Difference between revisions of "LII:HIPAA Compliance - LII 007 05. Administration"

Revision as of 17:01, 13 June 2016


Previous lessons in the Laboratory Informatics Institute HIPAA Compliance series have dealt with explaining what HIPAA is, who it applies to, what data are protected and how the Protected Health Information (PHI) of individuals must be handled, according to HIPAA generally and the Privacy Rule. Implications for administration of HIPAA and how it applies to and affects healthcare organizations and administrative departments are also important to understand.

Requirements and Recommendations

Administratively, there are a few things to keep in mind when seeking to comply with HIPAA, according to the HHS:

Privacy Policies and Procedures

A covered entity (CE) must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule. This is discussed in detail in Lesson 4, under Patient Notification and Rights.

Privacy Personnel

CEs must designate a "Privacy Official", who is responsible for developing and implementing the CE's privacy policies and procedures. The CE must also provide a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices. Nothing prevents these from being the same person or office.

Workforce Training and Management

Workforce requirements are two-fold: privacy procedures and breach procedures. Workforce members include employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the CE (whether or not they are paid by the CE). CEs must train all workforce members on privacy policies and procedures, but only as necessary and appropriate for them to carry out their functions. In addition, the CE must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the HIPAA Privacy Rule. The information needed to do this is contained in this course and at the HHS website, as well as in the HIPAA law itself.

Mitigation

Sometimes HIPAA regulations and/or CE privacy policies are broken, either accidentally or intentionally. In such cases, a CE must mitigate (to the extent practicable) any harmful effect it learns was caused by a use or disclosure of PHI, in violation of those policies or the Privacy Rule, by its workforce or its business associates.

Data Safeguards

Per the HIPAA Security Rule, a CE must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent either intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule, and to limit incidental use and disclosure that occurs in the course of an otherwise permitted or required use or disclosure. For example, such safeguards could include shredding documents containing PHI before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.

Complaints

A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. Among other things, the covered entity must identify to whom at the covered entity individuals can submit complaints, and advise that complaints can also be submitted to the Secretary of HHS.


Retaliation and Waiver

A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.


Documentation and Record Retention

A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.


Fully-Insured Group Health Plan Exception

The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.


  • b. Organizational Options
    • i. Hybrid
    • ii. Affiliated
    • iii. Organized Healthcare Arrangement
    • iv. Covered Entities With Multiple Covered Functions
    • v. Group Health Plan disclosures to Plan Sponsors