HIPAA: Defining Privacy Issues in Speech-Language Pathology

This text-based course is a transcript of the webinar, “HIPAA: Defining Privacy Issues in Speech-Language Pathology,” presented by K. Todd Houston, Ph.D., CCC-SLP, LSLS, Cert AVT. >> Dr. Todd Houston:  As Amy mentioned, I am an associate professor at the University of Akron.  That being said, I will let everyone know up front that I am not an attorney.  Do not take anything that I say today as legal advice.  It is nothing more than my experience to a degree with the Health Insurance Portability and Accountability Act (HIPAA) in setting up clinics, working to make sure that everything that I do is compliant, and that our services at the University of Akron, as well as other centers and universities that I have worked in, are compliant.  That is the perspective that I am speaking from. I imagine that everyone here today is probably working in healthcare, probably working in hospitals, skilled nursing facilities, private practices, maybe speech and hearing centers, and maybe even the public schools. ObjectivesOur objectives today are to talk about the importance of HIPAA and how it is applied within the practice of speech-language pathology.  I want to talk about some of the covered entities that are addressed in the privacy rule.  We will also define what Protected Health Information is.  We will talk about how HIPAA interacts with other laws, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act and how that affects the practice of speech language pathology.  I will mention HITECH Act, because it is also a part of the Affordable Care Act, but I will not spend too much time on it, as that is a whole other presentation.  I will give you some direction about HITECH and how it affects HIPAA and vice versa. Basics of HIPAAWhat do we know about HIPAA?  What are the basics?  The actual name of the act is the Health Insurance Portability and Accountability Act, and you see this spelled and abbreviated in one million different ways.  However, it is HIPAA.  Make sure you are referring to the act appropriately. HIPAA has three different areas: the Privacy Rule, the Security Rule, and then a Breach Notification rule.  We will get into these in more detail during this presentation.  These are the three areas that I think confuse most people. If we think about HIPAA, it is broken into two broad sections.  You have Title 1, which talks about healthcare access portability and renewability.  Title 1 of the Act gets into protecting individuals’ health insurance coverage when they lose or change a job.  It also has some language related to pre-existing conditions and how that should not, in some cases, prevent someone from getting healthcare coverage.  The Affordable Care Act goes way beyond that, and guarantees that.  Some of you have changed jobs or unfortunately have been in a situation where you were laid off and you have COBRA options available to you. That is essentially what Title 1 is all about.Title 2 is the section of the Act that we will spend most of our time on today.  It deals with the provisions for privacy and security, talks about the electronic standards for transmission of information, and also requires unique identifiers for various providers.  Within that Title 2 aspect of the Act is where we find the privacy rule, security rule, and breach notification rule. What are those three areas? We will get into more detail as we go along today.  The privacy rule basically protects privacy and addresses the use and disclosure of protected health information (PHI).  PHI is a term that comes up often; this is the protected health information of the patient.  Security rules get into the national standards for security of electronic protected health information.  This is how we share that information and what the rules are for sharing.  The security rule goes into some detail, but probably most people would say not enough detail.  As you can imagine, with security issues around electronic information, in terms of computers and data sharing, that is changing every day.  They are not rewriting these laws every day.  Some people get quite frustrated that it does not go into more detail.  We will discuss some information around security rules, and then the breach notification rules and what they say.  They require the covered entities and the business associates to provide notification following a breach of unsecured protected health information.  Where a lot of people get hung up with HIPAA is the idea of who is and is not a business associate, and who should be following HIPAA and who should not, in terms of the business associates that you may be working with.  I hope to shed some light on that today as well.Privacy RuleCovered entities. Let's discuss the privacy rule and what that means.  Essentially, it applies to healthcare providers who transmit health information, a health plan, or what is called a healthcare clearinghouse.  We will talk a bit about each one. In our context, as speech-language pathologists, we obviously are healthcare providers. I have listed a few of the other healthcare providers.  Healthcare providers include all providers of health and medical services, such as SLPs, hospitals, physicians, nursing homes, or other practitioners that are defined as healthcare providers by Medicare.  Any other person or organization that furnishes, bills, or is paid for healthcare would also be considered a healthcare provider. Health plans are the insurance plans that an individual may have.  These are others: insurance policies, healthcare policies, health maintenance organizations (HMOs), or other government healthcare plans like Medicare, Medicaid, and even veterans’ healthcare in VA hospitals. There are also healthcare clearinghouses.  Those are entities that process health information that they receive from other entities; e.g., billing services, re-pricing companies, or even community health management systems that are in place to help manage healthcare for a group of providers, whether it is physicians’ practices or hospitals. The covered entity would be any one of these different areas: the healthcare provider themselves, the health plan, or the clearinghouse. Business associates. With that, we also have business associates. ...