HHS 503 Ch.9 PDF: Health Privacy & Confidentiality
Uploaded by jd4444
2020
Summary
This document discusses the Health Insurance Portability and Accountability Act (HIPAA) and its relevant regulations and concepts, along with implications of ARRA and HITECH. It explains concepts of health information management, privacy, confidentiality, and release of information practices.
Full Transcript
Health Information Management Technology: An Applied Approach, Sixth Edition
Chapter 9: Data Privacy and Confidentiality
ahima.org © 2020 AHIMA

Privacy and Confidentiality
- Privacy: “right to be let alone”
- No constitutional right to privacy
- Confidentiality: stems from sharing of private information in confidence with someone else

Use and Disclosure
- Use: how an organization avails itself of information internally
- Disclosure: how information is disseminated outside an organization

State Laws—Privacy
- State laws that protect health information privacy vary
- State laws must comply with HIPAA or will generally be preempted (superseded) by it
- States also have laws that require the disclosure of health information
  - E.g. vital statistics, communicable diseases, injuries indicative of criminal activity

HIPAA Definition
- TEST: HIPAA can disclose info without a patient's consent
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- 5 titles; Title II addresses:
  - Medical liability reform
  - Health care fraud and abuse prevention
  - Administrative simplification
    - Privacy standards
    - Security standards
    - Transactions, identifiers, and code set standards
    - National provider identifiers

ARRA and HITECH
- American Recovery and Reinvestment Act (ARRA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act is a component of ARRA
- ARRA and HITECH provide important changes to the HIPAA Privacy Rule

Office of the National Coordinator for Health Information Technology (ONC)
- Within the Department of Health and Human Services
- Responsible for:
  - Coordinating national efforts to implement and use health information technology
  - Promoting exchange of electronic health information

HIPAA Applicability - Privacy
- HIPAA applies to covered entities
  - Healthcare providers that conduct financial or administrative transactions electronically
  - Health plans
  - Healthcare clearinghouses – between healthcare providers and health plans

HIPAA Applicability
- HIPAA applies to business associates (BAs)
  - Not working for the healthcare organization but have patients’ health information (Ex. outsourcing billing)
  - Perform functions or activities on behalf of or for a covered entity that involve use or disclosure of protected health information
- Business Associate Agreements (BAAs)
  - BAA content must be complete
- Requirements and penalties for BAs and the BAs’ subcontractors parallel those for covered entities

HIPAA Applicability
- Workforce members
  - Employees, volunteers, student interns, trainees, employees of outsourced vendors working routinely onsite
- Are contractors working in a covered entity considered workforce members or business associates?
  - BAs: the core of the job role is looking at protected health information.
  - Difference between workforce and business associates: workforce is not always meant to work directly with protected health info.

HIPAA Applicability
- Protected health information (PHI)
  - Held or transmitted by a covered entity or BA in any form (paper, electronic, oral)
  - Individually identifiable
  - Relates to one’s past, present or future physical or mental health condition; provision of healthcare; or payment for provision of healthcare
  - (Ex. Disclosing someone is on Medicare: if the person is younger than 65, then you know they either have a permanent disability or end stage dialysis.)

HIPAA Applicability
- Deidentified information
  - Does not identify the individual
  - Not protected by the HIPAA privacy rule
  - 18 elements must be removed to deidentify an individual (Ex. phone number, address, email, license plate) Pg. 252

HIPAA Applicability: ARRA and HITECH Change
- Individually identifiable health information of deceased persons is no longer protected by HIPAA (for example, is no longer PHI) after the individual has been deceased more than 50 years.

HIPAA Applicability
- Individual—the person who is the subject of PHI
- Personal representative—a person with legal authority to act on another’s behalf

HIPAA Applicability
- Designated record set (DRS)
  - Includes health records, billing records, and various claims records used to make decisions about an individual
  - HIPAA applies to the DRS

HIPAA: Minimum Necessary
- Is a standard established by HIPAA
- Exceptions to minimum necessary
- Standard: must limit uses, disclosures and requests to only the amount reasonably needed to accomplish the intended purpose

HIPAA: Treatment, Payment and Operations
- The Privacy Rule provides a number of exceptions to its requirements for PHI that is being used or disclosed for treatment, payment or operations (TPO)

HIPAA: Individual Rights
- The HIPAA privacy rule provides individuals with rights that give them some control over their health information:
  - Right of access (affected by ARRA and HITECH)
  - Right to request amendment
  - Right to accounting of disclosures (affected by ARRA and HITECH)
  - Right to request restrictions (affected by ARRA and HITECH)
  - Right to request confidential communications
  - Right to complain of privacy rule violations

HIPAA: Individual Rights—Access
- Right of access
  - One’s own PHI contained in a designated record set
  - ARRA and HITECH: covered entities with EHRs must make PHI available or send electronically if individual requests
- Exceptions to access
  - Psychotherapy notes
  - Information compiled for civil or criminal actions
- Denial of access
  - No opportunity to review
  - Opportunity to review

HIPAA: Individual Rights—Access (continued)
- Access request
  - Provide request in writing (if previously informed of this)
  - Timely response is required by the covered entity
    - 30 days from receipt of request
  - Extension of time period
    - 30-day extension
    - Must provide individual with written statement within original 30-day time period
    - Written statement must include reason for delay and date covered entity will complete its action
  - Time period for records not maintained on site
  - Must produce in format requested if readily producible

HIPAA: Individual Rights—Access (continued)
- Charges
  - Reasonable fee may be imposed
    - Copying, including supplies and labor
    - Postage, when individual has requested information to be mailed
    - Preparation of an explanation summary, if agreed to by the individual in advance
  - Retrieval fee not permitted for patient requests
  - If costs not actually calculated or averaged for electronic PHI, OCR recommends $6.50 flat fee

HIPAA Individual Rights—Access (continued)
- Right of access gives individual the right to obtain his or her own PHI, or to direct that it be transmitted to a third party (vs. a request initiated by a third party)
- HIPAA authorization form (described later) is not required where the individual (patient) initiates the request

HIPAA: Individual Rights—Request Amendment
- Right to request amendment
  - May require the amendment request to be in writing
  - Allowed reasons for denial of amendment request
  - Facility may accept or deny request
  - Timely response to the request by the covered entity
  - Process for denial of requests for amendment

HIPAA: Individual Rights—Accounting of Disclosures
- Right to accounting of disclosures
- Disclosures that do not require an accounting
  - Disclosures for TPO purposes (only if covered entity does not have an EHR)
  - Individuals provided their own PHI
  - Incidental or otherwise permitted or required

HIPAA: Individual Rights—Accounting of Disclosures (continued)
- Disclosures that do not require an accounting (continued)
  - Pursuant to an authorization
  - Use in a facility directory
  - To meet national security or intelligence requirements
  - To correctional institutions or law enforcement officials
  - Disclosures that occurred before the HIPAA privacy compliance date

HIPAA: Individual Rights—Accounting of Disclosures (continued)
- Information included in an accounting
  - Date of disclosure
  - Name and address of entity or person who received the information
  - Brief statement of the purpose of the disclosure or copy of individual’s written authorization or request
- Timely response to request for accounting
- First accounting in 12-month period is free
- Required documentation

HIPAA: Individual Rights—Request Restrictions
- Right to request restrictions on uses and disclosures of PHI to carry out TPO
- Covered entity must permit such a request, but does not have to agree to the requested restriction
  - Exception: must agree if disclosure would be to a health plan for payment or operations, but individual paid for service or item completely out of pocket
- Termination of requested restrictions
- Covered entity’s responsibilities

HIPAA: Individual Rights—Confidential Communications
- Right to request confidential communications
  - Alternative routing or destination or by alternative method
  - Requests may be refused if information is not provided as to how payment will be handled

HIPAA: Individual Rights—Complain of Violations
- Right to complain of privacy rule violations
- Must inform individuals of right to complain at covered entity level and to the US Department of Health and Human Services

HIPAA Privacy Rule Documents: Notice of Privacy Practices
- Notice of Privacy Practices
  - Purpose
  - Availability of the notice
  - Required content
  - Acknowledgement by individual

HIPAA Privacy Rule Documents: Consent
- Consent
  - To use or disclose PHI for treatment, payment, and operations (TPO)
  - Optional document
  - Required content
  - Revocation

HIPAA Privacy Rule Documents: Authorization
- Authorization
  - Definition
  - Purpose
  - Content
  - Situations requiring an authorization

Authorization Not Required
- Required uses and disclosures without authorization
  - Access or accounting of disclosures requested by individual or personal representative
  - US Department of Health and Human Services investigation, review, or enforcement action

Authorization Not Required (continued)
- Permitted uses and disclosures without authorization (patient has opportunity to informally agree or object)
  - Directory of patients
  - Notification of family or friends

Authorization Not Required (continued)
- Permitted uses and disclosures without authorization (patient does not have opportunity to agree or object). These uses and disclosures are permissive only and must not violate a stricter or more protective state law.
  - Treatment, payment, and operations
  - To the individual
  - Incidental disclosures
  - Limited data set
  - 12 public interest and benefit purposes

Authorization Not Required (continued)
- Twelve public interest and benefit purposes:
  - As required by law (such as reporting specified wounds)
  - Public health activities
  - Victims of abuse, neglect, or domestic violence
  - Healthcare oversight activities
  - Judicial and administrative proceedings
  - Law enforcement purposes
  - Decedents
  - Cadaveric organ, eye or tissue donation
  - Research
  - Threat to health or safety
  - Specialized government functions
  - Workers’ compensation

Authorization Not Required (continued)
- Notes:
  - Disclosure of students’ immunization records is considered a public health disclosure (one of the 12 public interest and benefit purposes)
    - Written authorization not required
    - Oral agreement is required
  - Research: covered entity may combine conditioned authorizations and unconditioned authorizations as long as each is clearly marked and the individual is able to opt out of unconditioned research activities

HIPAA: Breach Notification
- Previously, mitigation (to be determined by covered entity) was required in the event of a breach; per ARRA/HITECH, breach notification is a required mitigation method
- Covered entities and BAs: subject to HHS regulations
- Others (including PHR vendors): subject to FTC regulations

HIPAA: Breach Notification
- Breach: “Unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information”
- Applies to unsecured PHI only (encrypted PHI is an exception)
- Breach presumed following impermissible use or disclosure unless an exception applies or there is a low probability of compromise

HIPAA: Breach Notification
- Exceptions to breach definition:
  - Unintentional acquisition, access or use of PHI by workforce member acting under authority of a covered entity or BA (information cannot be further used or disclosed in impermissible manner)
  - Inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity or BA to another person authorized to access PHI at the covered entity or BA (information cannot be further used or disclosed in impermissible manner)
  - If the covered entity or BA has good faith belief the unauthorized individual who received the PHI would not be able to retain the information

HIPAA: Breach Notification
- Probability of compromise determined by four-factor risk assessment:
  - Nature and extent of PHI involved, including types of identifiers involved and how likely it is that reidentification can occur
  - Who the unauthorized recipient was
  - Whether the PHI was actually obtained or viewed
  - Degree to which covered entity or BA mitigated the risk

HIPAA: Breach Notification
- Must notify affected individuals without unreasonable delay, and no more than 60 days from when first known or should have known
- 500 affected: media outlets must be used to notify public; Secretary of HHS must be notified
- All breaches < 500 affected are reported to HHS using an online tool, submitted no later than 60 days after the end of the calendar year

HIPAA: Marketing
- Definition
- General rule: use or disclosure of PHI for marketing requires authorization
- Marketing activities that do not require an authorization
  - Occurs face-to-face with the individual
  - Concerns products or services of nominal value

HIPAA: Marketing
- Activities not defined as marketing per HIPAA (authorization not required)
  - Communications by covered entity about health-related products and services provided by or covered as a benefit by the covered entity or a third party (must meet requirements)
  - Communications for treatment of individual
  - Communications for case management or care coordination or alternative treatments
- Remuneration to the covered entity must be disclosed

HIPAA: Marketing
- Unless a communication fits in one of the previous categories, it is not a healthcare operation
- The previous categories are not healthcare operations if the covered entity was paid for making the communication
- Exceptions (these are thus considered healthcare operations):
  - Communication re. a currently prescribed drug
  - Payment was reasonable and the covered entity received an authorization
  - Communication was made by a BA consistent with BAA despite payment
- Any remuneration for a communication must be prominently stated

HIPAA: Sale of Information
- Addressed specifically by ARRA and HITECH
- A covered entity or BA is prohibited from receiving direct or indirect compensation in exchange for an individual’s PHI without that individual’s authorization
- Authorization must state whether receiving entity can further exchange the PHI for compensation
- Exceptions exist

HIPAA: Fundraising
- Must inform individuals in Notice of Privacy Practices that PHI may be used for fundraising
- Instructions on opting out in future are required
- Opt-out ability required for fundraising communications that meet the definition of “healthcare operations”
- No authorization required if only the following is disclosed: name, address/other contact information, age, date of birth, gender; dates of healthcare services; department of service; treating physician; health insurance information; outcome information

HIPAA: Administrative Requirements
- Administrative requirements include:
  - Designation of privacy officer
  - Standards for policies and procedures
  - Workforce privacy training
  - Process for establishing privacy safeguards
  - Practices regarding sanctions
  - Prohibition against retaliation and waiver
  - Document and record retention

HIPAA: Enforcement and Penalties
- Individuals can be prosecuted for HIPAA violations
  - Ex. If a doctor has a spouse in the hospital they work at and they look at their records, it is a breach.
- Penalties apply to BAs
- Tiered penalties based on:
  - Unknowing violations
  - Due to reasonable cause
  - Willful neglect (corrected)
  - Willful neglect (uncorrected)

HIPAA: Enforcement and Penalties
- State attorneys general may bring civil actions based on alleged HIPAA violations
- HHS audits, removing enforcement on a complaint-based system only

Release of Information (ROI)
- The process of providing PHI access to individuals or entities deemed authorized to receive or review it
- Steps in the process:
  - Enter request in ROI database
  - Determine validity of authorization
  - Verify patient’s identity
  - Process the request

ROI Quality Control
- Productivity: turnaround times tracked
  - Continuity of care requests processed first
- Accuracy: information released appropriately
  - Confirm the signer
  - Confirm signer is legally competent and signed voluntarily
  - Use of HIPAA-compliant authorization forms

Medical Identity Theft
- Includes financial fraud and identity theft
- Victims include patients, providers, and payers
- Types:
  - Use of person’s identity to obtain medical services or goods
    - Victim may be unknowing or unaware of consequences
  - Use of person’s identity to obtain money by falsifying claims for medical services

Medical Identity Theft
- Also categorized as:
  - Internal (more prevalent)
  - External
    - Patient verification is necessary
- Fair and Accurate Credit Transactions Act (FACTA)
  - Red Flags Rule to identify, detect and respond to identity theft indicators

Patient Advocacy and Compliance
- Patient advocacy:
  - Steward of patient record
  - Patient-centered healthcare
  - Patient empowerment
  - Health literacy
  - Legal access to health record
- Compliance:
  - With laws that regulate the privacy of information
  - With all laws applicable to an organization
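The "Deidentified information" slide above states that 18 elements must be removed to deidentify a record and names four of them. The script below is an added example, not part of the AHIMA slides or the textbook: it applies that Safe Harbor removal to one constructed patient record. The field names (name, mrn, license_plate, note and so on), the sample values, and the function names deidentify and residual_identifiers are assumptions made for this illustration; the identifier categories are the HIPAA Safe Harbor list of 18, which the slide does not enumerate. It goes a little beyond the slide in two ways the Safe Harbor method allows: ZIP codes and dates are generalized (three-digit ZIP, year only, ages over 89 aggregated) rather than dropped, and free-text notes are scanned for identifiers that a field-by-field removal cannot see.

```python
"""Safe Harbor style deidentification of one patient record (added example)."""
import copy
import re
from datetime import date

# Assumed field names, mapped to the Safe Harbor identifier category each one
# falls under. The categories are the HIPAA Safe Harbor list; the field names
# are constructed for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name": "names",
    "street": "geographic subdivisions smaller than a state",
    "city": "geographic subdivisions smaller than a state",
    "phone": "telephone numbers",
    "fax": "fax numbers",
    "email": "email addresses",
    "ssn": "social security numbers",
    "mrn": "medical record numbers",
    "health_plan_id": "health plan beneficiary numbers",
    "account_no": "account numbers",
    "license_no": "certificate or license numbers",
    "license_plate": "vehicle identifiers, serial numbers and license plates",
    "device_serial": "device identifiers and serial numbers",
    "url": "web URLs",
    "ip": "IP addresses",
    "fingerprint": "biometric identifiers",
    "photo": "full-face photographs and comparable images",
    "other_unique_id": "any other unique identifying number, characteristic or code",
}
DATE_CATEGORY = "dates (other than year) directly related to an individual"
GEO_CATEGORY = "geographic subdivisions smaller than a state"

# Identifiers that tend to leak into free-text notes, where field names cannot help.
TEXT_PATTERNS = {
    "telephone numbers": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email addresses": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "social security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "IP addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def deidentify(record, low_population_zip3=frozenset(), as_of=date(2020, 1, 1)):
    """Return (deidentified copy, sorted list of identifier categories handled)."""
    out = copy.deepcopy(record)
    handled = set()
    for field, category in DIRECT_IDENTIFIER_FIELDS.items():
        if field in out:
            del out[field]
            handled.add(category)
    # ZIP codes: Safe Harbor keeps the first three digits unless that area has
    # 20,000 or fewer residents, in which case it becomes 000. The sparse
    # prefixes come from census data in practice; here they are a parameter.
    if "zip" in out:
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in low_population_zip3 else zip3
        handled.add(GEO_CATEGORY)
    # Dates: keep the year only. Ages over 89, and birth years that would
    # reveal such an age, collapse into a single "90+" bucket.
    if "birth_date" in out:
        born = out["birth_date"]
        age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
        out["birth_date"] = "90+" if age > 89 else born.year
        handled.add(DATE_CATEGORY)
    for field in ("admit_date", "discharge_date"):
        if field in out:
            out[field] = out[field].year
            handled.add(DATE_CATEGORY)
    if "age" in out and out["age"] > 89:
        out["age"] = "90+"
    # Free text: redact patterns the field-level pass cannot see.
    if "note" in out:
        for category, pattern in TEXT_PATTERNS.items():
            out["note"], hits = pattern.subn("[REDACTED]", out["note"])
            if hits:
                handled.add(category)
    return out, sorted(handled)


def residual_identifiers(record):
    """(field, category) pairs still present; an empty list means the record is clean."""
    findings = [(f, DIRECT_IDENTIFIER_FIELDS[f]) for f in record if f in DIRECT_IDENTIFIER_FIELDS]
    for field, value in record.items():
        if isinstance(value, str):
            findings.extend((field, c) for c, p in TEXT_PATTERNS.items() if p.search(value))
    return findings


# Constructed sample record; every value below is invented for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "street": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "birth_date": date(1975, 4, 9),
    "admit_date": date(2019, 11, 3),
    "phone": "555-010-0199",
    "email": "jane@example.invalid",
    "mrn": "MRN-0001234",
    "license_plate": "ABC 1234",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Patient reachable at 555-010-0199 or jane@example.invalid; glucose well controlled.",
}

if __name__ == "__main__":
    cleaned, handled = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("categories handled:", handled)
    print("residual identifiers:", residual_identifiers(cleaned))
```

Running the script prints the cleaned record with state, three-digit ZIP, years and diagnosis kept and everything else stripped or redacted. residual_identifiers is the check to run before the output is treated as deidentified and no longer PHI: it should return an empty list, and on the raw record it lists every field and note fragment that still carries an identifier.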