HIPAA Privacy: HOW IT AFFECTS YOU - PowerPoint PPT Presentation

Provided by: bento3

Transcript and Presenter's Notes

1
HIPAA Privacy: HOW IT AFFECTS YOU!!!
2
Goals of Training
  • To increase your knowledge and understanding of
    what protected health information (PHI) is in
    this facility, and what threats may exist to its
    privacy and its security
  • To enhance your awareness of your role in helping
    this facility follow HIPAA rules
  • To provide information about to whom you can go
    with questions about privacy, and about security
  • To inform you about your reporting
    responsibilities when HIPAA violations occur
  • To alert you to the possible penalties for
    violation of HIPAA law for both you and this
    facility
  • To protect the confidentiality of our consumers'
    Protected Health Information (PHI) in support of
    one of our values -- dignity, self-worth and
    individual rights.  It's the right thing to do!
  • To understand that this same law also protects
    you as a consumer of health care.

3
IMPLEMENTATION DATE
  • Privacy Regulations: April 2003
  • Security Regulations: To Be Announced
4
What is HIPAA?
  • Health Insurance Portability and Accountability
    Act of 1996, a federal law
  • Portability
  • Administrative Simplification
  • Data Standardization
  • Security
  • Privacy

5
What is HIPAA?
  • Portability: protects and guarantees health
    insurance coverage when an employee changes jobs
  • Accountability: protects health data integrity,
    confidentiality and availability
  • Reduces Fraud and Abuse
  • Makes fraud prosecution easier (Medicare/Medicaid)
  • Reduces Paperwork

6
What is HIPAA?
  • Data Standardization
      • Establishes national standards for electronic
        data transmission (Portability)
      • Transactions (Enrollment, Eligibility, Claims,
        Payment and others), code sets and identifiers
  • Establishes Standards for Protection of Health
    Information
      • Privacy (Operational, Consumer Control,
        Administration)
      • Security (Administrative, Physical, Technical,
        Network)

7
WHY COMPLY WITH HIPAA?
  • Avoid denied and/or delayed reimbursements
  • DHHS agencies process claims bringing in more
    than $550 million in receipts annually.
  • Annual Medicaid disbursements total more than
    $4.6 billion.
  • May risk accreditation (e.g., Joint Commission on
    Accreditation of Healthcare Organizations)
  • Public relations and business risk issues
  • Benefit from long-term healthcare cost reductions
  • HIPAA imposes severe penalties for non-compliance

8
DEFINITION: PRIVACY
  • Privacy is the right of an individual to keep
    his/her individual health information from being
    disclosed.

9
HIPAA KEY TERMS as they relate to privacy of Protected Health Information (PHI)
  • Privacy
  • Use
  • Disclose
  • Authorization
  • PHI
  • Minimum Necessary

10
HIPAA KEY TERMS Defined
  • Use - means, with respect to individually
    identifiable health information, the sharing,
    employment, application, utilization,
    examination, or analysis of such information
    within an entity that maintains such information.
    (Also see Part II, 45 CFR 164.50)
  • Disclose - Release or divulgence of information
    by an entity to persons or organizations outside
    of that entity. (Also see Part II, 45 CFR
    164.501)
  • Authorization - The mechanism for obtaining
    consent from a patient for the use and disclosure
    of health information for a purpose that is not
    treatment, payment or health care operations.
    For example, Protected Health Information (PHI)
    released for a Special Olympics activity.
  • PHI (Protected Health Information) - All
    Individually Identifiable Health Information and
    other information on treatment and care that is
    transmitted or maintained in any form or medium
    (electronic, paper, oral, etc.)
  • Minimum Necessary - When using any PHI, a covered
    entity must generally make reasonable efforts to
    limit itself to "the minimum necessary to
    accomplish the intended purpose of the use,
    disclosure, or request."

11
Privacy: Why the Concern?
12
HIPAA Enforcement
  • CIVIL PENALTIES for failure to comply
  • $100 fine per person per violation
  • $25,000 fine per year for multiple violations
  • $25,000 fine cap per year per requirement
  • You can be personally liable!

13
HIPAA Enforcement
  • CRIMINAL PENALTIES for failure to comply
  • Knowingly or wrongfully disclosing or receiving
    PHI: $50,000 fine and/or one year prison time
  • Committing the offense under false pretenses:
    $100,000 fine and/or five years prison time
  • Intent to sell PHI or client lists for personal
    gain or malicious harm: $250,000 fine and/or ten
    years prison time
  • Again, you can be personally liable!

14
HIPAA Enforcement Continued
  • These penalties apply to oral, paper and
    electronic Protected Health Information (PHI).

15
HIPAA Requires DMH to...
  • Establish or appoint:
      • Policies and procedures to safeguard PHI
      • Privacy Officer
      • Security Officer (the Privacy Officer and the
        Security Officer work with each facility's
        HIPAA core team)
      • Disciplinary actions policy
  • Provide HIPAA training to the workforce, as
    necessary and appropriate, on privacy policies
    and procedures

16
What is PHI ?
  • Protected Health Information - All Individually
    Identifiable Health Information and other
    information on treatment and care that is
    transmitted or maintained in any form or medium
    (electronic, paper, oral, etc.)

17
Where do we find PHI?
  • 1. through 7. (blank list for participants to fill in)

18
Where do we find PHI?
  • Medical records and billing records
  • Insurance/Benefit Enrollment and Payment
  • Claims adjudication
  • Case or medical management records
  • (Note: it exists both on paper and
    electronically)

19
Examples of PHI
  • 1. Name
  • 2. through 9. (blank, for participants to fill in)

20
Examples of PHI
  • Names
  • All geographic subdivisions smaller than a State,
    including street address, city, county, precinct,
    zip code.
  • All elements of dates (except year) for dates
    directly related to an individual, including
    birth date, admission date, discharge date, date
    of death
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security Numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including
    license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice
    prints
  • Full face photographic images and any comparable
    images
  • Any other unique identifying number or
    characteristic


21
HIPAA Requires DMH to...
  • Identify PHI uses and disclosures
  • WHO: people who routinely use or disclose (or
    receive requests for) PHI in our
    institutions/facilities
  • WHAT: individually identifiable health information
  • HOW: written, oral, electronic communication
  • HOW MUCH: minimum necessary to accomplish purpose

22
PHI Does Not Include...
  • Education records
  • Workman's comp records
  • Health information in your personnel record
  • Psychotherapy notes (treatment/counseling by
    mental health professionals), kept separate from
    the medical record, usually in a clinician's own
    file and not made part of the individual's
    medical record

23
Psychotherapy Notes ARE NOT
  • The following are not considered psychotherapy
    notes and therefore are PHI:
  • Medication prescription and monitoring
  • Counseling session start and stop times, the
    modalities and frequencies of treatment furnished
  • Clinical test results
  • Any summary of the following items: diagnosis,
    functional status, the treatment plan, symptoms,
    prognosis, and progress to date

24
WHO IS AFFECTED?
  • Employees who handle/use/know individuals'
    Protected Health Information (PHI)
  • Health Care Providers (health departments,
    hospitals, doctors' offices, any agency that
    transmits PHI electronically)
  • Health Plans that provide or pay the cost of
    medical care (e.g., Medicaid, Medicare, Champus,
    BC/BS, HMOs)
  • Trading Partners - electronically exchange
    Protected Health Information
  • Business Associates - perform services on your
    behalf
  • HIPAA also applies to you as a consumer of
    healthcare!

25
Case Scenario Presentations
  • How would we handle the following situations?

26
Challenge for DMH
  • If you do NOT know what or where PHI is, and who
    uses or asks for it, you will be hard pressed to
    protect it.

27
How Do Individual Staff Protect PHI? (Your List)
  • 1. through 7. (blank list for participants to fill in)

28
How Individual Staff Protect PHI
  • Close doors or draw privacy curtains/screens
  • Conduct discussions so that others cannot
    overhear them
  • Don't leave medical records where others can see
    or access them
  • Keep medical test results private
  • PHI should NOT be shared or viewable in public
    areas
  • Don't leave copies of PHI at copy machines,
    printers, or fax machines
  • Don't leave PHI exposed in mail boxes or
    conference rooms
  • Don't share computer passwords or leave them
    visible
  • Don't leave computer files open when leaving an
    unlocked or shared work area
  • Secure PHI when no one is in the area; lock file
    cabinets and office doors
  • Safeguard PHI when records are in your possession
  • Return medical records to the appropriate location
  • Dispose of paper containing PHI properly
  • Fax only in accordance with Center policy

29
How Individual Staff Protect PHI
Don't...
  • Email individuals' identifiable information
    (1st name, last initial OK)
  • Leave PHI in any public wall file trays unless
    enclosed in an interoffice envelope
  • Discuss an individual in front of other
    individuals or visitors
  • Leave diskette boxes containing PHI in unlocked
    areas
  • Leave PHI for shredding in an unlocked or
    undesignated area
  • Place individuals' full names on desk blotters
  • Leave Rolodex files containing PHI accessible
  • Leave individual/employee PHI lists publicly
    posted
  • Leave records opened and unattended
  • Bring personal computers for use at a Health
    Center
  • Leave Center keys unattended
  • WHETHER A HEALTH or FINANCIAL INTERVIEW, OBSERVE
    THESE GUIDELINES!!!

30
Need to Know Principles
  • Necessary for your job
  • How much do you need to know?
  • How much do other people need to know?

31
How Does Need to Know Translate into HIPAA?
  • HIPAA's Minimum Necessary rules
  • Must provide only PHI in the minimum necessary
    amount to accomplish the purpose for which use or
    disclosure is sought
  • Minimum necessary does not apply when the patient
    provides a valid, signed authorization for
    release of PHI
  • De-identified information: PHI with all HIPAA
    identifiers removed
  • Exceptions:
      • Disclosure to a health care provider for
        treatment
      • Permissible uses or disclosures made by the
        patient
      • Uses or disclosures made based on the patient's
        signed authorization
      • Uses or disclosures required for HIPAA
        compliance
      • Use for legal proceedings, law enforcement, etc.

32
HIPAA Requires
  • Notice of Privacy Practices
  • Purpose: to provide the consumer with adequate
    notice of uses or disclosures of PHI
  • Must be written in plain language
  • Must be provided at the time of first service or
    assessment for eligibility
  • Must provide Privacy Officer contact information

33
HIPAA Consumer Protections
  • Amendment
  • Consumers may request to amend PHI in medical
    records
  • That request may be referred to the facility
    Privacy Official
  • DMH facility may either grant OR deny the request

34
HIPAA Consumer Protections
  • Restrictions
  • Consumers may request that the facility restrict
    how it uses/discloses their PHI
  • Facility is NOT required to accept the request
  • If restriction is accepted, then follow it
  • Don't deviate or depart from that restriction!

35
HIPAA Consumer Protections
  • Access
  • Consumers can access PHI: inspect and copy
  • Request for access MUST be in writing
  • Facility must respond to the request within 60
    days
  • May recover a cost-based fee for a copy,
    explanation, or summary of records
  • If access is denied, the reason for that denial
    will determine whether the consumer can appeal
  • Consumer must appeal to the facility Privacy
    Official

36
HIPAA Consumer Protections
  • Accounting of Disclosures
  • Consumers have a right to an accounting of
    disclosures
  • Time frame: 6-year period; clock starts
    April 14, 2003
  • Applies to both written and oral disclosures
  • Specific to times, places, beneficiaries and
    content of disclosures

37
HIPAA Consumer Protections
  • Verification
  • Facility must verify that the person or agency
    requesting the PHI is who they say they are
  • Facility must document the verification
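The accounting and verification rules on the last two slides are easy to state and easy to get wrong in a records system, so here is an added example (not DMH's system; the ledger, consumer ids, recipients and dates are constructed) of a disclosure ledger that refuses an entry unless the requester's identity check is documented, logs oral as well as written disclosures, and produces the accounting a consumer can ask for: the 6 years before the request, but nothing earlier than April 14, 2003.

```python
"""Disclosure ledger with the consumer's accounting-of-disclosures query.

Added example, not DMH's system. Rules applied, from the slides:
  - the accounting covers the 6 years before the request date,
  - and never reaches back before April 14, 2003, when the clock started,
  - oral disclosures count the same as written ones,
  - an entry must document who verified the requester's identity.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Union

COMPLIANCE_DATE = date(2003, 4, 14)   # the clock starts here
ACCOUNTING_YEARS = 6
ALLOWED_MEDIA = ("written", "oral", "electronic")


@dataclass(frozen=True)
class Disclosure:
    consumer_id: str
    when: date
    recipient: str     # to whom the PHI went
    place: str         # where the disclosure took place
    content: str       # what PHI was disclosed
    medium: str        # written / oral / electronic
    purpose: str
    verified_by: str   # staff member who verified the requester's identity


def _years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; a Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLedger:
    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        """Append a disclosure; reject entries with no documented verification."""
        if d.medium not in ALLOWED_MEDIA:
            raise ValueError(f"unknown medium {d.medium!r}")
        if not d.verified_by.strip():
            raise ValueError("identity verification of the requester must be documented")
        self._entries.append(d)

    def accounting(self, consumer_id: str, as_of: Union[date, str]) -> List[Disclosure]:
        """Disclosures of this consumer's PHI in the window ending at as_of, oldest first."""
        if isinstance(as_of, str):
            as_of = date.fromisoformat(as_of)
        start = max(COMPLIANCE_DATE, _years_before(as_of, ACCOUNTING_YEARS))
        hits = [e for e in self._entries
                if e.consumer_id == consumer_id and start <= e.when <= as_of]
        return sorted(hits, key=lambda e: e.when)


def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample entries; no real consumers, recipients or dates of care."""
    ledger = DisclosureLedger()
    ledger.record(Disclosure("C-1", date(2003, 3, 1), "County court", "Records office",
                             "discharge summary", "written", "judicial proceeding", "R. Clerk"))
    ledger.record(Disclosure("C-1", date(2004, 6, 15), "Case manager, agency X", "Telephone",
                             "current medication list", "oral", "treatment", "R. Clerk"))
    ledger.record(Disclosure("C-1", date(2010, 1, 10), "Special Olympics", "Mail",
                             "name, dates of participation", "written",
                             "authorized release", "T. Nurse"))
    ledger.record(Disclosure("C-2", date(2008, 9, 3), "Auditor", "Conference room",
                             "billing record", "written", "financial audit", "R. Clerk"))
    return ledger


if __name__ == "__main__":
    led = build_sample_ledger()
    for e in led.accounting("C-1", "2010-02-01"):
        print(e.when, e.medium, e.recipient, e.content)
```

The March 2003 entry is kept in the ledger but never appears in an accounting, because it predates the compliance date; the 2004 oral disclosure does appear, since the slide makes no distinction between media.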

38
HIPAA Consumer Protections
  • Complaint Procedure (a HIPAA requirement)
  • Allows a consumer to file a complaint if they
    believe we have improperly used or disclosed
    their PHI

39
HIPAA PHI Protections
  • Staff Access to PHI
  • Purpose: to guide staff in keeping PHI
    confidential
  • Inappropriate access/use/disclosure of consumer
    PHI results in disciplinary action and possibly
    other penalties

40
HIPAA Disclosure Protections
  • Authorization
  • Required to disclose PHI to a person or agency
    outside the facility
  • Must be specific: what PHI is to be shared, with
    whom, and for what purpose
  • May be revoked

41
When No Authorization Is Needed
  • Key examples
  • Child abuse/neglect reports
  • Judicial/administrative proceeding
  • Law enforcement
  • To avert serious threat to health or safety
  • Audits (management and financial)
  • When required by US DHHS
  • Program monitoring and evaluation
  • Certification of facilities and individuals

42
PRIVACY REGULATIONS RELATING TO RESEARCH, MARKETING, FUND RAISING
WHAT ELSE DOES HIPAA REQUIRE?
  • For Research, Marketing and Fund Raising
    purposes, all PHI must be De-identified
    Information. (De-identified information is PHI
    with all HIPAA identifiers removed.)
  • HIPAA still allows research to be conducted
  • Proper authorizations must be in place
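De-identification, as defined on this slide and on the Minimum Necessary slide, means removing every identifier category listed on the "Examples of PHI" slide. The following is an added example, not code from the slide deck or from DMH, of a safe-harbor style redactor for free-text records: the categories a pattern can recognise (dates except the year, phone and fax numbers, e-mail addresses, SSNs, medical record numbers, street addresses, ZIP codes, URLs, IP addresses) are stripped by regular expression, and names and geographic terms, which no pattern can recognise, are supplied by the caller. The sample record, the regexes, the MRN label convention and the bracketed placeholders are all constructed here.

```python
"""Safe-harbor style de-identification of free-text PHI.

Added example, not part of the slide deck. Everything here (patterns,
labels, the sample record) is constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Pattern-recognisable identifier categories. Order matters: e-mail, phone
# and IP run before ZIP so their digit groups are not taken for postal codes.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL", re.compile(r"\b(?:https?://|www\.)\S+", re.I)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("MRN", re.compile(r"(?<=\bMRN )\d{3,}\b")),          # assumes an "MRN " label precedes the number
    ("ADDRESS", re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:St|Street|Ave|Avenue|Rd|Road|Dr|Drive|Blvd|Ln|Lane)\b\.?")),
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]
# Dates: the slide keeps the year, so only month and day are removed.
DATE_NUMERIC = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")
DATE_TEXT = re.compile(
    r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?\s+\d{1,2},?\s+(\d{4})\b",
    re.I)


def deidentify(text: str, names: Iterable[str] = (),
               places: Iterable[str] = ()) -> Tuple[str, Dict[str, int]]:
    """Return (redacted text, number of replacements per identifier category)."""
    counts: Dict[str, int] = {}

    def apply(label: str, pattern: "re.Pattern[str]", repl: str) -> None:
        nonlocal text
        text, n = pattern.subn(repl, text)
        if n:
            counts[label] = counts.get(label, 0) + n

    # Caller-supplied literal terms first, whole words only, case-insensitive.
    for name in names:
        apply("NAME", re.compile(r"\b" + re.escape(name) + r"\b", re.I), "[NAME]")
    for place in places:
        apply("PLACE", re.compile(r"\b" + re.escape(place) + r"\b", re.I), "[PLACE]")
    apply("DATE", DATE_NUMERIC, r"[DATE \1]")
    apply("DATE", DATE_TEXT, r"[DATE \1]")
    for label, pattern in PATTERNS:
        apply(label, pattern, f"[{label}]")
    return text, counts


def residual_identifiers(text: str) -> List[str]:
    """Categories that still match after redaction; an empty list means the text passed."""
    found = [label for label, pattern in PATTERNS if pattern.search(text)]
    if DATE_NUMERIC.search(text) or DATE_TEXT.search(text):
        found.append("DATE")
    return found


# Constructed sample record; every value is made up.
SAMPLE = ("Jane Doe, DOB 03/14/1961, MRN 448213, lives at 12 Elm St, Raleigh 27601. "
          "Call 919-555-0100 or jane.doe@example.org. Admitted March 2, 2003; IP 10.0.0.7.")

if __name__ == "__main__":
    redacted, counts = deidentify(SAMPLE, names=["Jane Doe"], places=["Raleigh"])
    print(redacted)
    print(counts, residual_identifiers(redacted))
```

Run `residual_identifiers` on the output as the check before anything is handed to research, marketing or fund-raising staff: a non-empty list means an identifier survived and the text is still PHI. Names and places outside the supplied lists will pass this check undetected, which is why the literal-term lists have to come from the record system rather than from the text itself.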

43
What Else Does HIPAA Require?
  • Preemption of state law
  • Privacy Rule overrides any other state law unless
    that state law provides more protection for the
    consumer

44
WAIVER OF RIGHTS
  • Waiver: covered entities may not require
    individuals to waive their rights as a condition
    of:
  • Treatment
  • Payment
  • Enrollment
  • Eligibility

45
REFRAIN FROM INTIMIDATING OR RETALIATORY ACTS
  • Protection for individuals exercising their
    rights or whistleblowers
  • Covered entities may not:
  • Intimidate
  • Threaten
  • Coerce
  • Discriminate against
  • Take any other retaliatory action

46
QUESTIONS?
Privacy
  • If you are ever in doubt, always ask your Privacy
    Officer or their designee!
  • Remember, that person is your first line of
    response to privacy questions.

47
Key Things to Remember about Privacy
  • We must safeguard consumer records
  • Share only information necessary to do the work
  • Consumers have the right to ask about use and
    disclosure of PHI
  • DMH has Policies on HIPAA and you need to know
    them and follow them

48
PRIVACY vs. SECURITY
  • Privacy is the right of an individual to keep
    his/her individual health information from being
    disclosed.
  • Security is how we protect PHI from accidental or
    intentional disclosure, alteration, destruction
    or loss.

49
SAFEGUARDS
  • NCSCC must have appropriate safeguards in place:
    administrative, technical and physical
  • Exceptions for preemption of state laws as agreed
    to by the US DHHS Secretary:
      • More stringent
      • Public health investigation/intervention
      • Audits (management, financial)
      • Program monitoring and evaluation
      • Certification of facilities and individuals

50
Required Training Topics
  • Security Issues that Impact Privacy
  • General Security Awareness
  • System Access
  • Password Management

51
Purpose of Security
  • To protect the system and information from
    unauthorized access
  • To protect the system and information from
    unauthorized use

52
General Security Awareness
  • Security (protecting the system and the
    information it contains) includes:
  • Protecting against unauthorized access from
    outside and misuse from within
  • Hardware and software (physical computer systems)
  • Personnel policies
  • Information practice policies
  • Developing disaster/intrusion response and
    recovery plans
  • Designating security responsibilities
  • Developing protocols regarding activities and
    security at the personnel and workstation level
  • Safeguards from fire, natural and environmental
    hazards, and intrusions

53
General Security Awareness
  • Two Types of Security in HIPAA
  • Building/Physical Security
  • Computer/Electronic Security

54
General Security Awareness
  • Building/Physical Security
  • Building/Work Area Access
  • Locks and Keys
  • Badges/ID
  • Security Officer
  • Printers/Copy/Fax Machines

55
General Security Awareness
  • Building/Work Area Access
  • Sign into building
  • Show ID/Visitor's Badge
  • Patient/Client Area Entry

56
General Security Awareness
  • Computer/Electronic Security
  • Computers
  • Location of PCs
  • Passwords/Log On
  • E-mail
  • Faxes

57
Things to Know about System Access
  • Don't share the session
  • Report Discrepancies
  • Be aware that disciplinary action may result
  • Termination of Access

58
PC and System Protection
  • Be aware of potential harm
  • Follow the e-mail policy
  • Don't download non-DMH-approved programs
  • Report unknown or suspicious e-mail, attachments

59
Password Management
  • What is Password Security?
  • Don't tell anyone your password
  • Don't write your password down anywhere
  • Change your password if others know it
  • Enter your password in private

60
Password Management
  • Guidelines for good passwords
  • Don't:
  • Choose a password with more than 8 characters
  • Choose a password that can be found in a
    dictionary
  • Choose a password that uses public information
    such as SSN, credit card or ATM numbers,
    birthday, date, etc.
  • Reuse old passwords or any variation
  • Use your user ID or any variation

61
Password Management
  • Guidelines for good passwords
  • Do:
  • Have no clear link to you personally
  • Use 6 to 8 characters
  • Use a minimum of 2 alphabetic and 1 numeric
    character
  • Use upper and lower case characters
  • Change to a completely new password
  • Memorize your password
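The Do and Don't lists on these two slides are exactly the kind of rules a password-change screen should enforce rather than leave to the user. The checker below is an added example, not DMH's tool; its word list, user ids and personal data are constructed. It implements the slides' rules: length, not a dictionary word, not the user id or an old password or a variation of either (compared on the letters only, so "Winter03" and "Winter04" count as the same), no personal numbers such as an SSN or birthday, at least 2 letters and 1 digit, and mixed case. The slides' 6-to-8 character range is the default, kept as parameters: NIST SP 800-63B now asks for a minimum of 8 characters and no low ceiling, so a practitioner would raise both bounds.

```python
"""Password-rule checker for the Do/Don't lists on the Password Management slides.

Added example, not DMH's tool. DICTIONARY stands in for a real word list.
"""
import re
from typing import Iterable, List

# Constructed stand-in for a dictionary; a real check would use a full word list.
DICTIONARY = {"password", "welcome", "winter", "summer", "letmein", "qwerty"}


def _stem(s: str) -> str:
    """Lower-case letters only, so 'Winter03' and 'winter!04' compare equal."""
    return re.sub(r"[^a-z]", "", s.lower())


def check_password(pw: str, user_id: str, old_passwords: Iterable[str] = (),
                   personal_info: Iterable[str] = (), min_length: int = 6,
                   max_length: int = 8) -> List[str]:
    """Return the rule codes the candidate violates; an empty list means it passes."""
    problems: List[str] = []
    stem = _stem(pw)

    if not (min_length <= len(pw) <= max_length):
        problems.append("length")
    if stem in DICTIONARY:
        problems.append("dictionary")
    uid = _stem(user_id)
    if uid and uid in stem:
        problems.append("user_id")
    # Reuse covers the identical password and any variation that only changes
    # digits, punctuation or case.
    if any(pw == old or (_stem(old) and _stem(old) == stem) for old in old_passwords):
        problems.append("reuse")
    # Personal numbers: the literal string, or any 4+ digit run of the password
    # found inside the digits of an SSN, card number or birthday.
    digit_runs = re.findall(r"\d{4,}", pw)
    for info in personal_info:
        info_digits = re.sub(r"\D", "", info)
        if info and (info in pw or any(run in info_digits for run in digit_runs)):
            problems.append("personal_info")
            break
    if sum(c.isalpha() for c in pw) < 2:
        problems.append("too_few_letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no_digit")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("mixed_case")
    return problems


if __name__ == "__main__":
    # Constructed user and history, for demonstration only.
    for candidate in ("Tr4vel9", "password", "Jsmith1", "Winter04", "Mar1961x"):
        print(candidate, check_password(candidate, "jsmith", ["Winter03"], ["1961-03-14"]))
```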

62
Application Role in Security
  • Role will dictate access
  • Only access to what you need in order to do the
    job

63
Key Things to Remember about Security
  • Security impacts privacy
  • Both building and computer security are important
  • Fundamentals of good password management

64
TOP 10 PRIVACY SECURITY PRACTICES
  1. When in doubt, don't give information out.
  2. Log off before you walk off from your computer.
  3. Double check fax numbers before sending.
  4. Do not send e-mails or use the internet unless
     the connection is secure and approved.
  5. Verify the identity of the caller before
     releasing confidential information.
  6. Never share your password with anyone.
  7. Maintain the security of all patient information
     in all its media, like paper, electronic and
     oral.
  8. Discuss patient information in private
     locations.
  9. Access information on a need-to-know basis, only
     to do your job.
  10. Dispose of confidential information according
      to proper procedures (i.e., locked shred bins).
65
SUMMARY -1
  • HIPAA - A Health Care Paradigm
  • Affects clearinghouses, patients, payers,
    providers, employers, medical manufacturers,
    pharmaceutical companies, employees
  • Requires changes to business processes and
    applications, staffing plans, facilities and
    information systems applications
  • Provides patients with rights
  • Shifts power in provider/consumer relationships
  • Introduces new legal liabilities
  • Conveys severe civil and criminal penalties

66
SUMMARY -2
  • HIPAA is not going away
  • Healthcare industry wants standardization
  • Consumers want health information to be
    protected
  • HIPAA is not an option
  • HIPAA is doing business in the New
    Millennium
  • Implementation cost is short term
  • Operational benefit is long term

67
Where To Go For More Information
  • US Department of Health and Human Services -
    www.aspe.os.shhs.gov
  • Centers for Medicare and Medicaid Services -
    www.cms/gov
  • Workgroup for Electronic Data Interchange (WEDI) -
    www.wedi.org
  • Washington Publishing Company - www.wpc-edi.com
  • North Carolina Division of Medical Assistance -
    www.dhhs.state.nc.us/dms/
  • NC DHHS HIPAA Web Site - http//dirm.state.nc.us/hipaa/
68
Any Questions?
69
IMPLEMENTATION DATE
  • April 2003