Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA and Privacy An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Reid Cushman, UM Ethics.

Similar presentations


Presentation on theme: "HIPAA and Privacy An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Reid Cushman, UM Ethics."— Presentation transcript:

1 HIPAA and Privacy An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Reid Cushman, UM Ethics Programs cush@miami.edu

2 forces for health privacy ● a new federal law – called ”HIPAA” – adds national protections for everyone's health information ● however, there are many other sources of health privacy protection ● HIPAA, while important, is only one part of the picture

3 forces for health privacy ● federal law (HIPAA) ● state law ● licensing and certification bodies (JCAHO, NCQA) ● health professions' licensing organizations (AMA, ANA and many others) ● your own ethical standards

4 HIPAA and its goals Health Insurance Portability and Accountability Act ● make health insurance coverage more portable between jobs ● reduce waste and fraud in the health care system

5 HIPAA and its goals Health Insurance Portability and Accountability Act ● make the health system “more efficient” overall ● and encourage use of electronic record-keeping systems for health data

6 the connection to privacy ● paper records are very expensive (even if it seems otherwise) ● it can be difficult to find information when you need it

7 the connection to privacy ● paper can only be in one place at a time ● record duplication brings potential for error – and more expense

8 the connection to privacy ● electronic records are much cheaper (in the long run) ● it is much easier to find information -- both for those who should have it, and those who shouldn't

9 the connection to privacy ● so, a much greater need for security and privacy protections than with paper records ● HIPAA's standards are a national response to the health privacy issues raised by computers

10 HIPAA's four Standards (“Rules”) Transactions and Code Sets standard formats for all electronic transactions Identifiers Security Privacy

11 HIPAA's four Standards (“Rules”) Transactions and Code Sets Identifiers standard IDs for health plans, providers, employers Security Privacy

12 HIPAA's four Standards (“Rules”) Transactions and Code Sets Identifiers Security computer, communications protection technologies Privacy

13 HIPAA's four Standards (“Rules”) Transactions and Code Sets Identifiers Security Privacy procedural protections for all health information

14 what is covered by HIPAA? “protected health information” (PHI) ● any identifiable information ● related to the “past, present or future physical or mental health” of a person ● used for treatment, payment or any other function

15 what is covered by HIPAA? ● protected health information (PHI) can be in “any form or medium” ● electronic, paper and even oral communications of PHI are covered by HIPAA's Privacy Rule ● only totally “de-identified” information is unprotected

16 who is covered by HIPAA? “covered entities” ● health providers, health plans, and information clearinghouses ● organizations that provide or pay for health services ● basically, any entity that uses or discloses health data

17 who is covered by HIPAA? ● customers (patients) of covered entities receive protections – privacy rights – for their health information ● covered entities, and those that work in them, have privacy obligations to ensure that HIPAA protections are achieved

18 individual rights under HIPAA ● to receive a “Notice of Privacy Practices” outlining how one's health information may be used or disclosed ● to obtain a copy of one's full health record (except for psychotherapy notes) ● to correct – or at least note disagreement – if the record appears to be in error

19 individual rights under HIPAA ● to know (some of) the persons and organizations to whom one's health information has been disclosed ● to ask for extra protection or confidential communications of particularly sensitive data ● to authorize certain additional “non-standard” uses or disclosures

20 individual rights under HIPAA ● to be assured that the institution follows appropriate privacy and security practices ● to complain to the covered entity's Privacy Officer – or directly to DHHS Office of Civil Rights – if one believes HIPAA rights have been violated

21 covered entities' responsibilities ● to give each patient (customer) the Notice that outlines their privacy rights ● the Notice must describe planned uses and disclosures, including the “basic” ones for treatment, payment and health care operations ● written acknowledgment of Notice must be obtained

22 covered entities' responsibilities ● to provide an opportunity for individuals to discuss any privacy concerns ● all individuals should understand their rights, including what to do if they feel their rights have been violated ● a process must be in place to handle problems and complaints

23 covered entities' responsibilities ● to get authorization for certain additional kinds of uses and disclosures, beyond those for treatment, payment or basic health care operations ● to undertake the additional uses and disclosures permitted by law in an appropriate manner

24 covered entities' responsibilities ● to develop reasonable, appropriate privacy and security policies ● to train all members of the workforce in those policies “as necessary and appropriate” to their job duties ● to get assurances from any business associates that handle PHI on the covered entity's behalf

25 ● to use or disclose protected health information only for work-related purposes ● to limit uses and disclosures to the “minimum necessary” to achieve those work purposes ● and to otherwise exercise reasonable caution, to protect all PHI under their control obligations of health facility workers

26 ● to understand the facility's privacy and security policies, and follow them ● to try to remedy any privacy problems – or report them to the facility Privacy Officer or DHHS Office of Civil Rights ● HIPAA prohibits covered entities from retaliating or discriminating against a worker who files a complaint

27 obligations of health facility workers ● note that “incidental uses and disclosures” are considered inevitable, and do not violate HIPAA ● reasonable limits and efforts – appropriate to the circumstances, and the nature of the information – are all that HIPAA requires

28 compliance timetable ● HIPAA Privacy Rule takes effect on 14 April 2003 for covered entities with more than $5M in annual revenues ● 14 April 2004 is the Privacy Rule deadline for smaller covered entities ● HIPAA Rules for security, transactions and identifiers take effect over the next few years

29 HIPAA and state law HIPAA “preempts” state health privacy law unless ● “more stringent” (protective) ● for public health purposes ● for oversight or regulation of the state's health system

30 Florida health privacy protections ● general right to privacy, and to a notice of one's rights ● right to see, copy records ● right to an accounting of disclosures (from providers) ● right to extra limitations on certain kinds of information (genetic, HIV, mental health, substance abuse)

31 Florida health privacy protections ● most of Florida's privacy protections are as strong as – or stronger than – HIPAA's ● these protections will remain in force after April 14 ● they are in force NOW

32 sanctions for privacy failures ● Federal civil and criminal penalties for HIPAA violations from $100 per incident up to $250,000 and 10 years in prison ● civil and criminal penalties for state law violations ● institutional reputation and market share ● employee suspension and termination ● loss of professional license

33 you are also a patient ● with networked computer systems, security of health information anywhere depends on privacy practices everywhere ● thousands of persons may have access to an individual's health record

34 you are also a patient ● try to treat others' health information the way you'd like yours to be treated, or that of a family member or a close friend

35 you are also a patient ● that includes attention to safe practices for the new electronic records, the old paper ones, as well as faxes, photocopies and printouts, telephone calls and email

36 University of Miami Ethics Programs © 2002 Historic computer and electronic equipment images are provided courtesy of the University of Virginia Computer Museum. All other images are from the UM Ethics Program digital image collection and are in the public domain. This presentation may be re-used for non-commercial, educational purposes, with appropriate credit to the source. Any other use requires prior written permission. Information presented herein is believed to be correct at the time of posting. However, these materials are intended for education purposes only; they are not intended or represented as legal advice. UM Ethics Programs, PO Box 016960 (M-825), Miami FL 33101


Download ppt "HIPAA and Privacy An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Reid Cushman, UM Ethics."

Similar presentations


Ads by Google