Health Insurance Portability and Accountability Act (HIPAA) Program - PowerPoint PPT Presentation

About This Presentation
Title:

Health Insurance Portability and Accountability Act (HIPAA) Program

Description:

HIPAA Privacy Rules intend to assure individuals that their PHI will remain private and free from improper use or disclosure. Covered Entities Covered entities ... – PowerPoint PPT presentation

Slides: 52
Provided by: pspol

Transcript and Presenter's Notes

1
HIPAA Training and Education Series
  • Health Insurance Portability and Accountability
    Act (HIPAA) Program
  • Privacy Overview
  • Training

2
PLEASE NOTE THE FOLLOWING IMPORTANT INFORMATION
  • The slides you will be viewing were developed for
    all DHR staff.
  • Any laws or regulations regarding DMHDDAD
    consumer information that are more stringent do
    take precedence over the HIPAA standards.
  • When in doubt, check it out!

3
HIPAA Training and Education Series
  • Table of Contents
  • Lesson 1 Origin of the HIPAA Privacy Rules
  • Lesson 2 Protected Health Information (PHI)
  • Lesson 3 Permitted Uses and Disclosures of PHI
  • Lesson 4 Minimum Necessary Disclosure Standard
  • Lesson 5 Administrative Requirements and
    Obligations
  • Lesson 6 Rights of Individuals
  • Lesson 7 Summary

4
HIPAA Training and Education Series
  • Lesson 1 Origin of the HIPAA Privacy Rules

5
Lesson 1 Origin of the HIPAA Privacy Rules
  • Banker who serves on a county health board calls
    in all mortgages of customers with cancer
  • Congresswoman's medical records faxed from an
    area hospital to the media on the eve of her
    election
  • Hacker downloads medical records and Social
    Security Numbers of over 5,000 patients at a
    local University Medical Center
  • Employees at a health plan improperly access
    private medical claims information of a famous
    athlete

6
Lesson 1 Origin of the HIPAA Privacy Rules
  • What is HIPAA Privacy?
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA)
  • Improvement in healthcare systems
  • Administrative Simplification Provisions
  • Increased electronic transactions and a general
    erosion of privacy in the healthcare industry
  • HIPAA Privacy Rules address how and to whom PHI
    may be disclosed by healthcare entities covered
    under the law.

7
Lesson 1 Origin of the HIPAA Privacy Rules
  • Who Must Comply?
  • Healthcare Providers (hospitals, physicians,
    nurses, Veterans Health Administration, etc.)
  • Health Plans (HMOs, PPOs, Medicare, Medicaid,
    etc.)
  • Healthcare Clearinghouses
  • DHR

8
Lesson 1 Origin of the HIPAA Privacy Rules
  • Who Must Comply?
  • Business Associates
  • Trading Partners

9
HIPAA Training and Education Series
  • Lesson 2 Protected Health Information (PHI)

10
Lesson 2 Protected Health Information (PHI)
  • What is Protected Health Information?
  • Individually identifiable health information
    (IIHI)
  • Transmitted or stored electronically
  • Examples of PHI include
  • Name, age, sex and other personal demographic
    information
  • Health status information
  • Prescription drug information
  • Healthcare payment information
  • Prior existing conditions

11
Lesson 2 Protected Health Information (PHI)
  • What is Protected Health Information?
  • Applies to health information transactions such
    as
  • Claim payments and remittance advices
  • Provider claims and attachments
  • Premium invoices and payments
  • Eligibility information
  • Authorization and referral certifications
  • First report of injury

12
Lesson 2 Protected Health Information (PHI)
  • How is PHI disclosed or transmitted?
  • Telephone
  • Fax Machine
  • Internet/Intranet, Direct Dial-up Lines, Direct
    Data Entry and other EDI (Electronic Data
    Interchange)
  • Orally
  • Letters and Other Written Material

13
Lesson 2 Protected Health Information (PHI)
  • How is PHI stored?
  • Magnetic disk (hard disk, floppy disk, etc.)
  • Tape
  • Written or hard copies of medical records,
    enrollment forms, claim forms, beneficiary
    inquiries, etc.

14
Lesson 2 Protected Health Information (PHI)
  • What is the importance and value of protecting
    health information?
  • We all have the right to keep information about
    ourselves private and free from improper use or
    disclosure.
  • In the electronic age, PHI may be more
    susceptible to privacy violations.
  • If the healthcare industry is to progress, it is
    imperative that consumers feel assured that their
    PHI is safe and free from privacy violations.

15
HIPAA Training and Education Series
  • Lesson 3 Permitted Uses and Disclosures of PHI

16
Lesson 3 Permitted Uses and Disclosures
  • What Uses and Disclosures of PHI Require an
    Authorization?
  • Third party disclosures
  • Marketing and fund raising activities
  • Non-health related affiliates
  • Underwriting or risk rating activities
  • Employment determinations
  • Sale, rental or barter of PHI
  • Psychotherapy notes

17
Lesson 3 Permitted Uses and Disclosures
  • What PHI Uses and Disclosures do not Require an
    Authorization?
  • Treatment, payment and healthcare operations
    (TPO)
  • Public health agency activities
  • Health oversight and regulatory agency activities
  • Judicial proceedings and law enforcement
    investigations
  • Healthcare fraud investigations
  • Emergency situations
  • Research purposes
  • If information is de-identified

18
Lesson 3 Permitted Uses and Disclosures
  • Verification Procedures
  • DHR must verify the identity and the authority of
    a person requesting access to PHI.
  • DHR must secure documentation, statements or
    other representations, whether oral or written,
    from the person requesting the PHI.
  • May use professional judgment

19
HIPAA Training and Education Series
  • Lesson 4 Minimum Necessary Disclosure Standard

20
Lesson 4 Minimum Necessary Disclosure Standard
  • What does minimum necessary mean?
  • Making a reasonable effort not to use or disclose
    more than the minimum amount of information
    necessary to accomplish an intended task

21
Lesson 4 Minimum Necessary Disclosure Standard
  • Why is minimum necessary so important?
  • An individual has the right to expect that their
    PHI will remain secure and confidential.
  • The more PHI is used or disclosed, the more
    likely it is to be revealed to third parties.
  • Limiting the exchange of PHI to the minimum
    necessary reduces the potential of fraud and
    abuse.

22
Lesson 4 Minimum Necessary Disclosure Standard
  • How is minimum necessary determined?
  • DHR will determine who needs access to PHI and
    the amount of PHI needed per function.
  • Varies by division and function
  • DHR will evaluate each and every business
    activity requiring the use and/or disclosure of
    PHI.
  • Once the minimum necessary is determined, DHR
    will communicate to all affected parties
    (employees, business associates, trading
    partners, etc.).

23
Lesson 4 Minimum Necessary Disclosure Standard
  • Responding to a request for the disclosure of PHI
  • DHR will develop criteria that limit disclosures
    only to that necessary to comply with a specific
    request.
  • Disclosure requests must be individually reviewed
    by employees according to the developed criteria.
  • Ensure that only the minimum amount necessary is
    disclosed
  • Exceptions include requests from another covered
    entity, certain public officials or agencies,
    certain business associates, researchers, etc.

24
HIPAA Training and Education Series
  • Lesson 5 Administrative Requirements and
    Obligations

25
Lesson 5 Administrative Requirements and
Obligations
  • What are the administrative requirements under
    HIPAA Privacy?
  • Privacy Official
  • Privacy Training Program
  • Safeguards
  • Complaints
  • Sanctions
  • Documented Policies and Procedures
  • Notice of Privacy Practices
  • Business Associate Contracts

26
Lesson 5 Administrative Requirements and
Obligations
  • Privacy Officer
  • DHR will designate a privacy official or officer
  • Responsible for the development, implementation
    and maintenance of the privacy policies and
    procedures
  • In addition, DHR will designate a contact person
    to receive and process privacy complaints and to
    provide further information about privacy
    practices

27
Lesson 5 Administrative Requirements and
Obligations
  • Privacy Training Program
  • DHR will train all employees about privacy
    policies and procedures for PHI.
  • DHR will document that training has been
    provided.
  • Training will be completed within specific
    timeframes.

28
Lesson 5 Administrative Requirements and
Obligations
  • Safeguards
  • DHR will implement and maintain appropriate
    administrative, technical, and physical
    safeguards.
  • DHR will safeguard PHI from any intentional or
    unintentional use or disclosure, or violation of
    the requirements of the regulation.
  • PHI safeguards are also a requirement of the
    HIPAA Security Rules.

29
Lesson 5 Administrative Requirements and
Obligations
  • Complaints
  • DHR will develop and maintain a process for
    individuals to make complaints concerning
  • Privacy policies and procedures
  • Compliance with privacy policies and procedures
    and
  • Compliance with the Privacy requirements of HIPAA.

30
Lesson 5 Administrative Requirements and
Obligations
  • Sanctions
  • DHR will implement appropriate sanctions for
    failure to comply with privacy policies and
    procedures of the HIPAA regulations.
  • DHR will apply appropriate sanctions against
    employees who fail to comply with the privacy
    policies and procedures of the regulations.

31
Lesson 5 Administrative Requirements and
Obligations
  • Documented Policies and Procedures
  • DHR will develop and implement privacy policies
    and procedures with respect to PHI.
  • Address DHR's specific privacy practices as well
    as all of the elements of the HIPAA privacy rules
  • DHR will change or update its policies and
    procedures as necessary and appropriate to remain
    in compliance.

32
Lesson 5 Administrative Requirements and
Obligations
  • Notice of Privacy Practices
  • DHR employees will provide individuals with a
    Notice of Privacy Practices.
  • Notice must be in plain language.
  • DHR will revise the Privacy Notice with any
    material change to DHR's privacy practices.
  • Direct treatment providers will make a good faith
    effort to obtain the patient's written
    acknowledgement of the Notice of Privacy
    Practices and rights.

33
Lesson 5 Administrative Requirements and
Obligations
  • Business Associate Contracts
  • Business Associates are entities with which DHR
    shares or exchanges PHI.
  • Business Associates must comply with HIPAA,
    indirectly, through mandated Business Associate
    Contracts with DHR.
  • Business Associate Contracts allow DHR to obtain
    satisfactory assurance that the Business
    Associate will appropriately safeguard PHI.
  • If DHR becomes aware of a material breach by the
    Business Associate, the contract (and
    relationship) must be terminated.

34
HIPAA Training and Education Series
  • Lesson 6 Rights of Individuals

35
Lesson 6 Rights of Individuals
  • What are the Rights of Individuals Under HIPAA
    Privacy?
  • PHI uses and disclosures are permitted only with
    authorization.
  • Request privacy protection for PHI
  • Confidential communications regarding PHI
  • Access to PHI
  • Amendment or correction of PHI
  • Accounting of PHI disclosures

36
Lesson 6 Rights of Individuals
  • Uses and Disclosures Permitted Only with an
    Authorization
  • Individuals have the right to expect that certain
    uses and disclosures of their PHI will be
    permitted only with an authorization.
  • The authorization is not valid unless signed by
    the individual in question.

37
Lesson 6 Rights of Individuals
  • Request Privacy Protection for PHI
  • Individuals have the right to request that DHR
    restrict
  • Uses and disclosures for treatment, payment and
    healthcare operations (TPO), and
  • Disclosures permitted for involvement in the
    individual's care and notification purposes.
  • DHR does not have to agree to the request, but
    must have procedures in place to process the request.

38
Lesson 6 Rights of Individuals
  • Confidential Communications Regarding PHI
  • Individuals have the right to confidential
    communications regarding their PHI.
  • DHR must accommodate reasonable requests by
    individuals to receive communications of PHI by
    alternative means or at alternative locations.
  • Applies to health plans when disclosure of all or
    part of PHI could endanger the individual.

39
Lesson 6 Rights of Individuals
  • Access to PHI
  • Individuals have the right to unfettered access
    to PHI that is used to make decisions about the
    individual.
  • Such PHI must be kept for 6 years
  • Exceptions include access to psychotherapy notes,
    PHI used in judicial or administrative actions,
    etc.

40
Lesson 6 Rights of Individuals
  • Amendment or Correction of PHI
  • An individual has the right to amend or correct
    his or her PHI in a designated record set (e.g.
    medical record) for as long as the covered entity
    maintains the information.
  • DHR does not have to agree to amend or correct
    the PHI.

41
Lesson 6 Rights of Individuals
  • Accounting of Disclosures
  • An individual has the right to receive an
    accounting of PHI disclosures made in the six
    years prior to the request.
  • Exceptions include disclosures for treatment,
    payment and healthcare operations, disclosures to
    the individual, for national security purposes,
    etc.
  • A written account of such disclosures must
    include the date of the disclosure, to whom the
    information was disclosed, and a description of
    the information disclosed.

42
HIPAA Training and Education Series
  • Lesson 7 Summary

43
Lesson 7 Summary
  • What are the Penalties for Non-Compliance?
  • Violation of HIPAA Privacy Rules may lead to both
    civil and criminal penalties.
  • Civil penalties range between $100 for a single
    violation to as much as $25,000 for multiple
    violations of the same requirement during a
    calendar year.
  • Criminal penalties range from $50,000 and one
    year of imprisonment for a simple PHI disclosure
    to as much as $250,000 and 10 years of imprisonment
    for wrongful disclosure.

44
Lesson 7 Summary
  • The Importance of Privacy
  • HIPAA Privacy Rules address how and to whom
    protected health information may be disclosed.
  • The increased use of electronic transactions of
    health care data and the general erosion of
    privacy necessitate minimum standards for the
    privacy of PHI.
  • HIPAA Privacy Rules intend to assure individuals
    that their PHI will remain private and free from
    improper use or disclosure.

45
Lesson 7 Summary
  • Covered Entities
  • Covered entities generally include
  • Healthcare providers
  • Healthcare payers
  • Healthcare clearinghouses

46
Lesson 7 Summary
  • Protected Health Information (PHI)
  • PHI is any and all individually identifiable
    health information.
  • PHI may be in electronic, paper-based, or oral
    form.
  • Includes PHI that is stored as well as disclosed
    by a covered entity

47
Lesson 7 Summary
  • Permitted Uses and Disclosures
  • Treatment, payment, and other standard healthcare
    operations (TPO) do not require an authorization.
  • Disclosures to a third party, disclosures for
    employment determinations, the sale, rental or
    barter of PHI, and other such uses and
    disclosures are not permitted without a signed
    authorization.

48
Lesson 7 Summary
  • Minimum Necessary Disclosure Standard
  • Must make a reasonable effort not to use or
    disclose more than the minimum amount of
    information necessary to accomplish an intended
    task.
  • Minimum necessary does not apply to activities
    related to healthcare treatment, payment or
    healthcare operations (TPO), and to certain other
    activities such as disclosures to the Department
    of Health and Human Services (DHHS).

49
Lesson 7 Summary
  • Administrative Requirements and Obligations
  • Requirements and obligations include
  • A Privacy Official
  • A Privacy Training Program
  • Administrative Safeguards
  • A Complaints Process
  • Sanctions for Violations of Privacy
  • Documented Policies and Procedures
  • A Notice of Privacy Practices
  • Business Associate Contracts

50
Lesson 7 Summary
  • Rights of Individuals
  • Uses and disclosures of PHI permitted only with
    authorization
  • Request privacy protection for PHI
  • Confidential communications regarding PHI
  • Access to PHI
  • Amendment or correction of PHI
  • Accounting of Disclosures of PHI

51
  • FOLLOW THESE DIRECTIONS TO RECEIVE CREDIT
  • ENSURE YOU VIEW THE HIPAA 101 PRESENTATION
  • ENSURE YOU COMPLETE THE COMPETENCY EXAM AND SEND
    TO HRD
  • ENSURE YOU COMPLETE AN INSERVICE TRAINING ROSTER
    AND SEND TO HRD