What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. Portability refers to the section that provides for the waiver of pre-existing conditions when persons who are covered under a group policy with their current employer move to a new employer. HIPAA portability provisions limit the ability of group health plans to exclude coverage of pre-existing conditions and prohibit the exclusion of individuals from coverage based on health status.

As a part of the legislation, Congress incorporated a section called Administrative Simplification. This section of the law includes:

* Standardization of electronic formats for transmission of nine transactions including claims, electronic remittance advice, eligibility, authorization, pharmacy, enrollment, coordination of benefits, attachments and first notice of claims, and

* Security of electronic health information and electronic signatures, and

* Privacy of patient identifiable information.

What is the difference between privacy and security of patient information?

Privacy is defined as controlling who is authorized to access patient information and under what circumstances patient information may be accessed, used, and/or disclosed to third parties. Privacy is accomplished typically through policy and procedure.  Security is defined as the ability to control access and protect information from accidental or intentional disclosures to unauthorized persons and from alteration, destruction, or loss. Security is typically accomplished through some kind of technical controls.

Do the HIPAA privacy and security regulations apply only to patient information stored in an electronic format?

No. While that was originally proposed, the regulations were broadened to include patient information stored in written format as well as information stored in computers.

Does HIPAA cover oral communications?

Yes. Patient information provided orally (spoken) to third parties, read aloud, or discussed in open-access areas is protected by the regulation’s Privacy Rule. However, it does not apply to patient-related communications between health care professionals engaged in direct patient care, except to the extent that such communications should take place in a manner as not to be overheard by those who do not have a need or right to know the information.

When are the regulations effective?

The regulations are being phased in. The Privacy rules must be complied with by April 14, 2003. The Security rules must be complied with by April 21, 2005.

What federal agency is responsible for HIPAA compliance?

The Office of Civil Rights (OCR) has jurisdiction over HIPAA compliance including:

* Imposing civil penalties and making referrals for criminal prosecution

* Making exception determinations

* Overseeing voluntary compliance through technical assistance and other means

* Responding to questions regarding the rules and providing interpretation and guidance

* Responding to state requests for exception determinations.

Who is covered by the HIPAA Privacy and Security Rules?

Health care providers that transmit claims electronically, health plans, and health care clearinghouses.

Are external organizations or agencies with which patient data is shared covered under the HIPAA regulations?

These are referred to as Business Associates and they are not specifically regulated by HIPAA, unless they are themselves a covered entity as defined in the regulations. However, if covered entities share information with Business Associates, they must establish contracts that protect the information as it changes hands.

Is all patient information protected?

With a couple of exceptions, protected health information (PHI) includes all individually identifiable health information that is transmitted or maintained in any form or medium. Broadly defined, PHI is any patient information, including demographic information, that ties the identity of the individual to their health record. Examples are names, addresses, geographic codes smaller than state, all date (except year) elements related to the individual, telephone numbers, fax numbers, e-mail addresses, license numbers, etc. If it can possibly be used to identify an individual, the element is considered protected.

What is the Privacy Rule?

The Privacy Rule creates national standards to protect individuals’ medical records and other personal health information. Specifically, it:

* Gives patients more control over their health information.

* Sets boundaries on the use and release of health records.

* Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.

* Holds violators accountable with civil and criminal penalties that can be imposed if they violate patients’ privacy rights, and

* Strikes a balance when public responsibility requires disclosure of some forms of data – for example, to protect public health.

For patients, it:

* Enables patients to find out how their information may be used and what disclosures of their information have been made. In most cases, it requires specific patient consent or authorization to use or disclose their protected health information.

* Generally limits release of information to the minimum reasonably needed for the purpose of disclosure, and

* Gives patients the right to examine and obtain a copy of their own health records and request corrections.

What are the penalties for violating HIPAA regulations?

It is important to note that penalties can extend to the individual as well as to the corporation. There is a $100 civil penalty up to a maximum of $25,000 per year for each standard violated. Criminal penalties are imposed for certain wrongful disclosures of health information. It is a graduated penalty that may escalate to a maximum of $250,000 for particularly egregious offenses.

Can an individual sue if his or her privacy is violated?

No. HIPAA does not create a federal right to sue for violations of the Act. Individual complaints are filed with the Office of Civil Rights (OCR). It is this federal agency that will investigate claims that patient protections have been violated.

Will the University have a process for a patient to seek advice regarding their rights or to express concern if they feel their privacy has been violated?

Yes. As required by the regulations, the University has named a HIPAA Privacy Officer to oversee compliance and will establish a formal process for patients to seek information or to express concern.  The Marshall University HIPAA Privacy Officer is Michelle Douglas, Director, Human Resource Services, 207 Old Main, 304.696.3983, douglasm@marshall.edu.

Isn’t the University really in compliance with most of the privacy and security regulations already?

No. Confidentiality of patient data has always been important to Marshall University, but these new regulations are extensive. The University must have policies and procedures that implement our responsibilities under HIPAA including:

* To identify the people or class of people who require access to protected health information.

* To identify the categories of information to which those people need access.

* To prevent access to protected health information by unauthorized people.

* To assure that the “minimum necessary” amount of information is released for routine disclosures.

* To review requests for other disclosures and determine the appropriate amount of information to release.

* To verify the identity of the requestor of information, and

* To provide individuals with access to their records, the opportunity to amend or request correction of their records, and to receive an accounting of disclosures.

Does “accounting of disclosure” mean that I have to keep a record every time I use or talk about a patient’s medical information?

No. Accounting of disclosure refers to records reflecting the transmission of protected health information to external parties for reasons other than treatment, payment, or normal health care operations (TPO).

Where will most of the work to comply actually be performed?

The bulk of the compliance work will be accomplished by employees in units that have protected health information.  The University will develop and publish an institution-wide policy on HIPAA compliance, but real compliance must be accomplished at the department or unit level. Department-specific procedures to comply with the policy initiatives will have to be developed locally and department or unit administrators will have to assure that the procedures put in place are being followed.

How will the University go about complying with the HIPAA regulations?

The HIPAA Privacy Officer will oversee implementation of HIPAA at Marshall University and will be assisted by a committee in order to assess the applicability of the law’s many regulations and to make recommendations regarding compliance strategy. Current information security procedures and existing technology are being assessed. Education and training programs are being developed that will be part of an on-going education initiative. Institutional policies that comply with the Privacy Rule are being developed, as well.

Does HIPAA require that we modify physical facilities to assure absolute patient privacy?

No. The regulations say nothing about the requirement to modify physical space. Certainly, all areas should examine where conversations with patients take place and attempt to protect the confidentiality of those conversations to the extent practicable. Changes in policy and procedure are usually sufficient to comply with the law’s intent. If the space is totally inadequate, however, some changes to the facility might be a reasonable solution.

Is it illegal under HIPAA to use sign-in sheets and to call out patient names in a waiting room?

No. Sign-in sheets are permissible under the HIPAA regulations. As for using patient names in a waiting room, the regulations are silent. Certainly assigning numbers to patients is not required. To comply with the spirit of the law, it might be advisable to ask patients if they mind their name being used and, if they do, assign a number, pseudonym, or other identifier that would be satisfactory to the patient.

In the event of an emergency, do I have to obtain advance consent from a patient?

No. Advance consent is not required in emergencies. However, you should document the circumstances and obtain consent as soon as is practicable.

If state law requirements and HIPAA are in conflict, which one takes precedence?

HIPAA provides a floor of protection, not a ceiling. Consequently, where state law provides more protection than that granted under HIPAA, state law takes precedence.  The West Virginia State Code may be consulted as necessary in this regard.

Is there a limit on the number of times any one patient can request to inspect or copy his or her medical files?

No. There is no maximum referred to in the regulations. A healthcare provider is, however, allowed to charge a “reasonable” fee that can take into account the resources required, e.g., employee time, paper cost, machine usage, etc.

If another employee views the medical records of an individual for whose records he/she is not responsible, is that a violation of HIPAA?

Possibly. It would depend on the reason. If viewing the medical records had nothing to do with patient care and there was no valid administrative, medical or educational reason to view the patient’s chart, it would be a violation. HIPAA restricts access to a patient’s protected health information to those who have a need and a right to know the information. Even health care professionals must have a valid reason for accessing protected patient information.

Can I be fired for violating HIPAA regulations?

Yes. Depending on circumstances, severity, and intent, violations of HIPAA regulations, including violations of institutional HIPAA-compliance policies and procedures, may result in disciplinary action up to and including termination of employment.

Are student workers covered by HIPAA regulations?

Yes. Students or trainees who have access to protected health information are covered by the HIPAA privacy standards. Students and trainees must be trained regarding their obligations under HIPAA and, depending on circumstances, severity and intent, are subject to suspension or expulsion from academic or training programs for violations.

If a patient feels they have had their rights under HIPAA violated, what can they do?

Patients, including patients who are participants in treatment-oriented research, and other participants in research studies from whom protected health information is obtained may contact the Marshall University HIPAA Privacy Officer with a complaint. The complaint will be investigated and any necessary corrective action taken. Complaints may also be filed with the Secretary of the Department of Health and Human Services (DHHS) in Washington, DC; these are then passed on to the Office of Civil Rights (OCR) for subsequent investigation.