HIPAA
Michigan Cancer Registrars Association
2005 Annual Educational Conference
Sandy Routhier
HIPAA History
– Health Insurance Portability and Accountability Act of 1996: “Administrative Simplification!”
– Federal Law – Published in the Federal Register
– The Department of Health and Human Services (HHS) issued the regulation: Standards for Privacy of Individually Identifiable Health Information
– The Office for Civil Rights (OCR) is the department responsible for implementing and enforcing the privacy regulation
HIPAA Privacy Regulations
– Compliance Date: April 14, 2003
– Primary Resource: Final Regulation (12/28/00, 8/14/02)
– Summary of Regulation
– State of Michigan’s Medical Record Access Act – House Bill 4706, signed by Governor Granholm on April 1, 2004, effective immediately (search for bill 4706)
Official Privacy Website
Other HIPAA Initiatives
– SECURITY REGULATIONS
  – Compliance Date: April 21, 2005
  – Final Regulation (2/13/03)
  – Fearsome Four: Audits, Activity Review, Risk Planning & Disaster Recovery
– TRANSACTION & CODE SET STANDARDS
  – Final Rule published: 8/17/00; Final Modifications: 2/20/03
  – Compliance Date: October 16, 2003 (July 2004)
  – Final Regulation: 5/0003ofr2-10.pdf
More HIPAA To Come
– NATIONAL PROVIDER IDENTIFIERS (NPI)
  – Final Rule published: 1/23/04 (See CMS website)
  – Can begin application process 5/23/05
  – Compliance Date: 5/23/07
– NATIONAL EMPLOYER IDENTIFIERS
  – Final Rule published: 5/31/02
  – Compliance Date: 7/30/04
– NATIONAL HEALTH PLAN IDENTIFIERS
– NATIONAL PATIENT IDENTIFIERS
Link to all HIPAA Regulations: /regulations/default.asp
PRIVACY REGULATIONS
Purpose
– To protect and enhance the rights of patients by providing them with access to their health information and controlling the inappropriate use of that information
– To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for privacy protection
PATIENT PRIVACY
– With or without HIPAA, protecting the privacy of health information is important to consumers
– Consumers are concerned about unauthorized disclosures of personal health information
– Rightly or wrongly, consumers are distrustful of providers, plans and employers in regard to their personal health information
PRIVACY BASICS
– Covered Entities
  – Health care providers, Health Plans & Clearinghouses
– Business Associates
– Privacy Officer
– Notice of Privacy Practices (Privacy Notice)
– PHI = Protected Health Information
  – Oral, Written, Electronic
– Minimum Necessary
– Incidental Uses & Disclosures
Privacy Basics
– TPO = Treatment, Payment, Healthcare Operations
– Accounting for Disclosures
– Directory – Hospital/Clergy
– Reasonable Safeguards
  – Role-based Access
– Request for Amendments
– Request for Restrictions
– Complaint Process
Penalties
– Civil penalties of $100 per violation, up to $25,000 per standard violated per year
– Criminal penalties up to $250,000 and 10 years imprisonment
Security Basics
– Administrative Procedures
  – Policies & Procedures
– Physical Safeguards
  – Theft, Snooping
  – Vandalism, Environment
  – Disaster Recovery
– Technical Security
  – Authorizing
  – Accounting for Access
  – Encryption
Cancer Registry Impact
– Access to PHI
– Reporting data
– Patient follow up
– Accounting for disclosures
– Business Associate Agreements