HIPAA - Health Insurance Portability and Accountability Act
- Effective April 14, 2003 for most entities and April 14, 2004 for small
health plans. A small health plan is described as having less than five
million in annual receipts.
In the event a plan is not compliant, it may continue its operations and
cash flow provided that a good faith and ongoing effort is being made
to become compliant and can be reasonably demonstrated.
- For the electronic transaction and code sets rule, the deadline was
October 16, 2003.
- Security standards must be met by all covered entities by April 21, 2005.
Below is a list of frequently asked questions:
What does the Act do?
The Act creates national standards to protect individuals' medical records
and personal health information. It sets boundaries over the use and release
of those health records.
Who is covered by the Act?
Those engaged in the business/financial transactions of provided healthcare
services, including:
- Health plans
- Health care clearinghouses
- Health care providers
What is the "average" health care provider required to do?
- Notify patients about their rights and how their information will be used.
- Adopt and implement privacy procedures for its practice.
- Train employees so that they understand the privacy policy.
- Designate an individual to be sure compliance with the policy is carried out.
- Secure patient records to prevent disclosure.
- Enter into business associate agreements and other trading partner
agreements as are necessary and when required.
The Act provides a general prohibition on the use of an individual's
information for the purposes of marketing. However, there are certain
exceptions.
Can a health plan network communicate products and services of participating
providers or its own products and services?
Yes. It is not considered "marketing" under the Act for a plan
provider or insurance carrier to mail information about a preferred provider
list to its participants. For example, if a doctor develops a new treatment
device, such as a new skin lotion, it is not considered marketing for
that doctor to mail information about the new lotion to his/her patients
even if they had not been treated for the particular symptom for which
the lotion was developed.
Can care providers and pharmacists mail reminders to patients' homes?
Yes. Care providers are allowed to communicate with patients about their
treatment. This includes the mailing of reminders about appointments,
prescription refills, and in certain instances product and service information.
When is a written and signed authorization required (such as for marketing)
versus a voluntary consent?
A written, signed detailed authorization is required generally for communications
other than those related to treatment, payment, health care operations
or to disclose information to a third party. An authorization must specify
those specific elements or items for which the authorization is granted
as well as a description of the protected health information to be used
and disclosed; the person authorized to make the disclosure or use; the
person or entity to whom the disclosure is to be made; an expiration date
for the authorization; and in some cases the purpose for which the disclosure
is to be made.
Can health plans communicate about health related products or services to
enrollees that add value but are not part of the plan?
Yes. Communications about value added services may qualify under the marketing
exception, even if the services are not part of the plan. To qualify
for the exclusion, the value added product or service must meet two conditions:
1) They must be health related (discounts off of eyeglasses would meet
this condition if available only to members of a plan or patients of a
provider and not to the general public, discounts to a movie theater would
not) and 2) such products or services must add value to the plan's membership
and not simply be part of a larger pass through discount that is offered
to the public at large. For example, if the public can obtain the same
discount offer for eyeglasses through the eyeglass outlet, then specific
authorization to send the offer to members would be needed.
Can a doctor or pharmacy be paid to make/send a prescription or appointment
reminder without prior authorization?
Yes. It is not marketing for a doctor or pharmacist to be paid to make
a prescription refill reminder, even if a third party is paying for the
communication, as an appointment reminder is considered to be part of the
treatment. The reminder is considered part of a patient's treatment and
no prior authorization is required. Similarly, suggesting an alternate
medication or treatment is excluded from the definition of marketing
under the Act. In addition, covered entities (those covered or governed
by the Act) may use a legitimate business associate to assist them in
making such communications, such as a pharmacist using a mail house or
fulfillment entity to send out prescription reminders to the pharmacist's
patients. However, if the data is sold, then the entity would need to
obtain prior authorization from the patients.
Can telemarketers obtain and use my health care information to contact me
about goods and services?
Under the Act, information may be shared with a telemarketer only if the
covered entity has obtained prior written authorization to do so or has
entered into a business associate relationship with the telemarketer for
the purpose of making a communication that is not marketing, such as to
inform the individual about the covered entity's own goods and services.
Do health care providers have to mail out notices in connection with changes
in their notice policy?
No. For any changes to an existing policy, the provider must post in a
conspicuous place in the office the policy with the changes, and copies
of the changes to the notice policy must be made available on request
to a patient. In addition, the revised notice must be provided to patients
at the first service delivery (first time a patient comes in for treatment
or consultation).
Can communications be issued to individuals having a specific condition to
make them aware of particular products and services for that condition?
Yes. If the communication is related to the individual's treatment, case
management, care coordination or is used to recommend alternative therapies.
Similarly, communications targeted at individuals obtained from clinical
information may be provided so long as they are in the area of health
education or disease prevention and as such are not considered marketing
when they promote health in a general manner.
Are hospitals or other care providers required to provide their notices to
patients treated under emergency conditions?
No. The Act requires that notice be provided to patients with a direct
treatment relationship when practical, after the emergency situation has
ended. In addition, the care provider is relieved from its obligation
of having to make a good faith effort to obtain written consent to receipt
of the notice under emergency conditions.
Can information such as name, address, and social security number be
disclosed for public health purposes?
Yes. So long as the disclosure is needed for public health purposes and
the disclosure is reasonably limited to that which is minimally necessary
to accomplish the public health purpose.
Can the notices of care providers be provided with or as part of other
mailings or distributions?
Yes. Special mailings are not required to distribute notices to patients
and the notice information may be included with other mailings, such as
other products and services offered by the care provider. However, a good
faith effort to obtain the written consent to receipt of the notice should
be made.
What is a business associate under the Act?
A business associate is any person or entity, other than the covered entity
(e.g. health plan), that performs functions or services to a covered entity
that involve the use or disclosure of individually identifiable health
information. Examples of such entities include: Data analysis, claim processing,
billing, consulting, plan administration, financial services, legal review
and others.
When is a business associate agreement needed?
An agreement is needed where information is going to be shared with another
entity. The agreement must include provisions for the protection of information,
accounting for disclosures of protected information and certifications
by the associate concerning the use and treatment of the information in
compliance with applicable law.
When is a data sharing agreement needed?
A data sharing agreement is needed in those situations where only a limited
data set is being exchanged, such as in connection with performing quality
analysis of hospitals in a network.
Is a software vendor considered to be a business associate?
The mere selling or providing of software to a covered entity does not give
rise to a business associate relationship if the vendor does not have access to
protected information. If access is required, then the vendor would be
considered a business associate of the care provider or covered entity
and would be required to enter into a business associate agreement.
What safeguards are needed for such practices as posting medical charts?
Care providers are not prohibited from making disclosures by posting a
patient's chart outside an examination room or from engaging in common
and important health care practices. However, the provider must take steps
to limit access and restrict how that information is used and disclosed.
Can I use a log book or other form to acknowledge receipt of notice?
Yes. Provided that the log book or form clearly indicates what the patient
is acknowledging and that care is taken to limit access to the information.
May care providers use sign in sheets?
Yes. Such sign in sheets may be used provided that the information disclosed
is appropriately limited and care is taken to limit access to the information.
Such an incidental disclosure is permitted where the covered entity has
implemented reasonable safeguards.
Does the authorization have to contain an expiration date?
Yes. The acknowledgment must contain either a time limit for which the
authorization is granted ("authorization expires one year from the
date it was signed") or an expiration event ("attainment at
the age of majority").
Can an email, facsimile, or copy suffice as a signed authorization?
Yes.
When is an authorization required from a patient before a provider of a
health plan can engage in marketing to that individual?
An authorization is required for all marketing activity, prior to the
commencement of such activity, except where the communication occurs in
a face to face encounter or the communication involves a promotional gift
of nominal value. If the marketing campaign involves compensation to the
covered entity from a third party, then the authorization must state that
remuneration is involved.
Can information be disclosed in an effort to collect payment?
Yes. Information may be disclosed to a collection agency in an effort
to collect payment for services that have been rendered. The information
disclosed must be reasonably limited and kept to a minimum.
Is the notice required to be posted at the care facility?
Yes. Care providers must post the entire notice in a conspicuous place;
however, no particular form of the posting is prescribed by the Act.
The information contained in this Special Edition of WK Today does not
reflect the views or opinions of Ward/Kraft, Inc. and is merely provided for
informational purposes only. Ward/Kraft, Inc. encourages you to seek the
advice of counsel for each situation that you may encounter to make sure
you are in compliance with the Act. No representations or warranties are
made with respect to the information contained herein, its accuracy,
or its fitness for a particular purpose.