1
- THE UNIVERSITY OF ALABAMA

2
- The Health Insurance Portability and Accountability Act (HIPAA)
- Law passed to ease the movement of healthcare data between providers.
- Places new restrictions on disclosure of “protected health information”
  (PHI) that will impact the University of Alabama.

3
- HIPAA applies to UA’s “Health Care Components”: Capstone Medical Center,
  Brewer-Porch, the Speech & Hearing Clinic, Nursing Clinic and UA’s
  Group Health Insurance and other Health plans.
- It also applies to administrative departments, like the Legal Office and
  Auditing, Privacy Officer, etc., supporting any of these Health Care
  Components.

4
- UA takes a single overall approach to HIPAA compliance, but each health
  care component will have its own policies and procedures to ensure the
  privacy of PHI.

5
- For UA’s health care providers, the Privacy Rule:
- Sets boundaries on the way providers use and release protected health
  information (PHI);
- Establishes safeguards that we must achieve to protect the privacy of
  PHI;
- Provides for adverse consequences, including fines and jail sentences,
  for failure to comply.

6
- PHI is any information, including demographic information, that is
  TRANSMITTED or MAINTAINED in any MEDIUM (electronic, paper, or spoken
  word), that is created or received by a health care provider, health
  plan, or health care clearinghouse, and that relates to or describes the
  past, present or future physical or mental health or condition of an
  individual; the provision of health care to an individual; or the past,
  present or future payment for the provision of health care to the
  individual.

7
- PHI does not include:
- Student records that fall under the Family Educational Rights and
  Privacy Act (FERPA).
- Medical records, exempt from FERPA, of students 18 or over or attending
  UA that are made or maintained by a health care provider, used only to
  treat the student, and disclosed only to individuals providing the
  treatment.
- The University’s Employment Records.

8
- Criminal penalties:
- Wrongfully accessing or disclosing PHI: Fines up to $50,000 and up to 1
  year in prison.
- Obtaining PHI under false pretenses: Fines up to $100,000 and up to 5
  years in prison.
- Wrongfully using PHI for a commercial activity: Fines up to $250,000 and
  up to 10 years in prison.

9
- Civil penalties:
- Up to $100 per violation.
- Each name in a data set can be a separate violation.
- Not to exceed $25,000 per year.
- AND civil monetary damages may be available to patients who win state
  tort claims, such as breach of privacy.

10
- A covered entity can always use and disclose PHI for any purpose if it
  gets the person’s written authorization.
- HIPAA requires certain components to be in the authorization in order
  for it to be valid.
- There are many exceptions to the requirement for authorization.

11
- No authorization is needed for Treatment, Payment and Healthcare
  Operations (TPO).
- PHI (except psychotherapy notes) may be used/disclosed for the covered
  entity’s own TPO.
- PHI may be disclosed to another covered entity or a health care
  provider for the payment activities of the entity that receives the
  information, such as an ambulance company.
- PHI may be disclosed to another covered entity or health care provider
  for its health care operations, under limited circumstances.

12
- PHI may be disclosed to a Business Associate if the Covered Entity has
  executed a Business Associate Agreement with the Business Associate.
- Each UA Health Care Provider identifies who its Business Associates are.

13
- PHI may also be disclosed without authorization:
- When required (not merely permitted) by law;
- To Public Health/Legal Authorities charged with preventing and
  controlling disease, disability or injury;
- To the FDA to ensure quality, safety, or effectiveness of FDA-regulated
  products;

14
- To persons who may have been exposed to a communicable disease or may be
  at risk of contracting or spreading a disease;
- To entities charged with overseeing victims of abuse, neglect or
  domestic violence, consistent with reporting obligations;
- To a health oversight agency for activities authorized by law (gov’t.
  licensing or accreditation agencies);

15
- In response to a Court order;
- In response to a subpoena that meets certain requirements (always check
  with the Legal Office);
- To law enforcement officials seeking to identify a suspect, witness, or
  victim of a crime;
- To coroners/medical examiners/funeral directors to identify a deceased
  person or determine a cause of death;
- To organizations handling organ, eye or tissue donation;

16
- To prevent/lessen a serious and imminent threat to the health and safety
  of patients or others;
- To military command authorities and federal officials for intelligence
  and national security activities;
- To comply with workers compensation laws;
- For facility directories, if the patient is asked for by name;
- To individuals involved in the patient’s care or payment;
- To persons involved in disaster relief.

17
- Covered entities must:
- Provide Notice to individuals of information practices.
- Use Authorization Forms.
- Control access.
- Account for uses and disclosures.
- Manage complaints.
- Have a privacy officer.
- Conduct training.
- Provide sanctions.
- Develop Business Associate Agreements.
- Have policies and procedures.

18
- Patients have the right to:
- Receive Notice of Health Information Practices.
- Authorize use of their data.
- Request access to their data.
- Request an accounting of the uses and disclosures of their data.
- Request amendment and corrections to their data.
- Request restrictions on use of data.
- File a complaint.

19
- Providers should disclose or use only the minimum necessary amount of
  PHI in order to do their jobs.
- Minimum necessary does not apply to:
  1. Disclosures used for treatment;
  2. Disclosures to the individual who is the subject of the disclosure;
  3. Uses and disclosures when a valid HIPAA authorization is signed;
  4. Uses and disclosures required by law;
  5. Disclosures to HHS.

20
- Incidental disclosures of PHI are permitted if:
- They cannot be reasonably prevented;
- They are limited in nature;
- They are a by-product of an otherwise permitted use; and
- The Covered Entity has established “reasonable safeguards” to ensure
  only necessary information is disclosed.

21
- Examples of permitted incidental disclosures:
- Waiting room sign-in sheets;
- Patient charts at bedside;
- Physician conversations with patients in a semi-private room;
- Physicians conferring at nurses’ stations.

22
- Family and friends can still pick up prescriptions for sick people.
- Physicians and Nurses do not have to whisper.
- State laws still govern the disclosure of a minor’s health information
  to parents. (A minor is under the age of 19 in Alabama.)

23
  1. Notice of Privacy Practices
  2. Authorization Forms
  3. Accounting for Disclosures
  4. Business Associate Agreements
- UA has developed template forms and policies for health care components.

24
- Notice of the patient’s rights with respect to PHI and UA’s privacy
  practices.
- Providers must make a good faith effort to obtain the patient’s written
  acknowledgement at the time of receipt of the Notice of Privacy
  Practices, except in emergency circumstances.
- Each patient must receive a Notice of Privacy Practices no later than
  the date of first service delivery.

25
- The Notice of Privacy Practices must list each type of disclosure that
  may be made by the covered entity and distinguish between those that
  are made pursuant to law and those that are not.

26
- An Authorization Form is required for the use and disclosure of PHI for
  business-related purposes other than Treatment, Payment, and Operations
  and other than the permitted exceptions.
- Authorization is required to disclose psychotherapy notes in nearly
  every case (the rule allows only narrow exceptions, such as use by the
  originating therapist for treatment), which gives psychotherapy notes
  stronger protection than other PHI.

27
- Psychotherapy notes:
- Must be kept separately from the patient’s medical record.
- Consist of the “process notes” that the therapist makes about
  counseling sessions.
- Do not include summary information used for treatment such as
  symptoms, summary notes, diagnosis, and medications.

28
- UA is prohibited from using or disclosing PHI for marketing purposes
  without the patient’s express authorization.
- UA is prohibited from selling patient lists to third parties.
- UA CAN talk with patients about our treatment options, and have common
  health care communications about wellness, prescription refill
  reminders, therapies, and appointment notifications without an
  authorization.

29
- A marketing authorization must disclose whether UA is receiving
  benefits or payment from any third party receiving the patient’s
  information.

30
- Individuals have the right to receive an accounting of disclosures of
  PHI made by UA, except for:
  - Disclosures made to carry out Treatment, Payment, and health care
    Operations;
  - PHI provided to the patient about themselves;
  - PHI disclosed to family members or friends involved in a patient’s
    care;
  - Disclosures made pursuant to an authorization.
- UA has designed forms for tracking disclosures.

31
- Business Associates perform specific tasks involving the use/disclosure
  of PHI on our behalf, such as billing, legal services, and
  accreditation.
- UA must have a written agreement with Business Associates specifying the
  purposes for which PHI will be used or disclosed.
- UA must be able to account for these disclosures to BAs, and the BA must
  be able to track its own disclosures.
- UA has a BAA Template. If we are the BA, use our BA form, or one
  similar.

32
- If you work for a Health Care Provider under HIPAA, do not release PHI
  for research unless:
  - The patient has signed a valid HIPAA authorization, or
  - The IRB at UA has approved a waiver of authorization, or
  - The IRB agrees that an exception applies.
- Separate training on HIPAA & Research is available through the
  Privacy Office.

33
- Must have appropriate administrative, technical and physical safeguards
  to protect the privacy of PHI.
- Must control access to information.
- Do not leave printed documents where unauthorized persons can see them.
- Position computer screens so they cannot be seen by unauthorized
  persons.
- Do not share your password.
- Report suspected or known breaches of confidentiality to your Privacy
  Officer.
- New Security Regulations have been issued. Compliance is required by
  2005.

34
- For questions, contact:
- The Privacy Officer in each health care component.
- The UA Privacy Officer: Dr. John Dew, 348-9831, jdew@aalan.ua.edu
- www.hipaa.ua.edu