Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Administrative Simplification

Published byHortense Lawrence Modified over 6 years ago

Similar presentations

Presentation on theme: "HIPAA Administrative Simplification"— Presentation transcript:

1 HIPAA Administrative Simplification
Health Information Privacy William R. Braithwaite, MD, PhD “Dr. HIPAA” HIPAA Summit West II San Francisco, CA March 14, 2002

2 Requirements for Privacy
HIPAA requires: “Standards with respect to the privacy of individually identifiable health information …” Final Rule published 12/28/2000 Guidance issued 7/6/01. Compliance required 4/14/2003. Modifications will be proposed in NPRM soon. Expect proposals to decrease administrative burden. Expect no change in compliance date.

3 5 Principles of Fair Info Practices
Openness [Notice] Existence and purpose of record-keeping systems must be publicly known. Individual Participation [Access] Individual right to see records and assure quality of information. accurate, complete, and timely. Security Reasonable safeguards for confidentiality, integrity, and availability of information. Accountability [Enforcement] Violations result in reasonable penalties and mitigation. Limits on Collection, Use, and Disclosure [Choice] Information collected only with knowledge and consent of subject. Information used only in ways relevant to the purpose for which the data was collected. Information disclosed only with consent or legal authority.

4 Bare Bones of HIPAA Privacy Standards

5 Scope: What is Covered? Protected health information (PHI) is:
Individually identifiable health information, Transmitted or maintained in any form or medium, Held by covered entities or their business associates. De-identified information is not covered. Specific rules determine de-identification.

6 Individual’s Rights Individuals have the right to:
A written notice of information practices from health plans and providers. Inspect and obtain a copy of their PHI. Obtain an accounting of disclosures. Amend their records. Request restrictions on uses and disclosures. Accommodation of reasonable communication requests. Complain to the covered entity and to HHS.

7 I just want to be left alone!

8 Key Points Covered entities can provide greater protections if they want. Required disclosures are limited to: Disclosures to the individual who is the subject of information. Disclosures to OCR to determine compliance. All other uses and disclosures in the Rule are permissive.

9 Uses and Disclosures Must be limited to what is permitted in the Rule:
Treatment, payment, and health care operations (TPO). Uses and disclosures involving the individual’s care or directory assistance, Requiring an opportunity to agree or object. For specific public purposes. All others as authorized by individual. Requirements vary based on type of use or disclosure.

10 Consent: Rule Written consent required before direct treatment provider may use PHI for TPO. Exceptions: emergency treatment situation, substantial communication barriers, when required by law to treat. Not required for: Indirect Treatment Providers, Health Plans, Health Care Clearinghouses.

11 Policy Exceptions Covered entities may use or disclose PHI without a consent or authorization only if the use or disclosure comes within one of the listed exceptions & certain conditions are met; As required by law. Health care oversight. For public health. The final rule also permits, but does not require, covered entities to use or disclose PHI without a consent or authorization if the use or disclosure falls within one of the listed exceptions. These exceptions include: uses and disclosures required by law, uses and disclosures for involvement in the individual’s case, and uses and disclosures for health care oversight.

12 Policy exceptions, (2) For research. For law enforcement.
For judicial proceedings. For other specialized government functions. To facilitate organ transplants. To Coroners, medical examiners, funeral directors.

13 Authorizations (not TPO)
Generally, covered entities must obtain an individual’s authorization before using or disclosing PHI for purposes other than treatment, payment, or health care operations. Most uses or disclosures of psychotherapy notes require authorization. The final rule requires that, as a general rule, covered entities must obtain an individual’s authorization before making any other use or disclosure of PHI. This authorization must comply with the requirements set forth in the text of the regulation. For example, it must include certain information such as a description of the information to be used or disclosed, the name of the person(s) or class of persons authorized to make the disclosure, and the name of the person(s) or class of persons to whom the disclosure will be made. As a general rule, covered entities may not condition treatment, payment, or enrollment on the provision of an authorization. The authorization must contain the required elements described in the rule.

14 HIPAA: it not only looks complicated …

15 Minimum Necessary Covered entities must make reasonable efforts to limit the use or disclosure of PHI to minimum amount necessary to accomplish their purpose. Exceptions: Disclosure to or request by provider for treatment. Disclosure to individual. Under authorization (unless requested by CE). Required for HIPAA standard transaction. Required for enforcement. Required by law.

16 Minimum Necessary: Rule
Reasonableness standard - consistent with best practices in use today. “Role-based” access limits. Standard protocols for routine & recurring uses / disclosures. Review each non-routine disclosure. May rely on judgment of requestor if: public official for permitted disclosure. covered entity. professional within covered entity. BA for provision of professional service for CE. researcher with IRB documentation.

17 Oral Communication All forms of communication covered.
Requires reasonable efforts to prevent impermissible uses and disclosures. Policies and procedures to limit access/use except disclosure to or request by provider for treatment purpose.

18 Business Associates Agents, contractors, others hired to do work of or for covered entity that requires PHI. Satisfactory assurance – usually a contract --that a business associate will safeguard the protected health information. No business associate relationship is required for disclosures to a health care provider for treatment.

19 Business Associates (2)
Covered entity is responsible for actions of business associates, if: knew of violation of business associate agreement failed to act. Liability only when: CE is aware of material breach & fails to take reasonable steps to cure breach or end relationship. Monitoring is not required.

20 Administrative Requirements
Flexible & scalable. Covered entities required to: Designate a privacy official. Develop policies and procedures (including receiving complaints). Provide privacy training to its workforce. Develop a system of sanctions for employees who violate the entity’s policies. Meet documentation requirements.

21 Hippocratic Philosophy of Rule-Making
First, do no harm … to the patient to the provider to the parts of the system that work! Don’t go too far … either way reaction could kill it. Oath

22 Rule #1: Don’t surprise the patient!!!

23 Resources Office for Civil Rights Web Site:
for privacy related publications and questions.

24 Pwc

Download ppt "HIPAA Administrative Simplification"

Similar presentations

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,

The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Minimum Necessary Standard Version 1.0

Minimum Necessary Standard Version 1.0
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.

P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
North Carolina State University Health Information Privacy 4/16/03.

North Carolina State University Health Information Privacy 4/16/03.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Overview of HIPAA Administrative Simplification and Privacy Regulations Darrel J. Grinstead, Partner Amy B. Kiesel, Associate Hogan & Hartson L.L.P.

Overview of HIPAA Administrative Simplification and Privacy Regulations Darrel J. Grinstead, Partner Amy B. Kiesel, Associate Hogan & Hartson L.L.P.
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.
HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa.

HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa.
HIPAA Health Insurance Portability & Accountability Act of 1996.

HIPAA Health Insurance Portability & Accountability Act of 1996.
Notice of Privacy Practices Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs,

Notice of Privacy Practices Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs,

Similar presentations

Ads by Google