HIPAA Privacy Modification Rule - Final. Harvard Colloquium, August 21, 2002. Tom Hanks, Director Client Services. Copyright © 2002 PricewaterhouseCoopers LLP.

Presentation transcript:

HIPAA Privacy Modification Rule - Final
Harvard Colloquium, August 21, 2002
Tom Hanks, Director Client Services, Health Care Practice
Copyright © 2002 PricewaterhouseCoopers LLP

Privacy Modification Rule - Components
• Use & Disclosure of PHI
  – Consent & Notice
  – Authorization
• Minimum Necessary Provision
• Business Associates
• Parental Rights

Privacy Modification Rule - Components
• Marketing Communications
• Research & De-identification
• Technical Modifications
  – Accounting for disclosures
  – Hybrid Entities
  – Sales of covered entities
  – Security/Safeguards

Using And Disclosing PHI – Consent
• Removes consent requirement for use & disclosure for TPO
  – Retains right to request restrictions
  – Requires good faith effort to obtain acknowledgement of notice
  – Layered notices preferred

Using And Disclosing PHI – Sharing PHI for TPO
• Treatment – unlimited between all providers
• Payment – between covered entities and non-covered providers
• HCO – only between covered entities (limited)

Using And Disclosing PHI – Authorization
• Simplifies Authorization
  – Eliminates special authorizations based on purpose
  – Sets core criteria
  – Sets minimum requirements for informational statements

Using And Disclosing PHI – Authorization (cont’d)
• Core Criteria
  i. A description of the information to be used or disclosed,
  ii. The identification of the persons or class of persons authorized to make the use or disclosure of the protected health information,
  iii. The identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure,

Using And Disclosing PHI – Authorization (cont’d)
• Core Criteria
  iv. A description of each purpose of the use or disclosure,
  v. An expiration date or event,
  vi. The individual’s signature and date, and
  vii. If signed by a personal representative, a description of his or her authority to act for the individual.

Using And Disclosing PHI – Authorization (cont’d)
• Informational statements
  i. A statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke, and instructions on how to exercise such right or, to the extent this information is included in the covered entity’s notice, a reference to the notice.

Using And Disclosing PHI – Authorization (cont’d)
  ii. A statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule or, if conditioning is permitted, a statement about the consequences of refusing to sign the authorization,

Using And Disclosing PHI – Authorization (cont’d)
  iii. As appropriate, a statement about the potential for the protected health information to be re-disclosed by the recipient. This statement could inform the individual that the information will be disclosed to another covered entity where it would still be protected, or disclosed to a non-covered entity for which protections may not be available under HIPAA. However, if disclosed to an entity that is subject to other privacy laws or privacy policies, those laws and/or policies that may provide further protection may be stated.

Using And Disclosing PHI – Authorization (cont’d)
• Conditioning payment of claim is no longer allowed
• Removes individual’s right to revoke in certain circumstances
• Prevents requiring an individual to list a purpose for disclosure for their own purposes

Using And Disclosing PHI – Authorization (cont’d)
• Disclosing remuneration only required for marketing.
• Mandates authorization for all marketing
• Clarifies no disclosure of psych notes without authorization

Minimum Necessary Provision
• Permits incidental disclosures
• Clarifies role-based access
• Requires policies & procedures for processing non-routine disclosures
• Clarifies MNP does not apply to release of PHI to the individual

Minimum Necessary Provision – (cont’d)
• Affirms “reasonable standard” – eliminates the term “reasonably ensure”
• Clarifies the MNP is intended to be flexible
  – Facility redesigns & expensive computer upgrades not required
• Clarifies Sign-in sheets may be OK

Business Associates
• Allows BA’s to operate under existing contracts until April 14, 2004
• Offers sample language for BAC
• Oops – maintains the requirements for mitigation

Parental Rights & Unemancipated Minors
• Clarifies that state laws govern disclosure of PHI of minors
  – If laws specifically address the issue
  – If laws leave disclosure to discretion of the provider
• Establishes a neutral position when parent is not the personal representative or law is silent or unclear

Marketing Communications
• Simplifies by removing special marketing provisions
  – New marketing definition
  – New marketing exclusions
• Requires authorization for any use of PHI for marketing

Marketing Communications – (cont’d)
• Broadens “marketing” definition
  i. “to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service” OR

Marketing Communications – (cont’d)
  ii. “an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service”
• Clarifies that remuneration does not define marketing

Marketing Communications – (cont’d)
• Clarifies marketing exceptions
  i. Participating providers and health plans in a network, the services offered by a provider, or the benefits covered by a health plan.

Marketing Communications – (cont’d)
  ii. Individual’s treatment
  iii. Case management or care coordination for that individual, or directions or recommendations for alternative treatments, therapies, health care providers, or settings of care

Research & De-Identified Information
• Simplifies IRB/Privacy Board waiver criteria
  – Aligns with Common Rule
    · Evidence of adequate plans to protect & destroy identifiers & prohibit reuse or re-disclosure
    · Ability to perform research without the waiver

Research & De-Identified Information - (cont’d)
• Standardizes authorization requirement
  – Eliminates expiration date
• Clarifies that research entities can continue to use PHI collected after authorization revocation
• Clarifies use of re-identification codes

Research & De-Identified Information - (cont’d)
• Consolidates transition period to grandfather prior permissions
• Adds limited data set alternative
  – Prescription number cannot be included in limited data set
  – Includes Dates & Geographic Info (State & Zip)

Research & De-Identified Information - (cont’d)
• Limited Data Set Excludes
  i. Names;
  ii. Postal address information, other than town or city, State, and zip code;
  iii. Telephone numbers;
  iv. Fax numbers;
  v. Electronic mail addresses;
  vi. Social security numbers;
  vii. Medical record numbers;
  viii. Health plan beneficiary numbers;
  ix. Account numbers;
  x. Certificate/license numbers;
  xi. Vehicle identifiers and serial numbers, including license plate numbers;
  xii. Device identifiers and serial numbers;
  xiii. Web Universal Resource Locators (URLs);
  xiv. Internet Protocol (IP) address numbers;
  xv. Biometric identifiers, including finger and voice prints; and
  xvi. Full face photographic images and any comparable images.

Research & De-Identified Information - (cont’d)
• Who can use a Limited Data Set
  – May only be used for the purposes of health care operations, public health and research
  – Not for use between health plans and plan sponsors
  – Requires Data Use Agreement for use of Limited Data Set

Research & De-Identified Information - (cont’d)
• Terms of Data Use Agreement
  i. Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
  ii. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;

Research & De-Identified Information - (cont’d)
  iii. Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
  iv. Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions; and,
  v. Not identify the information or contact the individuals

Accounting for Disclosures
• Removes requirements to account for disclosures made under authorizations
• Excludes uses or disclosures of Limited Data Set

Hybrid Entities
• Removes non-covered entity restrictions
  – Designate covered/non-covered components
  – Create “firewalls”
  – Include components that would be business associates
    · “Firewalls” required to protect information in BA components that serve both covered & non-covered components

Hybrid Entities - (cont’d)
• Excludes health information in covered entities’ employment records from PHI
  – Employment records not limited to specific “physical” files – context based
• Treats sharing of PHI between covered & non-covered components as it would separate legal entities

Hybrid Entities - (cont’d)
• Non-health care components cannot be included in covered components unless they act as business associates
• Treats sharing of PHI between covered & non-covered components as it would separate legal entities

Hybrid Entities - (cont’d)
• Employers, plan sponsors and group health plans cannot be treated as separate components of a hybrid entity
  – Separate legal entities

Sale of a Covered Entity
• Allows PHI to be disclosed to the purchasing entity without authorization

Enrollment Information
• Clarifies that enrollment information can be shared between a health plan and plan sponsor

Protects Disclosures to FDA
• Ensures that covered entities can disclose PHI to FDA
• Clarifies that Privacy rule not intended to disrupt flow of information to FDA

Security and Privacy
• Clarifies no potential conflict between Privacy & Security rules
  – Privacy covers all PHI
  – Security only covers PHI maintained or transmitted electronically
• All safeguards required under Privacy apply regardless of Security rule

Questions?
Tom Hanks, Director Client Services, Health Care Practice