Training Course HIPAA Health Insurance Portability and - PowerPoint PPT Presentation

Training Course

HIPAA – Health Insurance Portability and Accountability Act   HIPAA initially went into effect April 14, 2003  HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.  Privacy Rule  Security Rule  HIPAA helps ensure that all medical records, medical billing, and patient accounts meet certain consistent standards with regard to documentation, handling and privacy.

 It is required that all employees who deal with personal health information (PHI) are trained on the HIPAA Privacy and Security Rules.  This has become even more important due to an increase in HIPAA enforcement by the Office of Civil Rights (OCR).  The OCR is the federal agency in charge of enforcing HIPAA.  By doing proper employee HIPAA training and having Privacy & Security Policies in place, it can lessen the chance of enforcement actions by the OCR.

 Privacy Rule  The Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.  The Rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.  The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

 The Privacy Rule permits these Uses & Disclosures:  Disclosure to the individual/personal representative (parent/guardian)  Disclosure for treatment, payment, and health care operations  Disclosures required by state or federal law  Disclosures to Business Associates  Disclosures as authorized by the patient

 Disclosure to Family/Friends when authorized per the patient or when it is in the best interest of the patient  Public Health Activities  To public health authority  To report child abuse/neglect  To FDA  Law Enforcement Purposes  Abuse, Neglect, and Domestic Violence  Judicial and Administrative Proceedings  If you are unsure whether a disclosure is permitted talk to the Compliance Officer or HIPAA Officer

 When the individual is present (and has the capacity) and:  Agreed or has previously agreed to the disclosure  Has had the opportunity to object to the disclosure and does not; or  It can be reasonably decided given the circumstances that the person does not object  Example: When a patient brings someone into the exam room with them, the caregiver can reasonably determine the individual does not object to the disclosure of their health information.  When the individual is unable to consent in an emergency  Professional determines it is in the patient’s best interest  May use professional judgment to make reasonable decisions about who is permitted to pick up prescriptions, supplies, or other similar forms of PHI

 Incidental uses and disclosures are defined as secondary uses or disclosures that:  Are permitted by HIPAA  Cannot be reasonably prevented  Are limited in nature  Occur as a by-product of an otherwise permissible use or disclosure  Reasonable Safeguards and Minimum Necessary Standards are in place  Example – A doctor can confer at a nurse’s station without fear of being in violation of the rule if overheard by a passerby. And, provided reasonable safeguards and appropriate minimum necessary standards are in place.

 Protected health information (PHI) should not be accessed or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.  The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.

Minimum Necessary Standard does not apply to the following:   Disclosures to or requests made by a healthcare provider for treatment purposes  Uses and disclosures by or to a patient for their own PHI  Disclosures made under a valid authorization  Disclosures to public officials when disclosure is required by law and the official represents that the information requested is the minimum required for the purpose

 A Business Associate (BA) is any individual or entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity (CE).  All Business Associates need to sign a Business Associate Agreement (BAA).  The BAA states - Any privacy rule limitation on how a CE may use or disclose PHI automatically extends to BA.  If there is a breach of PHI on the BA’s behalf, they need to inform the CE immediately.

 The Privacy Rule gives patients the right to:  Access their PHI  Request restrictions to their PHI  Request amendments to their PHI  Request an accounting of disclosures  Request confidential communications

 A covered entity (CE) has 30 days to provide access to a patient  There is a one-time 30 day extension  If a patient requests an electronic copy of PHI, the CE must provide access in an electronic format  If the EMR has links to images or other data, the images/data must also be included in the electronic copy provided to the patient  Encrypted Email, Thumb Drive, Patient Portal

 If requested by an individual, a CE must transmit a copy of PHI directly to another person designated by the individual  Request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI

 A patient has the right to request restrictions to a health plan when paying in full  Except when disclosure is required by law  If the patient does not pay, the CE can bill and disclose information to the insurance plan  The CE can ask patients to pay upfront  The CE can require prepayment where precertification would otherwise be required

Right to Request Confidential Communications   Must agree to reasonable requests, cannot ask why Right to Amendment   Patient requests for amendment of a medical record must be made in writing.  The patient must provide the reason for requesting the amendment. Right to Accounting of Disclosures   Must account for certain disclosures (date, time, who received, what was disclosed, and why)  Do not need to account for:  Treatment, payment or healthcare operations  To individual  Incidental/authorized  More than six years prior

 When a patient signs an acknowledgement that they received the Notice of Privacy Practices, this is not a substitute for the HIPAA authorization/consent form.  The patient still needs to sign and give authorization for disclosure of their PHI in certain situations.  This requires certain language in the consent form  Purpose of use/disclosure  Right to revoke

 Security Rule  The Security Rule covers electronic personal health information (ePHI) and states how it needs to be protected. There are specific standards that have to be met to protect ePHI.  CEs must complete a Security Risk Assessment and implement protections based on the assessment.  The assessment looks at every area in our organization that stores ePHI.  HIPAA states the Security Risk Assessment needs to be completed each year.

 We can protect ePHI by:  Encryption  Laptops  Desktops  Phones  If something is not encrypted use extreme caution!  Use Passwords/change passwords  Log off when leaving your work station  Security Rule audits throughout the year

 What is a breach of PHI?  A breach is an impermissible use or disclosure of “unsecured PHI”.  Unsecured PHI is a hardcopy or electronic PHI that has not been rendered “unusable” and “unreadable” or encrypted.  Impermissible use or disclosure is presumed to be a breach, unless the CE can demonstrate that there is a low probability that the PHI has been compromised.  The CE must notify the patient(s), government, and possibly the media and press if there is a violation of the Privacy and Security Rule.

 Factors to assess the probability that PHI has been compromised:  Nature and extent of PHI involved, including identifiers and likelihood of re-identification  Unauthorized person who used the PHI or to whom the disclosure was made  Whether PHI was actually acquired and used  If you ever suspect there has been an unsecured disclosure of PHI make sure to talk to the HIPAA Officer or Compliance Officer.

Curious Employees   Remember Minimum Necessary Standards  What patient information do you need to access in order to do your job?  Unauthorized Access is a prohibited practice  Do not access family & friends PHI unless authorized  Do no t access co-workers PHI unless authorized  Accessing or reviewing birth dates or addresses of friends or relatives, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.  Accessing or reviewing ANY patient’s record for any reason, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.  Accessing or reviewing confidential information of another employee that is also an OFC patient, without a permissible purpose is unauthorized access of PHI.  HIPAA employee sanctions will be followed \