HIPAA COMPLIANCE |
Privacy Standards for HIPAA Implementation - Biometrics Direct
PROTECTING THE PRIVACY OF PATIENTS' HEALTH INFORMATION - US Dept of Health and Human Services
This version includes COMPANY NOTES from Biometrics Direct.
Commentary: James Childers - CEO of ASG - My NOTES will be highlighted.
Overview: The first-ever federal privacy
standards to protect patients' medical records and other health
information provided to health plans, doctors, hospitals and
other health care providers took effect on April 14, 2003.
Developed by the Department of Health and Human Services (HHS),
these new standards provide patients with access to their
medical records and more control over how their personal health
information is used and disclosed. They represent a uniform,
federal floor of privacy protections for consumers across the
country. State laws providing additional protections to
consumers are not affected by this new rule.
Congress called on HHS to issue patient privacy
protections as part of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). HIPAA included provisions
designed to encourage electronic transactions and also required
new safeguards to protect the security and confidentiality of
health information. The final regulation covers health plans,
health care clearinghouses, and those health care providers who
conduct certain financial and administrative transactions (e.g.,
enrollment, billing and eligibility verification)
electronically. Most health insurers, pharmacies, doctors and
other health care providers were required to comply with these
federal standards beginning April 14, 2003. As provided by
Congress, certain small health plans have an additional year to
comply. HHS has conducted extensive outreach and provided
guidance and technical assistance to these providers and
businesses to make it as easy as possible for them to implement
the new privacy protections. These efforts include answers to
hundreds of common questions about the rule, as well as
explanations and descriptions about key elements of the rule.
These materials are available at
http://www.hhs.gov/ocr/hipaa.
PATIENT PROTECTIONS
The new privacy regulations ensure a national floor of
privacy protections for patients by limiting the ways that
health plans, pharmacies, hospitals and other covered entities
can use patients' personal medical information. The regulations
protect medical records and other individually identifiable
health information, whether it is on paper, in computers or
communicated orally. Key provisions of these new standards
include:
- Access To Medical Records. Patients generally
should be able to see and obtain copies of their medical
records and request corrections if they identify errors and
mistakes. Health plans, doctors, hospitals, clinics, nursing
homes and other covered entities generally should provide
access to these records within 30 days and may charge patients
for the cost of copying and sending the records.
- Notice of Privacy Practices. Covered health
plans, doctors and other health care providers must provide
a notice to their patients explaining how they may use personal
medical information and the patients' rights under the new privacy
regulation. Doctors, hospitals and other direct-care
providers generally will provide the notice on the patient's
first visit following the April 14, 2003, compliance date
and upon request. Patients generally will be asked to sign,
initial or otherwise acknowledge that they received this
notice. Health plans generally must mail the notice to their
enrollees by April 14 and again if the notice changes
significantly. Patients also may ask covered entities to
restrict the use or disclosure of their information beyond
the practices included in the notice, but the covered
entities would not have to agree to the changes.
- Limits on Use of Personal Medical Information.
The privacy rule sets limits on how health plans and covered
providers may use individually identifiable health
information. To promote the best quality care for patients,
the rule does not restrict the ability of doctors, nurses
and other providers to share information needed to treat
their patients. In other situations, though, personal health
information generally may not be used for purposes not
related to health care, and covered entities may use or
share only the minimum amount of protected information
needed for a particular purpose. In addition, patients would
have to sign a specific authorization before a covered
entity could release their medical information to a life
insurer, a bank, a marketing firm or another outside
business for purposes not related to their health care.
- Prohibition on Marketing. The final privacy rule
sets new restrictions and limits on the use of patient
information for marketing purposes. Pharmacies, health plans
and other covered entities must first obtain an individual's
specific authorization before disclosing their patient
information for marketing. At the same time, the rule
permits doctors and other covered entities to communicate
freely with patients about treatment options and other
health-related information, including disease-management
programs.
- Stronger State Laws. The new federal privacy
standards do not affect state laws that provide additional
privacy protections for patients. The confidentiality
protections are cumulative; the privacy rule will set a
national "floor" of privacy standards that protect all
Americans, and any state law providing additional
protections would continue to apply. When a state law
requires a certain disclosure -- such as reporting an
infectious disease outbreak to the public health authorities
-- the federal privacy regulations would not preempt the
state law.
- Confidential communications. Under the privacy
rule, patients can request that their doctors, health plans
and other covered entities take reasonable steps to ensure
that their communications with the patient are confidential.
For example, a patient could ask a doctor to call his or her
office rather than home, and the doctor's office should
comply with that request if it can be reasonably
accommodated.
- Complaints. Consumers may file a formal complaint
regarding the privacy practices of a covered health plan or
provider. Such complaints can be made directly to the
covered provider or health plan or to HHS' Office for Civil
Rights (OCR), which is charged with investigating complaints
and enforcing the privacy regulation. Information about
filing complaints should be included in each covered
entity's notice of privacy practices. Consumers can find out
more information about filing a complaint at
http://www.hhs.gov/ocr/hipaa or by calling (866)
627-7748.
HEALTH PLANS AND PROVIDERS
The privacy rule requires health plans, pharmacies, doctors
and other covered entities to establish policies and procedures
to protect the confidentiality of protected health information
about their patients. These requirements are flexible and
scalable to allow different covered entities to implement them
as appropriate for their businesses or practices. Covered
entities must provide all the protections for patients cited
above, such as providing a notice of their privacy practices and
limiting the use and disclosure of information as required under
the rule. In addition, covered entities must take some
additional steps to protect patient privacy:
- Written Privacy Procedures. The rule requires
covered entities to have written privacy procedures,
including a description of staff that has access to
protected information, how it will be used and when it may
be disclosed. Covered entities generally must take steps to
ensure that any business associates who have access to
protected information agree to the same limitations on the
use and disclosure of that information.
- Employee Training and Privacy Officer. Covered
entities must train their employees in their privacy
procedures and must designate an individual to be
responsible for ensuring the procedures are followed. If
covered entities learn an employee failed to follow these
procedures, they must take appropriate disciplinary action.
- Public Responsibilities. In limited
circumstances, the final rule permits -- but does not
require -- covered entities to continue certain existing
disclosures of health information for specific public
responsibilities. These permitted disclosures include:
emergency circumstances; identification of the body of a
deceased person, or the cause of death; public health needs;
research that involves limited data or has been
independently approved by an Institutional Review Board or
privacy board; oversight of the health care system; judicial
and administrative proceedings; limited law enforcement
activities; and activities related to national defense and
security. The privacy rule generally establishes new
safeguards and limits on these disclosures. Where no other
law requires disclosures in these situations, covered
entities may continue to use their professional judgment to
decide whether to make such disclosures based on their own
policies and ethical principles.
- Equivalent Requirements For Government. The
provisions of the final rule generally apply equally to
private sector and public sector covered entities. For
example, private hospitals and government-run hospitals
covered by the rule have to comply with the full range of
requirements.
OUTREACH AND ENFORCEMENT
HHS' Office for Civil Rights (OCR) oversees and
enforces the new federal privacy regulations. Led by OCR, HHS
has issued extensive guidance and technical assistance materials
to make it as easy as possible for covered entities to comply
with the new requirements. Key elements of OCR's outreach and
enforcement efforts include:
- Guidance and technical assistance materials. HHS
has issued extensive guidance and technical materials to
explain the privacy rule, including an extensive, searchable
collection of frequently asked questions that address major
aspects of the rule. HHS will continue to expand and update
these materials to further assist covered entities in
complying. These materials are available at
http://www.hhs.gov/ocr/hipaa/assist.html.
- Conferences and seminars. HHS has participated in
hundreds of conferences, trade association meetings and
conference calls to explain and clarify the provisions of
the privacy regulation. These included a series of regional
conferences sponsored by HHS, as well as many held by
professional associations and trade groups. HHS will
continue these outreach efforts to encourage compliance with
the privacy requirements.
- Information line. To help covered entities find
out information about the privacy regulation and other
administrative simplification provisions of the Health
Insurance Portability and Accountability Act of 1996, OCR
and HHS' Centers for Medicare & Medicaid Services have
established a toll-free information line. The number is
(866) 627-7748.
- Complaint investigations. Enforcement will be
primarily complaint-driven. OCR will investigate complaints
and work to make sure that consumers receive the privacy
rights and protections required under the new regulations.
When appropriate, OCR can impose civil monetary penalties
for violations of the privacy rule provisions. Potential
criminal violations of the law would be referred to the U.S.
Department of Justice for further investigation and
appropriate action.
- Civil and Criminal Penalties. Congress provided
civil and criminal penalties for covered entities that
misuse personal health information. For civil violations of
the standards, OCR may impose monetary penalties up to $100
per violation, up to $25,000 per year, for each requirement
or prohibition violated. Criminal penalties apply for
certain actions such as knowingly obtaining protected health
information in violation of the law. Criminal penalties can
range up to $50,000 and one year in prison for certain
offenses; up to $100,000 and up to five years in prison if
the offenses are committed under "false pretenses"; and up
to $250,000 and up to 10 years in prison if the offenses are
committed with the intent to sell, transfer or use protected
health information for commercial advantage, personal gain
or malicious harm.
HHS is having their OFFICE FOR CIVIL RIGHTS manage HIPAA complaints.
This means that the allegation of a violation will be taken very
seriously and will be investigated and prosecuted to the fullest
extent. When you think about the recent financial scandals
and the "examples" they made out of Ken Lay, Martha Stewart,
Enron, and other companies, you KNOW that they will make an
example out of someone for violations of the HIPAA guidelines
soon. Don't be that guy!
PENALTIES FOR HIPAA VIOLATIONS
Per section 1177 of HIPAA, a person who knowingly
- uses a unique health identifier, or causes one to be
used;
- obtains individually identifiable health information
relating to an individual; or
- discloses individually identifiable health information
to another person;
is in violation of HIPAA regulations. Such persons are
subject to the following penalties:
- a fine of up to $50,000, or up to 1 year in prison, or
both; (Class 6 Felony)
- if the offense is committed under false pretenses, a
fine of up to $100,000, up to 5 years in prison, or both;
(Class 5 Felony)
- if the offense is committed with intent to sell,
transfer, or use individually identifiable health
information for commercial advantage, personal gain, or
malicious harm, a fine of up to $250,000, or up to 10 years in
prison, or both. (Class 4 Felony)
- HIPAA also provides for civil fines to be imposed by the
Secretary of DHHS "on any person" who violates a provision
of it. The maximum is $100 for each violation, with the
total amount not to exceed $25,000 for all violations of an
identical requirement or prohibition during a calendar year.
(Class 3 Felony)
NOTE - HIPAA is a FEDERAL LAW and offenses will be tried in
FEDERAL COURT. In United States Federal Law, a felony is a crime
punishable by one or more years of imprisonment,
and the penalties for HIPAA violations are FELONIES. This
means that you can lose your RIGHTS to the following if you are
convicted of any of these offenses. The right to vote is
taken away, as is the opportunity to run for office and serve in
the military, and the ability to own or use a firearm. A felon's
driver's license may be revoked or suspended; employers have the
right to inquire about any felony convictions, and may require
insurance coverage before hiring anyone with prior history as a
felon. Many insurance companies will not insure convicted
felons, therefore making it difficult for many to obtain jobs.
Theoretically, federal law allows persons convicted of felonies
in a federal United States district court to apply to have their
record expunged after a certain period of time with a clean
record. However, the U.S. Congress has refused to fund the
federal agency mandated with handling the applications of
convicted felons to have their record expunged.
This means that, in practice, federal felons cannot have their records expunged.
The person responsible for the leak of the data is the one that
will be tried. Don't take a chance - SECURE that DATA and
your NETWORK.