those in the workforce who need access to it based on their roles in the covered entity.
Minimum necessary disclosures and requests for PHI:
For routine disclosures and requests, a covered entity must implement policies and procedures/standard protocols.
For others, the entity must review individual requests for disclosure to ensure they meet developed criteria to limit PHI disclosed to what is reasonably necessary for the intended purpose.
The Privacy Rule safeguards standards and the Security Rule work in concert to fulfill the Privacy Rule’s minimum necessary standard.
Examples of Minimum Necessary Disclosure
When leaving a message for a patient on an answering machine to confirm an upcoming doctor’s appointment, there is no need to state the reason for the doctor’s visit.
In sending a bill to a health plan for payment, normally there is no need to include the results of the tests provided and for which the payment is being requested.
When scheduling appointments, front office staff will probably not need to have access to a patient’s entire health record.
Activity 1: National Pharmacy Chain Extends Protections for PHI Case Study
Working together as a group at your table, take a few minutes to read the case study. After reading the case, answer the discussion questions and provide your answers during the class review.
Case Study:
A pharmacy employee placed a customer’s insurance card in another customer’s prescription bag. When contacted by OCR, the pharmacy argued that no inappropriate disclosure had taken place because it did not consider the customer’s insurance card to contain PHI.
Discussion Questions:
1. Which is the covered entity in this case study—the pharmacy chain's headquarters or the local store? What considerations will help you make this determination?
2. Do you think the customer’s insurance card was PHI?
Activity 2: Dentist Changes Process to Protect PHI Case Study
Working together as a group at your table, take a few minutes to read the case study. After reading the case, answer the discussion question and provide your answer during the class review.
Case Study:
An OCR investigation confirmed allegations that a covered dental practice flagged some of its medical records with a red sticker with the word “AIDS” on the outside cover, and that records were handled so that other patients, and staff without need to know, could read the sticker and the patient name.
Discussion Question:
Did the dentist violate the Privacy Rule?
Minimum Necessary and Limited Data Sets
Under HITECH, a covered entity is treated as in compliance with the minimum necessary standard only if the covered entity limits the use and disclosure of PHI to:
• The “limited data set” as currently defined in the HIPAA privacy regulations; or, if needed
• The minimum necessary to accomplish the intended purpose
HHS will issue guidance on what constitutes “minimum necessary.”
Reference: ARRA/HITECH, Subtitle D, Privacy, § 13405(b)(1)
In a limited data set:
• Most potentially identifiable data elements are removed, except for dates and geographic information as specified in the Privacy Rule
• Data recipients must sign a Data Use Agreement stating the information will be used only for the specified purposes, no attempt will be made to re‐identify it, and it will not be re‐disclosed
• Information may be used only for research, public health, or health care operations purposes
De‐identification of PHI
• Removal of certain identifiers so that the individual who is the subject of the PHI may no longer be identified
• De‐identified information is not protected, and can be shared without limit
Two methods:
• Expert determination method – likelihood of identifying an individual is very small
OR
• Safe harbor method – stripping of listed identifiers, such as:
– Names
– Geographic subdivisions smaller than a state
– All elements of dates
– Social Security numbers
AND
– Covered entity has no knowledge that the information can be used to identify the individual
Lesson 1: Recap
• A business associate performs a function or service for or on behalf of the covered entity
• Covered entities and business associates have obligations under HIPAA regarding the use and/or disclosure of PHI
• All organizations subject to the HIPAA Privacy Rule must request, use, or disclose only the minimum necessary PHI
• Covered entities may be organized using structures that affect how they address the HIPAA Privacy and Security Rules, including hybrid entities, affiliated entities, and organized health care arrangements.
Lesson 2: HIPAA Privacy Rule
Lesson 2: Objectives
After completing this lesson, you will be able to:
• Describe the general requirements of the HIPAA Privacy Rule
• Identify uses and disclosures that may violate the Privacy Rule
• Summarize the rights of individuals under the HIPAA Privacy Rule
Topic 1: Federal Floor of Privacy Protections
The HIPAA Privacy Rule:
• Sets the federal floor for health information privacy
• Sets forth minimum privacy protections
• Establishes individual rights
• Establishes administrative requirements
• Does not prevent covered entities from establishing internal policies that provide greater protections, or that offer consumers greater rights
• Does not preempt more stringent state laws
Topic 2: Requirements for Uses and Disclosures of PHI
A covered entity must not use or disclose PHI, except as specifically permitted or required by the HIPAA Privacy Rule.
Reference: 45 CFR § 164.502(a)
Topic 3: Required Disclosures of PHI
The HIPAA Privacy Rule requires disclosure in two instances:
• To the individual when the individual exercises the right to access PHI in designated record sets or the right to an accounting of disclosures
• To HHS for HIPAA investigative and enforcement purposes
Reference: 45 CFR § 164.502(a)(2)
Topic 4: Permitted Uses and Disclosures of PHI
The Rule permits uses and disclosures without individual authorization, including those:
• To the individual
• For treatment, payment, and health care operations (TPO)
• Incidental uses/disclosures
• To business associates with a business associate agreement
Health care operations are:
• Certain administrative, financial, legal, and quality improvement activities of a covered entity,
• Necessary to run its business, or support the core functions of treatment and payment
Incidental uses and disclosures are:
• “Incident to” another use or disclosure that is permitted or required by the Rule
• Those that occur even though the minimum necessary and safeguard standards are met
Examples of incidental uses and disclosures:
• A hospital inpatient in a shared room overhears two health care providers discuss the other patient’s care at her bedside.
• Hospital staff and other patients hear a patient’s name when an ambulatory patient is paged.
• A visitor or non‐treatment staff at a hospital sees the name of the patient on a folder containing the patient’s chart kept immediately outside of the patient’s exam room.
• An administrative worker in a nurses’ station sees the names of patients on a whiteboard used to inform staff of which patients are in which rooms.
Uses/disclosures requiring an opportunity for the individual to agree or object include:
• For facility directories
• To a person involved in the individual’s care and for notification purposes (i.e., when a friend is involved in patient care or payment for care)
• For notification & disaster relief purposes
Other uses/disclosures that do not require an authorization:
• Required by law
• Public health activities
• About victims of abuse, neglect, or domestic violence
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes
…other uses/disclosures that also explicitly do not require an authorization:
• About decedents
• Cadaveric organ, eye, or tissue donation
• Research purposes
• To avert a serious threat to health or safety
• Specialized government functions
• Workers’ compensation
Permitted uses/disclosures where written authorization is required include:
• Marketing
• Psychotherapy notes
• All uses or disclosures not otherwise permitted (examples: disclosure to life insurance, drug test results to employer, and disclosure of child’s physical results to school)
Topic 5: Authorization
Elements of a Written Authorization
Required elements of a written authorization include:
• Specific description of PHI to be used/disclosed
• Who can use/disclose PHI
• To whom the PHI can be used/disclosed
• Purpose of the use/disclosure
• Expiration date or event
• Signature of patient, with date
• Right to revoke in writing; and the exceptions and instructions regarding the procedure, or a reference to the Notice if this information is there
• A statement about the covered entity’s ability/inability to condition the authorization on treatment, payment, eligibility, or enrollment
• A statement that once disclosed, the PHI may no longer be protected by the HIPAA Privacy Rule, or an alternative statement if the disclosure is to another covered entity
• If use or disclosure is for marketing purposes, and the covered entity will receive remuneration, a statement must be included to that effect
Defective Authorizations
Key items to look for when reviewing an authorization form during the investigation of a HIPAA violation:
• Was the authorization in effect at the time of the disclosure?
• Does it contain all the required elements to be valid? Is the authorization free from unlawful conditions?
• To the best of the covered entity’s knowledge, is all information in the authorization not false?
If the answer is “no” to any of the above, the authorization is defective and the covered entity cannot request, use, or disclose PHI based on that authorization. A covered entity must retain authorizations it acts upon.
Activity 3: Authorization Scenario
Read the scenario, and review the authorization, which is located on page 5 in your Appendix. Working with your Table Group, answer the discussion questions, and provide your answers during the class review.
Scenario:
An individual signs an authorization giving his health care provider permission to disclose certain information to his personal trainer at the gym. The individual is upset because the trainer learned from the medical record sent from the health care provider that he has a mental disorder, and shared that information with a friend—who happened to be the individual's employer.
Discussion Questions:
1. Did the health care provider make an authorized disclosure?
2. Is this a valid authorization?
Topic 6: Individual Rights
• Notice of Privacy Practice
• Inspect and Copy
• Accounting
• Request Amendment
• Request Restriction
• Request Confidential Communication
• File a Complaint
Notice of Privacy Practices
A Notice of Privacy Practices for PHI provides notification to individuals that includes:
• Required header and content, in plain language
• How their PHI will be used and/or disclosed by a covered entity
• Their individual rights
• The covered entity’s duties
• How the individual can file a complaint with the covered entity and/or the Secretary of HHS
• Contact information for a person or office who is responsible for receiving HIPAA complaints and who is able to provide further information about matters covered by the notice
• Effective date
There are varying distribution, acknowledgement, and posting requirements for the different types of covered entities.
Right to Inspect and Copy
Right of access enables individuals to inspect and copy their PHI in a designated record set.
A designated record set is a group of records maintained by or for a covered entity, and includes:
• An individual’s medical and billing records
• Enrollment, payment, claims adjudication, case management record systems of a health plan
• Other records used by covered entities to make decisions about individuals
The right of access does NOT apply to:
• PHI that is subject to the Clinical Laboratory Improvement Amendments of 1988
• Psychotherapy notes
• Information being compiled for a legal proceeding
Certain other exceptions also apply.
The covered entity must act on a request for access no later than 30 days after receipt of the request (and within 60 days if information requested is not maintained or accessible to the covered entity on‐site). A covered entity may have only one 30‐day extension of this 30 (or 60) day deadline, provided that:
• The patient is provided a written statement of the reasons for the delay, and the date by which the covered entity will complete its action on the request
Right to an Accounting of Disclosures
Individuals have a right to receive an accounting of disclosures of their PHI made by the covered entity within the past six years.
This right applies, with certain exceptions, to:
• Disclosures made for most “public policy” purposes
• Disclosures that violate the rule that the CE knows about
• Per HITECH, TPO disclosures through an electronic health record
The first accounting within a 12‐month period is free of charge.
Right to Request Amendment
Patients have the right to request that the covered entity amend their PHI in a designated record set.
A covered entity may require in advance that individuals make requests for amendment in writing and provide a supporting rationale.
Topic 6: Individual Rights (continued)
Right to Request Amendment (continued)
A covered entity may deny an amendment if the information that the individual seeks to amend:
• Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator is no longer available to act on the request
• Is not part of the designated record set
• Would not be available under the individual's right to inspect and copy
• Is accurate and complete
A denial must be made in writing, and the individual may submit a written statement disagreeing with the denial, which the covered entity must keep with the record.
Topic 6: Individual Rights (continued)
Right to Request Restrictions on Uses or Disclosures
Individuals have a right to request restrictions on uses and disclosures otherwise permitted for:
• Treatment, payment, or health care operations
• Next of kin/caregiver notifications
The covered entity is not required to agree to a requested restriction. If the covered entity does agree, it must document the agreement and abide by its terms. Under HITECH, however, a covered entity must agree to a requested restriction on disclosure to a health plan for payment or health care operations when the individual (or someone on the individual's behalf) has paid the provider in full out of pocket for the item or service.
The covered entity can break the agreement in certain emergency situations.
Topic 6: Individual Rights (continued)
Right to Request Confidential Communications
An individual has the right to request that the covered entity communicate PHI to him or her by specified confidential means, including restricting communications to one method or receiving communications at an alternative location:
• A covered entity may require that the request be in writing
• A covered health care provider must accommodate reasonable requests and must not require the patient to explain why the request is being made
• A covered health plan must accommodate reasonable requests if the individual clearly states that disclosure of all or part of the PHI could endanger the individual
Topic 6: Individual Rights (continued)
Right to Request Confidential Communications (continued)
The covered entity may condition the provision of a reasonable accommodation on:
• The individual specifying an alternative method of contact
• The individual providing information on how payment, if any, will be handled
Topic 6: Individual Rights (continued)
Right to File a Complaint
• A person who believes that a covered entity is not complying with HIPAA privacy provisions may file a complaint with the Secretary of HHS
• A covered entity must advise patients in its Notice of Privacy Practices how complaints may be filed with the Secretary and with the covered entity itself
Activity 4: Hospital Implements New Policies for Telephone Messages Case Study
Take a few minutes to read the case study. As you read it, think about the patient's right to request confidential communications, and the other privacy rights that have been discussed. Working in your Table Group, answer the discussion question, and provide your answer during the class review.
Case Study:
A hospital employee left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. The patient had requested that the hospital use only her office telephone number.
Discussion Question:
What Privacy Rule provisions were violated?
Lesson 2: Recap
The HIPAA Privacy Rule:
• “Federal Floor” of Privacy Protections
• First set of comprehensive federal health privacy protections
• Restricts uses and disclosures of PHI
• Provides rights for individuals who are the subject of PHI
Lesson 3: Administrative Responsibilities
Lesson 3: Objectives
After completing this lesson, you will be able to:
• Recognize potential violations
• Identify the fundamental administrative responsibilities of covered entities under the Privacy Rule
• Describe the relationship of business associates to covered entities
• List a covered entity’s administrative responsibilities related to protecting individuals’ PHI
Topic 1: Identifying Business Associates and Executing Business Associate Agreements
A business associate is a person or entity that performs a function or activity on behalf of a covered entity, or provides certain services to a covered entity, that involves the use or disclosure of PHI. A member of the covered entity's own workforce is not a business associate.
Business associates include individuals or organizations that provide:
• Legal services
• Accounting services
• Claims processing or administration
Topic 1: Identifying Business Associates and Executing Business Associate Agreements (continued)
A Business Associate Agreement (BAA) establishes the permitted and required uses and disclosures of PHI by business associates. Its purpose is to obtain promises from the business associate about how PHI may and may not be used. Among the terms the Rule requires, the BAA must obligate the business associate to use appropriate safeguards to prevent uses or disclosures not provided for by the contract, to report to the covered entity any such use or disclosure of which it becomes aware, and to ensure that any agents or subcontractors to whom it provides PHI agree to the same restrictions and conditions.
A BAA also authorizes termination of the contract or other relationship by the covered entity if it is determined that the business associate has violated a material term of the contract.
Topic 2: Privacy Policies and Procedures
Covered entities and business associates must institute and maintain privacy policies and procedures to protect PHI.
Topic 3: Privacy Officers’ Roles and Responsibilities
Privacy Officer:
• Responsible for the development and implementation of privacy policies and procedures
• May receive complaints regarding privacy
• May be able to provide information to patients on their privacy rights
The Rule requires every covered entity to designate a privacy official and a contact person or office responsible for receiving complaints; both roles may be held by the same person.
Topic 4: Safeguards
Covered entities must:
• Put in place administrative, technical, and physical safeguards to protect against intentional or unintentional use or disclosure of PHI that violates the Rule
• Reasonably safeguard PHI to limit incidental uses or disclosures
HIPAA Security Rule:
• Also requires administrative, technical, and physical safeguards
• Provides more detail on the safeguards required
• Is limited to electronic PHI (ePHI)
Topic 5: Established Complaint Process
Covered entities must:
• Have an established complaint process
• Have an established process for documentation of the complaints and their resolution
• Have an employee designated to receive and document the complaints
Topic 6: Workforce Training
Covered entities must:
• Provide training to their workforce
• Document that the training occurred
Topic 7: Workforce Sanctions
Covered entities must:
Have and apply appropriate sanctions when a member of the workforce does not comply with privacy policies and procedures or with the Privacy Rule, and document the sanctions that are applied
Topic 8: Mitigating Harmful Effects of Improper Uses or Disclosures
Covered entities must:
Mitigate, to the extent practicable, harmful effects caused by a use or disclosure of a patient's PHI, by the covered entity or its business associate, that violates its policies and procedures or the Privacy Rule and that is known to the covered entity
Topic 9: Prohibition Against Retaliatory Acts
Covered entities may not retaliate in any form against anyone who:
• Files a complaint of a privacy violation
• Exercises a right under the Rule
• Participates in a process established by the Rule, including testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing
• Opposes, in good faith and without disclosing PHI in violation of the Rule, an act or practice they reasonably believe is unlawful under the Rule
Topic 10: Prohibitions Against Requiring Individuals to Waive HIPAA Rights as a Condition of Payment, Treatment, Eligibility, or Enrollment
Covered entities may not require individuals to waive their HIPAA rights as a condition of receiving treatment, being found eligible for or being allowed to enroll in a health plan, or as a condition of their provider receiving payment.
Topic 11: Documentation
Covered entities must:
• Maintain policies and procedures in paper or electronic form
• If a communication is required to be in writing, maintain such writing, or an electronic copy, as documentation
• If an action, activity, or designation is required to be documented, maintain a paper or electronic record of such action, activity, or designation
A covered entity must retain required documents for six years from the date of their creation or the date when they were last in effect, whichever is later.
Activity 5: Private Practice Changes Patient Consent Form Case Study
Take a few minutes to read the case study. Working in your Table Group, answer the discussion question, and provide your answer during the class review.
Case Study: A physician practice requested that patients sign an agreement entitled "Consent and Mutual Agreement to Maintain Privacy." The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician's compliance with the Privacy Rule.
Discussion Question: Did the doctor violate any requirements or prohibitions of the Privacy Rule?
Lesson 3: Recap
The HIPAA Privacy Rule:
• Spells out administrative responsibilities
• Discusses written agreements between covered entities and business associates
• Discusses the need for privacy policies and procedures
• Describes employer responsibilities to train workforce members and implement requirements regarding their use and disclosure of PHI
Lesson 4: Identifying and Investigating Potential Privacy Rule Violations
Lesson 4: Objectives
After completing this lesson, you will be able to:
• Discuss how to identify potential Privacy Rule violations
• Describe what constitutes a violation of the Privacy Rule
Topic 1: Events and Conditions Constituting Privacy Rule Violations
Privacy Rule questions for investigation:
• Did the covered entity use or disclose PHI for a purpose other than treatment, payment, or health care operations, or other uses or disclosures permitted under 45 CFR §164.502, without proper authorization?
• If an authorization was required and was executed, was it complete and valid?
Topic 1: Events and Conditions Constituting Privacy Rule Violations (continued)
…Privacy Rule questions for investigation:
• Did a use and/or disclosure requiring an opportunity for the individual to agree or to object occur without the individual's input?
• Did the covered entity fail to provide an adequate notice of privacy practices?
• Was an individual's right to request that the covered entity limit use or disclosure of PHI violated?
Topic 1: Events and Conditions Constituting Privacy Rule Violations (continued)
…Privacy Rule questions for investigation:
• Was an individual inappropriately denied the right to access or amend his or her PHI?
• Was an individual inappropriately denied an accounting of disclosures of his or her PHI?
• Was PHI provided to a business associate without an appropriate business associate agreement in place?
Topic 1: Events and Conditions Constituting Privacy Rule Violations (continued)
…Privacy Rule questions for investigation:
• Had the entity implemented appropriate internal protections for the PHI, such as the minimum necessary standard, and administrative requirements, such as workforce training and safeguards?
Topic 2: Violation of the HIPAA Privacy Rule
There are many possible fact patterns that may indicate violations of the HIPAA Rules. The following example is a strong indicator of the absence of required policies, or that policies were not followed. Either would be a violation of the HIPAA Privacy and Security Rules.
Example: A workforce member of a covered entity simply disposes of PHI in an unsecured, easily accessible dumpster.
Reference: 45 CFR §164.310(d)(2)(i)
Note: the cited Security Rule provision (device and media controls: disposal) applies to electronic media containing ePHI. For PHI in paper form, the applicable requirement is the Privacy Rule's safeguards standard at 45 CFR §164.530(c), which requires reasonable administrative, technical, and physical safeguards against improper use or disclosure.
Lesson 4: Recap
Key items to look for during an investigation include:
• Was the PHI used or disclosed? By or to whom?
• What documentation regarding the use and disclosure was maintained?
• Were the other administrative requirements followed?
• Were individual rights protected?
• Were the requirements of the Privacy Rule met?
Answers to these questions may lead an investigator to determine that multiple violations exist.
Module Activity
Module 2 Activity: State of CT Privacy Rule Violations
Working in your Table Group:
• Read Section IV of the complaint, which is located on page 2 of your Appendix
• Draft a list of Privacy Rule violations
• Provide your answers during the class review
Module 2 Activity: State of CT Privacy Rule Violations (continued)
Violations identified by the class include:
1.
Module Recap
Module 2: Recap
The HIPAA Privacy Rule provides guidance on:
• What information needs to be protected (PHI)
• Who must protect PHI (covered entities, business associates)
• Responsibilities in protecting PHI
Module Summary
Module 2: Summary
Having completed this module, you are able to:
• Define terms used in the HIPAA Privacy Rule
• Summarize the requirements of the HIPAA Privacy Rule
• Describe the Privacy Rule’s administrative requirements for covered entities and business associates
• Develop investigatory questions to apply to your case