HIPAA Training and Education Series
Health Insurance Portability and Accountability Act (HIPAA) Program Privacy Overview Training

PLEASE NOTE THE FOLLOWING IMPORTANT INFORMATION:
• The slides you will be viewing were developed for all DHR staff.
• Any laws or regulations regarding DMHDDAD consumer information that are more stringent do take precedence over the HIPAA standards.
• When in doubt, check it out!

HIPAA Training and Education Series
Table of Contents
Lesson 1: Origin of the HIPAA Privacy Rules
Lesson 2: Protected Health Information (PHI)
Lesson 3: Permitted Uses and Disclosures of PHI
Lesson 4: Minimum Necessary Disclosure Standard
Lesson 5: Administrative Requirements and Obligations
Lesson 6: Rights of Individuals
Lesson 7: Summary
HIPAA Training and Education Series
Lesson 1: Origin of the HIPAA Privacy Rules

Lesson 1: Origin of the HIPAA Privacy Rules
• “Banker who serves on a county health board calls in all mortgages of customers with cancer”
• “Congresswoman’s medical records faxed from an area hospital to the media on the eve of her election”
• “Hacker downloads medical records and Social Security Numbers of over 5,000 patients at a local University Medical Center”
• “Employees at a health plan improperly access private medical claims information of a famous athlete”

Lesson 1: Origin of the HIPAA Privacy Rules
What is HIPAA Privacy?
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Improvement in healthcare systems
• Administrative Simplification Provisions
• Increased electronic transactions and general erosion of privacy in the healthcare industry
• HIPAA Privacy Rules address how and to whom PHI may be disclosed by healthcare entities covered under the law.

Lesson 1: Origin of the HIPAA Privacy Rules
Who Must Comply?
• Healthcare Providers (hospitals, physicians, nurses, Veterans Health Administration, etc.)
• Health Plans (HMOs, PPOs, Medicare, Medicaid, etc.)
• Healthcare Clearinghouses
• DHR

Lesson 1: Origin of the HIPAA Privacy Rules
Who Must Comply?
• Business Associates
• Trading Partners
HIPAA Training and Education Series
Lesson 2: Protected Health Information (PHI)

Lesson 2: Protected Health Information (PHI)
What is Protected Health Information?
• Individually identifiable health information (IIHI)
• Transmitted or stored electronically
• Examples of PHI include:
  • Name, age, sex and other personal demographic information
  • Health status information
  • Prescription drug information
  • Healthcare payment information
  • Prior existing conditions

Lesson 2: Protected Health Information (PHI)
What is Protected Health Information?
• Applies to health information transactions such as:
  • Claim payments and remittance advices
  • Provider claims and attachments
  • Premium invoices and payments
  • Eligibility information
  • Authorization and referral certifications
  • First report of injury

Lesson 2: Protected Health Information (PHI)
How is PHI disclosed or transmitted?
• Telephone
• Fax machine
• Internet/Intranet, direct dial-up lines, direct data entry and other EDI (Electronic Data Interchange)
• Orally
• Letters and other written material

Lesson 2: Protected Health Information (PHI)
How is PHI stored?
• Magnetic disk (hard disk, floppy disk, etc.)
• Tape
• Written or “hard copies” of medical records, enrollment forms, claim forms, beneficiary inquiries, etc.

Lesson 2: Protected Health Information (PHI)
What is the importance and value of protecting health information?
• We all have the right to keep information about ourselves private and free from improper use or disclosure.
• In the electronic age, PHI may be more susceptible to privacy violations.
• If the healthcare industry is to progress, it is imperative that consumers feel assured that their PHI is safe and free from privacy violations.
HIPAA Training and Education Series
Lesson 3: Permitted Uses and Disclosures of PHI

Lesson 3: Permitted Uses and Disclosures
What Uses and Disclosures of PHI Require an Authorization?
• Third party disclosures
• Marketing and fundraising activities
• Non-health related affiliates
• Underwriting or risk rating activities
• Employment determinations
• Sale, rental or barter of PHI
• Psychotherapy notes

Lesson 3: Permitted Uses and Disclosures
What PHI Uses and Disclosures do not Require an Authorization?
• Treatment, payment and healthcare operations (TPO)
• Public health agency activities
• Health oversight and regulatory agency activities
• Judicial proceedings and law enforcement investigations
• Healthcare fraud investigations
• Emergency situations
• Research purposes
• If information is “de-identified”

Lesson 3: Permitted Uses and Disclosures
Verification Procedures
• DHR must verify the identity and the authority of a person requesting access to PHI.
• DHR must secure documentation, statements or other representations, whether oral or written, from the person requesting the PHI.
• May use professional judgment
HIPAA Training and Education Series
Lesson 4: Minimum Necessary Disclosure Standard

Lesson 4: Minimum Necessary Disclosure Standard
What does “minimum necessary” mean?
• Making a reasonable effort not to use or disclose more than the minimum amount of information necessary to accomplish an intended task

Lesson 4: Minimum Necessary Disclosure Standard
Why is minimum necessary so important?
• An individual has the right to expect that their PHI will remain secure and confidential.
• The more PHI is used or disclosed, the more likely it is to be revealed to third parties.
• Limiting the exchange of PHI to the “minimum necessary” reduces the potential for fraud and abuse.

Lesson 4: Minimum Necessary Disclosure Standard
How is minimum necessary determined?
• DHR will determine who needs access to PHI and the amount of PHI needed per function.
• Varies by division and function
• DHR will evaluate each and every business activity requiring the use and/or disclosure of PHI.
• Once the minimum necessary is determined, DHR will communicate it to all affected parties (employees, business associates, trading partners, etc.).

Lesson 4: Minimum Necessary Disclosure Standard
Responding to a request for the disclosure of PHI
• DHR will develop criteria that limit disclosures to only what is necessary to comply with a specific request.
• Disclosure requests must be individually reviewed by employees according to the developed criteria.
• Ensure that only the minimum amount necessary is disclosed
• Exceptions include requests from another covered entity, certain public officials or agencies, certain business associates, researchers, etc.
HIPAA Training and Education Series
Lesson 5: Administrative Requirements and Obligations

Lesson 5: Administrative Requirements and Obligations
What are the administrative requirements under HIPAA Privacy?
• Privacy Official
• Privacy Training Program
• Safeguards
• Complaints
• Sanctions
• Documented Policies and Procedures
• Notice of Privacy Practices
• “Business Associate” Contracts

Lesson 5: Administrative Requirements and Obligations
Privacy Officer
• DHR will designate a privacy official or officer
• Responsible for the development, implementation and maintenance of the privacy policies and procedures
• In addition, DHR will designate a contact person to receive and process privacy complaints and to provide further information about privacy practices

Lesson 5: Administrative Requirements and Obligations
Privacy Training Program
• DHR will train all employees about privacy policies and procedures for PHI.
• DHR will document that training has been provided.
• Training will be completed within specific timeframes.

Lesson 5: Administrative Requirements and Obligations
Safeguards
• DHR will implement and maintain appropriate administrative, technical, and physical safeguards.
• DHR will safeguard PHI from any intentional or unintentional use or disclosure, or violation of the requirements of the regulation.
• PHI safeguards are also a requirement of the HIPAA Security Rules.

Lesson 5: Administrative Requirements and Obligations
Complaints
• DHR will develop and maintain a process for individuals to make complaints concerning:
  • Privacy policies and procedures;
  • Compliance with privacy policies and procedures; and
  • Compliance with the Privacy requirements of HIPAA.

Lesson 5: Administrative Requirements and Obligations
Sanctions
• DHR will implement appropriate sanctions for failure to comply with the privacy policies and procedures of the HIPAA regulations.
• DHR will apply appropriate sanctions against employees who fail to comply with the privacy policies and procedures of the regulations.

Lesson 5: Administrative Requirements and Obligations
Documented Policies and Procedures
• DHR will develop and implement privacy policies and procedures with respect to PHI.
• Address DHR’s specific privacy practices as well as all of the elements of the HIPAA privacy rules
• DHR will change or update its policies and procedures as necessary and appropriate to remain in compliance.

Lesson 5: Administrative Requirements and Obligations
Notice of Privacy Practices
• DHR employees will provide individuals with a Notice of Privacy Practices.
• Notice must be in plain language.
• DHR will revise the Privacy Notice with any material change to DHR’s privacy practices.
• Direct treatment providers will make a good faith effort to obtain the patient's written acknowledgement of the Notice of Privacy Practices and rights.

Lesson 5: Administrative Requirements and Obligations
Business Associate Contracts
• Business Associates are entities with which DHR shares or exchanges PHI.
• Business Associates must comply with HIPAA, indirectly, through mandated Business Associate Contracts with DHR.
• Business Associate Contracts allow DHR to obtain satisfactory assurance that the Business Associate will appropriately safeguard PHI.
• If DHR becomes aware of a material breach by the Business Associate, the contract (and relationship) must be terminated.
HIPAA Training and Education Series
Lesson 6: Rights of Individuals

Lesson 6: Rights of Individuals
What are the Rights of Individuals Under HIPAA Privacy?
• PHI uses and disclosures are permitted only with authorization.
• Request privacy protection for PHI
• Confidential communications regarding PHI
• Access to PHI
• Amendment or correction of PHI
• Accounting of PHI disclosures

Lesson 6: Rights of Individuals
Uses & Disclosures Permitted Only with an Authorization
• Individuals have the right to expect that certain uses and disclosures of their PHI will be permitted only with an authorization.
• The authorization is not valid unless signed by the individual in question.

Lesson 6: Rights of Individuals
Request Privacy Protection for PHI
Individuals have the right to request that DHR restrict:
• Uses and disclosures for treatment, payment and healthcare operations (TPO), and
• Disclosures permitted for involvement in the individual’s care and notification purposes.
DHR does not have to agree to the request, but must have procedures in place to process the request.

Lesson 6: Rights of Individuals
Confidential Communications Regarding PHI
• Individuals have the right to confidential communications regarding their PHI.
• DHR must accommodate reasonable requests by individuals to receive communications of PHI by alternative means or at alternative locations.
• Applies to health plans when disclosure of all or part of the PHI could endanger the individual.

Lesson 6: Rights of Individuals
Access to PHI
• Individuals have the right to unfettered access to PHI that is used to make decisions about the individual.
• Such PHI must be kept for 6 years
• Exceptions include access to psychotherapy notes, PHI used in judicial or administrative actions, etc.

Lesson 6: Rights of Individuals
Amendment or Correction of PHI
• An individual has the right to amend or correct his or her PHI in a designated record set (e.g. medical record) for as long as the covered entity maintains the information.
• DHR does not have to agree to amend or correct the PHI.

Lesson 6: Rights of Individuals
Accounting of Disclosures
• An individual has the right to receive an accounting of PHI disclosures made in the six years prior to the request.
• Exceptions include disclosures for treatment, payment and healthcare operations, disclosures to the individual, disclosures for national security purposes, etc.
• A written account of such disclosures must include the date of the disclosure, to whom the information was disclosed, and a description of the information disclosed.
HIPAA Training and Education Series
Lesson 7: Summary

Lesson 7: Summary
What are the Penalties for Non-Compliance?
• Violation of the HIPAA Privacy Rules may lead to both civil and criminal penalties.
• Civil penalties range from $100 for a single violation to as much as $25,000 for multiple violations of the same requirement during a calendar year.
• Criminal penalties range from $50,000 and one year of imprisonment for a simple PHI disclosure to as much as $250,000 and 10 years of imprisonment for wrongful disclosure.

Lesson 7: Summary
The Importance of Privacy
• HIPAA Privacy Rules address how and to whom protected health information may be disclosed.
• The increased use of electronic transactions of health care data and the general erosion of privacy necessitate minimum standards for the privacy of PHI.
• HIPAA Privacy Rules intend to assure individuals that their PHI will remain private and free from improper use or disclosure.

Lesson 7: Summary
Covered Entities
“Covered entities” generally include:
• Healthcare providers
• Healthcare payers
• Healthcare clearinghouses

Lesson 7: Summary
Protected Health Information (PHI)
• PHI is any and all individually identifiable health information.
• PHI may be in electronic, paper-based, or oral form.
• Includes PHI that is stored as well as disclosed by a covered entity

Lesson 7: Summary
Permitted Uses and Disclosures
• Treatment, payment, and other standard healthcare operations (TPO) do not require an authorization.
• Disclosures to a third party, disclosures for employment determinations, the sale, rental or barter of PHI, and other such uses and disclosures are not permitted without a signed authorization.

Lesson 7: Summary
Minimum Necessary Disclosure Standard
• Must make a reasonable effort not to use or disclose more than the minimum amount of information necessary to accomplish an intended task.
• Minimum necessary does not apply to activities related to healthcare treatment, payment or healthcare operations (TPO), or to certain other activities such as disclosures to the Department of Health and Human Services (DHHS).

Lesson 7: Summary
Administrative Requirements and Obligations
• Requirements and obligations include:
  • A Privacy Official
  • A Privacy Training Program
  • Administrative Safeguards
  • A Complaints Process
  • Sanctions for Violations of Privacy
  • Documented Policies and Procedures
  • A Notice of Privacy Practices
  • “Business Associate” Contracts

Lesson 7: Summary
Rights of Individuals
• Uses and disclosures of PHI permitted only with authorization
• Request privacy protection for PHI
• Confidential communications regarding PHI
• Access to PHI
• Amendment or correction of PHI
• Accounting of disclosures of PHI