The HIPAA Privacy Rule Basics
The HIPAA Privacy Rule, enacted under the Health Insurance Portability and Accountability Act of 1996, aims to protect medical records and protected health information (PHI) by setting guidelines for covered entities like health plans, clearinghouses, and providers. PHI includes personal data that could identify a patient, such as SSN, name, address, etc. Covered entities must implement measures to safeguard PHI, limit its use and sharing, conduct training programs, and obtain authorization for release unless allowed under HIPAA.
Presentation Transcript
The HIPAA Privacy Rule: The Basics Jennifer Gimler Brady, Esquire November 8, 2018
HIPAA: An Overview
What is HIPAA?
- Health Insurance Portability and Accountability Act of 1996
- HIPAA was enacted to simplify the administration of health insurance
- It also includes privacy regulations designed to protect medical records and other protected health information ("PHI")

HIPAA: An Overview
Who is covered by the HIPAA privacy requirements?
- Health Plans (e.g., employee welfare benefit plans, health insurance issuers and HMOs)
- Health Care Clearinghouses (e.g., re-pricing companies, billing companies and value-added networks)
- Health Care Providers (e.g., doctors, hospitals, long-term care facilities, home health agencies, etc.) who transmit PHI in electronic form
- These are referred to as "covered entities"

HIPAA: An Overview
What is PHI?
- PHI is information created or received by a health care organization that relates to an individual's past, present or future health or condition
- PHI includes any data about a patient that could potentially identify the patient, such as Social Security number, name, address, phone number, date of birth, email address, and account or record numbers
- Covers all forms of communication used in a healthcare facility, such as computer records, patient orders, white boards for assignments, communication boards in patient rooms, and faxes

HIPAA: An Overview
Examples of information that can identify an individual (besides the obvious):
- Dates directly related to an individual, other than year (e.g., admission date, discharge date, date of death, etc.)
- Medical record numbers
- Health plan beneficiary numbers
- Certificate / license numbers
- Vehicle identifiers: license plate numbers and VINs
- Device identifiers and serial numbers
- Full face photographic images

HIPAA: An Overview
To comply with the Privacy Rule, covered entities must:
- Implement measures to protect health information
- Limit the use and sharing of health information to the minimum extent necessary
- Enter into agreements with service providers to ensure that health information is properly handled (business associate agreement; more on that later)
- Implement procedures to limit access to patients' health information
- Administer training programs on protecting health information
- Obtain an individual's authorization to release PHI, unless it is a disclosure authorized under HIPAA

HIPAA: An Overview
Authorized disclosures include:
- For purposes of payment, treatment, or health care operations
- Mandatory reports: abuse, neglect or domestic violence
- Public health and oversight of the health care system
- Averting serious threats to health and safety
- Law enforcement functions
- Judicial and administrative proceedings: court order; subpoena, discovery request or other lawful process without an order if adequate assurance is provided (subject of the request must be given notice and an opportunity to object)

HIPAA: An Overview
Authorizations: Core Elements
- Description of the PHI to be released
- Name of recipient or class of recipients
- Purpose
- Expiration date or event
- Right to revoke
- Statement that PHI used or disclosed pursuant to the authorization may be subject to redisclosure and no longer protected by HIPAA
- Signature of the individual and date
- If the signer is a legal representative, a description of the authority to act (e.g., guardian, POA, etc.)
- Prohibition against conditioning treatment, payment, or eligibility on the provision of an authorization

HIPAA: An Overview
Under the Privacy Rule, individuals are entitled to:
- notice of privacy practices and breaches
- know how PHI will be used
- consent to and control disclosures of PHI
- access their own PHI (except psych notes)
- request an amendment
- receive an accounting of disclosures
- file complaints regarding use of their PHI
Notice of Privacy Practices (NPP)
- The Privacy Rule gives individuals the right to be informed of the privacy practices of health care providers and health plans, as well as their rights with respect to their PHI
- Covered entities are required to develop and distribute NPPs that provide a clear explanation of these practices and rights
- NPP must contain the following header: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."

Contents of NPP
NPPs must describe in plain language how the covered entity may use and disclose an individual's PHI, with at least one example:
- for treatment
- for healthcare operations
- to bill for services
- to assist with public health and safety issues
- for research purposes
- to comply with the law
- to respond to organ and tissue donation requests
- to work with a medical examiner or funeral director
- to respond to workers' compensation, law enforcement and other government requests
- to respond to lawsuits and legal actions

Contents of NPP (cont'd)
NPPs must also describe in plain language the individual's rights with respect to PHI, how to exercise these rights and how to complain:
- access to the individual's own PHI (inspect and copy)
- amendments to PHI
- accounting of disclosures of PHI
- restrictions on use and disclosure of PHI
- restrictions on disclosures to health plans
- confidential communications (to be contacted in a specific manner)
- breach notification
- paper copy of notice
In addition, the NPP must state:
- The covered entity's legal duties with respect to the information, including the obligation to maintain the privacy of PHI and abide by the terms of the NPP; also reserve the right to amend the NPP
- Contact information to obtain more information about the covered entity's privacy practices
- Right to complain to the Secretary of DHHS and to be free from retaliation
- Effective date

Providing the NPP:
- NPP must be made available to any person who asks for it
- NPP must be prominently posted and made available on any website maintained to provide information on services or benefits
- Acknowledgement of receipt of the NPP should be obtained at the first encounter / service delivery
- Covered entities should retain copies of NPPs and written acknowledgments (6 years from creation or from when last in effect)
Business Associate Agreements: The Basics and Key Provisions

Business Associates - Overview
Under HIPAA, a business associate is:
- Any entity that creates, receives, maintains or transmits PHI while performing a function, activity, or service on behalf of a covered entity
- Examples: third party administrator, payroll vendors, utilization review consultant, billing companies, independent medical transcriptionist, data processing firms, accountants, attorneys, pharmacy benefits manager, etc.
- A business associate also includes a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate
- Post-Omnibus Final Rule: BAs are directly liable (like covered entities) for compliance with many of the same standards and requirements under the Security and Privacy Rules, and the same penalties apply

Business Associate Agreements
The Privacy Rule allows covered entities to enlist the assistance of non-covered entities to carry out health care activities and functions, including disclosing PHI to these business associates, provided that the covered entity receives satisfactory assurances that the business associate:
- Will use PHI only for purposes of the engagement
- Will safeguard PHI from misuse
- Will assist the covered entity in complying with its obligations under the Privacy Rule

Business Associate Agreements (cont'd)
- Satisfactory assurances must be in writing, in the form of a contract or agreement: a business associate agreement ("BAA")
- A BAA is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all
BAAs should address:
- The permitted and required uses of PHI by the BA and the minimum necessary requirement
- The restriction on use or further disclosure other than as permitted by the BAA or as required by law
- The use of appropriate administrative, physical, and technical safeguards to prevent non-permitted use or disclosure of PHI

Business Associate Agreements (cont'd)
- Notification requirements in the event of breaches, security incidents or use / disclosure not in accordance with permitted uses
- The obligation to make PHI available for access, amendment, and accounting of disclosures
- The return or destruction of PHI upon termination of the engagement
- Termination in the event of a material violation of the BAA
- The limitation on remuneration for PHI
- The requirement to make the BA's internal practices, books and records available to DHHS and the covered entity to review and determine compliance
- An acknowledgement that the BA is liable for breaches and penalties, just like the covered entity
- Subcontractors must agree in writing to comply with the same requirements that apply to the BA

Business Associate Agreements (cont'd)
- Sample BAA provisions are available on the OCR website: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- Use of these provisions is not required for compliance
- They do not constitute an entire agreement
- Be aware of state requirements that may differ / be additive
- BAAs are subject to negotiation (they are contracts), so final versions may differ, but the key provisions must be included for compliance

Business Associate Agreements (cont'd)
Other topics frequently addressed in BAAs:
- Cyber insurance: does the BA have insurance coverage for first- and third-party losses associated with a security incident? CGL policies may not cover these kinds of losses. Not all cyber policies are created equal; consider coverage for breach response, defense costs and penalties, data system damage / business interruption, cyber extortion, etc. BAs are top targets for data theft because of the nature of the information they often handle (billing, insurance, payment). A treasure trove.
- Independent contractor status: the covered entity should not maintain control over how the BA does its work
- Indemnification
- Limitation on liability
- No third party beneficiary
- Specific security safeguards, such as encryption

Business Associate Agreements (cont'd)
- Offshoring provisions: the BA will not enter into subcontracts for services with an offshore or non-US person, entity or organization without the advance written consent of the covered entity
- Identification and contact information for the Privacy Officers of the covered entity and the BA
- Access to the BA's premises for audit purposes
- Provision to allow the BA to use PHI in the performance of its management and administration functions
HIPAA: Miscellaneous

HIPAA: Miscellaneous
Administrative Requirements of the Privacy Rule:
- Privacy Officer
- Training
- Safeguards
- Complaints
- Sanctions
- Mitigation
- No retaliation for exercising rights / whistleblowing
- No waiver of rights as a condition
- Policies and Procedures
- Documentation (retain for 6 years)

HIPAA: Miscellaneous
Preemption: state laws that are contrary to the Privacy Rule are preempted
Exceptions to preemption: contrary state laws that:
- relate to the privacy of individually identifiable health information and provide greater privacy protections or privacy rights with respect to such information
- provide for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention
- require certain health plan reporting, such as for management or financial audits

HIPAA: Miscellaneous
How can a covered entity go wrong?
- Not properly verifying to whom they are speaking
- Improper disposal of PHI (regular trash disposal is never an option)
- Faxing PHI to the wrong recipient
- Not securing PHI at the nurses' station or elsewhere in a facility
- Otherwise not properly storing and securing PHI
- Not providing a private environment for PHI discussions
- Taking a patient's photograph without consent

HIPAA: Miscellaneous
How can a covered entity go wrong? (cont'd)
- Leaving detailed PHI on an answering machine
- Accessing PHI without a legitimate need to know (the celebrity cases)
- The errant email blast
- Intentional misuse of PHI (such as identity theft)
- Compromising the security of ePHI
- Not protecting user names and passwords
- Leaving computer stations live
- The lost / stolen laptop, smart phone, etc.
HIPAA: Miscellaneous
Potential consequences of a HIPAA violation
- Civil fines up to $50,000 per unintentional incident
- Criminal penalties up to 10 years in prison and up to a $250,000 fine for obtaining PHI for malicious harm or personal gain; 1 year and up to a $50,000 fine for a knowing violation
- Calendar year cap of $1.5 million for identical violations
Considerations:
- Nature and extent of the violation (number of individuals affected and relevant time period)
- Nature and extent of the harm resulting from a violation (could be physical, financial, reputational, or access to health care)
- History of prior compliance, including violations by the covered entity or business associate
- Financial condition of the covered entity or business associate (whether the fine could jeopardize its continuing existence, and size)
- Such other matters as justice may require

HIPAA: Miscellaneous
Potential consequences of a HIPAA violation (cont'd)
- Litigation for breach of confidentiality and privacy / other potential claims
- Mitigation obligations / related expenses

HIPAA: Miscellaneous
Real World Examples
- A former medical school researcher was sentenced to 4 months in prison for accessing high-profile patient records more than 300 times
- Pharmacy chains paid $1 million and $2.25 million to settle claims for wrongful disposal of PHI (medication records). They tossed the information in a commercial dumpster accessible by the general public.
- Providers have been fined hundreds of thousands of dollars for compromised PHI on lost / stolen laptops that weren't password-protected or encrypted
- A leading cancer hospital was fined $4.3 million relating to the loss of unsecured (unencrypted) laptops and thumb drives

HIPAA: Miscellaneous
Real World Examples (cont'd)
- A nursing facility repeatedly faxed patient records to the wrong recipient over an extended period of time, even after the recipient brought the error to the facility's attention on multiple occasions
- A nurse shared PHI about a patient with an estranged child without the consent of the legal representative
- A medical office nurse shared sensitive PHI about an adult patient with the patient's mother without consent
- A non-clinical hospital employee accessed confidential medical records of an HIV-positive physician
- A nurse informed a friend about her spouse's STD test

To reach the speaker:
Jennifer Gimler Brady, Esq.
Direct dial: (302) 984-6042
jbrady@potteranderson.com
Potter Anderson & Corroon LLP
1313 North Market Street, PO Box 951, Wilmington, DE 19899-0951
www.potteranderson.com