Title: Health Insurance Portability and Accountability Act HIPAA Program
HIPAA Training and Education Series
- Health Insurance Portability and Accountability Act (HIPAA) Program - Privacy Overview Training
PLEASE NOTE THE FOLLOWING IMPORTANT INFORMATION
- The slides you will be viewing were developed for all DHR staff.
- Any laws or regulations regarding DMHDDAD consumer information that are more stringent take precedence over the HIPAA standards.
- When in doubt, check it out!
HIPAA Training and Education Series
- Table of Contents
- Lesson 1 Origin of the HIPAA Privacy Rules
- Lesson 2 Protected Health Information (PHI)
- Lesson 3 Permitted Uses and Disclosures of PHI
- Lesson 4 Minimum Necessary Disclosure Standard
- Lesson 5 Administrative Requirements and Obligations
- Lesson 6 Rights of Individuals
- Lesson 7 Summary
HIPAA Training and Education Series
- Lesson 1 Origin of the HIPAA Privacy Rules
Lesson 1 Origin of the HIPAA Privacy Rules
- A banker who serves on a county health board calls in all mortgages of customers with cancer.
- A Congresswoman's medical records are faxed from an area hospital to the media on the eve of her election.
- A hacker downloads the medical records and Social Security Numbers of over 5,000 patients at a local University Medical Center.
- Employees at a health plan improperly access the private medical claims information of a famous athlete.
Lesson 1 Origin of the HIPAA Privacy Rules
- What is HIPAA Privacy?
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Improvement in healthcare systems
- Administrative Simplification Provisions
- Increased electronic transactions and a general erosion of privacy in the healthcare industry
- The HIPAA Privacy Rules address how and to whom PHI may be used and disclosed by the healthcare entities covered under the law.
Lesson 1 Origin of the HIPAA Privacy Rules
- Who Must Comply?
- Healthcare Providers (hospitals, physicians, nurses, Veterans Health Administration, etc.)
- Health Plans (HMOs, PPOs, Medicare, Medicaid, etc.)
- Healthcare Clearinghouses
- DHR
Lesson 1 Origin of the HIPAA Privacy Rules
- Who Must Comply?
- Business Associates
- Trading Partners
HIPAA Training and Education Series
- Lesson 2 Protected Health Information (PHI)
Lesson 2 Protected Health Information (PHI)
- What is Protected Health Information?
- Individually identifiable health information (IIHI) that a covered entity creates, receives, maintains or transmits in any form or medium (electronic, paper or oral)
- Examples of PHI include
- Name, age, sex and other personal demographic information
- Health status information
- Prescription drug information
- Healthcare payment information
- Prior existing conditions
Lesson 2 Protected Health Information (PHI)
- What is Protected Health Information?
- Applies to health information transactions such as
- Claim payments and remittance advices
- Provider claims and attachments
- Premium invoices and payments
- Eligibility information
- Authorization and referral certifications
- First report of injury
Lesson 2 Protected Health Information (PHI)
- How is PHI disclosed or transmitted?
- Telephone
- Fax machine
- Internet/Intranet, direct dial-up lines, direct data entry and other EDI (Electronic Data Interchange)
- Orally
- Letters and other written material
Lesson 2 Protected Health Information (PHI)
- How is PHI stored?
- Magnetic disk (hard disk, floppy disk, etc.)
- Tape
- Written or hard copies of medical records, enrollment forms, claim forms, beneficiary inquiries, etc.
Lesson 2 Protected Health Information (PHI)
- What is the importance and value of protecting health information?
- We all have the right to keep information about ourselves private and free from improper use or disclosure.
- In the electronic age, PHI may be more susceptible to privacy violations.
- If the healthcare industry is to progress, it is imperative that consumers feel assured that their PHI is safe and free from privacy violations.
HIPAA Training and Education Series
- Lesson 3 Permitted Uses and Disclosures of PHI
Lesson 3 Permitted Uses and Disclosures
- What Uses and Disclosures of PHI Require an Authorization?
- Third-party disclosures
- Marketing and fund-raising activities
- Non-health-related affiliates
- Underwriting or risk-rating activities
- Employment determinations
- Sale, rental or barter of PHI
- Psychotherapy notes
Lesson 3 Permitted Uses and Disclosures
- What PHI Uses and Disclosures do not Require an Authorization?
- Treatment, payment and healthcare operations (TPO)
- Public health agency activities
- Health oversight and regulatory agency activities
- Judicial proceedings and law enforcement investigations
- Healthcare fraud investigations
- Emergency situations
- Research purposes (where an Institutional Review Board or privacy board has waived the authorization requirement)
- If the information is de-identified (de-identified information is no longer PHI)
Lesson 3 Permitted Uses and Disclosures
- Verification Procedures
- DHR must verify the identity and the authority of a person requesting access to PHI.
- DHR must secure documentation, statements or other representations, whether oral or written, from the person requesting the PHI.
- Professional judgment may be used.
HIPAA Training and Education Series
- Lesson 4 Minimum Necessary Disclosure Standard
Lesson 4 Minimum Necessary Disclosure Standard
- What does minimum necessary mean?
- Making a reasonable effort not to use or disclose
more than the minimum amount of information
necessary to accomplish an intended task
Lesson 4 Minimum Necessary Disclosure Standard
- Why is minimum necessary so important?
- An individual has the right to expect that their PHI will remain secure and confidential.
- The more PHI is used or disclosed, the more likely it is to be revealed to third parties.
- Limiting the exchange of PHI to the minimum necessary reduces the potential for fraud and abuse.
Lesson 4 Minimum Necessary Disclosure Standard
- How is minimum necessary determined?
- DHR will determine who needs access to PHI and the amount of PHI needed per function.
- Varies by division and function
- DHR will evaluate each and every business activity requiring the use and/or disclosure of PHI.
- Once the minimum necessary is determined, DHR will communicate it to all affected parties (employees, business associates, trading partners, etc.).
Lesson 4 Minimum Necessary Disclosure Standard
- Responding to a request for the disclosure of PHI
- DHR will develop criteria that limit disclosures to only that necessary to comply with a specific request.
- Disclosure requests must be individually reviewed by employees according to the developed criteria.
- Ensure that only the minimum amount necessary is disclosed.
- DHR may rely on the requester's own determination of what is minimum necessary when the request comes from another covered entity, certain public officials or agencies, a professional who is a DHR workforce member or business associate, or a researcher with appropriate documentation; routine and recurring disclosures may be handled under standing protocols rather than case-by-case review.
HIPAA Training and Education Series
- Lesson 5 Administrative Requirements and Obligations
Lesson 5 Administrative Requirements and Obligations
- What are the administrative requirements under HIPAA Privacy?
- Privacy Official
- Privacy Training Program
- Safeguards
- Complaints
- Sanctions
- Documented Policies and Procedures
- Notice of Privacy Practices
- Business Associate Contracts
Lesson 5 Administrative Requirements and Obligations
- Privacy Officer
- DHR will designate a privacy official or officer.
- Responsible for the development, implementation and maintenance of the privacy policies and procedures
- In addition, DHR will designate a contact person to receive and process privacy complaints and to provide further information about privacy practices.
Lesson 5 Administrative Requirements and Obligations
- Privacy Training Program
- DHR will train all employees about privacy policies and procedures for PHI.
- DHR will document that training has been provided.
- Training will be completed within specific timeframes.
Lesson 5 Administrative Requirements and Obligations
- Safeguards
- DHR will implement and maintain appropriate administrative, technical, and physical safeguards.
- DHR will safeguard PHI from any intentional or unintentional use or disclosure that violates the requirements of the regulation.
- PHI safeguards are also a requirement of the HIPAA Security Rules.
Lesson 5 Administrative Requirements and Obligations
- Complaints
- DHR will develop and maintain a process for individuals to make complaints concerning
- Privacy policies and procedures,
- Compliance with privacy policies and procedures, and
- Compliance with the Privacy requirements of HIPAA.
Lesson 5 Administrative Requirements and Obligations
- Sanctions
- DHR will implement and apply appropriate sanctions against employees who fail to comply with DHR's privacy policies and procedures or with the requirements of the HIPAA Privacy Rules.
- The sanctions applied, and the reasons for them, must be documented.
Lesson 5 Administrative Requirements and Obligations
- Documented Policies and Procedures
- DHR will develop and implement privacy policies and procedures with respect to PHI.
- These address DHR's specific privacy practices as well as all of the elements of the HIPAA privacy rules.
- DHR will change or update its policies and procedures as necessary and appropriate to remain in compliance.
Lesson 5 Administrative Requirements and Obligations
- Notice of Privacy Practices
- DHR employees will provide individuals with a Notice of Privacy Practices.
- The Notice must be in plain language.
- DHR will revise the Privacy Notice with any material change to DHR's privacy practices.
- Direct treatment providers will make a good-faith effort to obtain the patient's written acknowledgement of the Notice of Privacy Practices and rights.
Lesson 5 Administrative Requirements and Obligations
- Business Associate Contracts
- Business Associates are entities that perform functions or services for DHR involving the use or disclosure of PHI.
- Business Associates must comply with HIPAA, indirectly, through mandated Business Associate Contracts with DHR.
- Business Associate Contracts allow DHR to obtain satisfactory assurance that the Business Associate will appropriately safeguard PHI.
- If DHR becomes aware of a material breach or pattern of violations by the Business Associate, it must take reasonable steps to cure the breach or end the violation; if those steps fail, DHR must terminate the contract (and relationship) if feasible, or report the problem to DHHS if termination is not feasible.
HIPAA Training and Education Series
- Lesson 6 Rights of Individuals
Lesson 6 Rights of Individuals
- What are the Rights of Individuals Under HIPAA Privacy?
- Certain uses and disclosures of PHI are permitted only with authorization
- Request privacy protection for PHI
- Confidential communications regarding PHI
- Access to PHI
- Amendment or correction of PHI
- Accounting of PHI disclosures
Lesson 6 Rights of Individuals
- Uses and Disclosures Permitted Only with an Authorization
- Individuals have the right to expect that certain uses and disclosures of their PHI will be permitted only with an authorization.
- The authorization is not valid unless it is signed and dated by the individual in question (or his or her personal representative); the individual may revoke it in writing at any time.
Lesson 6 Rights of Individuals
- Request Privacy Protection for PHI
- Individuals have the right to request that DHR restrict
- Uses and disclosures for treatment, payment and healthcare operations (TPO), and
- Disclosures permitted for involvement in the individual's care and for notification purposes.
- DHR does not have to agree to the request, but must have procedures in place to process such requests.
Lesson 6 Rights of Individuals
- Confidential Communications Regarding PHI
- Individuals have the right to confidential communications regarding their PHI.
- DHR must accommodate reasonable requests by individuals to receive communications of PHI by alternative means or at alternative locations (for example, mail to a different address or a call to a different number).
- A healthcare provider may not require the individual to explain the request; a health plan may require a statement that disclosure of all or part of the PHI could endanger the individual.
Lesson 6 Rights of Individuals
- Access to PHI
- Individuals have the right to inspect and obtain a copy of the PHI in a designated record set that is used to make decisions about them.
- The right lasts for as long as DHR maintains the information. HIPAA's six-year retention requirement applies to privacy documentation (policies, procedures and required records); medical record retention periods are set by other law.
- Exceptions include access to psychotherapy notes, PHI compiled for use in judicial or administrative actions, etc.
Lesson 6 Rights of Individuals
- Amendment or Correction of PHI
- An individual has the right to request amendment or correction of his or her PHI in a designated record set (e.g. medical record) for as long as the covered entity maintains the information.
- DHR does not have to agree to amend or correct the PHI, but it must respond in writing and, if it denies the request, allow the individual to file a statement of disagreement that is kept with the record.
Lesson 6 Rights of Individuals
- Accounting of Disclosures
- An individual has the right to receive an accounting of PHI disclosures made in the six years prior to the request.
- Exceptions include disclosures for treatment, payment and healthcare operations, disclosures to the individual, disclosures made under the individual's authorization, disclosures for national security purposes, etc.
- A written accounting of such disclosures must include the date of the disclosure, to whom the information was disclosed, a description of the information disclosed, and a brief statement of the purpose of the disclosure.
HIPAA Training and Education Series
- Lesson 7 Summary
Lesson 7 Summary
- What are the Penalties for Non-Compliance?
- Violation of the HIPAA Privacy Rules may lead to both civil and criminal penalties.
- Civil penalties (as originally enacted in 1996) range from $100 for a single violation to as much as $25,000 for multiple violations of the same requirement during a calendar year.
- Criminal penalties range from $50,000 and one year of imprisonment for knowingly obtaining or disclosing PHI, to as much as $250,000 and 10 years of imprisonment for a wrongful disclosure made with intent to sell the PHI or to use it for commercial advantage, personal gain or malicious harm.
Lesson 7 Summary
- The Importance of Privacy
- The HIPAA Privacy Rules address how and to whom protected health information may be disclosed.
- The increased use of electronic transactions of healthcare data and the general erosion of privacy necessitate minimum standards for the privacy of PHI.
- The HIPAA Privacy Rules intend to assure individuals that their PHI will remain private and free from improper use or disclosure.
Lesson 7 Summary
- Covered Entities
- Covered entities generally include
- Healthcare providers
- Healthcare payers
- Healthcare clearinghouses
Lesson 7 Summary
- Protected Health Information (PHI)
- PHI is any and all individually identifiable health information.
- PHI may be in electronic, paper-based, or oral form.
- Includes PHI that is stored as well as disclosed by a covered entity
Lesson 7 Summary
- Permitted Uses and Disclosures
- Treatment, payment, and other standard healthcare operations (TPO) do not require an authorization.
- Disclosures to a third party, disclosures for employment determinations, the sale, rental or barter of PHI, and other such uses and disclosures are not permitted without a signed authorization.
Lesson 7 Summary
- Minimum Necessary Disclosure Standard
- Must make a reasonable effort not to use or disclose more than the minimum amount of information necessary to accomplish an intended task.
- Minimum necessary does not apply to disclosures to, or requests by, a healthcare provider for treatment; to disclosures to the individual; to uses or disclosures made under the individual's authorization; to disclosures to the Department of Health and Human Services (DHHS) for compliance and enforcement; or to uses or disclosures required by law. It does apply to payment and healthcare operations.
Lesson 7 Summary
- Administrative Requirements and Obligations
- Requirements and obligations include
- A Privacy Official
- A Privacy Training Program
- Safeguards (administrative, technical, and physical)
- A Complaints Process
- Sanctions for Violations of Privacy
- Documented Policies and Procedures
- A Notice of Privacy Practices
- Business Associate Contracts
Lesson 7 Summary
- Rights of Individuals
- Certain uses and disclosures of PHI permitted only with authorization
- Request privacy protection for PHI
- Confidential communications regarding PHI
- Access to PHI
- Amendment or correction of PHI
- Accounting of disclosures of PHI
FOLLOW THESE DIRECTIONS TO RECEIVE CREDIT
- ENSURE YOU VIEW THE HIPAA 101 PRESENTATION
- ENSURE YOU COMPLETE THE COMPETENCY EXAM AND SEND IT TO HRD
- ENSURE YOU COMPLETE AN IN-SERVICE TRAINING ROSTER AND SEND IT TO HRD