HIPAA Privacy and Security Requirements - PowerPoint PPT Presentation

Presentation Transcript

  1. HIPAA Privacy and Security Requirements What HIPAA requires staff to do to protect the privacy and safeguard the security of patient information

  2. Program Content • Overview of Privacy and Security • A Hypothetical Case History • Using and Sharing Information • The Notice of Privacy Practices • Authorization • Privacy Accounting • Patient Access to Health Information • Information Security • Wrap-up

  3. HIPAA Privacy & Security – Section 1 – Overview of Privacy and Security How HIPAA views privacy and security … and threats to privacy and security

  4. Privacy & Security Goals • The goals of privacy— • Patient control over sharing of information • Disclosure of how information will be used • The goals of security— • Information available to those who need it • Information not available to those who don’t

  5. Key Concepts and Terms • Protected Health Information • Use and Disclosure • Notice and Acknowledgement • Authorization • Business Associate • Workforce • Personal Representative • Minimum necessary

  6. Key Concepts and Terms – Protected Health Information • General definition • Information that identifies an individual and describes his/her medical condition or treatment • Specifically includes • Clinical information • Information on payment • Basic demographic information • Name, address, and telephone number • Applies to written and electronic information

  7. Key Concepts and Terms – Use and Disclosure • Information is used by members of our workforce for • Collection of information by clinical staff • Review of patient charts by clinical staff • Completion of billing forms by clerical staff • Accounting and bookkeeping entries • Information is disclosed when it is shared with others • Transmission of information to a health plan • Transmission of information to a billing service • Transmission of prescriptions to a pharmacy • Consultation with an independent provider • Reporting to government agencies

  8. Key Concepts and Terms – Notice and Acknowledgement • Notice of Privacy Practices • A statement given to each patient describing how the practice will use and disclose health information and outlining the patient’s rights under HIPAA • Acknowledgement • Written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it

  9. Key Concepts and Terms – Authorization • Required for uses and disclosures other than for • Treatment • Payment • Health care operations • To comply with legal mandates • Signed by the patient or patient’s personal representative

  10. Key Concepts and Terms – Workforce • Members of the medical practice • Employees of the medical practice • Independent contractors we hire

  11. Key Concepts and Terms – Business Associate • An entity that performs services for the practice • Examples: • Billing services • Accreditation agencies • Must give satisfactory assurances

  12. Key Concepts and Terms – Personal Representative • A person who can act on behalf of the patient • Must have legal authority to act on the patient’s behalf • A personal representative may: • Acknowledge the Notice of Privacy Practices • Authorize use and disclosure of information • Request and receive an accounting of use and disclosure • Request amendment of health information

  13. Key Concepts and Terms – Minimum necessary • HIPAA limits use and disclosure of protected health information to the ‘minimum necessary’ to accomplish an intended purpose • Examples: • Any information requested for treatment • Any information in a standard transaction • Information required by administrative task • Information specified in request from • Law enforcement officials • Regulatory officials • Subpoena or court order

  14. Quiz 1: Key Concepts • Does protected health information include the patient’s name, address, and basic demographic information? • Do privacy protections apply to both information recorded on paper and information stored electronically? • Can a family member or close personal friend act as the representative of the patient? • Is a business associate contract required only for those business associates who create or process protected health information?

  15. HIPAA Privacy & Security – Section 2 – A Hypothetical Case History The privacy regulation in action: An overview

  16. A Hypothetical Case History • A patient calls for an appointment • The patient arrives for first visit • The patient is called by the nurse • Care discussed with patient’s spouse • Claim prepared and submitted to health plan • Newsletter sent to practice’s patients • Mailing list requested by local pharmacy • Patient requests accounting of disclosures • Patient asks for information from chart • Patient requests correction of information

  17. A Hypothetical Case History – Making an appointment • Collect basic patient information • Name • Telephone number • Health plan • Information is protected • Does not violate privacy rules

  18. A Hypothetical Case History – Patient Arrival • Patient is given the Notice • Staff seek Acknowledgement of Notice

  19. A Hypothetical Case History – In the Waiting Room • Disclosure of limited information • Patient’s signature on “sign-in” sheet • Staff call patient from waiting area • Does not violate privacy rules

  20. A Hypothetical Case History – Discussion with patient’s spouse • Information shared with family members • Patient has opportunity to object • Does not violate privacy rules

  21. A Hypothetical Case History – Claim Submission • Disclosure of information to health plan • Does not require patient authorization • Does not violate privacy rules

  22. A Hypothetical Case History – Patient Newsletter • Uses protected information • Does not require authorization • Does not violate privacy rules

  23. A Hypothetical Case History – Mailing lists • Must have patient’s permission to sell or provide mailing lists to other organizations

  24. A Hypothetical Case History – Accounting for disclosures • Must provide list of certain disclosures • When requested by patient

  25. A Hypothetical Case History – Copying information from chart • Must allow patients to inspect charts • Must provide copies when requested

  26. A Hypothetical Case History – Correction of information • Patients may request ‘corrections’ • No obligation to make changes • Must document request and any changes

  27. HIPAA Privacy & Security – Section 3 – Using & Sharing Information Who can have what information and under what circumstances?

  28. Overview • Uses and disclosures that… • Do not require patient authorization • Require specific patient authorization • Disclosures to family members • Incidental disclosures

  29. Authorization not needed for… • Treatment of the patient • Obtaining payment • Our day-to-day operations • Legally mandated reporting or disclosure

  30. Authorization not needed – Use and Disclosure for Treatment • Definition of treatment • Collection of information • Review of patient records and test results • Consultation with other providers • Referral to another provider • Transmitting information to other providers • No restriction on information sharing

  31. Authorization not needed – Use and Disclosure for Payment • Definition of payment • Eligibility inquiries • Coverage determinations • Submission of claims • Claim status inquiries • Remittance of payment • Credit card and other payment methods • Standard transaction data elements

  32. Authorization not needed – Use and Disclosure for Operations • Health Care Operations include: • Maintenance of medical records • Maintenance of accounting records • Quality assurance activities • Staff credentialing and performance evaluation • Conducting financial and management audits • Investigating complaints • Supporting legal activities • Resolving grievances • General business management • Staff may use and disclose only the minimum necessary information

  33. Authorization not needed – Legally Mandated Disclosures • Police and Law Enforcement • Public Health Reporting • Reportable infectious diseases • Vital events (birth and death) • Abuse and Neglect Reporting • Licensing and regulatory oversight • Legal proceedings

  34. Disclosures to Family Members • Disclosure is permitted… • To spouses • To parents and legal guardians • To others involved in care • Obtaining patient’s permission • When patient is able to object • When patient is not able to object • Allows sharing of information related to the patient’s care

  35. Incidental Disclosures • Examples of incidental disclosure • An overheard conversation among staff members • An overheard discussion between staff and patients • An overheard telephone call to a patient • Test results being filed in patient records • Incidental disclosures are permitted … but should be avoided • Incidental disclosures need not be documented • Try to minimize incidental disclosures! • Conduct discussions in private areas • Limit discussion when others are present

  36. Quiz 2: Using & Sharing Information • Are there any limits on the use or disclosure of patient information for the purpose of treatment? • Does a patient have to authorize the disclosure of information to a health plan? • Does a patient have to authorize disclosure of information to law enforcement agencies? • Does HIPAA prevent us from complying with state-mandated disease reporting, e.g., for infectious diseases? • Can we use patient information for any purpose without obtaining the patient’s authorization?

  37. HIPAA Privacy & Security – Section 4 – Notice of Privacy Practices Helping patients understand how their information will be used – and how their privacy is protected

  38. What the Notice Tells Patients • How their information will be used • With whom their information will be shared • When an authorization is needed • How to request an accounting of uses and disclosures • How to request access to information • How to request changes in information

  39. Review of the Notice • Uses and disclosures that don’t require authorization • Treatment • Payment • Health care operations • Legally mandated disclosures • Patient rights • Request restrictions on use and disclosure • Request confidential communications • Obtain an accounting of uses and disclosures • Review protected health information • Request changes to information

  40. Providing the Notice to Patients • Responsibility of receptionist • Provide during first patient visit • Review key provisions • Discuss and resolve requests for… • Restrictions on use and disclosure • Confidential communications

  41. Acknowledgement By Patient • Staff must try to obtain acknowledgement • Documents that notice was given • Required on first visit only • Obtain prior to treatment • Use of acknowledgement form • Patient signature and date • Document attempt if patient can’t acknowledge • Emergency treatment exception • Patient gets a copy of the acknowledgement • Original filed with patient record

  42. Quiz 3: Notice of Privacy Practices • Does a patient have to be given a Notice prior to treatment? • Does a patient have to be given a Notice on each visit? • Does the patient have to sign the acknowledgement of the Notice? • Do staff have to document a patient’s inability or refusal to sign an acknowledgement of the Notice? • Can a patient restrict use and disclosure of protected health information?

  43. HIPAA Privacy & Security – Section 5 – Authorization Using and disclosing information for purposes not covered by the notice

  44. When is authorization needed? • Medical/clinical research • Investigational treatment • Research protocols • Exception for “de-identified” data • Marketing • Promoting third-party products/services • Providing mailing lists to others • Other uses and disclosures except • For treatment, payment, health care operations • To comply with legal mandates

  45. Content of Authorization • Authorization must… • Identify the information to be used or disclosed • Identify users/persons to whom disclosed • Identify purposes of use or disclosure • Note the potential for redisclosure • Conditioning treatment on authorization • Treatment available only to research subjects • Treatment requested by the patient for disclosure • Authorization may be signed by… • Patient, or • Patient representative

  46. Obtaining Authorization • Review authorization form with patient • What information will be used • What the information will be used for • Who will use the information • Note the potential for re-disclosure • Obtain patient/representative signature • File authorization form in records

  47. Quiz 4: Authorization • Is an authorization needed if a patient has signed a consent to participate in a research program? • Does an authorization have to specify the information to be disclosed and the purpose of the disclosure? • Does an authorization have to identify who will use or receive the information? • Does a patient have to authorize disclosure of a camp or school physical? • Can a patient be denied care if he or she doesn’t authorize use or disclosure of information in a research study? • Does a patient have to authorize disclosure of information to himself or herself or to a spouse?

  48. HIPAA Privacy & Security – Section 6 – Privacy Accounting Informing patients of certain uses and disclosures of protected health information

  49. Recording Uses/Disclosures • The goal of the accounting • Let patients know who has received their information – and why • Facilitate amendment/correction when erroneous information has been disclosed • Does not require tracking of… • Uses and disclosures for purposes of treatment, payment, and health care operations • Uses and disclosures covered by an authorization • Bottom line: only requires tracking and disclosure of… • Legally mandated disclosures • Unauthorized disclosures

  50. Requesting an Accounting • Patients submit an accounting request • Fees for accounting • No charge for first accounting • May charge for second and subsequent accountings in a 12-month period