HIPAA Administrative Simplification

Presentation transcript:

HIPAA Administrative Simplification: Applicability to Pharma
William R. Braithwaite, MD, PhD, “Doctor HIPAA”
Pharmaceutical Regulatory and Compliance Congress and Best Practices Forum
Philadelphia, PA, November 15, 2002

HHS Required to Adopt Standards:
- Electronic transmission of specific administrative and financial transactions (including data elements and code sets)
  - List includes claim, remittance advice, claim status, referral certification, enrollment, claim attachment, etc.
  - Others as adopted by HHS.
- Unique identifiers (including allowed uses)
  - Health care providers, plans, employers, and individuals.
  - For use in the health care system.
- Security and electronic signatures
  - Safeguards to protect health information.
- Privacy
  - For individually identifiable health information.

Applicability
Applies directly only to Covered Entities:
- Health Plans, including ERISA plans.
- Health Care Clearinghouses, including most PBMs.
- Health Care Providers who elect to conduct administrative transactions electronically, including all providers > 10 FTE who bill Medicare. Includes pharmacies (both local and mail order).
Applies indirectly to Business Associates:
- An agent who handles Protected Health Information (PHI) on behalf of a Covered Entity.

HIPAA Standards Philosophy
- To save money: every payer must conduct standard transactions; no difference based on where the transaction is sent.
- Standards must be industry consensus based (whenever possible): national, scalable, flexible, and technology neutral.
- Implementation costs must be less than savings. Savings may depend on integrated implementation of requirements; compliance effort alone may not be enough.
- Continuous process of rule refinement: annual update maximum (for each standard) to save on maintenance and transitions.

HIPAA Timeline
- Transactions: Final Rule 8/17/00; compliance plan by 10/16/02; modifications final rule expected 12/27/02; testing by 4/16/03; compliance by 10/16/03.
- Privacy: Final Rule 12/28/00; Modifications Final Rule 8/14/02; compliance by 4/14/03.
- Employer ID: NPRM 6/16/98; Final Rule 5/31/02; compliance by 7/30/04.
- National Provider ID: NPRM 5/7/98.
- Security: NPRM 8/12/98.

New Final Rules and NPRMs
Expected by Q1 2003 (some as early as 12/27/02):
- Security Final Rule
- National Provider ID Final Rule
- Health Plan ID NPRM
- Claim Attachment NPRM
More standards to come in future:
- First Report of Injury
- Electronic Prescriptions
- Patient Medical Record Information (PMRI)
- Public Health Reporting

5 Principles of Fair Info Practices
- Openness [Notice]: Existence and purpose of record-keeping systems must be publicly known.
- Individual Participation [Access]: Individual right to see records and assure quality of information: accurate, complete, and timely.
- Security [Safeguards]: Reasonable safeguards for confidentiality, integrity, and availability of information.
- Accountability [Enforcement]: Violations result in reasonable penalties and mitigation.
- Limits on Collection, Use, and Disclosure [Choice]: Collected only with knowledge and permission of the subject. Used only in ways relevant to the purpose for which the data was collected. Disclosed only with permission or overriding legal authority.

Privacy Scope: What is Covered?
Protected health information (PHI) is:
- Individually identifiable health information,
- Transmitted or maintained in any form or medium,
- Held by covered entities or their business associates.
De-identified information is not covered. Specific rules determine de-identification.

Individual’s Rights
Individuals have the right to:
- A written notice of information practices from health plans and providers.
- Inspect and obtain a copy of their Designated Record Set (DRS).
- Obtain an accounting of disclosures.
- Amend their records.
- Request restrictions on uses and disclosures.
- Accommodation of reasonable communication requests.
- Complain to the covered entity and to HHS.

Key Points
- Covered entities can provide greater protections if they want.
- Required disclosures are limited to:
  - Disclosures to the individual who is the subject of the information.
  - Disclosures to OCR to determine compliance.
- All other uses and disclosures in the Rule are permissive.

Uses and Disclosures
Must be limited to what is permitted under 4 mechanisms in the Rule:
- Treatment, payment, and health care operations (TPO).
- Uses and disclosures involving the individual’s care or directory assistance, requiring an opportunity to agree or object.
- Specific public policy exceptions.
- All others as specifically authorized by the individual.
Requirements vary based on the type of use or disclosure.

Health Care Operations examples
- Outcomes evaluation and development of clinical guidelines, provided that obtaining generalizable knowledge is not the primary purpose of any studies.
- Population-based activities relating to: improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives.
- Evaluating performance of providers and plans.
- Training programs.
- Accreditation, certification, licensing, or credentialing.

Policy Exceptions
Covered entities may use or disclose PHI without a consent or authorization only if the use or disclosure comes within one of the listed exceptions and certain conditions are met:
- As required by law.
- Health care oversight.
- For public health.
- For research.
- For law enforcement.
- Organ transplants.
- Coroners, medical examiners, funeral directors.
- …
The final rule also permits, but does not require, covered entities to use or disclose PHI without a consent or authorization if the use or disclosure falls within one of the listed exceptions. These exceptions include: uses and disclosures required by law, uses and disclosures for involvement in the individual’s case, and uses and disclosures for health care oversight.

Using PHI for Research Purposes
6+ ways PHI can be used for research:
- De-identified PHI
- Limited Data Set with Data Use Agreement
- PHI with IRB/Privacy Board waiver
- PHI for research protocol preparation
- PHI of deceased
- PHI with authorization of subject
plus Healthcare Operations, Public Health, and as otherwise required by law (registry, reportable).

How does HIPAA affect research?
- New burdens for IRBs.
- Voluntary registries must now get patient authorization.
- Liability fears may dissuade CEs from sharing data with researchers.
- New forms for research subjects.
- Health Plans and Providers must track and account for research disclosures made without authorizations.

Marketing under 8/14/02 Final Rule
Marketing may not be done without specific authorization of the individual …
Marketing definition INCLUDES:
- Communications about a product or service that encourage recipients to purchase or use the product or service.
- Arrangements whereby the CE discloses PHI to another entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service.
BUT … the individual’s ability to opt out has been removed. AND …

Marketing Exclusions
Marketing definition EXCLUDES communications by a CE:
(i) To describe a health-related product or service, including: entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
(ii) For treatment of the individual; or
(iii) For case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

Expected Security Final Rule
- Definitions and applicability harmonized with privacy.
- Requirements clarified and redundancies removed.
- Same philosophy as the NPRM: organization-specific risk analysis and documentation of decisions.
- Only applies to electronically maintained and transmitted health information.
- Continues to be technology neutral.
- No electronic signature standard.
- Rule expected 12/27/02. Compliance expected in February 2005.

Administrative Requirements
Apply to both privacy and security. Flexible and scalable (i.e., requires thought!).
Covered entities are required to:
- Designate a responsible official (privacy/security).
- Develop policies and procedures (P&P), including on receiving complaints.
- Train the workforce on HIPAA and the entity’s P&P.
- Develop a system of sanctions for employees who violate the entity’s policies.
- Meet documentation requirements: you didn’t do it if it’s not documented.

Enforcement Philosophy
- Enforcement by investigating complaints. No HIPAA police force; OCR, not OIG, for privacy.
- Fines by HHS are unlikely (and small). HHS is required by HIPAA to help people comply!
- Fines and jail time possible from DOJ, where intent can be proven (difficult to do).
- BUT the real risk comes from civil liability from private lawsuits.
- This dictates a risk management approach.

Other Privacy Drivers
- E.U. Data Directive
- E.U.-U.S. Safe Harbor
- New federal privacy law being proposed
- State privacy laws (new state laws)
- Consumer protection law (state)
- Federal Trade Commission (Eli Lilly)
- Internet privacy (e.g., COPPA)
- Reputation assurance
- Business disruption prevention

Pharma Privacy – 6 Areas of Impact
- Drug Discovery
- Research
- Marketing
- Sales
- HR
- Customer Support/Service

Drug Discovery
- Genetic Studies: Taking genetic samples and using related health information requires research IRB approval and individual authorization.
- Tissue Samples: Not PHI per se, but usually accompanied by PHI. May become PHI in future, since genetic information in a sample could be used to identify an individual.

Research
- Clinical Trials, phases 1 through 4: New language required in patient authorizations.
- Use of CROs: Identifiable information on patients may not be disclosed to a pharmaceutical firm without specific authorization.
- Pharmacovigilance: Adverse event reporting allowed under public health/FDA.
- Patient Registries: Authorization required unless under public health law. Special case: expiration date = “None”.
- Financial interests: Personal financial info on investigators.

Marketing
- Data Warehouses: Multiple sources of data; under authorizations?
- Web Sites: Privacy statements must be adhered to (FTC).
- Direct Mail: Covered entity must obtain an authorization for any use or disclosure of protected health information for marketing.
- Patient Support Programs: Patient authorization required if a covered entity.
- Disease Management or Wellness Programs: Treatment by provider, operations by plan, else BA.
- Drug Compliance; Preceptorships: Require patient authorization.

Sales
- Detail Reps calling on physicians: Physicians may be using HIPAA privacy to ward off calls. Not excluded by HIPAA, but may require education.
- Patient Care Coordinators: Clinicians looking at records may fall under treatment.
- Sales Info (NDC or IMS): Data available may change to meet the new definition of de-identified.
- Switch Programs: Allowed under HIPAA rules but not advisable without individual permission (CVS/Giant public reaction).

Human Resources
- Health Benefits: ERISA Health Benefit Plan for employees is covered.
- Clinics: Not usually covered unless conducting electronic transactions.
- EAPs: Not usually covered unless providers of ‘health care’.
- Flexible Spending Accounts: May be covered as a Health Plan.
- Background Checks prerequisite to employment: Employment requirements for health information require a HIPAA compliant individual authorization.

Customer Services/Support
- Reimbursement Programs: Not addressed directly in HIPAA rules, but most likely will require patient authorizations.
- Indigent Care: May require HIPAA authorization.
- Adverse Event Reporting: Permitted without authorization (but must be accounted for).

Bottom Line Recommendation: Each activity must be looked at closely in terms of what is done with what and with whom, not at what it is called. Evaluate on the basis of fair information principles first, then rules and regulations.

Questions?
Only 150 days left!
Bill.Braithwaite@us.PwCglobal.com
http://www.pwchealth.com/hipaa.html
http://aspe.hhs.gov/admnsimp
http://www.hhs.gov/ocr/hipaa
www.cms.hhs.gov/hipaa/
ncvhs.hhs.gov
www.wedi.org
snip.wedi.org