HIPAA Privacy Keys to Success - PowerPoint PPT Presentation

About This Presentation
Title: HIPAA Privacy Keys to Success
Description: HIPAA 101 Keys to Success. Author: Registered User. Last modified by: gfr1972. Created Date: 2/14/2003 2:39:40 PM. Document presentation format: On-screen Show (4:3). PowerPoint PPT presentation.

Slides: 34
Provided by: Regis285
Transcript and Presenter's Notes

1
HIPAA Privacy: Keys to Success
  • Updated January 2010

2
HIPAA and Its Purpose
  • What is HIPAA?
    - Health Insurance Portability and Accountability
      Act of 1996
    - Title II: Administrative Simplification
    - It's a federal law
    - HIPAA is mandatory; there are penalties for
      failure to comply
  • Purpose
    - Protect health insurance coverage, improve access
      to healthcare
    - Reduce fraud and abuse
    - Improve quality of healthcare in general
    - Reduce healthcare administrative costs
      (electronic transactions)

3
HITECH and Its Purpose
  • What is HITECH?
    - Health Information Technology for Economic and
      Clinical Health Act
    - Subtitle D of the American Recovery and
      Reinvestment Act of 2009 (ARRA)
    - It's a federal law
  • Purpose
    - Makes massive changes to privacy and security
      laws
    - Applies to covered entities and business
      associates
    - Creates a nationwide electronic health record
    - Increases penalties for privacy and security
      violations

4
Key HITECH Changes
  • Breach Notification requirements
  • AOD for treatment, payment, and healthcare
    operations in electronic health record (EHR)
    environment
  • Business Associate Agreements
  • Restrictions
  • Right to access
  • Criminal provisions
  • Penalties
  • OCR Privacy Audits
  • Copy charges for providing copies from EHR
  • HIPAA preemption applies to new provisions
  • Private cause of action
  • Sharing of civil monetary penalties with harmed
    individuals

5
Civil Penalties for Non-compliance
Violation Category              Each Violation       All such violations of an identical
                                                     provision in a calendar year
Did Not Know                    $100 - $50,000       $1,500,000
Reasonable Cause                $1,000 - $50,000     $1,500,000
Willful Neglect, Corrected      $10,000 - $50,000    $1,500,000
Willful Neglect, Not Corrected  $50,000              $1,500,000
As of 2/17/09

6
Criminal Penalties for Non-compliance
  • For health plans, providers, clearinghouses and
    business associates that knowingly and improperly
    disclose information or obtain information under
    false pretenses. These penalties can apply to
    any person.
  • Penalties are higher for actions designed to
    generate monetary gain
    - up to $50,000 and one year in prison for
      obtaining or disclosing protected health
      information
    - up to $100,000 and up to five years in prison
      for obtaining protected health information
      under "false pretenses"
    - up to $250,000 and up to 10 years in prison for
      obtaining or disclosing protected health
      information with the intent to sell, transfer or
      use it for commercial advantage, personal gain or
      malicious harm

7
Facility Privacy Official
  • Your FPO is Cynthia Kean, HIM Director
  • Responsible for
    - Privacy Program
    - Privacy Rights of patients
    - Requests for Privacy Restrictions
    - Facilitating the training and education of staff

8
HIPAA Terminology
  • HIPAA: Health Insurance Portability and
    Accountability Act
  • HITECH: Health Information Technology for
    Economic and Clinical Health Act
  • PHI: Protected Health Information
  • CE: Covered Entity (Hospital)
  • ACE: Affiliated Covered Entity (Common
    ownership)
  • OHCA: Organized Health Care Arrangement (The
    hospital and medical staff will be considered an
    Organized Health Care Arrangement)
  • DRS: Designated Record Set (medical record and
    billing record)
  • AOD: Accounting of Disclosures (patient's right
    to receive)
  • Directory: Hospital census list used by
    volunteers and operators with name and room

9
How will HIPAA affect you?
  • Coversheets with confidential statement need to
    be used on all external faxes.
  • Screens will need to be placed out of public view
    when possible
  • Patient charts will need to be placed in secure
    area
  • PHI will need to be placed in Cintas containers
    for disposal
  • Patient family members will give a passcode for
    releases other than directory information
  • Patient information should only be accessed if
    there is a need to know

10
How will HIPAA affect you?
  • Registration will be giving out a Notice of
    Privacy Practices brochure to every patient
    concerning our patient privacy protection policy.
  • Patients will be given the option to opt out
    of our directory.
  • Patients have a right to a copy of their medical
    record
  • Authorizations need to be obtained from patient
    to release information for reasons other than for
    treatment, payment or healthcare operations (TPO)

11
What is Protected by HIPAA (PHI)?
  • Name
  • Address including street, city, county, zip code
    and equivalent geocodes
  • Names of relatives
  • Name of employers
  • All elements of dates except year (i.e. DOB,
    Admission, Discharge, Expiration, etc.)
  • Telephone numbers
  • Fax Numbers
  • Electronic e-mail addresses
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Web Universal Resource Locator (URL)
  • Internet Protocol (IP) address number
  • Finger or voice prints
  • Photographic images
  • Any other unique identifying number,
    characteristic, code

12
What is a Covered Entity (CE)?
  • Health plans, health care clearinghouses, and
    health care providers that transmit
    electronically for billing
  • Examples
    - Hospitals
    - Physician Practices
    - Insurance companies
    - Ambulance Transportation Services
    - Hospice
    - Home Health

13
What does that mean to me?
  • You can share information without patient
    authorization as it relates to TPO
  • Other covered entities will request only minimum
    necessary to perform their job
  • You may request the minimal information necessary
    from them for reasons of TPO without patient
    authorization
  • May need to verify the requestor according to
    policy

14
Disclosing PHI to Family Members and Friends Who
Call the Unit
  • Patient will be assigned a four-digit passcode.
    Knowledge of this passcode will allow information
    (PHI) to be shared with the family member or
    friend
  • Distribution of passcode will be the
    responsibility of the patient
  • Passcode may be changed during treatment
  • Revocation and password change form must be
    routed to FPO
  • Passcode will be the last four digits of the
    patient account number

15
Verification of Requestors
  • Requestors via phone will need
    - Patient SSN, DOB, and one of the following:
      account number, street address, MR number,
      birth certificate, insurance card or policy
      number
  • Scenarios
    - Unknown physician calling from cell phone
    - Family member or friend calling without passcode

16
External Faxing Guidelines
  • Limit when possible
  • Verify fax number
  • Utilize preset numbers when applicable
  • Fax machine located in secure location
  • ALWAYS use cover sheet with confidentiality
    statement for transmittals
  • Highly sensitive information should not be faxed
    (HIV status, abuse records, etc.)

17
Patient's Right to Access
  • Forward to HIM for processing
  • Must be able to provide access and/or hard copy
    of record
  • If patient is in-house, HIM will manage access
    process

18
Patient's Right to Amend
  • Forward request to HIM for processing
  • Right of patient to request amendment to records.
    Request must be in writing
  • Cannot change or omit documentation already in
    the medical record
  • If patient is in-house HIM will manage amendment
    process

19
Patient's Right to Opt out of Directory
  • Patient can opt out of directory at any time, but
    this will probably happen during the admission
    process
  • You may not acknowledge the patient is in the
    facility or give information about the patient to
    friends, family or others who may inquire
  • Can still release information to family and
    friends with 4-digit passcode as defined in the
    Directory policy.
  • Forward any request for opt out to Registration
    for processing

20
Right to Privacy Restrictions
  • Patients have the right to request a privacy
    restriction of their PHI
  • NEVER agree to a restriction that a patient may
    request
  • All requests must be made in writing and given to
    the FPO to make a decision on
  • NO request is so small that it should not be
    routed to the FPO

21
Patient Privacy Complaints
  • FPO must maintain complaint log in accordance
    with the complaint process
  • ALL privacy complaints must be routed to the FPO
  • Responses cannot be accompanied by retaliatory
    actions by the hospital
  • Disposition of complaint must be consistent with
    the facility's Sanctions for Privacy Violations
  • Risk Management module of Meditech may be used
    for complaint tracking

22
Accounting of Disclosures (AOD)
  • Right to an accounting of disclosures of
    protected health information
  • An individual has a right to receive an
    accounting of disclosures of protected health
    information made by a covered entity in the six
    years prior to the date on which the accounting
    is requested, except for disclosures
    - For TPO
    - To the patient
    - For directory purposes
    - To law enforcement or correctional institutions
    - For national security

Additional requirements forthcoming as a result
of HITECH regulations

23
How will Accounting of Disclosures (AOD) affect me?
  • You must enter information into the AOD for
    - State mandated reporting
    - Suspected Abuse Victims
    - Certain Disease reporting such as STDs
    - Brain Injury
    - Organ and Tissue Donations
    - Health Oversight Activities (JCAHO)

24
Notice of Privacy Practices
  • Patient will receive Notice upon each
    registration
  • Outlines patient rights
    - Right to access
    - Right to amend
    - Confidential Communication
    - Right to Privacy Restriction
    - Right to Opt out of Directory

25
Sharing Information with Other Treatment Providers
  • We can share information with physicians and
    office staff, hospitals, or other treatment
    facilities just as we do today
  • Need to verify the requestor according to policy
  • Patient information (PHI) can be released for
    reasons of treatment, payment or health care
    operations

26
Confidential Communications
  • Request for use of alternate address or phone
    number for future contact
  • Route any request for Confidential Communications
    to Admissions
  • Should communicate only with alternate address
    given

27
Breach Notification
  • HITECH provisions require the following
    notifications when breaches (as defined in the
    regulations) occur
    - To the patient
    - To the Department of Health and Human Services
    - To the media when the breach involves more than
      500 individuals in the same state or jurisdiction

28
Ensuring Security Compliance
  • Ensure users log off terminals when not in use.
  • PCs should have screen savers whenever
    possible.
  • Computer screens should be positioned so
    information (PHI) is not readable by the public
    or other unauthorized viewers.
  • Printers should be positioned in protected
    locations so that printed information is not
    accessible or viewable by an unauthorized
    person.
  • PHI must be properly disposed of.

29
Common Exposures on Nursing Units
  • Discussions of patient information in public
    places such as elevators, hallways and cafeterias
  • Printed or electronic information left in public
    view (e.g., charts left on counters)
  • Discussing patient information on social
    networking sites (e.g., Facebook, Twitter)
  • PHI in regular trash
  • Records that are accessed without need to know in
    order to perform job duties
  • Unauthorized individuals hearing patient
    sensitive information such as diagnosis or
    treatment

30
Sanctions
  • 3 levels of violations that require disciplinary
    action
    - Accidental and/or due to lack of proper education
    - Purposeful violation of privacy policy or an
      unacceptable number of previous violations
    - Purposeful violation of privacy policy with
      associated potential for patient harm
  • FPO to review facility sanctions policy examples

31
Test Your Knowledge
  • The FPO at JFK Medical Center is
    - Gina Melby, CEO
    - The President of the Medical Staff
    - Cynthia Kean, HIM Director
    - Jim Leamon, CFO
  • Does the patient have the right to access or
    obtain a copy of their medical record?
    - Yes
    - No
  • Can a patient amend their record?
    - Yes
    - No
  • What is protected by HIPAA (PHI, Protected Health
    Information)?

32
Test Your Knowledge
  • What right is NOT provided under HIPAA?
    - Right to Opt out of the directory
    - Right to not pay the bill
    - Right to amend
    - Right to request Confidential Communication
  • Under HITECH when a breach occurs the
    following must be notified, EXCEPT
    - The Department of Health and Human Services
    - The media when more than 500 individuals reside
      in the same state or jurisdiction
    - The patient's next of kin
    - The patient
  • One of the purposes of HITECH is to create an
    electronic health record
    - True
    - False

33
Test Your Knowledge
  • Patients have the right to request a privacy
    restriction of their PHI. This request must
    always be forwarded to the
    - Admitting Physician
    - The FPO
    - The Chief Nursing Officer
    - The Quality Director
  • Criminal penalties for non-compliance can apply
    to any person
    - True
    - False
  • Examples of exposure would be
    - discussions of a patient's diagnosis in the
      elevator
    - PHI in the trashcan
    - sharing PHI without an authorization when one is
      required
    - sharing of passwords