
Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA). CCAC. Learning Outcomes: Define HIPAA; Describe Privacy Rule/Covered Entities; Define Protected Health Information (PHI); Know When to Use and Disclose PHI; Define De-identified PHI; Describe Need to Comply With HIPAA.

edmund

Presentation Transcript


  1. Health Insurance Portability and Accountability Act (HIPAA) CCAC

  2. Learning Outcomes • Define HIPAA • Describe Privacy Rule/Covered Entities • Define Protected Health Information (PHI) • Know When to Use and Disclose PHI • Define De-identified PHI • Describe Need to Comply With HIPAA

  3. What is HIPAA? • Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996 • Department of Health and Human Services (DHHS) administers the Act

  4. HIPAA Primary Objectives • Improve portability and continuity of health insurance coverage • Combat waste, fraud and abuse in health care • Promote the use of medical savings accounts • Improve access to long-term care services • Simplify administration of health insurance

  5. Why the Need for HIPAA? • Advancements in Technology • Allows greater access to protected health information (PHI) • Increased use of electronic transmission of patient data

  6. HIPAA Privacy Rule • Published in Federal Register December 28, 2000 • 45 CFR: Part 160: General Administrative Requirements • 45 CFR: Part 162: Administrative Requirements • 45 CFR: Part 164: Security and Privacy • http://www.hhs.gov/ocr/hipaa

  7. Covered Entities • Health Plan • Health Care Clearinghouse • Health Care Provider

  8. Covered Entities • Business Associate • Hybrid

  9. Protected Health Information (PHI) • Individually Identifiable Health Information held or transmitted by a covered entity or its business associate • in any form or media • whether electronic, paper or oral

  10. Individually Identifiable Health Information • Past, present or future physical or mental health condition or payment for provision of health care, or • Provision of health care identifying the individual by • Name • Address • Birth date • Social Security Number

  11. Protected Health Information (PHI) • Electronic • Computer Systems • Oral • Formal and Informal Presentations, Discussions • Written • Medical Records, Reports, Publications, Letters, Faxes

  12. Permitted Uses and Disclosures • Without an individual’s authorization: • Treatment, Payment, and Health Care Operations • Opportunity to Agree or Object • Incidental to otherwise permitted use • Public Interest and Benefit Activities • Limited Data Set

  13. Permitted Uses and Disclosures • May Not use or disclose except either as the: • Privacy Rule permits or requires, or • Individual or personal representative authorizes in writing • Must disclose in two situations: • To individuals when requested • DHHS in compliance investigation or review or enforcement action

  14. Minimum Necessary • Covered entity must: • Make reasonable effort to disclose minimum amount of information to meet the purpose • Develop and implement policies and procedures for reasonable limit • Not use, disclose, or request the entire medical record unless it can justify whole record is reasonably needed for the purpose

  15. Individual’s Rights • Know who may use and/or disclose PHI and to whom PHI is disclosed and for what purpose • Know the duration of the use/disclosure of PHI • Revoke the use and/or disclosure of PHI at any time in writing • Have access to inspect and obtain a copy of own PHI • Provide Written Authorization for use and/or disclosure of PHI

  16. Limited Data Set • Certain, specified direct identifiers removed • Used and disclosed for • Research • Health care operations • Public health purposes • Recipient promises safeguards

  17. De-Identified Health Information • No restrictions on use or disclosure • Neither identifies nor provides a reasonable basis to identify an individual • Two ways to de-identify • Formal determination of qualified person • Removal of specified identifiers

  18. HIPAA Exercise #1 • What are specified identifiers? • List on a flipchart

  19. ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ Specified Identifiers

  20. ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ ________________ Specified Identifiers

  21. Authorization • Who provides? • What is included? • When is it necessary? • Who is involved in the process?

  22. Authorization • Provided by individual in writing • Written in specific terms • May allow use and disclosure by covered entity or third party • Written in plain language

  23. Authorization • Contains specific information • Description of information to be used/disclosed in specific and meaningful fashion • Persons disclosing and receiving • Expiration date or “none” • Right to revoke • Individual’s signature and date

  24. Authorization • Covered Entity and Individual • Privacy Board • Institutional Review Board (Research) • Copy provided to individual • Examples of required use

  25. Authorization Required • Psychotherapy Notes • Marketing with following exceptions: • Face-to-face between covered entity and individual • Covered entity’s provision of promotional gifts of nominal value • If direct or indirect remuneration from a third party, fact must be revealed

  26. Authorization in Research • Waiver or Authorization Required • Review and Approval by a Privacy Board or IRB • Statement identifying Board and Date of Approval • Signed by Chair or designee

  27. Privacy Practices Notice • Covered entities must provide since April 14, 2003 • Notice to contain certain elements • Deliver to patients • Posted at each service delivery site • Available on request • On Website

  28. Privacy Practices Notice • Obtain written acknowledgement from patients of receipt • Document reason for failure to obtain written acknowledgement

  29. Enforcement of HIPAA • Office of Civil Rights (OCR) is responsible • Covered entity investigated after a complaint is received • Process may include • Investigations and Compliance Reviews

  30. Compliance with HIPAA • Processes for Filing Complaints • Covered Entities to provide • records • compliance reports • Cooperate with and permit access to information

  31. Penalties • General Penalty: $100 per person per violation up to $25,000/year • Wrongful Disclosure Penalties • Enforced by Department of Justice • Fined up to $50,000, imprisoned not more than 1 year or both

  32. Penalties • Wrongful Disclosure Penalties • Fined up to $100,000, imprisoned not more than 5 years or both for obtaining PHI under false pretenses • Fined up to $250,000, imprisoned not more than 10 years for obtaining PHI with intent to sell, transfer, or use for commercial advantage, personal gain or malicious harm

  33. HIPAA Exercise #2 • Handout in binder • Fill in the blanks with the number preceding the correct answer • Some numbers may be used more than once

  34. Summary • HIPAA and the Privacy Rule • Covered Entities Responsibilities • Individually Identifiable Health Information • Use and Disclosure of PHI • Authorizations • De-Identified PHI • Compliance with HIPAA

  35. References • OCR Privacy Rule Summary Revised 05/03 • HIPAA Privacy Rule • Annotated to Reflect August 14, 2002 Modifications; HIPAA Advisory.com/Courtesy of William MacBain, MacBain & MacBain, LLC • Public Law 104-191, August 21, 1996, An Act • http://www.hhs.gov/ocr/hipaa
