Health Insurance Portability and Accountability Act (HIPAA) Program - PowerPoint PPT Presentation

1 / 51
About This Presentation
Title:

Health Insurance Portability and Accountability Act (HIPAA) Program

Description:

HIPAA Privacy Rules intend to assure individuals that their PHI will remain private and free from improper use or disclosure. Covered Entities Covered entities ... – PowerPoint PPT presentation

Number of Views:296
Avg rating:3.0/5.0
Slides: 52
Provided by: pspol
Category:

less

Transcript and Presenter's Notes

Title: Health Insurance Portability and Accountability Act (HIPAA) Program


1
HIPAA Training and Education Series
  • Health Insurance Portability and Accountability
    Act (HIPAA) Program
  • Privacy Overview
  • Training

2
PLEASE NOTE THE FOLLOWING IMPORTANT
INFORMATION
  • The slides you will be viewing were developed for
    all DHR staff.
  • Any laws or regulations regarding DMHDDAD
    consumer information that are more stringent do
    take precedence over the HIPAA standards.
  • When in doubt, check it out!

3
HIPAA Training and Education Series
  • Table of Contents
  • Lesson 1 Origin of the HIPAA Privacy Rules
  • Lesson 2 Protected Health Information (PHI)
  • Lesson 3 Permitted Uses and Disclosures of PHI
  • Lesson 4 Minimum Necessary Disclosure Standard
  • Lesson 5 Administrative Requirements and
    Obligations
  • Lesson 6 Rights of Individuals
  • Lesson 7 Summary

4
HIPAA Training and Education Series
  • Lesson 1 Origin of the HIPAA Privacy Rules

5
Lesson 1 Origin of the HIPAA Privacy Rules
  • Banker who serves on a county health board calls
    in all mortgages of customers with cancer
  •  
  • Congresswomans medical records faxed from an
    area hospital to the media on the eve of her
    election
  •  
  • Hacker downloads medical records and Social
    Security Numbers of over 5,000 patients at a
    local University Medical Center
  •  
  • Employees at a health plan improperly access
    private medical claims information of a famous
    athlete

6
Lesson 1 Origin of the HIPAA Privacy Rules
  • What is HIPAA Privacy?
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA)
  • Improvement in healthcare systems
  • Administrative Simplification Provisions
  • Increased electronic transactions general
    erosion of privacy in healthcare industry
  • HIPAA Privacy Rules address how and to whom PHI
    may be disclosed by healthcare entities covered
    under the law.

7
Lesson 1 Origin of the HIPAA Privacy Rules
  • Who Must Comply?
  • Healthcare Providers (hospitals, physicians,
    nurses, Veterans Health Administration, etc.)
  • Health Plans (HMOs, PPOs, Medicare, Medicaid,
    etc.)
  • Healthcare Clearinghouses
  • DHR

8
Lesson 1 Origin of the HIPAA Privacy Rules
  • Who Must Comply?
  • Business Associates
  • Trading Partners

9
HIPAA Training and Education Series
  • Lesson 2 Protected Health Information (PHI)

10
Lesson 2 Protected Health Information (PHI)
  • What is Protected Health Information?
  • Individually identifiable health information
    (IIHI)
  • Transmitted or stored electronically
  • Examples of PHI include
  • Name, age, sex and other personal demographic
    information
  • Health status information
  • Prescription drug information
  • Healthcare payment information
  • Prior existing conditions

11
Lesson 2 Protected Health Information (PHI)
  • What is Protected Health Information?
  • Applies to health information transactions such
    as
  • Claim payments and remittance advices
  • Provider claims and attachments
  • Premium invoices and payments
  • Eligibility information
  • Authorization and referral certifications
  • First report of injury

12
Lesson 2 Protected Health Information (PHI)
  • How is PHI disclosed or transmitted?
  •  
  • Telephone
  • Fax Machine
  • Internet/Intranet, Direct Dial-up Lines, Direct
    Data Entry and other EDI (Electronic Data
    Interchange)
  • Orally
  • Letters and Other Written Material

13
Lesson 2 Protected Health Information (PHI)
  • How is PHI stored?
  • Magnetic disk (hard disk, floppy disk, etc.)
  • Tape
  • Written or hard copies of medical records,
    enrollment forms, claim forms, beneficiary
    inquiries etc.

14
Lesson 2 Protected Health Information (PHI)
  • What is the importance and value of protecting
    health information?
  • We all have the right to keep information about
    ourselves private and free from improper use or
    disclosure.
  • In the electronic age, PHI may be more
    susceptible to privacy violations.
  • If the healthcare industry is to progress, it is
    imperative that consumers feel assured that their
    PHI is safe and free from privacy violations.

15
HIPAA Training and Education Series
  • Lesson 3 Permitted Uses and Disclosures of PHI

16
Lesson 3 Permitted Uses and Disclosures
  • What Uses and Disclosures of PHI Require an
    Authorization?
  • Third party disclosures
  • Marketing and fund raising activities
  • Non-health related affiliates
  • Underwriting or risk rating activities
  • Employment determinations
  • Sale, rental or barter of PHI
  • Psychotherapy notes

17
Lesson 3 Permitted Uses and Disclosures
  • What PHI Uses and Disclosures do not Require an
    Authorization?
  • Treatment, payment and healthcare operations
    (TPO)
  • Public health agency activities
  • Health oversight and regulatory agency activities
  • Judicial proceedings and law enforcement
    investigations
  • Healthcare fraud investigations
  • Emergency situations
  • Research purposes
  • If information is de-identified

18
Lesson 3 Permitted Uses and Disclosures
  • Verification Procedures
  • DHR must verify the identity and the authority of
    a person requesting access to PHI.
  • DHR must secure documentation, statements or
    other representations, whether oral or written,
    from the person requesting the PHI.
  • May use professional judgment

19
HIPAA Training and Education Series
Lesson 4 Minimum Necessary Disclosure Standard
20
Lesson 4 Minimum Necessary Disclosure Standard
  • What does minimum necessary mean?
  • Making a reasonable effort not to use or disclose
    more than the minimum amount of information
    necessary to accomplish an intended task

21
Lesson 4 Minimum Necessary Disclosure Standard
  • Why is minimum necessary so important?
  • An individual has the right to expect that their
    PHI will remain secure and confidential.
  • The more PHI is used or disclosed, the more
    likely it is to be revealed to third parties.
  • Limiting the exchange of PHI to the minimum
    necessary reduces the potential of fraud and
    abuse.

22
Lesson 4 Minimum Necessary Disclosure Standard
  • How is minimum necessary determined?
  • DHR will determine who needs access to PHI and
    the amount of PHI needed per function.
  • Varies by division and function
  • DHR will evaluate each and every business
    activity requiring the use and/or disclosure of
    PHI.
  • Once the minimum necessary is determined, DHR
    will communicate to all affected parties
    (employees, business associates, trading
    partners, etc.).

23
Lesson 4 Minimum Necessary Disclosure Standard
  • Responding to a request for the disclosure of PHI
  • DHR will develop criteria that limit disclosures
    only to that necessary to comply with a specific
    request.
  • Disclosure requests must be individually reviewed
    by employees according to the developed criteria.
  • Ensure that only the minimum amount necessary is
    disclosed
  • Exceptions include requests from another covered
    entity, certain public officials or agencies,
    certain business associates, researchers, etc.

24
HIPAA Training and Education Series
Lesson 5 Administrative Requirements and
Obligations
25
Lesson 5 Administrative Requirements and
Obligations
  • What are the administrative requirements under
    HIPAA Privacy?
  • Privacy Official
  • Privacy Training Program
  • Safeguards
  • Complaints
  • Sanctions
  • Documented Policies and Procedures
  • Notice of Privacy Practices
  • Business Associate Contracts

26
Lesson 5 Administrative Requirements and
Obligations
  • Privacy Officer
  • DHR will designate a privacy official or officer
  • Responsible for the development, implementation
    and maintenance of the privacy policies and
    procedures
  • In addition, DHR will designate a contact person
    to receive and process privacy complaints and to
    provide further information about privacy
    practices

27
Lesson 5 Administrative Requirements and
Obligations
  • Privacy Training Program
  • DHR will train all employees about privacy
    policies and procedures for PHI.
  • DHR will document that training has been
    provided.
  • Training will be completed within specific
    timeframes.

28
Lesson 5 Administrative Requirements and
Obligations
  • Safeguards
  • DHR will implement and maintain appropriate
    administrative, technical, and physical
    safeguards.
  • DHR will safeguard PHI from any intentional or
    unintentional use or disclosure, or violation of
    the requirements of the regulation.
  • PHI safeguards are also a requirement of the
    HIPAA Security Rules.

29
Lesson 5 Administrative Requirements and
Obligations
  • Complaints
  • DHR will develop and maintain a process for
    individuals to make complaints concerning
  • Privacy policies and procedures
  • Compliance with privacy policies and procedures
    and
  • Compliance with the Privacy requirements of HIPAA.

30
Lesson 5 Administrative Requirements and
Obligations
  • Sanctions
  • DHR will implement appropriate sanctions for
    failure to comply with privacy policies and
    procedures of the HIPAA regulations.
  • DHR will apply appropriate sanctions against
    employees who fail to comply with the privacy
    policies and procedures of the regulations.

31
Lesson 5 Administrative Requirements and
Obligations
  • Documented Policies and Procedures
  • DHR will develop and implement privacy policies
    and procedures with respect to PHI.
  • Address DHRs specific privacy practices as well
    as all of the elements of the HIPAA privacy rules
  • DHR will change or update its policies and
    procedures as necessary and appropriate to remain
    in compliance.

32
Lesson 5 Administrative Requirements and
Obligations
  • Notice of Privacy Practices
  • DHR employees will provide individuals with a
    Notice of Privacy Practices.
  • Notice must be in plain language.
  • DHR will revise Privacy Notice with any material
    change to DHRs privacy practices.
  • Direct treatment providers will make a good faith
    effort to obtain the patient's written
    acknowledgement of the Notice of Privacy
    Practices and rights.

33
Lesson 5 Administrative Requirements and
Obligations
  • Business Associate Contracts
  • Business Associates are entities with which DHR
    shares or exchanges PHI.
  • Business Associates must comply with HIPAA,
    indirectly, through mandated Business Associate
    Contracts with DHR.
  • Business Associate Contracts allow DHR to obtain
    satisfactory assurance that the Business
    Associate will appropriately safeguard PHI.
  • If DHR becomes aware of a material breach by the
    Business Associate, the contract (and
    relationship) must be terminated.

34
HIPAA Training and Education Series
Lesson 6 Rights of Individuals
35
Lesson 6 Rights of Individuals
  • What are the Rights of Individuals Under HIPAA
    Privacy?
  • PHI uses and disclosures are permitted only with
    authorization.
  • Request privacy protection for PHI
  • Confidential communications regarding PHI
  • Access to PHI
  • Amendment or correction of PHI
  • Accounting of PHI disclosures

36
Lesson 6 Rights of Individuals
  • Uses Disclosures Permitted Only with an
    Authorization
  • Individuals have the right to expect that certain
    uses and disclosures of their PHI will be
    permitted only with an authorization.
  • The authorization is not valid unless signed by
    the individual in question.

37
Lesson 6 Rights of Individuals
  • Request Privacy Protection for PHI
  • Individuals have the right to request that DHR
    restrict
  • Uses and disclosures for treatment, payment and
    healthcare operations (TPO), and
  • Disclosures permitted for involvement in the
    individuals care and notification purposes.
  • DHR does not have to agree to the request, but
    must have procedures in place to process request.

38
Lesson 6 Rights of Individuals
  • Confidential Communications Regarding PHI
  • Individuals have the right to confidential
    communications regarding their PHI.
  • DHR must accommodate reasonable requests by
    individuals to receive communications of PHI by
    alternative means or at alternative locations.
  • Applies to health plans when disclosure of all or
    part of PHI could endanger the individual.

39
Lesson 6 Rights of Individuals
  • Access to PHI
  • Individuals have the right to unfettered access
    to PHI that is used to make decisions about the
    individual.
  • Such PHI must be kept for 6 years
  • Exceptions include access to psychotherapy notes,
    PHI used in judicial or administrative actions,
    etc.

40
Lesson 6 Rights of Individuals
  • Amendment or Correction of PHI
  • An individual has the right to amend or correct
    his or her PHI in a designated record set (e.g.
    medical record) for as long as the covered entity
    maintains the information.
  • DHR does not have to agree to amend or correct
    the PHI.

41
Lesson 6 Rights of Individuals
  • Accounting of Disclosures
  • An individual has the right to receive an
    accounting of PHI disclosures made in the six
    years prior to the request.
  • Exceptions include disclosures for treatment,
    payment and healthcare operations, disclosures to
    the individual, for national security purposes,
    etc.
  • A written account of such disclosures must
    include the date of the disclosure, to whom the
    information was disclosed, and a description of
    the information disclosed.

42
HIPAA Training and Education Series
Lesson 7 Summary
43
Lesson 7 Summary
  • What are the Penalties for Non-Compliance?
  • Violation of HIPAA Privacy Rules may lead to both
    civil and criminal penalties.
  • Civil penalties range between 100 for a single
    violation to as much as 25,000 for multiple
    violations of the same requirement during a
    calendar year.
  • Criminal penalties range from 50,000 and one
    year in imprisonment for a simple PHI disclosure
    to as much as 250,000 and 10 years imprisonment
    for wrongful disclosure.

44
Lesson 7 Summary
  • The Importance of Privacy
  • HIPAA Privacy Rules address how and to whom
    protected health information may be disclosed.
  • The increased use of electronic transactions of
    health care data and the general erosion of
    privacy necessitate minimum standards for the
    privacy of PHI.
  • HIPAA Privacy Rules intend to assure individuals
    that their PHI will remain private and free from
    improper use or disclosure.

45
Lesson 7 Summary
  • Covered Entities
  • Covered entities generally include
  • Healthcare providers
  • Healthcare payers
  • Healthcare clearinghouses

46
Lesson 7 Summary
  • Protected Health Information (PHI)
  • PHI is any and all individually identifiable
    health information.
  • PHI may be in electronic, paper-based, or oral
    form.
  • Includes PHI that is stored as well as disclosed
    by a covered entity

47
Lesson 7 Summary
  • Permitted Uses and Disclosures
  • Treatment, payment, and other standard healthcare
    operations (TPO) do not require an authorization.
  • Disclosures to a third party, disclosures for
    employment determinations, the sale, rental or
    barter of PHI, and other such uses and
    disclosures are not permitted without a signed
    authorization.

48
Lesson 7 Summary
  • Minimum Necessary Disclosure Standard
  • Must make a reasonable effort not to use or
    disclose more than the minimum amount of
    information necessary to accomplish an intended
    task.
  • Minimum necessary does not apply to activities
    related to healthcare treatment, payment or
    healthcare operations (TPO), and to certain other
    activities such as disclosures to the Department
    of Health and Human Services (DHHS).

49
Lesson 7 Summary
  • Administrative Requirements and Obligations
  • Requirements and obligations include
  •  
  • A Privacy Official
  • A Privacy Training Program
  • Administrative Safeguards
  • A Complaints Process
  • Sanctions for Violations of Privacy
  • Documented Policies and Procedures
  • A Notice of Privacy Practices
  • Business Associate Contracts

50
Lesson 7 Summary
  • Rights of Individuals
  •  
  • Uses and disclosures of PHI permitted only with
    authorization
  • Request privacy protection for PHI
  • Confidential communications regarding PHI
  • Access to PHI
  • Amendment or correction of PHI
  • Accounting of Disclosures of PHI

51
  • FOLLOW THESE DIRECTIONS TO RECEIVE CREDIT
  • ENSURE YOU VIEW THE HIPAA 101 PRESENTATION
  • ENSURE YOU COMPLETE THE COMPETENCY
  • EXAM AND SEND TO HRD
  • ENSURE YOU COMPLETE A INSERVICE TRAINING
  • ROSTER AND SEND TO HRD
Write a Comment
User Comments (0)
About PowerShow.com