Mastering HIPAA in 2012 December 7, 2012 Aubree Fisher, CHPC HIPAA Compliance Auditor IV


Presentation Transcript


  1. Mastering HIPAA in 2012
  December 7, 2012
  Aubree Fisher, CHPC, HIPAA Compliance Auditor IV, Novant Health, Inc.

  2. What is HIPAA?
  The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was implemented with four major purposes in mind:
  • Protect the privacy of patient information
  • Provide for the electronic and physical security of patient health information
  • Require “minimum necessary” use and disclosure
  • Specify what rights patients have in approving the access and use of their medical information

  3. What is Protected Health Information (PHI)?
  There are 18 identifiers defined by HIPAA:
  • Name
  • Postal address
  • All elements of dates except year
  • Telephone number
  • Fax number
  • Email address
  • URL address
  • IP address
  • Social security number
  • Account numbers
  • License numbers
  • Medical record number
  • Health plan beneficiary number
  • Device identifiers and serial numbers
  • Vehicle identifiers and serial numbers
  • Biometric identifiers
  • Full face photos and other comparable images
  • Any other unique identifying number, code or characteristic

  4. Extra! Extra! Read All About It…
  • Greensboro, NC – Medical records for 623 patients found in a dumpster
  • Tucson, AZ – Employees terminated after accessing records of shooting victims
  • Boston, MA – PHI of 192 infectious disease patients was left on a subway
  • Los Angeles, CA – Employee sentenced to four months in prison after accessing records on celebrities and his supervisors

  5. Under HIPAA, Patients Have the Right To…

  6. Office for Civil Rights (OCR)
  • Over 58,000 complaints handled by the Office for Civil Rights (OCR) since implementation of the HIPAA Privacy Rule in 2003:
    • Over 12,500 resolved via investigation and enforcement
    • Over 6,500 resolved via investigation and finding no violation
    • Over 33,500 resolved via closure of complaints that were not valid
  • Top five issues in investigated cases closed with corrective action:
    • Impermissible uses and disclosures
    • Safeguards
    • Access
    • Minimum necessary
    • Notice

  7. Recent Regulations
  • HITECH Rule under ARRA
  • As part of the American Recovery and Reinvestment Act of 2009 (ARRA), the Health Information Technology for Economic and Clinical Health (HITECH) Act updated federal HIPAA privacy and security standards:
    • Breach notification requirements
    • Fine and penalty increases for privacy violations
    • Right to request copies of electronic healthcare records in electronic format
    • Mandates that Business Associates are civilly and criminally liable for privacy and security violations

  8. Fines and Penalties
  HIPAA Civil Penalties
  Note: Penalties may not exceed a calendar year cap for multiple violations of the same requirement

  9. Fines and Penalties
  Civil penalties will vary depending on factors such as:
  • The date of the violation,
  • Whether the covered entity knew or should have known of the failure to comply, or
  • Whether the covered entity’s failure to comply was due to willful neglect

  10. OCR Audit Protocol
  • The American Recovery and Reinvestment Act of 2009 requires HHS to provide periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards
  • To implement this mandate, OCR is piloting a program to perform up to 115 audits of covered entities to assess HIPAA privacy, security and breach notification performance
  • Audits are conducted in two phases: initial audits to test the newly developed protocol, and final pilot audits through December 2012

  11. OCR Audit Protocol
  • Every Covered Entity (CE) is eligible for an audit
  • Entities selected for an audit will receive a notification letter from the OCR and be asked to provide documentation to the auditor
  • Every audit will include a site visit and result in an audit report
  • The final report will indicate how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings
  • Not intended to be punitive, but rather to measure compliance with regulations
  • Serious compliance issues identified may trigger a separate enforcement investigation by the OCR

  12. How to handle disclosures for the following purposes…
  • Treatment, Payment and Healthcare Operations
  • Certain reportable situations
  • Subpoenas
  • Discussions with family and friends

  13. T-P-O
  • Treatment – PHI may be shared with other healthcare providers for treatment purposes, and an authorization is not required.
  • Payment – A patient’s healthcare insurance company can receive PHI pertaining to the patient’s treatment for a specific date of service.
  • Operations – PHI may be shared if necessary for activities that support treatment and payment, as well as for teaching purposes, medical staff/peer review, legal and auditing activities, and general business management.

  14. Reportable Situations
  • Certain reportable situations may be disclosed as dictated by state and/or federal law
  • These disclosures do not require an authorization
  • Accounting of Disclosure is required

  15. Subpoenas
  • Disclosure may be made without authorization if a valid subpoena is received
  • Accounting of Disclosure is required
  • The subpoena should be signed by the appropriate court official
  • Subpoenas may request your presence in court or the release of medical records
  • The request should be specific

  16. Discussions with Family and Friends
  • HIPAA allows you to discuss PHI with a family member, friend or other person identified by the patient as “involved in their care”
  • The patient has to be given the opportunity to object to the disclosure
  • Discuss only what that person needs to know
  • Always use your professional judgment prior to discussing information with family and friends
  • Written authorization from the patient is not required

  17. How to handle disclosures to the following…
  • Employers
  • Attorneys
  • Law Enforcement

  18. Employers
  • Generally, authorization must be obtained before making a release to a patient’s employer.
  • Exceptions may include:
    • Disclosures for work-related illness or injuries
    • As needed for the employer to comply with OSHA or other similar state or federal laws
    • For medical surveillance, such as:
      • Random drug screening
      • Physicals for fitness for duty

  19. Attorneys
  • Authorization is required before releasing PHI to an attorney
  • Exceptions may include:
    • Valid court-ordered subpoena
    • Sending records under seal to the court

  20. Law Enforcement
  • Confidentiality rules still apply
  • Exceptions may include:
    • Search warrant
    • Arrest warrant
    • Signed authorization form
  • Verify the officer’s identity:
    • Ask to see their ID badge
    • Call the police department where he/she works

  21. The Minor Consent Rule
  • Under NC state law, a patient under the age of 18 may consent to the treatment, diagnosis or prevention of:
    • STDs
    • Pregnancy
    • Substance abuse
    • Emotional disturbances

  22. The Minor Consent Rule
  • The minor must sign the authorization for release of records for these conditions
  • There may be exceptions:
    • Life-threatening situations
    • Minor not at capacity to make appropriate decisions

  23. Minors
  • Generally, parental or legal guardian consent is required for treatment
  • A parent or legal guardian may request medical records for the minor and must sign an authorization

  24. Always remember, to the patient…
  • ALL information is private information!

  25. Your Turn… Any questions???