HIPAA Basic Privacy Training - Medical Protective (Basics+2015.pdf), 2015

Transcript of HIPAA Basic Privacy Training (17 pages)

Page 1: HIPAA Basic Privacy Training, 2015

Page 2: Objectives

By the end of this program, participants should be able to:

• Discuss the background and purpose of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

• Identify the ways in which HIPAA applies to healthcare providers

• Review basic HIPAA definitions

• Apply HIPAA basics in the practice setting

Page 3: What is HIPAA?

HIPAA is a federal law enacted in 1996.

The original intent of HIPAA was to reduce costs, simplify administrative processes, and improve the privacy and security of individuals’ health information in the healthcare industry.

HIPAA has five major provisions (Titles I through V).

HIPAA’s Privacy Rule was enacted to protect the confidentiality of patients’ health information.

Page 4: Definitions

Covered Entity (CE): Healthcare providers, health plans, and healthcare clearinghouses that electronically transmit any health information in connection with a transaction covered by HIPAA.

Protected Health Information (PHI): Information the CE creates or receives that identifies the patient, including demographic information (e.g., addresses, phone numbers, etc.). PHI can relate to the past, present, or future physical or mental health or condition of a patient.

Business Associate (BA): A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a CE.

Breach: An impermissible use or disclosure of PHI that compromises the security or privacy of the PHI.

Page 5: To Whom Does HIPAA Apply?

HIPAA applies to all staff (including temporary staff, students, and volunteers) and any vendors (business associates) that have access to PHI.

Page 6: Staff Responsibilities

All staff members have a duty to:

• Maintain the confidentiality of patients’ PHI as required by HIPAA

• Use, view, or discuss patients’ PHI only as required by job responsibilities

• Understand HIPAA policies

• Immediately notify the organization’s privacy officer of any suspected or actual breach of patients’ PHI

• Direct questions or concerns to the organization’s privacy officer

NOTE: Never informally discuss or make comments about patients.

Page 7: Applying HIPAA in the Practice Setting

Notice of Privacy Practices

• The Notice of Privacy Practices sets forth how an organization will use and disclose patients’ PHI (including examples).

• All patients must be given an opportunity to obtain and read a copy of the organization’s Notice of Privacy Practices on their first visit or encounter, and the organization must make a good-faith effort to obtain the patient’s signed acknowledgement of receipt.

Page 8: Releasing Patients’ PHI — Patient Rights

Patients have a right to:

• View and receive a copy of their medical records

• Request amendments or changes to their medical records

• Request restrictions to the use or disclosure of their PHI

• Request an accounting of the disclosures of their PHI

Page 9: Releasing Patients’ PHI — Basic Rules

Patients’ information can be released without authorization if the purpose is for treatment, payment, or healthcare operations.

Disclosure of patients’ PHI for anything other than treatment, payment, or healthcare operations requires a completed authorization signed by the patient.

Certain exceptions exist for public health monitoring activities (e.g., disease reporting), government oversight, and some law enforcement investigations; however, staff should always consult with the privacy officer to ensure proper release.

Page 10: Disclosure of PHI to BAs

Patient authorizations are not required for BAs that perform certain functions for the CE. Examples of BAs include billing companies, transcription services, IT vendors, and accountants.

A business associate agreement, which sets out the duties required of the BA to protect patients’ PHI, is required before PHI is disclosed to the BA.

Page 11: What is the Minimum Necessary Standard?

Whenever patients’ PHI is used or disclosed, whether to another CE or to a BA, only the information necessary to accomplish the intended purpose should be disclosed.

Example: The practice uses a collection agency that has requested billing information on several patients. The practice sends the billing information, but also includes patients’ diagnostic information. The collection agency does not need the diagnostic information to perform its tasks; thus, the practice has violated the minimum necessary standard.

Page 12: Breach Notification — Examples

NOTE: Staff should immediately notify a supervisor or privacy officer if they suspect or discover a breach has occurred.

Examples of breaches:

• Looking at a neighbor’s medical record out of curiosity

• Mailing billing information to the wrong patient

• Losing an unencrypted thumb drive

• Talking to a family member about a patient

• Providing records to an attorney without authorization

• Lost or stolen computer that contains PHI

Note that the thumb drive and computer examples turn on the device being unencrypted: PHI on a lost or stolen device that was encrypted in line with HHS guidance is not considered unsecured PHI, so its loss does not trigger breach notification. Encrypting portable media and laptops is therefore the single most effective way to keep a lost device from becoming a reportable breach.

Page 13: Civil Monetary Penalties

• Failure to comply with policies and procedures may result in corrective action.

• CEs (including individual employees) and BAs are subject to civil monetary penalties (fines) and criminal penalties.

Page 14: Criminal Penalties

Prohibited conduct and penalty (42 U.S.C. § 1320d-6(b)):

• Knowingly obtaining or disclosing PHI without authorization: up to a $50,000 fine and 1 year in prison

• If done under false pretenses: up to a $100,000 fine and 5 years in prison

• If done with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm: up to a $250,000 fine and 10 years in prison

Page 15: Frequently Asked Questions

Q: Can I call a patient’s name in the waiting room?
A: Yes, as long as the patient does not object.

Q: A patient’s spouse calls to ask about recent test results. Can I provide him/her with this information?
A: You can provide the information only if the patient has listed his/her spouse as a person who may receive their PHI.

Q: Can I fax or mail a copy of a patient’s medical record?
A: Yes, if the patient designates faxing or mailing as the way he/she wants to receive a copy of the record. The patient should sign an authorization to provide a record of the release.

Page 16: Frequently Asked Questions

Q: The patient asks for his/her original record. Can I provide the original?
A: You should never release the original record, which is the property of the healthcare organization. HIPAA stipulates that patients may receive a copy. You can offer to allow the patient to inspect the original record onsite with someone present.

Q: The patient has requested that we do not provide information to his/her insurance company. Can we honor that request?
A: Yes, you are required to comply with the request as long as the patient pays for the services in full out of pocket.

Page 17: Summary

Be familiar with HIPAA policies in your organization and how they specifically affect your job role.

Understand patients’ rights in relation to reviewing, requesting, and releasing PHI.

Understand the rules for the release of PHI to BAs, as well as the concept of the “minimum necessary standard.”

Promptly report any suspected breaches.

Don’t hesitate to ask questions.