Health Information Privacy and Accountability Act

Presentation transcript:

HIPAA: Health Information Privacy and Accountability Act

What is HIPAA
- In 1996 Congress passed Health Information Privacy and Accountability Act
- Full compliance required since 10/16/03
- Mandates Federal privacy protections for individually identifiable health information
- Primary purpose was to provide insurance coverage for workers who change jobs
- The Security, Privacy, and standards for electronic transactions are part of the Act
- Health insurance portability and accountability act

Cost
- American Hospital Association estimates costs to be 22.5 billion dollars over the first 5 years
- Physical changes to departments
- Staff training
- State law vs. Federal – most restrictive law takes precedence

Protected Health Information
- Created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or healthcare clearinghouse in normal course of business
- Relates to past, present or future physical or mental health or condition of an individual
- Relates to provision of healthcare to an individual
- Past, present or future payment for provision of health care to an individual

What is considered Protected Health Information (PHI)?
- Name
- Name of Relatives/Household
- Medical Record Number
- Address
- Employer
- Account/Health Plan Number
- SSN
- Telephone Numbers
- Vehicle or Other Device Serial Number
- Fingerprint
- Fax
- DOB
- Photograph
- E-mail address
- Certificate/License Number

De-Identified Health Information
- No restrictions on use or disclosure of de-identified health information
- Does not identify the individual
- Does not provide a reasonable means to ID a person

How Do I De-Identify Health Information?
- Formal determination by a qualified statistician
- Removal of specific identifiers of individual and that individual’s family, household members, employer

When can I disclose PHI without the person’s authorization?
- When sharing information with that person
- Information may be disclosed to doctors, nurses, technicians, health care providers and hospital personnel who are involved in the patient’s care
- Use for billing, treatment, or other health care operations
- Facility directory – includes name, location in the facility and general condition
- An individual may give informal permission to discuss with family, relatives or other identified people PHI directly relevant to that person’s involvement in the individual’s care or payment for care, e.g. a pharmacist can give a filled prescription to a person acting on behalf of the patient
- Health care operations: CQI studies, competency assurance activities, case management and care coordination, audits, legal services, compliance programs, fraud investigations, risk management, business planning, etc.

When can I disclose PHI without the person’s authorization?
- When required by federal or state law:
- Public Health
- Law enforcement agencies
- Appropriate government agencies
- In response to a court order or subpoena
- Health Oversight Agencies: for legally authorized audits, investigations, inspections, licensure, etc.
- To report child/elder abuse or neglect or domestic violence
- Health care operations: CQI studies, competency assurance activities, case management and care coordination, audits, legal services, compliance programs, fraud investigations, risk management, business planning, etc.

When can I disclose PHI without the person’s authorization?
- Law enforcement purposes:
  - criminal investigations, identify or locate a suspect, fugitive, or missing person
  - alert regarding death of a person
  - PHI is evidence of a crime that occurred on its premises
  - emergency situation where the health care provider needs to communicate to law enforcement regarding location, nature, and perpetrator of the crime
- Health care operations: CQI studies, competency assurance activities, case management and care coordination, audits, legal services, compliance programs, fraud investigations, risk management, business planning, etc.

When can I disclose PHI without the person’s authorization?
- Coroners, Funeral Directors, Medical Examiners for identification purposes
- Facilitate organ donation
- Some research
- Threat to health or safety – to either person or public
- Essential Government Functions: national security, medical suitability for service, health and safety of inmates or employers in correctional facilities, eligibility for enrollment in government benefit programs
- When consulting with other health care providers about a patient’s treatment

All Other Disclosure of PHI Must have Authorization from Person

Minimum Necessary
- Key aspect of the privacy law
- Make reasonable effort to disclose and/or request only that information which is needed to effectively treat, receive payment, or conduct business
- DME example: Wheelchair ordered – only include that medical info needed related to the use of the wheelchair

HOW WILL HIPAA IMPACT YOUR PT PRACTICE?

Privacy Practice Notice
- Notice of privacy practices must be provided to patient no later than the first service encounter
- Notice must include the following:
- Ways your clinic may use and disclose PHI
- How your clinic will protect the patient’s privacy, legal requirements to protect privacy, and written notice of privacy practice including individual rights including right to complain to HHS
- Posted notice that is clearly visible to all patients
- Patient must sign that notice was provided, reviewed or received – recommend have the patient sign the actual notice

Safeguards to implement
- Speak quietly while discussing patient’s treatment/condition in waiting room with family members or patient
- Avoid using patient’s name in public hallways
- Lock all file cabinets, record/chart rooms – limit access to these keys to only staff that need access to records
- Lock staff offices when empty
- Computer discs when not in use should be locked up in desks, cabinets or disc storage
- Computers should be only accessed by appropriate staff (via passwords)

Safeguards to implement
- Patient sign-in sheets should not include reason for visit
- OK to call out patient’s name in waiting rooms – limit information shared
- Keeping charts outside exam room or at bedside allowable as long as access limited to information – face chart to wall or face down on bed, limit access to exam/treatment areas by staff or by escorting non-employees
- Leaving messages for patients on their answering machines is ok – but limit what you disclose
- Shred documents containing PHI before throwing out
- Keep all privacy policies, records, complaints, other activities related to HIPAA for at least 6 years

You do not have to
- Retrofit your clinic with soundproof rooms – curtains or cubicles may constitute reasonable safeguard
- Discussing details of patient’s treatment in a “gym” allowable as long as detailed discussions occur in more private setting
- Get consent from patient when consulting on a patient’s treatment with another provider
- You are asked for your opinion about a treatment of a patient who is not yours by another PT – no need to get consent from patient about sharing PHI

What happens if patient refuses to sign notice?
- Document your efforts to get signature
- Document why patient would not sign

- THE PATIENT HAS RIGHT OF ACCESS TO ALL THEIR DESIGNATED RECORD SET – ANY RECORDS WITH PHI
- YOU SEND NOTICE TO COLLECTION AGENCY WITH PHI INCLUDED – PATIENT HAS RIGHT TO SEE THAT LETTER
- CAN CHARGE REASONABLE COPYING COSTS TO PATIENT

Designated Record Set
- Group of records maintained by CE used in whole or part to make treatment decisions
- Provider’s medical and billing records about an individual’s health plan enrollment, payment, claims adjustment, case management records

Restriction Request
- Patients have the right to request your clinic restrict who gets or how PHI is used
- Your clinic does not have to agree to additional restrictions requested by patient
- If you do agree – your agreement is legally binding
- Patients have the right to request their information be amended
- Ex: patient wants his bills sent to a PO box not home address – and you agree but then send bills to home address – you are in violation of HIPAA

What about minors?
- Most cases parents are personal representatives for minor children
- Professional judgment is allowable (if made by a licensed health provider) if state law is silent about sharing information with parents

What happens if you violate HIPAA?
- $100 fine per failure to comply with a requirement
- Not to exceed $25,000 for multiple violations of same rule in calendar year
- No fine if violation due to reasonable cause and did not involve willful neglect and if corrected within 30 days of knowledge of violation

What happens if you violate HIPAA?
- Knowingly obtains or discloses PHI in violation of HIPAA – fine up to $50,000 and one year in prison
- Fine increases to $100,000 and 5 years in prison if involves false pretense
- Increases to $250,000 and 10 years in prison if involves selling and transfer of PHI for profit, commercial advantage, personal gain or malicious harm