The Health Insurance Portability and Accountability Act - HIPAA - PowerPoint PPT Presentation

Slides: 25
Provided by: dhhs62


1
The Health Insurance Portability and
Accountability Act - HIPAA
  • Understanding HIPAA's Privacy Rule

2
What is HIPAA?
  • HIPAA is a landmark federal law that is being
    implemented in stages.
  • HIPAA addresses a broad spectrum of health care
    and impacts both health care providers and health
    plans.
  • DHHS and its contractors that participate in the
    HMIS (HMIS participants) are considered health
    care providers because of the services DHHS
    provides to its clients and because DHHS is the
    owner of the HMIS. HMIS participants must adhere
    to HIPAA since DHHS is a HIPAA covered entity and
    is the owner and lead HMIS agency.

3
Implemented in Stages
  • 1997: HIPAA insurance portability regulations
    went into effect, protecting individuals in group
    health plans and permitting participants to keep
    their health insurance when they change jobs or
    become unemployed.
  • April 2003: HIPAA's Privacy Rule went into effect
    to protect patient medical records and other
    health information.

4
Implemented in Stages
  • October 2003: Regulations protecting health
    information sent electronically to Medicare,
    Medicaid and other insurers went into effect.
  • April 2005: Security standards went into effect
    to protect health information maintained in
    electronic format. These standards apply to IT
    systems and policies.
  • May 2007: National Provider Identifier
    regulations will require health care providers,
    both individuals and organizations, to use one
    permanent, unique identifier for all health care
    transactions.

5
What Does the Privacy Rule Do?
  • Ensures that a uniform level of privacy
    protection is offered throughout the nation by
    limiting how health plans, pharmacies, hospitals
    and other entities can use a client's personal
    medical information.
  • Ensures that individuals have access to their
    medical records and the ability to have any
    errors in those records amended.
  • Ensures that clients understand how DHHS and the
    HMIS participants will use their personal health
    information.

6
Defining Health Care
  • The definition of health care under HIPAA is very
    broad.
  • Includes any physical health, mental health or
    substance abuse treatment.
  • Most doctors, dentists, pharmacists, hospitals,
    nursing homes, public health clinics, mental
    health or substance abuse clinics are subject to
    the Privacy Rule.
  • Includes counseling and case management related
    to health, mental health or substance abuse.

7
Some Terms to Know
  • Protected Health Information, often called
    PHI, is any information held by the HMIS that:
  • Identifies a client - name, address, social
    security, birth date or other identifying data
  • and
  • Relates to a client's past, present or future
    physical or mental health or which includes
    information about past, present or future payment
    for services.
  • Includes information transmitted or maintained in
    any form: written, electronic or verbal.

8
Some Terms to Know
  • Treatment, Payment and Health Care Operations,
    often called TPO, refers to:
  • Treatment - the provision, coordination or
    management of health care by providers.
  • Payment - activities to collect premiums, provide
    benefits or obtain reimbursement.
  • Health Care Operations - activities related to
    health care administration, such as
    accreditation, quality assessment and evaluation.

9
Notice of Privacy Practices (NOPP)
  • Explains to clients how we may use their
    protected health information.
  • Each HMIS participant provider must develop a
    Notice of Privacy Practices.
  • Notice must be posted prominently in each HMIS
    participant's facilities.
  • One signed copy must be kept in a client's
    permanent record, with copies available for the
    client to take.
  • Notice is available in several languages.

10
When Can We Use or Disclose Protected Information?
  • For treatment, payment and health care operations
    only.
  • Most other uses require written authorization
    from the client or an authorized representative.
  • Protected health information should be released
    only on a need-to-know basis.
  • All uses must be limited to the minimum amount of
    information necessary.

11
How Does This Apply to Me?
  • All members of the HHS and HMIS participants'
    workforce - staff members, contractors, interns
    and volunteers - must take reasonable precautions
    to ensure that client health information is
    protected.
  • HIPAA Privacy Rule requirements apply not just to
    staff who deal directly with clients, but to
    everyone.
  • This includes staff whose jobs involve fiscal,
    administrative, technical and other duties.

12
All of Us May Handle Protected Health
Information! For example:
  • An administrative aide at a substance abuse
    clinic records names of clients in an appointment
    book.
  • A therapist sends an e-mail to a colleague about
    a client referral. The e-mail contains a mental
    health diagnosis and other personal information
    about the client.
  • A computer programmer accesses client
    immunization records as part of a
    database-building project.
  • A fiscal assistant uses client treatment
    information in order to send a bill to Medicare.

13
How Do We Make Sure Health Information is
Protected?
  • Ask for only the minimum information necessary to
    do your job!
  • Share with the requesting party only the specific
    information relevant to the task at hand.
  • Information should be provided based strictly on
    a legitimate need to know, and not merely based
    on interest or curiosity. It is rarely
    appropriate to request an entire record or chart.
  • When handling personal health information, keep
    the following guidelines in mind.

14
Protecting Written Documents
  • Do not leave client records, files and other
    written documents on your desk where they can be
    seen by others.
  • Keep records in a locked desk or filing cabinet
    or in a locked room - even if you are leaving
    your office for a very short time.
  • Use a locking briefcase in instances where
    records or notes are taken out of the office. If
    you are visiting several locations in a row, take
    only the records pertaining to each visit inside
    with you.

15
Protecting Written Documents
  • Verify the fax number you plan to send protected
    documents to and use a cover sheet with a
    confidentiality statement.
  • Keep identifying information on records (file
    names, etc.) concealed if you carry records
    through a public area.
  • When disposing of documents that contain any
    client identifying information, be sure to shred
    them.

16
Protecting Electronic Documents
  • Use a screen saver. (Directions are included in
    your training packet.)
  • If you use a laptop, use a password to protect
    it.
  • Do not share your password, or leave it on a note
    attached to your computer.

17
Protecting Electronic Documents
  • If you must send client information via e-mail,
    do not include client information in the body of
    the e-mail. Send the client information in a
    password protected attachment.
  • Do not remove electronic data from the office
    whether on disks, CDs or zip drives without prior
    supervisor permission. (Password protect if
    possible.)

18
Conversations Count!
  • While on the elevator, in a hallway, or on the
    phone, remember that the Privacy Rule applies to
    personal health information shared verbally.
    Don't discuss client information where it may be
    overheard.
  • Never leave confidential information on voice
    mail. Ask instead that the recipient return your
    call.

19
Conversations Count!
  • If possible, use an interview room if you need to
    meet with a client.
  • Keep voices down if you must talk with a client
    in an open area.

20
To Sum Up
  • All members of the DHHS and HMIS participants'
    workforce - employee, intern, or volunteer - must
    adhere to the HIPAA Privacy Rule by ensuring that
    client health information is protected.
  • The Privacy Rule applies not just to direct
    service staff, but also to staff whose jobs
    include fiscal, administrative and technical
    duties.

21
Privacy is Every Client's Right
  • There are other State and federal laws affecting
    how client information may be used, including:
  • The Maryland Medical Records Act, which applies
    to health and mental health records
  • Article 88A, the Annotated Code of Maryland,
    which applies to social service programs,
    including Adult and Child Protective Services
  • FERPA which relates to student educational
    records
  • COMAR, which includes confidentiality regulations
    for various programs and Federal laws (42CFR)
    related to the confidentiality of substance abuse
    records.

22
Privacy is Every Client's Right
  • Ensuring every client's privacy is not only
    respectful of our clients, it is their right.
  • It is your responsibility to know the Privacy
    Rule and the other confidentiality laws and
    regulations that apply to your clients.
  • Ignoring the Privacy Rule carries substantial
    fines and penalties.
  • In extreme cases, criminal charges can be filed.

23
Where Do We Go From Here?
  • All DHHS and HMIS participant staff members are
    required by law to report events, situations or
    practices in the workplace that may be violations
    of the Privacy Rule. If you have such a concern,
    please contact your supervisor or the HIPAA
    Coordinator for your service area. (A list of
    current coordinators is on the HHS Intranet
    Website.)
  • You may also call the HIPAA Hotline at
    240-777-1210 to anonymously report suspected
    HIPAA violations.

24
Where Do We Go From Here?
  • HIPAA is not the only law that DHHS and HMIS
    participants must follow. Remember, it's your
    responsibility to know which other State and
    federal laws and regulations affect client
    information. Ask your supervisor if you need
    further details.
  • Still have questions?
  • Please call Alex Wertheim, Homeless Programs
    Coordinator at 240-777-4125.