The document provides an overview of HIPAA privacy and security requirements and how they affect medical personnel and commanders. It discusses the Military Command Authority exemption that allows disclosure of protected health information of active duty members to their commanders. It also summarizes key aspects of the HIPAA Privacy Rule including required disclosures, documentation requirements, and patient privacy rights. The roles and responsibilities of Privacy and Security Officers are outlined as well.
AF Medical Operations Agency HIPAA Privacy and Security Overview
1. Air Force Medical Operations Agency
HIPAA Privacy and Security
Excellent Healthcare, Clinical Currency
2. What HSA Students need to know about HIPAA
- To provide an introductory overview of HIPAA and how it affects you as a TOPA or future Systems Flight Commander
- INTERNAL: This presentation focuses on how the HIPAA Privacy and Security Rules impact the Privacy Officer in TOPA, the Security Officer in Systems Flight, and you as a medical member of the Covered Entity.
- EXTERNAL: How HIPAA affects your interaction with Wing ‘Line’ commanders
- It is not intended to provide you with a comprehensive understanding of the entire Privacy and Security Rule, nor is it intended to address all the various requirements your Medical Group must observe in order to be in compliance with the rule
3. General Overview of HIPAA
- Public Law 104-191
  - Also known as the Health Insurance Portability and Accountability Act (HIPAA)
  - Primary AF Guidance for HIPAA Privacy includes AFI 41-210 and DoD 6025.18-R
  - Primary AF Guidance for HIPAA Security includes AFI 41-217
- The overarching purposes of HIPAA are to:
  - Improve the portability and continuity of health insurance coverage
  - Combat waste, fraud, and abuse in health insurance and health care delivery
  - Simplify the administration of health insurance
  - Standardize all electronic transaction code sets (EDI)
- HIPAA is much more than just privacy and security: several functions within the healthcare industry needed to be overhauled or standardized in order to meet the mandates of HIPAA
  - Transaction and Code Set Standards: ICD-9, CPT
  - National Identifier Standards: National Provider Identifier (NPI)
  - Security Standards
4. Medical Group: Improve HIPAA and Sustain Program
- Complete the MDG medical mission and comply with HIPAA requirements
- Make HIPAA IMPROVE the combat operations capability of AFB ‘Line’ Units
- Secure PHI
- Get needed Protected Health Information (PHI) to Wing
5. Military Command Authority (MCA)
- The Military Command Authority (MCA) Exemption permits disclosure of PHI to a member’s commander in order to determine fitness for duty to conduct the mission. But, this exemption applies only to the PHI of Active Duty ARMED FORCES MEMBERS.
6. A Unit Commander wants to know their airman’s condition.
- The member’s authorization is NOT required; AND
- Only the “Minimum Necessary” information will be disclosed (similar to “OPSEC” rules)
ALL DISCLOSURES MUST BE DOCUMENTED BY THE MTF
7. Military Command Authority (MCA)
- to determine the member’s fitness for duty,
- to determine the member’s fitness to perform any particular mission, assignment, order, or duty, including compliance with any actions required as a precondition to performance of such mission, assignment, order, or duty.
- to carry out activities under the authority of DoD Directive 6490.2, “Joint Medical Surveillance,” August 30, 1997.
- to carry out any other activity necessary to the proper execution of the mission of the Armed Forces.
- Appropriate military command authorities are considered all commanders who exercise authority over an individual who is a member of the Armed Forces.
- The use may be by the Commander or his/her designee.
8. MCA Impact
- ‘Line’ commanders perceive HIPAA as a barrier to obtaining medical information on the airmen under their command
- The MDG must maintain and update an MCA roster of commanders and their designees. This roster must include Medical Commanders and their Designees.
- ‘Line’ commanders must educate their staff that only the commander and his/her designee may obtain Protected Health Information (PHI) from the MDG
- Many of the AF Health and Human Services (HHS) complaints have resulted from the MDG disclosing PHI to a ‘Line’ member who is not on the MDG MCA list
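As an added illustration that is not part of this briefing and not any MDG system, the Python sketch below encodes the disclosure checks the MCA slides lay out: active duty members only, requester is the commander or a designee on the MDG MCA roster for that member’s unit, identity verified, a permitted MCA purpose, minimum-necessary fields, and an accounting entry for every disclosure. All ids, unit names, purposes and field sets are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permitted MCA purposes, keyed loosely to the briefing's list (constructed keys).
MCA_PURPOSES = {"fitness_for_duty", "fitness_for_mission", "medical_surveillance"}
# Minimum-necessary field set per purpose: a constructed local policy, not from the rule.
MIN_NECESSARY = {
    "fitness_for_duty": {"duty_status", "profile_expires"},
    "fitness_for_mission": {"duty_status", "profile_expires", "deployment_limits"},
    "medical_surveillance": {"immunizations_current", "pha_current"},
}

@dataclass
class Request:
    requester_id: str        # identity of the person asking (constructed ids)
    requester_unit: str
    member_id: str
    purpose: str
    identity_verified: bool  # MDG staff verified who they are talking to

@dataclass
class DisclosureService:
    mca_roster: dict              # (unit, requester_id) -> "commander" | "designee"
    members: dict                 # member_id -> {"active_duty", "unit", "phi"}
    accounting: list = field(default_factory=list)  # accounting of disclosures

    def disclose(self, req: Request) -> dict:
        """Return minimum-necessary PHI, or raise PermissionError with the reason."""
        member = self.members[req.member_id]
        if not member["active_duty"]:             # exemption covers active duty only
            raise PermissionError("MCA exemption applies only to active duty members")
        if member["unit"] != req.requester_unit:  # must exercise authority over member
            raise PermissionError("requester does not command the member's unit")
        role = self.mca_roster.get((req.requester_unit, req.requester_id))
        if role is None:                          # commander or designee on MDG roster
            raise PermissionError("requester is not on the MDG MCA roster")
        if not req.identity_verified:
            raise PermissionError("requester identity not verified")
        if req.purpose not in MCA_PURPOSES:
            raise PermissionError(f"{req.purpose!r} is not a permitted MCA purpose")
        wanted = MIN_NECESSARY[req.purpose]       # minimum necessary for this purpose
        released = {k: v for k, v in member["phi"].items() if k in wanted}
        self.accounting.append({                  # every disclosure is documented
            "when": datetime.now(timezone.utc).isoformat(), "member": req.member_id,
            "to": req.requester_id, "role": role, "purpose": req.purpose,
            "fields": sorted(released),
        })
        return released

def run_example():
    """Constructed data: one commander on the roster, one first sergeant who is not."""
    svc = DisclosureService(
        mca_roster={("UNIT-A", "cc-0001"): "commander", ("UNIT-A", "des-0002"): "designee"},
        members={"m-100": {"active_duty": True, "unit": "UNIT-A", "phi": {
            "duty_status": "DNIF", "profile_expires": "2013-12-15",
            "diagnosis": "constructed-diagnosis-not-released"}}},
    )
    granted = svc.disclose(Request("cc-0001", "UNIT-A", "m-100", "fitness_for_duty", True))
    try:   # a first sergeant who is not on the roster is refused (the slide 8 complaint)
        svc.disclose(Request("shirt-0009", "UNIT-A", "m-100", "fitness_for_duty", True))
        refusal = None
    except PermissionError as exc:
        refusal = str(exc)
    return granted, refusal, len(svc.accounting)
```

The refused request leaves no accounting entry because nothing was disclosed; a production system would still log the attempt for the Privacy Officer to review.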
9. Military Command Authority (MCA)
- Common examples of health information flows from the MDG
  - Readiness Reports (PIMR)
  - Quarters notices to the Line
  - Physical Profiles and Duty Limiting Condition Reports
  - Appointment Scheduling and Reminders
  - Direct Communications from Healthcare Providers
  - Family Advocacy and support programs
  - Required communications from Mental Health Provider
  - MEB/PEB Processing
  - PRP determinations
  - CITA reports
  - PHAs
  - Request to access an individual’s health records for a specific purpose
  - Request to meet with a provider to receive clarification of duty limitations, etc
  - Commander Directed Mental Health Evaluation
10. Military Command Authority (MCA)
- Air Force actions resulting from the Ft Hood incident
- Briefing that should be given to all ‘Line’ commanders
  - Memorandum For ALMAJCOM/CV; from HQ USAF/SG; Subject: Sharing Protected Health Information with Appropriate Command Authorities; 14 May 2010
  - Memorandum For All MTF/CC; from AFMOA/CC; Subject: Disclosure of Protected Health Information to Appropriate Command Authorities; 24 May 2010
  - PowerPoint: Awareness Campaign Presentation (suggest presentation be viewed in “notes” mode)
11. The Privacy Rule: Disclosing Information
- What is a Disclosure?
  - The release, transfer, provision of access to, or divulging of information in any manner outside the covered entity holding the information
  - Any time the Medical Group provides health information of an individual under your command, they are making a disclosure and must document it
- There are three types of disclosures
  - Patient’s authorization is not required
  - Patient’s authorization is required
  - Patient must be given the opportunity to either agree with, or object to the disclosure; such notice is provided by the Notice of Privacy Practices
- Disclosure categories:
  - As Required by Law
  - Judicial and Administrative Proceedings
  - Medical Facility Patient Directory
  - Research Involving Minimal Risk
  - Inmates in Correctional Institutions or in Custody
  - Law Enforcement Purposes
  - Cadaveric Organ, Eye or Tissue Donation Purposes
  - Workers Compensation
  - Public Health Activities
  - Specialized Government Functions (MCA)
  - About Decedents
  - Avert A Serious Threat to Health or Safety
  - Health Oversight Activities
  - About Victims of Abuse, Neglect, or Domestic Violence
12. Six Year Retention Requirement
- Documentation associated with HIPAA Privacy/Security Program must be maintained for six years from date of implementation or last use
  - Privacy Implementation Date: 14 Apr 03
  - Security Implementation Date: 21 Apr 05
- Common documents to be retained:
  - Privacy Officer/Security Officer appointment letters
  - Commander Designee letters
  - Medical Group Instructions or Operating Instructions
  - Local training plans/sign in sheets
  - Security Risk Assessment (OCTAVE)
  - Privacy Gap Analysis (HIPAA Basics)/MEDFACTS Compliance Assessments
  - Disclosure accountings; complaints; requests for restriction, amendments, or confidential communications
- Items should be maintained in a file system, not a continuity binder
13. The Privacy Rule: In a Nutshell
- What it does…
  - Sets boundaries on the use and release of health records
  - Establishes safeguards that must be met to protect the privacy of health information
  - Holds violators accountable with civil and criminal penalties that can be imposed if the patient’s privacy rights are violated
- What the Medical Group Must Do to Comply…
  - Develop local policies & procedures to ensure compliance with privacy requirements
  - Enforce workforce compliance with policies & procedures, to include sanctions when required
  - Ensure workforce is trained on HIPAA requirements
  - Make the MHS Notice of Privacy Practices available to beneficiaries
14. The Privacy Rule: Key Terms
- Disclosure: Allowing healthcare information to be accessed, released, or otherwise conveyed in any manner outside the entity holding the information
- Protected Health Information (PHI): Individually identifiable health information in any form that
  - Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  - Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual
- Minimum Necessary: The minimum amount of protected health information necessary to accomplish a permitted use or disclosure
  - The HIPAA Privacy Rule requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information
  - Even within the Medical Group, staff members may only share or gain access to PHI on a “role-based” basis
15. Notice and Authorizations
- We are required to give our patients a Notice Of Privacy Practices when we make our first contact with them
- This notice tells them how we will use or disclose their health information according to the HIPAA law
- Finally, it tells our patients about their rights to access their own health information and receive confidential communications
- We ask that our patients sign an acknowledgement of this Notice Of Privacy Practices to confirm that they have received it and understand it. This sticker is placed on the back of medical and dental records
16. HIPAA Patient Privacy Rights (NoPP)
- To Inspect and Copy
- To Request Restrictions
- To Request Confidential Communications
- To Request Amendment
- To an Accounting of Disclosures
- To Obtain a Copy of this Notice
- To File a Complaint
17. HIPAA and How It Affects You
- Transmission of PHI from the Medical Group to You
  - The Medical Group must observe Privacy Act and AF Communications Guidelines to ensure e-mail containing PHI is properly safeguarded during transmission
    - Includes use of PKI encryption and Digital Signature as outlined in AFI 33-119
    - Must be For Official Use Only (FOUO) as outlined in AFI 33-332
    - Information is not transmitted to distribution lists unless each recipient is a Commander’s Designee and has a need to receive the information being transmitted
  - The Medical Group will not transmit an e-mail message containing PHI if it cannot be properly encrypted
- Verification of Identity
  - Medical Group personnel must verify the identity of Commanders and designees prior to disclosing health information
    - The Privacy Officer should have a good process in place for members of the MDG to know who the Commanders and the Commander designees are in each unit.
- Where HIPAA Ends and the Privacy Act Begins
  - PHI is a subset of Personally Identifiable Information (PII) as defined in DoD 5400.11-R
  - Within the Medical Group, PHI is governed by both the Privacy Act (PA) and HIPAA
  - Once properly released by the Medical Group, the information ceases to be protected by HIPAA, but remains subject to the Privacy Act
18. HIPAA and How It Affects You as a Privacy Officer
HIPAA Privacy Officers’ Roles and Responsibilities
- Be the MTF’s initial Point of Contact for all HIPAA Privacy issues and concerns
- Monitor compliance with HIPAA training requirements
- Ensure adherence to Federal Law, MHS, and AF SG policies and procedures at the MTF level
- Investigate patient privacy complaints
- Develop MTF specific policies and procedures
- Implement methods to track disclosures of PHI
- Chair HIPAA Compliance teams
- Complete HIPAA Privacy risk assessment
19. HIPAA and How It Affects You as a Security Officer
HIPAA Security Officers’ Roles and Responsibilities
- Oversee compliance with HIPAA Security Rule
- Establish policies and procedures to manage electronic PHI/PII
- Monitor compliance with HIPAA training requirements
- Chair the Medical Information Security Readiness Team (MISRT)
- Develop HIPAA Security MTF specific policies and procedures
- Ensure sanction policies are consistently applied for failure to comply with ePHI security and breaches
- Complete OCTAVE HIPAA security risk assessment
20. Important Contacts
- Effective management requires establishing good working relationships with:
  - Wing SJA/Medical Legal Advisor
  - Regional Medical Legal Consultant
  - AFMOA Regional Health Information Compliance Rep
  - Base Comm Sq IT Staff
  - Local hospital Privacy Officers where frequent admissions occur
  - MDG Patient Advocate
  - Base Privacy Act Officer
  - Base Freedom of Information Act (FOIA) Officer
21. Trends
- HITECH Breaches: AFMS has experienced 3 total that affected 500 plus individuals’ PHI.
- Improper disposal, PHI accidentally recycled or employee removal of medical forms/PHI
- Inappropriate AHLTA and CHCS access: “AHLTA Snooping”
- Errant emails containing PHI/PII sent unencrypted, sent to wrong email/unintended recipients, or sent to MDG All mail groups.
- Violation of the “Minimum Necessary” principle when the MDG discloses too much health information
- MTF mails wrong medical records to requestor
- Lost electronic equipment: Laptop/media storage/CD/thumb drive
- US Postal or Fedex: medical records packages opened during shipment to other MTFs or AFPC.
- Test results to wrong patients
- Pharmacy dispenses to wrong patient
- Verbal breaches of PHI to neighbors about neighbors
22. HIPAA and Privacy Act Incidents
- An Incident, defined per HIPAA, is the KNOWN or PERCEIVED unauthorized access, use, disclosure, modification, or destruction of Protected Health Information (PHI).
- An Incident, defined per the Privacy Act, is the KNOWN or PERCEIVED unauthorized access, use, disclosure, modification, or destruction of Personally Identifiable Information (PII)
23. HIPAA Incidents
- AFMS personnel must report potential and actual compromises of PII to the United States Computer Emergency Readiness Team (US-CERT) within one hour of the breach occurring or becoming known.
- A Defense Privacy Civil Liberties Office (DPCLO) Breach Report is then accomplished.
- AFMS organizations experiencing a breach of PHI must provide a copy of the DPCLO Breach Report to AFMOA/SGAT as soon as possible, but not later than 24 hours after the breach occurred or became known.
- AFMOA/SGAT will forward the report to AFMSA/SG3SA where the report will be reviewed for content and clarity before forwarding to the TMA Privacy Office. AFMSA/SG3SA maintains copies of all correspondence and reports associated with breach reporting for purposes of tracking and trending incidents within the AFMS, and for documenting HHS reporting requirements.
25. Affected Individual Notification Procedures
- A “risk of harm” assessment will be accomplished after the incident. If the assessment results in a “high risk of harm” the affected individuals will be notified as soon as possible, but not later than 10 working days after the loss, theft, or compromise is discovered and the identities of the individuals ascertained. The notification should be in writing and should be concise, conspicuous, and in plain language.
- NOTE: The 10-day period is a line requirement under DoD 5400.11-R, and AFI 33-332 and begins after the Component is able to determine the identities of the individuals whose records were lost. If the Component is only able to identify some but not all of the affected individuals, notification shall be given to those that can be identified with follow-up notifications made to those subsequently identified
11/14/13
26. Most Common Privacy Issues
- Health and Human Services reports the following as the most common types of issues investigated (in order of frequency):
  - Impermissible uses and disclosures of PHI
  - Lack of safeguard of PHI
  - Lack of patient access to PHI (CLIA)
  - Uses or disclosures of more than “Minimum Necessary” PHI
  - Lack of or invalid authorizations for uses and disclosures
27. HOW TO AVOID BREACHES
- Do not leave PII unattended
- Lock records in cabinets/offices
- Do not remove PII from office workspace
  - Limit the extraction of PII from protected information systems (i.e. export to Microsoft Access, Excel, Printed Format, etc.)
- Be deliberate before posting in shared environments (shared drives)
- Give access only as needed to perform duties
  - Limit disclosure/access to absolute minimal needed
  - Have checks/balances in place to prevent misuse
- Properly destroy records when record retention is met
You can’t lose what you don’t have!
28. HIPAA Compliance
- MEDFACTS
- We have added HIPAA elements into MEDFACTS.
- These are regulatory elements to ensure your program is in compliance with the HIPAA rule.
- If your Privacy and Security officers do not have a MEDFACTS account, suggest they get with MDG QA folks to obtain one.
29. Summary
- HIPAA hasn’t changed your ability to access the health information you need to effectively execute the military mission
- The Specialized Government Functions provision allows the Medical Group to disclose information to appropriate military command authorities or their designated representative
- The Medical Group must observe the “Minimum Necessary” principle when they disclose health information to you
- HIPAA protects health information, but the Privacy Act remains in force
- Leadership Role overseeing HIPAA Privacy and Security functions to keep the MTF compliant.
- Always feel free to confer on any case you are dealing with by consulting with your AFMOA HIPAA Reps.
30. “HIPAA-theticals” for discussion
- While in the Public Health area a MSgt who works in PH says to a friend who is not a member of the MDG, “I know your girlfriend has an STD.” The PH officer hears about it and calls you to ask what should be done.
- What should you do and how should you follow this potential breach of PHI? What guidance and direction would you give your HIPAA Privacy Officer (HPO), who is a lower rank than the MSgt?
- The Specialized Government Functions provision in HIPAA rules, outlined in the DoD 6025.18-R, allows the Medical Group to disclose information to appropriate military command authorities or their designated representative(s). Your HPO comes and tells you that an Army Colonel on the base for an exercise is a Senior Aide for the 4 star Admiral commander who is running the Joint Exercise. He says he needs a daily list of the exercise members who come to the MDG so he can brief the Admiral on the health status of the unit. You do not have a MCA list from the Admiral. When the HPO first told the Colonel he could not get the list, the Colonel became visibly angry and demanded to speak with the CO of the MTF.
- What actions would you take to assist the HPO from being intimidated by the Colonel and how would you provide top cover on this situation?
31. “HIPAA-theticals” for discussion
- An airman in the Patient Administration section reports to you that one of the other technicians has been accessing AHLTA/CHCS and reviewing the medical status of other MTF staff.
- Do you consider this a privacy breach? Should you involve your HIPAA Security Officer with your HIPAA Privacy Officer? What rule did this Airman break if any? What resources do you have available to investigate this issue?
- A member of your MTF contacts an AD Patient’s unit and speaks to the member’s direct supervisor. The MTF staff member discusses the patient’s medical condition with the supervisor.
- Do you consider this a Privacy Violation? What rule did the MTF staff member break if any? Who should the MTF Staff member have contacted, if not the direct supervisor?
32. AFMOA Health Info Compliance POCs
- Chief, Health Benefits Support Branch: 210-395-9944
- Support Branch: 210-395-9926 (DSN: 969)
- North: 210-395-9953
- South: 210-395-9814
- West: 210-395-9921
- OCONUS: 210-395-9948
- Org email box: afmoahipaatraining@us.af.mil
33. Resources
- DoD 6025.18-R
- AFI 41-210
- AFI 41-217
- Military Health System
  - http://www.tricare.mil/tmaprivacy/Hipaa.cfm
- Department of Health and Human Services
  - http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
- AF HIPAA Guide
  - https://kx.afms.mil/kxweb/dotmil/kj.do?functionalArea=HIPAA
- HIPAA Briefing for Commanders
  - https://kx.afms.mil/kxweb/dotmil/kjFolderList.do?folder=Toolkits&functionalArea=AFMOAHealthBenefits