"Nuts & Bolts 2" - A Guide to the Clinical Years
Section 2: Vital Information for Clinical Clerkships
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of
1996 mandates significant changes in the legal and regulatory environments governing
the provision of health benefits, the delivery and payment of healthcare services, and
the security and confidentiality of individually identifiable, protected health information.
The law is composed of two major legislative actions: provisions for
health insurance reform and requirements for administrative simplification. Complying
with all aspects of HIPAA will require providers and virtually all entities within
the healthcare industry (including clinical research) to make significant changes to
their information systems, operations policies and procedures, and business practices.
Simply put, HIPAA calls for:
1. Standardization of electronic patient health, administrative and financial data
2. Unique health identifiers for individuals, employers, health plans and health
care providers
3. Security standards protecting the confidentiality and integrity of
"individually identifiable health information," past, present or future.
Administrative Simplification:
1. Electronic Health Transactions Standards
Health providers and plans use many different electronic formats.
Implementing a national standard will mean we will all use one format, thereby "simplifying"
and improving transaction efficiency nationwide. Health organizations also must
adopt standard code sets to be used in all health transactions. For example, coding
systems that describe diseases, injuries, and other health problems, as well as their
causes, symptoms, and the actions taken, must become uniform. All parties to any transaction
will have to use and accept the same coding.
2. Unique Identifiers for Providers, Employers, Health Plans, and Patients
The current system allows us to have multiple ID numbers when dealing
with each other, which HIPAA sees as confusing, conducive to error, and costly. It
is expected that standard identifiers will reduce these problems.
3. Security of Health Information & Electronic Signature Standards
The new Security Standard will provide a uniform level of protection of all
health information that is housed or transmitted electronically and
pertains to an individual. In addition, organizations that use Electronic Signatures will have to meet a
standard ensuring message integrity, user authentication, and non-repudiation.
The Security standard applies not only to the transactions adopted under HIPAA, but to
all individual health information that is maintained or transmitted.
4. Privacy and Confidentiality
Privacy is about who has the right to access personally identifiable
health information. The rule covers all individually identifiable health information in
the hands of covered entities, regardless of whether the information is or has been
in electronic form. The Privacy standards:
· limit the non-consensual use and release of private health information;
· give patients new rights to access their medical records and to know who
else has accessed them;
· restrict most disclosure of health information to the minimum needed for
the intended purpose;
· establish new criminal and civil sanctions for improper use or disclosure;
· establish new requirements for access to records by researchers and
others.
The new regulation reflects the five basic principles outlined at that time:
· Consumer Control: The regulation provides consumers with critical
new rights to control the release of their medical information
· Boundaries: With few exceptions, an individual's health care
information should be used for health purposes only, including treatment and payment.
· Accountability: Under HIPAA, for the first time, there will be specific
federal penalties if a patient's right to privacy is violated.
· Public Responsibility: The new standards reflect the need to balance
privacy protections with the public responsibility to support such national priorities
as protecting public health, conducting medical research, improving the quality of
care, and fighting health care fraud and abuse.
· Security: It is the responsibility of organizations that are entrusted with
health information to protect it against deliberate or inadvertent misuse or disclosure.
Failure to comply with any of the electronic data, security, or privacy standards
can result in civil monetary penalties up to $25,000 per standard per year. Violation
of the privacy regulations for commercial or malicious purposes can result in
criminal penalties of $50,000 to $250,000 in fines and one to ten years of imprisonment.
For complete information about HIPAA, including information about what constitutes
Protected Health Information (PHI) and what is required of you as a student,
we ask that you fully review the materials at http://www.ucsf.edu/hipaa/
Confidentiality Statement
I _____________________(please print name), as an employee, physician, resident,
student, or volunteer at UCSF Medical Center:
· Understand that it is my legal and ethical responsibility to maintain
the confidentiality of all Patient Medical Records, Employee Information,
Financial Information, Proprietary Information, Confidential Information used in research,
and other confidential information relating to UCSF Medical Center.
· Agree not to disclose any such information or records to any person outside
UCSF Medical Center without proper authorization.
· Agree to discuss confidential information only in the work place and only for
job-related purposes, and to refrain from discussing this information outside of the
work place or within the hearing of other people who do not have a need to know about
the information.
· Recognize that unauthorized release of confidential information may make
me subject to legal action and/or disciplinary action.
· Understand that any and all references to HIV testing, such as any clinical
test, laboratory or otherwise used to identify HIV, a component of HIV, or antibodies
or antigens to HIV, are specially protected and that unauthorized disclosure may make
me subject to legal action and/or disciplinary action.
· Understand that the law specially protects psychiatric and drug abuse records,
and that unauthorized release of such information may make me subject to legal action
and/or disciplinary action.
· Understand that my access to all electronic systems is audited regularly, and that
any inappropriate access to information may make me subject to legal action
and/or disciplinary action.
· Understand that I am not to share my log-in or user ID and/or password
with anyone, and that any access to UCSF Medical Center systems made under my log-in
or user ID and password is my responsibility.
· Understand that violation of any portion of the policies and procedures related
to confidentiality of patient records or any violation of federal regulations governing
the patient's right to privacy may result in immediate termination of my
employment/professional relationship with UCSF Medical Center.
I acknowledge that I have read and understand the above statements, have
discussed them with my supervisor, and have had all my questions answered.
The class of 2006 signed this document during the HIPAA training
in March 2003.