HIPAA Privacy Keys to Success
description
Transcript of HIPAA Privacy Keys to Success
HIPAA PrivacyHIPAA PrivacyKeys to SuccessKeys to Success
Education for Nursing and all other Clinical Students
Effective January 2010
HIPAA Job Specific Education 1
HIPAA and Its PurposeHIPAA and Its Purpose
What is HIPAA? Health Insurance
Portability and Accountability Act of 1996
Title II – Administrative Simplification
It’s a federal law HIPAA is mandatory,
penalties for failure to comply
Purpose: Protect health
insurance coverage, improve access to healthcare
Reduce fraud and abuse
Improve quality of healthcare in general
Reduce healthcare administrative costs (electronic transactions)
HIPAA Job Specific Education 2
HITECH and Its PurposeHITECH and Its Purpose
What is HITECH? Health Information
Technology for Economic and Clinical Health Act
Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
It’s a federal law
Purpose: Makes massive changes
to privacy and security laws
Applies to covered entities and business associates
Creates a nationwide electronic health record
Increases penalties for privacy and security violations
HIPAA Job Specific Education 3
Key HITECH ChangesKey HITECH Changes
◦ Breach Notification requirements
◦ AOD for treatment, payment, and healthcare operations in electronic health record (EHR) environment
◦ Business Associate Agreements
◦ Restrictions◦ Right to access
◦ Criminal provisions◦ Penalties◦ OCR Privacy Audits◦ Copy charges for
providing copies from EHR
◦ HIPAA preemption applies to new provisions
◦ Private cause of action◦ Sharing of civil
monetary penalties with harmed individuals
HIPAA Job Specific Education 4
Civil Penalties for Non-compliance*Civil Penalties for Non-compliance*
HIPAA Job Specific Education 5
Violation Category Each Violation All such violations of an identical provision in a calendar year
Did Not Know $100 - $50,000 $1,500,000
Reasonable Cause $1,000 – $50,000 $1,500,000
Willful Neglect – Corrected $10,000 - $50,000 $1,500,000
Willful Neglect – Not Corrected
$50,000 $1,500,000
*As of 2/17/10
Criminal Penalties for Criminal Penalties for Non-complianceNon-compliance
For health plans, providers, clearinghouses and business associates that knowingly and improperly disclose information or obtain information under false pretenses. These penalties can apply to any “person”.
Penalties higher for actions designed to generate monetary gain up to $50,000 and one year in prison for obtaining or disclosing
protected health information
up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"
up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
HIPAA Job Specific Education 6
Facility Privacy Official (FPO)Facility Privacy Official (FPO)
Your FPO is: Susan Armstrong, HIM Director
Responsible for:◦Implementation of Privacy and Information
Security Program ◦Privacy Rights of patients◦Requests for Privacy Restrictions◦Facilitating the training and education of
workforce members
HIPAA Job Specific Education 7
HIPAA TerminologyHIPAA Terminology
HITECH: Health Information Technology for Economic and Clinical Health Act
HIPAA: Health Insurance Portability and Accountability Act
PHI: Protected Health InformationCE: Covered Entity (Hospital)OHCA: Organized Health Care Arrangement (The
hospital and medical staff will be considered an Organized Health Care Arrangement)
DRS: Designated Record Set (medical record and billing record)
Directory: Hospital census list used by volunteers and operators with name and room
TPO: Treatment, Payment and Healthcare Operations
HIPAA Job Specific Education 8
What is Protected by HIPAA What is Protected by HIPAA (PHI)?(PHI)?
NameAddress including street, city,
county, zip code and equivalent geocodes
Names of relativesName of employersBirth dateTelephone numbersFax NumbersElectronic e-mail addressesSocial Security NumberMedical record number
Health plan beneficiary number
Account numberCertificate/license numberAny vehicle or other device
serial numberWeb Universal Resource
Locator (URL)Internet Protocol (IP) address
numberFinger or voice printsPhotographic imagesAny other unique identifying
number, characteristic, code
HIPAA Job Specific Education 9
How will HIPAA affect you?How will HIPAA affect you? Coversheets with confidential statement need to be used
on all external faxes. Patient charts will need to be placed in secure area PHI will need to be placed in Cintas Shred containers for
disposal Unless specifically authorized by the patient, patient
family members should only be told the basic condition and location
Patient information should only be accessed if there is a need to know
Never discuss patient care in front of visitors– politely ask the visitors to step out for a moment – if the patient states they can stay be sure to document this in the chart.
HIPAA Job Specific Education 10
How will HIPAA affect you?How will HIPAA affect you?Do not write down any names or identifiable
patient information in your student notes – if in doubt check with your instructor
Patient charts need to be placed in secure areasPHI will need to be placed in Cintas Shred
containers for disposal – NOT IN TRASH CANSPatient information should only be accessed if
there is a need to knowPatients have a right to a copy of their medical
record but they must go to medical records and sign a release and only after the chart is completed after discharge
HIPAA Job Specific Education 11
Patient Privacy ComplaintsPatient Privacy Complaints
FPO must maintain complaint log in accordance with the complaint process
ALL privacy complaints must be routed to the FPO
Responses cannot be accompanied by retaliatory actions by the hospital
Disposition of complaint must be consistent with the facility’s Sanctions for Privacy Violations
HIPAA Job Specific Education 12
Notice of Privacy PracticesNotice of Privacy Practices Patient will receive a Notice upon each registration The Notice outlines patient’s privacy rights as:
◦ Right to access your PHI◦ Right to amend (append or add to) your PHI – if you
disagree with the information◦ Confidential Communication-alternative means or to
an alternative location◦ Right to Privacy Restriction-use or disclosures of your
PHI◦ Right to Opt out of Directory-no disclosure of patient’s
name, location, condition of patient, or religious affiliation
◦ Right to an accounting for disclosures – where your information went without your authorization
HIPAA Job Specific Education 13
Breach NotificationBreach NotificationHITECH provisions require the following
notifications when breaches (as defined in the regulations) occur:◦To the patient◦To the Department of Health and Human
Services◦To the media when the breach involves more
than 500 individuals in the same state or jurisdiction
HIPAA Job Specific Education 14
Ensuring Security Ensuring Security ComplianceCompliance
Ensure users log off computer systems and medical devices when not in use.
PC’s should have screen savers whenever possible.
Computer screens should be positioned so information (PHI) is not readable by the public or other unauthorized viewers
Printers should be positioned in protected locations so that printed information is not accessible or viewable by an unauthorized person.
PHI must be properly disposed.
HIPAA Job Specific Education 15
Common ExposuresCommon Exposures
Discussions of patient information in public places such as hallways and cafeterias
Printed or electronic information left in public view (e.g., charts left on counters)
Discussing patient information on social networking sites (e.g., Facebook, Twitter)
PHI in regular trashRecords that are accessed without need to know
in order to perform job dutiesUnauthorized individuals hearing patient
sensitive information such as diagnosis or treatment
HIPAA Job Specific Education 16