HIPAA TRAINING - PowerPoint PPT Presentation

Presentation provided by Greater Columbia Behavioral Health

We must follow HIPAA regulations to protect consumers. The following slides will introduce HIPAA, including the reasons for it and how it impacts health care. At the end of the presentation you will be asked to complete several questions to assess your understanding of HIPAA and its impact on day-to-day health care. You must answer the questions in order to complete your HIPAA training.
By the time…

…you’ve completed this slideshow, you will be able to answer the following questions:

  • What is HIPAA and to whom does it apply?
  • What is PHI and how is it protected?
  • When are additional authorizations required?
  • What are the penalties for violation?
The Primary Intent…

and purpose of this law was to protect health insurance coverage for workers and their families when they changed or lost their jobs. It was recognized that this new protection would impose administrative burdens on health care providers, payers, and clearinghouses, and therefore, the law includes a section called Administrative Simplification. This section was designed to reduce the burden associated with the transfer of health information between organizations. The approach was to accelerate the move from paper-based administrative and financial transactions to electronic transactions through the establishment of nationwide standards.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was passed by Congress in 1996.

  • In addition to its goal of reducing health care costs nationwide by requiring the use of electronic data interchange (EDI) for routine health care transactions,
  • its goal was to protect the security and privacy of the health records used in these EDI transactions.

HIPAA contains Privacy & Security rules responding to health care concerns such as:
  • Fears that once patients’ records are stored electronically on networks, a couple of clicks could transmit those records worldwide
  • Loss of personal control over personal information
  • Anger at the constant barrage of marketing
HIPAA Security & Privacy rules…
  • Established federally mandated requirements for the creation, transmission, and disclosure of individually identifiable health information that affect anyone who encounters patient information

HIPAA uses the term PHI – Protected Health Information

PHI is…

Information relating to an identified individual’s past, present, or future:

  • Physical or mental health or condition
  • Provision of health care services
  • Payment for provision of health care

45 CFR 164.501

PHI includes…

Oral or recorded information, maintained or transmitted in any form or medium.

The law refers to ‘covered entities’ and the work that they perform as ‘covered functions’.

Covered Entities are Health Plans, Clearing Houses, and Providers.

HIPAA Business Associate (BA)

HIPAA extends beyond the walls of the covered entity to Business Associates…

Anyone who contracts with the covered entity is subject to the same HIPAA regulations as the covered entity. Examples are an entity’s shredding company, printing company, and other contractors.

The Patient – Consumer….
  • Is entitled to notice about how their PHI will be used
  • Is entitled to expect that caregivers will be careful with their PHI
  • Is entitled to a copy of their record
  • Is entitled to request correction of their record
  • Is entitled to receive confidential communications
  • Is entitled to complain about a disclosure of their PHI

All requests or complaints regarding these rights should be directed to the HIPAA Privacy/Security Officer at ______________.

HIPAA Requires that Patients Receive a Notice of Privacy Practices (NPP) that…
  • Advises the patient about the covered entity’s privacy practices.

Distribution of the NPP is usually done at the first face-to-face meeting, except in a major emergency or when the patient is incapacitated.

  • Covered entities must try to get a patient’s written acknowledgement of the receipt of the NPP or make a written record of why this was not done.
Use and Disclosure of PHI

A covered entity is permitted by HIPAA to use (internal) and disclose (external) PHI for the purposes of:

  • Treatment – the provision of health care
  • Payment – the provision of benefits & premium payment
  • Operations – normal business activities (reporting, data collection & eligibility checks, etc.)
The Minimum Necessary Rule…

The amount of PHI used or disclosed is restricted to the minimum amount of information necessary. Healthcare providers and health plans must make reasonable efforts not to use, disclose, or request more than is necessary to accomplish a task.

Exceptions are:

  • Disclosure to a provider for treatment
  • Release to an individual of their own PHI
  • Disclosures required by law
Minimum Necessary and TPO

TPO is Treatment, Payment, and Operations.

  • Patients must provide consent for use of PHI in treatment, payment, and healthcare operations.
  • Providers and health plans must distinguish activities that fall outside TPO such as research, fundraising, and marketing.
The “minimum necessary” rule does not restrict the information used or disclosed in treatment.

The “minimum necessary” rule does apply to payment and health care operations.

Besides for use in TPO, when should an entity disclose PHI?...
  • A covered entity is required to disclose PHI to:
    • An individual (their own PHI) when requested
    • The Secretary of the U.S. Department of Health and Human Services for investigation of complaints or to determine a covered entity’s compliance.
  • A covered entity is permitted to disclose PHI in special circumstances such as:
    • required by law
    • court proceedings
    • to avert a serious threat to health or safety
    • emergencies
    • abuse/neglect
    • special government functions
A co-worker is on the phone discussing a treatment-related issue. You inadvertently overhear PHI about a patient.

What should you do?

A co-worker calls you and asks for information about a friend’s mental health encounter.

How do you respond?

Before looking at a consumer’s health information, ask yourself one simple question:

“Do I need to know this to do my job?”

Before sharing a consumer’s health information, ask yourself:

“Does this person need to know this to do their job?”

You are advised that a visitor has arrived to see you. You are currently busy completing a work-related task. However, the visitor has come by several times before and knows where you are located.

Should the visitor be allowed to enter on their own?

Have all visitors, including family and ex-employees, escorted by an employee when entering or exiting the facility.

You should also ensure that all PHI is obscured from view prior to the arrival of the visitor.

HIPAA Authorization…

Is written authorization from a patient to use or disclose PHI for specific purposes (such as employment-related purposes, research or marketing; it is also needed for psychotherapy notes).

An authorization can be revoked at any time in writing.

It must include the name of the patient, the purpose of the disclosure, an expiration date, a signature and date, and an explanation of how to revoke the authorization.

Authorization to Disclose Psychotherapy Notes

Psych notes are recorded during a counseling session. The notes are to be kept separate from the rest of the patient’s record.

Psych notes exclude:

  • Prescription info and monitoring
  • Session start & stop times
  • Modalities & frequencies of treatment
  • Results of clinical tests
  • Summaries of diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date.
Psych notes are granted special protection under HIPAA.

A separate authorization is required to release psych notes, except for the following uses and disclosures:

  • Use of notes by the originator for treatment
  • Use by the covered entity for training
  • Use in defense in a legal action
  • Disclosure to HHS for HIPAA enforcement
  • Use by a coroner or medical examiner
Unlike other health records, psychotherapy notes are not subject to disclosure to the patient.
What is the NPI?
  • The National Provider Identifier (NPI) is the unique health identifier for health care providers. The NPI is a 10-digit numeric identifier with a check digit.
  • The National Provider System (NPS) will be the system used to assign unique numbers to health care providers.
  • Health Care Providers must obtain an NPI and use it on standard transactions; Health Plans and Health Care Clearinghouses must use the NPI to identify health care providers on standard transactions where the health care provider’s identifier is required.
  • Health Care Providers, Health Plans (except small health plans), and Health Care Clearinghouses must comply with the implementation no later than May 23, 2007. Small Health Plans must comply with the NPI implementation specifications no later than May 23, 2008.
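The check digit mentioned above can be verified mechanically. The Python below is an added example, not part of the training slides: it applies the Luhn formula over the constant prefix 80840 plus the first nine digits, which is CMS's published scheme for the NPI (neither the prefix nor the Luhn step is stated on the slide), and the sample NPIs are constructed test values.

```python
# Added example: validating an NPI's check digit. CMS computes the check digit
# with the Luhn formula over the constant prefix 80840 (the issuer prefix
# assigned to the US health industry) followed by the first nine digits.
# The prefix and the Luhn step come from CMS's published scheme, not from
# the training slide, which only states "10 digits with a check digit".

NPI_PREFIX = "80840"


def luhn_sum(digits: str) -> int:
    """Luhn sum: walking from the right, double every second digit,
    fold two-digit products back to one digit, and add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # equivalent to adding the two digits of the product
        total += d
    return total


def npi_check_digit(first_nine: str) -> int:
    """Return the check digit that completes a nine-digit NPI body."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("NPI body must be exactly nine digits")
    # The check digit occupies the rightmost (undoubled) position, so sum
    # prefix + body with a placeholder '0' there and pick the digit that
    # brings the total to a multiple of ten.
    partial = luhn_sum(NPI_PREFIX + first_nine + "0")
    return (10 - partial % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True when npi is ten digits and its last digit is the correct Luhn
    check digit. Catches every single-digit typo and all adjacent
    transpositions except 09 <-> 90."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


if __name__ == "__main__":
    # Constructed test values, not real providers' identifiers.
    for candidate in ("1234567893", "1234567890", "1243567893", "123456789"):
        print(candidate, "valid" if is_valid_npi(candidate) else "INVALID")
```

A claims intake system would run this check before accepting a provider identifier on a standard transaction, rejecting mistyped values early rather than after the transaction is submitted.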
Code Sets…

HIPAA requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers. Code sets are the codes used to identify specific diagnoses and clinical procedures on claims and encounter forms. The HCPCS, CPT-4 and ICD-9 codes are examples of code sets for procedures and diagnoses.

In the context of HIPAA, privacy determines who should have access, what constitutes the patient’s rights to confidentiality, and what constitutes inappropriate access to health records.

Confidentiality establishes how the records (or the systems that hold those records) should be protected from inappropriate access.

Security is the means by which you ensure privacy and confidentiality.

Threats to health information security and privacy include:

  • Intentional misuse from internal personnel
  • Malicious or criminal misuse from internal personnel
  • Unauthorized physical intrusion of the data system by an external person
  • Unauthorized intrusion of the data system by an external person via information networks.

HIPAA mandates that security standards be applied in four main areas:
  • Administrative Procedures
  • Physical Safeguards
  • Protection for Data Storage
  • Protection for Data in Transit
Administrative Procedures

Covered entities need to:

  • Implement training programs
  • Have a contingency plan
  • Conduct a risk assessment
  • Create policies and procedures including a password policy
  • Have a formal mechanism for processing records
  • Follow a termination process
  • Establish roles and responsibilities for security
Physical Safeguards

Covered entities need to:

  • Secure physical access by locking doors, escorting visitors, wearing IDs
  • Secure unattended workstations by using password protected screensavers and locking computers when unattended. You can manually lock your workstation by holding down the Windows key and the L key.
  • Store notebook computers, PDAs, jump drives and any portable media in a secure place and password protect them
  • Encrypt PHI on notebooks, PDAs, jump drives, and on any portable media.
You are walking by a trash can and notice that a pile of consumer reports or other documents with PHI has been laid on top of the trash.

Should you be concerned?

Consumer information should never be thrown away in an unlocked bin unless it has been shredded or destroyed.
Protection for Data Storage

Covered entities need to:

  • Have a Data Back-up Plan
  • Have a Disaster Recovery Plan
  • Store Paper, Tapes, Disks securely
  • Dispose of Paper PHI securely
Protection for Data in Transit

Covered entities need to:

  • Use Encryption for PHI
  • Use Audit Trails
  • Report adverse events
  • Use precautions when sending PHI on faxes
What can I do?...The Basics
  • Keep your work area free of PHI when not present
  • Lock your computer when you walk away
  • Log off at the end of the day
  • Double check the number you’re calling before faxing PHI and pick up your faxes A.S.A.P. Use a cover page with a confidentiality statement.
  • Emails containing PHI may only be emailed to others on the entity’s domain. If transmitting PHI with a provider, you must use a VPN.
  • Don’t share your password
  • Dispose of sensitive materials in shredders or locked bins
What can I do? – The Basics (Continued)
  • If you have a building or door code, don’t share it.
  • Wear your ID
  • Escort your visitors
  • Talk quietly on the phone when it involves PHI or close your door if needed
  • Don’t access more PHI than you need to do your job
  • Don’t leave your notebook computer on the seat of your car
  • Don’t allow anyone at home to access your work
  • Report any security incidents immediately
When do I Report a Breach of PHI?...

Employees must report a breach to their supervisor when PHI shared does not pertain to:

  • Treatment
  • Payment
  • Operations
  • Consumer authorization
  • Uses and disclosures permissible under federal and state law
You are at the fax machine or printer to pick up a document. There is consumer PHI already in the receiving bin.

What should you do?

Notify the office manager or supervisor that there is PHI on the fax machine. They will deliver the document to the recipient, and if you see private information, keep it to yourself.
  • For PHI in the receiving bin of the printer, notify the HIPAA Privacy/Security Officer. Documents will be delivered to the recipient with a reminder not to leave PHI unattended on the printer.
Incidental Disclosures

Examples of incidental disclosures:

  • A patient seen in a waiting area
  • A conversation between a provider and a patient in a semi-private room heard by the other occupant

Incidental Disclosures are not violations if the covered entity has safeguards in place and they are observed by the staff.


Covered entities are required to develop and impose sanctions appropriate to the nature of the HIPAA violations. The type of sanction applied should vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of PHI. Sanctions can range from a warning to termination.

Penalties for Violations

Civil Penalties

Violations can result in civil monetary penalties of $100 per violation, up to $25,000 per year.

Criminal Penalties

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information in violation of HIPAA regulations face a fine of up to $50,000, as well as imprisonment up to 1 year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison. Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to 10 years.


The DHHS Office for Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid Services (CMS) enforces both the transaction and code set standards and the security standards (65 FR 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.

Of note…

According to reports, the US government has not imposed a single fine for violations of HIPAA.

There have been several complaints received by the Bush Administration on HIPAA violations. However, only two criminal cases have been prosecuted to date.

June 6, 2006, “HIPAA Compliance Journal”

The R.S.N. (Regional Support Network) HIPAA Policies & Agreements are available on their website at www.gcbh.org
  • Designated Record Set
  • Administrative Requirements for Implementation of HIPAA
  • Administrative Requirements – Documentation
  • Business Associate Addendum
  • Confidentiality and Security Agreement
  • Computer and Information Security
  • Computer and Information Security Agreement
  • Workstation Use and Portable Computer
  • Remote Access
  • Password Protection
  • Consumer Protected Health Information Rights
  • Confidentiality, Use and Disclosure of Protected Health Information
  • E-mail and Internet Security
  • FAX
  • HIPAA Complaint
  • Information Systems Security Checklist – Onsite Inspection
  • Sources of PHI – Inventory and Location
  • Privacy Officer Job Responsibilities
  • Sanction
  • HIPAA Training
  • Staff Training Plan for Privacy and Security
  • Virus Protection
  • HIPAA Administrative Simplification Definitions
  • Privacy and Security Plan
  • Removal of PHI from Office
  • GCBH Privacy Notice