Add to collection(s) Add to saved
  1. No category
Uploaded by Wendi Sharp East Bridge Wellness

HIPAA Powerpoint

advertisement 
HIPAA
Health Insurance Portability and Accountability Act
East Bridge Massage
What is HIPAA?
• Federal Law with Regulations on:
•
•
•
•
Privacy & Security of health information
Notification of breaches of confidentiality
Penalties for violating HIPAA
Establishes basic privacy and security protection of health
information.
• Guarantees individuals the right to access their health
information and learn how it is used and disclosed
• Simplifies payment for health care
•
Overseen by: Department of Health & Human Services (HHS)
and enforced by Office for Civil Rights (OCR)
What does HIPAA consist of?
• Standardized Electronic Data Interchange
transactions and codes for all covered entities.
• Standards for security of data systems.
• Privacy protections for individual health
information.
• Standard national identifiers for health care.
Why was HIPAA created?
• In 2000, many patients that were newly diagnosed with
depression received free samples of anti-depressant
medications in their mail.
• This left patients wondering how the pharmaceutical
companies were notified of their disease.
• After a long and thorough investigation, the Physician,
the Pharmaceutical company and a well-known pharmacy
chain were all indicted on breach of confidentiality
charges.
• This is one of the many reasons the Federal Government
needed to step in and create guidelines to protect patient
privacy.
Important HIPAA definitions
•
•
•
•
•
•
Privacy - state of being concealed; secret
Confidentiality – containing private information (Ex. Medical
Record).
Authorization – to give permission for; to grant power to.
Breach Confidentiality – to break an agreement, to violate a
promise.
Disclosure – means the release, transfer, provision of access to,
or divulging of information outside the entity holding the
information.
Use – means the sharing, employment, application, utilization,
examination, or analysis of individually identifiable information
within an entity.
Important HIPAA terminology
Protected Health Information
• Protected Health Information [PHI] – is information that
is created or received by a covered entity that:
• Relates to the past, present, or future physical or
mental health of an individual.
• Identifies the individual or contains reasonable
information that can be used to identify the
individual(s).
• Examples of Protected Health Information:
• Name, address, telephone, fax, email, social
security number, medical diagnoses, medical
records, account numbers and photographs or
images.
Important HIPAA terminology;
Covered Entities
• Covered Entities [CE] – are the individuals responsible for
implementing HIPAA rules and regulations. Some
examples are:
• Health Plans
• Health Care Clearinghouses
• Health Care Providers who conduct certain
financial and administrative transactions
electronically.
Important HIPAA terminology
Treatment, Payment and HC Operations
• Treatment, Payment and Health Care Operations
[TPO] – are common uses of Protected Health
Information [PHI] for which HIPAA does not require
an authorization.
Important HIPAA Terminology;
Notice of Privacy Practice
• Notice of Privacy Practice [NPP]- a notice given to
patients concerning the use and disclosure of their
Protected Health Information [PHI]
Who Carries out HIPAA rules and regulations?
• Covered Entities are responsible for
implementing HIPAA rules and regulations.
• These are
• Health Plans
• Health Care Clearinghouses
• Health Care providers
What must a covered entity do to be in
compliance with HIPAA?
• Notify patients about their privacy rights and how their
information can be used.
• Adopt and implement privacy procedures.
• Train employees so they understand the privacy
procedures.
• Designate a Privacy Officer.
• Secure patient records containing Protected Health
Information [PHI]. (Only use first name & initial; turn files
and other paperwork over. Don’t talk about patient
conditions etc)
What are a patient’s rights under
HIPAA?
• Right to written Notice of Privacy Practices [NPP] that
informs consumers how Protected Health Information
[PHI] will be used and to whom it is disclosed
• Right of timely access to see and copy records for a
reasonable fee
• Right to an amendment of records
• Right to restrict access and use
• Right to an accounting of disclosures
• Right to revoke authorization
What are the HIPAA rules and
regulations that protect these rights?
• Patient’s rights:
• Patients have a right to confidentiality of all
information that is provided to the healthcare
professional and institution.
• Health care professionals ensure that patient
information is secured at all times and if there are any
complaints, those complaints will be resolved in a
timely manner.
What are the HIPAA rules and
regulations that protect these rights?
Privacy Rule
•
The Privacy Rule:
•
•
•
•
•
Establishes a Federal floor of safeguards to protect the
confidentiality of medical information.
Allows patients to make informed choices when seeking care and
reimbursement for care based on how personal health
information may be used.
This rule is used to protect Protected Health Information [PHI]
This rule took effect on April 14, 2003.
YOU MAY NOT RETALIATE AGAINST OR INTIMIDATE AN
EMPLOYEE WHO FILES A HIPAA COMPLAINT.
What are the HIPAA rules and
regulations that protect these rights?
Request for amendment
• Request for Amendment is a patient’s right to request, in
writing, to have health information or a record about the
patient amended.
• The Covered Entity does not have to agree to the
amendment, however if the CE does agree, the
request to amend will become a part of the patient's
medical record.
What are the HIPAA rules and
regulations that protect these rights?
Request for restrictions
• Request for Restrictions is a patient’s right to request, in
writing, a restriction or limitation on the health
information that a Covered Entity uses or disclosures.
• The Covered Entity is not required to agree to the
restriction.
What are the HIPAA rules and
regulations that protect these rights?
Accounting of disclosures
•
Accounting of Disclosures is the patient’s right to request a list of
people and organizations who have received their Protected Health
Information [PHI].
• Patients must submit a written Request for Accounting of
Disclosures.
• A Covered Entity [CE] must respond to a patient’s request for an
accounting within 60 days of receipt of the request.
• Some Examples of Disclosures are disclosures that are:
• Required by law
• For public health activities
• About victims of abuse, neglect, or domestic violence
• For judicial and administrative proceedings
• For research activities
• For law enforcement activities
• For workers compensation
What are the HIPAA rules and
regulations that protect these rights?
Authorizations
•
An Authorization is a detailed document that gives covered entities
permission to use Protected Health Information [PHI] for specified
purposes.
•
•
•
•
It is required for the use and disclosure of Protected Health
Information [PHI] not otherwise allowed by the Privacy Rule.
Does not apply to Treatment, Payment and Health Care
Operations [TPO].
Does not apply to uses and disclosures required by law.
AN AUTHORIZATION MAY BE REVOKED AT ANY TIME IN WRITING.
What are the requirements of an
Authorization?
• An Authorization must include:
• The Protected Health Information [PHI] to be used
and disclosed;
• The person authorized to make the use or disclosure;
• The person to whom the Covered Entity may make
the disclosure;
• An expiration date; and
• The purpose for which the information may be used or
disclosed.
What are the HIPAA rules and
regulations that protect these rights?
Minimum necessary standard
•
•
HIPAA requires Covered Entities to take reasonable steps to disclose
only the information that is necessary for the purpose for which the
disclosure is to be made [the minimum necessary amount of
information needed to perform the job].
The Minimum Necessary DOES NOT APPLY TO:
•
•
•
•
Treatment
Disclosures to the individual who is the subject of the
Protected Health Information [PHI]
Uses or disclosures made pursuant to an individual’s
authorization
Uses or disclosures that are required by law.
What are the HIPAA rules and
regulations that protect these rights?
Research activities
• NO ONE is permitted to use Protected Health
Information for research without complying with the new
HIPAA requirements.
• These HIPAA requirements are entirely separate from the
existing federal human subject research regulations.
• The Privacy Policies and Procedures do not replace or
override other rules or procedures established by the
Institutional Review Board [IRB], both must be
complied with in order to conduct human research.
Don’ts
How do I protect my patient’s privacy?
Do’s and don'ts
Do:
• Tell anyone what you
overhear about a
patient.
• Close doors in
patient’s rooms when
discussing treatments.
• Log off the computer
when you are finished.
• Dispose of patient
information by
shredding or storing it
in a locked container
for destruction.
• Clear patient
information off of
your desk when your
leave your desk.
• Discuss a patient in
public areas, such as
front lobby, hallways or
breakrooms.
• Look at information
about a patient unless
you need it to do your
job.
Do’s
Don’t:
Computer Use
•Keep your password a
secret
Sending
•Do not log in using
someone else’s
password
•Use cover sheets for faxes
•Log off of the
computer when you are
finished using it.
•Turn the computer
screen away from
public view
•Do not remove
equipment, disks, or
software without
permission.
•Call the intended recipient before
sending the fax
•DO NOT SEND
[HIV results, Mental Abuse, Narcotic
Prescriptions, Alcohol/Substance/Child
Abuse
Receiving
•Tell the person faxing information to
alert you when he/she is about to send
the fax
•Take faxes off the machine immediately
•Do not let faxed patient information lie
around unattended
Safe Fax Use
Safe computer Use
How do I protect my patient’s privacy?
Safe Computer and fax use
How do I protect my patient’s privacy?
Safeguards
• Physical Safeguards
• Computer terminals are private. Patient files turned
•
•
over. Do not use patient full name when discussing.
Technical Safeguards
• Password protect phones and computers.
Administrative Safeguards
• Policy and procedure for release of patient
information.
Who else is responsible for
protecting patient privacy?
Business associates
• Business Associate
• A person or entity that performs a function or activity
on behalf of a Covered Entity [CE] that requires the
creation, use or disclosure of Protected Health
Information [PHI] but who is not considered part of
the Covered Entities' workforce. They must have a
written contract or agreement that assures they will
appropriately safeguard Protected Health Information
[PHI] they create or receive.
Examples of Business Associates
A health care
clearinghouse
that translates a
claim from a nonstandard format
into a standard
transaction on
behalf of a health
care provider and
forwards the
processed
transaction to a
payer.
A CPA firm
An
whose
A third-party independent
accounting
administrator
medical
who assists a transcriptioni services to a
health care
health plan
st who
provider
with claims
provides
involve access
processing. transcription to protected
services to a
health
physician.
information.
A pharmacy
benefits
manager who
manages a
health plan’s
pharmacist
network.
What are some ways HIPAA can be
violated?
Incidental disclosure
• A secondary use or disclosure that cannot
reasonably be prevented, is limited in nature, and
occurs as a by-product of an otherwise permitted
use or disclosure.
• Examples of Incidental Disclosure
• A hospital visitor may overhear a provider’s
•
confidential conversation with another provider or a
patient
A hospital visitor may glimpse a patient’s information
on a sign-in sheet or nursing station whiteboard
What are some ways HIPAA can be violated?
Breach
• A breach is, generally, an impermissible use or disclosure under the Privacy
Rule that compromises the security or privacy of the protected health
information.
What is done after patient privacy has
been compromised?
HITECH act
• What is the HITECH act?
•
As a result of the American Recovery and Reinvestment Act
of 2009, legislation passed the Health Information
Technology for Economic and Clinical Health Care Act which
places additional privacy and security requirements.
• This requires any entity that handles Protected Health
Information [PHI] to report breaches, whether in paper or
electronic form within timeframe that HITECH requires.
• HITECH applies to all business entities associated with
healthcare organizations such as banks, claims, clearing
houses, billing firms, health information exchanges and
software companies.
What are the breach notification
requirements?
• Notification is required to the affected individuals, the
government and in certain cases the media [if the breach
involves more than 500 people] in the event of a breach of
“Unsecured Protected Health Information”.
• These breach requirements are applicable to both
Covered Entities [CE] and their Business Associates.
• If the Covered Entities Business Associate has a breach,
they must report it within 60 days.
•
The snail mail requirement states that the healthcare
organization must send out a first-class letter to any patients
that might have been affected by the breach. [Electronic mail is
allowed given the patient agreed to receive electronic notices]
What are the consequences of not
complying with Hi-Tech?
• There are serious penalties for non-compliance, ranging
from fines of $100 to $50,000 per violation, capped at
$25,000 to $1.5 million per violation of the same standard.
• Criminal penalties of 1 to 10 years in jail for gross
negligence.
• HITECH also created new methods for enforcement,
allowing state attorney generals to enforce HIPAA
regulations.
What are the consequences of not
complying with HIPAA?
Penalties for privacy violations
• Civil Penalties under HIPAA:
•
Maximum fine of $25,000 per violation.
• Criminal Penalties under HIPAA:
•
Maximum of 10 years in jail and/or a $250,000 fine for serious
offenses.
• Organization Actions:
•
Employee disciplinary actions including suspension or
termination for violations of the organizations policies and
procedures.
Who enforces medical privacy
regulations?
• Office for Civil Rights
•
•
A patient may complain to the Privacy Officer
The Director of Health and Human Services [HHS]
Thank you for viewing.
Wendi Sharp, Clinic Manager
East Bridge Massage
Related documents
Lecture 10 (IM). Slides
Lecture 10 (IM). Slides
Understanding HIPAA Compliance
Understanding HIPAA Compliance
This is to certify that I, ______________________________________ (name of
This is to certify that I, ______________________________________ (name of
Download
advertisement