HIPAA Privacy Training - DAS
Keeping It To Ourselves! Protecting Client Confidentiality…
Introduction
Presenters: Vin Lombardo, Henry Jovanelly, Gene Shook (Keane)
Purpose: Comply with the training requirements of HIPAA
Topics of Discussion: What is HIPAA
Health Insurance Portability and Accountability Act of 1996 (August 21), Public Law 104-191
It came out of the failed health-care reform effort of the Clinton administration. In the early 1990s there was a lot of concern about people who were restrained in moving from one employer to another because they were afraid of losing their health insurance due to pre-existing conditions. So although the overall health-reform efforts failed, one of the things that came out of those efforts was this bill, which was aimed at allowing the portability of health insurance by preventing insurers from imposing requirements about pre-existing conditions when you move from one employer to another. At the time, employers were concerned that this was going to lead to an increase in health insurance costs. So there was an effort made to reduce costs in the health-care system as a way of offsetting the increased costs caused by these portability requirements.
$30 Billion in savings over 10 years in administration costs ($18 Billion implementation cost)
Title II. Administrative Simplification
electronic healthcare transactions, must use a national standard format. The act designates standards for 10 specific transaction sets (835 Payment, 837 Claim).
of industry standard codes to be used with transactions. Various coding systems are already in use to identify:
2. Privacy and Confidentiality
This rule protects the privacy of information related to an individual's health, treatment, or healthcare payment.
3. Security of Health Information & Electronic Signature Standards
information that is:
have to meet:
4. Unique Identifiers for Providers, Employers, and Health Plans
assigned by different agencies and insurers. HIPAA sees this as confusing, conducive to error, and costly.
Protected Health Information (PHI) is information that identifies an individual and relates to the person’s physical or mental health or condition, the provision of health care to that person, or payment for the provision of health care to that person.
DAS will limit the disclosure of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose of the authorized use, disclosure, or request.
Some items that identify an individual are: name, address, telephone or fax number, email address, names of relatives, Social Security number, birth date, account number, name of employer, and any other item that can identify a person within a small sample…
DAS will identify, and make reasonable efforts to limit, access:
To those persons or classes of persons, as appropriate, in its workforce who need access to Protected Health Information (PHI) to carry out their duties
DAS will limit any request for Protected Health Information (PHI):
To that which is reasonably necessary to accomplish the purpose for which the authorized request is made
It just means that if a person needs a date from a file, don’t give them the whole file. Give authorized individuals the minimum necessary to get the job done.
DAS will de-identify Protected Health Information (PHI) (eliminate or cross out identifiers of the individual, or of relatives, employers, or household members of the individual) to limit the disclosure of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose of the authorized disclosure
This is not necessary for TPO (to carry out Treatment, Payment or health care Operations)
It is our policy that we respect the right of an individual to request restrictions on uses and disclosures of PHI and permit an individual to request confidential communication of PHI at alternative locations or by alternate means.
DAS will document the restriction and termination of the restriction, should it occur.
The following will apply to requests for alternative confidential communications:
DAS will not require an explanation from the individual
The uses and disclosures of PHI are then subject to the agreed upon restriction and/or the confidential communications requirements.
DAS will give an individual the right to access and inspect or obtain a copy of his/her PHI for as long as DAS maintains the PHI. DAS will act on a request for access no later than 30 days after receipt of the request.
DAS will verify the identity of a person requesting Protected Health Information (PHI) and the authority of any such person to have access to the Protected Health Information (PHI)
DAS is a Clearinghouse and only uses and discloses healthcare information for Treatment, Payment and Health Care Operations (TPO). The Client Agencies for which it processes the data have already obtained the appropriate authorizations and consents.
All employees are required to sign a confidentiality agreement as a condition of employment whereby they agree not to request, use or disclose protected information unless necessary to perform their job
Verification is done when the identity of the requestor is not known or when documentation is required
Routine communication, where entity relationships have been established, does not require special verification procedures
Verification Methods Examples:
Phone: Caller ID; if the caller is holding a statement, ask for identifying information from the statement; if not, ask for Social Security number, date of birth, …
Letter: Verify name and address
Signed Authorization, Claim Number, Company Tax ID Number, Letterhead, Callback, Copy of Appointing Document, Identification Badge, other official credentials; warrant, subpoena, order, or other legal process issued
Non-routine disclosures, not covered in the Policies and Procedures, must be reviewed on an individual basis by a Team Leader. Unresolved issues are to be brought to the DAS HIPAA Privacy Officer for resolution
A log recording all non-routine disclosures will be maintained. A copy covering the six years prior to the request will be made available to clients on request for $0.50 per page to cover the cost of copying and mailing
Non-routine disclosures will be recorded on the Avatar Admission Comments Screen within 60 days. Items to be keyed in:
Date of disclosure
Name of entity or person who received the PHI (address if known)
Brief description of PHI disclosed
Brief statement of purpose of disclosure
Use or Disclosure
See Team Leader/
(Treatment, Payment, Operations)
Proceedings, National Security, National Health
Marketing, Fund-Raising, Medical Research
*YES, where identity of requester is not known (like an unrecognized voice on the phone)
The verification requirements are met if DAS relies on the exercise of professional judgment or acts on a good faith belief in making a disclosure
DAS will create, document and maintain a position of privacy official that is responsible for the development, implementation and maintenance of the policies and procedures of DAS
Responsible for receiving complaints regarding privacy of Protected Health Information (PHI)
DAS will train all members of its workforce on the policies and procedures with respect to Protected Health Information (PHI) as necessary and appropriate for the members of the workforce to carry out their functions within DAS
DAS will have in place appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information (PHI).
Scalable confidentiality and security procedures, designated security officer, sanctions for violations, signed statement by all employees regarding confidentiality of data
Unique ID and Password, system stores password encrypted, weak passwords not allowed, automatic time logoff, system enforced password changes, firewall, virus checking
Secure computer room, secure access to displays and printers, secure destruction of printouts, other outputs and obsolete equipment, disaster recovery plan in place and tested
DAS will document all complaints received, and their disposition, if any, in written or electronic form. These documents must be retained for a period no less than six years
DAS will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone making a Privacy complaint
Consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce (can result in dismissal, other disciplinary actions, criminal prosecution and/or civil suit)
DAS will implement Policies and Procedures with respect to Protected Health Information (PHI) that are designed to comply with the standards, implementation specifications or other requirements of the Health Insurance Portability and Accountability Act of 1996
An organization or person who performs activities on behalf of, or in coordination with, DAS that involve the use or disclosure of individually identifiable health information
DAS will ensure continued privacy protections of health information by entering into a Business Associate Contract
Business Associate agrees that it shall be prohibited from using or disclosing the information provided or made available by DAS for any purpose other than as expressly permitted or required by the Contract
Business Associate Contract Covers:
Business Associate Contract wording will be included in every vendor contract’s terms and conditions for the state of Connecticut through DAS’ Procurement Unit
MOU will be executed between DAS and our partnering state agencies
It is all about information. There is an explosion of health information out there:
Just to give you a perspective on information today: The Internet is doubling in content every 100 days. The Sunday edition of the New York Times alone now contains more information than all the written information available in the 15th Century. There are more than 300,000 books published every year. When Columbus discovered America, the largest library in the world was the Queen’s College Library in Cambridge. It contained only 199 books. Most of us have more than that in our homes today.