
Indiana University School of Optometry


Presentation Transcript


    1. Indiana University School of Optometry
       HIPAA training module
       Staff, Faculty, Students
       DATE: May 2009

    2. WHAT DOES HIPAA STAND FOR?
       HIPAA stands for: Health Insurance Portability and Accountability Act of 1996
       WHO DOES HIPAA AFFECT?
       HIPAA is a regulation that affects the entire healthcare system, from patients to employers, health plans, physician offices, hospitals, optometric offices, dental offices, billing companies, healthcare clearinghouses and other entities providing healthcare treatment.
       WHAT IS THE SCOPE OF HIPAA?
       HIPAA affects the privacy and security of protected health information.

    3. Training
       WHY DO YOU NEED TO KNOW ABOUT HIPAA?
       Because you work in a medical environment, you may have access to patient health information. This training module will help you to understand your responsibilities under HIPAA when working with this information.
       All healthcare providers who conduct financial and administrative transactions are required to comply with HIPAA. This includes all students, faculty, staff and even volunteers.

    4. HIPAA Standards
       - The Privacy Rule
       - The Security Standard

    5. Privacy Rule
       The Privacy Rule became effective April 14, 2003 and is intended to protect or safeguard the privacy of protected health information.
       Protected Health Information: PHI can take many forms, including printed information as well as verbal or electronic communications and records. Examples include, but are not limited to: medical records, notes entered into a PDA, telephone conversations, e-mails, faxes, reports, verbal conversations, billing information, etc. Under HIPAA, PHI must be kept private and secure.
       Notice of Privacy Practices
       - Right to receive a “Notice of Privacy Practices”
       - Right to authorize any use or disclosure of protected health information
       - Right to restrict use or disclosure of protected health information
       - Right to an accounting of disclosures of protected health information
       - Right to inspect, copy and request amendments to protected health information

    6. CONFIDENTIALITY OF HEALTH INFORMATION
       Indiana University School of Optometry believes that all patients and employees have the right to have their medical, financial, personal and other information, records, data, etc., protected from unauthorized viewing, discussion or disclosure. In order to safeguard this right, employees may only look at, use, discuss or disclose Company, Patient or Employee information for reasons which are necessary to the performance of their assigned duties.
       - Protected health information can be shared with other outside providers and members of the staff on a “need to know” basis.
       - Confidential information is never to be discussed verbally in open, public areas.
       - Disclose information only with the authorization of the adult patient or the parent/legal guardian of a child under the age of 18.

    7. CONFIDENTIALITY OF HEALTH INFORMATION CONT’D
       - Protected health information should only be given out via the telephone in limited circumstances. Verification of the requestor and of their need for the information must be obtained.
       - If the patient or the parent of a minor is not available, a scheduled appointment may be confirmed by leaving a message, but no specific information regarding the nature of the appointment may be left.
       - Do not leave specific test results or the details of the test given on an answering machine. Leave only a message to call a specific staff member’s name and the appropriate phone number.

    8. CONFIDENTIALITY OF HEALTH INFORMATION CONT’D
       CHALLENGING INDIVIDUALS
       Each employee is responsible for challenging an individual who accesses areas that contain protected health information. Employees should question and verify that individual’s need to access the area.
       BREACH OF CONFIDENTIALITY
       A breach of University, patient or employee confidentiality, whether intentional or unintentional, may result in the immediate termination of employment.

    9. WAYS TO MAINTAIN CONFIDENTIALITY
       - Discuss patient information privately; never in elevators, lobbies, or corridors.
       - Charts, forms and information containing patient information should be face down and, if in a mailbox or wall box, should face the wall or door.
       - Dispose of unnecessary patient information in proper receptacles for shredding, not ordinary trash.

    10. FAXING PROTECTED HEALTH INFORMATION
       All appropriate measures should be taken to protect the confidentiality of patient information whenever fax machines are used as a mechanism for transmission.
       - A cover sheet containing a standard confidentiality statement must be used with each transmission of protected health information.
       - All pre-programmed fax numbers must be verified for accuracy on an annual basis. Create a checklist of pre-programmed fax numbers to be verified annually.
       - All fax machines and printers that are used for transmitting or printing protected health information must be placed in secure areas. A secure area is one that is not accessible to the general public and not easily accessed by patients or other individuals.

    11. ACCESSING PROTECTED HEALTH INFORMATION
       Direct access to patient medical records for routine business functions shall not be permitted except to treating optometrists, students and Indiana University School of Optometry employees who: display the proper identification, have a “need to know” to perform their job duties, and have been instructed on policies of confidentiality, including penalties arising from violation.
       How will HIPAA impact you?
       - Do not ask for more information than you need.
       - Do not use more information than you need, even if the information is accessible.
       - Do not share more information than is necessary with an authorized person.

    12. ACCESSING PROTECTED HEALTH INFORMATION
       You have a right to use and share Protected Health Information, and you should do so with care and discretion. Incidental disclosures that occur as a by-product of permitted communications are not violations of the HIPAA Privacy Rule, as long as you take reasonable care to protect a patient’s confidentiality and limit the amount of information you use and share according to the minimum necessary.
       HIPAA applies to all students, volunteers, faculty and staff that have access to PHI, even if you do not see patients.
       If you participate in medical research, then you should be aware that HIPAA provides special rules regarding the use of Protected Health Information (PHI) in research. You may not use and disclose PHI for research purposes just because you treat the patient or otherwise have access to the information. You should keep all research data confidential and secure when working on an approved research study. For more information regarding HIPAA research requirements, please refer to the Research Standard Operating Procedures published on the Indiana University Office of Research Administration website: http://www.researchadmin.iu.edu/

    13. ACCESS TO INFORMATION
       Patients have the right to access and obtain a copy of their medical or billing information. Patients at our facilities have always had this right, unless prohibited by law. We must act upon a request within 30 days (60 days if the information is off-site).

    14. AUTHORIZATION
       A valid authorization must be in writing and contain the following items:
       - name and address of the patient
       - name of the person or facility requesting the release of the patient’s record
       - name of the person or provider to whom the patient’s health record is to be released
       - purpose of the release
       - specific and meaningful description of the information to be released from the health record
       - signature of the patient, or the signature of the patient’s legal representative
       - date on which the consent was signed
       - statement of the individual’s right to revoke the authorization
       - date, event, or condition on which the consent will expire if not previously revoked

    15. AUTHORIZATION IS NOT REQUIRED FOR THE FOLLOWING:
       For Payment reasons:
       - To the patient’s health insurance in pursuit of payment
       - To Billing/Auditing personnel with a need to know
       For Treatment reasons:
       - Emergency release via telephone for patient care
       - Release to health care providers who are involved in the treatment of the patient and have a demonstrated need
       - Direct patient transfer to other health care facilities
       - Referrals within IUSO for further evaluation or treatment
       - Facilitating conversation for patients with limited English proficiency
       - To spouses, friends, and family members if the provider can reasonably infer that the patient does not object and it is in their best interest
       For Operational reasons:
       - Research/audits by governmental agencies
       - Peer Review / QA review
       - COE accreditation visits
       - Risk Management

    16. AUTHORIZATION IS REQUIRED FOR THE FOLLOWING:
       - Attorneys not directly employed by IUSO (requests for records after accidents, etc.)
       - Insurance companies (that are not part of the patient’s bill at IUSO)
       - Life insurance
       - Employers/employment agencies
       - Armed forces
       - Health care facilities, if not a direct patient transfer or the listed referring physician
       - Prisoners: records cannot be released directly to a prisoner. Information may be released to the Medical Director or to the superintendent of the facility where the prisoner resides. The medical director or the superintendent may sign the authorization.
       - Residents of boys’ / girls’ schools (the same rules as for prisoners apply)
       - Schools (authorization is accepted from the superintendent of the school system in lieu of patient/parent/guardian)
       - Physicians not on IUSO staff, unless we are referring the patient for care
       - Social agencies
       - Disability determination
       - Workers’ Compensation

    17. THE FOLLOWING DISCLOSURES ARE REQUIRED BY LAW:
       - Follow-up by child protective services/prosecutor’s office when IUSO has filed a request
       - To avert a serious threat to health or safety
       - To facilitate organ or tissue donation
       - Public health risks:
         - To prevent or control disease, injury or disability
         - To report any abuse or neglect of a patient
         - To report reactions to medications or problems with products (FDA, etc.)
         - To notify patients of a recall of a medication or product they may be using
         - To notify a person who may have been exposed to a disease or at risk for contracting or spreading a disease or condition
       - Health oversight activities (qualified state and federal surveyors with proper identification)

    18. THE FOLLOWING DISCLOSURES ARE REQUIRED BY LAW CONT’D:
       - National Security and Intelligence Activities
       - Protective Services for the President and others
       - Law Enforcement:
         - In response to a court order, subpoena, warrant, summons or similar process
         - To identify or locate a suspect, fugitive, material witness, or missing person
         - About the victim of a crime if, under certain limited circumstances, we are unable to obtain the victim’s agreement
         - About criminal conduct at IUSO
         - In emergency circumstances, to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime
       - Medical information about foreign military personnel to the appropriate foreign military authority

    19. REQUEST FOR AMENDMENT
       Individuals have the right to request an amendment to their designated record set (medical or billing records) for as long as IUSO maintains the information. All requests for amendments must be made in writing, and IUSO has 60 days to act (with a possible 30-day extension).
       IUSO must:
       - notify the individual that the amendment was accepted
       - inform relevant persons identified by the individual
       *We can never delete the original information.* The amendment allows the patient to supply a written supplement to their protected health information.

    20. DENYING A REQUEST FOR AMENDMENT
       We may deny the patient’s request for amendment if the information:
       - was not created by us (unless the originator is no longer available)
       - is not part of their medical or billing records
       - was not available for inspection
       - is accurate and complete

    21. DENYING A REQUEST FOR AMENDMENT
       What steps do we take when we deny the request for amendment?
       - We must provide timely, written notice of the denial to the individual. The notice must explain the following:
         - reason for denial
         - right to submit a written statement of disagreement, or to have the request and denial included with future disclosures
         - individual’s right to complain to us or directly to the government
       - We may prepare a rebuttal statement to the individual’s statement of disagreement; a copy of the rebuttal statement must be given to the individual.
       - We must include the request and denial with future disclosures.

    22. ACCOUNTING OF DISCLOSURES
       Individuals have the right to request an “accounting of disclosures.” The request must be made in writing. The following disclosures of health information do not require tracking:
       - Disclosures for treatment, payment and healthcare operations
       - Disclosures made to the individual or authorized by the individual
       - Disclosures made to persons involved in the individual’s care
       - Disclosures for national security or intelligence purposes
       - Disclosures to correctional institutions or law enforcement
       - Disclosures made prior to the compliance date of the privacy standard

    23. RIGHT TO REQUEST RESTRICTIONS
       Individuals have the right to request restrictions on the use and disclosure of their protected health information. We are not required to allow the restrictions, but we are required to permit the request. If IUSO agrees to the restrictions, we may not make uses or disclosures that are inconsistent with the restrictions, unless the uses or disclosures are mandated by law. The request for restrictions must be made in writing. IUSO will document and retain the restriction for a period of at least 6 years from the date of its creation or the date it was last in effect, whichever is later.

    24. BUSINESS ASSOCIATES
       Business Associate: A person or entity, other than a member of our workforce, who provides certain functions, activities, or services for IUSO involving the use and/or disclosure of protected health information. The Business Associate requirements do not apply to entities who disclose protected health information (PHI) to providers for treatment purposes.
       In order to comply with the Health Insurance Portability and Accountability Act (HIPAA), IUSO will maintain a central repository of all non-employment contracts and business associate agreements.

    25. The Security Standard
       The Security Standard applies to the security of an organization’s computer system and any information collected, obtained, transmitted or stored electronically.
       Indiana University School of Optometry (IUSO) must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information. “Reasonable safeguards” means that we must make reasonable efforts to prevent uses and disclosures not permitted by the rule.

    26. The Security Standard
       What are the information security standards for protection of e-PHI?
       - Information Security: means to ensure the confidentiality, integrity and availability of information through safeguards.
       - Confidentiality: the assurance that information will not be disclosed to unauthorized individuals or processes.
       - Integrity: the condition of data or information that has not been altered or destroyed in an unauthorized manner. Data from one system is consistently and accurately transferred to other systems.
       - Availability: the property that data or information is accessible and usable upon demand by an authorized person.

    27. The Security Standard
       What are the Federal Security Rule General Requirements? (45 CFR 164.306(a))
       - Ensure the confidentiality, integrity and availability (CIA) of all electronic Protected Health Information (e-PHI) that the covered entity creates, receives, maintains or transmits.
       - Protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI (e.g., hackers, viruses, data back-ups).
       - Protect against unauthorized disclosures.
       - Train workforce members.

    28. The Security Standard
       HIPAA mandates certain “safeguards” to keep Protected Health Information (PHI) secure: ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

    29. The Security Standard
       Password
       - Do not ever share your password with others.
       - Do not write down or store passwords where others may find them.
       Workstation
       - Lock your workstation if you leave it unattended for any length of time during the day, and prevent “shoulder surfing” when you are working.
       - Store sensitive data on Information Systems servers, not on your workstation.
       Notebooks/Portable Devices
       - Make sure computers, monitors, fax machines, PDAs and other equipment that may contain patient health information are kept in a secure location.

    30. The Security Standard
       Electronic Mail
       - Avoid sending sensitive information, including Patient Health Information, by e-mail.
       Removable Media
       - Keep media, including diskettes, CD/DVDs, Zip disks and other removable storage devices, in a secure, locked location.
       - When you are ready to dispose of the media, make sure all PHI is deleted or destroyed.

    31. The Security Standard
       The Security Standard is not just a requirement that technical people have to be concerned about. The bulk of the implementation will be administrative (including policies and procedures) and will require everyone to participate.
       The University has policies which outline your responsibilities as a workforce member. Prior to receiving an assigned Network ID for IUSO computing resources, you signed a User Agreement Form. By signing it you undertook the obligations specified for you. You must protect all IU-held data, not just ePHI.
       UITS Policies: http://www.itpo.iu.edu

    32. The Security Standard
       What are the consequences of security violations?
       - Risk to the integrity of confidential information (e.g., identity theft)
       - Loss of confidentiality, integrity and availability of data (and time) due to a poor or untested disaster data recovery plan
       - Loss of patients’ trust, employee trust and public trust
       - Costly reporting requirements
       - Internal disciplinary action(s), termination of employment
       - Penalties, prosecution and potential for sanctions/lawsuits

    33. RESOURCES FOR QUESTIONS
       - http://aspe.hhs.gov/admnsimp/Index.htm
       - http://www.ahima.org/
       - http://www.aha.org/hipaa/
       - http://www.hcfa.gov/medicaid/hipaa/
       - http://www.aamc.org/members/gir/gasp/
       Reference: Mary D. Brandt, Outlook Associates, Inc., “HIPAA Real World Strategies,” Joint Healthcare Information Technology Alliance, May 24, 2001

    34. Job Specific HIPAA examples
       The following examples addressing frequently asked questions are broken down by personnel category within the School of Optometry:
       - Receptionists / front office employees
       - Billing personnel
       - Technicians
       - Maintenance / shop workers
       - Faculty and students

    35. Receptionists
       Q: Can we use sign-in sheets in the clinic?
       A: Yes, as long as no health information is included on the sheet.
       Q: Can we leave messages for patients about their upcoming appointments?
       A: Yes, as long as no specific health information is included in the message.

    36. Receptionists
       Q: Can I release PHI to a patient’s spouse or another family member?
       A: Yes. We can release PHI to a patient’s spouse, relative, or close friend if we can reasonably infer that the patient does not object and that it will be in the patient’s best interest.

    37. Receptionists
       Q: Can I discuss a patient’s situation with them on the phone when other patients are at the desk or in the lobby?
       A: You may, but caution should be used to minimize exposure to others. This is an example of an incidental disclosure that is unavoidable in day-to-day practice.

    38. Receptionists
       Q: Can an adult who is not a child’s parent or legal guardian accompany them to the exam room? Can we share the child’s PHI with them?
       A: From a strictly HIPAA standpoint, yes, but other regulations governing minors may still mandate that parental consent is documented.

    39. Receptionists
       Q: Do all patients have to take a notice of our privacy practices?
       A: No. We must offer it to everyone one time. If they refuse it, simply document the attempt to give it to them.
       Q: Can we fax PHI?
       A: Yes, if standard precautions are taken to ensure reasonable security of the transmitted data.

    40. Receptionists
       Q: Is authorization required to release records / PHI to another doctor’s office?
       A: It depends. If the other provider is involved in the current, contiguous care of the patient, then no. If the patient has switched care to another office on their own (moved away, etc.) and that office requests records, then it requires the patient’s authorization.

    41. Billing personnel
       Q: Can I share a patient’s PHI with their insurance company?
       A: Yes. This is considered part of treatment, payment, or health care operations and does not require the patient’s authorization.
       Q: What information can I share?
       A: The minimum amount necessary to conduct the billing transaction (e.g., ICD-9 diagnosis codes and procedure codes).

    42. Technicians
       Q: Can we discuss a patient’s prescription with them on the dispensary floor?
       A: Yes, as long as reasonable precautions are taken to minimize disclosure to other patients. This would be an unavoidable incidental disclosure.
       Q: Can we leave messages stating that glasses or contacts are in?
       A: Yes, as long as no specifics regarding the prescription are included.

    43. Maintenance / shop workers
       Q: Can I access the health information in a patient’s chart?
       A: No. There would be no need for individuals in this job category to access such information in order to do their jobs.
       Q: Do we have to make major physical changes to our clinics?
       A: No. We are expected to take reasonable precautions to minimize unwanted disclosures, but major physical changes are not expected.

    44. Faculty / Students
       Q: Can we discuss a patient’s PHI with their family members on the phone?
       A: Yes, as long as we can reasonably infer that the patient does not object and it will be in their best interest.
       Q: What if one of those people is in the exam room with the patient?
       A: Yes. If they are in the exam room, it is assumed that their presence is acceptable to the patient.

    45. Faculty / Students
       Q: Can we discuss a patient’s PHI with other providers involved in their care, or with other providers to whom we are referring them?
       A: Yes. This is part of treatment and does not require authorization.

    46. Faculty / Students
       Q: Can we discuss patients’ conditions with our colleagues or use their information for case reports, etc.?
       A: Yes, as long as there is no information identifying the individual and they are not 90 years old or older. If any image of them is to be published, you still need their permission.

    47. Faculty / Students
       Q: Can I leave a message with the specific results of testing for a patient?
       A: No. Simply leave a message for the patient to get back in touch with you.

    48. Faculty / Students
       Q: Can we speak to a minor child’s relative regarding examination results if that relative is not a legal guardian?
       A: Again, HIPAA says yes, but other regulations may apply.
       Example: A woman takes her daughter and her niece in for an eye exam at the same time.

    49. NOTICE OF PRIVACY PRACTICES
       HIPAA requires us to inform all patients of our Notice of Privacy Practices (screenings are excluded).
       - Each patient will receive a copy one time.
       - Established patients will be asked to sign the Patient Intake Form to acknowledge that they have received the NPP. This will be placed on the chart.
       - New patients will acknowledge receipt with their signature on the demographic intake form.
       - Patients may request another copy of IUSO’s Notice of Privacy Practices at any time. A copy is on our web site and in the lobby of each clinic.
       There is a formal process for patients to:
       - Request copies of their medical record
       - Obtain a list of who has accessed their information
       - Make amendments to their medical records
       - Complain to IUSO or the Department of Health and Human Services about our privacy practices

    50. Indiana University School of Optometry
       Reminder:
       - PHI can take many forms
       - Under HIPAA, PHI must be kept private and secure
       - HIPAA applies to faculty, staff, students and volunteers
       - Ensure “safeguards” are in place to secure PHI
