Post on 11-Apr-2017
HIPAA: Health Insurance Portability and Accountability Act
WHAT IS HIPAA?
• Health Insurance Portability and Accountability Act
WHAT DOES HIPAA CONSIST OF?
• 1. Standardized Electronic Data Interchange transactions and codes for all covered entities.
• 2. Standards for security of data systems.
• 3. Privacy protections for individual health information.
• 4. Standard national identifiers for health care.
IMPORTANT HIPAA DEFINITIONS
• Privacy – the state of being concealed or kept from the view of others; the individual's interest in controlling who sees information about them.
• Confidentiality – the duty to protect information that is private (Ex. a medical record).
• Authorization – to give permission for; to grant power to.
• Breach of Confidentiality – to break an agreement, to violate a promise to keep information private.
• Disclosure – the release, transfer, provision of access to, or divulging of information outside the entity holding the information.
• Use – the sharing, employment, application, utilization, examination, or analysis of individually identifiable information within the entity holding the information.
THE LAWS AND RULES
IMPORTANT HIPAA TERMINOLOGY; PROTECTED HEALTH INFORMATION
• Protected Health Information [PHI] – information that is created or received by a covered entity and that:
  • Relates to the past, present, or future physical or mental health of an individual, or to the provision of or payment for health care; and
  • Identifies the individual or contains information that could reasonably be used to identify the individual.
• Examples of Protected Health Information:
  • Name, address, telephone, fax, email, social security number, medical diagnoses, medical records, account numbers and photographs or images.
IMPORTANT HIPAA TERMINOLOGY; COVERED ENTITIES
• Covered Entities [CE] – the organizations and persons directly subject to HIPAA and responsible for implementing its rules and regulations. They are:
  • Health Plans
  • Health Care Clearinghouses
  • Health Care Providers who conduct certain financial and administrative transactions electronically.
IMPORTANT HIPAA TERMINOLOGY; TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
• Treatment, Payment and Health Care Operations [TPO] – common uses and disclosures of Protected Health Information [PHI] for which HIPAA does not require an authorization.
IMPORTANT HIPAA TERMINOLOGY; NOTICE OF PRIVACY PRACTICES
• Notice of Privacy Practices [NPP] – a notice given to patients describing how their Protected Health Information [PHI] may be used and disclosed and what rights they have.
WHO CARRIES OUT HIPAA RULES AND REGULATIONS?
• Covered Entities are responsible for implementing HIPAA rules and regulations. These are:
  • Health Plans
  • Health Care Clearinghouses
  • Health Care Providers
WHAT MUST A COVERED ENTITY DO TO BE IN COMPLIANCE WITH HIPAA?
• Notify patients about their privacy rights and how their information can be used.
• Adopt and implement privacy procedures.
• Train employees so they understand the privacy procedures.
• Designate a Privacy Officer.
• Secure patient records containing Protected Health Information [PHI].
WHAT ARE A PATIENT’S RIGHTS UNDER HIPAA?
• Right to a written Notice of Privacy Practices [NPP] that informs patients how Protected Health Information [PHI] will be used and to whom it is disclosed
• Right of timely access to see and copy records for a reasonable fee
• Right to request an amendment of records
• Right to request restrictions on access and use
• Right to an accounting of disclosures
• Right to revoke an authorization
WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS? PRIVACY RULE
• The Privacy Rule:
  • Establishes a Federal floor of safeguards to protect the confidentiality of medical information.
  • Allows patients to make informed choices when seeking care and reimbursement for care, based on how their personal health information may be used.
• This rule protects Protected Health Information [PHI].
• Covered entities were required to comply with this rule from April 14, 2003.
• YOU MAY NOT RETALIATE AGAINST OR INTIMIDATE AN EMPLOYEE WHO FILES A HIPAA COMPLAINT.
WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS? REQUEST FOR AMENDMENT
• Request for Amendment is a patient's right to request, in writing, that health information or a record about the patient be amended.
• The Covered Entity does not have to agree to the amendment; however, if the CE does agree, the amendment becomes part of the patient's medical record.
WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS? REQUEST FOR RESTRICTIONS
• Request for Restrictions is a patient's right to request, in writing, a restriction or limitation on the health information that a Covered Entity uses or discloses.
• The Covered Entity is not required to agree to the restriction, but if it does agree it must honor it.
WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS? ACCOUNTING OF DISCLOSURES
• Accounting of Disclosures is the patient's right to request a list of the people and organizations who have received their Protected Health Information [PHI].
• Patients must submit a written Request for Accounting of Disclosures.
• A Covered Entity [CE] must respond to the patient's request for an accounting within 60 days of receipt of the request.
• Examples of disclosures that must appear in the accounting are disclosures that are:
  • Required by law
  • For public health activities
  • About victims of abuse, neglect, or domestic violence
  • For judicial and administrative proceedings
  • For research activities
  • For law enforcement activities
  • For workers' compensation
WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS? AUTHORIZATIONS
• An Authorization is a detailed document in which the patient gives a covered entity permission to use or disclose Protected Health Information [PHI] for specified purposes.
• It is required for any use or disclosure of Protected Health Information [PHI] not otherwise permitted by the Privacy Rule.
• Not required for Treatment, Payment and Health Care Operations [TPO].
• Not required for uses and disclosures required by law.
• AN AUTHORIZATION MAY BE REVOKED AT ANY TIME IN WRITING.
WHAT ARE THE REQUIREMENTS OF AN AUTHORIZATION?
• An Authorization must include:
  • The Protected Health Information [PHI] to be used and disclosed;
  • The person authorized to make the use or disclosure;
  • The person to whom the Covered Entity may make the disclosure;
  • An expiration date or expiration event;
  • The purpose for which the information may be used or disclosed; and
  • The patient's signature and the date signed.
WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS? MINIMUM NECESSARY STANDARD
• HIPAA requires Covered Entities to take reasonable steps to use, disclose or request only the information necessary for the purpose at hand [the minimum necessary amount of information needed to perform the job].
• The Minimum Necessary standard DOES NOT APPLY TO:
  • Disclosures to or requests by a health care provider for treatment
  • Disclosures to the individual who is the subject of the Protected Health Information [PHI]
  • Uses or disclosures made pursuant to an individual's authorization
  • Uses or disclosures that are required by law.
WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS? RESEARCH ACTIVITIES
• NO ONE is permitted to use Protected Health Information for research without complying with the HIPAA requirements.
• These HIPAA requirements are separate from, and in addition to, the existing federal human subject research regulations (the Common Rule).
• The Privacy Policies and Procedures do not replace or override other rules or procedures established by the Institutional Review Board [IRB]; both must be complied with in order to conduct human subject research.
HOW DO I PROTECT MY PATIENT’S PRIVACY?DO’S AND DON'TS
HOW DO I PROTECT MY PATIENT’S PRIVACY?SAFE COMPUTER AND FAX USE
HOW DO I PROTECT MY PATIENT’S PRIVACY?SAFEGUARDS
• Physical Safeguards
  • Computer terminals are not placed in public areas.
• Technical Safeguards
  • Every associate must keep his/her password confidential.
  • No photographs or recordings of any type are to be taken of patients in the clinical setting.
  • No cameras, tablets, cell phones or other electronic devices with photography capabilities are permitted in the clinical environment.
• Administrative Safeguards
  • Policy and procedure for release of patient information.
WHO ELSE IS RESPONSIBLE FOR PROTECTING PATIENT PRIVACY? BUSINESS ASSOCIATES
• Business Associate – a person or entity that performs a function or activity on behalf of a Covered Entity [CE] that requires the creation, use or disclosure of Protected Health Information [PHI], but who is not part of the Covered Entity's workforce.
• A Business Associate must have a written contract or agreement with the Covered Entity that assures it will appropriately safeguard the Protected Health Information [PHI] it creates or receives.
WHO ELSE IS RESPONSIBLE FOR PROTECTING PATIENT PRIVACY? BUSINESS ASSOCIATES PT. II
• Examples of Business Associates:
  • A third party administrator who assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist who provides transcription services to a physician.
  • A pharmacy benefits manager who manages a health plan's pharmacist network.
WHAT ARE SOME WAYS HIPAA CAN BE VIOLATED? INCIDENTAL DISCLOSURE
• An incidental disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure. It is not a violation if reasonable safeguards and the minimum necessary standard were applied.
• Examples of Incidental Disclosure:
  • A hospital visitor may overhear a provider's confidential conversation with another provider or a patient.
  • A hospital visitor may glimpse a patient's information on a sign-in sheet or nursing station whiteboard.
WHAT ARE SOME WAYS HIPAA CAN BE VIOLATED?
BREACH
• A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
WHAT IS DONE AFTER PATIENT PRIVACY HAS BEEN COMPROMISED? HITECH ACT
• What is the HITECH Act?
  • The Health Information Technology for Economic and Clinical Health [HITECH] Act, enacted as part of the American Recovery and Reinvestment Act of 2009, places additional privacy and security requirements on those who handle Protected Health Information [PHI].
  • It requires any entity that handles Protected Health Information [PHI] to report breaches, whether in paper or electronic form, within the timeframe that HITECH requires.
• HITECH extends HIPAA's requirements directly to the business associates of healthcare organizations, such as banks, claims clearinghouses, billing firms, health information exchanges and software companies.
WHAT ARE THE BREACH NOTIFICATION REQUIREMENTS?
• In the event of a breach of "Unsecured Protected Health Information" [PHI that has not been rendered unusable, unreadable or indecipherable, e.g. by encryption], notification is required to the affected individuals, to the government [HHS] and, if the breach involves more than 500 residents of a state or jurisdiction, to the media.
• Notifications must be sent without unreasonable delay and no later than 60 days after the breach is discovered.
• These breach requirements apply to both Covered Entities [CE] and their Business Associates.
• If a Covered Entity's Business Associate has a breach, the Business Associate must report it to the Covered Entity without unreasonable delay and within 60 days of discovery.
• The "snail mail" requirement states that the healthcare organization must send a first-class letter to each patient affected by the breach. [Electronic mail is allowed if the patient has agreed to receive electronic notices.]
WHAT ARE THE CONSEQUENCES OF NOT COMPLYING WITH HITECH?
• There are serious penalties for non-compliance: civil fines ranging from $100 to $50,000 per violation, depending on the level of culpability, capped at $25,000 to $1.5 million per calendar year for violations of the same provision.
• Criminal penalties of up to 1, 5 or 10 years in prison for knowingly obtaining or disclosing Protected Health Information in violation of the rules, with the longer terms reserved for offenses committed under false pretenses or for commercial advantage, personal gain or malicious harm.
• HITECH also created new methods of enforcement, allowing state attorneys general to bring civil actions to enforce HIPAA regulations.
WHAT ARE THE CONSEQUENCES OF NOT COMPLYING WITH HIPAA? PENALTIES FOR PRIVACY VIOLATIONS
• Civil Penalties under HIPAA [as originally enacted, before HITECH raised the amounts]:
  • $100 per violation, up to a maximum of $25,000 per calendar year for violations of the same requirement.
• Criminal Penalties under HIPAA:
  • Maximum of 10 years in prison and/or a $250,000 fine for the most serious offenses [obtaining or disclosing PHI with intent to sell it, or for commercial advantage, personal gain or malicious harm].
• Organization Actions:
  • Employee disciplinary actions, including suspension or termination, for violations of the organization's policies and procedures.
WHO ENFORCES MEDICAL PRIVACY REGULATIONS?
• The Office for Civil Rights [OCR] of the U.S. Department of Health and Human Services [HHS] enforces the HIPAA Privacy and Security Rules.
• A patient may complain to the Privacy Officer of the hospital, or file a complaint directly with the Secretary of HHS through the Office for Civil Rights.
ARE THERE OTHER LAWS THAT PROTECT PATIENT PRIVACY? STATE LAW VS. HIPAA
• HIPAA sets a floor, not a ceiling. If there is a conflict or inconsistency between an applicable state law and the HIPAA Privacy Rule, follow the law that provides the patient:
  • Greater privacy rights,
  • Greater access to information, or
  • Greater privacy protections.