Hipaa in the usa what part do you understand

HIPAAHealth Insurance Portability and

Accountability Act

WHAT IS HIPAA?

•Health•Insurance•Portability and•Accountability•Act

WHAT DOES HIPAA CONSIST OF?

• 1. Standardized Electronic Data Interchange transactions and codes for all covered entities.• 2.Standards for security of data

systems.• 3.Privacy protections for individual

health information.• 4.Standard national identifiers for

health care.

IMPORTANT HIPAA DEFINITIONS

• Privacy - state of being concealed; secret• Confidentiality – containing private information (Ex.

Medical Record).• Authorization – to give permission for; to grant

power to.• Breach Confidentiality – to break an agreement, to

violate a promise. • Disclosure – means the release, transfer, provision

of access to, or divulging of information outside the entity holding the information.

• Use – means the sharing, employment, application, utilization, examination, or analysis of individually identifiable information within an entity.

THE LOSS AND RULES

IMPORTANT HIPAA TERMINOLOGY; PROTECTED HEALTH INFORMATION

• Protected Health Information [PHI] – is information that is created or received by a covered entity that:• Relates to the past, present, or future physical or

mental health of an individual.• Identifies the individual or contains reasonable

information that can be used to identify the individual(s).• Examples of Protected Health Information:• Name, address, telephone, fax, email, social

security number, medical diagnoses, medical records, account numbers and photographs or images.

IMPORTANT HIPAA TERMINOLOGY;COVERED ENTITIES

• Covered Entities [CE] – are the individuals responsible for implementing HIPAA rules and regulations. Some examples are:• Health Plans• Health Care Clearinghouses• Health Care Providers who conduct certain

financial and administrative transactions electronically.

IMPORTANT HIPAA TERMINOLOGY;TREATMENT, PAYMENT AND HEALTH CARE

OPERATIONS

• Treatment, Payment and Health Care Operations [TPO] – are common uses of Protected Health Information [PHI] for which HIPAA does not require an authorization.

IMPORTANT HIPAA TERMINOLOGY;NOTICE OF PRIVACY PRACTICE

• Notice of Privacy Practice [NPP]- a notice given to patients concerning the use and disclosure of their Protected Health Information [PHI]

WHO CARRIES OUT HIPAA RULES AND REGULATIONS?

• Covered Entities are responsible for implementing HIPAA rules and regulations.• These are• Health Plans• Health Care Clearinghouses• Health Care providers

WHAT MUST A COVERED ENTITY DO TO BE IN COMPLIANCE WITH HIPAA?

• Notify patients about their privacy rights and how their information can be used.• Adopt and implement privacy procedures.• Train employees so they understand the

privacy procedures.• Designate a Privacy Officer.• Secure patient records containing Protected

Health Information [PHI].

WHAT ARE A PATIENT’S RIGHTS UNDER HIPAA?

• Right to written Notice of Privacy Practices [NPP] that informs consumers how Protected Health Information [PHI] will be used and to whom it is disclosed• Right of timely access to see and copy records

for a reasonable fee• Right to an amendment of records• Right to restrict access and use• Right to an accounting of disclosures• Right to revoke authorization

WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE

RIGHTS?PRIVACY RULE

• The Privacy Rule:• Establishes a Federal floor of safeguards to protect the

confidentiality of medical information.• Allows patients to make informed choices when

seeking care and reimbursement for care based on how personal health information may be used.

• This rule is used to protect Protected Health Information [PHI]

• This rule took effect on April 14, 2003. • YOU MAY NOT RETALIATE AGAINST OR INTIMIDATE AN

EMPLOYEE WHO FILES A HIPAA COMPLAINT.


RIGHTS?REQUEST FOR AMENDMENT

• Request for Amendment is a patient’s right to request, in writing, to have health information or a record about the patient amended.• The Covered Entity does not have to agree

to the amendment, however if the CE does agree, the request to amend will become a part of the patients medical record.


RIGHTS?REQUEST FOR RESTRICTIONS

• Request for Restrictions is a patient’s right to request, in writing, a restriction or limitation on the health information that a Covered Entity uses or disclosures.• The Covered Entity is not required to agree

to the restriction.


RIGHTS?ACCOUNTING OF DISCLOSURES

• Accounting of Disclosures is the patient’s right to request a list of people and organizations who have received their Protected Health Information [PHI].• Patients must submit a written Request for Accounting of

Disclosures.• A Covered Entity [CE] must respond to a the patient’s request

for an accounting within 60 days of receipt of the request.

• Some Examples of Disclosures are disclosures that are:• Required by law • For public health activities• About victims of abuse, neglect, or domestic violence• For judicial and administrative proceedings• For research activities• For law enforcement activities• For workers compensation


RIGHTS?AUTHORIZATIONS

• An Authorization is a detailed document that gives covered entities permission to use Protected Health Information [PHI] for specified purposes.• It is required for the use and disclosure of Protected

Health Information [PHI] not otherwise allowed by the Privacy Rule.

• Does not apply to Treatment, Payment and Health Care Operations [TPO].

• Does not apply to uses and disclosures required by law.

• AN AUTHORIZATION MAY BE REVOKED AT ANY TIME IN WRITING.

WHAT ARE THE REQUIREMENTS OF AN AUTHORIZATION?

• An Authorization must include:• The Protected Health Information [PHI] to be

used and disclosed;• The person authorized to make the use or

disclosure;• The person to whom the Covered Entity may

make the disclosure;• An expiration date; and• The purpose for which the information may

be used or disclosed.


RIGHTS?MINIMUM NECESSARY STANDARD

• HIPAA requires Covered Entities to take reasonable steps to disclose only the information that is necessary for the purpose for which the disclosure is to be made [the minimum necessary amount of information needed to perform the job].

• The Minimum Necessary DOES NOT APPLY TO:• Treatment• Disclosures to the individual who is the subject of the

Protected Health Information [PHI]• Uses or disclosures made pursuant to an individual’s

authorization• Uses or disclosures that are required by law.


RIGHTS?RESEARCH ACTIVITIES

• NO ONE is permitted to use Protected Health Information for research without complying with the new HIPAA requirements.

• These HIPAA requirements are entirely separate from the existing federal human subject research regulations. • The Privacy Policies and Procedures do not

replace or override other rules or procedures established by the Institutional Review Board [IRB], both must be complied with in order to conduct human research.

HOW DO I PROTECT MY PATIENT’S PRIVACY?DO’S AND DON'TS

HOW DO I PROTECT MY PATIENT’S PRIVACY?SAFE COMPUTER AND FAX USE

HOW DO I PROTECT MY PATIENT’S PRIVACY?SAFEGUARDS

• Physical Safeguards• Computer terminals are not placed in public areas.

• Technical Safeguards• Every associate must keep his/her password

confidential.• No photographs or recordings of any type are to be

taken of patients in the clinical setting.• No cameras, tablets, cell phones or any electronic

devices with photography capabilities are permitted in the clinical environment

• Administrative Safeguards• Policy and procedure for release of patient

information.

WHO ELSE IS RESPONSIBLE FOR PROTECTING PATIENT PRIVACY?

BUSINESS ASSOCIATES

• Business Associate• A person or entity that performs a function or

activity on behalf of a Covered Entity [CE] that requires the creation, use or disclosure of Protected Health Information [PHI] but who is not considered part of the Covered Entities' workforce. They must have a written contract or agreement that assures they will appropriately safeguard Protected Health Information [PHI] they create or receive.

HOW DO I PROTECT MY PATIENT’S PRIVACY?BUSINESS ASSOCIATES PT.11

• Examples of Business Associates• A third party administrator who assists a health plan

with claims processing.• A CPA firm whose accounting services to a health care

provider involve access to protected health information.• A health care clearinghouse that translates a claim from

a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

• An independent medical transcriptionist who provides transcription services to a physician.

• A pharmacy benefits manager who manages a health plan’s pharmacist network.

WHAT ARE SOME WAYS HIPAA CAN BE VIOLATED?

INCIDENTAL DISCLOSURE

• A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure. • Examples of Incidental Disclosure• A hospital visitor may overhear a provider’s

confidential conversation with another provider or a patient

• A hospital visitor may glimpse a patient’s information on a sign-in sheet or nursing station whiteboard

WHAT ARE SOME WAYS HIPAA CAN BE VIOLATED?

BREACH

• A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

WHAT IS DONE AFTER PATIENT PRIVACY HAS BEEN COMPROMISED?

HITECH ACT

• What is the HITECH act?• As a result of the American Recovery and

Reinvestment Act of 2009, legislation passed the Health Information Technology for Economic and Clinical Health Care Act which places additional privacy and security requirements.• This requires any entity that handles Protected

Health Information [PHI] to report breaches, whether in paper or electronic form within timeframe that HITECH requires.

• HITECH applies to all business entities associated with healthcare organizations such as banks, claims, clearing houses, billing firms, health information exchanges and software companies.

WHAT ARE THE BREACH NOTIFICATION REQUIREMENTS?

• Notification is required to the affected individuals, the government and in certain cases the media [if the breach involves more than 500 people] in the event of a breach of “Unsecured Protected Health Information”.• These breach requirements are applicable to both

Covered Entities [CE] and their Business Associates.• If the Covered Entities Business Associate has a

breach, they must report it within 60 days.• The snail mail requirement states that the healthcare

organization must send out a first class letter to any patients that might have been affected by the breach. [Electronic mail is allowed given the patient agreed to receive electronic notices]

WHAT ARE THE CONSEQUENCES OF NOT COMPLYING WITH HITECH?

• There are serious penalties for non-compliance, ranging from fines of $100 to $50,000 per violation, capped at $25,000 to $1.5 million per violation of the same standard.• Criminal penalties of 1 to 10 years in jail for

gross negligence.• HITECH also created new methods for

enforcement, allowing state attorney generals to enforce HIPAA regulations.

WHAT ARE THE CONSEQUENCES OF NOT COMPLYING WITH HIPAA?

PENALTIES FOR PRIVACY VIOLATIONS

• Civil Penalties under HIPAA:• Maximum fine of $25,000 per violation.

• Criminal Penalties under HIPAA:• Maximum of 10 years in jail and/or a $250,000 fine

for serious offenses.• Organization Actions:

• Employee disciplinary actions including suspension or termination for violations of the organizations policies and procedures.

WHO ENFORCES MEDICAL PRIVACY REGULATIONS?

• Office for Civil Rights• A patient may complain to the Privacy Officer in a

hospital or;• The Director of Health and Human Services [HHS]

ARE THERE OTHER LAWS THAT PROTECT PATIENT PRIVACY?

STATE LAW VS. HIPAA

• If there is a conflict or inconsistency between an applicable state law and the HIPAA Privacy Rule, follow the law that provides the patient:• Greater privacy rights,• Greater access to information, or• Greater privacy protections.

Hipaa in the usa what part do you understand

Law

Transcript of Hipaa in the usa what part do you understand