
OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES


Presentation Transcript


    1. OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES
       Presented by: Barbara Lee Peace, Facility Privacy Official, Coliseum Medical Centers
       Speaker notes: I'm the designated Privacy Official for Edward White Hospital. I work with all facility personnel involved with any aspect of the release and use of patient information. This is necessary to ensure full compliance with our policies and procedures, legal requirements, and the new HIPAA Privacy Rule.

    2. COMPLIANCE DEADLINE: HIPAA Privacy Rule
       Speaker notes: The final privacy rule was published on April 14, 2001 and becomes effective next April 14, 2003. Unlike Y2K, HIPAA does not end when April 15 arrives; it will become a way of life. After that date, penalties can be imposed on facilities that are found to have poor privacy practices. One-year extensions are available for certain parts of the privacy rule, and they will request the extensions on our behalf. But HCA does plan to be fully compliant by the April 14, 2003 date.

    3. What is HIPAA?
       HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.
       Speaker notes:
       - Provides continuity of healthcare coverage: limits preexisting condition exclusions; prohibits discrimination based on health status.
       - Administrative Simplification: encourages development of an electronic health information system; establishes standards and requirements for electronic transmission of certain health information.
       - Recognized need to improve protection of health privacy: Congress was given until August 1999 to pass legislation; if not passed by Congress, the Department of HHS had authority to provide protection through regulation.
       - HIPAA is the “floor” regarding privacy protection: more stringent state laws still apply and can be enacted.

    7. Why do we need HIPAA?
       - 1996: In Tampa, a public health worker sent to two newspapers a computer disk containing the names of 4,000 people who tested positive for HIV.
       - 2000: Darryl Strawberry’s medical records from a visit to a New York hospital were reviewed 365 times. An audit determined that less than 3% of those reviewing his records had even a remote connection to his care.
       - 2001: An e-mail was sent to the members of a Prozac informational listserv revealing the identities of other Prozac users.
       - Closer to Home
       Speaker notes: As time passes, hospitals contract out more responsibilities and conduct more electronic transactions. Privacy standards were the obvious next step. Here are some good examples of why we need to enact legislation to protect patient information…

    8. Title II - Administrative Simplification
       Federal Law vs. State Laws ???
       - Protect health insurance coverage, improve access to healthcare
       - Reduce fraud and abuse
       - Establish new patient rights and privacy control by establishing common transaction sets for sending and securing patient information
       - Improve efficiency and effectiveness of healthcare
       - Reduce healthcare administrative costs (electronic transactions)

    9. Who must comply?
       HIPAA applies to all Covered Entities (CE) that transmit protected health information electronically, such as…
       Speaker notes: All covered entities are responsible for complying with HIPAA regulations. We are not responsible for policing them unless we are aware of a reportable violation.

    10. Unlike Y2K, HIPAA compliance does not end.

    11. Confidentiality
       The delicate balance between all employees’, physicians’ and volunteers’ need to know and the patient’s right to privacy is at the heart of HIPAA Privacy.

    12. Practicing Privacy
       - Treat all information as if it were about you or your family.
       - Access only those systems you are officially authorized to access.
       - Use only your own User ID and Password to access systems.
       - Access only the information you need to do your job.
       Speaker notes: Here are some simple rules to follow to protect PHI. Please stress these practices to your employees during department meetings.

    13. Practicing Privacy
       - Refrain from discussing patient information in public places.
       - Create a “hard to guess” password and never share it.
       - Log off or lock your computer workstation when you leave it.
       Speaker notes:
       - Use: IIHI and PHI may be shared without specific authorization for treatment, payment and health care operations by covered entities.
       - Disclosure: IIHI and PHI may be disclosed without authorization for certain national priority purposes under defined circumstances; however, written authorization, as specified, is required for other purposes, including research.
       - Minimum Necessary: Unless IIHI or PHI is used for treatment, the amount of information used or disclosed must be restricted to the “minimum necessary” to accomplish the relevant purpose.
       - De-Identification: A covered entity is obligated to remove specific identifying characteristics from IIHI.
       - Reasonable: Covered entities must make reasonable efforts to supply the minimum necessary and de-identified information, taking into consideration practical and technological limitations, and recognizing that it may be impossible to make health information completely anonymous.
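The use, minimum-necessary and de-identification rules on this slide, as an added worked example (this is not code from the presentation, from HCA, or from the facility): a small Python filter that releases the whole record for treatment, only a purpose-specific subset for payment or healthcare operations, refuses purposes that need written authorization, and strips direct identifiers when the output must be de-identified. The sample record, the purpose-to-field mapping and the identifier set are all constructed for illustration; they are not the facility's actual policy and the identifier set is not the rule's full list.

```python
"""Minimum-necessary release filter with optional de-identification.

Added example, not part of the original presentation. Record fields, purposes,
allowed-field sets and the identifier set are assumptions made for illustration.
"""
from copy import deepcopy

# Constructed sample patient record (fictional data, not real PHI).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "dob": "1960-04-02",
    "phone": "555-0100",
    "address": "1 Example Way",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "insurer": "Example Health Plan",
    "billing_codes": ["E11.9"],
}

# Fields each non-treatment purpose is permitted to see. Treatment is exempt
# from the minimum-necessary restriction, so it is handled separately below.
# These field sets are assumed for the example, not the facility's policy.
ALLOWED_FIELDS = {
    "payment": {"name", "mrn", "dob", "insurer", "billing_codes"},
    "operations": {"mrn", "diagnosis", "billing_codes"},
}

# Fields treated as direct identifiers for de-identification. Constructed
# subset for illustration; the rule's own identifier list is longer.
DIRECT_IDENTIFIERS = {"name", "mrn", "dob", "phone", "address"}


def minimum_necessary(record, purpose):
    """Return only the fields the stated purpose needs.

    Treatment gets the full record. Payment and operations get their allowed
    subset. Any other purpose (e.g. research) is refused here because it needs
    written authorization rather than a routine release.
    """
    if purpose == "treatment":
        return deepcopy(record)
    if purpose not in ALLOWED_FIELDS:
        raise ValueError(
            f"purpose {purpose!r} is not a routine use; written authorization required"
        )
    allowed = ALLOWED_FIELDS[purpose]
    return {k: deepcopy(v) for k, v in record.items() if k in allowed}


def de_identify(record):
    """Drop every field in the direct-identifier set from a record copy."""
    return {k: deepcopy(v) for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def release(record, purpose, de_identified=False):
    """Apply minimum-necessary filtering, then de-identify if requested."""
    out = minimum_necessary(record, purpose)
    if de_identified:
        out = de_identify(out)
    return out


if __name__ == "__main__":
    for purpose in ("treatment", "payment", "operations"):
        print(purpose, "->", sorted(release(SAMPLE_RECORD, purpose)))
    print("operations, de-identified ->", release(SAMPLE_RECORD, "operations", True))
```

The filter is allow-list based: a field is released only if the purpose explicitly permits it, so a new field added to the record later is withheld by default until someone decides who needs it. De-identification runs after the minimum-necessary cut, so an operations report that needs no identifiers ends up with diagnosis and billing codes only.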

    14. HIPAA MYTHS
       - White boards
       - Sign-in sheets
       - Paging
       - Calling out names
       - Names on doors
       - Structures to prevent disclosures

    15. Oral Communications
       The following practices are permissible if reasonable precautions (such as lowering voices) are taken to minimize inadvertent disclosures to others:
       - Staff may communicate orally at the nursing stations.
       - Health care professionals may discuss a patient’s treatment in a joint treatment area.
       - Health care professionals may discuss a patient’s condition during patient rounds.

    16. Common Terminology/Abbreviations (not all inclusive)
       - Affiliated Covered Entity (ACE): Entities under common ownership or control may designate themselves as an ACE. Uses and disclosures of PHI are permitted without consent or authorization under TPO.
       - Treatment, Payment or Healthcare Operations (TPO): the business practices the hospital undergoes for daily functions and services.

    17. Terminology, cont’d
       - Covered Entity (CE): A health plan, healthcare clearinghouse, or healthcare provider who transmits any health information in connection with a transaction.
       - Designated Record Set (DRS): Includes medical record and billing information used, in whole or in part, by or for the covered entity to make decisions about patients.

    18. Terminology, cont’d
       - Business Associate (BA): A person, business or other entity who, on behalf of an organization covered by the regulations, performs or assists in performing a function or activity involving the use or disclosure of PHI.
       - Patient Health Information (PHI): any identifying piece of information on a patient –

    19. Terminology - What is PHI?
       Protected Health Information (PHI) is the medical record and any other individually identifiable health information (IIHI) used or disclosed for treatment, payment, or health care operations (TPO). (Secure Bins)
       Speaker notes: In general, privacy is about who has the right to access patient information. The rule covers all patient information in your possession, whether or not the information is in electronic form. This information is known as protected health information, or PHI. [read slide paragraph] Some examples of PHI are…

    20. Terminology, cont’d
       - Organized Health Care Arrangement (OHCA): A clinically integrated care setting in which individuals typically receive health care from more than one provider, e.g., medical staff, radiologist physician group, ER physician group, volunteers, clergy, etc.

    21. Terminology, cont’d: Notice of Privacy Practices (NOPP)
       - Disclosure of how PHI is used
       - Directory policy
       - Confidential Communications
       - Right to Access
       - Right to Amend
       - Accounting for Disclosures
       - Right to request restrictions on certain uses and disclosures
       - FPO contact information
       - Formal complaint process
       Speaker notes: When the patient arrives, he will receive a notice of privacy practices. This notice informs the patient of his rights with respect to PHI as well as our legal duties to protect it. The privacy notice addresses, but is not limited to, the following:
       - Disclosure of how PHI is used: Used for Treatment, Payment, and Health Care Operations.
       - Directory Policy: The patient has the right to opt out of being listed in the facility directory. Otherwise, we may disclose information to members of the clergy or other persons who ask for the individual by name. To invoke this right the patient will need to request to opt out and complete the Directory Opt Out form. The FPO or designee shall be notified that the opt-out request has been made and the confidential flag has been set. The departments involved in care should be notified of the status change via OE. Printed census reports are discouraged because they can display patient information after the decision to opt out was made.
       - Confidential Communications: The patient has the right to request communications by alternative means or at alternate addresses. The request should be accommodated if it is reasonable. In other words, we’re not fed-exing their bills to their vacation spots. Again, there will be a special form the patient submits to the FPO. Involved departments are notified (billing, HIM, Gallup).
       - Right to Access: The patient has the right to inspect and obtain a paper copy of PHI contained in their record set. Exceptions include psychotherapy notes, information used in civil, criminal or administrative actions, or information subject to prohibition by CLIA. We must provide the information within 30 days. If we can’t, we must request a 30-day extension in writing.
       - Right to Amend: The patient has the right to amend their PHI; a form is required.
       - Accounting for Disclosures: The patient has the right to request a list of persons who requested PHI from our facility. They can request an accounting report once a year without charge, and for a nominal charge thereafter.
       - Restrictions: High-risk rule. May not be processed without the FPO’s approval. Most restrictions would lead to the inability to provide treatment, bill for payment, or perform health care operations. Other requests for restrictions may be impossible to grant due to system limitations.
       - FPO: The rule requires a designated facility privacy officer to be named.
       - Complaint: A policy to address patient complaints and privacy violations is forthcoming.

    22. When can we use PHI?
       We can use PHI for Treatment, Payment and Healthcare Operations (TPO).
       - Business Associates (BA)
       - Affiliated Covered Entity (ACE)
       - Organized Health Care Arrangement (OHCA)
       Speaker notes: Once the notice of privacy practices is signed by the patient, we can use their PHI for treatment, payment, and healthcare operations. The hospital, a covered entity, obtains the signed notice from the patient. The notice covers everyone in that entity: employees, volunteers and trainees. What about non-hospital-based physicians, vendors and other HCA facilities? Sometimes outside services are necessary to perform all the necessary functions. Our notice of privacy practices informs the patient that we coordinate their care with these other persons or businesses. This will eliminate the need for multiple privacy consents from the following groups:
       - Business Associates: A business associate is a person or business who performs, or assists in performing, a function or activity involving the use or disclosure of PHI. A business associate is not someone in your own workforce, such as an employee, volunteer, or trainee. (Examples: All About Staffing, transcriptionists, collection agencies.)
       - ACE: These are our sister hospitals and surgery centers. The multi-facility security committee structure will be used to organize as an ACE. All FPOs will have documentation concerning members of the ACE. (Examples: 4th St Surgery Center, St Pete, Northside.)
       - OHCA: Needed between the hospital and medical staff for sharing information outside of treatment (QA, radiology docs, pathologist). This serves as a joint privacy notice from the facility and medical staff. The approach will be to include all of the non-employed physicians in the OHCA unless they specifically opt out. If physicians opt out, they would have to carry their own consent forms. Physicians with staff privileges are part of the OHCA only when they are rendering care at the hospital. Their private offices are not part of the OHCA.

    23. Do you need to know this information to do your job?
       “Need to know basis” (Appropriate Access Policies)
       Speaker notes: In the course of your daily duties, ask yourself: Do you need to know this information? Is the information necessary to perform your job?

    24. MINIMUM NECESSARY INFO

    25. POLICIES 9 CORPORATE POLICIES 23 FACILITY POLICIES

    26. CORPORATE POLICIES

    27. PATIENT PRIVACY PROGRAM REQUIREMENTS

    28. Privacy Official Policy

    29. PATIENT PRIVACY PROTECTION

    30. Right to Access

    31. RIGHT TO AMEND

    32. RIGHT TO REQUEST PRIVACY RESTRICTIONS

    33. RIGHT TO REQUEST PRIVACY RESTRICTIONS

    34. RIGHT TO REQUEST PRIVACY RESTRICTIONS

    35. NOTICE OF PRIVACY PRACTICES

    36. NOPP

    37. NOPP

    38. RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION

    39. CONFIDENTIAL COMMUNICATION (cont’d)

    40. CONFIDENTIAL COMMUNICATION (cont’d)

    41. ACCOUNTING OF DISCLOSURES

    42. AOD (cont’d)

    43. AOD (cont’d)

    44. AOD

    45. AOD

    46. FACILITY POLICIES

    47. VERIFICATION OF EXTERNAL REQUESTORS

    48. VERIFICATION (CONT’D)

    49. VERIFICATION (CONT’D)

    50. OPTING OUT OF DIRECTORY

    51. OPTING OUT (cont’d)

    52. OPTING OUT (cont’d)

    53. COMPLAINT PROCESS

    54. RELEASE TO LAW ENFORCEMENT, JUDICIAL

    55. LAW ENFORCEMENT (cont’d)

    56. CLERGY ACCESS

    57. CLERGY ACCESS

    58. USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

    59. RELEASING UNDER THE PUBLIC GOOD

    60. PUBLIC GOOD (cont’d)

    61. PRIVACY MONITORING

    62. PRIVACY MONITORING

    63. SANCTIONS FOR PRIVACY VIOLATIONS

    64. Disclosures to Other Health Care Providers

    65. Designated Record Set Policy HIM Includes: Medical records and billing records for CMC used in whole or part to make healthcare decisions about patients. **Information from another facility - received before patient discharged

    66. Privacy Fundraising Requirements In general, individual patient authorization must be obtained to use or disclose a patient’s PHI for fundraising purposes.

    67. Education Requirements

    68. FAX POLICY

    69. MARKETING POLICY

    70. DEIDENTIFICATION

    71. LIMITED DATA SET

    72. RELEASE TO FAMILY AND FRIENDS

    73. MINIMUM NECESSARY INFORMATION

    74. POLICIES POSTED ATLAS Policies & Procedures CHS HIPAA Facility Corporate Forms MOX Library HIPAA

    75. SECURITY

    76. Protecting our patients’ privacy is part of the quality care we provide at Coliseum Medical Centers – It’s the Law
       Speaker notes: Unlike Y2K, HIPAA is not just a compliance date. It will be a culture change for all of healthcare. Protecting patients’ privacy will become part of the quality care we provide at Edward White Hospital.

    77. Email and Internet Access

    79. Incident Reporting

    82. LOG IN SUCCESS OR FAILURE

    86. NEED TO KNOW

    88. PASSWORD MAINTENANCE

    91. POLICIES AND STANDARDS

    94. WORKSTATION SECURITY
