ON-LINE TRAINING EVENT
HIPAA (Health Insurance Portability & Accountability Act)
What is HIPAA?
• It’s a law enacted to 1) protect personal health information, 2) minimize health insurance fraud, and 3) reduce administrative health care expenses.
What does HIPAA cover?
• The law specifically addresses three (3) areas:
• Medical Billing Transaction Standards
• Protected Health Information (PHI) Privacy Standards
• Information Security Standards
Transaction Standards
• National medical billing transaction standards are in place:
• Medical providers are identified by an assigned national provider number
• Uniform transaction codes are used by medical providers
• Common electronic medical billing transaction standards and guidelines are in use
Other Requirements
• Data usage & storage policies
• Compliant Business Associate contracts
• Audits of Privacy, Security & Business Practices
• Information sharing policies
• “Minimum Necessary” information exchange
• Access controls on electronic data
Security Standards
• These standards ensure the confidentiality, integrity, & availability of electronic protected health information, and…
• …protect against threats or hazards to the security of that information
Areas Involved with Security
• Administrative Safeguards
• Physical Safeguards
• Technical Security Services
• Technical Security Mechanisms
Information Security – Examples
Administrative Controls
• Identifying Business Associates & issuing appropriate agreements
• Reinforcing the importance of information compliance
• Cooperating with the internal HIPAA audit & risk assessment processes
Information Security – Examples (Cont’d)
Physical Safeguards
• Positioning computer monitors away from view
• Discussing patient/client information in a private location
• Keeping patient/client records out of the sight or reach of others
• Knowing who is in your facility or office & when (Sign In/Out)
Information Security – Examples (Cont’d)
Technical Security Services & Mechanisms
• IS Department
• Data security includes firewalls, pop-up blockers, anti-virus alerts, etc.
• System control measures
• Data back-up protocols
• HIPAA Security Policies & Guidelines
• Computer data & systems are County property
Privacy Standards
• These standards apply to protected health information (PHI), which includes any individually identifiable health information. They do not apply to data contained in educational or employment records.
• The privacy standards apply to both electronic and hard copy records, including fax, photocopy, carbon copy, etc.
• Protected Health Information (PHI) created, stored, or received by a covered entity falls under HIPAA and must be protected by establishing safeguards.
Privacy Standards (Cont’d)
• Give individuals more control over their own PHI
• Set rules for the use and release of PHI
• Strike a balance when public responsibility requires disclosure of data to protect the public
Breach of Privacy Standards
• Violators are held accountable with civil and criminal penalties
• Penalties can be imposed if an individual’s rights are violated
• The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services is charged with enforcement
• An internal investigation may result in progressive disciplinary action up to and including termination of employment
• An information breach must be reported to OCR
Why is HIPAA important to Franklin County?
• The County is a Covered Entity under HIPAA
• The County provides and pays for the cost of healthcare
• Corporate authority rests with the County Commissioners
• County Commissioners are responsible for all contracts involving healthcare
• The County & its employees are responsible for due diligence
• There is no liability insurance protection against violations; compliance is the law
HIPAA is a floor, not a ceiling…
• …where a more stringent State or Federal regulation applies to the protected health information in question, that more stringent requirement governs in addition to HIPAA
What are an Individual’s Rights under HIPAA?
• They have a right to…
• …access and copy their health records
• …request amendment or correction of their records
• …an accounting of disclosures of information from their records
• …specify how confidential information is communicated to them
• …request restrictions on how their health information is used or disclosed
Policies & Procedures for a Covered Entity
• Policies and procedures are required to address the various elements of HIPAA (refer to the Employee Information section of KIOSK, HIPAA, to access these)
• A covered entity must appoint a privacy officer to 1) oversee the program, 2) investigate complaints, and 3) train employees
• Franklin County’s Privacy Officer is Loretta McClure, Risk Manager
When can a covered entity use PHI?
• The rule requires written “authorization” from the individual before anyone can release PHI for purposes other than:
• Treatment
• Payment
• Healthcare operations
• Covered health care providers may also obtain a one-time “consent” to use or disclose PHI for treatment, payment, or health care operations. The Privacy Rule makes this consent optional, and it is not an Authorization.
Authorization
• Gives a covered entity authority to use or disclose PHI for specified purposes other than treatment, payment, or health care operations
• Includes:
• What information is being disclosed
• Who is authorized to disclose the information
• Who is going to use or receive the information
HITECH Requirements – Recent Revisions to HIPAA
• New requirements for managing PHI
• Business Associates held to the same standard as the County
• New rules for data breach notification, including thresholds, timelines, and methods
• A Business Associate must notify the County of any data breach involving County-provided information
• Increased penalties
Business Associates
• An individual or corporate “person” that performs on behalf of the County any function or activity involving the use or disclosure of PHI
• Is not a member of the covered entity’s workforce
• e.g., legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services, or anything else for which the County may contract where PHI is involved
What are Business Associate (BA) requirements under an Agreement?
• Permitted PHI activities of the BA are identified
• BA agrees not to use or disclose PHI other than as permitted by the agreement
• BA agrees to use appropriate safeguards to prevent unauthorized use or disclosure of PHI
• BA agrees to report any unauthorized use or disclosure of PHI to the County
• BA ensures anyone receiving PHI under the agreement adheres to the same conditions as the BA
• On termination of the agreement, the BA returns or destroys all County PHI in its possession, or extends the protections of the contract to any information retained
De-Identification of Information
• Information that does not identify the individual and does not contain information that can be used to identify the individual is not covered by HIPAA.
• Examples of de-identifying information:
• No names
• No geographic information
• No dates related to the individual (e.g., birthday, date of hire, etc.)
• No telephone numbers, e-mail addresses, social security numbers, account numbers, etc.
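The identifier categories listed above are the kind of thing a data-handling script can enforce before a record leaves the covered entity. The following is an added example, not code from the original training or from Franklin County: it drops the structured identifying fields from a record and then scrubs the same categories (SSN, phone, e-mail, dates, account numbers, and the person’s name) out of a free-text note, where they most often leak. The field names, regular expressions, and the sample record are all constructed for this illustration; a real record schema will differ, and the page’s list is only a subset of the identifiers the regulation enumerates, so treat this as a first-pass filter rather than a certified de-identification.

```python
import re

# Structured fields that must be absent from de-identified data, grouped by
# the categories the training lists. (Constructed field names for this example.)
IDENTIFYING_FIELDS = {
    "first_name", "last_name", "name",                   # names
    "address", "city", "zip",                            # geographic information
    "dob", "admit_date", "discharge_date", "hire_date",  # dates tied to the person
    "phone", "email", "ssn", "account_number", "mrn",    # contact / account numbers
}

# Patterns for identifiers that tend to leak through free-text notes.
# Order matters: SSN before phone so 123-45-6789 is not half-eaten as a phone.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("ACCOUNT", re.compile(r"\b(?:acct|account)\s*#?\s*\d+\b", re.I)),
]


def name_variants(names):
    """Full name first (so 'Jane Doe' becomes one [NAME]), then each part."""
    parts = [n for n in names if n]
    variants = [" ".join(parts)] if len(parts) > 1 else []
    return variants + parts


def scrub_text(text, names=()):
    """Replace identifiers in free text with [LABEL] tokens; return (text, hit counts)."""
    hits = {}
    for label, pattern in FREE_TEXT_PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            hits[label] = hits.get(label, 0) + n
    # Names go last: an address like jane.doe@example.com must be caught whole by
    # the EMAIL pattern above, not broken into [NAME].[NAME]@... and then missed.
    for name in name_variants(names):
        text, n = re.subn(r"\b" + re.escape(name) + r"\b", "[NAME]", text, flags=re.I)
        if n:
            hits["NAME"] = hits.get("NAME", 0) + n
    return text, hits


def deidentify(record):
    """Return (de-identified copy of record, counts of identifiers scrubbed from notes)."""
    names = [record.get("first_name"), record.get("last_name")]
    clean = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    hits = {}
    if isinstance(clean.get("notes"), str):
        clean["notes"], hits = scrub_text(clean["notes"], names)
    return clean, hits


def residual_identifiers(text, names=()):
    """Post-scrub check: anything still matching means the record is not safe to release."""
    _, hits = scrub_text(text, names)
    return hits


# Constructed sample record for the example (fictional person and values).
SAMPLE_RECORD = {
    "first_name": "Jane",
    "last_name": "Doe",
    "dob": "1962-03-14",
    "address": "12 Elm St",
    "city": "Chambersburg",
    "zip": "17201",
    "phone": "(717) 555-0142",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "account_number": "ACCT-0099871",
    "diagnosis_code": "E11.9",
    "a1c_percent": 7.8,
    "notes": ("Jane Doe (acct 0099871) called from 717-555-0142 on 3/14/2024 re: refill; "
              "email jane.doe@example.com; SSN 123-45-6789 on file."),
}

if __name__ == "__main__":
    clean, hits = deidentify(SAMPLE_RECORD)
    print(clean)   # clinical fields and the scrubbed note survive; identifiers do not
    print(hits)    # one of each category was removed from the note
    assert not residual_identifiers(clean["notes"], ["Jane", "Doe"])
```

The clinical content (diagnosis code, lab value) is preserved, which is the point of de-identification: the data stays useful for reporting while the person cannot be identified from it. Two caveats a practitioner should keep in mind: regex scrubbing over-matches names that are also ordinary words, and it under-matches anything the patterns do not anticipate (a date written as “March 14th”, a nickname), so the `residual_identifiers` check is a necessary but not sufficient test before release.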
Workforce Responsibilities
• Records handled on behalf of the County should be treated in a confidential manner.
• Refer to the County Confidentiality Policy & Statement.
Remember: Loose lips sink ships!
Important Points to Consider…
• When you must share information, share only the minimum necessary amount of information
• A PHI breach requires immediate notice to the Privacy Officer (Risk Manager)
• An Unusual Event form can be used to report potential HIPAA violations
• Risk assessments and audits are part of the Privacy Officer’s responsibility
HIPAA Quiz
• Next you’ll receive a series of questions to be answered either “true” or “false”.
• Only you will know the outcome of your responses.
• Should you feel you can do better, please feel free to review the presentation again.
Question #1
• The County’s Privacy Officer should be notified of PHI breaches, HIPAA investigations, and requests for HIPAA training.
Question #2
• HIPAA covers three sections: 1) Transaction Sets, 2) Information Security & 3) Information Privacy.
Question #3
• Information you handle on behalf of the County should be handled in a confidential manner.
Question #4
• PHI refers to Protected Health Information.
Question #5
• Medical information provided for an educational file or employment file is NOT considered PHI (Protected Health Information).
Question #6
• Under the recent HITECH Act, Business Associates are now held to the same HIPAA standards as covered entities.
Question #7
• Business Associates are required to report a breach of information privacy or security to the related provider.
Question #8
• Individuals have the right to request copies of their medical record, request changes to that record, and request a list of disclosures of information from the record.
Question #9
• HIPAA was enacted to assist in reducing health insurance fraud, realize efficiencies in the health insurance administrative process, and expand consumer rights to their own personal health information.
Question #10
• HIPAA applies to all situations involving the discussion or disclosure of personal health information.
Questions…
• Any questions concerning the presentation or HIPAA services available through the County can be directed to Loretta McClure, Risk Manager & Privacy Officer, at ljmcclure@co.franklin.pa.us or (717) 261-3819.
Complete Training
• To be given credit for this training, be sure to submit your information (using the link below).
THANK YOU for your participation!