Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA PRIVACY RULE IMPLEMENTATION – WHATS UP AFTER 4/14/03? 8 th National HIPAA Summit Baltimore, MD March 8, 2004 Lynda A. Russell, EdD, JD, RHIA Privacy.

Similar presentations


Presentation on theme: "HIPAA PRIVACY RULE IMPLEMENTATION – WHATS UP AFTER 4/14/03? 8 th National HIPAA Summit Baltimore, MD March 8, 2004 Lynda A. Russell, EdD, JD, RHIA Privacy."— Presentation transcript:

1 HIPAA PRIVACY RULE IMPLEMENTATION – WHATS UP AFTER 4/14/03? 8 th National HIPAA Summit Baltimore, MD March 8, 2004 Lynda A. Russell, EdD, JD, RHIA Privacy Manager Cedars-Sinai Medical Center Los Angeles, CA

2 3/8/04HIPAA - Post 4/14/032 Disclaimer The presentation and materials are not to be perceived as legal advice.

3 3/8/04HIPAA - Post 4/14/033 INTRODUCTION Discussion topics: Pre 4/14/03 – General Comments Post 4/14/03 Implementation of Patient Rights Investigation of Potential Privacy Breaches Policies and Procedures Training

4 3/8/04HIPAA - Post 4/14/034 Pre 4/14/03 HIPAA gave several rights to patients: Access to own PHI Request for an Accounting Request for Amendment Request for Confidential Communications Request for Restrictions

5 3/8/04HIPAA - Post 4/14/035 Pre 4/14/03 Hospitals identified gaps between current practice and the new rights Gaps did not always indicate something was wrong They merely reflected the difference between what was ok before 4/14/03 and what would be ok after 4/14/03

6 3/8/04HIPAA - Post 4/14/036 Pre 4/14/03 Closed many gaps by: Revising and writing policies and procedures Conducting training

7 3/8/04HIPAA - Post 4/14/037 Post 4/14/03 – What continues to face hospitals?

8 3/8/04HIPAA - Post 4/14/038 Post 4/14/03 – What continues to face hospitals? Centralized approach? Decentralized approach? Combination of both approaches?

9 3/8/04HIPAA - Post 4/14/039 Post 4/14/03 – What continues to face hospitals? Centralized approach All processing is handled under the auspices of a designated department

10 3/8/04HIPAA - Post 4/14/0310 Post 4/14/03 – What continues to face hospitals? Decentralized approach All processing is carried out in areas Where medical records are maintained or Where reporting activities occur

11 3/8/04HIPAA - Post 4/14/0311 Post 4/14/03 – What continues to face hospitals? Designated record set Medical and billing records and any other record used to make decisions about an individual Used to define the set of information that the individual can access, copy, and request amendment to

12 3/8/04HIPAA - Post 4/14/0312 Post 4/14/03 – What continues to face hospitals? Implementation of patient rights under HIPAA

13 3/8/04HIPAA - Post 4/14/0313 Post 4/14/03 – What continues to face hospitals? We have decentralized approach to maintaining medical records and to the ROI function We have an ongoing process for centralizing the ROI function Requires mechanism to alert entity responsible for implementing the request

14 3/8/04HIPAA - Post 4/14/0314 Post 4/14/03 – What continues to face hospitals? Request for Access to DRS

15 3/8/04HIPAA - Post 4/14/0315 Post 4/14/03 – Request for Access to DRS Decentralized medical record maintenance process Pt must go to several different locations to gain access to all components of the designated record set

16 3/8/04HIPAA - Post 4/14/0316 Post 4/14/03 – Request for Access to DRS Problems with this approach Patient does not know where DRS is maintained Staff across institution may not know that other components exist, or, if so, where they exist Patient has to re-qualify right to access in each department or treatment area

17 3/8/04HIPAA - Post 4/14/0317 Post 4/14/03 – Request for Access to DRS Benefits of centralizing process Greater likelihood policies and procedures will be followed Patient is more confident he/she has been given access to entire DRS Patient only has to go to one location (better customer service)

18 3/8/04HIPAA - Post 4/14/0318 Post 4/14/03 – What continues to face hospitals? Request for Accounting

19 3/8/04HIPAA - Post 4/14/0319 Post 4/14/03 – Request for Accounting A new patient right Had no formalized processes in place Had patients before HIPAA wanting to know who had seen their records

20 3/8/04HIPAA - Post 4/14/0320 Post 4/14/03 – Request for Accounting Uses and disclosures that must be included in an Accounting Public interest disclosures Research disclosures under a Waiver of Authorization Disclosures in violation of HIPAA

21 3/8/04HIPAA - Post 4/14/0321 Post 4/14/03 – Request for Accounting We decided to implement this right on a centralized basis in the HIM Department

22 3/8/04HIPAA - Post 4/14/0322 Post 4/14/03 – Request for Accounting Options for creating an Accounting Central database Accounting on Demand

23 3/8/04HIPAA - Post 4/14/0323 Post 4/14/03 – Request for Accounting Central database – First Approach Data entered by one department only Advantage Greater likelihood policies will be followed Disadvantages Must gather all information from source departments No guarantee for obtaining all information Very time consuming

24 3/8/04HIPAA - Post 4/14/0324 Post 4/14/03 – Request for Accounting Central database - Second Approach Data entered by source department Advantage Data entry responsibilities spread over several departments Data may be more accurately entered Disadvantages May be more difficult to monitor and hold departments accountable

25 3/8/04HIPAA - Post 4/14/0325 Post 4/14/03 – Request for Accounting Regardless of who enters data into a centralized database Only enter actual ROI activities Do not need to enter multiple disclosures (discussed later)

26 3/8/04HIPAA - Post 4/14/0326 Post 4/14/03 – Request for Accounting Accounting on Demand Make list of disclosures only when patient requests an accounting May implement as long as process is in place to assure that the HIM department can accurately identify all required disclosures The accounting meets the HIPAA mandate (Ref: CHA HIPAA Seminar, Nov 2003)

27 3/8/04HIPAA - Post 4/14/0327 Post 4/14/03 – Request for Accounting Accounting on Demand Advantages Less time consuming overall Potentially less costly

28 3/8/04HIPAA - Post 4/14/0328 Post 4/14/03 – Request for Accounting Accounting on Demand Disadvantages May be difficult to implement because of decentralized public interest reporting Hospital does not have specific department or individual responsible for identifying all circumstances that should be included in an accounting Hospital must have a system for maintaining all copies of disclosure requests (Ref: CHA HIPAA Seminar, Nov 2003)

29 3/8/04HIPAA - Post 4/14/0329 Post 4/14/03 – Request for Accounting Cost of maintaining database vs accounting on demand Number of requests for accounting Potential size of database Confidence in decentralized data entry Confidence in centralized data entry

30 3/8/04HIPAA - Post 4/14/0330 Post 4/14/03 – Request for Accounting Regardless of option selected, should include monitoring the process in the ongoing HIPAA Program monitoring plan

31 3/8/04HIPAA - Post 4/14/0331 Post 4/14/03 – Request for Accounting Difficult Accounting Problems Accounting for multiple disclosures Accounting for research under a Waiver of Authorization Residents collecting information

32 3/8/04HIPAA - Post 4/14/0332 Post 4/14/03 – Request for Accounting Accounting for multiple disclosures of: A particular patient to the same person or entity Multiple patients to the same person or entity

33 3/8/04HIPAA - Post 4/14/0333 Post 4/14/03 – Request for Accounting Multiple disclosures to a third party for review constitutes a disclosure even if third party does not review any particular record (Ref: CHA HIPAA Seminar, Nov 2003)

34 3/8/04HIPAA - Post 4/14/0334 Post 4/14/03 – Request for Accounting Accounting for multiple disclosures Must maintain documentation of all records included in the universal set of records provided to the third party May be too time consuming to enter into centralized database May be better to use the accounting on demand approach (Ref: CHA HPAA Seminar, Nov 2003)

35 3/8/04HIPAA - Post 4/14/0335 Post 4/14/03 – Request for Accounting May be easier to check documentation of multiple disclosures whether creating the accounting using a centralized database or the accounting on demand approach

36 3/8/04HIPAA - Post 4/14/0336 Post 4/14/03 – Request for Accounting Approach taken may also depend on whether interfaces exist between the source system and the accounting system

37 3/8/04HIPAA - Post 4/14/0337 Post 4/14/03 – Request for Accounting What about JCAHO record reviews? Some say: Dont include because this is HCO Dont include because JCAHO is a BA Include in accounting

38 3/8/04HIPAA - Post 4/14/0338 Post 4/14/03 – Request for Accounting 2 nd difficult accounting issue – research Not required to include PHI disclosed pursuant to an authorization, in Limited Data Sets, and as de-identified data Must account for research under a Waiver of Authorization

39 3/8/04HIPAA - Post 4/14/0339 Post 4/14/03 – Request for Accounting Accounting for research under a Waiver of Authorization Modified accounting procedure if protocol involves 50 or more individuals, and the individuals PHI may have been disclosed

40 3/8/04HIPAA - Post 4/14/0340 Post 4/14/03 – Request for Accounting May find it better to track specific protocols May find it better to do accounting on demand May encourage researchers to use Limited Data Sets

41 3/8/04HIPAA - Post 4/14/0341 Post 4/14/03 – Request for Accounting 3 rd difficult accounting issue – residents Need information to take boards Collect information on patients they have treated to start their practice

42 3/8/04HIPAA - Post 4/14/0342 Post 4/14/03 – What continues to face hospitals? Request for Confidential Communications

43 3/8/04HIPAA - Post 4/14/0343 Post 4/14/03 – Request for Confidential Communications Patients are requesting hospitals to provide information by alternative methods

44 3/8/04HIPAA - Post 4/14/0344 Post 4/14/03 – Request for Confidential Communications We implemented on decentralized basis We are applying our ongoing ROI centralization process

45 3/8/04HIPAA - Post 4/14/0345 Post 4/14/03 – Request for Confidential Communications Patients are requesting information via e-mail Current options Issues with current options Alternative option – content scanner

46 3/8/04HIPAA - Post 4/14/0346 Post 4/14/03 – What continues to face hospitals? Request for Restrictions

47 3/8/04HIPAA - Post 4/14/0347 Post 4/14/03 – Request for Restrictions Opting out of directory Identifying who is or is not permitted to receive information as a participant in care Opting out of marketing, fundraising, and research Identifying any entity who is not permitted to receive information

48 3/8/04HIPAA - Post 4/14/0348 Post 4/14/03 – Request for Restrictions We implemented on decentralized basis We are applying our ongoing ROI centralization process Requires mechanism to notify those responsible for implementing request

49 3/8/04HIPAA - Post 4/14/0349 Post 4/14/03 – What continues to face hospitals? Investigating potential breaches

50 3/8/04HIPAA - Post 4/14/0350 Post 4/14/03 – Investigating Potential Breaches Have policy and procedure in place Work with IT Department Work with HR Department Work with Medical Staff Leadership Work with Educational Program Leadership

51 3/8/04HIPAA - Post 4/14/0351 Post 4/14/03 – Investigating Potential Breaches Examples: Volunteers looking up patients Deliver flowers to patient opting out of directory Conversations in areas with multiple patients present Employee believes record accessed by another employee without need to know

52 3/8/04HIPAA - Post 4/14/0352 Post 4/14/03 – What continues to face hospitals? Policies and Procedures

53 3/8/04HIPAA - Post 4/14/0353 Post 4/14/03 – Policies and Procedures Policies and Procedures Ongoing process Still identifying new policies needed Still identifying existing policies needing revision

54 3/8/04HIPAA - Post 4/14/0354 Post 4/14/03 – Policies and Procedures Examples: Department/specialty name in return address Visitors and observers

55 3/8/04HIPAA - Post 4/14/0355 Post 4/14/03 – What continues to face hospitals? Training

56 3/8/04HIPAA - Post 4/14/0356 Post 4/14/03 – Training It didnt end on 4/14/03 Have policy in place Various categories of workforce Persons not part of workforce

57 3/8/04HIPAA - Post 4/14/0357 Post 4/14/03 – References California Healthcare Association (CHA). HIPAA Privacy and Security Seminar, Nov. 2003. HIPAA Privacy Regulations, Section 164.501 et seq.

58 3/8/04HIPAA - Post 4/14/0358 Post 4/14/03 – What continues to face hospitals? Q & A Thank you


Download ppt "HIPAA PRIVACY RULE IMPLEMENTATION – WHATS UP AFTER 4/14/03? 8 th National HIPAA Summit Baltimore, MD March 8, 2004 Lynda A. Russell, EdD, JD, RHIA Privacy."

Similar presentations


Ads by Google