Title: HIPAA Privacy Training - DAS
Slide 1: HIPAA Privacy Training - DAS
- Keeping It To Ourselves!
- Protecting Client Confidentiality
Slide 2: Introduction
- Vin Lombardo
- Henry Jovanelly
- Gene Shook (Keane)
- Purpose
- Comply with the training requirements of HIPAA
Slide 3: Topics of Discussion
- What is HIPAA
- Privacy and Confidentiality Standards
Slide 4: What This All Really Means
- Use or disclose health information that identifies the individual for billing and collection (Payment) purposes only
- When you do that, disclose the minimum necessary and know who you disclose to
Slide 5: What is HIPAA?
- Health Insurance Portability and Accountability Act of 1996 (August 21), Public Law 104-191
- Guarantees insurability of employees that change jobs (Portability)
- Reduces fraud and abuse of federal entitlement programs (Accountability)
- Improves efficiency through standardization of electronic transactions and codes
- Protects individuals' private health information
- Establishes security standards for health care information systems
- National standards for unique health identifiers
Slide 6: It came out of the failed health-care reform effort of the Clinton administration. In the early 1990s there was a lot of concern about people who were restrained in moving from one employer to another because they were afraid of losing their health insurance due to pre-existing conditions. So although the overall health-reform efforts failed, one of the things that came out of those efforts was this bill, which was aimed at allowing the portability of health insurance by preventing insurers from imposing requirements about pre-existing conditions when you move from one employer to another. At the time, employers were concerned that this was going to lead to an increase in health insurance costs. So there was an effort made to reduce costs in the health-care system as a way of offsetting the increased costs caused by these portability requirements. People quickly identified the amount of administrative expense throughout the health-care system caused by inefficient communications. For example, there are more than 400 different transaction formats in use throughout the country related to services provided and payments made. So HIPAA contains within it a set of provisions under its administrative simplification section to standardize to 10 transactions. Congress recognized that this was going to result in enhanced flow of individually identifiable health information in electronic format. There was concern that this would increase the risk of private health information being improperly disclosed. So part of the administrative simplification rules deal with protective measures that health-care providers and payers have to take in order to protect the privacy and security of this individually identifiable health information.
Slide 7: Time Line
- Columns: Firm; Estimated (awaiting publication of Final Rules)
- Rows: Security; Transactions Codes; Unique Identifiers
- Dates shown: April 2003; Oct 2003; April 2005
Slide 8: Covered Entities
- Healthcare Payers (Plan)
  - An individual or group plan that provides, or pays the cost of, medical care
- Healthcare Clearinghouses (DAS Collections)
  - An entity that processes/facilitates processing of health information received from another entity
- Healthcare Providers
  - Who transmit health information in electronic format
Slide 9: HIPAA
- 30 Billion in savings over 10 years in administration costs (18 Billion implementation cost)
- Title 1: Insurability and Portability
- Title 3: Tax Implications
- Title 4: Group Health
- Title 5: Revenue
- Title 2: Administrative Simplification
Slide 10: Administrative Simplification
Title II. Administrative Simplification
- Electronic Health Transaction Standards and Code
Sets - Privacy and Confidentiality Standards
- Security and Electronic Signature Standards
- Unique Identifiers
Slide 11: Administrative Simplification
- Electronic Health Transactions Standards and Code Sets
  - All payers, providers and clearinghouses using electronic healthcare transactions must use a national standard format. The act designates standards for 10 specific transaction sets (835 Payment, 837 Claim).
  - Health organizations also must adopt a set of industry standard codes to be used with transactions. Various coding systems are already in use to identify:
    - diseases
    - injuries
    - other health problems (as well as their causes, symptoms, and actions taken)
Slide 12: Administrative Simplification
- 2. Privacy and Confidentiality
  - This rule protects the privacy of information related to an individual's health, treatment, or healthcare payment.
  - Limits the use of individually identifiable health information, sent or stored in any format (electronic, paper, voice, etc.), without patient authorization
  - Business partners who receive, store or have access to individually identifiable health information must ensure the privacy of the records
  - Patients may have access to their own medical records
Slide 13: Administrative Simplification
- 3. Security of Health Information / Electronic Signature Standards
  - A uniform level of security for all health information that is
    - housed or transmitted electronically
    - pertains to an individual
  - Organizations who use Electronic Signatures will have to meet a standard ensuring
    - message integrity
    - user authentication, and
    - non-repudiation
Slide 14: Administrative Simplification
- 4. Unique Identifiers for Providers, Employers, and Health Plans
  - The current system allows for multiple ID numbers assigned by different agencies and insurers. HIPAA sees this as confusing, conducive to error, and costly.
  - It is expected that standard identifiers will reduce problems.
  - HIPAA sets a standard identifier for
    - Providers
    - Claims Payers
    - Employers
  - Identifier likely to be eliminated
    - Unique Patient Identifier
Slide 15: Privacy and Confidentiality Standards (Policies and Procedures)
- Limits the use of Protected Health Information (PHI)
- Minimum Necessary
- Verification Prior to Disclosure
- Administrative Requirements
- Business Associate Agreements
Slide 16: Minimum Necessary
- Protected Health Information (PHI)
- Limit Access/Role Based
- Disclosure of Minimum Necessary
- De-Identification
- Right to Request Privacy Protection/Confidential Communication
- Individuals' Access
Slide 17: Minimum Necessary
- Protected Health Information (PHI)
  - Protected Health Information (PHI) is information that identifies an individual and relates to the person's physical or mental health or condition, the provision of health care to that person, or payment for the provision of health care to that person.
  - DAS will limit the disclosure of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose of the authorized use, disclosure, or request.
Slide 18: Some items that identify an individual are: name, address, telephone or FAX, email address, names of relatives, Social Security number, birth date, account number, name of employer, and any other item that can identify a person in a small sample.
Slide 19: Minimum Necessary
- Limit Access/Role Based
  - DAS will identify and make reasonable efforts to limit the access to those persons or classes of persons, as appropriate, in its workforce who need access to Protected Health Information (PHI) to carry out their duties
Slide 20: Minimum Necessary
- Disclosure of Minimum Necessary
  - DAS will limit any request for Protected Health Information (PHI) to that which is reasonably necessary to accomplish the purpose for which the authorized request is made
Slide 21: It just means that if a person needs a date from a file, don't give them the whole file. Give authorized individuals the minimum necessary to get the job done.
Slide 22: Minimum Necessary
- De-Identification
  - DAS will de-identify Protected Health Information (PHI) (eliminate or cross out identifiers of the individual or of relatives, employers, or household members of the individual) to limit the disclosure of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose of the authorized disclosure
  - This is not necessary for TPO (to carry out Treatment, Payment or health care Operations)
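As an added illustration that is not part of the DAS deck, the two rules above, minimum necessary (a requester who "needs a date from a file" gets only the date) and de-identification (cross out the identifiers listed on the identifying-items slide), applied to a constructed billing record in Python. The field names, the authorized purposes and the record itself are assumptions made for this example.

```python
"""Minimum-necessary filtering and de-identification of a constructed PHI record.
Added example; field names, purposes and the sample record are assumptions."""
import copy

# Identifier fields taken from the deck's list (name, address, phone/fax, email,
# relatives, SSN, birth date, account number, employer). Field names are assumed.
IDENTIFIERS = ("name", "address", "phone", "fax", "email", "relatives",
               "ssn", "birth_date", "account_number", "employer")

# Minimum necessary: each authorized purpose may see only the fields it needs.
# The purposes and their field sets are assumptions for illustration.
NEED_TO_KNOW = {
    "payment_posting": {"account_number", "claim_number", "amount_due"},
    "audit_date_check": {"service_date"},   # "needs a date from a file"
}

SAMPLE_RECORD = {  # constructed record; no real person
    "name": "A. Sample", "address": "1 Example St", "phone": "555-0100", "fax": None,
    "email": "a.sample@example.invalid", "relatives": ["B. Sample"],
    "ssn": "000-00-0000", "birth_date": "1970-01-01", "account_number": "ACCT-0001",
    "employer": "Example Co", "claim_number": "CLM-42", "service_date": "2003-04-14",
    "amount_due": 125.00, "notes": "Call A. Sample at 555-0100 re: balance",
}


def minimum_necessary(record, purpose):
    """Return only the fields the stated purpose is authorized to see."""
    if purpose not in NEED_TO_KNOW:
        raise PermissionError(f"no authorized purpose: {purpose}")
    return {k: record[k] for k in NEED_TO_KNOW[purpose] if k in record}


def de_identify(record):
    """Cross out identifier fields, then scrub free text that repeats them."""
    out = copy.deepcopy(record)          # never mutate the original file
    crossed = []                         # identifier values to scrub from free text
    for field in IDENTIFIERS:
        value = out.get(field)
        if not value:
            continue
        crossed.extend(value if isinstance(value, list) else [value])
        out[field] = "[REDACTED]"
    # Free-text fields (e.g. collection notes) often repeat a name or phone number.
    for field, value in out.items():
        if isinstance(value, str) and value != "[REDACTED]":
            for ident in crossed:
                value = value.replace(str(ident), "[REDACTED]")
            out[field] = value
    return out
```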
Slide 23: Minimum Necessary
- Right to Request Privacy Protection/Confidential Communication
  - It is our policy that we respect the right of an individual to request restrictions on uses and disclosures of PHI and permit an individual to request confidential communication of PHI at alternative locations or by alternate means.
  - DAS will document the restriction and termination of the restriction, should it occur.
Slide 24: Minimum Necessary
- The following will apply to requests for alternative confidential communications
  - Request must be received in writing
  - Determine how payment will be handled, if necessary
  - Specification of an alternative address or other method of contact is required
  - Request or denial will be documented
  - DAS will not require an explanation from the individual
  - The uses and disclosures of PHI are then subject to the agreed upon restriction and/or the confidential communications requirements
Slide 25: Minimum Necessary
- Individuals' Access
  - DAS will give an individual the right to access and inspect or obtain a copy of his/her PHI for as long as DAS maintains the PHI. DAS will act on a request for access no later than 30 days after receipt of the request.
Slide 26: Verification Prior to Disclosure
- ID Person and Authority
- Verification Methods
- Routine Communication
- Non-Routine Disclosures
- Recording of Uses and Disclosures
- Exercise of Professional Judgment
Slide 27: Verification Prior to Disclosure
- ID Person and Authority
  - DAS will verify the identity of a person requesting Protected Health Information (PHI) and the authority of any such person to have access to the Protected Health Information (PHI)
Slide 28: Verification Prior to Disclosure
- DAS is a Clearinghouse and only uses and
discloses healthcare information for Treatment,
Payment and Health Care Operations (TPO). The
Client Agencies for which it processes the data
have already obtained the appropriate
authorizations and consents.
Slide 29: Verification Prior to Disclosure
- All employees are required to sign a
confidentiality agreement as a condition of
employment whereby they agree not to request, use
or disclose protected information unless
necessary to perform their job
Slide 30: Verification Prior to Disclosure
- Verification Methods
  - Verification is done when the identity of the requestor is not known or when documentation is required
  - Routine communication, where entity relationships have been established, does not require special verification procedures
Slide 31: Verification Prior to Disclosure
- Verification Methods: Examples
  - Phone: Caller ID; if they are holding a statement, ask for identifying information off of the statement; if not, ask for Social Security Number and date of birth
  - Letter: verify name and address
  - Signed authorization, claim number, company tax ID number, letterhead, callback, copy of appointing document, identification badge, other official credentials, warrant, subpoena, order, or other legal process issued
Slide 32: Verification Prior to Disclosure
- Non-Routine Disclosures
- Non-routine disclosures, not covered in the
Policies and Procedures, must be reviewed on an
individual basis by a Team Leader. Unresolved
issues are to be brought to the DAS HIPAA Privacy
Officer for resolution
Slide 33: Verification Prior to Disclosure
- Recording of Uses and Disclosures
- A log for the recording of all non-routine
disclosures will be maintained. A copy going
back six years prior to request will be made
available to clients at their request for .50
per page to cover the cost of copying and mailing
Slide 34: Verification Prior to Disclosure
- Recording of Uses and Disclosures
  - Non-routine disclosures will be recorded on the Avatar Admission Comments Screen within 60 days. Items to be keyed in:
    - Date of disclosure
    - Name of entity or person who received the PHI (address if known)
    - Brief description of PHI disclosed
    - Brief statement of purpose of disclosure
Slide 35: YES, where identity of requester is not known
(like an unrecognized voice on the phone)
Slide 38: Verification Prior to Disclosure
- Exercise of Professional Judgment
- The verification requirements are met if DAS
relies on the exercise of professional judgment
or acts on a good faith belief in making a
disclosure
Slide 39: Administrative Requirements
- Privacy Officer
- Training
- Safeguards
- Complaints to DAS
- Refraining from Intimidating or Retaliatory Acts
- Sanctions
- Policies and Procedures
Slide 40: Administrative Requirements
- Privacy Officer
  - DAS will create, document and maintain a position of privacy official that is responsible for the development, implementation and maintenance of the policies and procedures of DAS
  - Responsible for receiving complaints regarding privacy of Protected Health Information (PHI)
Slide 41: Administrative Requirements
- Training
- DAS will train all members of its workforce on
the policies and procedures with respect to
Protected Health Information (PHI) as necessary
and appropriate for the members of the workforce
to carry out their functions within DAS
Slide 42: Administrative Requirements
- Safeguards
- DAS will have in place appropriate
administrative, technical, and physical
safeguards to protect the privacy of Protected
Health Information (PHI).
Slide 43: Administrative Requirements
- Safeguards
- Administrative
- Scalable confidentiality and security procedures,
designated security officer, sanctions for
violations, signed statement by all employees
regarding confidentiality of data
Slide 44: Administrative Requirements
- Safeguards
- Technical
- Unique ID and Password, system stores password
encrypted, weak passwords not allowed, automatic
time logoff, system enforced password changes,
firewall, virus checking
Slide 45: Administrative Requirements
- Safeguards
- Physical
- Secure computer room, secure access to displays
and printers, secure destruction of printouts,
other outputs and obsolete equipment, disaster
recovery plan in place and tested
Slide 46: Administrative Requirements
- Complaints to DAS
- DAS will document all complaints received, and
their disposition, if any, in written or
electronic form. These documents must be
retained for a period no less than six years
Slide 47: Administrative Requirements
- Refraining from Intimidating or Retaliatory Acts
- DAS will not intimidate, threaten, coerce,
discriminate against, or take other retaliatory
action against anyone making a Privacy complaint
Slide 48: Administrative Requirements
- Sanctions
  - Consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization's workforce (can result in dismissal, other disciplinary actions, criminal prosecution and/or civil suit)
Slide 49: Administrative Requirements
- Policies and Procedures
- DAS will implement Policies and Procedures with
respect to Protected Health Information (PHI)
that are designed to comply with the standards,
implementation specifications or other
requirements of the Health Insurance Portability
and Accountability Act of 1996
Slide 50: Business Associate Agreements
- Definitions
- Vendor Contracts
- Agreements
Slide 51: Business Associate Agreements
- What is a Business Associate?
- An organization or person who performs activities
on behalf of or in coordination with DAS that
involves the use or disclosure of individually
identifiable health information
Slide 52: Business Associate Agreements
- Contracts/Agreements
  - DAS will ensure continued privacy protections of health information by entering into a Business Associate Contract
  - Business Associate agrees that it shall be prohibited from using or disclosing the information provided or made available by DAS for any purpose other than as expressly permitted or required by the Contract
Slide 53: Business Associate Agreements
- Business Associate Contract Covers
- Use and Disclosure
- Safeguards
- Subcontractors
- Right to Access/Amend
- Accounting of Disclosures
- Return of Information or Destruction
- Mitigation
- Sanctions
- Property Rights
- Termination
Slide 54: Business Associate Agreements
- Contracts/Agreements
  - Business Associate Contract wording will be included in every vendor contract's terms and conditions for the State of Connecticut through the DAS Procurement Unit
  - An MOU will be executed between DAS and our partnering state agencies
Slide 55: Penalties
- Fines up to 25,000 for multiple violations of the same standard in a calendar year
- Fines up to 250,000 and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
- Hot Water
Slide 56: Real Life
- New York Times
  - Answer: Sorry, can't by law
- Police Officer (properly identified)
  - Answer: Yes, minimum necessary
- Billing and Collection
  - Answer: Yes (TPO)
Slide 57: Real Life - Confidentiality - No Gossiping
- Neighbor's name noticed on case
  - Don't go home and tell your family
- Celebrity's name noticed on case
  - Don't gossip to friends/coworkers
Slide 58: What This Means
- DAS will limit the disclosure of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose of the authorized use, disclosure, or request
- DAS will verify the identity of a person requesting Protected Health Information (PHI) and the authority of any such person to have access to the Protected Health Information (PHI)
Slide 59: What This Really Means
- Use or disclose health information that identifies the individual for billing and collection (Payment) purposes only
- When you do that, disclose the minimum necessary and know who you disclose to
Slide 60: It is all about information. There is an explosion of Health Information out there. There is an information explosion. Just to give you a perspective on information today: the Internet is doubling in content every 100 days. The Sunday edition of the New York Times alone now contains more information than all the written information available in the 15th Century. There are more than 300,000 books published every year. When Columbus discovered America, the largest library in the world was the Queens College Library in Cambridge. It contained only 199 books. Most of us have more than that in our homes today.
Slide 61: Next Steps
- Be more aware of client privacy and confidentiality
- Exercise professional judgment/make reasonable efforts
Slide 62: The End