“New Federal Standards for Privacy of Health Information”




INTRODUCTION

On April 14, 2003, new federal standards for privacy of health information came into effect. These new privacy standards are contained in a law called the Health Insurance Portability and Accountability Act or “HIPAA”. We use the acronym HIPAA as a shorthand way to refer to these privacy rules.

Little Steps Pediatric Physical Therapy, PC., believes that patient privacy and maintaining the confidentiality of patient health information are critical components of high quality patient care. Little Steps Pediatric Physical Therapy, PC., has always maintained policies, procedures, and protocols protecting the privacy of patients and ensuring the confidentiality of patient information. Now, Little Steps Pediatric Physical Therapy, PC., will continue in its commitment to patient privacy and confidentiality of patient health information through the implementation of the new HIPAA health information privacy rules. Little Steps Pediatric Physical Therapy, PC.’s patients can expect that their health information will be kept confidential and only used for permitted purposes.

IMPACT OF THE NEW HIPAA REGULATIONS

While Little Steps Pediatric Physical Therapy, PC. has always been conscientious regarding confidentiality obligations, with the advent of HIPAA the healthcare industry has entered into a new era of privacy and protection of medical information. As such, Little Steps Pediatric Physical Therapy, PC. is required to be even more sensitive and diligent in the way we handle confidential patient health information. In addition to a thorough knowledge of the HIPAA regulations, let common sense be your guide in using and disclosing patient health information. Taking an extra moment to ensure that information is being used and disclosed to the appropriate individuals and in an appropriate manner will go far in the commitment to complete compliance with the HIPAA requirements.

OVERVIEW OF HIPAA PRIVACY REGULATIONS

PRIVACY OFFICER

Little Steps Pediatric Physical Therapy, PC., is the appointed privacy officer to coordinate the implementation of the HIPAA regulations and to act as a resource for privacy related issues. She should be contacted at 773-609-5405 if there is any question as to the appropriateness of a particular use or disclosure of patient health information.

NOTICE OF PRIVACY PRACTICES

Beginning immediately, each patient must be provided with a HIPAA Notice of Privacy Practices. This notice, which is a new form to be provided upon admission or first encounter, provides each patient with important information regarding Little Steps Pediatric Physical Therapy, PC.’s policies and procedures regarding the use and disclosure of patient medical information and informs patients of their rights with respect to that information. In addition to posting the Notice of Privacy Practices, we must use our best efforts to obtain a written acknowledgement of receipt from the patient.

PROTECTED HEALTH INFORMATION (PHI)

Protected Health Information (PHI) is individually identifiable information, whether oral, written, or electronic, created or received by a health care provider relating to a past, present or future physical or mental health condition or payment for health care created or received by a health care provider or health plan. Personal health information includes information of persons both living and deceased.

Any of the following components are considered to be individually identifiable information within PHI:

• Names

• Street address, city, county, precinct, zip code

• Dates directly related to a patient including birth date, admission date, discharge date, and date of death

• Telephone numbers, fax numbers, and electronic mail addresses

• Social security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images

• Any other unique identifying number, characteristic, or code.

All information created to establish the patient’s medical record, including all information placed or written into the medical record, any information discussed about a patient and any patient billing information is PHI.

“USING” AND “DISCLOSING” PHI

The HIPAA regulations distinguish between the “use” and the “disclosure” of PHI. Using PHI is the discussing, reading, analyzing, or otherwise using the PHI within an entity or between the individuals who are part of an entity that maintains such information. Disclosing PHI is releasing, transferring, providing access to, or divulging PHI outside the entity holding the information.

Generally, if the patient has been given a copy of the Notice of Privacy Practices, the patient’s PHI can be used or disclosed without a patient’s authorization to carry out patient treatment, payment, or for other health care operations. Except in accordance with certain exceptions, all other uses or disclosures of PHI require a patient’s authorization.

TREATMENT, PAYMENT, OR HEALTHCARE OPERATIONS (TPO)

Generally, Little Steps Pediatric Physical Therapy, PC., is permitted to use and disclose PHI without a patient’s authorization for treatment, payment, or healthcare operations (TPO).

The following are some examples of activities in which the use or disclosure of PHI would not require patient authorization.

Treatment:

• The provision, coordination, or management of health care and related services by one or more health care providers

• The coordination or management of health care by a health care provider with a third party

• Consultation between health care providers relating to a patient

• Referral of a patient for health care from one health care provider to another

Payment:

• Activities undertaken to obtain or provide reimbursement for the provision of health care services

• Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims

• Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing

• Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges

• Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services

• Disclosure to consumer reporting agencies of any of the following PHI relating to collection of premiums or reimbursement: a) name and address, b) date of birth, c) social security number, d) payment history, e) account number, and f) name and address of the health care provider and/or health plan.

Healthcare Operations:

• Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines.

• Population-based activities relating to improving health or reducing health care costs

• Protocol development

• Case management and care coordination

• Contacting of health care providers and patients with information about treatment alternatives and related functions that do not include treatment

• Reviewing the competence or qualifications of health care professionals

• Evaluating practitioner and provider performance.

• Conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.

• Training of non-health care providers

• Accreditation, certification, licensing, or credentialing activities

• Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs

• Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies

• Business management and general administrative activities of the entity.

USE, DISCLOSURE AND REQUESTS FOR PHI LIMITED TO MINIMUM NECESSARY

Most uses, disclosures, and requests for personal health information are limited to that which is reasonably necessary to accomplish the intended purpose of the use, disclosure or request. However, the following types of disclosures, uses, and requests are not subject to the minimum necessary requirements:

• Disclosures to or requests to a health care provider for treatment

• Uses to prepare information for and disclosures made pursuant to an authorization signed by a patient or patient’s representative

• Disclosures made to the Secretary of the US Department of Health and Human Services for compliance and enforcement of the privacy regulations, and

• Uses to prepare information for and disclosures that are required by law.

SPECIAL RULES RELATING TO OTHER TYPES OF HEALTH INFORMATION

In addition to the HIPAA guidelines, other federal and state laws may restrict the disclosure of other types of patient medical information such as information related to communicable diseases or treatment for drug and alcohol abuse. You should continue to follow these guidelines in using and disclosing this information.

DISCLOSURE OF MEDICAL INFORMATION TO FRIENDS AND FAMILY

The HIPAA regulations permit disclosure of a patient’s PHI to a family member, other relative or friend involved in the patient’s care. This usually occurs when a patient is being actively treated in a facility or clinic. In most cases, the patient must agree to allow disclosure of his or her PHI. The regulations say that while it is preferable to obtain verbal agreement of the patient, it is not required in the following instances:

• If an agreement can be inferred from the circumstances that the patient would not object to the disclosure

• If the patient arrives at the facility with a family member or friend, or if the patient asks the family member or friend to be there to answer some pre-admission or pre-treatment questions

• If the patient is not present or does not have the opportunity to agree or object to the use or disclosure because of his or her incapacity, the patient’s physician or caregiver may determine whether the disclosure is in the best interest of the patient. However, if the physician or caregiver has any doubts regarding the appropriateness of sharing such information with a patient’s family or friends, the physician or caregiver should consult with Little Steps Pediatric Physical Therapy, PC.

In all of these cases, Little Steps Pediatric Physical Therapy, PC., is required to disclose only the information that is directly relevant to the person’s involvement with the patient’s health care. Disclosures of a patient’s PHI to a family member, other relative or friend involved in the patient’s care after discharge require a patient’s authorization and all such requests should be forwarded to the individual responsible for medical records.

INCIDENTAL DISCLOSURES

Communication between health care professionals regarding a patient’s PHI is essential for the provision of quality health services. However, because of the frequency and necessity of such communication, the potential exists for an individual’s PHI to be disclosed incidentally. For example, a hospital visitor may overhear a physician’s confidential conversation with a staff member or a patient, or a patient may see another patient’s information on a sign-in sheet. HIPAA does not require that we alter these customary and essential communications and practices and does not require that all risk of incidental use or disclosure be eliminated. HIPAA permits incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. Reasonable precautions include using lowered voices or talking apart from others when sharing PHI.

SAFEGUARDING PATIENT INFORMATION

Employees must take reasonable steps to safeguard patients’ PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA regulations. Such safeguarding includes, but is not limited to, placing PHI in a cabinet or closed file at the end of the workday; maintaining privacy during oral discussions of PHI; restricting electronic transmission of PHI to job related duties; and disposing of documents strictly in accordance with Little Steps Pediatric Physical Therapy, PC.’s policies and procedures. In addition, medical records, billing records, and other patient information may only be destroyed in accordance with the appropriate policies and procedures, which require shredding or incineration.

MARKETING

The HIPAA regulations place specific prohibitions on use of PHI for marketing purposes without specific patient authorization. Marketing is a communication about a product or service to encourage recipients of the communication to purchase or use the product or service. However, marketing does not include the following:

• Communications describing the products and services provided by or offered by Little Steps Pediatric Physical Therapy, PC. You may use patient information to describe our products and services to patients and you can target patients by clinical information, zip code, sex, or age.

• Communications to a patient as part of his/her treatment and for the purpose of furthering his/her treatment

• Communications made for case management or care coordination for the individual

• Communications to a patient in the course of managing his/her treatment, to direct or recommend alternative treatments, therapies, health care providers or settings of care

• Communications that promote health in a general manner, such as information about how to guard against development of a particular disease or condition, so long as the communications do not promote a specific product or service from a particular provider and the communications are population-based (i.e., are mailed to our entire patient base or to women or other population-based designations, but are not based on clinical information)

However, the HIPAA regulations do permit a communication about a product or service to encourage recipients of the communication to purchase or use the product or service in the following circumstances without a patient authorization:

• During face-to-face encounters with the patient

• Communications consisting of a promotional gift of nominal value; for example: pens, magnets, calendars, etc.

RESEARCH

PHI may not be used for internal research purposes or disclosed to anyone outside for research purposes without the authorization of the patient and without specific approval from the Privacy Officer.

HIPAA REGULATIONS RELATING TO OUR PATIENTS

PATIENT RIGHTS AND HEALTH PROVIDER OBLIGATIONS

HIPAA gives individuals certain rights regarding their medical records and health information and establishes procedures for healthcare providers to respond to these rights.

RIGHT TO INSPECT AND COPY

Patients have the right to request to inspect and copy their PHI. If any patient or other person requests access to his or her PHI, you may refer the person to Little Steps Pediatric Physical Therapy, PC.

AUTHORIZATIONS FOR RELEASE OF PHI

Patients have the right to authorize all uses and disclosures of PHI that do not relate to treatment, payment or healthcare operations and that are not required by law or other governmental process. In certain circumstances, a legal representative may request health information regarding a patient. In these cases, we are required to verify that the individual requesting the information has a legal right to do so. Authorizations will be processed by Jaime Passaglia. If a patient requests a copy of his or her medical record or requests use or disclosure of his or her medical information, you should direct the patient to Little Steps Pediatric Physical Therapy, PC.

RIGHT TO REQUEST AN AMENDMENT

Patients have a right to request an amendment to their PHI. If any patient or other person requests an amendment to his or her PHI, you may refer the person to Little Steps Pediatric Physical Therapy, PC.

RIGHT TO REQUEST AN ACCOUNTING

Individuals have a right to request and receive an accounting of all disclosures made in accordance with the HIPAA guidelines. Such a request may be approved or denied by a healthcare provider. If any patient or other person requests such an accounting, you may refer the person to Little Steps Pediatric Physical Therapy, PC.

RIGHT TO REQUEST RESTRICTIONS ON THE USE OF PHI

Patients have the right to place certain restrictions on the use of their health information. If a restriction has been placed in the medical record, such information may not be used or disclosed for any purpose in violation of such restriction, except as necessary for the emergency treatment of the patient. In addition, patients have the right to request to receive communications from us by alternative means or at alternative locations. Before using or disclosing or communicating with any patient it is important to determine whether a restriction is noted in the patient’s medical record. If any patient or other person requests a restriction on his or her PHI, you may refer the person to Little Steps Pediatric Physical Therapy, PC.

RIGHT TO MAKE A COMPLAINT

Patients have the right to file a complaint with us if they believe that their privacy rights have been violated. If any person requests information on how to file a complaint, you may refer the person to Little Steps Pediatric Physical Therapy, PC.

VIOLATIONS AND DISCIPLINARY ACTION

REPORTING WORKPLACE HIPAA VIOLATIONS OR MISUSES OF PHI

Employees of Little Steps Pediatric Physical Therapy, PC., should report HIPAA violations to Little Steps Pediatric Physical Therapy, PC. at 773-609-5405.

DISCIPLINARY ACTION FOR NONCOMPLIANCE

Little Steps Pediatric Physical Therapy, PC., will take appropriate disciplinary measures against individuals who violate any policy or procedure concerning the use or disclosure of PHI. The disciplinary measures taken will be consistent with the violation and the circumstances of each case. Discipline for infractions of the privacy policies and procedures may include reprimand, suspension, or discharge of the individual, depending on the severity of the misconduct.

FINES AND PENALTIES FOR VIOLATION OF HIPAA REGULATIONS

Fines and penalties that may be imposed under HIPAA for privacy violations include:

• Civil monetary penalties of not more than $100 per violation for general disclosures, with a maximum penalty of up to $25,000 per person per violation of a single standard within a calendar year.

• Fines of up to $50,000 and/or imprisonment of not more than a year for intentional disclosures of PHI

• Criminal penalties of $100,000 and/or imprisonment of not more than 5 years for obtaining or disclosing PHI under false pretenses.

• Criminal penalties of $250,000 and/or imprisonment of not more than 10 years for obtaining PHI with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm.
