HIPAA Privacy Training - DAS - PowerPoint PPT Presentation

Provided by: dasCtGov6
Learn more at: http://das.ct.gov
Transcript and Presenter's Notes

1
HIPAA Privacy Training - DAS
  • Keeping It To Ourselves!
  • Protecting Client Confidentiality

2
Introduction
  • Vin Lombardo
  • Henry Jovanelly
  • Gene Shook (Keane)
  • Purpose
  • Comply with the training requirements of HIPAA

3
Topics of Discussion
  • What is HIPAA
  • Privacy and Confidentiality Standards

4
What This All Really Means
  • Use or disclose health information that
    identifies the individual for billing and
    collection (Payment) purposes only
  • When you do that, disclose the minimum necessary
    and know who you disclose to

5
What is HIPAA?
  • Health Insurance Portability and Accountability
    Act of 1996 (August 21), Public Law 104-191
  • Guarantees insurability of employees that change
    jobs (Portability)
  • Reduces fraud and abuse of federal entitlement
    programs (Accountability)
  • Improves efficiency through standardization of
    electronic transactions and codes
  • Protects individuals' private health information
  • Establishes security standards for health care
    information systems
  • National standards for unique health identifiers

6
It came out of the failed health-care reform
effort of the Clinton administration. In the
early 1990s there was a lot of concern about
people who were restrained in moving from one
employer to another because they were afraid of
losing their health insurance due to pre-existing
conditions. So although the overall health-reform
efforts failed, one of the things that came out
of those efforts was this bill, which was aimed
at allowing the portability of health insurance
by preventing insurers from imposing requirements
about pre-existing conditions when you move from
one employer to another. At the time, employers
were concerned that this was going to lead to an
increase in health insurance costs. So there was
an effort made to reduce costs in the health-care
system as a way of offsetting the increased costs
caused by these portability requirements. People
quickly identified the amount of administrative
expense throughout the health-care system caused
by inefficient communications. For example, there
are more than 400 different transaction formats
in use throughout the country related to services
provided and payments made. So HIPAA contains
within it a set of provisions under its
administrative simplification section to
standardize to 10 transactions. Congress
recognized that this was going to result in
enhanced flow of individually identifiable health
information in electronic format. There was
concern that this would increase the risk of
private health information being improperly
disclosed. So part of the administrative
simplification rules deal with protective
measures that health-care providers and payers
have to take in order to protect the privacy and
security of this individually identifiable health
information.
7
Time Line
  • Implementation Dates
  • Firm
  • Estimated (awaiting publication of Final Rules)
  • Security
  • Transactions and Codes
  • Unique Identifiers
  • April 2003
  • Oct 2003
  • April 2005
8
Covered Entities
  • Healthcare Payers (Plan)
  • An individual or group plan that provides, or
    pays the cost of medical care
  • Healthcare Clearinghouses (DAS Collections)
  • An entity that processes/facilitates processing
    of health information received from another
    entity
  • Healthcare Providers
  • Who transmit health information in electronic
    format

9
HIPAA
  • $30 billion in savings over 10 years in
    administration costs ($18 billion implementation
    cost)
  • Title 1 Insurability and Portability
  • Title 3 Tax Implications
  • Title 4 Group Health
  • Title 5 Revenue
  • Title 2 Administrative Simplification

10
Administrative Simplification
Title II. Administrative Simplification
  • Electronic Health Transaction Standards and Code
    Sets
  • Privacy and Confidentiality Standards
  • Security and Electronic Signature Standards
  • Unique Identifiers

11
Administrative Simplification
  • 1. Electronic Health Transactions Standards and Code
    Sets
  • All payers, providers and clearinghouses using
    electronic healthcare transactions must use a
    national standard format. The act designates
    standards for 10 specific transaction sets
    (835 Payment, 837 Claim).
  • Health organizations also must adopt a set of
    industry standard codes to be used with
    transactions. Various coding systems are already
    in use to identify:
  • diseases
  • injuries
  • other health problems (as well as their causes,
    symptoms, and actions taken)

12
Administrative Simplification
  • 2. Privacy and Confidentiality
  • This rule protects the privacy of information
    related to an individual's health, treatment, or
    healthcare payment.
  • Limits the use of individually identifiable
    health information, sent or stored in any format
    (electronic, paper, voice, etc.), without patient
    authorization
  • Business partners who receive, store or have
    access to privately identifiable health
    information must ensure the privacy of the
    records
  • Patients may have access to their own medical
    records

13
Administrative Simplification
  • 3. Security of Health Information / Electronic
    Signature Standards
  • A uniform level of security for all health
    information that is housed or transmitted
    electronically and pertains to an individual
  • Organizations who use Electronic Signatures will
    have to meet a standard ensuring:
  • message integrity
  • user authentication, and
  • non-repudiation

14
Administrative Simplification
  • 4. Unique Identifiers for Providers, Employers,
    and Health Plans
  • The current system allows for multiple ID numbers
    assigned by different agencies and insurers.
    HIPAA sees this as confusing, conducive to error,
    and costly.
  • It is expected that standard identifiers will
    reduce problems.
  • HIPAA sets a standard identifier for:
  • Providers
  • Claims Payers
  • Employers
  • Identifier likely to be eliminated:
  • Unique Patient Identifier

15
Privacy and Confidentiality Standards (Policies and
Procedures): Limits the use of Protected Health
Information (PHI)
  • Minimum Necessary
  • Verification Prior to Disclosure
  • Administrative Requirements
  • Business Associate Agreements

16
Minimum Necessary
  • Protected Health Information (PHI)
  • Limit Access/Role Basis
  • Disclosure of Minimum Necessary
  • De-Identification
  • Right to Request Privacy Protection/Confidential
    Communication
  • Individual's Access

17
Minimum Necessary
  • Protected Health Information (PHI)
  • Protected Health Information (PHI) is information
    that identifies an individual and relates to the
    person's physical or mental health or condition,
    the provision of health care to that person, or
    payment for the provision of health care to that
    person.
  • DAS will limit the disclosure of Protected Health
    Information (PHI) to the minimum amount necessary
    to accomplish the intended purpose of the
    authorized use, disclosure, or request.

18
Some items that identify an individual are: Name,
Address, Telephone or FAX number, Email Address,
Names of Relatives, Social Security number, Birth
Date, Account Number, Name of Employer, and any
other item that can identify a person in a small
sample.
19
Minimum Necessary
  • Limit Access/Role Basis
  • DAS will identify and make reasonable efforts to
    limit the access
  • To those persons or classes of persons, as
    appropriate, in its workforce who need access to
    Protected Health Information (PHI) to carry out
    their duties

20
Minimum Necessary
  • Disclosure of Minimum Necessary
  • DAS will limit any request for Protected Health
    Information (PHI)
  • To that which is reasonably necessary to
    accomplish the purpose for which the authorized
    request is made

21
It just means that if a person needs a date from
a file, don't give them the whole file. Give
authorized individuals the minimum necessary to
get the job done.
22
Minimum Necessary
  • De-Identification
  • DAS will de-identify Protected Health
    Information (PHI) (eliminate or cross out,
    identifiers of the individual or of relatives,
    employers, or household members of the
    individual), to limit the disclosure of Protected
    Health Information (PHI) to the minimum amount
    necessary to accomplish the intended purpose of
    the authorized disclosure
  • This is not necessary for TPO (to carry out
    Treatment, Payment or health care Operations)
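The minimum-necessary rule (slides 19 to 21) and de-identification (slides 18 and 22) are easiest to see as one disclosure pipeline: strip identifiers unless the purpose is TPO, then release only the fields the requester's role needs and actually asked for. The following is an added illustration, not DAS code or the Avatar system; the role table, field names, regular expressions and the sample client record are all constructed for the example.

```python
"""Minimum-necessary and de-identification checks before a PHI disclosure.

Added example; not DAS code. The role table, field names, regular
expressions and the sample record are constructed for this illustration.
"""
import re

# Identifier fields, following the list on slide 18 (field names assumed).
IDENTIFIER_FIELDS = {
    "patient_name", "address", "telephone", "fax", "email",
    "relative_names", "ssn", "birth_date", "account_number", "employer",
}

# Patterns that catch identifiers hiding inside free-text notes (constructed).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # SSN
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),   # phone / fax
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),        # e-mail address
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),          # date of birth
]

# Role -> fields that role needs to do its job (slide 19, "role basis").
# The roles and their field sets are assumptions for the example.
ROLE_FIELDS = {
    "billing_clerk": {"account_number", "balance_due", "service_date", "patient_name"},
    "auditor": {"balance_due", "service_date", "diagnosis_code"},
}

# Slide 22: de-identification is not required for Treatment, Payment, Operations.
TPO_PURPOSES = {"treatment", "payment", "operations"}

SAMPLE_RECORD = {  # constructed client record, not real data
    "patient_name": "Jane Sample",
    "address": "1 Example St, Hartford CT",
    "ssn": "000-00-0000",
    "birth_date": "1/1/1970",
    "account_number": "ACCT-0001",
    "balance_due": 125.00,
    "service_date": "2003-04-14",
    "diagnosis_code": "J45",
    "notes": "Left message at 860-555-0100; spouse Jane.Sample@example.org will call back.",
}


def de_identify(record, cross_out=False):
    """Slide 22: eliminate identifier fields (or cross them out with a marker),
    then scrub identifier-shaped strings out of any free-text values."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            if cross_out:
                out[key] = "[XXXX]"
            continue
        if isinstance(value, str):
            for pattern in FREE_TEXT_PATTERNS:
                value = pattern.sub("[XXXX]", value)
        out[key] = value
    return out


def prepare_disclosure(record, role, purpose, requested):
    """Return (disclosed, withheld). Only fields that the role may see AND
    that were actually requested leave the file (slides 20-21); identifiers
    are removed first unless the purpose is TPO (slide 22)."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    source = record if purpose.lower() in TPO_PURPOSES else de_identify(record)
    allowed = ROLE_FIELDS[role]
    disclosed = {k: source[k] for k in requested if k in allowed and k in source}
    withheld = sorted(set(requested) - set(disclosed))
    return disclosed, withheld


if __name__ == "__main__":
    print(de_identify(SAMPLE_RECORD))
    print(prepare_disclosure(SAMPLE_RECORD, "billing_clerk", "payment",
                             ["account_number", "balance_due", "ssn"]))
```

The returned `withheld` list is what a team leader would want to see in the log: it records which requested fields were refused, whether because the role does not need them or because the purpose was not TPO and the field was an identifier.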

23
Minimum Necessary
  • Right to Request Privacy Protection/Confidential
    Communication
  • It is our policy that we respect the right of an
    individual to request restrictions on uses and
    disclosures of PHI and permit an individual to
    request confidential communication of PHI at
    alternative locations or by alternate means.
  • DAS will document the restriction and
    termination of the restriction, should it occur.

24
Minimum Necessary
  • The following will apply to requests for
    alternative confidential communications
  • Request must be received in writing
  • Determine how payment will be handled, if
    necessary
  • Specification of an alternative address or other
    method of contact is required
  • Request or denial will be documented.
  • DAS will not require an explanation from the
    individual
  • The uses and disclosures of PHI are then subject
    to the agreed upon restriction and/or the
    confidential communications requirements.

25
Minimum Necessary
  • Individual's Access
  • DAS will give an individual the right to access
    and inspect or obtain a copy of his/her PHI for
    as long as DAS maintains the PHI. DAS will act
    on a request for access no later than 30 days
    after receipt of the request.

26
Verification Prior to Disclosure
  • ID Person and Authority
  • Verification Methods
  • Routine Communication
  • Non-Routine Disclosures
  • Recording of Uses and Disclosures
  • Exercise of Professional Judgment

27
Verification Prior to Disclosure
  • ID Person and Authority
  • DAS will verify the identity of a person
    requesting Protected Health Information (PHI) and
    the authority of any such person to have access
    to the Protected Health Information (PHI)

28
Verification Prior to Disclosure
  • DAS is a Clearinghouse and only uses and
    discloses healthcare information for Treatment,
    Payment and Health Care Operations (TPO). The
    Client Agencies for which it processes the data
    have already obtained the appropriate
    authorizations and consents.

29
Verification Prior to Disclosure
  • All employees are required to sign a
    confidentiality agreement as a condition of
    employment whereby they agree not to request, use
    or disclose protected information unless
    necessary to perform their job

30
Verification Prior to Disclosure
  • Verification Methods
  • Verification is done when the identity of the
    requestor is not known or when documentation is
    required
  • Routine communication, where entity relationships
    have been established, does not require special
    verification procedures

31
Verification Prior to Disclosure
  • Verification Methods: Examples
  • Phone: Caller ID. If they are holding a
    statement, ask for identifying information off of
    the statement; if not, ask for Social Security
    Number and date of birth.
  • Letter: Verify name and address.
  • Signed Authorization, Claim Number, Company Tax
    ID Number, Letterhead, Callback, Copy of
    Appointing Document, Identification Badge, other
    official credentials, warrant, subpoena, order,
    or other legal process issued

32
Verification Prior to Disclosure
  • Non-Routine Disclosures
  • Non-routine disclosures, not covered in the
    Policies and Procedures, must be reviewed on an
    individual basis by a Team Leader. Unresolved
    issues are to be brought to the DAS HIPAA Privacy
    Officer for resolution

33
Verification Prior to Disclosure
  • Recording of Uses and Disclosures
  • A log for the recording of all non-routine
    disclosures will be maintained. A copy going
    back six years prior to the request will be made
    available to clients at their request for $0.50
    per page to cover the cost of copying and mailing

34
Verification Prior to Disclosure
  • Recording of Uses and Disclosures
  • Non-routine disclosures will be recorded on the
    Avatar Admission Comments Screen, within 60
    days. Items to be keyed in:
  • Date of disclosure
  • Name of entity or person who received the PHI
    (address if known)
  • Brief description of PHI disclosed
  • Brief statement of purpose of disclosure
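Slides 33 and 34 together define an accounting-of-disclosures log: every non-routine disclosure is keyed in within 60 days with a fixed set of fields, and a client can ask for the six years of entries before the request. The block below is an added example of such a log, not DAS code or the Avatar screen it describes; the entry fields follow the slide, while the class and function names and the sample entries are constructed.

```python
"""Accounting-of-disclosures log for non-routine PHI disclosures.

Added example, not DAS code or the Avatar system. Entry fields follow
slides 33-34; the sample entries are constructed.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

RECORDING_DEADLINE_DAYS = 60         # slide 34: keyed in within 60 days
ACCOUNTING_YEARS = 6                 # slide 33: six years prior to request
COPY_FEE_PER_PAGE = Decimal("0.50")  # slide 33: cost of copying and mailing


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str               # entity or person who received the PHI
    phi_description: str         # brief description of PHI disclosed
    purpose: str                 # brief statement of purpose
    recorded_on: date            # when the entry was keyed in
    recipient_address: str = ""  # "address if known"


def years_before(d, years):
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    def __init__(self):
        self._entries = []  # append-only: entries are never edited or deleted

    def record(self, entry):
        """Store the entry and return True if it was keyed in on time.
        A late entry is still kept; a missing record would be worse."""
        for name in ("recipient", "phi_description", "purpose"):
            if not getattr(entry, name).strip():
                raise ValueError(f"{name} is required on every disclosure entry")
        if entry.recorded_on < entry.disclosed_on:
            raise ValueError("recorded_on cannot precede disclosed_on")
        self._entries.append(entry)
        return (entry.recorded_on - entry.disclosed_on).days <= RECORDING_DEADLINE_DAYS

    def accounting(self, requested_on):
        """Entries owed to a client on request: the six years before the request."""
        start = years_before(requested_on, ACCOUNTING_YEARS)
        return sorted(
            (e for e in self._entries if start <= e.disclosed_on <= requested_on),
            key=lambda e: e.disclosed_on,
        )


def copy_fee(pages):
    """Fee for a printed accounting, at the per-page rate on slide 33."""
    return COPY_FEE_PER_PAGE * pages


if __name__ == "__main__":
    log = DisclosureLog()
    # constructed sample entries
    log.record(Disclosure(date(2003, 5, 1), "Police officer (properly identified)",
                          "name and address", "law enforcement request", date(2003, 5, 10)))
    for e in log.accounting(date(2004, 1, 1)):
        print(e.disclosed_on, e.recipient, e.purpose)
```

Keeping the log append-only and validating the required fields at write time is what makes the six-year accounting trustworthy later: an entry that was never keyed in, or keyed in without a purpose, cannot be reconstructed when a client asks.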

35

YES, where identity of requester is not known
(like an unrecognized voice on the phone)
36
(No Transcript)
37
(No Transcript)
38
Verification Prior to Disclosure
  • Exercise of Professional Judgment
  • The verification requirements are met if DAS
    relies on the exercise of professional judgment
    or acts on a good faith belief in making a
    disclosure

39
Administrative Requirements
  • Privacy Officer
  • Training
  • Safeguards
  • Complaints to DAS
  • Refraining from Intimidating or Retaliatory Acts
  • Sanctions
  • Policies and Procedures

40
Administrative Requirements
  • Privacy Officer
  • DAS will create, document and maintain a position
    of privacy official that is responsible for the
    development, implementation and maintenance of
    the policies and procedures of DAS
  • Responsible for receiving complaints regarding
    privacy of Protected Health Information (PHI)

41
Administrative Requirements
  • Training
  • DAS will train all members of its workforce on
    the policies and procedures with respect to
    Protected Health Information (PHI) as necessary
    and appropriate for the members of the workforce
    to carry out their functions within DAS

42
Administrative Requirements
  • Safeguards
  • DAS will have in place appropriate
    administrative, technical, and physical
    safeguards to protect the privacy of Protected
    Health Information (PHI).

43
Administrative Requirements
  • Safeguards
  • Administrative
  • Scalable confidentiality and security procedures,
    designated security officer, sanctions for
    violations, signed statement by all employees
    regarding confidentiality of data

44
Administrative Requirements
  • Safeguards
  • Technical
  • Unique ID and Password, system stores password
    encrypted, weak passwords not allowed, automatic
    time logoff, system enforced password changes,
    firewall, virus checking
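The technical safeguards on this slide are the ones most directly expressible as code. The block below is an added example, not DAS code: it assigns each person a unique user ID, refuses weak passwords, stores the password as a salted slow hash (the slide says "encrypted"; a one-way hash is how that requirement is met in practice, and that substitution is this example's choice), enforces a password change after a maximum age, and logs an idle session off automatically. The length, age and idle thresholds, the common-password list and the sample user are assumptions.

```python
"""Technical safeguards from slide 44 as code. Added example, not DAS code.
Thresholds, the common-password list and the sample user are assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 8                                 # assumption
PBKDF2_ROUNDS = 200_000                        # slow hash work factor
PASSWORD_MAX_AGE = timedelta(days=90)          # system-enforced change (assumed)
IDLE_LOGOFF = timedelta(minutes=15)            # automatic time logoff (assumed)
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}  # constructed


def weakness_reasons(password, user_id):
    """Return the reasons a password is weak; an empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    if user_id.lower() in password.lower():
        reasons.append("contains the user ID")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("is a commonly used password")
    return reasons


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str                      # unique per person; no shared logins
    salt: bytes = b""
    digest: bytes = b""
    password_set_at: Optional[datetime] = None
    last_activity: Optional[datetime] = None


def set_password(account, password, now):
    """Reject weak passwords; otherwise store a fresh salt and hash."""
    reasons = weakness_reasons(password, account.user_id)
    if reasons:
        raise ValueError("weak password: " + "; ".join(reasons))
    account.salt = os.urandom(16)
    account.digest = hash_password(password, account.salt)
    account.password_set_at = now


def login(account, password, now):
    """True only if the password verifies AND has not passed its maximum age."""
    if account.password_set_at is None:
        return False
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.digest):   # constant-time compare
        return False
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return False   # must change the password before the account is usable
    account.last_activity = now
    return True


def session_active(account, now):
    """Automatic time logoff: a session idle longer than IDLE_LOGOFF is over."""
    return (account.last_activity is not None
            and now - account.last_activity <= IDLE_LOGOFF)


if __name__ == "__main__":
    acct = Account("jsample")                       # constructed sample user
    t0 = datetime(2003, 4, 14, 9, 0)
    set_password(acct, "Correct-Horse-7", t0)
    print(login(acct, "Correct-Horse-7", t0 + timedelta(minutes=1)))   # True
    print(session_active(acct, t0 + timedelta(minutes=30)))            # False
```

Two details carry the weight here: `hmac.compare_digest` keeps the verification time independent of how many bytes match, and the expiry check runs only after a successful verification so that a rejected login reveals nothing about whether the account exists or its password is stale.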

45
Administrative Requirements
  • Safeguards
  • Physical
  • Secure computer room, secure access to displays
    and printers, secure destruction of printouts,
    other outputs and obsolete equipment, disaster
    recovery plan in place and tested

46
Administrative Requirements
  • Complaints to DAS
  • DAS will document all complaints received, and
    their disposition, if any, in written or
    electronic form. These documents must be
    retained for a period no less than six years

47
Administrative Requirements
  • Refraining from Intimidating or Retaliatory Acts
  • DAS will not intimidate, threaten, coerce,
    discriminate against, or take other retaliatory
    action against anyone making a Privacy complaint

48
Administrative Requirements
  • Sanctions
  • Consistent application of sanctions for failure
    to comply with privacy policies for all
    individuals in the organization's workforce (can
    result in dismissal, other disciplinary actions,
    criminal prosecution and/or civil suit)

49
Administrative Requirements
  • Policies and Procedures
  • DAS will implement Policies and Procedures with
    respect to Protected Health Information (PHI)
    that are designed to comply with the standards,
    implementation specifications or other
    requirements of the Health Insurance Portability
    and Accountability Act of 1996

50
Business Associate Agreements
  • Definitions
  • Vendor Contracts
  • Agreements

51
Business Associate Agreements
  • What is a Business Associate?
  • An organization or person who performs activities
    on behalf of or in coordination with DAS that
    involves the use or disclosure of individually
    identifiable health information

52
Business Associate Agreements
  • Contracts/Agreements
  • DAS will ensure continued privacy protections of
    health information by entering into a Business
    Associate Contract
  • Business Associate agrees that it shall be
    prohibited from using or disclosing the
    information provided or made available by DAS for
    any purpose other than as expressly permitted or
    required by the Contract

53
Business Associate Agreements
  • Business Associate Contract Covers
  • Use and Disclosure
  • Safeguards
  • Subcontractors
  • Right to Access/Amend
  • Accounting of Disclosures
  • Return of Information or Destruction
  • Mitigation
  • Sanctions
  • Property Rights
  • Termination

54
Business Associate Agreements
  • Contracts/Agreements
  • Business Associate Contract wording will be
    included in every vendor contract's terms and
    conditions for the State of Connecticut through
    the DAS Procurement Unit
  • An MOU will be executed between DAS and our
    partnering state agencies

55
Penalties
  • Fines up to $25,000 for multiple violations of
    the same standard in a calendar year
  • Fines up to $250,000 and/or imprisonment up to 10
    years for knowing misuse of individually
    identifiable health information
  • Hot Water

56
Real Life
  • New York Times
  • Answer: Sorry, can't by law
  • Police Officer (properly identified)
  • Answer: Yes, minimum necessary
  • Billing and Collection
  • Answer: Yes (TPO)

57
Real Life - Confidentiality - No Gossiping
  • Neighbor's name noticed on a case
  • Don't go home and tell your family
  • Celebrity's name noticed on a case
  • Don't gossip to friends/coworkers

58
What This Means
  • DAS will limit the disclosure of Protected Health
    Information (PHI) to the minimum amount necessary
    to accomplish the intended purpose of the
    authorized use, disclosure, or request
  • DAS will verify the identity of a person
    requesting Protected Health Information (PHI) and
    the authority of any such person to have access
    to the Protected Health Information (PHI)

59
What This Really Means
  • Use or disclose health information that
    identifies the individual for billing and
    collection (Payment) purposes only
  • When you do that, disclose the minimum necessary
    and know who you disclose to

60
It is all about information. There is an explosion
of Health Information out there; there is an
information explosion. Just to give you a
perspective on information today: the Internet is
doubling in content every 100 days. The Sunday
edition of the New York Times alone now contains
more information than all the written information
available in the 15th Century. There are more than
300,000 books published every year. When Columbus
discovered America, the largest library in the
world was the Queens College Library in Cambridge.
It contained only 199 books. Most of us have more
than that in our homes today.
61
Next Steps
  • Be more aware of client privacy and
    confidentiality
  • Exercise professional judgment/make reasonable
    efforts

62
The End