Presented by the Office of the General Counsel
An Overview of HIPAA

HIPAA
• Health
• Insurance
• Portability and
• Accountability
• Act

HIPAA's Goals
• Simplify the Administration of Electronic Health Information
• Protect an Individual's Privacy Rights with regard to Health Information

When is HIPAA effective?
• First Deadline: October 2002
– Possible Extension until Oct. 2003
– AU must have Compliance plan
• Privacy Regulations: April 2003
– AU target date for compliance

Who Must Comply?
"Each Covered Entity who maintains or transmits health information"
• Health Plans
• Health Care Clearinghouses
• Health Care Providers

Who is a Provider?
"Any person or entity that furnishes, bills, or is paid for health care in the normal course of business."
– Health Care = any "care, services, or supplies related to the health of an individual"

Examples of Providers / Plans
• Student Health Center
• Psychology Clinics
• EAP
• Athletic Department
• Hearing / Eye Clinics
• Self-Insurance Health Plans

4 Key HIPAA Elements
• Electronic Transaction & Code Set Standards
• Security Standards
• Privacy Regulations
• National Identifiers
Electronic Transaction & Code Set Standards
• General Rule:
"If a covered entity (either itself or through an agent) conducts a Covered Transaction electronically, the transaction must be conducted using the HIPAA form."

Electronic Transaction & Code Set Standards
Required Elements
1. Covered Entity
2. Electronically transmits
3. Covered Transaction

Covered Transactions
• Submission of Claims for payment
• Checking eligibility
• Enrollment & Disenrollment
• Referrals and pre-certification
• Claims attachments
• Payment & claims remittance
• Coordination of Benefits
• Checking claims' status

Electronic Transaction & Code Set Standards
Requirements of ETS
• Standard Formats
• Standard Data Content
• Standard Codes

Electronic Transaction & Code Set Standards
Where to find the ETS standards:
• http://aspe.hhs.gov/admnsimp
• www.wpc-edi.com/HIPAA
• www.afehct.org
Security Standards
• Intended to protect against
– Unauthorized access
– Accidental / Intentional disclosure to unauthorized persons
– Alteration, destruction, or loss

Security Standards – Who is Covered?
• Any covered entity
• That Stores information electronically
• Does not have to be a covered transaction

Security Standards – Elements
• Administrative Procedures
– Protects health info
– Manages personnel Conduct
• Physical Safeguards
– Protects physical systems / buildings
• Technical Security
– Controls access to health information

Administrative Procedures
• Security Analysis
• Information access privileges
• Password & Authentication policies
• Plans for disasters & security breaches
• Disciplinary process & penalties
• Employee & Vendor Training
• Security Officer

Physical Safeguards
• Document ways computer & physical records are protected
• Use of keys, locks, etc. to control access to computers
• Restriction of access to authorized persons
• Tracking of medical records
• Workstation location policy

Technical Security
• Single sign-on technology
• New user IDs, passwords
• Audit trails for health info

Security Standards – General Comments
• Still in proposed form
• Not technically specific
• Amount of security required is scalable based on dept. size and resources
Privacy Regulations
• General Rule:
"A covered entity may not use or disclose Protected Health Information (PHI) except as permitted by the privacy regulations."

Privacy Regulations
• PHI – Protected Health Information
– Individually Identifiable
– Any form or medium
• Electronic, Oral, or Written
– Created or Received
– Relates to past, present, future condition or payment of individual
– Exception: FERPA records

Privacy Regulations
• General Requirement:
"Must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish intended purpose."

Privacy Regulations – Main Elements
• Rules for Use & Disclosure of PHI
• Patient's Rights to Health Info
• Administrative Procedures
• Business Partner Requirement

Rules for Use & Disclosure
Consent vs. Authorization
Consent: If a general written consent is obtained, a provider may use/disclose PHI for "TPO"
Authorization: If use/disclosure is not for "TPO", use/disclosure is forbidden without a more specific authorization
"TPO" = Treatment/Payment/Health Care Operations

Rules for Use & Disclosure
"TPO" = Treatment / Payment / Health Care Operations
Treatment: Provision, coordination, management of healthcare
Payment: Actions to obtain payment
Operations: Internal day-to-day business. Ex: QA, Peer Review, Customer Service

Rules for Use & Disclosure – Consent
• Must be in plain language
• Must specify use of PHI
• Can make a prerequisite to treatment (Can refuse treatment)
• Exceptions: Emergency, Required by Law, Communication barriers

Rules for Use & Disclosure – Authorization
• Cannot be a condition of treatment
• Must inform about specific use and right to refuse, revoke, and inspect
• Psychotherapy Notes require Authorization
• Examples
– Research
– Marketing
– Fundraising

Patient's Rights
• Right to Notice of Privacy Practices
• Right of Access to PHI
• Right to Accounting of Disclosures for 6 years
• Right to request restriction of TPO use to family members
– Not required to agree if TPO
Administrative Procedures
• Document policies, procedures, & systems to achieve compliance
• Complaint Mechanisms
• Employee Sanctions
• Documented training of employees
• Mitigation of harmful effects
• Designated Privacy Officer

Business Associates
• General Rule:
– A covered entity must have a business associate contract to ensure that its business associates also are in compliance with HIPAA's protection of PHI.

Business Associates
• Business Associates…
– Perform a function involving use / disclosure of PHI on behalf of the covered entity
– Perform legal, accounting, consulting, data aggregation, administrative, management, or financial services involving PHI for the covered entity

Business Associates
• Examples:
– Billing companies
– Computer Vendors
– Attorneys, Accountants, Auditors
– Consultants
– Document storage / destruction companies

Business Associates
• Business Associate Contracts:
– Restrict use & disclosure of PHI
– Require appropriate safeguards
– Require similar requirements of subcontractors
– Require B.A. to disclose breaches
– Require B.A. to remedy breaches or risk termination of contract

Hybrid Entity
• Requirements
– Single Legal Entity
– Primary business is not healthcare
• Advantages
– Only "Healthcare Components" must comply with HIPAA
• Disadvantage
– Firewall between HC Components and Non-Components

Hybrid Entity
• Auburn must…
– Identify Healthcare Components
– Identify Business Associates of the HC Components
– Erect the 'firewalls' between HC Components & Non-Components

Penalties for Non-Compliance
** Both Individuals & Entities can incur criminal and/or civil penalties
Civil Penalties: $100 - $25,000
Criminal Penalties: Max 10 yrs. Prison; Max $250,000 fine

HIPAA Timeline
• ETS Standards: October 16, 2002
– Extended to Oct. 2003 w/ University extension
• Privacy Regs: April 14, 2003
• Security Regs: Date expected by August 2002

Next Steps toward Compliance
1. Fill out the AU HIPAA Survey
2. Review how PHI is stored, accessed, protected, & destroyed
3. Think about easy steps to better protect PHI
4. Designate 1+ person to review specific HIPAA policies

For more HIPAA info…
• www.hipaa.org – Links to complete final rules & proposed rules
• www.hipaadvisory.com – News, primers, and complete rules
• www.hrm.uab.edu/HIPAA – UAB's training site

Additional Questions?
Contact the Provost's Office