HIPAA Boot Camp - Know the Basics - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA Boot Camp - Know the Basics

Description:

Join our HIPAA Boot Camp Webinar to learn the essential knowledge and skills required by healthcare practitioners upon initial employment. We will cover the basics of HIPAA laws and requirements, focusing on the protection of Protected Health Information and the federal right to privacy. Our webinar will equip you with the necessary information to ensure compliance and maintain patient confidentiality.

Slides: 20
Provided by: confpanel5

Transcript and Presenter's Notes

Title: HIPAA Boot Camp - Know the Basics


1
HIPAA Boot Camp
The Basics of Exactly What You Need to Know
Conference Panel
by Mark R. Brengelman, JD, MA
Attorney at Law, Frankfort, Kentucky
2
About Mark R. Brengelman
  • Holds Bachelor's and Master's Degrees in
    Philosophy from Emory University, Atlanta,
    Georgia
  • Earned a Juris Doctorate from the University of
    Kentucky College of Law, Lexington, Kentucky
  • Served out a successful twenty year career with
    state government in Kentucky, including. now in
    private practice since 2012
  • Was a former Assistant Attorney General assigned
    to multiple state licensure boards in health
    care and other professions General Counsel and
    Prosecuting Attorney
  • Has presented Continuing Education for over 50
    national and state organizations and private
    companies, including the Kentucky Office of the
    Attorney General, the Kentucky Bar Association,
    the National Attorneys General Training and
    Research Institute, and the Federation of
    Associations of Regulatory Boards and eight of
    its member associations in psychology, physical
    therapy, dentistry, nursing, veterinary
    medicine, emergency medical services, state
    licensed contractors, and athletic trainers
  • Has represented all three branches of state
    government and now a local municipality in
    governmental ethics and now a state licensure
    board

3
HIPAA Boot Camp
  • Based upon the content of this program, you will
    be able effectively to identify:
  • Basics of HIPAA laws
  • How HIPAA and state laws intertwine
  • Examples of state licensure laws on
    confidentiality for health care practitioners
  • HIPAA training requirements for initial and
    continued education
  • Fundamental HIPAA mandates that all new health
    care employees must know
  • Elements of HIPAA compliance for the new health
    care practitioner

4
HIPAA Boot Camp
  • Disclaimer! Goals of the content of this program:
    what this does and does not cover
  • Does provide a broad overview of federal HIPAA
    laws in health care
  • Does not cover everything about federal HIPAA
    laws or everything about how these apply to any
    specific health care entity (i.e., hospital,
    clinic) or health care practitioner (i.e.,
    dentist, physician)
  • Does educate the person attending to ask the
    right questions in their own profession/health
    care entity about compliance with federal law
    implicating medical records confidentiality

5
HIPAA Boot Camp
  • Disclaimer! Goals of the content of this program:
    what this does and does not cover
  • Additional disclaimers:
  • I do not prosecute or defend HIPAA violations,
    investigations, or cases
  • I do work in health care regulatory law and
    professional licensure where there are legal
    standards applicable to the health care
    practitioner for professional licensure,
    including confidentiality
  • This presentation is best suited for the
    individual health care practitioner, i.e., solo
    practitioner
  • Health care entities will have full-time
    employees as resources, such as Information
    Technology (IT) departments; not so much for the
    solo practitioner

6
HIPAA Boot Camp
  • Basics of HIPAA: the importance of this federal
    law
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA) (not HIPPA that is on
    Wikipedia!) (see also, Twitter account for false
    HIPPA information)
  • A United States Act of Congress enacted by the
    104th U.S. Congress and signed into law by
    President Bill Clinton
  • Objectives: modernized the flow of healthcare
    information (applied originally only to those who
    submitted payment electronically); governs how
    personally identifiable information (protected
    health information) is maintained by the health
    care and insurance industries (to protect from
    fraud and theft)

7
HIPAA Boot Camp
  • Basics of HIPAA: the importance of this federal
    law, continued
  • Outcomes: generally prohibits health care
    providers and health care businesses (covered
    entities) from disclosing protected information
    to anyone other than a patient and the patient's
    authorized representatives without their consent
  • However, it does not restrict patients from
    receiving information about themselves (but see
    state laws) or from patients voluntarily sharing
    their health information (posting your
    radiographs on Facebook)
  • Note: beware of even the patient posting
    information on social media with the health care
    professional; see past webinar on social media
    violations by health care employees

8
HIPAA Boot Camp
  • Basics of HIPAA: the importance of this federal
    law, continued
  • Practical concerns: For highly skilled medical
    practitioners and other workers of any kind in
    today's health care world, employers often
    grapple with the initial training and
    implementation of HIPAA mandates for medical
    records privacy, and practitioners and employees
    must learn them
  • HIPAA laws cover all sorts of Protected Health
    Information for which there is a federal right of
    privacy
  • Even while purporting to protect the legitimate
    privacy interests of the patient, HIPAA has many
    exceptions that may apply; as such, new health
    care practitioners and new health care employees
    must know the basics of HIPAA laws and
    requirements

9
HIPAA Boot Camp
  • Basics of HIPAA: the importance of this federal
    law, continued
  • State laws protect patient privacy, and state
    licensure laws for health care professionals
    especially cover patient privacy in many ways,
    including vast schemes of laws in mental health;
    these state licensure laws mesh with and
    complement health care privacy already mandated
    by HIPAA
  • HIPAA training requirements: HIPAA mandates
    initial training of health care workers and
    regular training thereafter, either annually,
    or when new HIPAA laws become effective, or when
    new medical records systems are implemented
  • HIPAA applies not only to health care
    practitioners, but to health care workers (who
    have access to medical records) and to business
    associates
  • Examples: therapist and their laptop PC repair;
    health care employee who did (or did not) have
    access to medical records but posted patient
    information on social media ("the teenage driver
    should have worn her seatbelt") or ("the
    teenager in the ATV accident was a mess; I don't
    think he's gonna make it")

10
HIPAA Boot Camp
  • How HIPAA and state laws intertwine
  • State laws also protect privacy rights beyond
    HIPAA, i.e., California laws on medical privacy
  • State laws also protect certain privacy rights as
    a business regulation; example: state financial
    laws that mandate how credit card information is
    stored securely, and how paper credit card
    receipts are to be shredded by a business (to
    eliminate the liability and risk of a thief
    dumpster-diving for documentation)
  • Confidentiality versus privacy: medical records
    may be private, but may be relevant and used in
    legal proceedings, where such medical records
    are used as evidence but kept under seal in the
    courthouse
  • State rules of evidence govern what is admissible
    as evidence in a legal proceeding or is exempt as
    privileged, i.e., things you say in confidence
    to your spouse, your attorney, your
    priest/minister/rabbi, or to your doctor
    (therapist, counselor); why? Society values these
    relationships over the truth
  • Biggest source of patient confidentiality is in
    state licensure laws for health care professionals

11
HIPAA Boot Camp
  • Fundamental HIPAA mandates that health care
    employees must know: HIPAA Privacy Rule
  • The Privacy Rule standards address the use and
    disclosure of individuals' health information,
    i.e., protected health information, by those
    subject to the Privacy Rule (covered entities)
  • Includes standards for individuals' privacy
    rights to understand and control how their
    information is used
  • Federal Health and Human Services, Office of
    Civil Rights, has responsibility for implementing
    and enforcing the Privacy Rule
  • Main goal: to assure that individuals' health
    information is properly protected while allowing
    the flow of health information needed to provide
    and promote high quality health care and to
    protect the public's health and well being
  • Strikes a balance that permits important uses of
    information, while protecting the privacy of
    people who seek care and healing

12
HIPAA Boot Camp
  • Fundamental HIPAA mandates that health care
    employees must know: HIPAA Privacy Rule,
    continued
  • Covers:
  • Who is Covered by the Privacy Rule
  • Business Associates
  • What Information is Protected
  • General Principle for Uses and Disclosures
  • Permitted Uses and Disclosures
  • Authorized Uses and Disclosures
  • Limiting Uses and Disclosures to the Minimum
    Necessary

13
HIPAA Boot Camp
  • Fundamental HIPAA mandates that health care
    employees must know: HIPAA Security Rule
  • Covers:
  • Generally pretty technical; consult your
    Information Technology employees
  • Or, if a solo practitioner, use a
    commercially-available electronic health records
    software; there is software out there for each
    kind of health care practitioner
  • Beware: Covid emergency relaxation of security
    standards has ended under state and federal laws
  • Example: In March 2020, therapists started using
    televideo to practice remotely (in my state at
    least, that was always allowed, but whether you
    got paid for it by health insurance was another
    issue; applied to private-pay clients); use
    HIPAA compliant televideo (it's out there) and
    medical records software (usually in the cloud,
    and if so, what protections?). Issue of changing
    password when therapist separates from
    employment: turn in the office key versus
    changing the software passwords and getting back
    the medical office's laptop PC
  • Whole other issues of remote work, security,
    privacy, and work-from-home equals practice from
    home

14
HIPAA Boot Camp
  • Fundamental HIPAA mandates that health care
    employees must know: HIPAA Breach Notification
    Rule
  • Covers:
  • Covered entities and their business associates
    must provide notification following a breach of
    unsecured protected health information; similar
    rules are enforced by the Federal Trade
    Commission
  • A breach is, generally, an impermissible use or
    disclosure under the Privacy Rule that
    compromises the security or privacy of the
    protected health information. An impermissible
    use or disclosure of protected health
    information is presumed to be a breach unless the
    covered entity or business associate, as
    applicable, demonstrates there is a low
    probability that the protected health information
    has been compromised based on a risk assessment
    of at least the following factors:
  • The nature and extent of the protected health
    information involved, including the types of
    identifiers and the likelihood of
    re-identification
  • The unauthorized person who used the protected
    health information or to whom the disclosure was
    made
  • Whether the protected health information was
    actually acquired or viewed; and
  • The extent to which the risk to the protected
    health information has been mitigated

15
HIPAA Boot Camp
  • Summary and tips for avoiding liability and risk
  • For individual health care practitioners
  • Read and understand your profession's practice
    act and know what current practice standards are
    and current confidentiality standards
  • Follow the appropriate confidentiality standards
    (they do change over time; note the problem of
    rules being more simple versus more complex)
  • Document your health record accurately
  • Use commercially-available medical records
    software for therapists, for example; if it says
    HIPAA compliant, I would assume that it is
  • Note: HIPAA compliant telephone, a what? See
    also, faxing

16
HIPAA Boot Camp
  • Summary and tips for avoiding liability and risk
  • For health care facilities
  • Designate a Privacy Officer
  • Instill a culture of confidentiality
  • Employ an Information Technology department with
    HIPAA-experienced employees
  • Conduct initial training and regular training,
    and include all health care workers; implement
    confidentiality standards into your Human
    Resources training so you can fire them
  • Example: hospital employee who signed
    Confidentiality Agreement as part of HR fire
    violating HIPAA with social media posting was or
    was not outside the scope of employment (jury
    trial)?

17
HIPAA Boot Camp
  • Did we cover it all?
  • Basics of HIPAA laws
  • How HIPAA and state laws intertwine
  • Examples of state licensure laws on
    confidentiality for health care practitioners
  • HIPAA training requirements for initial and
    continued education
  • Fundamental HIPAA mandates that all new health
    care employees must know
  • Elements of HIPAA compliance for the new health
    care practitioner

18
Register Now