IMPLEMENTING THE HIPAA PRIVACY RULES

Presentation to the Coalition of Voluntary Mental Health Agencies
May 31, 2002

Prepared By:
Robert Belfort
Kalkines, Arky, Zall & Bernstein LLP
1675 Broadway, Suite 2700
New York, New York 10019
(212) 830-7270
[email protected]

KALKINES, ARKY, ZALL & BERNSTEIN LLP
HIPAA Compliance Presentation - May 31, 2002

A BRIEF HISTORY OF THE PRIVACY RULE

• 8/21/96: Enactment of HIPAA statute
• 8/21/99: Deadline for Congressional action
• 11/3/99: Proposed rule issued
• 12/28/00: Final rule adopted
• 3/14/01: Final rule reopened for comment
• 4/14/01: HHS adheres to final rule
• 7/6/01: HHS issues guidance
• 3/27/02: Modifications to rule proposed
• 4/26/02: End of comment period on proposed changes
• Summer 2002?: Adoption of changes to rule
• 4/14/03: Compliance date

KEY COMPLIANCE ISSUES

• Proper use and disclosure of protected health information (PHI)
• Application of “minimum necessary” standard
• Execution of business associate contracts
• Accommodation of patient rights
• Creation of administrative, physical and technical safeguards
• Issuance of privacy notice
• Appointment of privacy officer

WHAT IS PHI?

• Individually identifiable health information
  – created or received by provider, plan, clearinghouse or employer
  – relates to individual’s health, provision of care or payment for care
  – identifies or could reasonably be used to identify the individual
• Transmitted or maintained in any form

HOW CAN PHI BE USED OR DISCLOSED?

| Type of Use or Disclosure | Patient Approval Required? (1) |
|---|---|
| Treatment, payment and health care operations (subject to limited exceptions) | Consent optional |
| Psychotherapy notes for most purposes | Authorization required |
| Certain marketing and fundraising activities | No authorization required |
| Facility directories, family members and disaster relief | Opportunity for oral objection by patient |
| IRB-approved research following specified protocols | No authorization required |
| “National Priority” disclosures | No authorization required |
| Other uses and disclosures not subject to specific exception | Authorization required |

(1) Assumes adoption of proposed amendments to rule.

WHAT ARE HEALTH CARE OPERATIONS?

• Quality improvement
• Reviewing provider qualifications and performance
• Underwriting, rating and related activities
• Medical review, legal services and auditing
• Business planning and development
• Business management and general administration

WHAT ARE PSYCHOTHERAPY NOTES?

• Recorded by a mental health professional
• In any medium
• Documenting or analyzing contents of conversation during private or group counseling session
• Separated from rest of medical record
• Excludes medication monitoring, session times, modalities of treatment, test results and summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress

WHEN MAY PSYCHOTHERAPY NOTES BE DISCLOSED?

• By originator for treatment
• Mental health training programs
• Defense of legal action brought by patient
• Certain health oversight activities

WHAT ARE THE ELEMENTS OF AN AUTHORIZATION?

• Must specifically identify information being disclosed, its recipients and purpose of disclosure
• May not be combined with other documents
• Must include expiration date or event
• Must be signed by patient or personal representative

MARKETING EXCEPTION

• Types of marketing permitted without authorization
  – face-to-face
  – products or services of nominal value
• In name of covered entity
• Disclosure of remuneration
• Opt out procedures
• Determination and disclosure of patient benefit if health status-based

FUNDRAISING EXCEPTION

• By covered entity, business associate or related foundation
• Disclosable or usable information
  – demographic information
  – dates of care provided
• Opt out procedures

NATIONAL PRIORITY DISCLOSURES

• Required by law
• Public health
• Neglect and abuse
• Health oversight
• Legal proceedings
• Law enforcement
• Decedents
• Cadaveric donations
• IRB-approved research
• Health or safety threat
• Specialized government functions
• Workers’ compensation

“MINIMUM NECESSARY” STANDARD

When using or requesting protected health information, covered entities “must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

EXCEPTIONS TO MINIMUM NECESSARY

• Treatment
• Disclosures to other covered entities
• Compliance with law
• Disclosures pursuant to patient’s authorization
• Disclosure to patient

IMPLEMENTING MINIMUM NECESSARY

• Internal role-based access
• Policies and procedures for routine disclosures
• Criteria for all other disclosures

WHO IS A BUSINESS ASSOCIATE?

• Provides specified functions to or on behalf of covered entity
• Exceptions
  – Members of workforce
  – Members of hospital medical staff
  – Members of “organized health care arrangement”
  – Plan sponsors
  – Financial institutions processing consumer transactions
  – “Conduits”

WHO IS A BUSINESS ASSOCIATE?

| Yes | No |
|---|---|
| Billing companies | Employees |
| Computer maintenance vendors | Student trainees |
| Transcription services | Federal Express |
| Attorneys | AOL |
| Accountants | Referring providers |
| Compliance consultants | Third party payers |

BUSINESS ASSOCIATE CONTRACTS

• Permitted uses and disclosures
• Adoption of safeguards and reporting of unauthorized disclosures
• Compliance by subcontractors
• Access, amendment and accounting by patients
• Access by HHS
• Return or destruction of records if feasible
• Termination for material breach

WHEN MUST BUSINESS ASSOCIATE PROVISIONS BE IN PLACE?

| Contract Status | Compliance Date |
|---|---|
| Executed on or after April 14, 2003 | Date of execution |
| Executed prior to April 14, 2003 with no amendments or renewals prior to April 14, 2004 | April 14, 2004 |
| Executed prior to April 14, 2003 with amendment or renewal between April 14, 2003 and April 14, 2004 | Date of amendment or renewal |

WHEN ARE YOU LIABLE FOR BUSINESS ASSOCIATES?

• If covered entity knows of improper pattern of activity or practice
• Covered entity must take reasonable steps to cure breach
• If cure unsuccessful, covered entity must
  – terminate, if feasible; or
  – report problem to HHS

PATIENT ACCESS TO PHI

• Access or copies
• Time frames
• Appeal rights
• Reasonable copying charges
• Exception for psychotherapy notes

PATIENT AMENDMENT OF PHI

• Time frames
• No obligation to amend
• Informing other entities
• Statement of disagreement

ACCOUNTING OF DISCLOSURES

Accounting Required
• To HHS
• Permitted marketing
• Permitted fundraising
• Research without patient authorization
• Public interest purposes not covered by exemption

Accounting Not Required
• Treatment, payment and health care operations
• Individual’s written authorization
• To individual
• Pursuant to oral agreement
• National security or intelligence
• Correctional institutions or law enforcement agencies

WHAT SAFEGUARDS ARE REQUIRED?

Type of PHI and scope of safeguards:

• Electronic: Rely on proposed security rules
• Paper: Proposed security rules, where applicable
  – Faxes
  – Public postings
  – File cabinets
• Oral: Proposed security rules, where applicable
  – Telephone
  – Hallway conversations
  – Public announcements

KEY ELEMENTS OF PRIVACY NOTICE

• Mandated header
• Permitted uses and disclosures (examples)
• Separate statement for certain uses
• Individual rights
• Covered entity’s duties
• Complaints
• Contact information

PRIVACY NOTICE — DISTRIBUTION REQUIREMENTS

• Provide at first contact after compliance date
• Make good faith effort to obtain written acknowledgement
• Make available on-site at patient request
• Make available by mail at patient request
• Post on-site in conspicuous location

PRIVACY OFFICER DUTIES

• Oversee implementation of policies and procedures
• Answer questions
• Handle complaints
• Investigate privacy breaches
• Conduct audits
• Review contracts
• Coordinate employee training

RELATIONSHIP TO STATE LAWS

• HIPAA provides floor but not ceiling — more stringent state laws not pre-empted
• Exceptions
  – Certain state public health and auditing laws
  – HHS determination based on specified factors

SAMPLE COMPLIANCE TIMELINE

[Timeline figure. Phases: Education, Gap Analysis, Remediation, Testing, Training. Date markers: May 2002, September 2003, January 2003, April 2003.]

ALTERNATIVE COMPLIANCE TIMELINE

[Timeline figure. Phases: Procrastination, Infighting, Half-hearted efforts, Panic, Finger-pointing. Date markers: May 2002, September 2003, January 2003, April 2003.]

DEFINE THE COVERED ENTITY

• Affiliates
• Hybrid entities/health care components
• Organized health care arrangements

CONSIDERATIONS IN DEFINING ENTITY

• Standardization of policies
• Centralization of administration
• Sharing of information
• Liability concerns

GAP ANALYSIS OPTIONS

[Chart. Axes: Staff Resources (Low, Moderate, High) and Financial Resources (Low, Moderate, High). Options shown: Self-Assessment, Professional Self-Assessment Tool, On-site Consultants.]

CREATE PHI FLOW CHART

[Flow chart. Nodes: Patient, Registration, Medical Records, Billing, Clinician, DOH, Accounts Receivable, Finance, Payers, Collection Agency, QA, Other Providers, Patient.]

ANALYZE EACH USE AND DISCLOSURE

• Consent or authorization required?
• Minimum necessary applicable? Satisfied?
• Business associate contract required? In place?
• Subject to accounting? Recorded?

REVIEW PATIENT RIGHTS’ POLICIES

• Access and copying of records
• Amendment of records
• Restriction on uses

REVIEW ELECTRONIC DATA SAFEGUARDS

• Administrative policies
• Physical plant security
• Technical security measures
  – catalogue hardware and software (Y2K inventory)
  – compare security features to security regulations

REVIEW OTHER POLICIES AND PRACTICES

• Fax
• File cabinets
• Telephone
• Waiting room procedures
• Hallway conversations
• Posted information

EVALUATE COMPLIANCE OPTIONS

• Prioritize initiatives
• Reasonableness considerations
• Scalability
• Documentation
• Maintaining confidentiality

KEY REMEDIATION STEPS

• Revise policies and procedures
• Document policies and procedures
• Execute business associate contracts
• Upgrade security of software and hardware
• Secure physical plant
• Prepare privacy notice, consent and authorization form
• Appoint privacy officer

CONDUCT EMPLOYEE TRAINING

• Differentiate by employee roles
• Initial training before April 14, 2003
• Build into hiring process
• Regular refresher training

TRAINING OPTIONS

• Internal trainer
• Outside attorney or consultant
• Written manual
• Videotape or CD-ROM

CIVIL PENALTIES

• $100 per violation
• $25,000 per year cap for each type of violation
• Cooperative approach by HHS
  – reasonable diligence standard
  – technical assistance
  – informal dispute resolution

CRIMINAL PENALTIES

| Offense | Maximum Fine | Maximum Prison Term |
|---|---|---|
| Use of unique health identifier, or acquisition of individually identifiable health information (“basic offense”) | $50,000 | One Year |
| Basic offense under false pretenses | $100,000 | Five Years |
| Basic offense for commercial advantage, personal gain or malicious harm | $250,000 | Ten Years |

HELPFUL WEB SITES

• http://aspe.hhs.gov/admnsimp
• http://www.hhs.gov/ocr/hipaa
• http://snip.wedi.org
• http://www.cpri-host.org
• http://www.ahima.org