Understanding HIPAA Privacy Regulations

Presentation transcript:

Understanding HIPAA Privacy Regulations
A guide to company policies and procedures
Prepared by:

The Privacy Rule is intended to:
- Protect and enhance the rights of consumers by providing them access to their protected health information and control over PHI uses and disclosures
- Improve healthcare quality by restoring public trust and willingness to share information
- Improve efficiency and effectiveness by creating a uniform nationwide privacy framework

Privacy Regulations apply to:
- Covered entities, such as: health plans / insurance payers; health care clearinghouses; health care providers, e.g. HMEs, physicians, nursing homes, home health agencies, etc.
- Whoever “uses” or “discloses” protected health information (“PHI”)
- Business associates: through contracts with covered entities that hold them to the same provisions of the law

Basics of HIPAA
- Covers electronic, paper & oral information
- Requires contracts with business associates to protect health information
- Emphasizes "minimum necessary" access to information
- Standards apply to "protected health information": all individually identifiable health information in any form

Basics of HIPAA
Protected Healthcare Information (PHI) defined: health information, including demographic information, which can reasonably identify the individual and relates to the person’s:
- Past, present or future physical health, mental health, or condition;
- Provision of health care; or
- Past, present or future payment for the provision of health care
General Rule: “Protected health information may not be used or disclosed for reasons other than treatment, payment or healthcare operations without specific patient authorization”

Basic Patient Rights - HIPAA
- Patients must receive written notice of the provider's information practices describing patient rights; the company must make a good faith effort to obtain acknowledgement of receipt – all patients are to receive the “Privacy Notice” found in the manual
- Patients may inspect their own health information and obtain a copy
- Patients may request amendment of their health information

Basic Patient Rights - HIPAA
- Patients may receive an accounting of disclosures for purposes other than treatment, payment, and healthcare operations
- Patients may request that uses and disclosures of health information be restricted
- Patients must be provided a means to report a privacy complaint

Basics of Use and Disclosure
- Providers must obtain a written patient Authorization before releasing PHI for purposes other than Treatment, Payment, and Health Care Operations.
- Consent forms are optional when info is used only for treatment, payment and health care operations

Basics of Use and Disclosure
Providers CAN release PHI without authorization:
- for treatment, payment or healthcare operations (including to business associates)
- when required by law
- for public health activities
- for victims of abuse, neglect, or domestic violence
- for health oversight – e.g. a Medicare audit
- for judicial proceedings
- for specific law enforcement activities

Basics of Use and Disclosure
Providers CANNOT release PHI without authorization when info is used for:
- marketing
- medical research
- fund-raising
Authorizations generally address a specific need and circumstance or span of time

Rules Governing Business Associates
- Providers must identify all Business Associates that have access to or use/disclose protected health information of patients: accrediting bodies; consultants; billing clearinghouse and outsource companies; outcomes tracking outsourcing
- Business Associate contracts must be established to ensure that Business Associates' practices support HIPAA's requirements
- Sanctions must be applied by the company for non-compliance by Business Associates

Exceptions to the rule:
- Providers may release a patient's location, condition, or death when needed to family, friends, or others involved in the care of the patient
- Providers may make disclosures to family and others involved when in the patient's best interest – but you still have to follow state law when it comes to the rights of minors

Exceptions to the rule:
- Providers may make disclosures to “personal representatives” of the patient – i.e. those with Power of Attorney; the estate of a deceased patient
- De-identified information is not subject to the privacy rules. Defined as removal of identifiers such as: name, date, geographic designations, phone/fax numbers, email, etc.

Penalties for non-compliance
Criminal penalties - intentional violation:
- Up to $50,000 and up to one (1) year imprisonment for knowing misuse
- Up to $100,000 and/or imprisonment up to five (5) years if the offense is under false pretenses
- Fine of not more than $250,000 and/or imprisonment of up to ten (10) years if the offense is with intent

HPP1 – Uses and Disclosures General
- “Use” of information is defined as that which is used WITHIN the organization
- “Disclosure” of information is that which is released OUTSIDE the organization
- Both are permitted without specific consent from the patient when info is used for treatment, payment or healthcare business operations – consent forms are optional in these circumstances

HPP1 – Uses and Disclosures General
- TREATMENT – includes information shared between the referral source and the HME provider to accomplish patient care objectives
- PAYMENT – includes information shared with insurance payers, billing clearinghouses, and outsource billing firms to obtain payment (billing firms are also business associates)
- OPERATIONS – includes information shared with accrediting bodies, consultants, outcomes tracking firms, etc. (these are commonly also business associates)

HPP2 – Uses and Disclosures Restrictions
- Patients have a right to restrict the use and disclosure of their PHI, even that used for treatment, payment, and healthcare operations – the “PRIVACY NOTICE” informs them of this
- The company has the right to refuse to continue care for a patient if restrictions interfere with treatment, payment, or healthcare operations, but must honor the request until the patient is transferred to another provider

HPP2 – Uses and Disclosures Restrictions
- A request can be verbal or in writing – both must be honored until the company is notified otherwise by the patient (indefinitely)
- Better to have a policy to document the patient request – use the “Restriction Agreement” form
- Keep a log of patients requesting restriction of PHI
- Keep the log on file for 6 years

HPP3 – Business Associates
A non-covered entity, defined as an organization or person other than a member of the company’s workforce who receives PHI from the company in order to provide services to or on behalf of the company:
- Healthcare billing clearinghouses
- Billing services
- Accreditation organizations
- Consulting firms
- Software vendors with access to company software systems

HPP3 – Business Associates
The company must complete a contract with each business associate that holds them to the same privacy standards the company is held to as a “covered entity”. The contract:
- Specifies what kind of information will be disclosed and to whom
- Identifies the responsibilities of the business associate to protect healthcare information
- Specifies what measures will be taken to ensure privacy of info upon termination of the contract

HPP4 – Deceased Patients
- The company must continue to protect the info of deceased patients for as long as records are maintained
- State law usually says records should be maintained for 7 years (or 7 years past the age of majority for minors)
- PHI can be released to anyone with power of attorney (personal representative) or to the patient’s estate

HPP5 – Personal Representatives
- Have the same rights as patients as defined in the “PRIVACY NOTICE”
- Defined as: anyone with legal POA (healthcare or general); the estate of deceased patients; guardians of un-emancipated minors
- Document the relationship of the personal representative to the patient in the medical / billing record

HPP5 – Personal Representatives
- Recognize that some states allow minors to override the healthcare decisions of their guardians – HIPAA laws do not take precedence over state laws that are more stringent
- The company is not obligated to disclose information to a personal representative if it reasonably believes that revealing such information may subject the patient to violence, abuse, or neglect

HPP6 - Confidential Communications
- Patients are provided with their PHI upon request – treatment notes, billing information/details, etc.
- They do not need to provide a reason for receiving the information
- Verbal, faxed, or mailed responses to the patient are permitted, based on patient request
- Hard copy communications are best to document the company response

HPP7 - Consent
- Use of a consent form is optional if the information will only be used for treatment, payment and/or healthcare operations (whether the information is used by the company, another “covered entity”, or a business associate)
- Most companies already have a “Release of Information” statement in their paperwork – this is adequate even for optional purposes
- A form is provided in the manual to be used if company policy requires separate consent

HPP8 – Other Permitted Disclosures
- To public healthcare authorities – infectious disease reporting; MedWatch; FDA requirements, etc.
- When required by law enforcement, or to comply with state laws, or to prevent abuse and neglect of the patient
- To CMS, or on CMS demand, when investigating allegations of fraud and abuse

HPP9 – De-identified Information
- The company is not required to comply with HIPAA regulations in regard to “de-identified” PHI
- De-identified PHI has had all identifying information removed – name, phone, birth dates, addresses, HICN, SSN, etc.
- The patient info can be coded with a number that will allow it to be “re-identified” later, within the company, so long as you don’t disclose the coding methodology – common in outcomes tracking
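One way to implement the HPP9 coding scheme in code, as an added example that is not part of the original presentation or the company manual it describes: the identifier fields are stripped from a record, a random internal code takes their place, and the code-to-identifier mapping is held in a separate table that stays inside the company. The field names, the sample record and the helper names are assumptions made for this example; a real system would map its own schema.

```python
import secrets
from typing import Dict

# Identifier fields named on the HPP9 and de-identification slides (name, phone,
# fax, email, birth date, address, HICN, SSN). Field names are assumed here.
IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "birth_date", "address", "hicn", "ssn",
}


def new_code(reid_table: Dict[str, dict]) -> str:
    """Random 10-digit code: it carries no information about the patient,
    so the 'coding methodology' reveals nothing even if a code is seen."""
    code = f"{secrets.randbelow(10 ** 10):010d}"
    while code in reid_table:          # keep codes unique within the table
        code = f"{secrets.randbelow(10 ** 10):010d}"
    return code


def deidentify(record: dict, reid_table: Dict[str, dict]) -> dict:
    """Return a copy of `record` with identifiers removed and a patient_code
    attached. The identifiers are parked in `reid_table` (company-internal)."""
    code = new_code(reid_table)
    reid_table[code] = {k: v for k, v in record.items() if k in IDENTIFIER_FIELDS}
    deid = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    deid["patient_code"] = code
    return deid


def reidentify(deid_record: dict, reid_table: Dict[str, dict]) -> dict:
    """Re-attach identifiers from the internal table (internal use only)."""
    full = {k: v for k, v in deid_record.items() if k != "patient_code"}
    full.update(reid_table[deid_record["patient_code"]])
    return full


def leaks_identifiers(record: dict) -> bool:
    """Check run before anything leaves the company: any identifier field left?"""
    return any(k in IDENTIFIER_FIELDS for k in record)


# Constructed sample record with fictitious values (not real patient data).
SAMPLE = {
    "name": "Jane Example", "phone": "555-0100", "birth_date": "1970-01-01",
    "address": "1 Example St", "hicn": "000000000A", "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "diagnosis_code": "J45.20", "equipment": "CPAP", "outcome_score": 7,
}

if __name__ == "__main__":
    table: Dict[str, dict] = {}
    outcomes_copy = deidentify(SAMPLE, table)      # what an outcomes tracker would receive
    print("de-identified:", outcomes_copy)
    print("restored internally:", reidentify(outcomes_copy, table))
```

The `reid_table` is the sensitive part: whoever holds it can undo the de-identification, so it belongs with the rest of the company's PHI, not with the outcomes data.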

HPP10 – Minimum Necessary Information
- The company uses and discloses the minimum necessary information needed to accomplish treatment, payment, and healthcare operations
- The need for information should be defined by job description – the company decides and puts it in policy
- Minimum necessary information for business associates should be defined within individual contracts

HPP10 – Minimum Necessary Information
- Full access: clinical staff; customer service and billing; operations and management personnel
- Limited access: delivery and warehouse personnel
- No access: maintenance and cleaning personnel
This is suggested policy – the company decides!

HPP11 - Notification of Privacy Policy
- Provided to all patients or their representative upon initiation of care – see sample in manual
- Contains a list of patient rights to privacy and an explanation of typical uses and disclosures of PHI
- Must also provide a copy of the notice upon request to any person requesting a copy

HPP11 - Notification of Privacy Policy
- Always document that the patient / personal representative received the notice – carbonless copy with signature
- If amended, all current patients must receive a copy of the new, amended Privacy Notice
- If amended, the company must keep old versions (master copy) of the Privacy Notice on file for 6 years past the date of retirement of the previous version of the notice

HPP12 - Right to Restrict
- The patient has the right to restrict use of information, even for treatment, payment, and healthcare operations
- The company has the right to refuse to treat the patient under those circumstances, but must abide by the patient’s request as long as the patient continues on service
- Get it in writing – use the Restriction form in the manual

HPP13 - Responding to Requests
- Ask the patient / personal representative to make a request for extensive release of PHI in writing so you have documentation
- Ask the patient / personal representative where they want the information sent – it can be mailed to someplace other than their primary address if they so choose; it can be provided via the telephone or by fax
- You can charge the patient for copying and mailing the information

HPP13 & 14 - Responding to Requests
- The patient does not need to provide a reason why they want the information
- Respond to requests in a timely fashion – 30 to 60 days is reasonable
- See policy HPP14 for examples of when info can be legally withheld
- If info is legally withheld, you must provide the patient with a written explanation as to why

HPP15 – Right to Amend
- Patients have a right to amend the info in their medical record after reviewing it, if they choose
- The request should be in writing, and state why the patient is requesting the change
- The company may deny the request if: the info requested to be changed was not created by the company; the employee who made the entry that is to be changed is no longer an employee; the info is currently accurate and complete as is

HPP15 – Right to Amend
- In case of company denial to amend, put both sides (patient and company) in writing and include them in the patient’s medical record
- Release this amended information as well, as applicable, when disclosure to another person is provided at patient request
- Complete the process in a timely fashion – 60 to 90 days

HPP16 – Accounting of Disclosures
The company needs to keep track of disclosures of patient information so they can be provided to the patient / personal representative upon request. Exceptions to tracking:
- Disclosures made directly to the patient
- Disclosures made for purposes of treatment, payment, or healthcare operations
- Provided to employees of the company
- Provided for reasons of national security
- Provided before HIPAA regulations went into effect

HPP16 – Accounting of Disclosures
- Must keep track of disclosures for 6 years past the disclosure
- Tracking must include: date info released; to whom info was released; what info was released; the purpose for which it was released
- Document patient requests for accounting of disclosures and respond to them in 60 days or less
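A disclosure log that follows the two HPP16 slides above, added here as an example and not taken from the presentation or the company manual: exempt kinds of disclosure (to the patient, for treatment / payment / operations, to the workforce, for national security) are not tracked, every tracked entry carries the four required fields, an accounting covers the 6-year window, and the response deadline is 60 days. The purpose labels, the sample entries and the function names are assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Disclosures the HPP16 slide excludes from accounting. Labels are assumed;
# a real system would use its own purpose vocabulary.
EXEMPT_PURPOSES = {
    "to_patient",                       # made directly to the patient
    "treatment", "payment", "healthcare_operations",
    "workforce",                        # provided to employees of the company
    "national_security",
}
RETENTION_YEARS = 6                     # keep track for 6 years past the disclosure
RESPONSE_DAYS = 60                      # respond to an accounting request in 60 days or less


@dataclass
class Disclosure:
    patient_id: str
    released_on: date                   # date info released
    released_to: str                    # to whom info was released
    what: str                           # what info was released
    purpose: str                        # the purpose for which it was released


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def response_due(requested_on: date) -> date:
    """Latest date by which the accounting must be provided to the patient."""
    return requested_on + timedelta(days=RESPONSE_DAYS)


@dataclass
class DisclosureLog:
    entries: List[Disclosure] = field(default_factory=list)

    def record(self, d: Disclosure) -> bool:
        """Log the disclosure unless it is an exempt kind; returns True if logged."""
        if d.purpose in EXEMPT_PURPOSES:
            return False
        self.entries.append(d)
        return True

    def accounting(self, patient_id: str, requested_on: date) -> List[Disclosure]:
        """Entries the patient is entitled to see: theirs, within the retention window."""
        cutoff = years_before(requested_on, RETENTION_YEARS)
        return [e for e in self.entries
                if e.patient_id == patient_id and cutoff <= e.released_on <= requested_on]

    def prune(self, today: date) -> int:
        """Drop entries past the retention period; returns how many were removed."""
        cutoff = years_before(today, RETENTION_YEARS)
        kept = [e for e in self.entries if e.released_on >= cutoff]
        removed = len(self.entries) - len(kept)
        self.entries = kept
        return removed


# Constructed sample entries with fictitious values.
REQUEST_DATE = date(2021, 1, 1)
SAMPLE_DISCLOSURES = [
    Disclosure("p1", date(2020, 3, 1), "State health department", "diagnosis", "public_health"),
    Disclosure("p1", date(2020, 4, 1), "Insurance payer", "claim detail", "payment"),   # exempt
    Disclosure("p1", date(2012, 1, 1), "Court clerk", "treatment record", "judicial"),  # outside 6 years
    Disclosure("p2", date(2020, 5, 1), "Court clerk", "treatment record", "judicial"),
]


def build_log() -> DisclosureLog:
    log = DisclosureLog()
    for d in SAMPLE_DISCLOSURES:
        log.record(d)
    return log


if __name__ == "__main__":
    log = build_log()
    for e in log.accounting("p1", REQUEST_DATE):
        print(e.released_on, e.released_to, e.what, e.purpose)
    print("respond by", response_due(REQUEST_DATE))
```

Note that `prune` removes an entry only once it is 6 years past the disclosure date, which is the retention the slide states; the request-date window in `accounting` uses the same cutoff, so the two never disagree.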

HPP17 – Privacy Officer
- The company must designate one individual as responsible for protecting privacy
- Job duties include: ensuring confidentiality of all PHI; development and implementation of company HIPAA policies; limiting incidental disclosures; documentation & tracking of disclosures, and responding to patient complaints
- Name, location, and phone number of the Privacy Officer should be posted in areas where patients have access

HPP18 – Employee Training
- All current employees are to receive training – the level to be based on their access to confidential information
- Employee orientation should include privacy training
- Training must be documented in the employee’s personnel file

HPP19 – Securing Medical Records
- Secured at the end of the business day, either in locked cabinets or a locked room
- Only individuals with permission, consistent with their job duties, may access medical records
- Electronic records are controlled by logins and passwords to the computer system
- Documents containing identifiable PHI must be shredded prior to disposal

HPP20 – Patient Complaints
- Patients have a right to file a formal complaint when they feel their privacy has been violated
- Complaints should be directed to the Privacy Officer
- The Privacy Officer is to: document the complaint in a log; investigate the complaint; document the resolution to the complaint; inform the patient of findings / resolution

HPP21 – Employee Violations
- Employees who violate patient privacy will be subject to company procedures for violations of policy
- The company response will depend on the intention of the employee and the severity of the violation
- The company response may range from a verbal warning up to and including termination
- All company responses to violations of privacy will be documented in the employee’s file

HPP23 – Protection of Data
- Computers must be set up to ensure the integrity of information (firewalls, passwords, etc.)
- Integrity of systems is routinely assessed
- Back-ups are created daily (the company may change policy on frequency of back-up)
- Back-ups are stored off-site in a protected manner

HPP24 – Access to Data
- All individuals who need access to computer data are given an access code
- A list of access codes and who has one is to be maintained by the company / Privacy Officer
- Employees are trained re: privacy regulations before receiving access to data
- Employees may not share their access code without prior approval of management

HPP25 – Mitigation of Damage
- If a breach in security is reported, the Privacy Officer must take steps to minimize damage
- The Privacy Officer must investigate the breach, determine the cause, and suggest a possible resolution
- All actions on the part of the Privacy Officer should be documented

HPP26 – Access Logging
- The computer system should be capable of logging access to PHI – check with billing software vendors
- The log should be generated routinely to check for unauthorized attempts to access PHI
- Unauthorized attempts to access PHI will be followed up by the company’s Privacy Officer
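The HPP10 access levels and the HPP26 access log fit together naturally, so one added example serves both slides; it is not code from the presentation or the company manual. Each attempt to read a PHI field is decided by the role's level (full, limited, none), every attempt is logged whether or not it was allowed, and a review routine pulls out the denied attempts for the Privacy Officer, counted per user so repeated attempts stand out. The role labels, the set of fields a limited role may see, the sample attempts and the class and method names are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Access level per role, following the HPP10 slide's suggested policy
# ("the company decides"). Role labels are assumed for this example.
ROLE_LEVEL: Dict[str, str] = {
    "clinical": "full", "customer_service": "full", "billing": "full",
    "operations": "full", "management": "full",
    "delivery": "limited", "warehouse": "limited",
    "maintenance": "none", "cleaning": "none",
}
# Fields a "limited" role may see. The slide does not define this set; a
# delivery-oriented subset is assumed here.
LIMITED_FIELDS = {"name", "address", "equipment"}


@dataclass
class AccessEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    field: str
    allowed: bool


class PHIAccessMonitor:
    """Decides each field access by role (HPP10) and logs every attempt (HPP26)."""

    def __init__(self) -> None:
        self.log: List[AccessEvent] = []

    def access(self, when: datetime, user: str, role: str,
               patient_id: str, field: str) -> bool:
        level = ROLE_LEVEL.get(role, "none")            # unknown role: no access
        allowed = level == "full" or (level == "limited" and field in LIMITED_FIELDS)
        self.log.append(AccessEvent(when, user, role, patient_id, field, allowed))
        return allowed

    def unauthorized_attempts(self) -> List[AccessEvent]:
        """The routine review the HPP26 slide calls for: denied attempts to follow up."""
        return [e for e in self.log if not e.allowed]

    def denied_by_user(self) -> Dict[str, int]:
        """Denied attempts per user, so a pattern of probing is visible at a glance."""
        counts: Dict[str, int] = {}
        for e in self.unauthorized_attempts():
            counts[e.user] = counts.get(e.user, 0) + 1
        return counts


# Constructed sample attempts with fictitious users and patient ids.
SAMPLE_ATTEMPTS = [
    ("nurse1",   "clinical", "p1", "diagnosis"),
    ("driver1",  "delivery", "p1", "address"),
    ("driver1",  "delivery", "p1", "diagnosis"),    # beyond a limited role
    ("driver1",  "delivery", "p2", "ssn"),          # beyond a limited role
    ("cleaner1", "cleaning", "p1", "name"),         # no-access role
    ("visitor",  "unknown",  "p1", "name"),         # role not in policy
]


def build_monitor() -> PHIAccessMonitor:
    monitor = PHIAccessMonitor()
    t = datetime(2024, 1, 1, 9, 0)
    for user, role, patient_id, field in SAMPLE_ATTEMPTS:
        monitor.access(t, user, role, patient_id, field)
    return monitor


if __name__ == "__main__":
    m = build_monitor()
    for e in m.unauthorized_attempts():
        print(f"{e.when} DENIED {e.user} ({e.role}) -> {e.patient_id}.{e.field}")
    print("denied per user:", m.denied_by_user())
```

Logging the denied attempts, not just the successful reads, is what makes the HPP26 review possible: a user whose role has no access and who keeps trying is only visible if the refusals are recorded.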

HPP27 – Contingency Plan
The company has a contingency plan that details how the company will back up, secure, and re-establish its electronic databases in emergency situations

HPP28 – Consent to Film / Record
The company has a policy that dictates what type of patient / client releases are required in order to film or record the patient for use in company training, or for promotional activities that will be seen or heard by persons outside the company

HPP29 – Sale of PHI
With very few exceptions, the sale of PHI is prohibited

HPP30 – Notice of Obligation
The company is obligated to notify patients if their PHI has been breached. This obligation stands regardless of whether the breach was made by the company or one of its business associates. This notification will be handled by the company owners and/or the HIPAA Privacy Officer of the company.