330 likes | 344 Views
Health Insurance Portability and Accountability Act. Leanna Levin. What does HIPAA do?. HIPAA requires every health plan, health care provider, and health care clearinghouse in the country to protect patient privacy. Who is included?.
E N D
Health Insurance Portability and Accountability Act Leanna Levin
What does HIPAA do? • HIPAA requires every health plan, health care provider, and health care clearinghouse in the country to protect patient privacy.
Who is included? • These include every hospital, doctor, nurse, home health care provider, nursing home, pharmacy, self-insurance company, health insurer and health-plan provider. • Basically any party that handles protected health information is now required to take privacy measures.
What we are going to talk about today • Duties for those under HIPAA • Compliance • Protection of client’s privacy • Security of health information • Psychotherapy • documentation • release of information
Standards. Transactions. and Code Sets • The HIPAA ruling set forth on April 14, 2003 is an updated version of the HIPAA statutes of 1996. • Because of new and improved technology, HIPAA’s Privacy Rule concentrates on electronically transmitted information.
The Administrative Simplification • So what is electronic and what do you need to do to comply with HIPAA regulations? • The provisions state that covered entities that maintain or transmit health information are required to “maintain reasonable and appropriate administration, physical, and technical safeguards to ensure the integrity and confidentiality of the information and to protect against any reasonable anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information.”
Compliance • A covered entity must comply with the “applicable standards implementation specifications, and requirements… with respect to electronic protected health information”
Privacy of Individually Identifiable Health Information • Under the newly mandated privacy law: • There must be a privacy officer to make sure there is compliance and handle patient concerns and complaints about privacy violations
Privacy of Individually Identifiable Health Information • There needs to be a repositioning of the computer screen so that someone walking by cant see private patients information • The computer is also used to limit the personal information required on public sign in sheets
Privacy of Individually Identifiable Health Information • an evaluation of the positions that need access to each kind of information, • medical records, doctor’s notes, personal information • the decisions and the policies put in place need to be documented to keep medical documents limited to need-to-know viewing
Privacy of Individually Identifiable Health Information • a training program needs to be put into place so the employees are aware of the proper privacy standards for handling medical information • document that training
Privacy of Individually Identifiable Health Information • Patient’s Rights: • waivers need to be signed for patients to allow parties not directly involved in patient care—such as insurance companies, financial institutions and employers—to see patient information
Privacy of Individually Identifiable Health Information • Patient’s Rights: • forms need to be created that allow patients to inspect and copy their records, restrict who sees them, amend them and get a list of who has seen them
Privacy of Individually Identifiable Health Information • Not Patient’s Rights: • Professionals seeking advice on treating a patient can discuss the matter with other professionals without the authorization from the patient. • Conflict with the Code of Ethics
Security of Health Information • Administration Safeguards • include a security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plans, evaluations, and contracts
Security Management Process • A Risk Analysis is conducted to assess the vulnerabilities and risks to the confidentiality, integrity and availability of electronic private health information. • Appropriate sanctions are implemented for workforce members who fail to comply.
Assigned Security Responsibility • An individual must be identified who is responsible for the development and implementation of security policies and procedures
Workforce Security • The policies and procedures need to be implemented to ensure that all assigned members of the workforce have appropriate access to electronic private health information and to prevent those who should not have access
Information Access Management • Implement policies and procedures for establishing, authorizing, reviewing, documenting, and modifying a user’s right to access a workstation, transaction, program, process, or other means of accessing electronic private health information • Who can access what?
Security Awareness and Training • Implement a security awareness and training program for all members of the workforce, including management that includes training on protection from malicious software, log in monitoring, password management, and periodic security reminders.
Security Incident Procedures • Incident response and reporting procedures are required to remove the potential harmful effects of the incident and provide documentation of the incident and outcome.
Contingency Plan • Implement policies and procedures for responding to emergencies or other occurrences that damage systems containing electronic privacy health information.
Evaluation • Perform a periodic technical and nontechnical evaluation based upon the initial standards and also after environmental and operational changes affecting electronic privacy health information.
Business Associate Contracts • The employees not only need to attend the training programs, but they are also required to sign a contract stating they understand the policies and will abide by them. • A chain of trust agreements through written contracts exists to ensure all members are abiding by the standards.
HIPAA and Psychotherapy Notes • Compared to discussion of information amongst professionals, the release of psychotherapy notes is more complicated • more protection • disclosure of psychotherapy notes requires patient authorization--or specific permission--to release this sensitive information.
Psychotherapy Notes and Insurance Companies • in the past, insurance companies have requested entire patient records--including psychotherapy notes--in making coverage decisions • now health plans cannot refuse to provide reimbursement if a patient does not agree to release information covered under the psychotherapy notes provision
HIPPA and Psychotherapy Notes Cont. • Patients do not have the right to obtain a copy of the notes under HIPAA—different than the allowance of medical documents. • When a psychotherapist denies a patient access to these notes, the denial isn't subject to a review process.
HIPAA Definition of Psychotherapy Notes • Psychotherapy notes are kept separate from medical records for this reason • If a psychotherapist keeps this type of information in a patient's general chart, or if it's not distinguishable as separate from the rest of the record, access to the information doesn't require specific patient authorization.
When can a therapists notes be used? • There are special protections for use of psychotherapy notes . • disclosure of psychotherapy notes requires an authorization from the patient/client except:
When can a psychotherapists’ notes be revealed under HIPAA? • for the originator of the notes (i.e., the mental health practitioner), for treatment of the subject patient; • for students, trainees or practitioners, for supervised training programs; • to defend a legal action or other proceeding brought by the patient against the covered entity; • for lawful health oversight activities or as otherwise required by law, • for coroners or medical examiners (where the patient is deceased); or • where, consistent with applicable law and the standards to ethical conduct, there is a good faith belief that the use or disclosure is necessary to prevent or lessen a serious threat to health or safety.
Conclusions • As a rehabilitation counselor, what do you have to comply to? • What does a patient has a right to and what not? • What protections are there for psychotherapy notes?
Helpful websites and Resources • www.hippa.org • www.hhs.gov/ocr/hipaa/ • www.hippadvisory.com • www.cms.hhs.gov/hipaa • www.apa.org • www.counseling.org • HIPAA at the University of Florida • 273-5094 HIPAA Privacy Officer Susan Blair