National Congress on Health Care Compliance

Slides:

Advertisements

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Advertisements

Minimum Necessary Standard Version 1.0

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

Are you ready for HIPPO??? Welcome to HIPAA

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Medical Records in Court: Life after HIPAA North Carolina Conference of Superior Court Judges, October 2003 Presented by Jill Moore, UNC School of Government.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA Health Insurance Portability & Accountability Act of 1996.

HIPAA PRIVACY AND SECURITY AWARENESS.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

HIPAA The Privacy Rule Health Insurance Portability and Accountability Act of 1996 (HIPAA) The 104 th Congress passed the Act, Public Law ,

1 Disclosures © HIPAA Pros 2002 All rights reserved.

PricewaterhouseCoopers Transaction Compliance Date Extension & Privacy Standards NPRM Audioconference April 19, 2002 HIPAA Administrative Simplification.

Privacy and Security of Protected Health Information NorthPoint Health & Wellness Center 2011.

Office of the Secretary Office for Civil Rights (OCR) Indian Health Service HIPAA Training Hosted by the Aberdeen Area Office July 24, 2012.

Health Insurance Portability and Accountability Act (HIPAA)

Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.

1 Integrating Privacy and Security HIPAA Summit/WEDI Security Baltimore, MD September 14, 2004 William R. Braithwaite, MD, PhD “Doctor HIPAA”

HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees.

PricewaterhouseCoopers 1 Administrative Simplification: Privacy Audioconference April 14, 2003 William R. Braithwaite, MD, PhD “Doctor HIPAA” HIPAA Today.

Health Insurance portability and Accountability Act (HIPAA)‏

HIPAA Privacy for Pharma Audioconference 5/29/2002 pwC.

HIPAA History March 3, HIPAA Ruling Health Insurance Portability Accountability Act Health Insurance Portability Accountability Act Passed by Congress.

Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.

PricewaterhouseCoopers 1 Administrative Simplification: Privacy, Security, and Compliance NCHCC Washington, DC February 6, 2003 William R. Braithwaite,

HIPAA Overview Why do we need a federal rule on privacy? Privacy is a fundamental right Privacy can be defined as the ability of the individual to determine.

HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule.

PwC Issues in HIPAA Research Compliance William R. Braithwaite, MD, PhD “Dr. HIPAA” HIPAA Summit 6 Washington, DC 27 March 2003.

1 Administrative Simplification: The Last Word National HIPAA Summit 8 Baltimore, MD March 9, 2004 William R. Braithwaite, MD, PhD “Doctor HIPAA”

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,

Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone: Fax:

Juvenile Legislative Update 2013 Confidential Records and Protected Disclosures.

HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule Melinda Hatton -- Oct. 31, 2002.

HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.

Health Insurance Portability and Accountability Act

Health Insurance Portability and Accountability Act of 1996

Privacy & Information Security Basics

Enforcement, Business Associates and Breach Notification. Oh my!

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

What is HIPAA? HIPAA stands for “Health Insurance Portability & Accountability Act” It was an Act of Congress passed into law in HEALTH INSURANCE.

The HIPAA Privacy Rule: Implications for Medical Research

HIPAA CONFIDENTIALITY

HIPAA Administrative Simplification

Health Insurance Portability and Accountability Act

HIPAA Pros - Disclosures

HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT

Disability Services Agencies Briefing On HIPAA

HIPAA Pros - Minimum Necessary

HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.

HIPAA Security Standards Final Rule

Paul T. Smith, Esq. Partner, Davis Wright Tremaine LLP

Enforcement and Policy Challenges in Health Information Privacy

HIPAA Privacy & Security: Medical Research Context

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Issues in HIPAA Research Compliance

Analysis of Final HIPAA Privacy Modification Rule

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Privacy and Security Update - 5 Years After Implementation

Presentation transcript:

National Congress on Health Care Compliance Privacy & Security Regulation National Congress on Health Care Compliance William R. Braithwaite, MD, PhD Director, Healthcare Consulting Practice Washington, DC 7 February 2002, Washington, DC ©2002 PricewaterhouseCoopers. PricewaterhouseCoopers refers to the individual member firms of the world-wide PricewaterhouseCoopers organisation. All rights reserved.

Contents International Fair Information Practices HIPAA Privacy Requirements Scope Uses and Disclosures Consent vs. Authorization Minimum Necessary Rule State law & Preemption HIPAA Security Requirements How to get more information PricewaterhouseCoopers

5 Principles of Fair Info Practices Openness Existence and purpose of record-keeping systems must be publicly known. Individual Participation Individual right to see records and assure quality of information. accurate, complete, and timely. Security Reasonable safeguards for confidentiality, integrity, and availability of information. Accountability Violations result in reasonable penalties and mitigation. Limits on Collection, Use, and Disclosure Information is collected only with knowledge and consent of subject. Information is used only in ways relevant to the purpose for which the data was collected. Information is disclosed only with consent of subject or legal authority.

Requirements for Privacy HIPAA requires: Recommendations to Congress for legislation from the Secretary of Health and Human Services (done 9/97). If legislation establishing privacy standards is not enacted within 3 years, the Secretary of HHS shall promulgate final regulations containing such standards. Final Rule published 12/28/2000 Guidance issued 7/6/01. Compliance required 4/14/2003. Administrative Simplification Compliance Act (AKA ‘Delay’ legislation) does not affect privacy scope or compliance date. Modifications expected to be proposed early 2002. Expect proposals to decrease administrative burden. No change expected in compliance date.

Scope: Who is Covered? Limited by HIPAA to covered entities: Health care providers who transmit health information in electronic transactions. Health plans. Health care clearinghouses. Business associate relationships ... Agents and contractors (not otherwise covered) who need health information to do work on behalf of covered entities. Covered entities required to contract for protection of the information.

Scope: What is Covered? Protected health information (PHI) is: Individually identifiable health information, Transmitted or maintained in any form or medium (including oral), Held by covered entities or their business associates. De-identified information is not covered. Specific rules determine de-identification.

Uses and Disclosures Limit to what is permitted in the Rule (4 conditions): Treatment, payment, and health care operations (TPO). Under conditions of notice and consent for direct providers. Uses and disclosures involving the individual’s care or directory assistance, Require an opportunity to agree or object. For specific public purposes. Following controls and limits in rule. All others as permitted by individual. Under written, revocable authorization. Specific requirements vary based on type of use or disclosure.

Consent Written consent required before direct treatment provider may use PHI for TPO. Exceptions: emergency treatment situation, substantial communication barriers, when required by law to treat. Not required for: Indirect Treatment Providers, Health Plans, Health Care Clearinghouses.

Policy Exceptions Covered entities may use or disclose PHI without a consent or authorization – only if certain conditions are met & the use or disclosure comes within one of the exceptions; As required by law. For health care oversight. For public health. For research. To facilitate organ transplants. For law enforcement. For judicial proceedings. For other specialized government functions. To Coroners, medical examiners, funeral directors. The final rule also permits, but does not require, covered entities to use or disclose PHI without a consent or authorization if the use or disclosure falls within one of the listed exceptions. These exceptions include: uses and disclosures required by law, uses and disclosures for involvement in the individual’s case, and uses and disclosures for health care oversight.

Minimum Necessary Covered entities must make reasonable efforts to limit the use or disclosure of PHI to minimum amount necessary to accomplish their purpose. Exceptions: Disclosure to or request by provider for treatment. Disclosure to individual. Under authorization (unless requested by CE). Required for HIPAA standard transaction. Required for enforcement. Required by law.

Minimum Necessary (2) Reasonableness standard - consistent with best practices in use today. “Role-based” access limits. Standard protocols for routine & recurring uses / disclosures. Review each non-routine disclosure. May rely on judgment of requestor if: public official for permitted disclosure. covered entity. professional within covered entity. BA for provision of professional service for CE. researcher with IRB documentation.

State Law & Preemption State Health Information Privacy Laws are: Fragmented, not comprehensive Scattered in all parts of state law Entity specific (e.g. aimed at a specific type of healthcare entity) Not uniform or kept up-to-date HIPAA Administrative Simplification preempts most ‘contrary’ provisions of state law, Except more stringent provisions of state law regarding privacy. Result: Each type of entity must perform (or have performed on its behalf) a legal analysis of the law in each applicable state with respect to HIPAA privacy rules to determine true requirements. HHS not expected (or equipped) to do this.

HIPAA Security Requirements Covered Entities shall maintain reasonable and appropriate administrative, technical, and physical safeguards -- to ensure integrity and confidentiality to protect against reasonably anticipated threats or hazards to security or integrity unauthorized uses or disclosures taking into account technical capabilities costs, training, value of audit trails needs of small and rural providers Proposed rule published August 12, 1998. Final rule expected soon.

Key Security Philosophy Identify & assess risks/threats to: Availability Integrity Confidentiality Take reasonable steps to reduce risk.

Security Issues Covers data at rest as well as transmitted data. Involves policies/procedures & contracts with business associates. For most security technology to work, behavioral safeguards must also be established and enforced. requires administration commitment and responsibility. Final rule expected soon: Harmonized with privacy (scope, philosophy). General requirements only (flexible, scalable, technology neutral). Electronic signatures: Final rule will depend on industry progress on reaching consensus on a standard.

For More Information OCR Privacy Website: http://www.hhs.gov/ocr/hipaa/ Administrative Simplification Web Site: http://aspe.hhs.gov/admnsimp/ Georgetown Health Privacy Project www.healthprivacy.org William.R.Braithwaite@us.pwcglobal.com

Pwc