270 likes | 527 Views
HIPAA and Privacy Rule Training. What is HIPAA?. The Health Insurance Portability and Accountability Act of 1996. Federal Law designed to protect sensitive information. HIPAA violations are enforced by the Department of Health and Human Services. What information is covered under HIPAA?.
E N D
What is HIPAA? • The Health Insurance Portability and Accountability Act of 1996. • Federal Law designed to protect sensitive information. • HIPAA violations are enforced by the Department of Health and Human Services.
What information is covered under HIPAA? • Virtually ALL health information, or protected health information (PHI) in any format, to include: • Paper • Electronic • Oral
Examples of Sensitive Information. • Social Security number • Credit Card numbers • Driver’s License • Research data • Computer passwords • Individual identifiable health information • Personal information
Notice of Privacy practices • Health care providers provide them to patients. • They describe how the HIPAA-covered entity uses and discloses health information.
What is the privacy rule? • The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the protection of certain health information. • The U.S Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) • Addresses the use and disclosure of individuals health information called “PHI” (protected health information) by covered entities subject to the Privacy Rule.
What is a covered entity? • A covered entity is any person or organization that furnishes, bills or is paid for health care services in the normal course of the business. • Pursuant to HIPAA, individually identifiable health information collected or created in a covered entity is considered “protected health information” (PHI)
A covered entity is one of the following… • Health Care Provider • Health Plan • Health Care Clearinghouse
Health care provider • This includes providers such as.. • Doctors • Clinics • Psychologists • Dentists • Chiropractors • Nursing Homes • Pharmacies • ...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
A health plan • This includes… • Health insurance companies • HMOs • Company health plans • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
Health care clearing house • This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
PHI Defined • Protected Health information. • Any information that can be used to identify a patient (whether living or deceased) and which relates to the patient’s past, present, or future physical or mental health or condition, including healthcare services provided and the payment for those services.
Identifiers under HIPAA • Patient name • Telephone number • Social Security number • Fax number • Vehicle identification number • Email address • Web URL’s • Dates • Names of relatives • Full face photograph or images • Health care record number • Account number • Biometric identifier • Device identifier • Health plan beneficiary number • Certificate or license number • Any other unique number, code, or characteristic that can be linked to an individual.
Basic principle of Privacy rule • To define and limit the circumstances in which an individual’s PHI may be used or disclosed by covered entities. • A covered entity may not use or disclose protected health information, except either: • as the Privacy Rule permits or requires. • as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Access Must Be Authorized An employee may only access or disclose a patient’s PHI when this access is part of the employee’s job duties.
Unauthorized Access • It is never acceptable for an employer to look at PHI “just out of curiosity” even if no harm is intended. • All information is entitled to the same protection whether it may be from a close friend or family and must be kept private.
Authorizations • Covered entity may use/disclose PHI to carry out essential health care functions. • Treatment • Payment • Health care operations • Disclosures for other purposes usually require a specific, written authorization from the individual of the information.
Treatment Treatment means the provision, coordination, or management of health care by one or more health care providers, including: • Consultation between health care providers; or • Patient referrals
Payment Payment means activities of: • Health care providers to obtain payment or be reimbursed for their services. • Health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care.
Health Care Operations • Health care operations are administrative, financial, legal and quality improvement activities • Necessary to run business and to support core functions of treatment and payment • Quality assessment and improvement activities • Training, accreditation, certification, credentialing, licensing, reviewing competence, evaluating performance • Fraud and abuse detection
Minimum necessary • Only members of the workforce who need protected health information may have access to it. • You should only have access to the “minimum necessary” amount of PHI to do their job.
Verification • You can disclose PHI to a person authorized to have the PHI. • You may need to verify that the individual really is who they claim to be.
Breaches • A breach occurs when information that by law must be protected is: • Lost, stolen, or improperly disposed of (i.e. paper or device upon which the information is recorded cannot be accounted for • Hacked into by people or mechanized programs that are not authorized to have access • Communicated or sent to others who have no official need to receive it (for example, gossip from information learned of a medical record)
What does all this mean to you. • Do not share PHI of your client with anybody who does not need to know, such as your family and friends. • Do not save PHI of your client to your laptop, flash drive or other electronic media unless you are required to do so. • Do not leave PHI out for everyone to see. Do not leave PHI in a voicemail message. Do not put PHI in a trash or recycle bin, but make sure it is shredded.
Remember! • HIPAA is a Federal Law. • HIPAA mistakes can have the same types of consequences as any mistakes you may make at work. • Purposely disclosing PHI to unauthorized individuals is a criminal offense.
Spot the HIPAA violation (8min) http://www.youtube.com/watch?v=HuEoKsN6RKU The Omnibus Rule (3min) http://www.youtube.com/watch?v=mX-QL9PoePU HIPAA Training for Caregivers (23min) http://www.youtube.com/watch?v=VpxkRKH60fk