WHAT IS HIPAA?

1
WHAT IS HIPAA?

• (The Health Insurance Portability and
  Accountability Act of 1996)

2
HIPAA

• Is a Federal Law

• Creates uniform standards for certain
  payment-related transactions (e.g., claims
  submissions and eligibility verification and
• Creates minimum standards for the privacy and
  security of patient information.

3
TRAINING REQUIREMENT

• Compliance with the HIPAA regulations is the
  responsibility of the entire staff. This
  includes employees, medical staff, volunteers,
  residents, and students
• Everyone must take steps to protect the
  confidentiality and privacy of patient
  information, and
• Everyone is required to receive HIPAA training.
• At the end of this presentation, you will be
  asked to sign a certification which says you have
  received this training and agree to abide by the
  Hospitals HIPAA policies.

4
HIPAA PRIVACY BASICSGENERAL PRIVACY RULE

• You may not USE or DISCLOSE Protected Health
  Information (PHI) except as permitted by the
  privacy regulations.

5
WHAT IS PROTECTED HEALTH INFORMATION OR PHI?

• PHI is any information relating to a persons
  health status, treatment or payment for health
  services which is created or received by the
  Hospital and which may identify the individual.
• Includes Oral, written and electronic records
  and communications.

6
QUESTION

• Which of the following is PHI?

• A patients name

• A patients address

• A patients Medicaid number

• A patients date of birth

• All of the above

7
Answer

• Each of those items is considered PHI, or
  Protected Health Information.

8
EXAMPLES OF WHERE YOU MIGHT ENCOUNTER PHI

• A sign-in sheet that includes the patients name
  and reason for her visit
• A code that documents a specific health procedure
  or test
• A patient identification bracelet or band, or an
  insurance card
• A conversation about a patients health over
  lunch with a colleague
• An appointment reminder message left on an
  answering machine

9
MORE EXAMPLES OF PHI

• Physician dictation that is yet to be transcribed
• Patient status boards
• A telephone call to verify health insurance
  coverage
• The OR schedule
• PAY CLOSE ATTENTION TO AREAS WHICH LEND
  THEMSELVES TO PRIVACY VIOLATIONS DO A
  WALK-THROUGH OF YOUR FLOOR/DEPARTMENT

10
PRIVACY NOTICE

• Prior to providing services (except in an
  emergency or if the patient lacks capacity), the
  Hospital must provide each patient with a privacy
  notice and make a good faith effort to obtain a
  written acknowledgment from the patient that
  he/she has received the Hospitals privacy
  notice.
• If the Hospital is unable to obtain the
  acknowledgment, it must document the attempt that
  was made, and the reasons why such attempt was
  not successful.
• The acknowledgement should be kept for at least
  six years.

11
PRIVACY NOTICE

• The Hospitals privacy notice describes
• How the Hospital uses and discloses PHI
• The patients rights concerning their PHI
• How the patient can make complaints (both to the
  Hospital and to the Office of Civil Rights)
  concerning privacy or security issues
• The Hospitals notice is a joint notice, and it
  covers the Hospital and its medical staff with
  regard to services rendered at the Hospital

12
PERMITTED DISCLOSURESFOR THE HOSPITALS USE

• The Hospital may use and disclose PHI without
  obtaining a HIPAA-compliant authorization form
  for the Hospitals Treatment, Payment and Health
  Care Operations purposes.
• Note You must still comply with other more
  stringent laws (e.g., NYS law, HIV law, mental
  health law, and drug and alcohol laws).

13

TREATMENT

• The provision, coordination and/or management of
  health care and related services including
  consultations and referrals.
• Examples
• If a patient receives care at a Hospital, the
  Hospital may send the patients blood to a
  reference laboratory for analysis.
• One physician may consult with another physician
  concerning the care of a particular patient.
• Hospital discharge personnel may provide
  information to nursing homes/home health agencies
  who may subsequently treat the patient.

13
14
PAYMENT

• The activities undertaken by a provider to obtain
  reimbursement for services provided.
• Examples
• The Admitting Office is permitted to contact an
  insurance company to determine if a
  patient has insurance coverage.
• The Billing Department is permitted to send a
  bill to the patient or the patients third party
  payor.

15
HEALTH CAREOPERATIONS

• The Hospitals routine activities such as quality
  assurance, case management, credentialing,
  accreditation, education of staff, business
  planning and customer service.
• Examples
• Presenting case studies at a performance
  improvement meeting
• Sending incident reports to malpractice carriers
• Training of staff, residents and interns
• Participating in JCAHO accreditation

16
PERMITTED DISCLOSURESFOR THE USE OF OTHERS

• In addition, the Hospital may disclose PHI
  without an authorization
• For other providers Treatment, Payment purposes
  and certain Healthcare Operations
• To DHHS
• To a patients family and personal
  representatives
• In a facility directory and
• In all other situations authorized by HIPAA.

17
AUTHORIZATIONS

• If the Hospital wants to use PHI for purposes
  other than treatment, payment or health care
  operations it must obtain a HIPAA-compliant
  authorization form.

• Examples
• Research
• Marketing
• Photographing patients
• (for other than treatment purposes)

• The authorization form must be signed by the
  patient or his/her legal representative
• The authorization form must be detailed and
  specific to the use or disclosure.

18
QUESTION
A patient comes to a hospital. Which of the
following can be performed without written
authorization from the patient or his/her legal
representative?

1. Doctors reviewing the treatment plan for elective
   surgery
2. Billing for elective surgery
3. Sending laboratory results to an outside lab
4. Discussing the patients care at a quality
   assurance meeting
5. All of the above

19
Answer

• Each of those actions can be performed without
  written authorization from the patient or his/her
  legal representative.

20
MINIMUM NECESSARY RULE

• You must limit the PHI which you use, disclose or
  request to the minimum necessary to accomplish
  your job responsibilities.

20
21
MINIMUM NECESSARY RULEEXAMPLES

• Example 1 When PHI is disclosed in response to
  a request from a health plan, only the
  information requested should be sent rather than
  the entire medical record.
• Example 2 When PHI is used by health care
  provider, such as a Physical Therapist to treat a
  patient, the therapist limits their use of the
  medical record to those portions that are
  essential to the treatment of the patient.

21
22
MINIMUM NECESSARY RULE EXCEPTIONS

• The minimum necessary rule does not apply when
  PHI is disclosed to or requested by the patient
  himself, or by a provider in order to treat an
  individual.

22
23
MINIMUM NECESSARY RULE (Contd)

• If you regularly receive reports containing PHI
  which you do not need to receive or if you have
  greater access to PHI than you need to perform
  your job, please contact
• your Department Manager or
• Terry Lillis, our Privacy Officer.

23
24
INDIRECT PROVIDERS

• Deliver care based upon the orders of another
  health care provider
• Transmit the results of these services directly
  to the provider who ordered the service (not to
  the patient)
• Are not required to obtain a privacy notice
  acknowledgment prior to providing services and
• Are not Business Associates.
• EXAMPLES Laboratories, pathologists, radiologists

25
HIPAA HOT SPOT HIPAA AND OTHER LAWS

• As the Hospital implements HIPAA, it must
  continue to follow current Hospital policy (which
  may be based upon other Federal and State law)
  unless the policy directly conflicts with HIPAA.
  
• If HIPAA and State law address the same topic,
  HIPAA applies, unless the State law offers the
  patient greater rights.

26
HIPAA HOT SPOT HIPAA AND OTHER LAWS

• EXAMPLES
• The Hospital must still follow New York State law
  relating to patient authorization for release of
  HIV records, even though these rules may be more
  strict than HIPAA.
• Although HIPAA does not require a HIPAA specific
  consent for permitted disclosures of PHI, the
  Hospital is still required to obtain other types
  of consents for health care purposes if required
  by law or Hospital policy (i.e., informed
  consents and consents for treatment).

27
PRIVACY OFFICER

• Terry Lillis, at 663-2003,is the hospitals
  Privacy Officer and is responsible for ensuring
  compliance with the HIPAA Privacy Standards. If
  you have any questions or are aware of any HIPAA
  violations, contact her immediately.
• Nick Casabona at 663-2370, as the Hospital's
  HIPAA Security Officer, is responsible for
  overseeing the technical aspects of the security
  of the electronic information.

27
28
COMPLAINTS

• Jean Zebroski, Director of Patient Relations at
  663-2058 is responsible for responding to
  complaints regarding HIPAA violations.
• Please refer any complaint relating to HIPAA
  directly to Jean.

29
HIPAA HOT SPOTPATIENT DIRECTORY INFORMATION

• HIPAA allows Hospitals to provide directory
  information to the public, but patients may
  request to opt out of being included in such
  directory. If they opt out, our Secured Patient
  Policy will be used to safeguard all of their
  information.

29
30
PATIENT RIGHTS

• Under HIPAA, patients have the following rights
• To request that the Hospital limit its use and
  disclosure of their PHI
• To receive communications by alternative means
  (e.g., e-mail or fax) or to alternative locations
  (the Hospital must accommodate all reasonable
  requests)
• To access their PHI
• To request amendments to their PHI, and
• To receive an accounting of certain disclosures
  of their PHI.

31
IMPLEMENTING PATIENTS RIGHTS

• Example A patient requests that PHI not be
  disclosed to any person other than his son.
• The Hospital is not required to agree to such a
  request, but if it does, it must modify the uses
  and disclosures it and its staff typically make.

32
ACCOUNTINGS

• HIPAA requires the Hospital to provide patients,
  upon request, with an accounting of certain
  disclosures of their PHI.
• The following disclosures do not need to be
  included on the accounting if performed in
  accordance with the HIPAA regulations

• Disclosures of PHI that were made for purposes of
  Treatment, Payment or Health Care Operations.
• Disclosures to the patient requesting the
  accounting
• Disclosures that are incidental to a permitted or
  required use of PHI

33
ACCOUNTINGS (Contd)

• Disclosures pursuant to a valid HIPAA
  authorization
• Disclosures to the Hospitals patient directory
• Disclosures to persons involved in the patients
  care and notices to family members or friends
  regarding the patients location, general
  condition and/or death
• Disclosures for national security or intelligence
  purposes
• Disclosures to correctional institutions or law
  enforcement officials, if involving criminal
  conduct that occurred on the Hospitals premises
  
• Disclosures of a limited data set and
• Disclosures made prior to April 14, 2003.

33
34
ACCOUNTINGS (Contd)

• The following are examples of disclosures that
  are required to be included in an accounting
• Disclosures in response to a subpoena, without a
  HIPAA authorization
• Infection control disclosures and
• Disclosures to regulatory agencies such as the
  department of health.

34
35
DISCUSSIONS WITH PATIENTS FAMILY AND FRIENDS

• In general, the Hospital may disclose to a family
  member, relative, or close personal friend of the
  patient, or any other person designated by the
  patient, patient information directly relevant to
  the persons involvement with or payment for the
  persons care (except HIV-related information,
  alcohol and/or substance abuse or mental health
  treatment).

36
DISCUSSIONS WITH PATIENTS FAMILY AND FRIENDS
(Contd)

• If the patient is present, PHI may be disclosed
  with patients agreement. If the patient is given
  the opportunity to object and does not object or
  if the Hospital reasonably infers from the
  circumstances that the patient does not object to
  the disclosure, then Hospital may disclose the
  information to the family member or friend.
• If the patient is not present, or the opportunity
  to agree or object cannot practically be provided
  (incapacity or emergency), the Hospital may
  determine disclosure is in the patients best
  interest.
• Disclose only the information directly relevant
  to the persons involvement with the patients
  health care.

37
HIPAA HOT SPOTTHE MEDIA

• Unless a patient requests otherwise, if a caller
  asks for information on a particular patient,
  HIPAA permits the Hospital to release one-word
  condition information and location information
  without obtaining prior authorization.
• At Winthrop, ALL communication with the Media
  are to be directed to the Vice President of
  External Affairs.
• REMEMBER Other laws may be more stringent
  (e.g., laws regarding HIV, mental hygiene, and
  substance abuse).

38
THE MEDIA (Contd)

• The media should not contact patients directly
  they should request an interview through the
  External Affairs Department at ext. 663-2706.
  During off-hours, the operator will contact the
  Vice President of External Affairs for you.
• The Hospital may deny the media access to the
  patient if it would aggravate the patients
  condition or interfere with patient care.

39
FINAL MEDIA TIPS

• The following activities require written
  authorization from the patient
• Drafting a detailed statement (i.e., anything
  beyond one-word condition) for approval by the
  patients legal representative
• Taking photographs of patients
• Interviewing patients
• In general, if the patient is a minor, permission
  for any of these activities must be obtained from
  a parent or legally authorized representative.

40
HIPAA HOT SPOTFAXING

• If you are faxing documents that contain PHI be
  sure to take the following steps
• Include a fax cover sheet with the approved HIPAA
  confidentiality statement on it.
• Perform random audits of sent faxes to ensure
  receipt by the correct party.
• Pre-program fax numbers.
• Routinely update fax number listings.
• Maintain the fax machine in a secure location.

41
HIPAA HOT SPOTPUBLIC CONVERSATIONS

• Avoid holding conversations about PHI in public
  areas such as lobbies, elevators, cafeterias and
  hallways. If you must do so, keep your voice low
  and be aware of people who may overhear your
  conversation.
• Note Conversations between providers, and
  between providers and patients, are permissible,
  even if incidentally overheard, as long as
  reasonable precautions were taken.

42
HIPAA HOT SPOTSREASONABLE SAFEGUARDS

• Do not leave PHI in public view (e.g., lying
  around on desks or nurses stations or unattended
  on a fax machine), and take care when disposing
  of PHI (e.g., shred paper when feasible or place
  paper in locked confidential waste baskets).

Never place PHI in an unsecured waste basket,
including the BLUE recycling bin.
43
MARKETING/FUNDRAISING

• HIPAA allows the Hospital to use PHI for certain
  limited marketing and fundraising, provided that
  specific requirements are met. If you wish to
  use PHI for marketing or fundraising contact
• John Broder,Vice President of External Affairs
• at 663-2706 for guidance.

44
RESEARCH

• There are several rules related to the use or
  disclosure of PHI for research purposes. These
  rules include
• Creation of a Privacy Review Board (which can be
  the current IRB) to review all use or disclosure
  of PHI for research purposes
• Use of HIPAA authorizations
• Use of Limited Data Set/Data Use Agreements
• De-identification of PHI
• If you participate in research activities,
  contact the Director of IRB, at 663-2552 for a
  detailed description of HIPAA research
  requirements.

45
REMEMBER

• When you
• Limit your own use and disclosure of or requests
  for information to the minimum necessary to
  perform the assigned task and
• Verify that information is being properly
  provided to an authorized person,
• You will
• Avoid the harmful effects of HIPAA violations.

46
HIPAA SECURITY BASICS

• Security of PHI must be an ongoing and
  comprehensive process, not an event.

47
SECURITY RISKS

1. Human error
2. Nature (fire, earthquake, flood)
3. Technology failures
4. Deliberate security breaches (internal and
   external threats)

48
MANAGE YOUR PASSWORD

• Use letters and numbers to create passwords
  (e.g., axw49).
• Avoid common selections (e.g., your name, pets
  name, childs name, etc.).
• Do not post your password on your computer or
  near your work area.
• Do not share passwords. If you forget you
  password, call the HELP Desk (663-4357).

49
PROTECT YOUR WORK AREA

• Avoid having PHI in public view.
• Do not leave unattended PHI on your computer
  screen or work station.
• Sign off when you are finished using a computer.
• Turn computer screen away from public view.

50
BEWARE OF VIRUSES AND OTHER HARMFUL SOFTWARE
Viruses and other malicious software are a
serious threat to the Hospital. To protect
against them

• Do not load information from outside on your
  computer without authorization
• Do not download information from the Internet
  without the express authorization of your
  Department Manager
• Do not open e-mails from unknown senders
• The Hospital will send you routine alerts when
  threats of new viruses become known.

51
FOLLOW HOSPITAL POLICY REGARDING REMOVAL AND
INSTALLATION OF HARDWARE AND SOFTWARE

• You may not install new hardware/software on the
  Hospital systems or remove hardware/software from
  the Hospital premises unless expressly authorized
  to do so by the Director of MIS or his designee.

51
52
REPORT INCIDENTS

• It is your responsibility to report
• Unauthorized successful or unsuccessful log-in to
  the system
• Any breaches in the security of PHI of which you
  become aware
• Sharing of passwords
• Incidents can be reported to Nick Casabona, our
  Security Officer at 663- 2370.

53
QUESTION

• Are any of the following HIPAA violations?
• A social worker posts her password on the side of
  her computer.
• Jane has a friend who forgot her password and
  wants Jane to lend her Janes password.
• A physician is sitting at a computer terminal and
  reviewing a patients information. The physician
  then gets an emergency call to assist with a
  patient. The physician leaves the computer
  terminal on showing the information.

54
Answer

• Answer Each of those actions would be a
  violation of HIPAA.

55
AUDIT TRAILS

• The Hospital is required to maintain records and
  review its employees use and access to
  information on the Hospital computer network.

55
56
OTHER SUGGESTED SECURITY PRACTICES

• ALWAYS wear your name tag.
• Ensure that all vendors are properly supervised
  and log in and out of the Hospital.
• Shred or discard PHI in secure trash bins.

57
HIPAA HOT SPOTE-MAIL

• Communications sent over an open network (which
  includes e-mail over the internet) must have
  certain safeguards, which might include
  encryption. Review the Hospitals security
  policies to determine the steps that must be
  taken in relation to e-mail and the Hospital's
  policy on sending/receiving PHI by e-mail.

58
SUMMARY
Protection of PHI is everyones responsibility.
Here is a summary of a few topics that were
discussed in this presentation

• Do not discuss patient information in public
  areas of the Hospital (e.g., cafeteria, lobby).

• Do not discuss patient information at home or at
  social gatherings.

• Do not share your password.

• Do not leave PHI lying around unattended.

• Do not send PHI over the internet unless
  authorized to do so.

• Do inform the Privacy or Security Officer about
  any concerns you may have about release of PHI.

59
ELECTRONIC TRANSACTION STANDARDS GENERAL RULE

• If a provider (either itself or through an agent,
  (e.g., billing company)), conducts a
  payment-related transaction electronically, the
  transaction must be conducted using the HIPAA
  format.
• Note If a payor still accepts covered
  transactions in paper format (e.g., paper
  claims), then such paper transactions do not
  necessarily have to conform to the new HIPAA
  formats.

Those involved in Electronic Transaction
Standards will be contacted directly and trained
as appropriate.
60
WHAT DOES IT MEAN TO STANDARDIZE A TRANSACTION?

• Standardized Formats
• Standard Data Content A new Federal definition
  of clean claim.
• Standard Codes ICD-9-CM, CPT-4, HCPCS, CDT-3,
  and HCPCS J codes.

61
HOW DOES HIPAA AFFECT YOUR RELATIONSHIP WITH THE
HOSPITAL

• If you are an employee, student or volunteer
• You are part of the Hospitals workforce
• You must comply with the Hospitals HIPAA
  compliance program
• Failure to comply will result in disciplinary
  action
• Failure to comply could trigger individual
  liability with penalties

62
INTERNAL SANCTIONS

• The Hospital is required to have policies
  regarding the disciplinary actions which may be
  taken if an employee fails to comply with these
  HIPAA policies.
• An employee who violates the Hospitals HIPAA
  policies may be subject to various sanctions
  including written censure, suspension or
  termination.
• Medical Staff Members who violate these HIPAA
  policies may be subject to disciplinary action
  under the Medical Staff By Laws.

63
FEDERAL SANCTIONS

• Under HIPAA, violations may result in the
  Hospital and the employee being subject to civil
  monetary penalties and criminal actions,
  depending on the nature and extent of the HIPAA
  violation.

64
CIVIL FINES

• Civil Fines of no more than 100 per violation
  with a maximum of 25,000 in each calendar year
  for violations of an identical requirement.
• Enforcer Office of Civil Rights

65
CRIMINAL PENALTIES FOR KNOWING MISUSE OF PHI
- THREE DEGREES

• Simple violations up to 50,000 plus up to 1
  year in prison.
• Violation committed under false pretenses up to
  100,000 plus up to 5 years in prison.
• Violation committed for gain or harm up to
  250,000 plus up to 10 years in prison.
• Enforcer OIG/Department of Justice

66
DISCUSSION/QUESTIONS
67
REVIEW CODE OF CONDUCT AND SIGN YOUR TRAINING
ACKNOWLEDGEMENT FORM!