1. HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier

2. HIPAA History Health Insurance Portability and Accountability Act of 1996 “Administrative Simplification!” Federal Law – Published in Federal Register Department of Health and Human Services (HHS) issued the regulation: Standards for Privacy of Individually Identifiable Health Information The Office for Civil Rights (OCR) is the department responsible for implementing and enforcing the privacy regulation

3. HIPAA Privacy Regulations Compliance Date: April 14, 2003 Primary Resource: http://www.hhs.gov/ocr/hipaahttp://www.hhs.gov/ocr/hipaa Final Regulation (12/28/00, 8/14/02): http://www.hhs.gov/ocr/hipaa/finalreg.html http://www.hhs.gov/ocr/hipaa/finalreg.html Summary of Regulation: http://www.hhs.gov/ocr/privacysummary.pdf http://www.hhs.gov/ocr/privacysummary.pdf State of Michigan’s Medical Record Access Act –House Bill 4706 signed by Governor Granholm on April 1, 2004, effective immediately –www.michiganlegislature.org (search for bill 4706)www.michiganlegislature.org

4. Official Privacy Website http://www.hhs.gov/ocr/hipaa/

5. Other HIPAA Initiatives SECURITY REGULATIONS: Compliance Date: April 21, 2005 Final Regulation (2/13/03): http://www.hipaadvisory.com/regs/Regs_in_PDF/finaltrans.pdf http://www.hipaadvisory.com/regs/Regs_in_PDF/finaltrans.pdf Fearsome Four: Audits, Activity Review, Risk Planning & Disaster Recovery TRANSACTION & CODE SET STANDARDS: Final Rule published: 8/17/00, Final Modifications: 2/20/03 Compliance Date: October 16, 2003 (July 2004) Final Regulation: http://www.cms.hhs.gov/regulations/hipaa/cms0003- 5/0003ofr2-10.pdf http://www.cms.hhs.gov/regulations/hipaa/cms0003- 5/0003ofr2-10.pdf

6. More HIPAA To Come NATIONAL PROVIDER IDENTIFIERS (NPI): Final Rule published: 1/23/04 (See CMS website) Can begin application process 5/23/05 Compliance Date: 5/23/07 NATIONAL EMPLOYER IDENTIFIERS: Final Rule published: 5/31/02 Compliance Date: 7/30/04 NATIONAL HEALTH PLAN IDENTIFIERS NATIONAL PATIENT IDENTIFIERS

7. Link to all HIPAA Regulations: http://www.cms.hhs.gov/hipaa/hipaa2 /regulations/default.asp http://www.cms.hhs.gov/hipaa/hipaa2 /regulations/default.asp

8. PRIVACY REGULATIONS Purpose –To protect and enhance the rights of patients by providing them with access to their health information and controlling the inappropriate use of that information –To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for privacy protection

9. PATIENT PRIVACY With or without HIPAA, protecting privacy of health information is important to consumers Consumers are concerned about unauthorized disclosures of personal health information Rightly or wrongly, consumers are distrustful of providers, plans and employers in regard to their personal health information

10. PRIVACY BASICS Covered Entities –Health care providers, Health Plans & Clearinghouses Business Associates Privacy Officer Notice of Privacy Practice (Privacy Notice) PHI = Protected Health Information –Oral- Written- Electronic Minimum Necessary Incidental Uses & Disclosures

11. Privacy Basics TPO = Treatment, Payment, Healthcare Operations Accounting for Disclosures Directory – Hospital/Clergy Reasonable Safeguards –Role based Access Request for Amendments Request for Restrictions Complaint Process

12. Penalties Civil penalties of $100 per violation, up to $25,000 per standard violated per year Criminal penalties up to $250,000 and 10 years imprisonment

13. Security Basics Administrative Procedures –Policies & Procedures Physical Safeguards –Theft- Snooping –Vandalism- Environment –Disaster Recovery Technical Security –Authorizing –Accounting for Access –Encryption

14. Cancer Registry Impact Access to PHI Reporting data Patient follow up Accounting for disclosures Business Associate Agreements