HIPAA 101

1
HIPAA 101

• Health Insurance Portability and Accountability
  Act (HIPAA)

2
HIPAA Purpose

• The primary purpose of the HIPAA legislation is
  to improve the efficiency and effectiveness of
  the countrys health care system by
• Creating standards to protect individuals medical
  records and other protected health information.
• Ensuring the security of client and patients
  health care information.

3
Course Overview

• Overview of the Federal HIPAA legislation
• The HIPAA Privacy Rule
• Protecting Client Information
• Client Rights
• DCF HIPAA Operating Procedures and Policies

4
Terms

• Course language mirrors federal law.
• Terminology interpretations mirror federal
  interpretations.
• Ask for an explanation of all new terms.

5
HIPAA rules apply to the entire agency and to all
employees.
6
DCF is a covered entity

• A covered entity is a
• Health Plan
• Health Care Clearinghouse
• Health Care Provider
• DCF is considered a covered entity because many
  activities within the agency meet the definition
  of one or more of these.

7
What does the HIPAA Privacy Rule Require?
8
The HIPAA Privacy Rule

• establishes appropriate safeguards to protect the
  privacy of health care information
• sets boundaries on the use and release of health
  information
• holds violators accountable if patient rights are
  violated (civil and criminal penalties)

9
HIPAA rules and Florida law
State Laws are the ceilingwhat we do already
HIPAA is the floorminimum standards
10
DCF Responsibilities

• Notify clients about their privacy rights
• Adopt and implement privacy procedures across the
  agency
• Train employees on privacy procedures
• Ensure business associates protect our client's
  information
• Designate an agency Privacy Officer

11
What is a Business Associate?

• Individuals or companies hired to do work for a
  covered entity that requires the use or
  disclosure of protected information.

12
What is Protected Health Information?
13
Protected Health Information (PHI)

• Individually identifiable information
• Transmitted or maintained in any electronic,
  written, or spoken format.
• For example, e-mail, fax, on-line databases,
  voice mail, video/audio recordings, or
  conversations.

14
Individually Identifiable Information

• Identifying data is any data that could
  reasonably be used to identify the person.
• Identifiers include data that can identify the
  individual, as well as his or her family members,
  household members, or employer.

15
The following are examples of identifiers

• Names
• All geographic subdivisions smaller than a state,
  including street address, city, county, precinct,
  zip code, and their equivalent geocodes
• All elements of dates (except year) directly
  related to an individual, including birth date,
  admission date, discharge date, and date of death
  (the birth year of individuals age 90 and over is
  also an identifier).
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers

• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including
  license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including fingerprints and
  voice prints
• Full face photographic images and any comparable
  images and
• Any other unique identifying number,
  characteristic or code.

16
PHI Use and Disclosure

• The Privacy Rule prohibits use or disclosure of
  protected health information unless
• It is used to provide treatment, payment, or
  health care operations, or
• Its use is authorized by the client, or
• Not sharing the information would prevent timely
  health care or be a risk to public safety.

17
Incidental Uses and Disclosures

• Occurs as a result of another use or disclosure
  permitted by rule.
• Allowable as long as reasonable safeguards are
  taken and minimum necessary standards are in
  place.

18
Reasonable Safeguards

• Actions the Department must take to ensure that
  the primary consideration when discussing
  protected health information of our clients or
  patients is for the appropriate treatment of the
  client or patient.

19
Reasonable Safeguard Examples

• Speaking quietly when discussing a
  client/patients condition with family members in
  waiting rooms or other public areas
• Avoiding using client/patient names in elevators
  and hallways
• Posting signs reminding staff to protect privacy
• Securing documents in locked offices and cabinets

• Using passwords and other security measures on
  computers.

20
Minimum Necessary Standard

• The minimum necessary means that the department
  will develop policies and procedures that limit
  the sharing of protected health information to
  the minimum necessary to do the job.

• These policies must
• Limit who has access to PHI
• Specify the conditions PHI can be accessed

21

• Client Rights

22
Clients have the right to

• Written notice of the Departments privacy
  practices
• Require their authorization for the release of
  information
• Request restrictions on the use of their PHI

• Inspect and copy their PHI as documented by the
  Department
• Request that improper uses are corrected
• Obtain a report of disclosures of their PHI
• File a grievance or complaint

23
DCF HIPAA Policies
24
CFOP 60-17 Chapters 1 and 2

• Establishes a uniform process for implementing
  and disseminating the privacy standards required
  by HIPAA regulations, within DCF.
• Notice of Privacy Policy
• Management and protection of Individually
  Identifiable Information policy
• Complaint/Grievance procedures

25
Notice of Privacy policy

• All employees and volunteers must read, sign, and
  follow the policy.
• DCF must maintain a posted copy of the Notice of
  Privacy Policy in areas accessible to employees
  and volunteers.

• Violation of this policy will result in
  disciplinary action and may result in criminal
  and civil penalties.

26
Management and Protection of Individually
Identifiable Information

• Written for our clients, patients, parents or
  guardians of clients or patients, caregivers,
  foster care parents, and adoptive parents to
  explain
• The Departments HIPAA related duties
• Reasons the Department will use/share protected
  information
• Client rights
• How to file a complaint or grievance

27
Management and Protection of Individually
Identifiable Information

• Shall be visibly posted at each facility,
  program, and service center and in waiting rooms
  and client interviewing rooms at facilities
  serving clients.
• All new clients and patients will be provided
  with a copy of the policy at time of initial
  contact with the Department.

28
Complaint /Grievance Procedure
Patient/Client believes rights under HIPAA may
have been violated
Patient/Client files a written or oral complaint
with local Privacy Officer (EEO Coordinator)
Local Privacy Officer coordinates investigation
with Central Office HIPAA Privacy Officer
If issue not resolved to patient/client
satisfactions, he or she can file a complaint or
grievance with the Federal Office of Civil Rights.
29
The Departments Privacy Officer

• Assistant Director, Office of Civil Rights
• 850-487-1901orSuncom 277-1901

30
HIPAA Information Resources

• HIPAA Operating Procedures are available
  electronically on the DCF web site
  http//eww.dcf.state.fl.us
• Additional HIPAA resources are available on the
  following web-sites
• My Florida.com http//www.myflorid
  a.com/hipaa/
• US Dept. Of Health and Human
  Services http//www.hhs.gov/ocr/
  hipaa/

31
HIPAA 101REVIEW

• Implementing the Privacy Rule

32
DCF must

• Safeguard the privacy of client/patient PHI,
  which includes past, present, or future
• Health conditions
• Provision of health care
• Payment for health care
• Provide notice of the Departments privacy
  practices
• Explain how, when, and why we may disclose or use
  client/patient PHI

33
Allowable uses of PHI

• General Rule Use and Disclosure not related to
  treatment, payment or operations must be
  authorized by the client.
• For treatment
• To obtain payment
• For department Operations

34
Exceptions to the Rule

• The Department can use or disclose client PHI
  without written authorization for the following
  reasons
• The law requires disclosure
• For public health activities
• For health oversight activities
• Relating to decedents
• For research purposes
• To avert threats to health or safety

35
Client Rights

• Request restrictions on uses or disclosures
• Chose how DCF contacts the client
• Inspect and copy his or her PHI records
• Request an amendment of PHI records
• Request a written audit of PHI disclosures
• Receive a copy of the Notice of Privacy policy
  and the Management and Identification of
  Individually Identifiable Information policy

36
Complaint/Grievance Procedure

• CFOP 60-17, Chapter 2 Protected Health
  Information Complaint/Grievance Procedure
• Policy
• Complaint investigation process
• Decision and disposition
• No retaliation protections
• Complaints or grievances can be filed with the
  DCF Office of Civil Rights or with the Federal
  HHS Office of Civil Rights

37
The End