Title: The Health Insurance Portability and Accountability Act - HIPAA
Slide 1: The Health Insurance Portability and Accountability Act - HIPAA
- Understanding HIPAA's Privacy Rule
Slide 2: What is HIPAA?
- HIPAA is a landmark federal law that is being implemented in stages.
- HIPAA addresses a broad spectrum of health care and impacts both health care providers and health plans.
- DHHS and its contractors that participate in the HMIS (HMIS participants) are considered health care providers because of the services DHHS provides to its clients; DHHS is also the owner of the HMIS. HMIS participants must adhere to HIPAA since DHHS is a HIPAA covered entity and is the owner and lead HMIS agency.
Slide 3: Implemented in Stages
- 1997: HIPAA insurance portability regulations went into effect, protecting individuals in group health plans and permitting participants to keep their health insurance when they change jobs or become unemployed.
- April 2003: HIPAA's Privacy Rule went into effect to protect patient medical records and other health information.
Slide 4: Implemented in Stages
- October 2003: Regulations protecting health information sent electronically to Medicare, Medicaid and other insurers went into effect.
- April 2005: Security standards went into effect to protect health information maintained in electronic format. These standards apply to IT systems and policies.
- May 2007: National Provider Identifier regulations will require health care providers, both individuals and organizations, to use one permanent, unique identifier for all health care transactions.
Slide 5: What Does the Privacy Rule Do?
- Ensures that a uniform level of privacy protection is offered throughout the nation by limiting how health plans, pharmacies, hospitals and other entities can use a client's personal medical information.
- Ensures that individuals have access to their medical records and the ability to have any errors in those records amended.
- Ensures that clients understand how DHHS and the HMIS participants will use their personal health information.
Slide 6: Defining Health Care
- The definition of health care under HIPAA is very broad.
- Includes any physical health, mental health or substance abuse treatment.
- Most doctors, dentists, pharmacists, hospitals, nursing homes, public health clinics, mental health or substance abuse clinics are subject to the Privacy Rule.
- Includes counseling and case management related to health, mental health or substance abuse.
Slide 7: Some Terms to Know
- Protected Health Information, often called PHI, is any information held by the HMIS that:
  - Identifies a client (name, address, Social Security number, birth date or other identifying data), and
  - Relates to a client's past, present or future physical or mental health, or which includes information about past, present or future payment for services.
- Includes information transmitted or maintained in any form: written, electronic or verbal.
Slide 8: Some Terms to Know
- Treatment, Payment and Health Care Operations, often called TPO, refers to:
  - Treatment: the provision, coordination or management of health care by providers.
  - Payment: activities to collect premiums, provide benefits or obtain reimbursement.
  - Health Care Operations: activities related to health care administration, such as accreditation, quality assessment and evaluation.
Slide 9: Notice of Privacy Practices (NOPP)
- Explains to clients how we may use their protected health information.
- Each HMIS participant provider must develop a Notice of Privacy Practices.
- The Notice must be posted prominently in each HMIS participant's facilities.
- One signed copy must be kept in a client's permanent record, with copies available for the client to take.
- The Notice is available in several languages.
Slide 10: When Can We Use or Disclose Protected Information?
- For treatment, payment and health care operations only.
- Most other uses require written authorization from the client or an authorized representative.
- Protected health information should be released only on a need-to-know basis.
- All uses must be limited to the minimum amount of information necessary.
Slide 11: How Does This Apply to Me?
- All members of the HHS and HMIS participants' workforce (staff members, contractors, interns and volunteers) must take reasonable precautions to ensure that client health information is protected.
- HIPAA Privacy Rule requirements apply not just to staff who deal directly with clients, but to everyone.
- This includes staff whose jobs involve fiscal, administrative, technical and other duties.
Slide 12: All of Us May Handle Protected Health Information! For example:
- An administrative aide at a substance abuse clinic records names of clients in an appointment book.
- A therapist sends an e-mail to a colleague about a client referral. The e-mail contains a mental health diagnosis and other personal information about the client.
- A computer programmer accesses client immunization records as part of a database-building project.
- A fiscal assistant uses client treatment information in order to send a bill to Medicare.
Slide 13: How Do We Make Sure Health Information is Protected?
- Ask for only the minimum information necessary to do your job!
- Share with the requesting party only the specific information relevant to the task at hand.
- Information should be provided based strictly on a legitimate need to know, and not merely based on interest or curiosity. It is rarely appropriate to request an entire record or chart.
- When handling personal health information, keep the following guidelines in mind:
Slide 14: Protecting Written Documents
- Do not leave client records, files and other written documents on your desk where they can be seen by others.
- Keep records in a locked desk or filing cabinet or in a locked room, even if you are leaving your office for a very short time.
- Use a locking briefcase in instances where records or notes are taken out of the office. If you are visiting several locations in a row, take only the records pertaining to each visit inside with you.
Slide 15: Protecting Written Documents
- Verify the fax number you plan to send protected documents to and use a cover sheet with a confidentiality statement.
- Keep identifying information on records (file names, etc.) concealed if you carry records through a public area.
- When disposing of documents that contain any client identifying information, be sure to shred them.
Slide 16: Protecting Electronic Documents
- Use a screen saver. (Directions are included in your training packet.)
- If you use a laptop, use a password to protect it.
- Do not share your password, or leave it on a note attached to your computer.
Slide 17: Protecting Electronic Documents
- If you must send client information via e-mail, do not include client information in the body of the e-mail. Send the client information in a password-protected attachment.
- Do not remove electronic data from the office, whether on disks, CDs or zip drives, without prior supervisor permission. (Password protect if possible.)
Slide 18: Conversations Count!
- While on the elevator, in a hallway, or on the phone, remember that the Privacy Rule applies to personal health information shared verbally. Don't discuss client information where it may be overheard.
- Never leave confidential information on voice mail. Ask instead that the recipient return your call.
Slide 19: Conversations Count!
- If possible, use an interview room if you need to meet with a client.
- Keep voices down if you must talk with a client in an open area.
Slide 20: To Sum Up
- All members of the DHHS and HMIS participants' workforce (employee, intern, or volunteer) must adhere to the HIPAA Privacy Rule by ensuring that client health information is protected.
- The Privacy Rule applies not just to direct service staff, but also to staff whose jobs include fiscal, administrative and technical duties.
Slide 21: Privacy is Every Client's Right
- There are other State and federal laws affecting how client information may be used, including:
  - The Maryland Medical Records Act, which applies to health and mental health records.
  - Article 88A, the Annotated Code of Maryland, which applies to social service programs, including Adult and Child Protective Services.
  - FERPA, which relates to student educational records.
  - COMAR, which includes confidentiality regulations for various programs, and Federal laws (42 CFR) related to the confidentiality of substance abuse records.
Slide 22: Privacy is Every Client's Right
- Ensuring every client's privacy is not only respectful of our clients, it is their right.
- It is your responsibility to know the Privacy Rule and the other confidentiality laws and regulations that apply to your clients.
- Ignoring the Privacy Rule carries substantial fines and penalties.
- In extreme cases, criminal charges can be filed.
Slide 23: Where Do We Go From Here?
- All DHHS and HMIS participant staff members are required by law to report events, situations or practices in the workplace that may be violations of the Privacy Rule. If you have such a concern, please contact your supervisor or the HIPAA Coordinator for your service area. (A list of current coordinators is on the HHS Intranet Website.)
- You may also call the HIPAA Hotline at 240-777-1210 to anonymously report suspected HIPAA violations.
Slide 24: Where Do We Go From Here?
- HIPAA is not the only law that DHHS and HMIS participants must follow. Remember, it's your responsibility to know which other State and federal laws and regulations affect client information. Ask your supervisor if you need further details.
- Still have questions?
- Please call Alex Wertheim, Homeless Programs Coordinator, at 240-777-4125.