1
HIPAA The Privacy Rule 2003
2
Health Insurance Portability and Accountability Act of 1996 (HIPAA) The 104 th Congress passed the Act, Public Law 104-191, in 1996 U.S. Department of Health and Human Services (HHS) drafted privacy regulations after Congress failed to within three years of the Act’s passage President Bush and HHS Secretary Tommy G. Thompson allowed the rule to take effect April 14, 2001. HIPAA requires covered entities to comply with the final rule’s provisions by April 14, 2003 (45 CFR 164.534)
3
What is HIPAA? HIPAA is a federally enacted law containing five provisions designed to: Assure portability of health insurance; Decrease health care fraud and abuse; Improve efficiency and effectiveness of health care; and Guarantee security and privacy of patient health information
4
Organizational HIPAA Sharron Stevens Privacy Officer Pat W. Myrick, CCRP, CIP Compliance Officer Barbara Love Credentialing Officer
5
HIPAA Privacy Rule (65 Fed. Reg. 82462) Title II: Administrative Simplification – Transaction Standards – Standard Code Sets – Unique Health Identifiers – Security – Privacy Privacy code includes: Research & Public Health Privacy code includes: Research & Public Health
6
Who Must Comply? The Code refers to, “Covered Entities” “Covered Entities,” include health plans, health care clearinghouses and health care providers who conduct financial and administrative transactions – such as electronic billing and funds transfers – electronically. (45 CFR 160.103)
7
What Does HIPAA Protect? ALL medical records and other individually identifiable health information used or disclosed by a covered entity in any form – electronic, paper, oral – are covered by the final Privacy Rule. (45 CFR 164.501 and 45 CFR 164.502)
8
Minimum Disclosure... Disclosures of patient information will be limited to the minimum necessary for the purpose of the disclosure, except for purposes of treatment. 45 CFR 164.502(b)(1)
9
Permitted Disclosures The Privacy Rule permits, but does not require, covered entities to disclose health information without authorization for certain public responsibilities: – Emergencies – Identity of deceased, determine cause of death – Public Health needs – Judicial and administrative proceedings – Law enforcement – National defense and security
10
New Patient Rights Issued Privacy Notice: Covered entities must notify patients in writing how they may use or disclose their patient’s protected health information (PHI). 45 CFR 164.520 Access: Patients will be able to access and get copies of their heath records. They may also request amendments to those records. A history of non-routine disclosures must also be accessible to patients. 45 CFR 164.526
11
New Patient Rights Consent = Authorization: Health care providers who see patients must obtain patient consent (authorization) before sharing their information for treatment, payment and health care operations. Treatment may be conditioned on receiving consent unless other legal obligations exist, such as the Federal Emergency Medical Treatment and Active Labor Act (EMTALA), also known as COBRA. 45 CFR 164.506(a)(1)
12
New Patient Rights Authorization: A separate patient authorization must be obtained by non-routine disclosures – such as Public Relations activities, marketing, fundraising – and most non-health care purposes. Treatment may not be conditioned upon receiving authorization. 45 CFR 164.508(a)(1)
13
New Patient Rights Restrictions: Patients will have the right to request restrictions on the uses and disclosures of their information. 45 CFR 164.522 Recourse: Patients may file formal complaints with a covered entity or with the Department of Health and Human Services (HHS). 45 CFR 160.306(a)
14
Three Mandates Under HIPAA Adopt written privacy policies and procedures detailing: – Who has access to protected information; – How protected information will be used within the covered entity; – When protected information may be disclosed; – And ways to ensure business associates protect privacy of health information.
15
Three Mandates Under HIPAA Train employees in privacy procedures. – Design and implement training plan – Track and audit employee training 45 CFRF 164.530(b)(1) Designate privacy officer to ensure policies and procedures are followed. The ETSU Privacy Officer is Sharron Stevens, stevenss@mail.etsu.edu. The VAMC Privacy Officer is Angela Mullins, Angela.Allen@med.va.gov.stevenss@mail.etsu.edu Angela.Allen@med.va.gov – Develop and implement a method to report complaints – Investigate complaints – Conduct routine and random audits 45 CFR 164.530(a)(1)
16
Ensure Business Associates Safeguard Information A covered entity may disclose protected health information to a “business associate” and allow it to receive health information on its behalf ONLY after the covered entity is assured the business associate will safeguard the information. Even though business associates aren’t covered directly under the law, covered entities are liable for their business associates’ actions if they disclose protected health information. 45 CFR 164.502(e)(1)
17
Penalties for Covered Entities Civil Penalties: $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated (65 Fed. Re g. At 82470) Federal criminal penalties for knowing violations: – Up to $50,000 and one year in prison – Under “false pretenses” – up to $100,000 and up to five years in prison – Intent to sell, transfer or use – up to $250,000 and up to 10 years in prison
18
Pre-emption of State Law State laws which may be contrary to the rule are preempted unless one of four conditions are met. Legal counsels will be tasked with evaluating how HIPAA will impact state law. – DHHS determined that the state law is necessary to prevent fraud and abuse, to regulate insurance or health plans, is for reporting health care delivery or costs, or is serving a compelling need related to health, safety and welfare, or its principal purpose is regulation of controlled substances. – State law is more stringent than the privacy rule. – State law provides for reporting of disease, injury, child abuse, birth or death, or provides for conduct of public health surveillance. – State law requires a health plan to report or provide access to info. for management of financial audits, program monitoring and evaluation, or licensure or certification of people or facilities. (45CFR160.203)
19
Enforcement The DHHS Office for Civil Rights (OCR) will enforce the Privacy Rule. The agency is using a $3.2 million budget allocation to hire new agents. Enforcement will likely be compliance driven and investigations will be conducted by one of 10 regional offices. OCR is still faced with clarifying terms on hearing and appeal procedures and defining civil (monetary) penalties for violations. 65 Fed. Reg. At 82472
20
This Introduction to HIPAA, PowerPoint presentation is made available for educational purposes only.
21
Acknowledgements 45 CFR 164 45 CFR 160 65 Fed. Reg. At 82462 65 Fed. Reg. At 82470 65 Fed. Reg. At 82472 Hall, E., (2002). Privacy Officer, A301 Kentucky Clinic, Lexington, KY, 40536-0284 Irvine, K., & Hilton, E. (2003). Ensuring a HIPAA-compliant informed consent process. A guide for clinical research professionals. Boston, MA: Thomson-Centerwatch