A. Health Information Portability and Accountability Act (HIPAA) of 1996
1. Titles (there are only two)
Title I: protects workers and their families from loss of coverage when they change or lose their job
Title II: The Administrative Simplification (AS) provisions require establishment of national standards
2. Goals
- Records portability
- Reduce waste, fraud and abuse
- Reduce costs
- Protect patient privacy
3. Requirements
- Dictates backup and restore P&P
- Offsite backup with a provider, including an SLA covering rates, scope and minimum standards
4. The Privacy Rule requires accounting of all disclosures of PHI by Covered Entities (CEs):
- Providers
- Health plans
- Clearinghouses like billing operations
- Business Associates (BA), which require a Business Associate Agreement (BAA)
Individually identifiable health information created by a CE or a BA is Protected Health Information (PHI):
- Past, present or future
- Mental and physical
- Payment information
- Provision information
- As long as retained by provider
- Even after death
Deidentified Information
- Must be certified by a statistician or expert
- May be deidentified by an “encoder” program
- 18 key identifiers removed
- Birth date ONLY removed if the patient is 90 or older!
Practical Requirements
- Employee training
- Privacy P&P
- Privacy Officer
- Entities must limit use or disclosure of PHI to the minimum necessary number of people.
Parents and family do NOT have an automatic right to patient records.
Birth parents of a foster child do NOT have a right to patient records.
Family members do NOT have a right to records for custody cases.
Privacy Rule is enforced by the Office for Civil Rights (OCR).
5. The Security Rule mandates technical safeguards and logging of all PHI releases.
Specifies Administrative, Technical and Physical safeguards for HIPAA compliance.
Regulates electronically transmitted or stored information (ePHI).
CEs must ensure officers and employees comply with the Security Rule, usually through training requirements.
Logging was first mandated by this rule.
6. The Identifier Rule mandates that CEs have a National Provider Identifier (NPI).
7. The Transaction and Code Sets Rule regulates electronic data interchange (EDI) formats.
Transactions include all documents, insurance claims, encounter records, insurance enrollment and disenrollment, eligibility documents, payment and remittance records, first reports of injury and coordination of benefits.
B. ARRA – the American Recovery and Reinvestment Act of 2009, overseen by the ONC
1. The HITECH Act requires providers and third parties to comply with HIPAA regulations.
- Tougher penalties
- Express permission of patient required for disclosure
- Sale of PHI limited
- Patients can audit records
- Encryption required
- Requires public notice of breach
Requires records of creation, modification, deletion or printing of anything containing PHI, including emails.
*Business Associates (BAs) now have to comply with the Security Rule the same as CEs.*
HHS must be notified of any data breach of more than 500 patients. (Patients must also be notified?)
HITECH Act Enforcement
- Unknowing violations, despite due diligence: $1,000 – $25,000/yr/violation. {CONFIRMED}[CHECK NEW]
- Reasonable cause, but not willful neglect: $1,000 – $100,000/yr/violation. [CHECK NEW]
- Willful neglect (a civil penalty), corrected within 30 days from knowledge of the violation: $10,000 – $250,000/yr/violation
- Willful neglect that goes uncorrected: $50,000 – $1,500,000/yr/violation + up to 1 year in prison
- Obtaining PHI through wrongful conduct that involves false pretenses: $100,000 + up to 5 years in prison
HITECH and EHRs
HIT Regional Extension Centers (RECs) promote HIT
Part IV specifies Medicare and Medicaid incentives for:
- Prospective payment system (PPS) hospitals, paid based on diagnosis, not costs (a Medicare Part A system)
- Critical access hospitals (CAHs), which get cost-based reimbursement from Medicare
HITECH and Meaningful Use
- EHRs must be certified
- Must be used in a meaningful manner, including electronic prescriptions
- Must collect and submit quality-measure data
- Must be used to exchange information to improve the quality of healthcare
Financial Incentives for EHR adoption under HITECH have been diminishing by year:
2012: $18,000
2013: $15,000
2014: $12,000
2015: $8,000
2016: $4,000
C. Code of Federal Regulations (CFR)
Title 21 CFR Part 11
Defines the criteria for electronic records and signatures to be considered trustworthy, reliable and equivalent to paper records.
Applies to FDA-regulated entities: drug makers, device manufacturers, biotech firms etc.
Requires controls and audit trails for system validations, electronic signatures and software and system documentation.
Part 20
Covers what information may or may not be shared with the general public.
Part 7
Enforcement policies for food, drugs and cosmetics
D. The Patient Self Determination Act (1990)
“Preserves the patient’s wishes, rights, healthcare options and advance directives even if the decision results in the death of the patient.”
E. The Patient Bill of Rights
Eight rights every patient has
- To file a complaint
Legal practices
Informed Consent – consent of a patient to treatment or trial after understanding of facts and risks
Legally binding contracts require
- Payment or consideration between parties
- No illegal activities
- Actions of parties must be described
- Agreement without threat or duress
Memorandum of Understanding (MOU)
A good MOU:
- uses plain language
- identifies all parties
- outlines the expectations of all parties
- specifies the termination process
Rights of Minors
A minor child can request and receive treatment, without parental consent, for:
- Drug or alcohol abuse
- STDs
Service Level Agreements – define a provider’s responsibilities when providing a service by performance measures:
- Downtime: maximum periods allowed
- Downtime period: how long a service must be non-functional to be considered “down”
- Monthly uptime percentage
- Scheduled downtime for service
- Service credit: compensation for downtime, often in “free time”
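The SLA measures listed above, as an added worked example that is not part of the original notes: a Python calculation that ignores interruptions shorter than the agreed downtime period, excludes scheduled downtime from the measured time, computes the monthly uptime percentage and looks up the service credit owed. The outage log, thresholds and credit schedule are constructed for the illustration.

```python
import calendar
from datetime import datetime, timedelta

# Constructed outage log for one month (sample data, not from the notes): (start, end, scheduled)
OUTAGES = [
    (datetime(2024, 3, 3, 2, 0), datetime(2024, 3, 3, 4, 0), True),       # planned maintenance window
    (datetime(2024, 3, 10, 14, 0), datetime(2024, 3, 10, 14, 3), False),  # 3-minute blip, under threshold
    (datetime(2024, 3, 18, 9, 0), datetime(2024, 3, 18, 11, 30), False),  # 2.5 h unplanned outage
]
# Assumed SLA terms for the illustration (hypothetical values)
DOWNTIME_PERIOD = timedelta(minutes=5)  # an interruption shorter than this does not count as "down"
MAX_DOWNTIME = timedelta(hours=2)       # maximum unscheduled downtime allowed per month
CREDIT_SCHEDULE = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]  # (uptime floor %, credit % of fee)

def split_downtime(outages, downtime_period):
    """Return (scheduled, counted_unscheduled) totals; blips under the threshold are ignored."""
    scheduled = counted = timedelta()
    for start, end, is_scheduled in outages:
        duration = end - start
        if is_scheduled:
            scheduled += duration
        elif duration >= downtime_period:
            counted += duration
    return scheduled, counted

def monthly_uptime_pct(outages, year, month, downtime_period):
    """Uptime for the month; scheduled downtime is excluded from the measured time."""
    days = calendar.monthrange(year, month)[1]
    scheduled, counted = split_downtime(outages, downtime_period)
    measured = timedelta(days=days) - scheduled
    return 100.0 * (measured - counted) / measured

def service_credit_pct(uptime_pct, schedule):
    """Credit owed: the first tier whose uptime floor the measured value meets."""
    for floor, credit in schedule:
        if uptime_pct >= floor:
            return credit
    return schedule[-1][1]

def sla_report(outages, year, month):
    _, counted = split_downtime(outages, DOWNTIME_PERIOD)
    uptime = monthly_uptime_pct(outages, year, month, DOWNTIME_PERIOD)
    return {
        "counted_downtime_min": int(counted.total_seconds() // 60),
        "max_downtime_exceeded": counted > MAX_DOWNTIME,
        "uptime_pct": round(uptime, 3),
        "service_credit_pct": service_credit_pct(uptime, CREDIT_SCHEDULE),
    }
```

Calling `sla_report(OUTAGES, 2024, 3)` shows the 3-minute blip dropped, 150 minutes of counted downtime (over the 2-hour maximum), 99.663% uptime and a 10% credit.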
Waivers of Liability – signed by patient to indemnify providers (not allowed in some states)