HIPAA WORKSHOP
UTA – HCAD Students
By Barbara Odom-Wesley, PhD, RHIA
May 27, 2003

OBJECTIVES
• Review the value of Medical Records
• Review Federal & State Requirements for Medical Record Privacy
• Update procedures regarding confidentiality & release of healthcare information
• Study the impact of HIPAA on medical practices

Medical Record Definition
• A compilation of pertinent facts
• Of a patient’s life and health history, including past and present illnesses and treatments
• Written by the health professionals contributing to that patient’s care
• Compiled in a timely manner
• And contains sufficient data to:
  Identify the patient
  Justify the treatment
  Support the diagnosis
  Document the results

MEDICAL RECORD DOCUMENTATION
Arrangement
Forms Management
Compliance
Policies
Analysis

WHY MEDICAL RECORDS?
CLINICAL
• Patient Care Management
• Quality Review
• Research
• Public Health
• Education
LEGAL
• Documentary Evidence
• Confidentiality
FINANCIAL
• Medical Necessity
• Complexity
• Detail Services
• Substantiate Claims

STANDARDS
• JCAHO: Joint Commission on Accreditation of Healthcare Organizations
• NCQA: National Committee for Quality Assurance
• HEDIS: Health Plan Employer Data & Information Set
• AAAHC: Accreditation Association for Ambulatory Health Care
• TSBME: Texas State Board of Medical Examiners

MORE STANDARDS
• Conditions of Participation (Medicare)
• Uniform Ambulatory Care Data Set
• Professionally Accepted Practices

OIG Compliance Plan
• Auditing & Monitoring
• Standards & Procedures
• Compliance Officer
• Training & Education
• Corrective Action Plan
• Communication Lines
• Disciplinary Standards

CONFIDENTIALITY
CONCEAL OR REVEAL?
• Physician-patient relationship
• Medical Record ownership
• Texas Legal Statutes
  Senate Bill 667
  Senate Bill 975
• Senate Bill 11
• Federal Law: HIPAA

Senate Bill 667
• Authored to reduce confidentiality threats
• Debated in four legislative sessions
• Passed by House and Senate May, 1995
• Effective: January 1, 1996
• 1997 Revisions: SB 975
• Support: THA, TxHIMA, Trial Lawyers

1997 Revisions (SB 975)
• Added Exceptions:
  Directory Information
  Transporting EMS
  Clergy
  Organ or tissue procurement
  American Red Cross
  Poison Control Center
  Utilization Review Agent
• “incompetent” changed to “incapacitated”
• Clarified court subpoena
• Fees:
  Document certification
  Written questions ($10.00)
  None for patient examination
  None for Workers’ Comp.

Senate Bill 11
The Texas extended arm of HIPAA
• Disclose PHI for health research only with individual consent or IRB waiver.
• Composition & conduct of privacy board
• Disclose for health research if represented as necessity.
• Authorizes subject of research access to information at conclusion of trial.
• Use of PHI for public health activities without authorization.
• Prohibits re-identifying without authorization

SENATE BILL 11 PROVISIONS
• Prohibits disclosing, using, selling, or coercing consent for marketing purposes
• Extended to parties not covered by HIPAA (holder of insurance license)
• Amends insurance code to require authorization to disclose any nonpublic PHI
• Right of patient to revoke authorization
• Exempt: nonprofits, Workers’ Comp., Red Cross, offenders with mental impairments, educational records, public health authority
• Effective 9/1/01; insurance code amendments 1/1/02

HIPAA
Health Insurance Portability and Accountability Act of 1996
History of Legislation
• Congress failed to adopt by August 21, 1999 as required by HIPAA
• Privacy Standards developed by DHHS
• Effective: 4/14/2001

HIPAA
http://aspe.os.dhhs.gov/admnsimp/
• Pub.L.104-191
• Federal Register vol. 65 no. 250, pp 82462-82829
• Enacted April 14, 2001
• Privacy implementation: April 14, 2003
• Amended: Public Health Service Act (PHS), Employee Retirement Income Security Act of 1974 (ERISA), Internal Revenue Code of 1986
• Final Regulations August 14, 2002

Simplification Standards
Extension: www.cms.gov/hipaa2/default/asp
• Electronic Exchange
• Unique Health Identifiers
• Code Sets
• Security
• Electronic Signatures
• Transmission of Data
• Privacy

HIPAA Privacy GOALS
1. Protect & enhance rights of consumers by providing them with access to their health information & controlling the inappropriate use of that information
2. Improve the quality of healthcare in the US by restoring trust in the healthcare system
3. Improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection

HIPAA Highlights
• Paper & verbal
• Preempts state law
• Mechanism for complaints
• Office of Civil Rights Administers
• Mitigation for Policy Violation
• Privacy Training
• Organization Requirements
• Definitions for appropriate release

PRIVACY STANDARDS
• Covered Entities
• Protected Health Information
• Consents
• Authorizations
• Rights of Individuals
• Privacy Officer
• Staff Training
• Business Associate Relationships
• Administrative Requirements
• Preemption
• Accounting for Disclosures
• Guidelines for Release

Covered Entities (CE)
• All but “small” health plans (<5 mil revenue): Implementation by 4/14/2004
• Large health plans & healthcare providers: Implementation by 4/14/2003
• Health Care Clearinghouse
• Health Care Provider of Services or Supplies (direct/indirect treatment relationship)

COVERED ENTITIES (CE)
• Direct Care Providers: treatment relationship
• Indirect: delivers healthcare based on orders; provides service, product or report to another provider
• Clearinghouse: processes or facilitates processing of PHI received from CE

Organized Healthcare Arrangement
• Separate covered entities
• Establish clinically & operationally integrated systems
• Permitted to share information for TPO
• May use common Notice and Consent
• Example: hospital & its associated medical staff

Are you a CE?
• Cardiology Associates keeps medical records on paper and in file drawers and does not have electronic records. They only use the computers for accounting, scheduling and other limited purposes.
• YES

COMPLIANCE DATE: APRIL 14, 2003

What Information is Covered?
Protected Health Information (PHI)
• Identifies an individual
• Relates to health, treatment, healthcare payment
• Created or received by CE
• Maintained or disclosed electronically, on paper, orally

Information Not Covered
Individual health information loses its protections and may be used or disclosed freely if it can’t be used to identify an individual. Must remove all 18 identifiers.

Covered Business Associates
Performs or assists in the performance of a function or activity for the Covered Entity, not part of workforce. Confidentiality contract required:
  Attorneys
  Actuaries
  Accountants
  Consultants
  Computer Vendors
  Outsourced Services

BUSINESS ASSOCIATE TEST
1. On behalf of CE
2. Other than workforce
3. Involves use of PHI

Requirements for Business Associates
• Assurance they will safeguard information
• Contracts should set permitted uses & disclosures
• Contracts should stress privacy
• Safeguard PHI from misuse
• CE is not liable for violations

Enforce Contracts
If the provider becomes aware of a “pattern of practice” that is a violation of contractual obligations, “reasonable steps” must be taken to solve the problem or the contract must be terminated. If the contract can’t be broken, the provider must report the problem to HHS.

Business Associates Final Reg. Changes
• Additional year to incorporate BA agreements not up for renewal (April 2004)

Identifying Business Associates
• WeCare, Inc., a local nursing home, hires a law firm to defend it in an elder abuse case. ASC discloses PHI to a health plan for payment purposes. Which of these entities, the law firm or the health plan, would be a BA?
• The law firm is a BA. The health plan is not a BA.

PATIENT RIGHTS
• To consent for uses or disclosures of PHI to carry out treatment, payment, or healthcare operations, & the right to notice of privacy practices as part of the required consent form or process
• To access Protected Health Information (PHI)
• To accounting of how their PHI has been disclosed outside normal patient care channels
• To agree or object to certain disclosures
• To request amendment or correction to PHI
• To request restrictions on use of PHI for treatment, payment or healthcare operations

CONSENTS
Individual Consents required for:
  Payment
  Treatment
  Healthcare Operations

PERMITTED DISCLOSURE
Consent Coverage: TPO
• Treatment: Direct and Indirect
• Payment: UR, medical necessity, determination of coverage
• Operations: QA, credentialing, peer review, quality analysis, accreditation, fraud/abuse monitoring

Requirements for CONSENTS
• May be written in general terms
• Provider can refuse to treat individuals who do not consent to uses & disclosures for treatment, payment, healthcare operations
• Can be combined into a single document covering all three activities & combined with other types of legal permission
• Consents may be revoked in writing at any time.
Consents not Required
• Indirect treatment relationship
• Inmates
• Required by law to treat
• Substantial barriers to communicate
• Emergency treatment (must obtain as soon as reasonable)

Psychotherapy Records
• CE’s must obtain the individual’s authorization to use or disclose psychotherapy notes to carry out TPO (other than originator of notes)
• Differs from other records because they do not include information that is typically needed for TPO
Final rule, Section 164.508

Final Rule Changes to Consents
• Optional
• Direct Provider CE
• Written Acknowledgement alternative: document receipt of “Notice of Privacy Practices”
• Not required for emergencies
• Layered Notice encouraged: patient-friendly summary, full notice layered beneath
• Allows disclosure of PHI for another provider (TPO)

Need a Consent?
• A primary care physician sees a patient who has been experiencing arrhythmia. The physician refers the patient to a cardiologist for testing. The physician’s office calls the cardiologist’s office to arrange for an appointment for the patient. The patient would be new to the cardiologist’s practice. May the cardiologist schedule the appointment and review the patient’s information prior to the patient signing a consent?
• Under the final changes, prior consent is not required. A “Notice” is required to be provided.

Consent Required?
• An elderly woman is bedridden and is unable to leave the house to pick up her medications. She calls a friend and asks the friend to pick up the prescription for her. May the pharmacist give the prescription medication to the friend?
• Yes, there is implied consent. Prior consent is not required. The “Notice” should be given to the friend.

AUTHORIZATIONS
• Allows use & disclosure of PHI for purposes other than those covered by consent
• Must be written in specific terms with essential elements
• May not condition treatment on signing
• Can be revoked at any time.
NO BLANKET AUTHORIZATIONS

VALID AUTHORIZATIONS
• Written, Dated, Signed: Patient
• Legally Authorized Representative:
  Parent/Guardian
  Adult Guardian
  Durable Power of Attorney/Agent
  Attorney ad litem
• Information & Time
• Purpose
• To whom
• Facility to Release
• Right to withdraw
• Validity date (90 days)
• Photocopy valid

CONSENTS vs. AUTHORIZATIONS
Consents:
• General language
• One time consent
• Allows full exchange among treatment team
• Refuse treatment without
• Allows for TPO
• May be revoked in writing
Authorizations:
• Specific, detailed
• Required for each release
• May not condition care on refusal
• Psychotherapy records
• Non-TPO purposes
• Must keep a record

Authorization Required?
• A person injured in a car crash is treated at an ASC. The ASC receives a request for medical records from an attorney who represents the driver in the automobile accident. The request states the attorney represents the driver who has been sued for negligence by the patient and to send the records to the lawyer within 15 days of receipt of the request. May the center disclose the patient’s records to the attorney without authorization from the patient?
• No, it requires an authorization or court order.

Authorization for Marketing?
• A group of oncologists have been approached by a pharmaceutical company to purchase the group’s patient list so the company may develop a new marketing plan for its pharmaceuticals. May the group sell its patient list?
• No, not without authorizations from each patient.

GUIDELINES FOR RELEASE
• Minimum Necessary
• Minors
• Deceased
• By Fax
• Subpoenas
• Copy Fees

Minimum Amount Necessary
Covered Entities must make all reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
Minimum Necessary Guides
• Establish role-based access for workforce
• Standard guidelines for recurring/routine disclosures
• Make determinations for “non-routine” disclosures
• Exception: disclosures for treatment
• Incidental disclosure not violation

Misuse of PHI
• The Widget Company establishes a group health plan for the benefit of its employees. A couple of employees of the company perform administrative functions for the group health plan. They sometimes have access to PHI. One of these employees learns that someone in the company has contracted hepatitis and tells her boss about the condition. The boss, fearful of the cost implications, decided to include the employee in a reduction in workforce.
• This violates the standards.

Deceased
• Executor
• Spouse
• Adult Child
• Parent
• Adult Sibling
• Statutory beneficiary

Minors
• Emancipated: 16, independent
• Active Duty Military
• Related to pregnancy
• Related to chemical dependence
• Counseling for abuse, suicide
• Infectious, contagious, communicable diseases

Written Denial of Request
• Form letter on office letterhead
• We are unable to respond because…
  Incomplete identification of patient
  Office not specified to release
  Party to receive not specified
  Information to release not specified
  Authorization incomplete due to...

Responding to Requests
• Deny invalid authorization
• Never release originals
• Furnish copy, summary, narrative
• Delete information about others
• Provide within 30 days
• Notify patient of compulsory in 10 days
• Exception: Physician determines harmful

Protect Confidentiality
• Post notice on copies
• Prohibit redisclosure
• Provide other’s records only for original purpose of release

POST NOTICES
Prohibition on Redisclosure
This information has been disclosed from confidential records which are protected by federal law. Federal regulations prohibit the redisclosure of the information without the written consent of the person to whom it pertains.
RECEIVING PHI
• Any person who receives information made confidential by this Act may disclose the information to others only to the extent consistent with the authorized purposes for which consent to release the information was originally obtained.
• Furnish copies including records received from a physician or other health care provider involved in the care or treatment of the patient only for continued care or treatment.

EXCEPTIONS
For Legal Purposes:
• Patient legal proceedings against physician
• Substantiate & collect on claim
• Civil litigation or administrative proceeding
• Disciplinary investigations
• Involuntary commitments
• Criminal case involving patient
• Execution of Will
• Court Order or Subpoena

“COURT SUBPOENA”
• “As the author of S.B. 667, I can unequivocally state that it was not my intent to limit subpoena power for medical records to judges or remove that power from any legally authorized officer of the court who was empowered with such authority prior to the passage of SB 667. It was my intent that the term “court subpoena”, as used in SB 667, be interpreted to mean a subpoena issued by the officer of the court under the authority of the Texas Rules of Civil and Criminal Procedure or a subpoena issued under the authority of Chapter 121 of the Texas Civil Practices and Remedies Code.” – Frank Madla, Texas State Senate, District 19, March 8, 1996

SUBPOENAS
Judicial
• Official legal order
• Issued by a court of law
• Compels to appear
Nonjudicial
• Notary, court reporting service, record copying service
• Patient consent is required

Court Order Required
  Substance Abuse
  Mental Illness
  Communicable, contagious diseases (STD)

Exceptions for Other Purposes:
• Governmental agencies
• Law enforcement
• Management audits
• Other physicians & personnel
• Collection of fees
• State Hospital inquiries
• Education, QA, peer review
• Custodial institutions
• IRB Research project
• HMO for statistics

Release by Fax
• Only when original hard copy, mail-delivered, will not meet needs of immediate patient care.
• Required for ongoing certification
• Use cover sheet (confidentiality statement)
• Verify receipt
• Photocopy thermal paper

$ REASONABLE FEES $
• Ten day notification requiring payment
• Not required to release until paid
• May not deny release based on past due account
• TSBME Effective: 4/16/96
  First 20 pages = no more than $25.00
  Each subsequent page = 15 cents
  Mailing/Delivery = actual costs
  Films/diagnostic imaging studies = $8.00

PREEMPTION
• HIPAA will preempt state laws relating to the privacy of individually identifiable information except for those that are contrary to and more stringent than the federal HIPAA requirements.

Individual Access
• To inspect & copy PHI for as long as CE maintains information.
• No automatic right to access: psychotherapy notes, information in criminal, civil, or administrative action, PHI exempted by CLIA
• CE must act within 30 days (60 if offsite)
• CE may charge fees based on cost
• CE must maintain records of personnel responsible for 6 years

Accounting for Disclosures
Right to accounting for 6 years prior to request
Exceptions:
• For payment, treatment, or operations
• To the individual patient
• For the directory or those involved in care
• National security or Intelligence purposes
• To correctional institutions or law enforcement
• Prior to compliance date
• Authorization received

Accounting for Disclosures Guidelines
• CE must act within 60 days
• CE must provide one free per year
• Must include:
  date
  person to whom released
  description of information
  copy of authorization

DISCLOSURE LOG
• One in each patient record
• One line per disclosure
• Date
• Person/entity to whom released
• Information released
• Initials of staff who released
• Comments regarding release

Accounting Required?
• Dr. Green must document each time she consults the chart to answer a patient’s question.
• No, this is a use of the PHI, not a disclosure.
• What about when she calls another physician to discuss the patient’s condition?
• No, exceptions are those disclosures for TPO. Disclosures with authorization are also excepted.
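As an added example that is not part of the workshop slides, the disclosure log and the accounting rules from the preceding slides (one line per disclosure; a six-year window; TPO, authorized and pre-compliance-date disclosures excepted; 60 days to act; one free accounting per year) expressed as a small Python model. The purpose tags, the patient id and every sample entry are constructed for illustration and are not real data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

COMPLIANCE_DATE = date(2003, 4, 14)  # privacy compliance date from the slides
ACCOUNTING_YEARS = 6                 # accounting covers six years before the request
RESPONSE_DAYS = 60                   # CE must act within 60 days
# Purposes the "Accounting for Disclosures" slide excepts (tags are constructed here).
EXCEPTED_PURPOSES = {"treatment", "payment", "operations", "to_individual",
                     "directory_or_involved_in_care", "national_security",
                     "correctional_or_law_enforcement"}


@dataclass
class Disclosure:
    """One line of the per-patient log; fields follow the DISCLOSURE LOG slide."""
    released_on: date
    recipient: str           # person/entity to whom released
    information: str         # information released
    staff_initials: str      # initials of staff who released
    purpose: str             # constructed tag; the slide only has a free-text comment
    authorization_on_file: bool = False
    comments: str = ""


def years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:       # 29 Feb with no counterpart in the target year
        return d.replace(year=d.year - years, day=28)


@dataclass
class DisclosureLog:
    patient_id: str
    entries: list = field(default_factory=list)
    free_accountings: list = field(default_factory=list)  # dates free accountings were given

    def record(self, entry: Disclosure) -> None:
        if not entry.staff_initials.strip():
            raise ValueError("each log line must carry the releasing staff's initials")
        self.entries.append(entry)

    def accountable(self, e: Disclosure, requested_on: date) -> bool:
        """Drop excepted purposes, authorized releases, pre-compliance releases
        and anything outside the six-year window."""
        if e.purpose in EXCEPTED_PURPOSES or e.authorization_on_file or e.released_on < COMPLIANCE_DATE:
            return False
        return years_before(requested_on, ACCOUNTING_YEARS) <= e.released_on <= requested_on

    def request_accounting(self, requested_on: date) -> dict:
        """The accounting owed, the 60-day deadline, and whether it is the one
        free accounting in a twelve-month period."""
        lines = [{"date": e.released_on.isoformat(), "to": e.recipient, "information": e.information}
                 for e in sorted(self.entries, key=lambda x: x.released_on)
                 if self.accountable(e, requested_on)]
        free = not any(years_before(requested_on, 1) < d <= requested_on for d in self.free_accountings)
        if free:
            self.free_accountings.append(requested_on)
        return {"disclosures": lines, "free_of_charge": free,
                "respond_by": (requested_on + timedelta(days=RESPONSE_DAYS)).isoformat()}


def sample_log() -> DisclosureLog:
    """Constructed sample entries for one patient (not real data)."""
    log = DisclosureLog("PT-0001")
    for row in [
        (date(2003, 5, 1), "Dr. Blue, cardiology", "referral summary", "bow", "treatment", False),
        (date(2003, 6, 10), "Acme Health Plan", "claim form", "jd", "payment", False),
        (date(2003, 7, 2), "State health department", "lab result", "bow", "public_health", False),
        (date(2002, 12, 1), "County hospital", "ER record", "jd", "public_health", False),
        (date(2003, 8, 15), "Attorney Smith", "complete record", "bow", "legal", True),
        (date(2003, 9, 1), "University research registry", "encounter summary", "jd", "research", False),
        (date(2003, 10, 5), "Patient", "copy of chart", "jd", "to_individual", False),
    ]:
        log.record(Disclosure(*row))
    return log
```

Calling `sample_log().request_accounting(date(2004, 1, 15))` returns only the public health and research disclosures, a response deadline of 2004-03-15, and marks the accounting as the free one for that year.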
Request for Amendment
• CE may require written request with rationale
• CE has 60 days to act
• Notify individual that amendment accepted
• Inform relevant persons
• CE may deny request (written):
  physician not available
  not a part of designated record set (DRS)
  accurate & complete
• CE can prepare rebuttal
• Include with future disclosures

Denying Request
• Not created by CE
• Not part of designated record set
• Not available for inspection
• Accurate and complete
• Document denial
• Individual right to statement of disagreement

Designated Record Set (DRS)
• A group of records maintained by or for a CE:
• Medical records and billing records
• Used in whole or in part, by or for the covered entity to make decisions about individuals

Notice of Privacy Practices
Written notice to patients including:
• Uses & disclosures of PHI
• Explanation of privacy rights
• Charges
• CE’s responsibility under HIPAA
• How to file complaints with CE or HHS
• Name/title/phone of contact person
• Effective date of notice

Notice Introduction
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please read it carefully.
Include one example of each type of use and disclosure (TPO) that CE is authorized to make.

NOTICE DISTRIBUTION
• Post in office
• Post on website
• Post in treatment areas
• Provide copies in office
• Use e-mail with patient permission
• No later than first service delivery
• Patient must acknowledge receipt

NOTICE Procedures
• Retain copies of notices issued; include version number & effective date
• Revise & communicate changes
• Do not combine with the consent except for research

PRIVACY OFFICIAL
A CE must designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures of the entity.
AHIMA Certification: CHP
Principles for Protecting PHI
• Notice – Existence & purpose known
• Choice – Collected & released with knowledge
• Access – Accurate, complete, timely
• Security – Reasonable safeguards
• Enforcement – Mitigation & penalties

SECURITY REGULATIONS
Compliance: April 20, 2005
• Administrative Safeguards: policies & procedures to protect ePHI; manage conduct of workforce
• Physical Safeguards: unauthorized intrusions; natural & environmental hazards
• Technical Safeguards: technology to control access

Steps to HIPAA Compliance
• Appoint Leadership Team (Privacy Officer)
• Educate staff on requirements
• Review current procedures
• Conduct a gap analysis
• Set goals
• Identify resources needed
• Develop timeline & document progress

Compliance & Penalties
• Dept. of HHS – Office of Civil Rights: Implementation & Enforcement
• Process complaints
• Civil: $100/violation to $25,000/year for identical violation
• Criminal: knowing violations, false pretenses, personal gain/malice
  Fines: $50,000 - $250,000
  Imprisonment 1 – 10 years

OFFICE PREPAREDNESS
• Appoint privacy officer
• Develop confidentiality policies/procedures
• Define levels of access
• Design consent & authorization forms
• Include in Budget
• Upgrade Equipment (paper & electronic)
• Renovations for physical safeguards
• Review contractual agreements
• Train Staff

Release of Information Policies
• Limited Use Rule: for purposes compatible with reason for collection
• Limited Disclosure Rule: only for authorized purpose; employee confidentiality statement
• Minimal Disclosure Rule: minimum necessary to accomplish purpose
• Accounting for Disclosure Rule: maintain record of all access
• Security Rule: administrative, technical, physical safeguards
• Notice of Practices

PROCEDURES NEEDED
• Consents
• Authorizations
• Amendments
• Patient Access
• Copying by Patient
• Denial of Access
• Nonretaliation for whistleblowers
• Opt-out (directories/marketing/fundraising)
• Verification of identification for requestors
• Complaints Handling
• Sanctions
• Release without authorizations

Confidentiality & Office Dynamics
• Policies and Practices
• Staff Awareness
• Scheduling Appointments
• Calling patients from waiting room
• Posting information outside exam room
• Conversations among providers
• Architectural considerations

Sign-In Sheets
• Dr. Taylor’s practice utilizes patient sign-in sheets which patients sign when they arrive for an appointment. When Dr. Taylor is ready for her next appointment, the nurse calls out the patient’s name in the waiting room notwithstanding that there are others in the room as well.
• The intent of the regulations was not to prohibit this type of practice, but to make sure reasonable safeguards are put into place. Each provider will need to make their own business decisions regarding what these safeguards must be. There are reasonable options to these practices.

STAFF TRAINING
• Document for every employee with access to PHI
• Entire workforce must be trained prior to compliance date.
• New employees must be trained within reasonable time

Impact on Internship Students
• Workforce Training
• Sign Confidentiality Statements
• Demonstrate knowledge of standards
• Receive PHI only as required for the assignment
• Do not disclose PHI orally or in writing
• Respond appropriately to various situations

More Information
• www.ama-assn.org
• www.texmed.org
• www.ahima.org
• http://thomas.loc.gov
• www.mgma.com
• www.wedi.org
• www.hhs.gov/ocr/hipaa
• www.ncqa.org
• www.the-medicare.com
• www.cms.gov
• www.healthlawyers.org
• www.privacyassociation.org

Additional Websites
• AdvanceforHIM.com
• WhatIs.techtarget.com
• Webopedia.com
• NIST.gov
• Google.com
• HIPAAadvisory.com
• WEDI.org
• HIMinfo.com
• CMS.gov
• CDC.org

RESOURCES
• Model Forms: http://www.ama-assn.org/ama/pub/category/6698.html
• Physician Compliance Report: www.hcmarketplace.com
• Medical Office Manager: Newsletter for Physician Office Administrators: www.ardmorepublishing.com

PREPARE FOR THE FUTURE
• EDI transaction and code sets
• Security guidelines for technical components of protecting access to PHI
• Medical Errors & Documentation
• Patient Participation In Documentation
• The Paperless Office