HIPAA TRAINING - PowerPoint PPT Presentation

1 / 54

About This Presentation

Title:

HIPAA TRAINING

Description:

It was recognized that this new protection would impose administrative burdens ... The National Provider System (NPS) will be the system used to assign unique ... – PowerPoint PPT presentation

Number of Views:7550

Avg rating:5.0/5.0

Slides: 55

Provided by: moore

Category:

more less

Transcript and Presenter's Notes

Title: HIPAA TRAINING

1
HIPAA TRAINING
Presentation provided by Greater Columbia
Behavioral Health
2

HIPAA

We must follow HIPAA regulations to protect
consumers. The following slides will introduce
HIPAA, including the reasons for it and how it
impacts health care. At the end of the
presentation you will be asked to complete
several questions to assess your understanding of
HIPAA and its impact on day-to-day health care.
You must answer the questions in order to
complete your HIPAA training.

4
By the time

youve completed this slideshow, you will be
able to answer the following questions
What is HIPAA and to whom does it apply?
What is PHI and how is it protected?
When are additional authorizations required?
What are the penalties for violation?

5
The Primary Intent

and purpose of this law was to protect health
insurance coverage for workers and their families
when they changed or lost their jobs. It was
recognized that this new protection would impose
administrative burdens on health care providers,
payers, and clearinghouses, and therefore, the
law includes a section called Administrative
Simplification. This section was designed to
reduce the burden associated with the transfer of
health information between organizations. The
approach was to accelerate the move from
paper-based administrative and financial
transactions to electronic transactions through
the establishment of nationwide standards.

6
The Health Insurance Portability and
Accountability Act (HIPAA)

When HIPAA was passed by Congress in 1996.
In addition to its goal to reduce health care
costs nationwide by requiring use of electronic
data interchange (EDI) for routine health care
transactions.
Its goal was to protect the security and privacy
of the health records used in these EDI
transactions.

HIPAA contains Privacy Security rules
responding to health care concerns such as
Fears that once patients records are stored
electronically on networks, a couple of clicks
could transmit those records worldwide and
Loss of personal control over personal
information and
Anger at the constant barrage of marketing

8
HIPAA Security Privacy rules

Established federal mandated requirements for the
creation, transmission, and disclosure of
individually identifiable health information that
affect anyone who encounters patient information
HIPAA uses the term PHI Protected Health
Information

9
PHI is

Information relating to an identified
individuals past, present, or future
Physical or mental health or condition
Provision of health care services
Payment for provision of health care
45 CFR 164.501

10
PHI includes

Oral or recorded information, maintained or
transmitted in any form or medium.
The law refers to covered entities and the work
that they perform as covered functions.
Covered Entities are Health Plans, Clearing
Houses, and Providers.

11
HIPAA Business Associate (BA)

HIPAA extends beyond the walls of the covered
entity to Business Associates
Someone that contracts with the covered entity
will be subject to the same HIPAA regulations as
the covered entity. Examples are an entitys
shredding company, printing company, and other
contractors.

12
The Patient Consumer.

Is entitled to notice about how their PHI will be
used
Is entitled to expect that caregivers will be
careful with their PHI
Is entitled to a copy of their record
Is entitled to request correction of their record
Is entitled to Receive Confidential Communication
Is entitled to Complain about a disclosure of
their PHI
All requests or complaints regarding these
rights, should be directed to the HIPAA
Privacy/Security Officer at ______________.

13
HIPAA Requires that Patients Receive a Notice of
Privacy Practices (NPP) that

Advises the patient about the covered entitys
privacy practices.
Distribution of the NPP is usually done at the
first face-to-face meeting except in a major
emergency or due to an incapacitated patient.
Covered entities must try to get a patients
written acknowledgement of the receipt of the NPP
or make a written record of why this was not done.

14
Use and Disclosure of PHI

A covered entity is permitted by HIPAA to Use
(internal) and Disclosure (external) of PHI for
the purposes of
Treatment the provision of health care
Payment the provision of benefits premium
payment
Operations normal business activities
(reporting, data collection eligibility checks,
etc.)

15
The Minimum Necessary Rule

The amount of PHI used or disclosed is restricted
to the minimum amount of information necessary.
Healthcare providers and health plans must make
reasonable efforts not to use, disclose, or
request more than is necessary to accomplish a
task.
Exceptions are
Disclosure to a provider for treatment
Release to an individual of their own PHI
Disclosures required by law

16
Minimum Necessary and TPO

TPO is Treatment, Payment, and Operations.
Patients must provide consent for use of PHI in
treatment, payment, and healthcare operations.
Providers and health plans must distinguish
activities that fall outside TPO such as
research, fundraising, and marketing.

The minimum necessary rule does not restrict
the information used or disclosed in treatment.
The minimum necessary rule does apply to
payment and health care operations.

18
Besides for use in TPO, When should an entity
disclose PHI?...

A covered entity is required to disclose PHI to
An individual (their own PHI) when requested
The Secretary of the U.S. Department of Human and
Health Services for investigation of complaints
or to determine a covered entitys compliance.
A covered entity is permitted to disclose PHI
outside in special circumstances such as
required by law
court proceedings
to avert a serious threat to health or safety
emergencies
abuse/neglect
special government functions

A co-worker is on the phone discussing a
treatment-related issue. You inadvertently
overhear PHI about a patient.
What should you do?

If you see or hear anything that is private, keep
it to yourself.
Other ideas?

A co-worker calls you and asks for information
about a friends mental health encounter.
How do you respond?

Before looking at a consumers health
information, ask yourself one simple question
Do I need to know this to do my job?
Before sharing a consumers health information,
ask yourself
Does this person need to know this to do their
job?

You are advised that a visitor has arrived to see
you. You are currently busy completing a
work-related task. However, the visitor has come
by several times before and knows where you are
located.
Should the visitor be allowed to enter on their
own?

No
Have all visitors, including family and ex
employees escorted by an employee when entering
or exiting the facility.
You should also ensure that all PHI is obscured
from view, prior to the arrival of the visitor.

25
HIPAA Authorization

Is written authorization from a patient to use or
disclose PHI for specific purposes (such as
employment related, research or marketing and
also needed for psychotherapy notes)
An authorization can be revoked at any time in
writing.
It must include the name of the patient, the
purpose of the disclosure, an expiration date, a
signature and date and an explanation of how to
revoke the authorization.

26
Special Authorizations
27
Authorization to Disclose Psychotherapy Notes

Psych notes are recorded during a counseling
session. The notes are to be kept separate from
the rest of the patients record.
Psych notes exclude
Prescription info and monitoring
Session start stop times
Modalities frequencies of treatment
Results of clinical tests
Summaries of diagnosis, functional status,
treatment plan, symptoms, prognosis and progress
to date.

Psych notes are granted special protection under
HIPAA.
A separate disclosure is required to release
psych notes.
Exceptions
Use of notes by the originator for treatment
Use by the covered entity for training
Use in defense in a legal action
Disclosure to HHS for HIPAA enforcement
Use by a coroner or medical examiner

Unlike other health records, psychotherapy notes
are not subject to disclosure to the patient.

30
Other HIPAA Standards
31
What is the NPI?

The National Provider Identifier (NPI) is the
unique health identifier for health care
providers. The NPI is a 10-digit numeric
identifier with a check digit.
The National Provider System (NPS) will be the
system used to assign unique numbers to health
care providers.
Health Care Providers must obtain an NPI and use
it on standard transactions Health Plans and
Health Care Clearinghouses must use the NPI to
identify health care providers on standard
transactions where the health care providers
identifier is required.
Health Care Providers, Health Plans (except small
health plans), and Health Care Clearinghouses
must comply with the implementation no later
than May 23, 2007. Small Health Plans must comply
with the NPI implementation specifications no
later than May 23, 2008.

32
Code Sets

HIPAA requires every provider who does business
electronically to use the same health care
transactions, code sets, and identifiers. Code
sets are the codes used to identify specific
diagnosis and clinical procedures on claims and
encounter forms. The HCPCS, CPT-4 and ICD-9 codes
are examples of code sets for procedures and
diagnose.

33
Security
34

In the context of HIPAA, privacy determines who
should have access, what constitutes the
patients rights to confidentiality, and what
constitutes inappropriate access to health
records.
Confidentiality establishes how the records (or
the systems that hold those records) should be
protected from inappropriate access.
Security is the means by which you ensure privacy
and confidentiality.

Threats to health information security and
privacy include
Intentional misuse from internal
personnel
Malicious or criminal misuse from
internal personnel
Unauthorized physical intrusion of the
data system by an external person
Unauthorized intrusion of the data
system by an external person via information
networks.

HIPAA mandates that security standards be applied
in four main areas
Administrative Procedures
Physical Safeguards
Protection for Data Storage
Protection for Data in Transit

37
Administrative Procedures

Covered entities need to
Implement training programs
Have a contingency plan
Conduct a risk assessment
Create policies and procedures including a
password policy
Have a formal mechanism for processing records
Follow a termination process
Establish roles and responsibilities for security

38
Physical Safeguards

Covered entities need to
Secure physical access by locking doors,
escorting visitors, wearing IDs
Secure unattended workstations by using password
protected screensavers and locking computers when
unattended. You can manually lock your
workstation by holding down the Windows key
and the L key.
Store notebook computers, PDAs, jump drives and
any portable media in a secure place and password
protect them
Encrypt PHI on notebooks, PDAs, jump drives, and
on any portable media.

You are walking by a trash can and notice a pile
of consumer reports or other documents with PHI
have been laid on top of the trash.
Should you be concerned?

Consumer information should never be thrown away
in an unlocked bin unless it has been shredded or
destroyed.

41
Protection for Data Storage

Covered entities need to
Have a Data Back-up Plan
Have a Disaster Recovery Plan
Store Paper, Tapes, Disks securely
Dispose of Paper PHI securely

42
Protection for Data in Transit

Covered entities need to
Use Encryption for PHI
Use Audit Trails
Report adverse events
Use precautions when sending PHI on faxes

43
What can I do?... The Basics

Keep your work area free of PHI when not present
Lock your computer when you walk away
Log off at the end of the day
Double check the number youre calling before
faxing PHI and pick up your faxes A.S.A.P. Use
a cover page with a confidentiality statement.
Emails containing PHI may only be emailed to
others on the entitys domain. If transmitting
PHI with a provider, you must use the a VPN.
Dont share your password
Dispose of sensitive materials in shredders or
locked bins

44
What can I do? The BasicsContinued

If you have a Building or door code, dont share
it.
Wear your id
Escort your visitors
Talk quietly on the phone when it involves PHI or
close your door if needed
Dont access more PHI than you need to do your
job
Dont leave your notebook computer on the seat of
your car
Dont allow anyone at home to access your work
Report any security incidents immediately

45
When do I Report a Breach of PHI?...

Employees must report a breach to their
supervisor when PHI shared does not pertain to
Treatment
Payment
Operations
Consumer authorization
Uses and disclosures permissible under federal
and state law

You are at the fax machine or printer to pick up
a document. There is consumer PHI already in the
receiving bin.
What should you do?

Notify the Office manager or supervisor that
there is PHI on the fax machine. They will
deliver the document to the recipient and if you
see private information, keep it to yourself.
For PHI in the receiving bin of the printer,
notify the HIPAA Privacy/Security Officer.
Documents will be delivered to the recipient with
a reminder not to leave PHI unattended on the
printer.

48
Incidental Disclosures

Examples of incidental disclosures
A patient seen in a waiting area
A conversation between a provider and a patient
in a semi-private room heard by the other
occupant
Incidental Disclosures are not violations if the
covered entity has safeguards in place and they
are observed by the staff.

49
Sanctions

Covered entities are required to develop and
impose sanctions appropriate to the nature of the
HIPAA violations. The type of sanction applied
should vary depending on factors such as the
severity of the violation, whether the violation
was intentional or unintentional, and whether the
violation indicated a pattern or practice of
improper use or disclosure of PHI. Sanctions can
range from a warning to termination.

50
Penalties for Violations

Civil Penalties
Violations can result in civil monetary penalties
of 100 per violation, up to 25,000 per year.
Criminal Penalties
In June 2005, the U.S. Department of Justice
(DOJ) clarified who can be held criminally liable
under HIPAA. Covered entities and specified
individuals, whom "knowingly" obtain or disclose
individually identifiable health information in
violation of HIPAA regulations face a fine of up
to 50,000, as well as imprisonment up to 1 year.
Offenses committed under false pretenses allow
penalties to be increased to a 100,000 fine,
with up to 5 years in prison. Offenses committed
with the intent to sell, transfer, or use
individually identifiable health information for
commercial advantage, personal gain or malicious
harm permit fines of 250,000, and imprisonment
for up to 10 years.

51
Enforcement

The DHHS Office of Civil Rights (OCR) enforces
the privacy standards, while the Centers for
Medicare Medicaid (CMS) enforces both the
transaction and code set standards and the
security standards (65 FR 18895). Enforcement of
the civil monetary provisions has not yet been
tasked to an agency.

52
Of note

According to reports, the US government has not
imposed a single fine for violations of the
HIPAA.
There have been several complaints received by
the Bush Administration on HIPAA violations.
However, only two criminal cases have been
prosecuted to date.
June 6, 2006 HIPAA Compliance Journal

53
The R.S.N. (Regional Support Network) HIPAA
Policies Agreementsare available on their
website at www.gcbh.org