HIPAA Basic Privacy Training
Medical Protective, 2015
Objectives
By the end of this program, participants should be able to:
• Discuss the background and purpose of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
• Identify the ways in which HIPAA applies to healthcare providers
• Review basic HIPAA definitions
• Apply HIPAA basics in the practice setting
What is HIPAA?
HIPAA is a federal law enacted in 1996.
The original intent of HIPAA was to reduce costs, simplify administrative processes, and improve the privacy and security of individuals’ health information in the healthcare industry.
HIPAA has five major provisions.
HIPAA’s Privacy Rule was enacted to protect the confidentiality of patients’ health information.
Definitions
Covered Entity (CE): Healthcare providers, health plans, and healthcare clearinghouses who electronically transmit any health information.
Protected Health Information (PHI): Information the CE creates or receives that identifies the patient, including demographic information (e.g., addresses, phone numbers, etc.). PHI can relate to the past, present, or future physical or mental health or condition of a patient.
Business Associate (BA): A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a CE.
Breach: An impermissible use or disclosure of PHI that compromises the security or privacy of PHI.
To Whom Does HIPAA Apply?
HIPAA applies to all staff (including temporary staff, students, and volunteers) and any vendors (business associates) that have access to PHI.
Staff responsibilities
All staff members have a duty to:
• Maintain the confidentiality of patients’ PHI as required by HIPAA
• Use, view, or discuss patients’ PHI only as required by job responsibilities
• Understand HIPAA policies
• Immediately notify the organization’s privacy officer of any suspected or actual breach of patients’ PHI
• Direct questions or concerns to the organization’s privacy officer
NOTE: Never informally discuss or make comments about patients.
Applying HIPAA in the Practice Setting
• The Notice of Privacy Practices sets forth how an organization will use and disclose patients’ PHI (including examples).
• All patients are required to have an opportunity to obtain and read a copy of the organization’s Notice of Privacy Practices and sign an acknowledgement form on their first visit or encounter.
Releasing Patients’ PHI — Patient Rights
Patients have a right to:
• View and receive a copy of their medical records
• Request amendments or changes to their medical records
• Request restrictions to the use or disclosure of their PHI
• Request an accounting of the disclosures of their PHI
Releasing Patients’ PHI — Basic Rules
Patients’ information can be released without authorization if the purpose is for treatment, payment, or healthcare operations.
Disclosure of patients’ PHI for anything other than treatment, payment, or healthcare operations requires completion of an authorization.
Certain exceptions exist for public health monitoring activities (e.g., disease reporting), government oversight, and some law enforcement investigations; however, staff should always consult with the privacy officer to ensure proper release.
Disclosure of PHI to BAs
Authorizations are not required for BAs who perform certain functions for the CE.
Examples of BAs include billing companies, transcription services, IT vendors, and accountants.
Patient authorizations are not necessary for BAs; however, business associate agreements — which set out the duties required of the BA to protect patients’ PHI — are required.
What is the Minimum Necessary Standard?
Whenever patients’ PHI is used or disclosed, whether to another CE or BA, only the information necessary to accomplish the intended purpose should be disclosed.
Example: The practice uses a collection agency that has requested billing information on several patients. The practice sends the billing information, but also includes patients’ diagnostic information. The collection agency does not need the diagnostic information to perform its tasks; thus, the practice has violated the minimum necessary standard.
Breach Notification — Examples
NOTE: Staff should immediately notify a supervisor or privacy officer if they suspect or discover a breach has occurred.
• Looking at a neighbor’s medical record out of curiosity
• Mailing billing information to the wrong patient
• Losing an unencrypted thumb drive
• Talking to a family member about a patient
• Providing records to an attorney without authorization
• Lost or stolen computer that contains PHI
Civil Monetary Penalties
• Failure to comply with policies and procedures may result in corrective action.
• CEs (including individual employees) and BAs are subject to civil monetary penalties (fines) and criminal penalties.
Criminal Penalties
Prohibited conduct and the corresponding penalty:
• Knowingly obtaining or disclosing PHI without authorization: up to $50,000 fine and 1 year in prison
• If done under false pretenses: up to $100,000 fine and 5 years in prison
• If done with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm: up to $250,000 fine and 10 years in prison
Source: 42 U.S.C. § 1320d-5(d)
Frequently Asked Questions
Q: Can I call a patient’s name in the waiting room?
A: Yes, as long as the patient does not object.
Q: A patient’s spouse calls to ask about recent test results. Can I provide him/her with this information?
A: You can provide the information only if the patient has listed his/her spouse as a person who may receive their PHI.
Q: Can I fax or mail a copy of a patient’s medical record?
A: Yes, if the patient designates faxing or mailing as the way he/she wants to receive a copy of the record. The patient should sign an authorization to provide a record of the release.
Q: The patient asks for his/her original record. Can I provide the original?
A: You should never release the original record, which is the property of the healthcare organization. HIPAA stipulates that patients may receive a copy. You can offer to allow the patient to inspect the original record onsite with someone present.
Q: The patient has requested that we do not provide information to his/her insurance company. Can we honor that request?
A: Yes, you are required to comply with the request as long as the patient pays for the services out of pocket.
Summary
Be familiar with HIPAA policies in your organization and how they specifically affect your job role.
Understand patients’ rights in relation to reviewing, requesting, and releasing PHI.
Understand rules in relation to the release of PHI to BAs, as well as the concept of “minimum necessary standard.”
Promptly report any suspected breaches.
Don’t hesitate to ask questions.