FCSRMC HIPAA Training - Florida College System Risk

Presented by Carol Crews, CMPE



Health Insurance Portability and Accountability Act (HIPAA) of 1996

Congress called for the Department of Health & Human Services to develop standards and requirements for the electronic transmission of health information.

Title II - Administrative Simplification provision - provides legislation around privacy, security and electronic data.

In a constantly changing environment, FCSRMC is committed to educating employees about healthcare information concerning HIPAA.

• Standardization of Electronic Transactions & Code Sets
• Privacy
• Security
• National Provider Identifiers
• Electronic Signatures
• Electronic Medical Records
• A covered entity includes a health plan or payor (including government payors), a healthcare clearinghouse such as a billing service, or a healthcare provider such as a physician, hospital, or pharmacy. (Does not include Life, Worker's Comp, Disability or Property and Casualty plans.)
• All healthcare providers who transmit any healthcare information in electronic form, which includes telephones, fax machines and computers, are considered covered entities.
• FCSRMC, acting as the covered entity, and its member colleges, acting as the plan sponsor, have undertaken fiduciary duties to the plan. A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA. This may include hospital and medical benefit plans, dental plans, vision plans, health flexible spending accounts and employee assistance plans.



• Covered Entities (CEs) must have contracts with any third party or business associate who may have access to PHI while carrying out certain functions or activities on behalf of the college or covered entity. Business Associates include vendors, contractors and subcontractors for CEs.
• Business Associates are accountable for protecting the privacy/security of PHI and are directly liable for criminal and civil penalties for violations.
• Business Associates must notify the CE if they discover a data breach, and the notice must include the ID of each subject and any other information that the CE is required to include in the notice of a breach.
• Anything that connects a patient or employee/individual to his or her information
• Medical records and health data containing individually identifiable health information
• Names, identification numbers (social security number, address, phone number), medical records, physician's personal notes, and billing information
Any health information that is collected from the patient/individual, or created or received by a Covered Entity, that could potentially identify an individual, such as:
• the past, present or future physical or mental health or condition of an individual
• the provision of healthcare
• the past, present or future payment for the provision of healthcare by your college
• Names
• Geographic subdivisions smaller than a state (city, street address, county, precinct, zip code)
• All elements of dates (birth date, admission date, discharge
date, date of death). Exception - years
• Telephone & fax numbers
• E-Mail address
• Social Security Numbers
• Medical records numbers
• Health plan beneficiary numbers
• Account Numbers
• Certificate/license numbers
Other Examples:
• Vehicle identifiers and serial numbers, (including license
plate numbers)
• Device identifiers and serial numbers
• URLs (Uniform Resource Locators)
• IP Address numbers
• Biometric identifiers, including voice and fingerprints
• Full face photographic images
• Any other unique identifying number, characteristic, or
code
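The identifier categories on the two lists above are what a data-loss-prevention or de-identification check has to look for before a record leaves the plan. The following Python scanner is an added example and is not part of the FCSRMC training materials: it uses a few constructed regular expressions for the pattern-shaped identifiers (SSN, phone/fax, e-mail, full dates, zip codes, IP addresses, URLs, medical record numbers) plus a caller-supplied list of known names, because names and street addresses cannot be recognised by pattern alone. The sample note, the patterns and the "MRN: <digits>" format are all assumptions of this example.

```python
import re

# Regular expressions for the pattern-shaped identifier categories from the
# lists above. These patterns are constructed for this example and are not
# exhaustive; a production DLP scanner would use vetted patterns plus
# roster and address lookups.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Full dates (month/day/year or ISO). A bare year is allowed by the exception.
    "full_date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Stop before trailing sentence punctuation so the URL itself is captured.
    "url": re.compile(r"\bhttps?://\S+?(?=[.,;:!?)]*(?:\s|$))"),
    # Medical record numbers written as "MRN: <digits>"; the format is an assumption.
    "mrn": re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.IGNORECASE),
}

# Constructed sample text; every value in it is fictitious.
SAMPLE_NOTE = (
    "Patient Jane Doe (MRN: 00483921), SSN 123-45-6789, born 04/12/1962, "
    "lives at 742 Evergreen Terrace, Springfield, FL 32301. "
    "Contact: (850) 555-0142, jane.doe@example.com. "
    "Portal login from 203.0.113.57, see https://portal.example.org/visit/8812."
)


def scan(text, known_names=()):
    """Return {identifier_category: [matched strings]} for every category found.

    known_names is a caller-supplied list (for example the member roster),
    because names cannot be recognised by pattern alone.
    """
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    names = [name for name in known_names if name.lower() in text.lower()]
    if names:
        found["name"] = names
    return found


def redact(text, known_names=()):
    """Replace each detected identifier with its category tag, e.g. [SSN]."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    for name in known_names:
        text = re.sub(re.escape(name), "[NAME]", text, flags=re.IGNORECASE)
    return text


def is_safe_harbor_clean(text, known_names=()):
    """True when none of the scanned identifier categories remain in the text."""
    return not scan(text, known_names)


if __name__ == "__main__":
    for category, values in scan(SAMPLE_NOTE, ["Jane Doe"]).items():
        print(f"{category:>13}: {values}")
    print(redact(SAMPLE_NOTE, ["Jane Doe"]))
```

A year on its own passes, matching the exception on the list. Anything the scanner flags is a reason to stop and check the consent or authorization before sending; the `redact` output is a starting point for a de-identified copy, not proof that every one of the identifier categories is gone, since addresses, vehicle and device serial numbers, photographs and biometrics are outside what these patterns can catch.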
HIPAA's Privacy Rule covers the use and disclosure of PHI for:
• Individually Identifiable Health Information (IIHI) held or disclosed by a health plan regardless of how it is communicated (electronically, verbally, or written)
• Information shared, examined, applied or analyzed by a covered entity that receives or maintains it
• Information that is disclosed when released, transferred, allowed to be accessed or divulged outside the entity
• Patient or employee/individual rights over health information
HIPAA's Privacy Rule is everyone's business - from the CEO to the maintenance staff. It protects our fundamental right to privacy and the confidentiality of our medical information.
Basically, the HIPAA Privacy Rule:
• Imposes restrictions on the use and disclosure of personal health information
• Creates new rights for individuals concerning their health information
Covered entities cannot share PHI without the individual's awareness of their privacy rights.

To use and disclose PHI for purposes other than treatment, payment and health operation purposes, Covered Entities must obtain a standard consent or authorization, with a few exceptions.

Consent can be revoked by an employee/individual (patient) in writing.

It is the policy of FCSRMC and its member colleges that individuals have a right to request that no disclosure be made of PHI. FCSRMC or its member colleges are not obligated to grant the request.
A summary of the Privacy Notice that is brief and written in plain language will be provided to the employee/individual. It will outline:
• How PHI will be used and disclosed
• The patient/employee's privacy rights, date, and patient or patient representative's signature
• Refer patient to review the organization's Notice of Privacy Practices
This should be provided by the Group's Health Plan TPA to the Group Health Plan participants.
Authorization:
• Can be requested for specific purposes
• For use/disclosure of PHI outside the health care facility for the continuum of care
• Generally, for reasons other than treatment, payment and health operation purposes
• Only covers use/disclosure outlined in the form
• Must have an expiration date
Authorization forms must contain:
• Description of PHI to be used/disclosed
• Name of Covered Entity authorized to use/disclose
• The party to whom PHI will be released
• Date, signature and expiration date
The individual who is the subject of the information:
• has authorized the use or disclosure
• has received the Notice of Privacy Practices developed and distributed by your third party administrator (TPA), thus allowing the use or disclosure, and the use or disclosure is for treatment, payment or health care operations
• agrees with the disclosure via the authorization form or a signed copy of this Privacy Policy, and the disclosure is to persons involved in the processing or assistance of health care claims
• is provided the disclosure for compliance-related purposes



• The use or disclosure is for one of the HIPAA “public purposes” (i.e. required by law, etc.)
• The information is disclosed for the purposes of a judicial or administrative proceeding only when accompanied by appropriate documentation and directed to the TPA.
• Patient Health Information will never be utilized to make employment decisions (hiring, termination, promotion)
The Privacy Rule gives employees/individuals the right to:
• Review the Notice of Privacy Practices
• Review past access and request amendments
• Limit access to PHI - Access is limited to people who need it for their specific job function and only the minimum necessary to accomplish the assigned job function
The following requests should be directed to and processed by the Group's Health Plan TPA:
• Request a review and/or amendment of the health record
• Restrict disclosures
• Have access to his/her own PHI
• Receive a PHI disclosure for disclosures that have occurred outside the TPO relationships


• File a written complaint if privacy is violated.
◦ Complaints should be directed to the college's privacy contact, and any intimidating or retaliatory acts are prohibited.
• Know that their PHI is safeguarded to protect PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.
◦ Physical protection of premises and PHI
◦ Technical protection of PHI maintained electronically
◦ Administrative protection
The U.S. Department of Health and Human Services' Office of Civil Rights (OCR) has been assigned the authority to enforce the Privacy Rule. The OCR has several responsibilities:
• Investigating complaints it receives from individuals who believe that a Covered Entity is not complying with HIPAA privacy requirements
• Providing Covered Entities with assistance in order to achieve compliance
• Making determinations regarding exceptions to state law preemption.
Any person or organization can file a complaint with OCR, but complaints typically must be filed within 180 days of the occurrence of an action in violation of the Privacy Rule.
Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.
The Security Rule:
• Focuses on requirements for safeguarding PHI in the electronic form through policies, procedures and technology in order to preserve confidentiality, integrity and availability of electronic PHI.
• Mandates that PHI is concealed from people who do not have the right to see the information.
• Mandates integrity of data by ensuring information has not been improperly changed or deleted.




• Establish an “accounting” procedure to track uses and releases of PHI
• Limit access to only those employees that require it (“Minimum necessary”)
• “Minimum necessary” use must identify persons or classes of persons who need access to PHI to carry out their duties
• “Minimum necessary” use must identify the categories of PHI for each person or class of persons (job descriptions are one of the most common places to do this)
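One way to make the two “minimum necessary” requirements and the accounting procedure concrete in code. The following Python example is added here and is not FCSRMC's system: the roles, the PHI categories and the member record are constructed assumptions. It keeps a per-role mapping of PHI categories (the job-description step), checks every request against that mapping, and writes every use or release, allowed or denied, to an append-only log, so that both an individual's request for an accounting of disclosures and the security incident reporting process can be answered from the same record.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Minimum-necessary mapping: which categories of PHI each class of persons
# needs to carry out its duties. The role names and categories are
# constructed for this example, not FCSRMC's actual policy.
MINIMUM_NECESSARY = {
    "benefits_coordinator": {"enrollment", "eligibility"},
    "claims_processor": {"enrollment", "claims", "billing"},
    "privacy_officer": {"enrollment", "eligibility", "claims", "billing", "medical"},
    "payroll_clerk": set(),  # this job function needs no PHI at all
}

# Constructed sample PHI store keyed by member id, then by category.
RECORDS = {
    "M-1001": {
        "enrollment": {"plan": "PPO", "effective": "2023"},
        "claims": [{"claim_id": "C-77", "amount": 420.00}],
        "medical": {"diagnosis": "constructed sample value"},
    },
}


class AccessDenied(PermissionError):
    """Raised when a role asks for a PHI category outside its minimum-necessary set."""


@dataclass
class DisclosureLog:
    """Append-only accounting of every use or release of PHI, allowed or not."""
    entries: list = field(default_factory=list)

    def record(self, who, role, member_id, category, purpose, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "who": who, "role": role, "member_id": member_id,
            "category": category, "purpose": purpose, "allowed": allowed,
        })

    def accounting_for(self, member_id):
        """What an individual receives when they ask for an accounting of disclosures."""
        return [e for e in self.entries if e["member_id"] == member_id and e["allowed"]]

    def denied_attempts(self):
        """Requests outside a role's need-to-know: input for incident reporting."""
        return [e for e in self.entries if not e["allowed"]]


def access_phi(log, who, role, member_id, category, purpose):
    """Release one category of one member's PHI only if the role's job function needs it.

    Every request is logged before the decision is enforced, so denied
    attempts leave a trace as well as successful releases.
    """
    allowed = category in MINIMUM_NECESSARY.get(role, set())
    log.record(who, role, member_id, category, purpose, allowed)
    if not allowed:
        raise AccessDenied(f"{role} may not access {category} PHI")
    return RECORDS[member_id][category]


if __name__ == "__main__":
    log = DisclosureLog()
    print(access_phi(log, "bob", "claims_processor", "M-1001", "claims", "adjudicate claim C-77"))
    try:
        access_phi(log, "eve", "payroll_clerk", "M-1001", "medical", "curiosity")
    except AccessDenied as exc:
        print("denied:", exc)
    print("accounting for M-1001:", log.accounting_for("M-1001"))
    print("denied attempts:", log.denied_attempts())
```

The mapping is deliberately a set per role rather than a per-person list: when a job description changes, one line changes and the log explains every past release in terms of the role that was in force at the time. An unknown role gets an empty set, so a misconfigured account is denied rather than granted everything.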

• Current and former employees (malicious intent, curiosity, carelessness)
• Visitors
• Business Associates
• Hackers, criminals, terrorists
• Improper use or disposal of PHI

• Ensure that security plans, policies, procedures, training and contractual agreements exist
• Establish an employee termination policy
• Security incident reporting system (report, respond, repair)
• Procedures that address staff responsibilities for protecting data
• Security safeguards that protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion
• The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included
Maintain the following documentation for six years, unless a longer period applies:
• All necessary policies and procedures. Ensure changes to policies and procedures are not implemented until documented and appropriate persons are notified.
• Business Associate Agreements
• Patient Acknowledgement of Privacy Policies

• Authorization forms
• Notices and amended notices
• Training of employees
• Patient/employee complaints and their disposition (this must be documented on the complaint form and forwarded to FCSRMC)
Your organization must cooperate with an OCR investigation or compliance review should these occur.
In accordance with Section 112.0455, Florida Statutes (Drug-Free Workplace Act), drug screen results are confidential and exempt from disclosure under the public records law. However, the Americans with Disabilities Act (ADA) and HIPAA require that all medical documents be filed separately from personnel records. Medical information should be kept confidential and away from personnel records even if the company does not fall under ADA or HIPAA regulations. Medical paperwork that should be filed separately includes the following:
• Reports from pre-employment physicals
• Drug and alcohol testing results
• Workers' compensation paperwork
• Medical leave of absence forms
• Disability paperwork
• Insurance applications that reveal pre-existing conditions
• Anything that identifies a medical issue




• A breach is an impermissible use/disclosure of PHI which poses significant risk of harm, such as financial, reputational, or other harm.
• A Covered Entity (CE) that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured PHI must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed due to a breach.
• It is not a breach if there is a good faith belief that the disclosure was to an unauthorized person who would not be able to retain the PHI.
• It is not a breach if it is unintentional acquisition or use in good faith, in the course and scope of employment, to someone authorized to access PHI.
Improper use or disclosure of PHI can result in the following fines and/or imprisonment, as set forth under HIPAA:
• If offender did not know, and by exercising reasonable diligence would not have known that he/she violated the law: $100 - $50,000/violation for identical violations.
• If the violation was due to reasonable cause and not willful neglect: $1,000 - $50,000/violation for identical violations.
• If the violation was due to willful neglect but was corrected: $10,000 - $50,000/violation, and imprisonment up to 5 years.
• If the violation was due to willful neglect and was not corrected: $50,000 and imprisonment up to 10 years.
Maximum for all violations of a single standard in a year: $1,500,000.
If records are placed in the wrong hands, it can negatively impact your personal safety, job security, or relationships.
• Do not share Personal Health Information without prior consent or authorization. Always ensure that the information is being sent to the correct person by never releasing information without referring to the consent or authorization.
• Use and disclose the minimum necessary to protect patient privacy.
• Remember, privacy is everyone's business. HIPAA is a federal law that all must abide by.



• Identify systems/areas that have covered data (paper and electronic)
• Secure your PHI (paper and electronic)
• Ensure your HIPAA policies and procedures are updated and that the location is known by all applicable staff
• Assign internal roles and responsibilities
• Encrypt data at rest / in transit



• Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.
• Maintain a separate employee health file.
• Keep all protected information in a limited access area and under lock and key.

• Manage your password - Do not write your password anywhere and do not share it with anyone
• Use workstations properly
• Know FCSRMC's sanction policies
• Learn and follow the college's policies and procedures
• Don't leave information open and unattended
• Lock computer, desk and file cabinets when you leave
• Use the shredder when destroying information