Overview of HIPAA Administrative Simplification and Privacy Regulations
Darrel J. Grinstead, Partner
Amy B. Kiesel, Associate
Hogan & Hartson L.L.P.

Outline of Presentation
- HIPAA Overview
- Transactions and Code Set Rule
- Security Rule
- Privacy Rule

HIPAA Overview
- "Health Insurance Portability and Accountability Act of 1996"
- Regulations:
  - Facilitate electronic exchange of health information
  - Protect the privacy and security of health information

HIPAA Regulations
- In final form:
  - Transactions and Code Set Rule
  - Security Rule
  - Privacy Rule
  - National Standard Employer Identifier Rule
- The remaining regulations are unpublished or in proposed form.

Applicability
The regulations apply to "covered entities":
- Health care providers that electronically bill for services (e.g., most ambulance suppliers, physicians, hospitals),
- Health plans, and
- Health care clearinghouses.
TRANSACTIONS AND CODE SET RULE

Transactions and Code Set Rule
- Purpose:
  - To encourage the use of electronic exchanges
  - To reduce the administrative burden associated with using different formats
- Specifies the content and format standards for eight common types of health information transactions.

Standard Transactions
Transactions are composed of:
- Format data: defines and controls the structure of the transaction (e.g., the data element is a dollar amount)
- Data content: all data elements and code sets inherent to a transaction and not related to the format of the transaction (e.g., the actual dollar amount)

Transactions
The eight standard transactions are:
- Health care claims or equivalent encounter information,
- Health care payment and remittance advice,
- Coordination of benefits,
- Health care claim status,
- Enrollment and disenrollment in a health plan,
- Referral certification and authorization,
- Eligibility for a health plan, and
- Health plan premium payments.
No standards have been promulgated for first report of injury and health claims attachments.

Compliance
Compliance was required by Oct. 16, 2002, unless a compliance plan was submitted to CMS by Oct. 15, 2002, in which case the compliance deadline was extended to Oct. 16, 2003.

Implementation
- HIPAA Awareness: understand the rule and educate the workforce.
- Operational Assessment: assess and identify internal implementation issues and develop a work plan to address them.
- Development and Testing: finalize development of, install, and train staff on applicable software, and perform all software and systems testing.
SECURITY RULE

Security Rule
- Final rule published Feb. 20, 2003.
- Compliance required by April 21, 2005.
- Requires covered entities to:
  - Assess risks and vulnerabilities,
  - Maintain appropriate security measures, and
  - Document these methods.

Security Rule
Requires covered ambulance suppliers to apply administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that they create, receive, maintain or transmit. (Unlike the Privacy Rule, which covers PHI in any form, the Security Rule reaches only PHI in electronic form.)

Examples – Required Safeguards
- Administrative
  - Sanction policy
  - Business associate contracts
- Physical
  - Device and media controls (including disposal)
  - Workstation security
- Technical
  - Person or entity authentication
  - Unique user identification
PRIVACY RULE

Privacy Rule
- Applicability
- Uses and Disclosures
- Patient Rights
- Administrative Requirements
- Penalties
- Interaction with State Law

Compliance Date
Covered ambulance suppliers must be in compliance with the Privacy Rule by April 14, 2003.

Applicability of the Privacy Rule
- Applies directly to covered entities.
- Regulates protected health information maintained by covered entities.

Protected Health Information
Protected health information ("PHI") is information in any form that:
- Identifies, or reasonably could be used to identify, the patient;
- Relates to the past, present, or future health or condition of a patient, payment for care, or provision of care; and
- Is created or received by a covered entity, provider or employer.

Protected Health Information
PHI includes:
- Medical information
- Billing information
- Patient demographic information
- Information stored electronically
- Information you convey on the phone
- Information maintained on paper

Business Associates
The Privacy Rule requires covered entities to contractually bind their business associates to some of the requirements of the Privacy Rule.

Definition
A business associate is an entity that:
1. creates or receives PHI
2. to provide a service or function for or on behalf of a covered entity.

Examples - Business Associates
Disclosures of PHI to:
- An accreditation organization to perform accreditation services.
- A billing and collection service to assist with reimbursement.
- A transcription service to transcribe notes.

Examples - No Business Associate
Disclosure of PHI:
- To a provider for treatment of a patient.
- Inadvertently to a janitorial agency that provides cleaning services.
- To researchers for research purposes.
There is no business associate relationship with your own employees; they are part of your workforce.

Business Associate Agreements
You must enter into written agreements with your business associates to:
- Limit use and disclosure of PHI,
- Safeguard PHI, and
- Ensure certain patient rights (e.g., providing a patient with access to PHI).
USES AND DISCLOSURES

Overview of Uses and Disclosures
Covered ambulance suppliers may use or disclose PHI only:
- For purposes expressly required or permitted by the rule, or
- With patient authorization.

Examples When Authorization Is Required
- To provide a list of names of patients involved in automobile accidents to a company that offers automobile insurance.
- To provide a list of patient names to a national association for the association's fundraising purposes.

Examples When Authorization Is Not Required
- To use and disclose PHI for your own treatment, payment and health care operations (TPO).
- To disclose PHI for the treatment or payment activities of another covered entity.
- In limited situations, to disclose PHI for the health care operations of another covered entity.

Health Care Operations
Generally, no authorization is required if the disclosure is:
- To a covered entity that also has a relationship with the patient, and
- For quality assessment and improvement activities, case management and coordination, fraud and abuse detection or compliance, and other similar activities.

Disclosures to Family Members
May disclose PHI to family members or others involved in the patient's care or payment for care if:
- The patient agrees (or agreement is inferred), or
- The patient is not present or is incapacitated and you believe that the disclosure is in the patient's best interest.
May also notify such persons of the patient's location, general condition, or death.

Other Purposes
May use and/or disclose PHI without authorization if certain criteria are met:
- To avert a serious threat to health or safety
- As required by law
- For limited marketing activities
- For public health activities
- For health oversight activities
- For research

Other Uses and Disclosures – Avert Serious Threat
May use or disclose PHI based on your good faith belief that the use or disclosure is necessary:
- To prevent or lessen a serious and imminent threat to the health or safety of a person or the public; or
- Under limited circumstances, for law enforcement authorities to identify or apprehend an individual.

Written Authorization – The Default Category
- May use and disclose PHI for any reason with the written authorization of the patient.
- The authorization must be in writing and contain certain statements and information that ensure the patient knows how his or her information will be used and disclosed.
MINIMUM NECESSARY STANDARD

Minimum Necessary Standard
Covered entities may use, disclose and request only the minimum amount of PHI necessary to accomplish the purpose of the use, disclosure or request.

Minimum Necessary Exceptions
- Disclosures to, and requests by, providers for treatment (the standard still applies to uses of PHI for treatment)
- Disclosures to the patient who is the subject of the PHI
- Uses and disclosures pursuant to an authorization

INCIDENTAL USES AND DISCLOSURES

Incidental Uses and Disclosures
An incidental use or disclosure is one that occurs as a by-product of another use or disclosure that is permitted (e.g., a conversation between EMTs treating a patient that is overheard by another patient).

Incidental Uses and Disclosures
Incidental uses and disclosures are permitted as long as the covered entity has:
- Applied reasonable safeguards, and
- Implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.
PATIENT RIGHTS

Patient Rights
- Receive a notice of privacy practices
- Receive an accounting of certain disclosures of PHI
- Access their information
- Amend their information
- Request a restriction on the use or disclosure of information
- Request confidential communications

Content of Notice
- A header indicating the purpose of the notice
- A description of the uses and disclosures that you may make
- A statement of patient rights and how to exercise them
- A statement of your duties
- Instructions for filing complaints
- Contact information

Provision of Notice - First Service Delivery
General Rule:
- Provide the patient with your notice no later than the first service delivery on or after April 14, 2003; and
- Make a good faith effort to obtain a written acknowledgment of receipt of the notice. If it is not obtained, document the good faith efforts and the reason why it was not obtained.

Obtaining Acknowledgment
- Have the patient sign a separate sheet, list or log book, or initial a cover sheet of the notice, to be retained by the ambulance supplier
- Provide a tear-off sheet to mail back to the ambulance supplier
- Combine the acknowledgment with a consent form

Good Faith Effort – Reasons Acknowledgment Not Obtained
- Patient refused
- Patient failed to mail back the acknowledgment
- Patient unconscious or agitated

Provision of Notice - First Service Delivery
EXCEPTION - Emergency Treatment Situations:
- Notice: provide the notice as soon as reasonably practicable after the emergency situation.
- Acknowledgment: NOT required to make a good faith effort to obtain the acknowledgment.

Provision of Notice
You also must make the notice available by April 14, 2003:
- Upon request;
- At the delivery site (the notice must be posted and available for individuals to take with them); and
- If you maintain a web site about your services or benefits, prominently on that web site, and make the notice available electronically through the site.

Accounting
You do not need to track disclosures:
- To carry out treatment, payment, or health care operations
- To patients who are the subject of the PHI
- Pursuant to an authorization

Accounting
You must track disclosures:
- For public health purposes
- For research
- For health oversight activities
- For administrative/judicial proceedings
- For abuse/neglect reporting
ADMINISTRATIVE REQUIREMENTS

Administrative Requirements
- Designate a privacy official
- Designate a contact person or office for complaints and questions
- Establish and implement policies and procedures
- Provide training to workforce members
- Apply administrative, technical and physical safeguards
- Establish a process for individuals to make complaints

Administrative Requirement – Training
- Must train workforce members on the privacy policies and procedures necessary and appropriate to their jobs.
- Training must occur:
  - For current employees: no later than the compliance date,
  - For new employees after the compliance date: within a reasonable time after the person joins the workforce, and
  - For employees whose functions are affected by a subsequent change in privacy policies or procedures: within a reasonable time after the change.
PENALTIES

Civil Penalties
Any person who violates a provision is subject to:
- A penalty of not more than $100 for each such violation, and
- A total amount for all violations of an identical requirement or prohibition during a calendar year of not more than $25,000.

Criminal Penalties
- Criminal penalties vary depending on the offense.
- A person can be fined not more than $250,000, imprisoned not more than 10 years, or both, if the offense is committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
INTERACTION WITH STATE LAW

Interaction with State Law
- Must comply with both the Privacy Rule and state laws.
- If it is impossible to comply with both (rare), comply with the provision that provides the patient with:
  - greater privacy rights,
  - access to greater amounts of information, or
  - greater privacy protections.
- State laws often have heightened protection for sensitive information (e.g., HIV/STDs).

The End.