HIPAA Workforce Training

1
HIPAA Workforce Training

• PRIVACY and HIPAA

2
MANDATORY

• Completion of training is mandatory under
• HIPAA for the entire workforce of the MHRB
• Including volunteers, like yourselves.

3
What is HIPPA?

• In 1996 President Clinton signed the Health
  Insurance Portability and Accountability Act
  (HIPAA). This new law was enacted as part of a
  broad congressional attempt at incremental
  healthcare reform.
• HIPAA has two primary purposes. One is to
  provide continuous insurance coverage for workers
  who change jobs, and the other is to reduce the
  costs and administrative burdens of health care
  by making possible the standardized, electronic
  transmission of many administrative and financial
  transactions that are currently carried out
  manually on paper.

4
HIPAA Workforce Training

• HIPAA requires that the MHRB create HIPAA
  policies and procedures that may affect your work
  as a Board member.

5
This HIPAA Training Program will answer

• What does HIPAA do?
• Who has to follow the HIPAA law?
• What is Protected Health Information?
• When do we start?
• How does HIPAA affect you?
• Why is HIPAA important?

6
What does HIPPA do?

• HIPAA is the Health Insurance Portability and
  Accountability Act of 1996. It is a federal law
  that
• Protects the privacy of a clients personal and
  health information
• Provides for electronic and physical security of
  personal and health information
• Simplifies billing and other transactions

7
An Overview of the Law
8
HIPAA is the FLOOR

• HIPAA regulations are the minimum starting point
  for protecting health information and do not
  supersede any rules, regulations, or standards
  that are more stringent. For example, if ODMH
  rules are more stringent than HIPAA rules, we
  must follow the ODMH rule.

9
Organizational and Administrative Requirements

• A Privacy Officer must be appointed to implement
  and develop privacy policies and procedures for
  the agency.
• Must train all employees (current and new) on
  privacy policies and procedures.
• Must amend all business associate contracts to
  establish the permitted and required uses and
  disclosures of PHI.
• Must verify the identity and authority of person
  requesting PHI.

10
Organizational and Administrative Requirements

• Must disseminate a notice of our privacy
  practices to existing clients and all new clients
  and within 60 days of any material revision.
• Must notify clients every 3 years of the
  availability of the notice.
• A covered entity with a website must post their
  notice on the web.

11
Organizational and Administrative Requirements

• Must document compliance with notice requirements
  and keep copies of notices issued.
• Must document who is responsible for receiving
  and processing client inquiries regarding his/her
  PHI.

12
Organizational and Administrative Requirements

• Must provide a process for individuals to make
  complaints and document such complaints and their
  disposition.
• Must develop anti-retaliation policy.

13
Who has to follow HIPAA?
Everyone!
14
Who Is Impacted?

• Health care providers A provider of medical,
  psychiatric, or other health services, and any
  other person or entity furnishing health care
  services or supplies.
• Health plans an individual or group health plan
  that provides or pays the cost of medical care.
• Clearinghouses A public or private entity that
  processes or facilitates the processing of
  non-standard data elements of health information
  into standard data elements and who transmits any
  health information in electronic form in
  connection with a transaction covered in the
  legislation.
• Business Associates and Trading Partners

15
Business Associate

• A person or entity to whom a covered entity
  discloses protected health information, to
  perform a function on behalf of or to provide
  services to a covered entity.
• Includes lawyers, accountants, consultants, and
  accrediting agencies.
• Must have a contract obligating them to safeguard
  protected health information.

16
Business Associate Contracts

• Must establish the permitted and required uses
  and disclosures of protected health information
  by the business associate and may not authorize
  further disclosure in violation of the
  regulations
• If the covered entity knows of a practice or
  pattern of activity that constitutes a material
  breach of the business associates obligations
  under the contract, the covered entity must take
  reasonable steps to ensure cure of the breach or
  terminate the contract or report the problem to
  the Secretary of Health and Human Services.

17
Business Associate Obligations

• Must not use or disclose protected health
  information in violation of the law or contract.
• Implement safeguards against improper use or
  disclosure.
• Ensure that any agents or subcontractors agree to
  fulfill contractual and legal obligations.
• Afford individual access to records make
  available records for amendment by the
  individual account to the individual for use or
  disclosure other than for payment, treatment, or
  operations.
• At termination of the contract, return or destroy
  protected health information.

18
What Is Impacted?

• TRANSACTIONS
• A transaction is the exchange of information
  between two parties to carry out financial and
  administrative activities related to health care.
  It includes
• Health claims or encounter information,
• Health care payment and Explanation of Benefits
  (EOB),

19
What Is Impacted?Transactions Continued

• Coordination of benefits,
• Enrollment/disenrollment in a health plan,
• Eligibility for a health plan,
• Health plan premium payments,
• Referral certification and authorization,
• First report of injury, and
• Health claims attachments.

20
What Is Impacted?

• PROTECTED HEALTH INFORMATION
• Protected Health Information is defined as any
  information, whether oral or recorded, in any
  form or medium, that-
• Is created or received by a provider, health
  plan, public health authority, employer, life
  insurer, school, or clearinghouse and
• Relates to the past, present or future physical
  or mental health or condition of an individual,
  the provision of health care to an individual, or
  the past, present, or future payment for the
  provision of health care to an individual.

21
What is considered Protected Health Information?

• A persons name, address, birth date, age, phone
  and fax numbers, e-mail address
• Medical records, diagnosis, x-rays, photos,
  prescriptions, lab work, test results
• Billing records, claim data, referral
  authorizations, explanation of benefits
• Research records

22
The Board may create, use and share a persons
PHI for

• Treatment
• Billing and Payment
• Agency Business Management and Operations
• Disclosures Required by Law
• Public Health and Other Governmental Reporting

23
PHI Consent

• Some uses and disclosures of PHI do not require
  consent.
• The use and disclosure of protected health
  information relating to treatment, payment, or
  health care operations does not require prior
  written consent.

24
Minimum Necessary Rule

• When using or disclosing Protected Health
  Information (PHI) or when requesting PHI from
  another covered entity, The Board must make
  reasonable efforts to limit PHI to the minimum
  necessary to accomplish the intended purpose of
  the use, disclosure, or request, unless an
  exception applies.

25
Minimum Necessary RuleExceptions

• The minimum necessary requirement does not apply
  in the following instances
•  
• Disclosures to or requests by a health care
  entity for purposes of treatment.
• Uses or disclosures made to the individual who is
  the subject of the PHI.
• Uses or disclosures made pursuant to a valid
  authorization initiated by the individual.
• Disclosures to the secretary of the Department of
  Health and Human Services (HHS).
• Uses or disclosures that are required by law.
• Uses or disclosures required for compliance under
  HIPAA, including compliance with the
  implementation specifications for conducting
  standard data transactions.

26
Requests for Disclosure

• The Board may rely on a request for disclosure as
  the minimum necessary for the stated purpose
  when
• Making permitted disclosures to public officials,
  if the public official represents that the
  information is the minimum necessary for the
  stated purpose(s).
• The information is requested by another covered
  entity.
• The information is requested by a professional
  who is a member of The Boards workforce or is a
  business associate of Board for the purpose of
  providing professional services to The Board if
  the professional represents that the information
  requested is the minimum necessary for the stated
  purpose(s).
• The information is requested for research
  purposes and the person requesting the
  information has provided documentation or
  representations to The Board verifying such
  intended purpose.

27
Using and Disclosing PHIWithout Consent

• For workers' compensation purposes.
• Appointment reminders and health-related
  benefits or services.
• For fundraising activities, public health
  activities, organ donations, and for research
  purposes.

• When a disclosure is required by federal, state,
  or local law, judicial or administrative
  proceedings, or law enforcement.
• Disclosure without your consent can occur in
  certain emergency treatment situations.
• To avoid harm.
• For specific government functions.

28
Verification

• In certain instances, as permitted or required by
  law, The Board can or must disclose an
  individuals PHI, even where there is no specific
  consent or authorization from the individual to
  do so.
• No PHI will be disclosed without precautions
  being made to assure that the identity of the
  person requesting PHI information is verified and
  that they have the authority to have access to
  the information requested.

29
Verification of Identity

• When the identity of the person seeking
  disclosure of an individuals PHI is not known to
  The Board, verification of the persons identity
  is as follows
• If the request is made in person, presentation of
  an agency identification badge, other official
  credentials, or other proof of government status.
• If the request is in writing, the request is on
  the appropriate government letterhead
• or other accepted proof of identity is
  documented.
• If the disclosure is to a person acting on behalf
  of a public official, a written statement on
  appropriate government letterhead that the person
  is acting under the governments authority or
  other evidence or documentation of agency, such
  as a contract for services, memorandum of
  understanding, or purchase order, that
  establishes that the person is acting on behalf
  of the public official.

30
Verification of Authority

• To verify the authority of a public official, The
  Board may rely on any of the following
• A written statement of the legal authority under
  which the information is requested or,
• 2. if a written statement is impracticable, an
  oral statement of such legal authority,
• 3. If a request is made pursuant to legal
  process, a warrant, subpoena, order, or other
  legal process issued by a grand jury or a
  judicial or administrative tribunal will be
  presumed to constitute legal authority.

31
Privacy Notice

• Every client is provided with a Notice of Privacy
  Practices upon enrollment at a contract agency
  The Notice describes
• How the MHRB can use and share protected health
  information, and
• Every clients privacy rights
• The privacy notice is also published on the
  MHRBs web page.
• Copies of the Notice of Privacy are available
  from the Privacy Officer or Secretary.

32
Clients PHI Rights

• One of the purposes of the new HIPAA rule is to
  give clients more control over their PHI. Such
  as
• The right to request limits on uses and
  disclosures of their PHI.
• The right to choose how the agency sends PHI to
  them.
• The right to view and obtain copies of their PHI.
  
• The right to correct or update their PHI.

33
How do clients exercise these rights?

• Special forms to request changes, corrections,
  copies, etc. are available from the Privacy
  Officer.

34
What client information must be protected?

• We must protect a clients personal and health
  information that
• Is created, kept, filed, used or shared
• Is written, spoken, electronic or digital
• As already stated HIPAA defines client personal
  and health information as Protected Health
  Information or PHI for short.

35
When do we start?
NOW!
36
How will HIPAA affect your duties?

• If you currently see, use, share and/or create a
  persons protected health information as part of
  your job or duties, HIPAA will change the way you
  work.
• You must protect the privacy of the client and
  MHRBs workforce protected health information.

37
When can you use PHI?

• ONLY to do your job or duties!
• At all other times, protect a clients
  information as if it were your own information!

38
How can you use PHI?

• You may look at a persons
• PHI only if you need it to do
• your job or duties.
• You may use a persons PHI
• only if you need it to do your job or duties.
• You may give a persons PHI to
• others when it is necessary for them to do their
  jobs.
• You may talk to others about a persons PHI only
  if it is necessary to do your job or duties.

39
Why is HIPAA important?

• Protecting privacy is important!
• We all want our PHI to be private
• Our clients want their PHI to be private
• Its the right thing to do
• Its the law

40
What can happen if we dont follow HIPAA?

• Someone who does not protect a persons personal
  and/or health care privacy could
• Lose his/her job
• Pay fines
• Go to jail

41
Fines?

• Fines range
• from 50,000 to
• 250,000 per
• incident

42
Jail?

• Jail terms
• can be up to
• 10 years
• per incident

43
Did you know.?

• The Board must protect your personal health
  information with as much diligence and security
  as we protect clients PHI.

44
When do we have to protect PHI?
NOW!
45
HIPAA Stories

• Please read the following two HIPAA stories
  carefully as you will be asked to discuss them
• on the quiz.

46
HIPAA Story 1 Annie
After serving on the clients rights appeal
committee, I ran into the customer Annie, who
filed the appeal at the grocery store. She came
up to me and started talking about her appeal,
the medications she was placed on and how she was
not feeling any better. I told her I could not
discuss her appeal that it was confidential, and
that it takes time for some medications to work.
Did I do the right thing?
47
HIPAA Story 2 Barry
I happened to be using the copier in the MHRB
office when a fax arrived. I did not read any of
the details but recognized the client name on the
incident report. I did not do anything with the
information and kept it to myself. Did I do the
right thing?
48
Where to Find Out More About HIPAA

• The Privacy Notice is on the agencys Internet
  Website www.whmhrb.org
• Contact Kim Tapie, Compliance and Privacy Officer
  with questions and/or concerns
• Review HIPAA materials in the Boards Operations
  Manual

49
The End!
Congratulations! You have completed The HIPAA
Privacy Training .