
HIPAA Privacy: Those Nagging Issues That Don’t Seem to Go Away
Rebecca L. Williams, RN, JD
Partner; Co-Chair of HIT/HIPAA Practice Group
Davis Wright Tremaine LLP
Seattle, WA
beckywilliams@dwt.com

HIPAA Privacy — A Timeline
  • 1996: HIPAA is enacted into law
  • November 3, 1999: Proposed privacy regulations
  • February 17, 2000: Comment period closes after extension. Record number of comments received
  • December 28, 2000: Final privacy regulations published
  • March 1-30, 2001: Second comment period
  • April 14, 2001: Effective date of final privacy regulations
  • July 2001: HHS Guidance issued
  • March 27, 2002: Proposed amendments to final regulations published
  • April 26, 2002: End of comment period for proposed amendment
  • April 14, 2003: Compliance date (except small health plans)
  • April 14, 2003: Compliance date for small plans
  • Reminder: April 20, 2005 = security regulations compliance date for most covered entities

HIPAA Roulette

Business Associates
  • Identifying business associates
  • Disagreements on BA status
  • Negotiation
  • Tracking contracts

Who is a Business Associate?
  • A person who, on behalf of a covered entity or OHCA:
    - Performs or assists with a function or activity involving
      - Individually identifiable health information, or
      - Otherwise covered by HIPAA
    - Performs certain identified services
  • Diagram (business associates surrounding the covered entity): Billing Firms; Clearinghouses; Management Companies; Auditors, Actuaries; Consultants, Vendors; Lawyers; TPAs; Accreditation Organizations

Who Are Business Associates?
  • Medical device company . . . Probably not
  • Research sponsor . . . Usually not (follow research rules)
  • Record storage/destruction . . . Depends
  • Accreditation organizations . . . Yes
  • Software vendor . . . Maybe
  • Collection agencies . . . Yes
  • Lawyers . . . Definitely maybe

What Must Be in a Business Associate Contract — Privacy Rule
  • Use and disclose information only as authorized in the contract
    - No further uses and disclosures
    - Not to exceed what the covered entity may do
  • Implement appropriate safeguards
  • Report unauthorized disclosures to covered entity
  • Facilitate covered entity’s access, amendment and accounting of disclosures obligations
  • Allow HHS access to determine CE’s compliance
  • Return/destroy protected health information upon termination of arrangement, if feasible
    - If not feasible, extend BAC protections
  • Ensure agents and subcontractors comply
  • Authorize termination by covered entity

What Must Be in a Business Associate Contract — Security Rule
  • Implement administrative, physical and technical safeguards that reasonably and appropriately protect the
    - Confidentiality,
    - Integrity and
    - Availability
    - Of electronic protected health information
  • Ensure any agent implements reasonable and appropriate safeguards
  • Report any security incident
  • Authorize termination if the covered entity determines business associate has breached

Business Associate Contracts
  • Tip: Contract management system
  • Tip: Establish an approach under security regulations
  • Process to:
    - Revisit existing relationships and contracts
    - Address future relationships
  • Build off of existing approach
    - Templates
    - Rules of the road
    - Elevate issues as needed

De-Identification
  • How
  • When to use

De-Identification
  • Information is presumed de-identified if:
    - Qualified person determines that risk of re-identification is “very small” or
    - The following identifiers are removed:
      Name, Dates, SSN, License #, Address, Telephone, MR#, Vehicle ID, Relatives, Fax, Plan ID, URL, Employer, E-mail, Account #, IP address, Fingerprints, Photographs, Other unique identifier
      And the CE does not have actual knowledge that the recipient is able to identify the individual

De-Identification
  • Beware the “other unique identifier” requirement
    - Especially difficult with large amount of records/information
    - Beware small communities
  • Identify what workforce needs to know de-identification rules. For example,
    - Marketing
    - Medical staff who lecture

Limited Data Sets
  • What are they
  • When to use limited data sets
  • How to disclose limited data sets

Limited Data Set — Not Quite De-Identified
  • Limited Data Set = PHI that excludes direct identifiers except:
    - Full dates
    - Geographic detail of city, state and 5-digit zip code
  • Not de-identified
  • Special rules apply

Data Use Agreements
  • A covered entity may use or disclose a limited data set if recipient signs data use agreement but only for
    - Research,
    - Public health or
    - Health care operations
  • Recipient must enter into a Data Use Agreement:
    - Permitted uses and disclosures by recipient
    - Who may use or receive limited data set
    - Recipient must:
      - Not further use or disclose information
      - Use appropriate safeguards
      - Report impermissible use or disclosure
      - Ensure agents comply
      - Not identify the information or contact the individuals

Data Use Agreements
  • Likely uses
    - State hospital associations
    - Public health agencies (for non-mandatory reporting)
    - Research where identifiers are not necessary
  • Not included in an accounting of disclosures

Accounting of Disclosures
  • What is covered
  • What is the best way to track
  • Communications with patients

Accounting of Disclosures
  • Patient has the right to receive an accounting of disclosures of the patient’s PHI
  • Accounting includes:
    - Date of disclosure
    - Recipient name and address
    - Description of information disclosed
    - Purpose of disclosure

Accounting of Disclosures
  • Exceptions:
    - Treatment, payment and health care operations
    - Individual access
    - Directories, persons involved in care
    - Pursuant to authorizations
    - National security or intelligence
    - Incidental disclosures
    - Limited data set
    - Prior to April 14, 2003

Accounting of Disclosures – Problems
  • Cumbersome process with few requests to date
  • Patients often want information that is excepted
  • Tricky issues
    - Date ranges acceptable (e.g., access to a universe of records during limited time)
    - For disclosures made routinely within set time:
      - Intervals acceptable (e.g., “gunshot wound within 48 hours after treatment” plus date of treatment)
  • Dealing with Business Associates

Accounting of Disclosures – Approaches
  • Different potential approaches
    - Log all disclosures at time of the disclosure
    - Do analysis at time of any patient request
    - Abbreviated accounting
  • Tip: clarify the request before beginning (but do not discourage request)

Complaints and the Ex-Factor
  • Top risk areas include
    - Intentional misuse and improper disclosures related to ex-relationships, divorces, custody disputes, new significant others
    - VIPs
    - Fellow workforce members

Complaint Process
  • Must provide process to receive complaints
  • Must document all complaints and their disposition
  • Tip: Make it easy for a patient to complain
    - Written only vs. any medium
  • Tip: Be aware of local complaints that may become OCR complaints
  • Tip: Privacy Officer should be attuned to “gossip”

Legal Proceedings

Disclosures for Legal Proceedings
  • If a party to litigation/proceeding
    - May use and disclose PHI for own health care operations (as well as other exceptions)
    - Operations includes conducting or arranging for legal services to the extent related to health care functions
      - Defendant in malpractice suit
      - Plaintiff in collection matter (also payment)
    - Minimum necessary
      - De-identification
      - Qualified protective order
  • Business associate contract for outside counsel needed

Disclosures for Legal Proceedings
  • If covered entity is not a party, find an exception
    - Required by law (e.g., court order)
    - Health care oversight (e.g., licensure hearing)
    - Authorization
    - Response to subpoena or other lawful process
      - Satisfactory assurances that requestor made reasonable efforts either to notify relevant patients or secure a qualified protective order
      - Covered entity may do the same
      - Specific requirements for each

Disclosure for Legal Proceedings
  • Preemption Considerations: Beware state law
  • Don’t assume a lawyer knows the law (with HIPAA at least)
  • Is a business associate contract for outside counsel needed?
  • Accounting of Disclosures
    - Depends on exception
    - No: health care operations, payment, authorization
    - Yes: subpoena, health care oversight

Disclosures to Law Enforcement

Disclosures to Law Enforcement
  • When required by law
  • Pursuant to court orders, subpoenas or other process
  • To respond to an administrative request
  • To respond to a request about a victim of a crime, upon agreement or law enforcement representation (not used against victim/and necessary)
  • To report child abuse or neglect
  • To report adult abuse, neglect or domestic violence (limited)
  • To report a death in suspicious circumstances
  • To report a crime on the premises

Disclosures to Law Enforcement
  • To report criminal activity in off-site medical emergencies
  • To avoid serious and imminent threat
  • To respond to a request for purposes of identifying a suspect, fugitive, material witness or missing person (limited)
    - Name, address, date and place of birth, SSN, ABO blood type and rh factor, type of injury, date and time of treatment, date and time of death, description of distinguishing features
  • To report a person who has admitted to a violent crime (limited)
  • For specialized governmental law enforcement (intelligence, inmate)

Disclosure to Law Enforcement
  • Preemption considerations
    - State law plays a critical role in analysis
  • Develop detailed policies and procedures
    - Tip: Identify go-to people
    - Tip: Two tier approach
      - Basic approach for majority of work force
      - Detailed approach for those making the decisions
  • Tip: Consider a community meeting with providers and law enforcement to agree on ground rules

Misunderstandings and Unrealistic Expectations

Misunderstandings and Unrealistic Expectations
  • Must train workforce
  • Should train/educate patients
  • Areas of confusion
    - Opting out of facility directory
      - Approach to foster understanding of consequences
    - Requests for additional privacy protections
      - Patient has right to ask
      - Covered entity has right to say “No”
      - Covered entity is bound by a “Yes”
      - Approach to promote consistency
    - Accounting of disclosure

Questions