Slide 1: Privacy for Compliance Professionals
Michael D. Bell, Esq., Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C., Washington, DC
Slide 2: The Multiple Components of HIPAA
Components: Standardized Transactions; Code Sets; National Standard Identifiers (Provider, Employer); Security Standards; Electronic Signature Standards; Privacy Standards.
Notes:
- HIPAA was passed by Congress and signed into law in the summer of 1996.
- Administrative Simplification (AS) is only one of several parts of HIPAA. The purpose of AS is to make the health care system more efficient and effective by standardizing the electronic exchange of administrative and financial data. In so doing, we need to protect the security and privacy of individually identifiable health information.
- The goal is to promote the free flow of health information in order to provide high quality health care services, while also assuring that individuals’ health information is appropriately protected.
Slide 3: Recent HIPAA News
On December 27, 2001, President Bush signed into law the Administrative Simplification Compliance Act. By October 16, 2002, covered entities, including pharmacies, must either:
- be in compliance with the Standards for Electronic Transactions and Code Sets; or
- submit a summary plan to the Secretary of Health and Human Services describing how the covered entity will come into full compliance with the standards by October 16, 2003.
Slide 4: Proposed Security and Electronic Signature Standards (Overview)
Slide 5: Security Standards
Four components: Administrative; Physical; Technical Services; Technical Mechanisms.
UPDATE: HHS OCR has reported that the final version of the Security and Electronic Signature Standards has been forwarded to OMB for final review and should be released before the end of the year.
Notes:
- Administrative: certification; chain of trust agreement; formal mechanism for processing records; information access control; internal audit; personnel security; security configuration management; security incident procedures; termination procedures; training.
- Physical: assigned security responsibility; media controls; physical access controls; workstation use/location; awareness training.
- Technical Services: access control; audit controls; authorization control; data authentication; entity authentication.
- Technical Mechanisms (required if using open networks): alarm; audit trail; event reporting; integrity controls; message authentication; plus encryption or access controls.
Slide 6: Standards for Privacy of Individually Identifiable Health Information
Overview of the “Privacy Regulations”
Slide 7: “In a Nutshell”
The Privacy Regulations govern a covered entity’s use and disclosure of protected health information and grant individuals certain rights with respect to their protected health information.
Slide 8: Covered Entities
Covered entities are:
- health plans;
- health care clearinghouses; and
- providers that transmit health information in electronic form in connection with a HIPAA standardized transaction.
The rules also reach indirectly the “Business Associates” of the covered entity.
Notes:
- Health plan: HMO; insurance company; employee welfare benefit plan (50 or more participants); TPA. May be fully insured or self-insured. If plan documents are amended to protect information from being used inappropriately in employment-related decisions, the HMO or insurer can exchange information without a business associate agreement and without having to address the minimum necessary standard. Amended plan documents must describe permitted uses/disclosures, require certification by the plan sponsor, and provide adequate firewalls.
- Health care clearinghouse: billing services; repricing companies; information systems or community health information systems; “value added” networks and switches. Processes health information received in a nonstandard format or containing nonstandard data elements, or vice versa.
- Health care providers: must transmit health information in electronic form in connection with a standard transaction. Providers become covered entities if they use another entity to conduct standard transactions on their behalf.
Slide 9: Protected Health Information (PHI)
All individually identifiable health information that is transmitted or maintained in any form or medium.
Slide 10: Individually Identifiable Health Information
Information that is:
- created or received by a covered entity or employer; and
- relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual; and which
- identifies the individual, or offers a reasonable basis for identification of the individual.
Significance of the term “covered entity”: information collected at the front end of a hybrid entity will not be considered PHI.
Slide 11: Uses and Disclosures of PHI
Four categories of uses and disclosures of PHI:
- Consent required: direct treatment providers; treatment, payment, and health care operations.
- Oral agreement required: facility directories and disclosures in the presence of personal care givers.
- No consent, authorization or agreement required: required by law, for public health activities, etc.
- Authorization required: all other uses and disclosures.
Slide 12: General Rules for Uses and Disclosures
Minimum Necessary; Business Associates
Slide 13: Minimum Necessary
Covered entities must limit the PHI used or disclosed to the minimum necessary to achieve the purpose of the use or disclosure. This does not apply to uses or disclosures for treatment or to disclosures made to the individual directly.
Covered entities must identify persons or classes of persons who need access to PHI, and the categories of PHI that they need access to, in order to carry out their duties.
Example: If the facility can accomplish the same purpose by disclosing only a portion of an individual’s medical record, as opposed to the entire medical record, it should do so.
Reasonableness: limit unnecessary sharing; consistent with professional judgment and standards; substantial discretion.
For routine or recurring requests or disclosures, the facility must develop policies and procedures to limit information to the minimum necessary.
Slide 14: Business Associates
“Business associates” (“BA”) are defined as persons, other than workforce members, who perform or assist in the performance of a function on behalf of, or provide services to, a covered entity, where such function or service involves the use or disclosure of PHI. Covered entities are required to execute agreements with each of their business associates to ensure that PHI provided to business associates is protected in the same manner as required of the covered entity. BAs include, among others, consultants, accountants, auditors, accreditation bodies, and lawyers.
Slide 15: Patient Rights
Rights: Notice of Privacy Practices; access, inspect and copy; accounting of disclosures; request amendments; restrict disclosures; request privacy protections.
Notes:
- Notice of Privacy Practices (§ ): uses and disclosures of PHI that may occur; individual’s rights; covered entity’s duties; plain language; specified elements; complaints contact; revisions; date of first service delivery / effective date; provide, post, have available, website.
- Access (§ ): see and get copies of their medical records; request amendments. Denial of access/correction is permitted for: psychotherapy notes; information subject to Privacy Act requirements; endangerment of health or safety of self or others; information likely to cause “harm” to another; confidential information if it reveals its source; information compiled for a legal proceeding.
- Accounting of disclosures (§ ): 6 years prior (after compliance date); does not include uses made for payment, treatment or operations; includes disclosures to or by business associates; reply within 60 days of receipt of request; one accounting per 12 months at no charge; documentation: disclosures, written accounting, titles of persons accountable for processing the request.
- Right to have covered entity amend PHI (§ ): may deny if the PHI was not created by the covered entity, is not part of the designated record set, is not available for inspection, or is accurate and complete.
- Right to request restriction of uses and disclosures (§ (a)): covered entity not required to agree; termination; documentation.
- Right to request confidential communication by alternative means and at alternate places (§ (b)): covered entity must accommodate reasonable requests.
Slide 16: Administrative Requirements
- Designation of a “Privacy Official”
- Policies and procedures
- Training
- Reporting and complaint processing mechanism
- Sanctions
- Duty to mitigate
Slide 17: Getting Started
- Identify HIPAA organizational structure(s)
- Corporate compliance program integration?
- Create a “Privacy Task Force”
- Determine scope of the project: HIPAA; state privacy law; corporate compliance
- Conduct an assessment and inventory
Other laws: COPPA; GLB; state laws; practice acts and licensure laws; medical records privacy laws; insurance law; new electronic media initiatives; fraud and abuse laws; European Union Data Directive.
Slide 18: Compliance Integration
Slide 19: Organizational Structures
- A “hybrid entity” or “component entity” means a single legal entity that is a covered entity and whose “covered functions” are not its primary functions.
- Affiliated entities: the rules permit legally distinct covered entities that share common ownership or control to designate themselves, or their health care components, together to be a single covered entity.
- Organized health care arrangements are arrangements involving clinical and/or operational integration among legally separate covered entities.
Notes:
Hybrid entity. TEST: Is most of what the covered entity does related to its health care functions? Examples include: a school or business with a clinic; an employer that self-administers a health plan; and an entity with different insurance lines. The significance is that if appropriate safeguards are implemented (e.g., firewalls), the requirements are inapplicable to the other components within the organization; training implications; access, accounting of disclosures. Particularly significant to manufacturers/suppliers.
Group health plans as organized health care arrangements: We include three relationships related to group health plans as organized health care arrangements. First, we include a group health plan and an issuer or HMO with respect to the group health plan within the definition, but only with respect to the protected health information of the issuer or HMO that relates to individuals who are or have been participants or beneficiaries in the group health plan. We recognize that many group health plans are funded partially or fully through insurance, and that in some cases the group health plan and issuer or HMO need to coordinate operations to properly serve the enrollees. Second, we include a group health plan and one or more other group health plans each of which are maintained by the same plan sponsor. We recognize that in some instances plan sponsors provide health benefits through a combination of group health plans, and that they may need to coordinate the operations of such plans to better serve the participants and beneficiaries of the plans. Third, we include a combination of group health plans maintained by the same plan sponsor and the health insurance issuers and HMOs with respect to such plans, but again only with respect to the protected health information of such issuers and HMOs that relates to individuals who are or have been enrolled in such group health plans.
provider may disclose protected health information for “billing, claims.
Affiliated entity: common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policy of another entity. Common ownership exists if an entity or entities possess an ownership or equity interest of 5% or more. Significant implications: single notice of privacy practices, single consent.
Organized health care arrangement: administration of the privacy compliance program may be centralized. Includes clinically integrated care settings, certain organized health systems, and certain group health plan relationships. Organized health systems must (1) hold themselves out to the public as participating in a joint arrangement; and (2) participate in joint activities that include at least one of the following 3 activities: UR, QA/QI, payment. One consent (joint consent). No business associate agreements are needed between the parties, as they are not business associates: HMO and group health plan; hospital and member of medical staff; HMO and participating provider. Accounting of disclosures does not apply to disclosures made for health care operations, which is defined as activities of a covered entity or an organized health care arrangement. An IPA is an example.
Slide 20: Privacy Task Force
- Privacy Officer: responsible for the development and implementation of the policies and procedures of the covered entity.
- Task force: assists with the development and day-to-day operations of the Privacy Program. Members: Pharmacy; Marketing; Human Resources/Benefits; Legal; Information Systems; Compliance.
- MANAGEABILITY
Slide 21: Project Scope
- HIPAA
- State statutes, regulations, and common law
- Other federal privacy laws (e.g., COPPA)
- Corporate compliance
Slide 22: Privacy Assessment
- Identify the flow of PHI throughout the covered entity, including subsidiaries, sister companies, trading partners, and business associates: data elements within the record; the purposes for uses and disclosures; whether there is a sale of data; the retention period for data; the final disposition of the data; the instrumentality.
- Gather existing policies and procedures that address privacy, security, confidentiality, data management, and records retention.
- Identify available infrastructure.
- Compare your findings to the requirements set forth in the regulations and state statutory, regulatory and common law.
- Consider engaging legal counsel to maintain attorney-client privilege.
- CORPORATE COMPLIANCE
Slide 23: THANK YOU
Michael D. Bell, Esq., Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C.