Reid Cushman, UM Ethics Programs

Presentation transcript:

HIPAA and Privacy
An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA)
Reid Cushman, UM Ethics Programs
cush@miami.edu

forces for health privacy
- a new federal law – called “HIPAA” – adds national protections for everyone's health information
- however, there are many other sources of health privacy protection
- HIPAA, while important, is only one part of the picture

forces for health privacy
- federal law (HIPAA)
- state law
- licensing and certification bodies (JCAHO, NCQA)
- health professions' licensing organizations (AMA, ANA and many others)
- your own ethical standards

HIPAA and its goals
- Health Insurance Portability and Accountability Act
- make health insurance coverage more portable between jobs
- reduce waste and fraud in the health care system

HIPAA and its goals
- Health Insurance Portability and Accountability Act
- make the health system “more efficient” overall
- and encourage use of electronic record-keeping systems for health data

the connection to privacy
- paper records are very expensive (even if it seems otherwise)
- it can be difficult to find information when you need it

the connection to privacy
- paper can only be in one place at a time
- record duplication brings potential for error – and more expense

the connection to privacy
- electronic records are much cheaper (in the long run)
- it is much easier to find information -- both for those who should have it, and those who shouldn't

the connection to privacy
- so, a much greater need for security and privacy protections than with paper records
- HIPAA's standards are a national response to the health privacy issues raised by computers

HIPAA's four Standards (“Rules”)
- Transactions and Code Sets
  - standard formats for all electronic transactions
- Identifiers
- Security
- Privacy

HIPAA's four Standards (“Rules”)
- Transactions and Code Sets
- Identifiers
  - standard IDs for health plans, providers, employers
- Security
- Privacy

HIPAA's four Standards (“Rules”)
- Transactions and Code Sets
- Identifiers
- Security
  - computer, communications protection technologies
- Privacy

HIPAA's four Standards (“Rules”)
- Transactions and Code Sets
- Identifiers
- Security
- Privacy
  - procedural protections for all health information

what is covered by HIPAA?
- “protected health information” (PHI)
- any identifiable information related to the “past, present or future physical or mental health” of a person
- used for treatment, payment or any other function

what is covered by HIPAA?
- protected health information (PHI) can be in “any form or medium”
- electronic, paper and even oral communications of PHI are covered by HIPAA's Privacy Rule
- only totally “de-identified” information is unprotected

who is covered by HIPAA?
- “covered entities”
- health providers, health plans, and information clearinghouses
- organizations that provide or pay for health services
- basically, any entity that uses or discloses health data

who is covered by HIPAA?
- customers (patients) of covered entities receive protections – privacy rights – for their health information
- covered entities, and those that work in them, have privacy obligations to ensure that HIPAA protections are achieved

individual rights under HIPAA
- to receive a “Notice of Privacy Practices” outlining how one's health information may be used or disclosed
- to obtain a copy of one's full health record (except for psychotherapy notes)
- to correct – or at least note disagreement – if the record appears to be in error

individual rights under HIPAA
- to know (some of) the persons and organizations to whom one's health information has been disclosed
- to ask for extra protection or confidential communications of particularly sensitive data
- to authorize certain additional “non-standard” uses or disclosures

individual rights under HIPAA
- to be assured that the institution follows appropriate privacy and security practices
- to complain to the covered entity's Privacy Officer – or directly to DHHS Office of Civil Rights – if one believes HIPAA rights have been violated

covered entities' responsibilities
- to give each patient (customer) the Notice that outlines their privacy rights
- the Notice must describe planned uses and disclosures, including the “basic” ones for treatment, payment and health care operations
- written acknowledgment of Notice must be obtained

covered entities' responsibilities
- to provide an opportunity for individuals to discuss any privacy concerns
- all individuals should understand their rights, including what to do if they feel their rights have been violated
- a process must be in place to handle problems and complaints

covered entities' responsibilities
- to get authorization for certain additional kinds of uses and disclosures, beyond those for treatment, payment or basic health care operations
- to undertake the additional uses and disclosures permitted by law in an appropriate manner

covered entities' responsibilities
- to develop reasonable, appropriate privacy and security policies
- to train all members of the workforce in those policies “as necessary and appropriate” to their job duties
- to get assurances from any business associates that handle PHI on the covered entity's behalf

obligations of health facility workers
- to use or disclose protected health information only for work-related purposes
- to limit uses and disclosures to the “minimum necessary” to achieve those work purposes
- and to otherwise exercise reasonable caution, to protect all PHI under their control

obligations of health facility workers
- to understand the facility's privacy and security policies, and follow them
- to try to remedy any privacy problems – or report them to the facility Privacy Officer or DHHS Office of Civil Rights
- HIPAA prohibits covered entities from retaliating or discriminating against a worker who files a complaint

obligations of health facility workers
- note that “incidental uses and disclosures” are considered inevitable, and do not violate HIPAA
- reasonable limits and efforts – appropriate to the circumstances, and the nature of the information – are all that HIPAA requires

compliance timetable
- HIPAA Privacy Rule takes effect on 14 April 2003 for covered entities with more than $5M in annual revenues
- 14 April 2004 is the Privacy Rule deadline for smaller covered entities
- HIPAA Rules for security, transactions and identifiers take effect over the next few years

HIPAA and state law
- HIPAA “preempts” state health privacy law unless
  - “more stringent” (protective)
  - for public health purposes
  - for oversight or regulation of the state's health system

Florida health privacy protections
- general right to privacy, and to a notice of one's rights
- right to see, copy records
- right to an accounting of disclosures (from providers)
- right to extra limitations on certain kinds of information (genetic, HIV, mental health, substance abuse)

Florida health privacy protections
- most of Florida's privacy protections are as strong as – or stronger than – HIPAA's
- these protections will remain in force after April 14
- they are in force NOW

sanctions for privacy failures
- Federal civil and criminal penalties for HIPAA violations
  - from $100 per incident up to $250,000 and 10 years in prison
- civil and criminal penalties for state law violations
- institutional reputation and market share
- employee suspension and termination
- loss of professional license

you are also a patient
- with networked computer systems, security of health information anywhere depends on privacy practices everywhere
- thousands of persons may have access to an individual's health record

you are also a patient
- try to treat others' health information the way you'd like yours to be treated, or that of a family member or a close friend

you are also a patient
- that includes attention to safe practices for the new electronic records, the old paper ones, as well as faxes, photocopies and printouts, telephone calls and email

University of Miami Ethics Programs © 2002 Historic computer and electronic equipment images are provided courtesy of the University of Virginia Computer Museum. All other images are from the UM Ethics Program digital image collection and are in the public domain. This presentation may be re-used for non-commercial, educational purposes, with appropriate credit to the source. Any other use requires prior written permission. Information presented herein is believed to be correct at the time of posting. However, these materials are intended for education purposes only; they are not intended or represented as legal advice. UM Ethics Programs, PO Box 016960 (M-825), Miami FL 33101