PAA - nebula.wsimg.com

Page 1

© 2012 Progressive Surgical Solutions, LLC

HIPAA OVERVIEW

The purpose of this learning module is to provide a platform to understand the law known as HIPAA and its relevance to the ASC.

LEARNING OBJECTIVES

1. Define HIPAA.
2. Differentiate between the Privacy Rule and the Security Rule.
3. List 5 HIPAA requirements for ASCs.
4. Define how HIPAA is enforced.

Page 2

Terms to Know

ADMINISTRATIVE SIMPLIFICATION: Objectives are to improve effectiveness in healthcare delivery by creating standardized electronic data interchange formats and implementing controls to protect an individual’s health information (privacy and security).

ARRA: Federal economic stimulus bill, the “American Recovery and Reinvestment Act of 2009”.

HITECH: Health Information Technology for Economic and Clinical Health Act, a portion of the ARRA of 2009, intended to promote health information technology. The HITECH Act added additional privacy and security safeguards to the original HIPAA legislation.

HHS: Department of Health and Human Services.

EHR: Electronic Health Record, the electronic version of a patient’s medical history, maintained by the health care provider in the course of care services.

MINIMUM NECESSARY DISCLOSURE: The principle that, to the extent practical, individually identifiable health information should only be disclosed to the extent needed to support the purpose of the disclosure.

PHI: Protected Health Information.

ePHI: Electronic version of Protected Health Information.

IIHI: Individually Identifiable Health Information.

Laws to Know

HIPAA: An acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA protects the privacy of individuals’ Protected Health Information (PHI). In April 2003, the privacy regulations issued under HIPAA took effect. These regulations protect the privacy of PHI and apply to medical information, including who can access the records and whether written patient consent is required to release them. In addition, the regulations include security rules for secure transmission of data over the internet or any other electronic means.

The principle of confidentiality protects the patient from disclosure of confidences entrusted to the health care provider during the course of treatment. As confidential information may be documented in the medical record, the physician has an obligation to maintain the security of those records.

Staff should be knowledgeable of the regulations governing the release of medical information and versed in the use of appropriate forms, responses to insurance carriers, attorneys, etc.

PRIVACY RULE: A Federal law that gives patients an array of rights over their health information and sets rules and limits on who can look at and receive health information. The Privacy Rule applies to ALL forms of individuals’ protected health information, whether electronic, written, or oral. At the same time, it is balanced so that it permits the disclosure of PHI needed for patient care and other important purposes.

SECURITY RULE: A Federal law that specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of ELECTRONIC PHI.

Page 3

Who Must Comply With HIPAA?

Entities that must follow the HIPAA regulations are called COVERED ENTITIES.

• Most Health Care Providers, including doctors, hospitals, ASCs, clinics, psychologists, dentists, nursing homes, and pharmacies.

• Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare.

• Health Care Clearinghouses, including entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

• Anyone who maintains protected health information in any form, including paper medical records, electronic medical records, and verbal communications.

• Business Associates, including third-party vendors, who perform certain functions or services on behalf of covered entities and share PHI. Note: Covered entities should always enter into a contract with business associates.

Page 4

HIPAA Requirements

1. The facility ensures strict confidentiality of all patient information.

• Confidentiality extends to patient sign-in lists, computer screen visibility, and patient-related phone conversations.

2. The facility has a compliance program that is consistent with the HIPAA Privacy Rules and which also complies with confidentiality requirements under state law. The program should contain the following:

• Assign a privacy officer; this individual is responsible for privacy within their organization.

• Written policies and procedures to demonstrate compliance with the law that reflect the size and type of facility and that address any risks specific to the facility.

• Commitment of staff to their obligation to protect confidentiality of PHI.

• HIPAA compliance education should be included in the new employee’s orientation program as well as ongoing training on an annual basis. Documentation of training must be kept on site.

• Reasonable safeguards to protect the privacy of PHI, including protection against intentional and unintentional uses or disclosures.

• Monitoring and ongoing evaluation to ensure continued compliance.

• Provision for consistent discipline of employees who fail to comply with policies and procedures required by HIPAA.

• Business Associate agreements and any other confidentiality requirements imposed by state law.

3. There is documentation that patients are given the HIPAA Notice of Privacy Practices. A Policy and Procedure documenting how the Notice is distributed to the patient should be written.

4. The Notice of Privacy Practices must be posted in the office where it is readily visible to the patient. This document informs patients of their rights and provides them with adequate written notice of the PHI use and disclosure policies of the covered entity. An authorization must be signed by patients in order for the covered entity to use or disclose PHI for non-healthcare related uses, such as marketing, clinical research, etc.

5. Medical Records are:

• Accessible only to authorized individuals as defined by the facility in writing

• Stored in a secure area, readily accessible to appropriate health care providers, and inaccessible to the public

• Stored in a secure area in which all reasonable efforts have been made to protect records from fire or other natural disasters

Page 5

HIPAA Requirements cont.

6. EMR Security should include:

• EMR screens are restricted in access by position, and information is limited based on the user’s “need to know”

• Electronic information access should be designated as “read-only” or “read-write”

• Terminals should all have screen protection and automatic log-off

7. Outside contractors unrelated to the delivery of health care, such as cleaning services, should not have access to confidential medical information.

8. There are categories of individuals/entities that may request release of information, including attorneys, Medicare investigators, etc., and there are conditions that require mandatory reporting, i.e. abuse, infectious diseases, etc. There should be labels on the chart to indicate sensitive material or participation in research studies.
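As an added illustration for the EMR security controls in requirement 6 and the contractor restriction in requirement 7 (this is example code written for this page, not part of the original module and not any EMR vendor's code), the Python below models the controls the list names: access restricted by position, information limited to the user's need to know, a read-only versus read-write designation, and automatic log-off after an idle period, with every decision written to an audit trail so that denied attempts are visible to the privacy officer. The position names, patient identifiers, assignment lists and the 5-minute idle window are constructed values for this example; a real facility sets them in its own policy.

```python
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    """Maximum level of EMR screen access a position may hold."""
    NONE = 0        # no clinical screens at all (e.g. an outside cleaning contractor)
    READ_ONLY = 1   # may view but not alter records
    READ_WRITE = 2  # may view and document


# Constructed policy: position -> maximum access.  Positions unrelated to the
# delivery of care are listed explicitly with Access.NONE so a reviewer can see
# the denial is deliberate rather than an omission.
ROLE_POLICY = {
    "surgeon": Access.READ_WRITE,
    "nurse": Access.READ_WRITE,
    "front_desk": Access.READ_ONLY,
    "cleaning_contractor": Access.NONE,
}

# Assumed idle window for automatic log-off (5 minutes); set by facility policy in practice.
IDLE_TIMEOUT_SECONDS = 300


@dataclass
class Session:
    user: str
    role: str
    assigned_patients: frozenset  # "need to know": patients this user is caring for today
    last_activity: float          # clock value supplied by the caller, so the example is deterministic
    logged_out: bool = False


@dataclass
class EmrAccessControl:
    audit_log: list = field(default_factory=list)

    def _record(self, session, patient_id, action, outcome):
        self.audit_log.append(
            f"user={session.user} role={session.role} patient={patient_id} "
            f"action={action} result={outcome}"
        )

    def check(self, session, patient_id, action, now):
        """Return True if `action` ('read' or 'write') on `patient_id` is permitted at time `now`.

        Every path records its outcome so denied attempts appear in the audit log.
        """
        if session.logged_out:
            self._record(session, patient_id, action, "denied:logged_out")
            return False

        # Automatic log-off: a request arriving after the idle window ends the
        # session instead of being served, like a terminal that has already locked.
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            session.logged_out = True
            self._record(session, patient_id, action, "denied:idle_timeout")
            return False
        session.last_activity = now

        # Restriction by position: unknown positions default to no access.
        level = ROLE_POLICY.get(session.role, Access.NONE)
        if level is Access.NONE:
            self._record(session, patient_id, action, "denied:position")
            return False

        # Need to know: even a clinician only sees patients assigned to them.
        if patient_id not in session.assigned_patients:
            self._record(session, patient_id, action, "denied:not_assigned")
            return False

        # Read-only versus read-write designation.
        if action not in ("read", "write"):
            self._record(session, patient_id, action, "denied:unknown_action")
            return False
        if action == "write" and level is not Access.READ_WRITE:
            self._record(session, patient_id, action, "denied:read_only")
            return False
        self._record(session, patient_id, action, "allowed")
        return True


if __name__ == "__main__":
    ac = EmrAccessControl()
    nurse = Session("nurse01", "nurse", frozenset({"PT-100"}), last_activity=0.0)
    ac.check(nurse, "PT-100", "write", now=10.0)   # allowed
    ac.check(nurse, "PT-200", "read", now=12.0)    # denied: not assigned
    cleaner = Session("ctr01", "cleaning_contractor", frozenset(), last_activity=0.0)
    ac.check(cleaner, "PT-100", "read", now=15.0)  # denied: position
    print("\n".join(ac.audit_log))
```

The checks are ordered so that the cheapest and most general denial comes first (is the session still alive?) and the record-level decision last; the audit line names the reason for each denial, which is what a monitoring review (requirement 2) needs in order to tell a locked terminal from an attempt to open an unassigned chart.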

HIPAA Privacy & Security Rules Summary

• The HIPAA Privacy and Security Rules mandate privacy protection of individually identifiable health information (IIHI) when held by a covered entity, except in limited circumstances.

• The standards’ requirements grant patients a right to see, control and receive a copy of their health information.

• All covered entities (CEs) must review the Privacy & Security Rule standards and specifications.

• Always assess current risks, vulnerabilities and gaps.

• Document all processes, procedures and decisions.

Page 6

HIPAA Enforcement

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. OCR’s enforcement activities have obtained significant results that have improved the privacy and security practices of CEs. OCR enforces the Privacy and Security Rules by:

• Investigating complaints filed with it

• Conducting compliance reviews to determine if CEs are in compliance

• Performing education to foster compliance with the Rules’ requirements

OCR also works with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.

Implications of Non-Compliance

• Financial penalties

• Public exposure

• Loss of Accreditation

• Damages for litigation

• Civil and criminal sanctions, including possible imprisonment

HIPAA Compliance is not a one-time implementation project. IT IS AN ON-GOING RESPONSIBILITY, which needs to be part of the ASC culture!!

References

American Medical Association: www.ama-assn.org/ama/pub/category/4234.html

Centers for Medicare and Medicaid Services: www.cms.hhs.gov/HIPAAgeninfo

Code of Federal Regulations: www.cfr

Department of Health and Human Services: www.dhhs.org

Office of Civil Rights of DHHS: www.hhs.gov/ocr/hipaa

Page 7

Log in to eSupport to request a post test.

Other CEU Learning Modules available on:

• OSHA Overview
• Abuse Identification
• Fluoroscopic Imaging in the OR
• Hazard Communication
• Radiation Safety
• Infection Control 1
• Infection Control 2
• Latex Sensitivity
• Steam Sterilization
• TASS and Endophthalmitis
• Workplace Violence
• Disaster Preparedness
• Sterilization Best Practices in the ASC

CONTACT US:

www.pss4asc.com

[email protected]

(855) PSS – 4ASC (855) 777 – 4272