HIPAA Health Insurance Portability and Accountability Act - PowerPoint PPT Presentation
Slides: 57
Provided by: PaulRas9
1
HIPAA
Health Insurance Portability and Accountability Act
HIPAA is a law that JIRDC staff must follow.
This program will focus on the rights of people
who live at JIRDC and their guardians. As a
consumer of health care, you also have these
rights.
2
The Health Insurance Portability and
Accountability Act (HIPAA)
  • What is HIPAA?
  • What does this mean to us at JIRDC?
  • What are the six Privacy Rights?
  • What is Protected Health Information (PHI)?
  • What do we do with PHI?
  • What changes must we make here at JIRDC?
  • How long do we have and what if we don't?

3
HIPAA - What is it?
  • Congress passed a law - the Health Insurance
    Portability and Accountability Act (HIPAA) - in
    order to require insurance companies, hospitals,
    and other health care providers to protect
    people's privacy.
  • JIRDC has been classified as a health care
    provider, so we must meet the requirements of
    this law.

4
What does it mean to us?
  • People who live at JIRDC and their guardians have
    six Privacy Rights.
  • We must understand what Protected Health
    Information (PHI) is.
  • We must be very careful with PHI and learn to use
    minimum necessary.
  • All staff must receive Privacy training.

5
Residents Have Six Privacy Rights
  1. The right to receive a copy of JIRDC's Notice of
    Privacy Practices
  2. The right to inspect and receive a copy of
    information in files we keep
  3. The right to request a change in information
  4. The right to know who we have shared their
    information with
  5. The right to request restrictions on who we share
    information with
  6. The right to request an alternative method of
    contact

Because the people living at JIRDC each have a
legal guardian, the guardian will be the person
who exercises these rights.
6
Notice of JIRDC Privacy Practices
1
  • We have developed a detailed notice of JIRDC
    privacy practices explaining how Protected Health
    Information (PHI) is handled for treatment,
    payment, and health care operations and
    explaining the Privacy Rights.
  • The social workers are responsible
    for sending a JIRDC Notice of
    Privacy Practices to each guardian.

7
Access of Individuals to PHI
2
  • JIRDC residents and their guardians have a right
    to inspect certain records that we keep.
  • The request begins with the completion of a
    Request for Consumer Access to Protected
    Information Form.
  • If we receive a request by an individual to view
    their record (all or part), we must act on the
    request within 30 days.

8
Location of JIRDC Records
  • JIRDC has identified certain records that may
    be inspected. The primary records are
  • record in the home
  • record housed in the Resident Records Department

The log book is an example of a record that may
not be inspected because it contains information
about more than one person.
9
Location of Request Form
  • Each guardian must sign a form when requesting
    to see the records. The Social Worker or Home
    Coordinator will have this form.
  • Although we have 30 days to allow access, it
    should not take long to reply to a request.

10
Amending PHI
3
  • If a guardian feels that some information in the
    record is not correct, he may ask for a change to
    be made.
  • Residents and their guardians have the right to
    request amendments to PHI by completing a
    Request for Amendment of Health Care
    Information form.
  • We must respond to requests for amendment within
    60 days.
  • If we determine the PHI is accurate and complete,
    it does not have to be amended.

11
Accounting of Disclosures of PHI
4
  • A guardian may ask to see a record of individuals
    who have seen the resident's chart for the 6
    years prior to the request.
  • This does not include disclosures for treatment,
    payment, or operations.
  • This also does not include disclosures to the
    individual or guardian or to law enforcement.
  • No information must be provided
    about disclosures that occurred
    prior to April 14, 2003.

12
Requesting Restrictions on Disclosures of PHI
5
  • Guardians may request that we limit the use and
    disclosure of health information about residents
    for the purposes of treatment, payment, and
    operations.
  • We are not required to agree to their request to
    limit the number of people who view the record.
  • If we do agree to it, we must follow the agreed
    restrictions (except for emergency treatment).

13
Receiving PHI - Alternative Means or Alternative
Locations
6
  • Guardians usually prefer that information be
    mailed to their home addresses and that phone
    calls be made to their home phones. However, a
    guardian may ask JIRDC to use a different
    address, phone number, e-mail, FAX, etc.

14
Receiving PHI - Alternative Means or Alternative
Locations
6
  • We must provide our guardians with the
    opportunity to receive PHI communications by
    alternative means or at alternative locations
    (such as a work address instead of a home
    address).
  • We must oblige all reasonable requests.

15
Refraining from Retaliation
  • Guardians who want to exercise their rights
    should not receive any negative responses from
    staff.
  • JIRDC must not intimidate, threaten, coerce,
    discriminate, or retaliate against any person
    attempting to exercise their rights under the
    privacy regulations.
  • All staff must remain neutral toward
    guardians choosing to exercise their rights.

16
Protecting Confidential Information Learned at
JIRDC
  • ALL information about a person who lives at JIRDC
    which is learned as a result of performing your
    job is confidential information.
  • According to state law, all JIRDC employees are
    responsible for assuring confidentiality.
  • If you don't protect information about people who
    live at JIRDC, you can be fined, suspended, or
    dismissed from your job.
  • The Federal HIPAA law focuses on Protected Health
    Information (PHI).

17
What is Protected Health Information (PHI)?
  • Any health information that can be identified to
    a person is PHI.
  • We are using a very liberal definition of health
    information that includes treatment, care, and
    demographic information.
  • The fact that a person lives at JIRDC is PHI.
  • PHI can be dates (except just the year), record
    number, Social Security Number, full face
    photographic image, or any other unique,
    identifying information.

18
Recognizing PHI When You See It
  • PHI is not just information in the resident
    record. PHI can look like anything.

PHI can be spoken, such as a conversation or
answering machine message.
PHI can be written, such as on a piece of paper,
a computer monitor, or a chalkboard.
19
Recognizing PHI When You See It
  • PHI reveals something about a person's past,
    present, or future health or condition.
  • PHI is individually identifiable (gives a
    reasonable basis for determining a person's
    identity). PHI is about a specific person. You
    may know the person if you hear their name or if
    you can guess who it is by the information that
    is provided.

20
It can look like anything
Rule 1
  • Data appearing on computer monitors
  • Lab test results
  • Resident schedule boards
  • A conversation about a resident's health
  • An appointment reminder left on a guardian's
    answering machine
  • File server backup tapes
  • Financial records

21
It reveals something about health
Rule 2
  • It does not have to be present health. It
    can also be past or future health.
  • It does not have to be about bad health. "Joe is
    feeling fine" also qualifies as PHI.
  • Since knowledge that a person lives
    at JIRDC strongly implies a diagnosis of mental
    retardation, this also qualifies as
    PHI.

22
It is individually identifiable
Rule 3
  • This means that someone seeing or hearing the
    health information can identify the person it's
    about.
  • The information must provide a reasonable basis
    for determining the person's identity.
  • When health information is paired with unique
    identifiers (like client number or a photograph)
    it is always PHI.

23
What do we do with PHI?
  • Protect it! Keep it private by not leaving it
    lying around where it can be seen.
  • Except for treatment reasons, provide the
    minimum necessary to meet the needs of the
    requestor.
  • Minimum necessary means providing just enough
    information to meet the needs of the requestor
    and no more.

24
Some things we do to protect PHI
  • Pick up all meeting handouts
    and erase blackboards when meetings
    are done.
  • Working on PHI? When you leave for lunch, cover
    it up AND lock it up.
  • Talking PHI on the phone? Keep your voice low if
    you might be overheard.
  • Avoid mentioning PHI at restaurants.

25
Dealing with PHI - Test Yourself
Five situations related to minimum necessary
follow. Read each situation. Determine if
each situation was handled correctly.
26
Dealing with PHI - Scenario 1
  • Mary is escorting four residents to a movie. As
    they are leaving, Mary's supervisor tells her to
    make sure Phil gets to sit very close to the
    screen because he is having some vision problems
    stemming from developing cataracts.

Was this situation handled correctly?
27
Dealing with PHI - Scenario 1
  • Since treatment of Phil's cataracts was not
    involved, the minimum necessary rule applies
    here. It was appropriate for Mary's supervisor
    to tell her to make sure Phil gets to sit very
    close to the screen because he is having some
    vision problems. It was not necessary to mention
    his cataracts.

This is NOT minimum necessary.
28
Dealing with PHI - Scenario 2
  • Mary has been asked to drive Phil to a shoe store
    and help him purchase new shoes. Mary's
    supervisor tells her to make sure Phil's new
    shoes have good arch support because he has heel
    spurs.

Was this situation handled correctly?
29
Dealing with PHI - Scenario 2
  • Selecting the proper shoes is a big part of the
    treatment of heel spurs. Communicating the fact
    that Phil has heel spurs was for treatment
    reasons, so the minimum necessary rule does not
    apply. It was appropriate for Mary's supervisor
    to mention the heel spurs. It would also be
    appropriate for Mary to mention it to the store
    clerk.

This is a treatment situation and minimum
necessary does not apply.
30
Dealing with PHI - Scenario 3
  • A JIRDC advocate is interviewing Mary about a
    bruise that has appeared on Phil's arm. Mary
    answers questions about the bruise, but decides
    not to tell the advocate about two other bruises
    on Phil's leg since this information does not
    seem to meet the minimum necessary rule.

Was this situation handled correctly?
31
Dealing with PHI - Scenario 3
  • The advocate's investigation of possible abuse is
    a part of Phil's treatment at JIRDC and the
    minimum necessary rule does not apply. Mary
    should have mentioned the leg bruises to the
    inquiring resident advocate.

Advocates have the right to see all information.
Minimum necessary does not apply.
32
Dealing with PHI - Scenario 4
  • Phil's mother shows up unexpectedly with a copy
    of JIRDC's Notice of Privacy Practices in her
    hand. She wants to examine Phil's chart. Mary
    remembers this is a new right, takes her to the
    chart, and lets her examine it.

Was this situation handled correctly?
33
Dealing with PHI - Scenario 4
  • Requests to examine records must be handled by
    the Home Coordinator. Mary should have helped
    Phil's mother submit her request to the Home
    Coordinator in writing (required) and should not
    have allowed her to examine any records.

A guardian must complete a written request
to see the record.
34
Dealing with PHI - Scenario 5
  • Phil suddenly develops very shallow breathing and
    is taken to Grace Hospital's emergency room.
    Staff take Phil's resident record with them. The
    entire record is made available to emergency room
    physicians as they attempt to determine the cause
    of Phil's shallow breathing.

Was this situation handled correctly?
35
Dealing with PHI - Scenario 5
  • The sharing of Phil's PHI with the staff at Grace
    Hospital was for treatment reasons. The minimum
    necessary rule does not apply.

This is a treatment situation and minimum
necessary does not apply.
36
Rules We Must Follow at JIRDC
JIRDC staff have many rules regarding the
handling of PHI. Many of the rules involve how
computers are used. ALL of the rules involve
common sense.
37
Some Rules We Must Follow
  • PHI must be secured when no one is in the area:
    no open log books.
  • No PHI should be viewable in public
    areas.
  • No PHI should be sent in e-mail
    (except password-protected attachments).
  • No PHI should be left at copy machines, fax
    machines, or conference rooms.
  • Discarded PHI must be shredded.

38
Computer Rules We Must Follow
  • Computer monitors showing PHI must be positioned
    for privacy.
  • Computer passwords must not be shared and must be
    reasonably un-guessable.
  • Computer passwords must not be left visible or
    hidden where they can be found.
  • Computer users must log-off the network when
    leaving computers unattended.

39
More Rules We Must Follow
  • If you notice your login name has been changed
    while you were away from your computer, report it
    to Computer Services.
  • If you see an intruder lockout message while
    logging into the network, report it to Computer
    Services.
  • Pay attention to any unusual login names that
    show up on your computer. Report what you see to
    Computer Services.

40
Even More Rules We Must Follow
  • We must not discuss a resident within the hearing
    of other individuals or visitors.
  • We must not leave keys unattended.
  • When sharing resident health information, we must
    share the minimum necessary (except for
    treatment reasons).
  • JIRDC must sanction staff for violations of the
    Privacy rules.

41
Security Awareness at JIRDC
All JIRDC staff are responsible for keeping data
secure. Computer data should be kept safe by the
person who created the disk, CD, or printout. All
security incidents must be reported as soon as
possible.
42
Security Awareness
  • JIRDC data must be kept secure at all times.
    Staff who use computers and staff who do not use
    computers are responsible for protecting
    information.
  • Information created on JIRDC computers is
    considered property of JIRDC and the State of NC
    regardless of how information is stored.

43
Security Awareness Continued
  • Computer printouts, floppy disks, or CDs which
    are found not under direct observation of a
    responsible data owner should be picked up by the
    person who finds them and turned in
    to their supervisor.

44
Security Awareness Continued
  • A security incident is a violation, or imminent
    threat of violation, of computer security
    policies. Notify your supervisor or the
    JIRDC Computer Help Desk as soon as
    possible if you suspect a security incident has
    occurred.

45
Workforce Privacy Sanctions
If staff break the rules, there are 3
levels of violations and punishments.
The 1st level is accidental.
The 2nd level is purposeful.
The 3rd level is malicious.
Malicious violations are the most serious
and can result in loss of jobs and
criminal prosecution.
46
Workforce Privacy Sanctions - Accidental Violations
  • This violation occurs when an employee
    unintentionally or carelessly accesses or reveals
    resident information to others without a
    legitimate need to know.
  • Examples: discussing a resident
    in a public area without discretion;
    sharing your network password.
  • Sanctions include verbal counseling and training
    or written counseling and training.

47
Workforce Privacy Sanctions - Purposeful Violations
  • This violation occurs when an employee accesses
    or discusses information about a resident for
    purposes other than the care of the resident or
    to perform one's specific job
    responsibilities.
  • Examples: using another employee's
    login name and password;
    looking up resident information
    out of curiosity.
  • Sanctions include written counseling and training
    or suspension and training.

48
Workforce Privacy Sanctions - Malicious Violations
  • This violation occurs when an employee accesses
    or reveals resident information to others for
    personal gain or with malicious intent.
  • Examples: destroying or altering
    data intentionally; releasing information
    in an attempt to harm a resident
    or JIRDC.
  • Sanctions include written counseling and
    training, termination, and prosecution.

49
Failure to Comply - Penalties
JIRDC and the employee can be punished for
violations. The following fine is for JIRDC:
  • $100 per violation per person,
    up to $25,000 per person
    per year per
    standard violated

50
Failure to Comply - Penalties
The remaining fines and jail time apply to the
employee:
  • Up to $50,000 and 1 year in prison
    for inappropriate use of PHI
  • Up to $100,000 and 5 years in prison
    for using PHI under false pretenses
  • Up to $250,000 and 10 years in prison
    for intent to sell or use PHI
    for personal gain or
    malicious harm

51
Let's Review! Residents Have Six Privacy Rights
  1. The right to receive a copy of JIRDC's Notice of
    Privacy Practices
  2. The right to inspect and receive a copy of
    information in files we keep
  3. The right to request a change in information
  4. The right to know who we have shared their
    information with
  5. The right to request restrictions on who we share
    information with
  6. The right to request an alternative method of
    contact

52
Let's Review! Three Rules for Recognizing PHI
  • PHI can look like anything.
  • PHI reveals something about health.
  • PHI can be identified to an individual.

53
Let's Review! PHI Must Be Protected
  • We must not leave it lying around where it can
    be seen.
  • We must not post it
    in public places.
  • We must be careful
    what we say when
    we can be overheard.

54
Let's Review! What Is Minimum Necessary?
  • Except for treatment reasons, when sharing health
    information about a resident you should share the
    minimum necessary amount of information.
  • That means what it takes to
    get the job done and no more.
  • There should be no gossiping
    about resident health matters.

55
Let's Review! Violations MUST Be Punished
  • Violations of HIPAA Privacy rules MUST be
    punished by JIRDC Administration.
  • Minor violations will be viewed as training
    opportunities.
  • There are some very severe penalties for
    violating the privacy rights of
    JIRDC residents.
  • How severe? Up to 10 years in jail and a
    $250,000 fine.

56
How much have you learned?
You have finished the HIPAA slide show. Tell the
LRC Instructor that you are ready to take the
quiz.