HIPAA Compliance
An Overview of HIPAA
Presented by the Office of the General Counsel
Health Insurance Portability and Accountability Act
HIPAA’s Goals
• Simplify the administration of electronic health information
• Protect an individual’s privacy rights with regard to health information

When is HIPAA effective?
• First deadline (Electronic Transaction & Code Set Standards): October 2002
• Possible extension until Oct. 2003; to qualify, AU must file a compliance plan
• Privacy Regulations: April 2003 (AU’s target date for compliance)
Who Must Comply?
“Each Covered Entity who maintains or transmits health information”
• Health Plans
• Health Care Clearinghouses
• Health Care Providers

Who is a Provider?
“Any person or entity that furnishes, bills, or is paid for health care in the normal course of business.”
• Health Care = any “care, services, or supplies related to the health of an individual”

Examples of Providers / Plans
• Student Health Center
• Psychology Clinics
• EAP
• Athletic Department
• Hearing / Eye Clinics
• Self-Insurance Health Plans
4 Key HIPAA Elements
• Electronic Transaction & Code Set Standards
• Security Standards
• Privacy Regulations
• National Identifiers

Electronic Transaction & Code Set Standards
• General Rule: “If a covered entity (either itself or through an agent) conducts a Covered Transaction electronically, the transaction must be conducted using the HIPAA form.”

Electronic Transaction & Code Set Standards – Required Elements
• Covered Entity
• Electronically transmits
• Covered Transaction

Covered Transactions
• Submission of claims for payment
• Checking eligibility
• Enrollment & disenrollment
• Referrals and pre-certification
• Claims attachments
• Payment & claims remittance
• Coordination of benefits
• Checking claims’ status

Electronic Transaction & Code Set Standards – Requirements of ETS
• Standard formats
• Standard data content
• Standard codes

Electronic Transaction & Code Set Standards – Where to find the ETS standards:
• http://aspe.hhs.gov/admnsimp
• www.wpc-edi.com/HIPAA
• www.afehct.org
Security Standards
• Intended to protect against:
  • Unauthorized access
  • Accidental / intentional disclosure to unauthorized persons
  • Alteration, destruction, or loss

Security Standards – Who is Covered?
• Any covered entity
• That stores health information electronically
• Does not have to be a covered transaction

Security Standards – Elements
• Administrative Procedures
  • Protect health information
  • Manage personnel conduct
• Physical Safeguards
  • Protect physical systems / buildings
• Technical Security
  • Controls access to health information

Administrative Procedures
• Security analysis
• Information access privileges
• Password & authentication policies
• Plans for disasters & security breaches
• Disciplinary process & penalties
• Employee & vendor training
• Security Officer

Physical Safeguards
• Document the ways computer & physical records are protected
• Use of keys, locks, etc. to control access to computers
• Restriction of access to authorized persons
• Tracking of medical records
• Workstation location policy

Technical Security
• Single sign-on technology
• New user IDs and passwords
• Audit trails for health information

Security Standards – General Comments
• Still in proposed form
• Not technically specific
• Amount of security required is scalable based on department size and resources
Privacy Regulations
• General Rule: “A covered entity may not use or disclose Protected Health Information (PHI) except as permitted by the privacy regulations.”

Privacy Regulations – PHI (Protected Health Information)
• Individually identifiable
• Any form or medium: electronic, oral, or written
• Created or received by the covered entity
• Relates to the past, present, or future condition of, or payment for, an individual
• Exception: FERPA (education) records

Privacy Regulations
• General Requirement: “Must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.”

Privacy Regulations – Main Elements
• Rules for use & disclosure of PHI
• Patient’s rights to health information
• Administrative procedures
• Business Associate requirement
Rules for Use & Disclosure – Consent vs. Authorization
• Consent: if a general written consent is obtained, a provider may use/disclose PHI for “TPO”
• Authorization: if the use/disclosure is not for “TPO”, it is forbidden without a more specific authorization
• “TPO” = Treatment / Payment / Health Care Operations

Rules for Use & Disclosure – “TPO”
• Treatment: provision, coordination, and management of health care
• Payment: actions to obtain payment
• Operations: internal day-to-day business (e.g., QA, peer review, customer service)

Rules for Use & Disclosure – Consent
• Must be in plain language
• Must specify the uses of PHI
• Can be made a prerequisite to treatment (the provider can refuse treatment)
• Exceptions: emergency, required by law, communication barriers

Rules for Use & Disclosure – Authorization
• Cannot be a condition of treatment
• Must inform the individual about the specific use and the right to refuse, revoke, and inspect
• Psychotherapy notes require authorization
• Examples: research, marketing, fundraising
Patient’s Rights
• Right to a Notice of Privacy Practices
• Right of access to PHI
• Right to an accounting of disclosures made in the prior 6 years
• Right to request restrictions on TPO uses/disclosures and on disclosures to family members (the covered entity is not required to agree to a requested restriction on TPO)

Administrative Procedures
• Document policies, procedures, & systems to achieve compliance
• Complaint mechanisms
• Employee sanctions
• Documented training of employees
• Mitigation of harmful effects
• Designated Privacy Officer
Business Associates
• General Rule: a covered entity must have a business associate contract to ensure that its business associates also comply with HIPAA’s protection of PHI.

Business Associates are entities that…
• Perform a function involving use / disclosure of PHI on behalf of the covered entity
• Perform legal, accounting, consulting, data aggregation, administrative, management, or financial services involving PHI for the covered entity

Business Associates – Examples
• Billing companies
• Computer vendors
• Attorneys, accountants, auditors
• Consultants
• Document storage / destruction companies

Business Associate Contracts
• Restrict use & disclosure of PHI
• Require appropriate safeguards
• Require similar requirements of subcontractors
• Require the B.A. to report breaches
• Require the B.A. to remedy breaches or risk termination of the contract
Hybrid Entity
• Requirements
  • Single legal entity
  • Primary business is not health care
• Advantage
  • Only the “Healthcare Components” must comply with HIPAA
• Disadvantage
  • Must maintain a ‘firewall’ (information barrier) between HC components and non-components so PHI does not flow to the rest of the entity

Hybrid Entity – Auburn must…
• Identify its Healthcare Components
• Identify the Business Associates of the HC Components
• Erect the ‘firewalls’ between HC Components & non-components
Penalties for Non-Compliance
** Both individuals & entities can incur criminal and/or civil penalties
• Civil penalties: $100 – $25,000
• Criminal penalties: max 10 years in prison, max $250,000 fine

HIPAA Timeline
• ETS Standards: October 16, 2002
• Extended to Oct. 2003 if the University files for the extension
• Privacy Regs: April 14, 2003
• Security Regs: final rule expected by August 2002 (still proposed at the time of this presentation)
Next Steps toward Compliance
• Fill out the AU HIPAA Survey
• Review how PHI is stored, accessed, protected, & destroyed
• Think about easy steps to better protect PHI
• Designate one or more people to review specific HIPAA policies

For more HIPAA info…
• www.hipaa.org – links to complete final rules & proposed rules
• www.hipaadvisory.com – news, primers, and complete rules
• www.hrm.uab.edu/HIPAA – UAB’s training site
Additional Questions? Contact the Provost’s Office