Article

Intake - Health Information Privacy

User Services

Health Information Privacy Should an assistive technology reutilization organization, in its role as a provider (even if nonpaid), comply with the privacy requirements imposed by the Health Insurance Portability and Accountability Act (HIPAA)?

Users of assistive technology must often divulge confidential health information to receive services. It is important to understand the provisions of HIPAA that apply in other settings where healthcare information is handled. Even if the organization is not legally bound to comply, it is worth considering the privacy provisions to which consumers have become accustomed. What is HIPAA? HIPAA is a federal law – Public Law 104-191, H.R. 3103, the Health Insurance Portability and Accountability Act of 1996. It has several parts for which the rules and regulations have been implemented in phases. HIPAA established standard codes, data transaction formats and unique identifiers that are used nationally. In addition, HIPAA requires privacy and security protections to ensure that a client’s health information remains confidential. Who must comply with HIPAA? • Every payer (insurance company, Medicare, Medicaid, and other health plans) must accept the standards. • Any provider who conducts financial or administrative transactions (claims, referral authorizations or eligibility determination) electronically is a “covered entity.” • All clearinghouses (companies that process claims) must comply. How does HIPAA affect healthcare organizations? Privacy The privacy portion of HIPAA limits the use of individual health information, allows clients access to their records and restricts the release of information to the minimum needed for the purpose. The privacy rule requires that the organization identify employees in its work force who need access to the client health information and the information to which access is needed. To comply with the HIPAA Privacy requirements, the organization must prepare a compliance plan – a set of written policies and procedures that indicate how the company will comply. The rule requires the organization to implement standard practices that limit the disclosures of protected health information to the amount reasonably necessary to achieve the purpose of the disclosures. The company also must train all employees in the basics of the law and their responsibilities. Security This facet of HIPAA addresses standards to protect electronic health information systems from improper access.  Electronic Claims Data sets are standardized, with regional and local coding eliminated. This affected Medicare and Medicaid coding significantly. All payers are required to accept electronic claims. Employer Identification All payers and providers are required to use the EIN assigned by the IRS to identify employers. What must healthcare organizations do to comply? Privacy 1. Designate a privacy officer. 2. Assess business processes to ensure compliance. 3. Devise consent forms that must be executed by client before treatment. 4. Document how client may request restriction of information release. 5. Devise a separate Notice of Privacy Practices to be given to the client. 6. Document procedures for obtaining client consent. 7. Retain consent form for 6 years from creation or when it was last in effect. 8. Track disclosures of client information. 9. Include privacy provisions in written contracts with all business associates. Penalties for non-compliance with HIPAA Privacy The company must act on violations of the Privacy rule – depending on intent and severity. These sanctions are part of the compliance plan. In addition to employer sanctions, however, there are federal penalties for violations of the law. HIPAA is enforced by the Centers for Medicare and Medicaid Services (CMS). Privacy violations are subject to very stiff penalties, depending on the violation and the intent:      Single offense                                       $100 per person, per violation, up to $25,000 per year for a single offense      Misuse of health information                 $50,000 fine and/or one year in prison               Under false pretenses                  $100,000 fine and up to five years in prison              With intent to sell information       $250,000 fine and up to ten years in prison. HIPAA Privacy Requirements The Privacy rule is intended to safeguard a client’s protected health information.  Protected health information is anything that can identify a client: name, address, telephone number, Social Security number and all other client-specific data. The regulation covers everything on paper, on electronic media – and spoken conversation. An employee is expected to keep confidential all information about the client’s past or present health condition and related services or equipment. This means that any casual discussion of a person’s health condition based on information obtained in the course of employment (and unrelated to performing the job) is a violation of law. HIPAA requires that employees comply with the minimum necessary standard. This standard specifies that employees have access only to the information necessary to perform their job. The compliance plan specifies which information is needed by each category of employees. Other employees should not share additional information or permit access to it. This is commonly known as a “need to know” rule. What are the client’s rights under HIPAA? 1. The client must be informed of his/her rights. 2. The organization must inform the client of its privacy practices. 3. The organization must get consent to release information to any person or organization other than the payers indicated by the client. The client is entitled to restrict the use of health information. (There are some legal instances which do not require client permission. These are all defined in the Griffin Homecare HIPAA Manual.) The client may withdraw consent after it has been given and further restrict use of protected health information. 4. The client is entitled to see and to receive a copy of his or her record. The client can specify how he/she wants to receive that copy. (The provider is permitted to charge for providing such copies.) 5. If the client learns that information has been released without consent, the client may file a complaint with the organization’s Privacy Officer. The complaint must be investigated and resolved according to the procedure outlined in the compliance plan. How employees can comply with the Privacy rule: 1. Client information should not be left exposed in a place where it can be viewed by others. This includes all kinds of paperwork (delivery tickets, physician orders, fax cover sheets, client files, reimbursement statements), computer screens, client files, and supplies with names on them. 2. Employees should not discuss a client within hearing of others who have no need to know protected health information. 3. Employees should not access client information that is not given to them directly by an appropriate staff member. If the person needs information to perform his/her job, it should be acquired from the person who should provide it. 4. Employees should always obtain the appropriate consent for release of information before providing information to other parties (including caregivers).

Authorization Procedures

Notice of Privacy Practices Every new client should be given a copy of the Notice of Privacy Practices. Consent/ Authorization Every new client should be asked to sign a form that permits the center to release information if required to provide the assistive technology.

The same consent form should include a space permitting information to be released to a family member or caregiver concerning the use of equipment or supplies.

The signed consent form should be placed in the client’s file. A release log should be started and placed in each client’s file. If information is released, it should be logged. A consent form must be present. This log must be retained for at least six years past the last release date (or, in the case of a minor, six years past the date of majority). DISCLAIMER The original contents of this document were developed by Professional Resource Group LLC in 2003 as part of training for durable medical equipment providers in the implementation of HIPAA privacy practices. The reader should not construe this information to have the endorsement of the U.S. Department of Education, the Federal government or the Georgia Department of Labor under whose auspices this database is administered.

 

Attachments

Other Information

Title: Intake - Health Information Privacy
Module: User Services
Author: Trish Redmon
Audience: Administrator
Sub Title: Summary of HIPAA provisions
Procedure:
Organization Source: Professional Resource Group LLC
Last Reviewed: 01-23-2009 7:56 AM