HIPAA Administrative Simplification

Slides:



Advertisements
Similar presentations
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
Advertisements

The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Minimum Necessary Standard Version 1.0
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
North Carolina State University Health Information Privacy 4/16/03.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Overview of HIPAA Administrative Simplification and Privacy Regulations Darrel J. Grinstead, Partner Amy B. Kiesel, Associate Hogan & Hartson L.L.P.
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.
HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa.
HIPAA Health Insurance Portability & Accountability Act of 1996.
Notice of Privacy Practices Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs,
HIPAA PRIVACY AND SECURITY AWARENESS.
HIPAA The Privacy Rule Health Insurance Portability and Accountability Act of 1996 (HIPAA) The 104 th Congress passed the Act, Public Law ,
1 Disclosures © HIPAA Pros 2002 All rights reserved.
PricewaterhouseCoopers Transaction Compliance Date Extension & Privacy Standards NPRM Audioconference April 19, 2002 HIPAA Administrative Simplification.
1 HIPAA OVERVIEW ETSU. 2 What is HIPAA? Health Insurance Portability and Accountability Act.
Office of the Secretary Office for Civil Rights (OCR) Indian Health Service HIPAA Training Hosted by the Aberdeen Area Office July 24, 2012.
Health Insurance Portability and Accountability Act (HIPAA)
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
HIPAA – How Will the Regulations Impact Research?.
HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.
Speak HIPAA Like a Native A Guide to Common HIPAA Nomenclature University of Miami Ethics Programs.
Health Insurance Portability and Accountability Act (HIPAA) CCAC.
Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees.
Understanding HIPAA (Health Insurandce Portability and Accountability Act)
PricewaterhouseCoopers 1 Administrative Simplification: Privacy Audioconference April 14, 2003 William R. Braithwaite, MD, PhD “Doctor HIPAA” HIPAA Today.
HIPAA PRACTICAL APPLICATION WORKSHOP Orientation Module 1B Anderson Health Information Systems, Inc.
Rhonda Anderson, RHIA, President  …is a PROCESS, not a PROJECT 2.
Copyright ©2014 by Saunders, an imprint of Elsevier Inc. All rights reserved 1 Chapter 02 Compliance, Privacy, Fraud, and Abuse in Insurance Billing Insurance.
HIPAA Privacy The Morning After Panel What do we do now? William R. Braithwaite, MD, PhD (moderator) Washington, DC Ross Hallberg, Corporate Compliance.
1 Privacy Plan of Action © HIPAA Pros 2002 All rights reserved.
HIPAA Privacy for Pharma Audioconference 5/29/2002 pwC.
HIPAA Privacy Rule Implementation Status Report Richard M. Campanelli, J.D. Director, Office for Civil Rights Before the The Tenth National HIPAA Summit.
PricewaterhouseCoopers 1 Administrative Simplification: Privacy, Security, and Compliance NCHCC Washington, DC February 6, 2003 William R. Braithwaite,
HIPAA Overview Why do we need a federal rule on privacy? Privacy is a fundamental right Privacy can be defined as the ability of the individual to determine.
HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule.
PwC Issues in HIPAA Research Compliance William R. Braithwaite, MD, PhD “Dr. HIPAA” HIPAA Summit 6 Washington, DC 27 March 2003.
HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule Melinda Hatton -- Oct. 31, 2002.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
HIPAA Privacy Rule Training
Privacy & Information Security Basics
Enforcement, Business Associates and Breach Notification. Oh my!
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
What is HIPAA? HIPAA stands for “Health Insurance Portability & Accountability Act” It was an Act of Congress passed into law in HEALTH INSURANCE.
The HIPAA Privacy Rule: Implications for Medical Research
HIPAA CONFIDENTIALITY
HOGAN & HARTSON, L.L.P. “Publications” “Health”
HIPAA Pros - Disclosures
HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT
Disability Services Agencies Briefing On HIPAA
HIPAA Pros - Minimum Necessary
The HIPAA Privacy Rule and Research
HIPAA Administrative Simplification
HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.
Paul T. Smith, Esq. Partner, Davis Wright Tremaine LLP
National Congress on Health Care Compliance
HIPAA Policy & Procedure Strategies
HIPAA Privacy & Security: Medical Research Context
Issues in HIPAA Research Compliance
Analysis of Final HIPAA Privacy Modification Rule
HIPAA Privacy and Security Update - 5 Years After Implementation
Presentation transcript:

HIPAA Administrative Simplification Health Information Privacy William R. Braithwaite, MD, PhD “Dr. HIPAA” HIPAA Summit West II San Francisco, CA March 14, 2002

Requirements for Privacy HIPAA requires: “Standards with respect to the privacy of individually identifiable health information …” Final Rule published 12/28/2000 Guidance issued 7/6/01. Compliance required 4/14/2003. Modifications will be proposed in NPRM soon. Expect proposals to decrease administrative burden. Expect no change in compliance date.

5 Principles of Fair Info Practices Openness [Notice] Existence and purpose of record-keeping systems must be publicly known. Individual Participation [Access] Individual right to see records and assure quality of information. accurate, complete, and timely. Security Reasonable safeguards for confidentiality, integrity, and availability of information. Accountability [Enforcement] Violations result in reasonable penalties and mitigation. Limits on Collection, Use, and Disclosure [Choice] Information collected only with knowledge and consent of subject. Information used only in ways relevant to the purpose for which the data was collected. Information disclosed only with consent or legal authority.

Bare Bones of HIPAA Privacy Standards

Scope: What is Covered? Protected health information (PHI) is: Individually identifiable health information, Transmitted or maintained in any form or medium, Held by covered entities or their business associates. De-identified information is not covered. Specific rules determine de-identification.

Individual’s Rights Individuals have the right to: A written notice of information practices from health plans and providers. Inspect and obtain a copy of their PHI. Obtain an accounting of disclosures. Amend their records. Request restrictions on uses and disclosures. Accommodation of reasonable communication requests. Complain to the covered entity and to HHS.

I just want to be left alone!

Key Points Covered entities can provide greater protections if they want. Required disclosures are limited to: Disclosures to the individual who is the subject of information. Disclosures to OCR to determine compliance. All other uses and disclosures in the Rule are permissive.

Uses and Disclosures Must be limited to what is permitted in the Rule: Treatment, payment, and health care operations (TPO). Uses and disclosures involving the individual’s care or directory assistance, Requiring an opportunity to agree or object. For specific public purposes. All others as authorized by individual. Requirements vary based on type of use or disclosure.

Consent: Rule Written consent required before direct treatment provider may use PHI for TPO. Exceptions: emergency treatment situation, substantial communication barriers, when required by law to treat. Not required for: Indirect Treatment Providers, Health Plans, Health Care Clearinghouses.

Policy Exceptions Covered entities may use or disclose PHI without a consent or authorization only if the use or disclosure comes within one of the listed exceptions & certain conditions are met; As required by law. Health care oversight. For public health. The final rule also permits, but does not require, covered entities to use or disclose PHI without a consent or authorization if the use or disclosure falls within one of the listed exceptions. These exceptions include: uses and disclosures required by law, uses and disclosures for involvement in the individual’s case, and uses and disclosures for health care oversight.

Policy exceptions, (2) For research. For law enforcement. For judicial proceedings. For other specialized government functions. To facilitate organ transplants. To Coroners, medical examiners, funeral directors.

Authorizations (not TPO) Generally, covered entities must obtain an individual’s authorization before using or disclosing PHI for purposes other than treatment, payment, or health care operations. Most uses or disclosures of psychotherapy notes require authorization. The final rule requires that, as a general rule, covered entities must obtain an individual’s authorization before making any other use or disclosure of PHI. This authorization must comply with the requirements set forth in the text of the regulation. For example, it must include certain information such as a description of the information to be used or disclosed, the name of the person(s) or class of persons authorized to make the disclosure, and the name of the person(s) or class of persons to whom the disclosure will be made. As a general rule, covered entities may not condition treatment, payment, or enrollment on the provision of an authorization. The authorization must contain the required elements described in the rule.

HIPAA: it not only looks complicated …

Minimum Necessary Covered entities must make reasonable efforts to limit the use or disclosure of PHI to minimum amount necessary to accomplish their purpose. Exceptions: Disclosure to or request by provider for treatment. Disclosure to individual. Under authorization (unless requested by CE). Required for HIPAA standard transaction. Required for enforcement. Required by law.

Minimum Necessary: Rule Reasonableness standard - consistent with best practices in use today. “Role-based” access limits. Standard protocols for routine & recurring uses / disclosures. Review each non-routine disclosure. May rely on judgment of requestor if: public official for permitted disclosure. covered entity. professional within covered entity. BA for provision of professional service for CE. researcher with IRB documentation.

Oral Communication All forms of communication covered. Requires reasonable efforts to prevent impermissible uses and disclosures. Policies and procedures to limit access/use except disclosure to or request by provider for treatment purpose.

Business Associates Agents, contractors, others hired to do work of or for covered entity that requires PHI. Satisfactory assurance – usually a contract --that a business associate will safeguard the protected health information. No business associate relationship is required for disclosures to a health care provider for treatment.

Business Associates (2) Covered entity is responsible for actions of business associates, if: knew of violation of business associate agreement failed to act. Liability only when: CE is aware of material breach & fails to take reasonable steps to cure breach or end relationship. Monitoring is not required.

Administrative Requirements Flexible & scalable. Covered entities required to: Designate a privacy official. Develop policies and procedures (including receiving complaints). Provide privacy training to its workforce. Develop a system of sanctions for employees who violate the entity’s policies. Meet documentation requirements.

Hippocratic Philosophy of Rule-Making First, do no harm … to the patient to the provider to the parts of the system that work! Don’t go too far … either way reaction could kill it. Oath

Rule #1: Don’t surprise the patient!!!

Resources Office for Civil Rights Web Site: http://www.hhs.gov/ocr/hipaa/ for privacy related publications and questions.

William.R.Braithwaite@us.PwCglobal.com Pwc

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.