OCR: HHS Office for Civil Rights (www.hhs.gov/ocr/hipaa). OCR will investigate complaints.
PHI: Protected Health Information; information created or received by a health care provider that relates to the physical or mental health of the individual, past, present or future; to the provision of health care; or to payment for the provision of health care.
TPO: treatment, payment or health care operations.
Business Associates: those who receive PHI from covered entities in order to carry out essential functions or perform services for providers (accountants, lawyers, medical transcription services, claims processing vendors).
Covered Entity: health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically.
Personal Representative: usually a parent or guardian of a minor who has the authority to make health care decisions and therefore has the right to obtain access to health information and control PHI.
DRS: designated record set.
Gap Analysis: assessment of the practice as it pertains to the accessibility of records to providers, employees, or patients; the physical location of records; and computer access.
Minimum Necessary: disclose the least amount of PHI for treatment purposes; make a reasonable effort to limit use, disclosure and requests for PHI. Exceptions: disclosures to HHS (OCR), disclosures required by other laws, disclosures needed to comply with HIPAA transactions, or disclosures authorized by the patient.
HIPAA
The purpose of the Privacy Rule is to protect patients from unauthorized access to their health information. In one case a hospital's computer system was entered and sensitive information was divulged; in another, a system was accessed and information was altered. The fear by individuals that their health information could be used in this way, or against them, such as for withholding of insurance, jobs, etc., has prompted the need to protect the public against this technological assault.
The Privacy Rule, HIPAA 1996, became effective 4/14/2001, with the requirement that practices be compliant by 4/14/2003, and small practices by 2004. Guidelines will be issued periodically to aid in this transition, in addition to the steps covered entities will need to take to come into full compliance. An important concept to this end is scalability, which means that the extent to which the rules apply is scaled based upon the size and complexity of each practice. The fifty-physician group must have more stringent rules and safeguards in place than the solo practitioner.
The Health Insurance Portability and Accountability Act (HIPAA) Security Standards (the "Security Rule") were published in final form in the Federal Register on February 20, 2003. All covered entities, including physicians who transmit standard transactions (e.g. claims), must comply with the Security Rule by April 21, 2005. The Security Rule is intended to establish a level of protection for protected health information, focusing on information transmitted and maintained electronically. The Security Rule specifies a series of administrative, technical and physical procedures to assure the security of protected health information.
Although the previously published proposed rule included a standard for electronic signatures, this version of the Security Rule does not include the electronic signature standard requirement. A final rule for electronic signatures will be published at a later date. The AMA will provide a summary of the Security Rule and a compliance checklist shortly. The six-page text of the Security Rule is available at the link below, starting at page 44. The remainder of the document is background information. Visit
http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-3877.pdf
for additional information.
Step-wise approach to achieving compliance:
1. Name a Privacy Officer.
2. Assess information forms: computers, charts.
3. Provide a policy for automatic log-off, unique user ID and password, and audit trails.
4. Assess physical security; remedy any breaches.
5. Write policies and procedures covering:
   - Confidentiality of PHI
   - Patient Consent and Notice of Privacy Policies
   - Medical record storing, accessing, releasing
   - Workstations
   - Charts
   - Faxes
   - Verbal communications of PHI
   - E-mail with PHI
   - Electronic communications (employees and patients)
   - Sign-in sheets/logs
   - BA policies
   - Minimum necessary: what constitutes the minimum amount of information needed to communicate
   - Employee termination
   - Release of information
   - Remote access
   - Patient Rights
6. Teach employees.
7. Notice to patients: create the Privacy Notice and make it available.
8. Consent Form, which describes how PHI will be used and refers patients to the Privacy Notice.
9. Review and amend BA contracts.
10. Assess external threats (need for "firewalls").
11. Create an Authorization form if there is an intent to use PHI for other reasons (e.g. research).
Frequently asked questions:
Which takes priority, State laws or HIPAA? The State laws, which usually are more restrictive, override HIPAA, as does CLIA.
Can a provider use collection agencies or credit agencies? As long as there is a proper agreement in place between the covered entity and the BA (collection or credit agencies), then this is acceptable to carry out TPO. However, information should be limited to payment history.
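The minimum-necessary definition above and the collection-agency answer describe the same control: a disclosure is scoped to the purpose it serves, and a collection agency sees payment information only. The following Python is an added illustration, not code from this page or any HIPAA source; the field sets in ALLOWED_FIELDS, the patient record, and the purpose names are constructed assumptions a practice would replace with its own policy. It also shows the audit trail that step 3 of the compliance steps calls for, and the "requests" half of the rule: fields the recipient asks for but is not permitted are withheld and the withholding is logged.

```python
"""Purpose-based PHI disclosure with an audit trail (illustrative example)."""
from datetime import datetime, timezone

# Constructed sample record; every value here is made up for the example.
PATIENT_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Doe",
    "dob": "1970-01-01",
    "ssn": "000-00-0000",
    "diagnoses": ["I10"],
    "medications": ["lisinopril 10 mg"],
    "balance_due": 245.00,
    "payment_history": [{"date": "2003-01-15", "amount": 100.00}],
}

# Assumed mapping from disclosure purpose to the fields that purpose may see.
# These sets are this example's own choices, not a HIPAA-defined list; a real
# practice derives them from its own written minimum-necessary policy.
ALLOWED_FIELDS = {
    "treatment": {"mrn", "name", "dob", "diagnoses", "medications"},
    # A collection agency (a Business Associate) gets payment data only.
    "collections": {"mrn", "name", "balance_due", "payment_history"},
}

AUDIT_TRAIL = []  # in-memory audit trail; a real system would persist this


def _audit(action, user_id, recipient, purpose, mrn, fields):
    """Append one audit entry recording who disclosed what, to whom and why."""
    AUDIT_TRAIL.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "user": user_id,
        "recipient": recipient,
        "purpose": purpose,
        "mrn": mrn,
        "fields": sorted(fields),
    })


def disclose(record, purpose, recipient, user_id, requested=None):
    """Return only the fields of `record` permitted for `purpose`.

    `requested` narrows the disclosure to the fields the recipient actually
    asked for; requested fields outside the permitted set are withheld and
    the withholding is logged. An unknown purpose is refused and logged.
    """
    mrn = record.get("mrn")
    allowed = ALLOWED_FIELDS.get(purpose)
    if allowed is None:
        _audit("denied", user_id, recipient, purpose, mrn, [])
        raise PermissionError(f"no disclosure policy for purpose {purpose!r}")

    wanted = set(record) if requested is None else set(requested)
    permitted = wanted & allowed
    withheld = wanted - allowed
    disclosed = {k: record[k] for k in record if k in permitted}

    _audit("disclosed", user_id, recipient, purpose, mrn, disclosed)
    if withheld:
        _audit("withheld", user_id, recipient, purpose, mrn, withheld)
    return disclosed


def audit_entries(mrn, action=None):
    """Return audit entries for one patient, optionally filtered by action."""
    return [e for e in AUDIT_TRAIL
            if e["mrn"] == mrn and (action is None or e["action"] == action)]


if __name__ == "__main__":
    # Collection agency asks for diagnoses too; only payment fields go out.
    agency = disclose(PATIENT_RECORD, "collections", "Acme Collections",
                      "billing01",
                      requested=["name", "balance_due", "payment_history",
                                 "diagnoses"])
    print("to collection agency:", sorted(agency))
    try:
        disclose(PATIENT_RECORD, "marketing", "vendor", "billing01")
    except PermissionError as exc:
        print("refused:", exc)
    for entry in audit_entries("MRN-000123"):
        print(entry["action"], entry["purpose"], entry["fields"])
```

The audit entries are the part a reviewer checks: every disclosure names the user, the recipient, the purpose and the exact fields, and a withheld request is itself evidence that the minimum-necessary policy is being applied rather than bypassed.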
Is the covered entity liable for privacy violations of a BA? No. Make sure there is a signed agreement with each Business Associate.
Can research be done without individual authorizations? If patients are "de-identified", so that there is no feasible way information can be associated with an individual, research can be done. Usually, the IRB (Internal Review Board) of an institution has restrictions and limitations for research clearly specified, which are compliant with the Privacy Rule.