1
HIPAA CONFIDENTIALITY
Paul A. Stewart, Esq.
Foley & Lardner
One Maritime Plaza, 6th Floor
San Francisco, CA
2
What’s to Simplify?
- Health Claims Encounter Information
- Attachments to Health Claims
- Health Plan Enrollment/Disenrollment
- Eligibility Verification
- Claims Payments/Remittance Advice
- Payment of Premiums
- First Report of Injury
- Referral Certification/Authorization
- Claim Status
- Coordination of Benefits
3
Who Must Comply?
- A “Health Care Provider” - Furnishes, Bills or Gets Paid for Health Care Services or Supplies
- A “Health Plan” - Provides or Pays for Medical Care
- A “Health Care Clearinghouse” - Processes non-standard into standard data elements
- “Business Partners” - Agents of Covered Entities
4
To What Do Regulations Apply?
“Health Information” (security regulations)
- Created by providers, health plans, public health authorities, employers, life insurers, schools or universities
- Relates to the physical/mental condition, provision of health care, payment
5
To What Do Regulations Apply? (cont’d)
“Protected Health Information” (“PHI”) (confidentiality regulations)
- Health information that identifies the individual or could reasonably be used to identify the individual
6
When To Comply?
- Whenever health information is electronically transmitted or maintained (security regulations)
- Whenever protected health information is electronically transmitted or maintained in connection with a standard transaction (confidentiality regulations)
- Obligations apply to information, not documents
7
Why Comply?
- Civil Monetary Penalties: up to $100 Per Violation/Per Person, with $25,000 Annual Limit Per Each Standard Violated
- Criminal Penalties for “Knowing Misuse”: $50,000–$250,000; Prison 1–10 years
- Greatest Penalties Reserved for Intent to Sell/Transfer/Use for Commercial Advantage, Personal Gain or Malicious Harm
8
What are the Confidentiality Rules?
- Disclosure/Use prohibited except as permitted by the regulation
- Permitted Disclosures:
  - As authorized by the individual
  - For health care treatment, payment, operations (except research and psychotherapy notes)
  - In connection with national policy activities
9
What are the Rules? (cont’d)
- Required Disclosures
  - Request by the individual
  - Investigation of compliance by government
- Circumstances Requiring Individual Authorization
  - Marketing; sale, rental, barter; eligibility; fundraising; employers; research unrelated to treatment; psychotherapy notes
- Minimum Necessary
10
What are the Rules? (cont’d)
Patient Rights
- To Receive Adequate Notice of Information Practices
- To Inspect and Copy PHI
- To Request Amendment/Correction of PHI
- To Request Restriction on Uses/Disclosure of PHI
- To Receive Accounting of Uses/Disclosures
11
What Do I Have To Do?
- Designate a Privacy Official
- Contact person/office
- Assess whether HIPAA preempts state law
- Assess current policies and procedures
- Develop comprehensive policies and procedures
- Draft contracts - Business partner/Chain of trust agreements
12
Preemption
- Assess whether HIPAA preempts state law
- Federal standard, requirement or implementation specification contrary to state law
- Exceptions
  - State law is necessary for certain purposes
  - State law is more stringent
  - State law relates to audits, licensure, certification, reporting of child abuse, births, deaths, injuries, public health activities
13
Policies and Procedures
Assess current policies and procedures
- What does your organization do to ensure PHI is not improperly disclosed?
- How do you monitor compliance with your current policies and procedures?
- What are the consequences in your organization if PHI is disclosed in violation of current legal requirements/p&p’s?
- Are your policies and procedures written?
14
Policies and Procedures (cont’d)
Develop comprehensive policies and procedures related to:
- Determining when disclosures are permitted/required
- Conditions applicable to certain permitted disclosures
- Minimum necessary standard
- Authorizations
15
Policies and Procedures (cont’d)
- De-identifying PHI
- Business partners
- Deceased individuals
- Right to requests for restrictions
- Right to notice of information practices
- Right to access
16
Policies and Procedures (cont’d)
- Right to accounting of disclosures
- Right to amendments and corrections
- Verification of identity/authority of requester
- Training
- Sanctions
- Complaints
- Changes in policies or procedures
17
Further Documentation
Must create documents related to the following and retain such documents for six years:
- Requested restrictions
- Contracts with business partners
- Authorization forms
- Notifications of information practices
18
Further Documentation (cont’d)
- Statements regarding access/denial to PHI
- All accountings provided
- Denials of amendment/correction requests
- Employee certifications
- Complaints
19
Business Partner Contracts
- Examples: Lawyers, auditors, consultants, TPA’s, DP firms
- Disclosures only as permitted/required
- No disclosures if disclosure by covered entity would violate regulation
- Safeguards established to prevent improper uses/disclosures
- Improper uses/disclosures reported
- Consistent subcontracts
- Right of access provided
20
Business Partner Contracts (cont’d)
- Access by Secretary of DHHS to books/records pertaining to uses/disclosures
- PHI returned/destroyed upon termination of contract
- Amendments/corrections incorporated
- Third party beneficiaries/Liability to Patients for breach
- Termination upon improper use/disclosure
- Material breach may be noncompliance
- Need for audit trail