HIPAA’s Medical Privacy Standards: The Long and Really Winding Road Michael D. Bell, Esq. Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. Washington,

Slides:



Advertisements
Similar presentations
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
Advertisements

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA Privacy Rule Training
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
HIPAA The Hidden Beast June Kissinger Director, Risk Management Support Services March 12, 2003.
Presented by the Office of the General Counsel An Overview of HIPAA.
WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Are you ready for HIPPO??? Welcome to HIPAA
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.
HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa.
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Health Insurance Portability and Accountability Act (HIPAA)
Notice of Privacy Practices Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs,
1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy.
HIPAA PRIVACY AND SECURITY AWARENESS.
1 Research & Accounting for Disclosures March 12, 2008 Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance.
PricewaterhouseCoopers Transaction Compliance Date Extension & Privacy Standards NPRM Audioconference April 19, 2002 HIPAA Administrative Simplification.
1 HIPAA OVERVIEW ETSU. 2 What is HIPAA? Health Insurance Portability and Accountability Act.
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
HIPAA – How Will the Regulations Impact Research?.
HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.
H I P A A T R A I N I N G Self Directed Module 7 Research Disclosures For Data Custodians START Click to begin…
© 2009 The McGraw-Hill Companies, Inc. All rights reserved. 1 McGraw-Hill Chapter 2 The HIPAA Privacy Standards HIPAA for Allied Health Careers.
Medical Law and Ethics, Third Edition Bonnie F. Fremgen Copyright ©2009 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved.
Speak HIPAA Like a Native A Guide to Common HIPAA Nomenclature University of Miami Ethics Programs.
HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.
Health Insurance Portability and Accountability Act (HIPAA) CCAC.
Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees.
Understanding HIPAA (Health Insurandce Portability and Accountability Act)
© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.
PricewaterhouseCoopers 1 Administrative Simplification: Privacy Audioconference April 14, 2003 William R. Braithwaite, MD, PhD “Doctor HIPAA” HIPAA Today.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
HIPAA PRACTICAL APPLICATION WORKSHOP Orientation Module 1B Anderson Health Information Systems, Inc.
Rhonda Anderson, RHIA, President  …is a PROCESS, not a PROJECT 2.
Health Insurance portability and Accountability Act (HIPAA)‏
1 Privacy Plan of Action © HIPAA Pros 2002 All rights reserved.
HIPAA and Human Subjects Research IRB Member CE May 2014 Slideshow by Sean Horkheimer.
HIPAA Overview Why do we need a federal rule on privacy? Privacy is a fundamental right Privacy can be defined as the ability of the individual to determine.
HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule.
Copyright © 2002 PricewaterhouseCoopers LLP 1 HIPAA Privacy Modification Rule - Final Harvard Colloquium August 21, 2002 Tom Hanks Director Client Services.
PwC Issues in HIPAA Research Compliance William R. Braithwaite, MD, PhD “Dr. HIPAA” HIPAA Summit 6 Washington, DC 27 March 2003.
Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone: Fax:
HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule Melinda Hatton -- Oct. 31, 2002.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
HIPAA Privacy Rule Training
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
What is HIPAA? HIPAA stands for “Health Insurance Portability & Accountability Act” It was an Act of Congress passed into law in HEALTH INSURANCE.
The HIPAA Privacy Rule: Implications for Medical Research
HIPAA Administrative Simplification
Disability Services Agencies Briefing On HIPAA
The HIPAA Privacy Rule and Research
National Congress on Health Care Compliance
Analysis of Final HIPAA Privacy Modification Rule
Presentation transcript:

HIPAA’s Medical Privacy Standards: The Long and Really Winding Road Michael D. Bell, Esq. Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. Washington, D.C. (202)

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) The Road to Privacy

The Multiple Components of HIPAA

Components of “Administrative Simplification” Privacy Standards Standards for Electronic Transactions National Standard Provider Identifier National Standard Employer Identifier Security Standards Electronic Signature Standards Administrative Simplification

Standards for Electronic Transactions

Standards, Transactions and Code Sets In December 2001, Congress extended the deadline for the transaction set rule New deadline is October 16, 2003 Entities that want an extension must submit a detailed plan for compliance to HHS No effect on deadline for Privacy Regulation

ASCA On December 27, 2001, President Bush signed into law the Administrative Simplification Compliance Act. By October 16, 2002, covered entities must either: –be in compliance with the Standards for Electronic Transactions and Code Sets; or –submit a summary plan to the Secretary of Health and Human Services describing how the covered entity will come into full compliance with the standards by October 16, No effect on deadline for Privacy Regulation

ASCA HHS recently issued a model form that covered entities must complete in order to obtain the one-year compliance extension “Multiple related covered entities that are operating under a single implementation plan” are permitted to submit one form Forms are due by orm.asp

Privacy Regulation Final regulation became effective April 14, 2001, and providers have 2 years from that date to be in compliance HHS issued its first set of implementation guidance in July 2001 Major revision issued March 27, 2002, 67 Fed. Reg April 14, 2001

Privacy Regulation GOALS Give consumers control over their health information Regulate the use, disclosure and receipt of an individuals’ health information Ensure security of personal health information Establish accountability for health information use and release

Privacy Regulation COMPLIANCE DATE Covered entities must be in compliance with the rule by April 14, 2003 March 2002 Proposal would extend Business Associate requirements for a year, under certain circumstances

March 2002 Proposed Changes In March 2002 HHS issued proposed changes to the Privacy Regulation Extensive and far- reaching changes Generally well-received by the health care community Comments due by April 26th Does not affect compliance date

March 2002 Proposed Changes Consent becomes optional Good faith effort to obtain acknowledgement of Notice of Privacy Practices Simplifies Minimum Necessary requirements Delays compliance of Business Associate contracts, until modification or renewal

March 2002 Proposed Changes Simplifies marketing requirements Eases restrictions on research uses Greater rights to parents with respect to their children New standards for de-identification

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Scope of the Privacy Regulation

“In a Nutshell” The Privacy Regulations govern a covered entity’s use and disclosure of protected health information and grant individuals certain rights with respect to their protected health information. HIPAA sets the “floor” not the “ceiling”— more stringent state laws are not preempted.

Who is covered? Covered entities –health plans; –health care clearinghouses; and –providers that transmit health information in electronic form in connection with a HIPAA standardized transaction Also reaches the “Business Associates” of the covered entity

Organizational Structures A “hybrid entity” means a single legal entity that performs both covered and non-covered functions. Affiliated Covered Entities--the rules permit legally distinct covered entities that share common ownership or control to designate themselves, or their health care components, together to be a single covered entity Organized health care arrangements are arrangements involving clinical and/or operational integration among legally separate covered entities

Hybrid Entity March 2002 Proposed Changes In the March 2002 Proposal, HHS eliminates the “primary purpose” requirement, permitting any covered entity whose business activities include both covered and non-covered functions to designate itself as a hybrid entity.

Protected Health Information (PHI) All individually identifiable health information that is transmitted or maintained in any form or medium.

Individually Identifiable Health Information Created or received by a covered entity or employer; and Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual and which: –Identifies the individual; or –Offers a reasonable basis for identification of the individual

De-Identification PHI does not include information that has been “de-identified”: –specified list of identifiers removed; or –determination by statistical expert that risk of identification is very small Covered entity may assign code or other means of record identification to allow de-identified information to be re-identified if: –code not derived from or related to information otherwise capable of identifying the individual; and –covered entity does not use/disclose the code for any other purpose or disclose the mechanism for re- identification

De-Identification March 2002 Proposed Changes March 2002 Proposal requests comment on an alternative approach to de-identification Permits disclosure of limited data set that includes certain identifiers Disclosure only for research, public health, and health care operations Recipients of data would have to agree to limit its use

De-Identification March 2002 Proposed Changes Limited Data Set –Admission, discharge and service dates –Date of death –Age –Five digit zip code

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Key Concepts

Uses and Disclosures of PHI 4 types of “Permissions” –Consent –Oral agreement –None required –Authorization

Consent Direct health care providers must obtain consent from an individual before using or disclosing PHI for treatment, payment, or health care operations Once a consent is obtained, it may be used forever unless it is revoked in writing by the individual who gave it. In most circumstances, if the patient refuses to give consent for TPO, the provider may refuse to treat the patient

Consent Under the March 2002 Proposal Consent not required for TPO, although providers have the option of obtaining it Providers with a direct treatment relationship are required to make a “good faith effort” to obtain written acknowledgement of receipt of Notice Covered entity can disclose PHI to another entity for payment activities and some health care operations of the other entity, without consent

Authorizations If not otherwise permitted by the regulation, an authorization must be obtained – e.g., certain marketing activities, research, employment determinations, fund raising, psychotherapy notes Must be written in plain language and contain specific elements Only valid until the date/event specified, or until it is revoked in writing by the patient

Authorizations Under the March 2002 Proposal Requires all authorizations to contain certain core elements Where the individual that is the subject of the PHI initiates authorization for his own purposes, he does not have to reveal purpose Only marketing authorizations have to disclose any remuneration that may result

Authorizations Under the March 2002 Proposal All authorizations must contain statements regarding the following: –The right to revoke and process for doing so –Treatment, payment, enrollment eligibility for benefits not conditioned on authorization –Where “conditioning” is permissible, statement regarding the consequences –The potential for re-disclosure by recipient

Research “Research” has same definition as in the Common Rule Covered entities may use/disclose PHI for research if: –Obtain patient authorization; –Obtain documentation of an IRB or Privacy Board approval of a waiver of authorization; or –Obtain from the researcher representations that the use/disclosure is sought solely to review PHI as necessary to prepare a research protocol, no PHI will be removed from the covered entity in the course of the review, and PHI is necessary for the research purposes

Research Under the March 2002 Proposal Criteria for waiver made more consistent with requirements of Common Rule Simplify research authorizations: –Permit “end of research” or “none” for expiration date –Eliminate special authorization for research involving treatment –Permits research authorization to be combined with other legal documents related to the research

Minimum Necessary When using, disclosing or requesting PHI, a covered entity must limit PHI to the “minimum necessary to accomplish the intended purpose of the use, disclosure or request” except when: –Disclosing for purposes of treatment –Uses or disclosures made to the individual –Disclosures made to HHS –Uses or disclosures required by law

Minimum Necessary Under the March 2002 Proposal Permits incidental uses and disclosures, so long as reasonable safeguards in place Exempts from minimum necessary rule any uses or disclosures where entity has valid authorization Makes requirements applicable to requests for PHI more consistent with those applicable to disclosures of PHI

Business Associates “Business associates” (“BA”) are defined as persons, other than workforce members, who perform or assist in the performance of a function on behalf of, or provide services to, a covered entity and such function or service involves the use or disclosure of PHI.

Business Associates It is important to note that the BA relationship does not describe all relationships between covered entities and other persons or organizations BA contracts are only required where/when: –the covered entity is disclosing PHI to someone or some organization that will use the info on behalf of the covered entity BA requirements do not apply to covered entities who disclose PHI to providers for treatment purposes (i.e., hospital and physician; laboratory and physician)

Business Associates If the covered entity becomes aware of a violation of the rule by a business associate and fails to act in response, it can be PENALIZED. The fact that the business associate is performing the functions on behalf of the covered entity DOES NOT insulate the covered entity from enforcement.

Business Associates Under the March 2002 Proposal Existing contracts with BAs will not have to be compliant until April 14, 2004, unless renewed or modified in the interim Sample contract language is included in the appendix

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Patient Rights Administrative Requirements Enforcement

Patient Rights Notice of Privacy Practices Access, inspect and copy Accounting of disclosures Request amendments Restrict disclosures Request privacy protections

Notice Of Privacy Practices Purpose is to inform patients about kinds of uses and disclosures of PHI that may occur, their rights with respect to the PHI, and the covered entity’s duties under the rule Plain language Specified elements Complaints Contact person Revisions (going forward only)

Notice Under the March 2002 Proposal Notice is more important under March 2002 changes –Good faith effort to obtain individual’s written acknowledgement of receipt of Notice –Not applicable to indirect treatment providers –No standards for how provider obtains the patient’s acknowledgement

Access, Inspection, And Copying See and make copies of records Facility must respond within 30 or 60 days Facility may deny requests under limited circumstances Psychotherapy notes excluded

Accounting Of Disclosures All disclosures of PHI other than for treatment, payment, or health care operations Specified elements Patient entitled to receive accounting for previous 6 years Facility must respond within 60 days Patient entitled to one free accounting per year Facility must document disclosures, the written accounting given to patients, and the name and title of the person in the facility responsible for handling requests

Request Amendments Patients have the right to request amendments Under some circumstances, facility may deny patient’s request Procedures to follow for requesting amendments and responding to requests Facility must act on a request within 60 days

Restrict Disclosures Patients have the right to request that the facility restrict the use or disclosure of PHI Facility may choose not to grant the request If the facility agrees, is it bound Facility must establish policies and procedures to deal with requests

Request Privacy Protections Patients may request that the provider communicate PHI by alternative means or at alternative locations. –Example: if a patient does not want his family to know that he is receiving treatment, he may request that the facility send all communication to his work address. Facility must accommodate reasonable requests.

Administrative Requirements Designation of a “Privacy Official” Policies and Procedures Training Reporting and complaint processing mechanism Sanctions Duty to mitigate

Enforcement Efforts Prison and fines HHS Office of Civil Rights Guidance

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Implementation

Getting Started Identify HIPAA organizational structure(s) Create a “Privacy Task Force” Determine scope of the project –HIPAA –state privacy law –corporate compliance Conduct an assessment and inventory

Compliance Strategy Inventory uses of PHI Identify covered entities and business associates Develop and implement privacy procedures Develop and implement privacy procedures with business associates Monitor state laws

Thank You! Michael D. Bell, Esq. Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. Washington, D.C. (202)