Download presentation
Presentation is loading. Please wait.
Published byHarley Tuckness Modified over 9 years ago
1
HIPAA and Privacy An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Reid Cushman, UM Ethics Programs cush@miami.edu
2
forces for health privacy ● a new federal law – called ”HIPAA” – adds national protections for everyone's health information ● however, there are many other sources of health privacy protection ● HIPAA, while important, is only one part of the picture
3
forces for health privacy ● federal law (HIPAA) ● state law ● licensing and certification bodies (JCAHO, NCQA) ● health professions' licensing organizations (AMA, ANA and many others) ● your own ethical standards
4
HIPAA and its goals Health Insurance Portability and Accountability Act ● make health insurance coverage more portable between jobs ● reduce waste and fraud in the health care system
5
HIPAA and its goals Health Insurance Portability and Accountability Act ● make the health system “more efficient” overall ● and encourage use of electronic record-keeping systems for health data
6
the connection to privacy ● paper records are very expensive (even if it seems otherwise) ● it can be difficult to find information when you need it
7
the connection to privacy ● paper can only be in one place at a time ● record duplication brings potential for error – and more expense
8
the connection to privacy ● electronic records are much cheaper (in the long run) ● it is much easier to find information -- both for those who should have it, and those who shouldn't
9
the connection to privacy ● so, a much greater need for security and privacy protections than with paper records ● HIPAA's standards are a national response to the health privacy issues raised by computers
10
HIPAA's four Standards (“Rules”) Transactions and Code Sets standard formats for all electronic transactions Identifiers Security Privacy
11
HIPAA's four Standards (“Rules”) Transactions and Code Sets Identifiers standard IDs for health plans, providers, employers Security Privacy
12
HIPAA's four Standards (“Rules”) Transactions and Code Sets Identifiers Security computer, communications protection technologies Privacy
13
HIPAA's four Standards (“Rules”) Transactions and Code Sets Identifiers Security Privacy procedural protections for all health information
14
what is covered by HIPAA? “protected health information” (PHI) ● any identifiable information ● related to the “past, present or future physical or mental health” of a person ● used for treatment, payment or any other function
15
what is covered by HIPAA? ● protected health information (PHI) can be in “any form or medium” ● electronic, paper and even oral communications of PHI are covered by HIPAA's Privacy Rule ● only totally “de-identified” information is unprotected
16
who is covered by HIPAA? “covered entities” ● health providers, health plans, and information clearinghouses ● organizations that provide or pay for health services ● basically, any entity that uses or discloses health data
17
who is covered by HIPAA? ● customers (patients) of covered entities receive protections – privacy rights – for their health information ● covered entities, and those that work in them, have privacy obligations to ensure that HIPAA protections are achieved
18
individual rights under HIPAA ● to receive a “Notice of Privacy Practices” outlining how one's health information may be used or disclosed ● to obtain a copy of one's full health record (except for psychotherapy notes) ● to correct – or at least note disagreement – if the record appears to be in error
19
individual rights under HIPAA ● to know (some of) the persons and organizations to whom one's health information has been disclosed ● to ask for extra protection or confidential communications of particularly sensitive data ● to authorize certain additional “non-standard” uses or disclosures
20
individual rights under HIPAA ● to be assured that the institution follows appropriate privacy and security practices ● to complain to the covered entity's Privacy Officer – or directly to DHHS Office of Civil Rights – if one believes HIPAA rights have been violated
21
covered entities' responsibilities ● to give each patient (customer) the Notice that outlines their privacy rights ● the Notice must describe planned uses and disclosures, including the “basic” ones for treatment, payment and health care operations ● written acknowledgment of Notice must be obtained
22
covered entities' responsibilities ● to provide an opportunity for individuals to discuss any privacy concerns ● all individuals should understand their rights, including what to do if they feel their rights have been violated ● a process must be in place to handle problems and complaints
23
covered entities' responsibilities ● to get authorization for certain additional kinds of uses and disclosures, beyond those for treatment, payment or basic health care operations ● to undertake the additional uses and disclosures permitted by law in an appropriate manner
24
covered entities' responsibilities ● to develop reasonable, appropriate privacy and security policies ● to train all members of the workforce in those policies “as necessary and appropriate” to their job duties ● to get assurances from any business associates that handle PHI on the covered entity's behalf
25
● to use or disclose protected health information only for work-related purposes ● to limit uses and disclosures to the “minimum necessary” to achieve those work purposes ● and to otherwise exercise reasonable caution, to protect all PHI under their control obligations of health facility workers
26
● to understand the facility's privacy and security policies, and follow them ● to try to remedy any privacy problems – or report them to the facility Privacy Officer or DHHS Office of Civil Rights ● HIPAA prohibits covered entities from retaliating or discriminating against a worker who files a complaint
27
obligations of health facility workers ● note that “incidental uses and disclosures” are considered inevitable, and do not violate HIPAA ● reasonable limits and efforts – appropriate to the circumstances, and the nature of the information – are all that HIPAA requires
28
compliance timetable ● HIPAA Privacy Rule takes effect on 14 April 2003 for covered entities with more than $5M in annual revenues ● 14 April 2004 is the Privacy Rule deadline for smaller covered entities ● HIPAA Rules for security, transactions and identifiers take effect over the next few years
29
HIPAA and state law HIPAA “preempts” state health privacy law unless ● “more stringent” (protective) ● for public health purposes ● for oversight or regulation of the state's health system
30
Florida health privacy protections ● general right to privacy, and to a notice of one's rights ● right to see, copy records ● right to an accounting of disclosures (from providers) ● right to extra limitations on certain kinds of information (genetic, HIV, mental health, substance abuse)
31
Florida health privacy protections ● most of Florida's privacy protections are as strong as – or stronger than – HIPAA's ● these protections will remain in force after April 14 ● they are in force NOW
32
sanctions for privacy failures ● Federal civil and criminal penalties for HIPAA violations from $100 per incident up to $250,000 and 10 years in prison ● civil and criminal penalties for state law violations ● institutional reputation and market share ● employee suspension and termination ● loss of professional license
33
you are also a patient ● with networked computer systems, security of health information anywhere depends on privacy practices everywhere ● thousands of persons may have access to an individual's health record
34
you are also a patient ● try to treat others' health information the way you'd like yours to be treated, or that of a family member or a close friend
35
you are also a patient ● that includes attention to safe practices for the new electronic records, the old paper ones, as well as faxes, photocopies and printouts, telephone calls and email
36
University of Miami Ethics Programs © 2002 Historic computer and electronic equipment images are provided courtesy of the University of Virginia Computer Museum. All other images are from the UM Ethics Program digital image collection and are in the public domain. This presentation may be re-used for non-commercial, educational purposes, with appropriate credit to the source. Any other use requires prior written permission. Information presented herein is believed to be correct at the time of posting. However, these materials are intended for education purposes only; they are not intended or represented as legal advice. UM Ethics Programs, PO Box 016960 (M-825), Miami FL 33101
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.