Training Course HIPAA Health Insurance Portability and - - PowerPoint PPT Presentation

Training Course: HIPAA (Health Insurance Portability and Accountability Act). HIPAA initially went into effect April 14, 2003. HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.


SLIDE 1

Training Course

SLIDE 2

HIPAA – Health Insurance Portability and Accountability Act

- HIPAA initially went into effect April 14, 2003
- HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.
- Privacy Rule
- Security Rule
- HIPAA helps ensure that all medical records, medical billing, and patient accounts meet certain consistent standards with regard to documentation, handling and privacy.

SLIDE 3

- It is required that all employees who deal with personal health information (PHI) are trained on the HIPAA Privacy and Security Rules.
- This has become even more important due to an increase in HIPAA enforcement by the Office for Civil Rights (OCR).
- The OCR is the federal agency in charge of enforcing HIPAA.
- Proper employee HIPAA training, together with Privacy & Security Policies that are in place, lessens the chance of enforcement actions by the OCR.

SLIDE 4

- Privacy Rule
- The Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.
- The Rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
- The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

SLIDE 5

- The Privacy Rule permits these Uses & Disclosures:
  - Disclosure to the individual/personal representative (parent/guardian)
  - Disclosure for treatment, payment, and health care operations
  - Disclosures required by state or federal law
  - Disclosures to Business Associates
  - Disclosures as authorized by the patient

SLIDE 6

  - Disclosure to Family/Friends when authorized per the patient or when it is in the best interest of the patient
  - Public Health Activities
    - To public health authority
    - To report child abuse/neglect
    - To FDA
  - Law Enforcement Purposes
  - Abuse, Neglect, and Domestic Violence
  - Judicial and Administrative Proceedings
- If you are unsure whether a disclosure is permitted, talk to the Compliance Officer or HIPAA Officer

SLIDE 7

- When the individual is present (and has the capacity) and:
  - Agreed or has previously agreed to the disclosure
  - Has had the opportunity to object to the disclosure and does not; or
  - It can be reasonably decided given the circumstances that the person does not object
- Example: When a patient brings someone into the exam room with them, the caregiver can reasonably determine the individual does not object to the disclosure of their health information.
- When the individual is unable to consent in an emergency
  - Professional determines it is in the patient’s best interest
  - May use professional judgment to make reasonable decisions about who is permitted to pick up prescriptions, supplies, or other similar forms of PHI

SLIDE 8

- Incidental uses and disclosures are defined as secondary uses or disclosures that:
  - Are permitted by HIPAA
  - Cannot be reasonably prevented
  - Are limited in nature
  - Occur as a by-product of an otherwise permissible use or disclosure
- Reasonable Safeguards and Minimum Necessary Standards are in place
- Example: A doctor can confer at a nurse’s station without fear of being in violation of the rule if overheard by a passerby, provided reasonable safeguards and appropriate minimum necessary standards are in place.

SLIDE 9

- Protected health information (PHI) should not be accessed or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.
- The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.

SLIDE 10

Minimum Necessary Standard does not apply to the following:

- Disclosures to or requests made by a healthcare provider for treatment purposes
- Uses and disclosures by or to a patient for their own PHI
- Disclosures made under a valid authorization
- Disclosures to public officials when disclosure is required by law and the official represents that the information requested is the minimum required for the purpose

SLIDE 11

- A Business Associate (BA) is any individual or entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity (CE).
- All Business Associates need to sign a Business Associate Agreement (BAA).
- The BAA states that any Privacy Rule limitation on how a CE may use or disclose PHI automatically extends to the BA.
- If there is a breach of PHI on the BA’s side, the BA needs to inform the CE immediately.

SLIDE 12

- The Privacy Rule gives patients the right to:
  - Access their PHI
  - Request restrictions to their PHI
  - Request amendments to their PHI
  - Request an accounting of disclosures
  - Request confidential communications

SLIDE 13

- A covered entity (CE) has 30 days to provide access to a patient
  - There is a one-time 30 day extension
- If a patient requests an electronic copy of PHI, the CE must provide access in an electronic format
  - If the EMR has links to images or other data, the images/data must also be included in the electronic copy provided to the patient
  - Encrypted Email, Thumb Drive, Patient Portal

SLIDE 14

- If requested by an individual, a CE must transmit a copy of PHI directly to another person designated by the individual
  - Request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI

SLIDE 15

- A patient has the right to request restrictions to a health plan when paying in full
  - Except when disclosure is required by law
  - If the patient does not pay, the CE can bill and disclose information to the insurance plan
  - The CE can ask patients to pay upfront
  - The CE can require prepayment where precertification would otherwise be required

SLIDE 16

Right to Request Confidential Communications

- Must agree to reasonable requests, cannot ask why

Right to Amendment

- Patient requests for amendment of a medical record must be made in writing.
- The patient must provide the reason for requesting the amendment.

Right to Accounting of Disclosures

- Must account for certain disclosures (date, time, who received, what was disclosed, and why)
- Do not need to account for:
  - Treatment, payment or healthcare operations
  - To individual
  - Incidental/authorized
  - More than six years prior

SLIDE 17

- When a patient signs an acknowledgement that they received the Notice of Privacy Practices, this is not a substitute for the HIPAA authorization/consent form.
- The patient still needs to sign and give authorization for disclosure of their PHI in certain situations.
- This requires certain language in the consent form:
  - Purpose of use/disclosure
  - Right to revoke

SLIDE 18

- Security Rule
- The Security Rule covers electronic personal health information (ePHI) and states how it needs to be protected. There are specific standards that have to be met to protect ePHI.
- CEs must complete a Security Risk Assessment and implement protections based on the assessment.
  - The assessment looks at every area in our organization that stores ePHI.
  - HIPAA states the Security Risk Assessment needs to be completed each year.

SLIDE 19

- We can protect ePHI by:
  - Encryption
    - Laptops
    - Desktops
    - Phones
    - If something is not encrypted use extreme caution!
  - Use Passwords/change passwords
  - Log off when leaving your work station
  - Security Rule audits throughout the year

SLIDE 20

- What is a breach of PHI?
- A breach is an impermissible use or disclosure of “unsecured PHI”.
- Unsecured PHI is hardcopy or electronic PHI that has not been rendered “unusable” and “unreadable” or encrypted.
- Impermissible use or disclosure is presumed to be a breach, unless the CE can demonstrate that there is a low probability that the PHI has been compromised.
- The CE must notify the patient(s), government, and possibly the media and press if there is a violation of the Privacy and Security Rule.

SLIDE 21

- Factors to assess the probability that PHI has been compromised:
  - Nature and extent of PHI involved, including identifiers and likelihood of re-identification
  - Unauthorized person who used the PHI or to whom the disclosure was made
  - Whether PHI was actually acquired and used
- If you ever suspect there has been an unsecured disclosure of PHI, make sure to talk to the HIPAA Officer or Compliance Officer.

SLIDE 22

Curious Employees

- Remember Minimum Necessary Standards
  - What patient information do you need to access in order to do your job?
- Unauthorized Access is a prohibited practice
  - Do not access family & friends’ PHI unless authorized
  - Do not access co-workers’ PHI unless authorized
  - Accessing or reviewing birth dates or addresses of friends or relatives, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.
  - Accessing or reviewing ANY patient’s record for any reason, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.
  - Accessing or reviewing confidential information of another employee who is also an OFC patient, without a permissible purpose, is unauthorized access of PHI.

HIPAA employee sanctions will be followed

SLIDE 23

- OFC is required by law to sanction employees who violate HIPAA Privacy & Security Rules.
- Any violations of HIPAA will be handled under OFC’s discipline policy, similar to other employee discipline issues.
- An employee who breaches OFC’s HIPAA policies & procedures is subject to formal disciplinary action, up to and including termination.

SLIDE 24

- OFC will be auditing all employees.
- Please be diligent in accessing only records you are authorized to access.
  - This means only accessing a patient’s PHI that is needed for your job function.
- As an employee of OFC, your conduct will at all times be compliant with HIPAA.
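As an added example (not part of the training deck and not OFC’s own audit tooling), the following Python check runs the “curious employee” rules from slide 22 over a constructed EHR access log, the kind of review the employee auditing on this slide implies: it flags an employee opening a co-worker’s record, a record of someone sharing the employee’s surname and address, any access with no documented treatment, payment or operations relationship, and any access whose recorded reason is not a permitted purpose. The log layout, reason codes, employee roster and relationship table are all assumptions.

```python
# Added example, not OFC's tooling: audit of a constructed EHR access log for the
# "curious employee" patterns. Field names, reason codes, roster and relationship
# table are assumptions; every record below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    user: str      # employee login that opened the record
    patient: str   # id of the patient whose record was opened
    reason: str    # access reason code recorded by the EHR (assumed codes)

# Constructed roster and patient list: login/id -> (surname, street address).
EMPLOYEES = {"jdoe": ("Doe", "12 Elm St"), "asmith": ("Smith", "9 Oak Ave"),
             "bsmith": ("Smith", "31 Cedar Ct")}
PATIENTS = {"P100": ("Doe", "12 Elm St"), "P200": ("Lee", "4 Pine Rd"),
            "P300": ("Smith", "31 Cedar Ct"), "P400": ("Khan", "77 Birch Ln")}
EMPLOYEE_PATIENTS = {"P300": "bsmith"}   # co-worker who is also a patient
# Documented (user, patient) relationships that give a work reason for access.
RELATIONSHIPS = {("jdoe", "P200"), ("asmith", "P200"), ("asmith", "P400")}
PERMITTED_REASONS = {"treatment", "payment", "operations", "required_by_law", "patient_authorization"}

LOG = [  # constructed log lines
    Access("jdoe", "P200", "treatment"),    # assigned clinician: clean
    Access("jdoe", "P100", "treatment"),    # same surname and address: likely a relative
    Access("asmith", "P300", "treatment"),  # co-worker's record, no relationship
    Access("bsmith", "P300", "treatment"),  # employee viewing their own record: allowed
    Access("asmith", "P400", "payment"),    # documented billing relationship: clean
    Access("jdoe", "P400", "curiosity"),    # no relationship and reason not permitted
]

def audit(access: Access) -> list[str]:
    """Return the policy findings for one access; an empty list means no concern."""
    if access.patient in EMPLOYEE_PATIENTS and EMPLOYEE_PATIENTS[access.patient] == access.user:
        return []  # a patient reading their own record is a permitted use (slide 10)
    findings = []
    emp_name, emp_addr = EMPLOYEES[access.user]
    pat_name, pat_addr = PATIENTS[access.patient]
    if access.patient in EMPLOYEE_PATIENTS:
        findings.append("co-worker record")
    if (emp_name, emp_addr) == (pat_name, pat_addr):
        findings.append("possible family member (same surname and address)")
    if (access.user, access.patient) not in RELATIONSHIPS:
        findings.append("no documented treatment/payment/operations relationship")
    if access.reason not in PERMITTED_REASONS:
        findings.append(f"reason code {access.reason!r} is not a permitted purpose")
    return findings

def audit_log(log: list[Access]) -> dict[tuple[str, str], list[str]]:
    """Map (user, patient) to findings for every access that raised at least one."""
    return {(a.user, a.patient): f for a in log if (f := audit(a))}
```

Flagged accesses are leads for the HIPAA Officer to review against the patient’s chart and the employee’s assignments, not verdicts; a shared surname or a missing assignment can have an innocent explanation.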

SLIDE 25

- If you have any questions or concerns regarding the HIPAA Privacy & Security Rules, please contact:
  - HIPAA Officer (Bobbi Nawrocki): 386-6689
  - Compliance Officer (Julie Morgan): 386-6651