THE HIPAA PRIVACY RULE


Presentation Transcript


1. THE HIPAA PRIVACY RULE UNM Health Sciences Center Compliance Office October 2004 Welcome participants

2. What is HIPAA? Health Insurance Portability and Accountability Act (Passed into law in 1996)

3. Four Parts of HIPAA 1. Standardized Electronic Data Interchange transactions and codes for all covered entities 2. Standards for security of data systems 3. Privacy protections for individual health information 4. Standard national identifiers for health care. Transactions and code sets include health claims, health plan eligibility, enrollment/disenrollment, payments for care and health plan premiums, etc. In the past, health providers and plans have used many different electronic formats to transact medical claims; a national standard is intended to result in one format that simplifies and improves transaction efficiency nationwide. The Security Rule (Final Rule published in Feb. 2003, takes effect April 2005) provides a uniform level of protection for all EPHI and requires CEs to ensure the confidentiality, integrity and availability of all EPHI the CE creates, receives, maintains or transmits. The Privacy Rule establishes the first set of basic national privacy standards and provides patients with a basic level of protection. In the past, healthcare organizations have used multiple identification formats when conducting business, which was a costly and error-prone process; standard identifiers are expected to reduce these problems. The employer identifier standard adopts the employer identification number (EIN) or tax ID number for electronic transactions. Final standards for the other identifiers have not been published.

4. The Privacy Rule… establishes a Federal floor of safeguards to protect the confidentiality of medical information allows patients to make informed choices when seeking care and reimbursement for care based on how personal health information may be used took effect on April 14, 2003

5. What Does The Privacy Rule Protect? Individually Identifiable Health Information, commonly referred to as “Protected Health Information” or “PHI”

6. PHI is information transmitted in any form, oral, written, or electronic that is: 1) Created or received by a covered entity; and 2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) There is a reasonable basis to believe the information can be used to identify the individual

7. As you can see, PHI, in a nutshell, covers demographic information about patients, their relatives, household members and employers that was obtained in the course of medical treatment.

8. Who Must Comply with HIPAA? Health Plans Health Care Clearinghouses Health Care Providers who conduct certain financial and administrative transactions electronically These entities are commonly known as Covered Entities (CE). HIPAA does not give HHS the right to regulate other types of private businesses or public agencies, such as employers, life insurance companies, or public agencies that deliver social security or welfare benefits.

9. What must a covered entity do to be in compliance with HIPAA? Notify patients about their privacy rights and how their information can be used Adopt and implement privacy procedures Train employees so they understand the privacy procedures Designate a Privacy Officer Secure patient records containing PHI

10. Vocabulary of HIPAA Protected Health Information (PHI) is individually identifiable health information that contains unique features or details by which the individual can be identified. Treatment, Payment and Health Care Operations (TPO) are common uses of PHI for which HIPAA does not require an authorization.

11. Vocabulary of HIPAA Disclosure means the release, transfer, provision of access to, or divulging of information outside the entity holding the information. Use means the sharing, employment, application, utilization, examination, or analysis of individually identifiable information within an entity

12. Vocabulary of HIPAA Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work, is under the direct control of such entity. Business Associate is a person or entity that performs a function or activity on behalf of a CE that requires the creation, use or disclosure of PHI but who is not considered part of the CE’s workforce.

13. Notice of Privacy Practices Plain language Specified uniform header Description & at least one example of each type of use and disclosure made for TPO Description of each permitted or required use or disclosure without authorization Sufficient detail of each use and disclosure to put individual on notice Statement that all other uses or disclosures will only be made with the individual’s authorization Delineation of individual’s privacy rights

14. New Patient’s Rights Right to written Notice of Privacy Practices (NPP) that informs consumers how PHI will be used and to whom it is disclosed Right of timely access to see and copy records for reasonable fee Right to request amendment of record Right to restrict access and use Right to an accounting of disclosures Right to revoke authorization

15. Requests for Amendment A patient may request, in writing, to have health information or a record about the patient amended. The CE does not have to agree to the amendment; however, the request to amend becomes a part of the patient's medical record. Patients may request amendments to the information they find in the medical record. Although we do not have to agree to the amendment, we must review all requests to determine if an amendment is warranted. This is done in consultation with the treating physician.

16. Requests for Restrictions Patients may request, in writing, a restriction or limitation on the health information that a CE uses or discloses. The CE is not required to agree to the restriction. Even though we do not have to agree to the restriction, we do have to review all requests and determine if they should be accepted. If they are accepted, the restriction must be communicated to all affected areas and it must be included in the medical record.

17. Accounting of Disclosures Patients are entitled to request a list of people and organizations who have received their PHI. Patients must submit a written Request for Accounting of Disclosures. A CE must respond to a patient's request for an accounting within 60 days of receipt of the request. The accounting does not include TPO disclosures.

18. The accounting of disclosures should include disclosures… Required by law For public health activities About victims of abuse, neglect or domestic violence For health oversight activities For judicial and administrative proceedings For law enforcement purposes For research purposes (if authorization was waived) For specialized government functions For workers’ compensation
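As an added example (not part of the UNM slides), the script below turns a disclosure log into the accounting described on the two slides above: it keeps one patient's disclosures, drops TPO disclosures, keeps the categories listed on the slide, and computes the 60-day response deadline. Anything logged under a purpose that is on neither list is put in a separate "needs review" bucket rather than silently dropped, because a disclosure that fits no permitted category is exactly the one the Privacy Officer needs to see. The log format, field names, patient IDs, recipients and dates are all constructed for illustration.

```python
"""Build a HIPAA accounting of disclosures from a disclosure log.

Added example, not code from the UNM presentation. The log layout, field
names and sample records are constructed for illustration.
"""
from datetime import date, timedelta

# Purposes the slides say are NOT listed in an accounting (TPO).
TPO_PURPOSES = {"treatment", "payment", "health care operations"}

# Purposes the slides say the accounting should include.
ACCOUNTABLE_PURPOSES = {
    "required by law",
    "public health",
    "abuse, neglect or domestic violence",
    "health oversight",
    "judicial or administrative proceeding",
    "law enforcement",
    "research (authorization waived)",
    "specialized government function",
    "workers' compensation",
}

# The CE must respond within 60 days of receiving the written request.
RESPONSE_WINDOW = timedelta(days=60)


def build_accounting(log, patient_id, request_received):
    """Return (entries, deadline, needs_review) for one patient's request.

    entries      -- accountable disclosures for this patient, oldest first
    deadline     -- last day the CE may respond (receipt + 60 days)
    needs_review -- this patient's disclosures whose purpose is on neither
                    list; these must be classified by the Privacy Officer,
                    not dropped (they may be disclosures that needed an
                    authorization the log does not show)
    """
    entries, needs_review = [], []
    for rec in log:
        if rec["patient_id"] != patient_id:
            continue
        purpose = rec["purpose"].strip().lower()
        if purpose in TPO_PURPOSES:
            continue  # TPO disclosures are excluded from the accounting
        if purpose in ACCOUNTABLE_PURPOSES:
            entries.append(rec)
        else:
            needs_review.append(rec)
    entries.sort(key=lambda r: r["date"])
    return entries, request_received + RESPONSE_WINDOW, needs_review


# Constructed sample log: hypothetical patients, recipients and dates.
SAMPLE_LOG = [
    {"patient_id": "P-1001", "date": date(2004, 3, 2),
     "recipient": "Consulting cardiologist", "purpose": "treatment",
     "description": "ECG and progress notes"},
    {"patient_id": "P-1001", "date": date(2004, 4, 18),
     "recipient": "NM Department of Health", "purpose": "public health",
     "description": "reportable disease form"},
    {"patient_id": "P-1001", "date": date(2004, 5, 5),
     "recipient": "Health plan", "purpose": "payment",
     "description": "claim for inpatient stay"},
    {"patient_id": "P-1001", "date": date(2004, 7, 22),
     "recipient": "District Court (subpoena)",
     "purpose": "judicial or administrative proceeding",
     "description": "admission summary"},
    {"patient_id": "P-2002", "date": date(2004, 7, 22),
     "recipient": "County Sheriff", "purpose": "law enforcement",
     "description": "wound report"},
    {"patient_id": "P-1001", "date": date(2004, 8, 1),
     "recipient": "Outside mailing vendor", "purpose": "marketing",
     "description": "mailing list extract"},
]


if __name__ == "__main__":
    entries, deadline, review = build_accounting(SAMPLE_LOG, "P-1001", date(2004, 9, 10))
    for e in entries:
        print(f"{e['date']}  {e['recipient']:<28} {e['purpose']:<36} {e['description']}")
    print("respond by:", deadline)
    for r in review:
        print("NEEDS REVIEW:", r["date"], r["recipient"], r["purpose"])
```

For patient P-1001 the sample log yields two accountable entries (public health, judicial proceeding), a response deadline of 2004-11-09, and one "marketing" disclosure flagged for review; the treatment and payment disclosures are excluded as TPO, and P-2002's disclosure never appears in P-1001's accounting.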

19. AUTHORIZATION… Is a detailed document that gives covered entities permission to use PHI for specified purposes. Is required for the use and disclosure of PHI not otherwise allowed by the Privacy Rule Does not apply to TPO Does not apply to uses and disclosures required by law May be revoked at any time in writing Examples of uses and disclosures permitted or required by law without an authorization: Public Health Activities – reporting births and deaths or adverse events Abuse, Neglect or Domestic Violence Health Oversight Agency Judicial and Administrative Proceedings – criminal trials, litigation, subpoenas Law Enforcement Decedents Organ, Eye or Tissue Donation Averting a Serious Threat Specialized Government Function Workers' Compensation

20. Authorization Requirements An authorization must describe: the PHI to be used and disclosed; the person authorized to make the use or disclosure; the person to whom the covered entity may make the disclosure; an expiration date; and the purpose for which the information may be used or disclosed.

21. Minimum Necessary Standard HIPAA requires covered entities to take reasonable steps to disclose only the information that is necessary for the purpose for which the disclosure is to be made (i.e. the minimum necessary amount of information).

22. Minimum Necessary Does Not Apply To: Treatment Disclosures to the individual who is the subject of the PHI Uses or disclosures made pursuant to an individual’s authorization Uses or disclosures that are required by law

23. Do I need to know? Ask yourself: Do I need this information to do my job and provide good patient care? What is the least amount of information I need to do my job? If the answer to the first question is no, you should not be accessing the PHI in question. Please take these questions seriously and think about them as you come into contact with PHI.

24. Incidental Disclosure A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure.

25. Is this a HIPAA privacy violation? No. It is a classic example of an incidental disclosure. Dr. Nixon is engaging in a permitted activity. The correct answer is that an incidental disclosure occurred and that it is allowed under HIPAA.

26. Protecting Patient Privacy "Do's" Do: Close curtains and speak softly when discussing treatments in semi-private rooms Log off of the computer when you are finished Dispose of patient information by shredding or storing in locked containers for destruction Clear patient information off of your desk when you leave your desk Since the ultimate goal of the Privacy Rule is to protect the privacy of our patients, here are some things to keep in mind when you are dealing with patient information.

27. Protecting Patient Privacy “Don’ts” Don’t: Tell anyone what you overhear about a patient Discuss a patient in public areas such as elevators, hallways, or cafeterias Look at information about a patient unless you need it to do your job

28. Rules for Using Computers Keep your password a secret Do not log in using someone else's password Log off of the computer when you are finished using it Turn the computer screen away from public view Do not remove equipment, disks, or software without permission Here are some basic guidelines for when you are using your computers. The Security Rule of HIPAA goes into effect in April 2005. Once that regulation is in effect, you will receive more detailed information.

29. Rules for Using Faxes Sending: Call the intended recipient before sending the fax Double-check the fax number before sending Use cover sheets for faxes Receiving: Tell the person faxing information to alert you when he/she is about to send the fax Take faxes off of the machine immediately Do not let faxed patient information lie around unattended There have been a lot of misconceptions about faxing PHI. Here are the rules for sending and receiving faxes.

30. Business Associate A person or entity that performs a function or activity on behalf of a CE that requires the creation, use or disclosure of PHI but who is not considered part of the CE's workforce. BA functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management. BA services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. Exceptions to the BA standard: disclosures for treatment; persons/organizations whose function does not involve the use or disclosure of PHI (janitorial service); persons/organizations acting merely as a conduit for PHI (US Postal Service).

31. Business Associates Must be helping the covered entity carry out its health care functions Must have a written contract or agreement with the covered entity that assures that they will appropriately safeguard any PHI they receive or create PHI cannot be disclosed to the BA for their own independent use or purpose. They must use the PHI only for the purposes for which their services were engaged. The usual method of obtaining satisfactory assurances is through a Business Associate Agreement that describes the permitted and required uses of PHI by the BA, provides that the BA will not use or further disclose PHI other than as permitted or required by the contract or by law, and requires the BA to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract.

32. HIPAA's Impact on Research Activities NO ONE is permitted to use PHI for research without complying with the new HIPAA requirements These HIPAA requirements are entirely separate from the existing federal human subject research regulations. HIPAA requirements: Preparatory to Research, Authorization, Waiver of Authorization, or Limited Data Set. Informed Consent is not authorization.

33. Please Note: The Privacy Policies and Procedures do not replace or override other rules or procedures established by the Institutional Review Board (“IRB”). Both must be complied with in order to conduct human subject research.

34. State Law vs. HIPAA If there is a conflict or inconsistency between an applicable state law and the HIPAA Privacy Rule, follow the law that provides the patient: Greater privacy rights, Greater access to information, or Greater privacy protections.

35. Penalties for Privacy Violations Civil Penalties under HIPAA: Fine of $100 per violation, up to a maximum of $25,000 per year for violations of the same requirement Criminal Penalties under HIPAA: Maximum of 10 years in jail and/or a $250,000 fine for serious offenses Organization Actions: Employee disciplinary actions including suspension or termination for violations of UNM's policies and procedures Criminal sanctions may be imposed for offenses where there is intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.

36. The Privacy Rule Requirement You may not retaliate against or intimidate an employee who files a HIPAA complaint.

37. HSC COMPLIANCE HOTLINE 1-888-899-6092 Call if you: Have questions about the Privacy Rule Want to report a privacy violation (This toll-free hotline is operated by Global Compliance Services and is available 24 hours a day.)

38. TEST YOUR KNOWLEDGE!

39. Trainer Talking Point: Is this an appropriate disclosure? No. Ms. Pate's PHI has nothing to do with Terri's job. Lori should not have permitted Terri to have access to Ms. Pate's medical record.

40. Trainer Talking Point: This is inappropriate behavior. Even though the patient's name was not used, the situation was described in such detail that someone could possibly determine who the patient was that coded during that day. Additionally, a relative of that patient could have also been on the elevator and known that the doctors were discussing their family member. This conversation should be confined to areas where the chance of someone overhearing is minimized.

41. Has the patient's privacy right been violated? This would constitute a disclosure of PHI. Under HIPAA, a disclosure occurs whenever access to information is made available or divulged in any manner to a third party or entity outside of the covered entity. The patient's phone number constitutes PHI because it may easily be used to identify or contact the patient. If there was a pay phone available or if it was possible to wait and contact the patient from his home or office, Dr. Cook had an obligation to do so. Dr. Cook could have also called the answering service and asked them to transfer him to the patient. That way, the only information left on the friend's cell phone would have been the answering service's number and no PHI would have been disclosed.

42. Trainer Talking Point: This is inappropriate behavior. You should only be accessing patient information that you need to be able to do your job. You should not access records for any other reason even if you think the person would not mind or they verbally asked you to do so. If it is not for work related reasons, you must obtain patient authorization. Even if it is your record or you have a valid authorization, you must follow hospital procedure to access the information.

43. Trainer Talking Point: Is this a HIPAA violation? Yes. Henry is guilty of selling PHI for personal gain. This scenario is taken from an actual case that is taking place in Houston. The employee was convicted of commercial bribery for illegally selling patient medical records to personal injury lawyers. This is one of the first criminal convictions for a violation of HIPAA. Now the last area of HIPAA we will look at is the Organized Health Care Agreement Letters (Next slide)

44. Get to Know Your Privacy Team! Jeffery Wiggins HSC Compliance Director 505-272-2588 Sophia Collaros HSC Privacy Officer 505-272-1493 Icel Kendrick HSC Compliance Operations Manager 505-272-5994
