540 likes | 979 Views
HIPAA Workforce Training. PRIVACY and HIPAA. MANDATORY. Completion of training is mandatory under HIPAA for the entire workforce of the MHRB Including volunteers, like yourselves. What is HIPPA?.
E N D
HIPAA Workforce Training PRIVACY and HIPAA
MANDATORY • Completion of training is mandatoryunder HIPAA for the entire workforce of the MHRB Including volunteers, like yourselves.
What is HIPPA? In 1996 President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA). This new law was enacted as part of a broad congressional attempt at incremental healthcare reform. HIPAA has two primary purposes. One is to provide continuous insurance coverage for workers who change jobs, and the other is to “reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper”.
HIPAA Workforce Training • HIPAA requires that the MHRB create HIPAA policies and procedures that may affect your work as a Board member.
This HIPAA Training Program will answer… • What does HIPAA do? • Who has to follow the HIPAA law? • What is Protected Health Information? • When do we start? • How does HIPAA affect you? • Why is HIPAA important?
What does HIPPA do? • HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law that… • Protects the privacy of a client’s personal and health information • Provides for electronic and physical security of personal and health information • Simplifies billing and other transactions
HIPAA is the FLOOR • HIPAA regulations are the minimum starting point for protecting health information and do not supersede any rules, regulations, or standards that are more stringent. For example, if ODMH rules are more stringent than HIPAA rules, we must follow the ODMH rule.
Organizational and Administrative Requirements • A Privacy Officer must be appointed to implement and develop privacy policies and procedures for the agency. • Must train all employees (current and new) on privacy policies and procedures. • Must amend all business associate contracts to establish the permitted and required uses and disclosures of PHI. • Must verify the identity and authority of person requesting PHI.
Organizational and Administrative Requirements • Must disseminate a notice of our privacy practices to existing clients and all new clients and within 60 days of any material revision. • Must notify clients every 3 years of the availability of the notice. • A covered entity with a website must post their notice on the web.
Organizational and Administrative Requirements • Must document compliance with notice requirements and keep copies of notices issued. • Must document who is responsible for receiving and processing client inquiries regarding his/her PHI.
Organizational and Administrative Requirements • Must provide a process for individuals to make complaints and document such complaints and their disposition. • Must develop anti-retaliation policy.
Who has to follow HIPAA? Everyone!
Who Is Impacted? • Health care providers – A provider of medical, psychiatric, or other health services, and any other person or entity furnishing health care services or supplies. • Health plans – an individual or group health plan that provides or pays the cost of medical care. • Clearinghouses – A public or private entity that processes or facilitates the processing of non-standard data elements of health information into standard data elements and who transmits any health information in electronic form in connection with a transaction covered in the legislation. • Business Associates and Trading Partners
Business Associate • A person or entity to whom a covered entity discloses protected health information, to perform a function on behalf of or to provide services to a covered entity. • Includes lawyers, accountants, consultants, and accrediting agencies. • Must have a contract obligating them to safeguard protected health information.
Business Associate Contracts • Must establish the permitted and required uses and disclosures of protected health information by the business associate and may not authorize further disclosure in violation of the regulations • If the covered entity knows of a practice or pattern of activity that constitutes a material breach of the business associate’s obligations under the contract, the covered entity must take reasonable steps to ensure cure of the breach or terminate the contract or report the problem to the Secretary of Health and Human Services.
Business Associate Obligations • Must not use or disclose protected health information in violation of the law or contract. • Implement safeguards against improper use or disclosure. • Ensure that any agents or subcontractors agree to fulfill contractual and legal obligations. • Afford individual access to records; make available records for amendment by the individual; account to the individual for use or disclosure other than for payment, treatment, or operations. • At termination of the contract, return or destroy protected health information.
What Is Impacted? TRANSACTIONS • A transaction is the exchange of information between two parties to carry out financial and administrative activities related to health care. It includes: • Health claims or encounter information, • Health care payment and Explanation of Benefits (EOB),
What Is Impacted?Transactions Continued • Coordination of benefits, • Enrollment/disenrollment in a health plan, • Eligibility for a health plan, • Health plan premium payments, • Referral certification and authorization, • First report of injury, and • Health claims attachments.
What Is Impacted? PROTECTED HEALTH INFORMATION Protected Health Information is defined as any information, whether oral or recorded, in any form or medium, that- • Is created or received by a provider, health plan, public health authority, employer, life insurer, school, or clearinghouse; and • Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
What is considered Protected Health Information? • A person’s name, address, birth date, age, phone and fax numbers, e-mail address • Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test results • Billing records, claim data, referral authorizations, explanation of benefits • Research records
The Board may create, use and share a person’s PHI for: • Treatment • Billing and Payment • Agency Business Management and Operations • Disclosures Required by Law • Public Health and Other Governmental Reporting
PHI Consent • Some uses and disclosures of PHI do not require consent. • The use and disclosure of protected health information relating to treatment, payment, or health care operations does not require prior written consent.
Minimum Necessary Rule When using or disclosing Protected Health Information (PHI) or when requesting PHI from another covered entity, The Board must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, unless an exception applies.
Minimum Necessary RuleExceptions The minimum necessary requirement does not apply in the following instances: • Disclosures to or requests by a health care entity for purposes of treatment. • Uses or disclosures made to the individual who is the subject of the PHI. • Uses or disclosures made pursuant to a valid authorization initiated by the individual. • Disclosures to the secretary of the Department of Health and Human Services (HHS). • Uses or disclosures that are required by law. • Uses or disclosures required for compliance under HIPAA, including compliance with the implementation specifications for conducting standard data transactions.
Requests for Disclosure The Board may rely on a request for disclosure as the minimum necessary for the stated purpose when: • Making permitted disclosures to public officials, if the public official represents that the information is theminimum necessary for the stated purpose(s). • The information is requested by another covered entity. • The information is requested by a professional who is a member of The Board’s workforce or is a business associate of Board for the purpose of providing professional services to The Board if the professional represents that the information requested is the minimum necessary for the stated purpose(s). • The information is requested for research purposes and the person requesting the information has provided documentation or representations to The Boardverifying such intended purpose.
When a disclosure is required by federal, state, or local law, judicial or administrative proceedings, or law enforcement. Disclosure without your consent can occur in certain emergency treatment situations. To avoid harm. For specific government functions. For workers' compensation purposes. Appointment reminders and health-related benefits or services. For fundraising activities, public health activities, organ donations, and for research purposes. Using and Disclosing PHIWithout Consent
Verification In certain instances, as permitted or required by law, The Board can or must disclose an individual’s PHI, even where there is no specific consent or authorization from the individual to do so. No PHI will be disclosed without precautions being made to assure that the identity of the person requesting PHI information is verified and that they have the authority to have access to the information requested.
Verification of Identity When the identity of the person seeking disclosure of an individual’s PHI is not known to The Board, verification of the person’s identity is as follows: • If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status. • If the request is in writing, the request is on the appropriate government letterhead • or other accepted proof of identity is documented. • If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the governments’ authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
Verification of Authority To verify the authority of a public official, The Board may rely on any of the following: • A written statement of the legal authority under which the information is requested or, • 2. if a written statement is impracticable, an oral statement of such legal authority, • 3. If a request is made pursuant to legal process, a warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal will be presumed to constitute legal authority.
Privacy Notice • Every client is provided with a Notice of Privacy Practices upon enrollment at a contract agency The Notice describes” • How the MHRB can use and share protected health information, and • Every client’s privacy rights • The privacy notice is also published on the MHRB’s web page. • Copies of the Notice of Privacy are available from the Privacy Officer or Secretary.
Clients’ PHI Rights One of the purposes of the new HIPAA rule is to give clients more control over their PHI. Such as: • The right to request limits on uses and disclosures of their PHI. • The right to choose how the agency sends PHI to them. • The right to view and obtain copies of their PHI. • The right to correct or update their PHI.
How do clients exercise these rights? • Special forms to request changes, corrections, copies, etc. are available from the Privacy Officer.
What client information must be protected? • We must protect a client’s personal and health information that: • Is created, kept, filed, used or shared • Is written, spoken, electronic or digital • As already stated HIPAA defines client personal and health information as Protected Health Information or “PHI” for short.
When do we start? NOW!
How will HIPAA affect your duties? • If you currently see, use, share and/or create a person’s protected health information as part of your job or duties, HIPAA will change the way you work. • You must protect the privacy of the client and MHRB’s workforce protected health information.
When can you use PHI? • ONLY to do your job or duties! • At all other times, protect a client’s information as if it were your own information!
How can you use PHI? • You may look at a person’s PHI only if you need it to do your job or duties. • You may use a person’s PHI only if you need it to do your job or duties. • You may give a person’s PHI to others when it is necessary for them to do their jobs. • You may talk to others about a person’s PHI only if it is necessary to do your job or duties.
Why is HIPAA important? Protecting privacy is important! • We all want our PHI to be private • Our clients want their PHI to be private • It’s the right thing to do • It’s the law
What can happen if we don’t follow HIPAA? • Someone who does not protect a person’s personal and/or health care privacy could: • Lose his/her job • Pay fines • Go to jail
Fines? Fines range from $50,000 to $250,000 per incident
Jail? Jail terms can be up to 10 years per incident
Did you know….? • The Board must protect your personal health information with as much diligence and security as we protect clients’ PHI.
When do we have to protect PHI? NOW!
HIPAA Stories Please read the following two HIPAA stories carefully as you will be asked to discuss them on the quiz.
HIPAA Story #1: Annie After serving on the client’s rights appeal committee, I ran into the customer Annie, who filed the appeal at the grocery store. She came up to me and started talking about her appeal, the medications she was placed on and how she was not feeling any better. I told her I could not discuss her appeal that it was confidential, and that it takes time for some medications to work. Did I do the right thing?
HIPAA Story #2: Barry I happened to be using the copier in the MHRB office when a fax arrived. I did not read any of the details but recognized the client name on the incident report. I did not do anything with the information and kept it to myself. Did I do the right thing?
Where to Find Out More About HIPAA • The Privacy Notice is on the agency’s Internet Website: www.whmhrb.org • Contact Kim Tapie, Compliance and Privacy Officer with questions and/or concerns • Review HIPAA materials in the Board’s Operations Manual
The End! Congratulations! You have completed The HIPAA Privacy Training .