Health Insurance Portability and Accountability Act HIPAA Patient Privacy - PowerPoint PPT Presentation
1
Health Insurance Portability and Accountability
Act (HIPAA): Patient Privacy & Security
Allison Martin & Kimberly Segal, Barbara Ann
Karmanos Cancer Center, June 2012
2
HIPAA Module Objectives
  • After completing this training module, you should
    be able to:
    • Understand key HIPAA terms.
    • Apply general HIPAA rules that apply to your
      everyday work at Karmanos.
    • Know where to turn for help if you have questions
      or concerns to report regarding patient privacy.

3
Karmanos' Commitment to Protecting our Patients'
Privacy Under HIPAA
  • HIPAA stands for the Health Insurance Portability
    and Accountability Act.
  • HIPAA is a federal law that sets standards
    regarding protection of confidential patient
    data.
  • Who is responsible to comply with HIPAA?
    • Covered Entities: a health care provider, health
      plan, or clearinghouse that submits bills
      electronically.
    • All Covered Entities along with their Business
      Associates (who use or access patient
      information on the Covered Entity's behalf).
  • Karmanos is committed to protecting the
    confidential and private information of our
    patients.
  • Remember that employees, friends and family
    members who are treated at Karmanos are our
    patients too! If you have had testing or
    treatment at Karmanos, you were a patient! These
    records may only be accessed as a part of your
    routine job duties.
  • Protecting the privacy of our patients is
    EVERYONE'S job.

4
Protected Health Information (PHI) Includes the
Following Identifiers
  • Name
  • Street Address, City, County, Zip Code
  • Dates:
    • Birth
    • Admission
    • Discharge
    • Death
  • Numbers:
    • Social Security
    • Medical Record
    • Account (FIN)
    • Health Plan Beneficiary
    • License
    • Vehicle Identification
    • Telephone or Fax

5
Protected Health Information
  • Protected Health Information (PHI) includes
    information:
    • On paper
    • In a computer
    • Orally communicated
    • In any other form
  • Electronic Protected Health Information
    (EPHI) includes information:
    • On your computer hard drive
    • On floppy disks, CDs or magnetic tapes
    • Sent via the Internet
    • Sent by e-mail
    • Stored or sent by other means

6
PHI Use Under HIPAA
  • Treatment, Payment & Operations (TPO):
    • Treatment: various activities related to
      patient care.
    • Payment: various activities related to paying
      for or getting paid for health care services.
    • Operations: generally refers to the day-to-day
      activities of a covered entity, such as
      planning, management, training,
      quality improvement and education.
  • Note: Research is not considered TPO. Written
    patient authorization is required to access PHI
    for research.

7
Notice of Privacy Practices (NPP)
  • As a Covered Entity under HIPAA, Karmanos has
    developed a Notice of Privacy Practices (NPP)
    for distribution to our patients.
  • The NPP states Karmanos' practices for use of
    personal health information.
  • The NPP allows patients to be informed of their
    privacy rights with respect to their personal
    health information.
  • The NPP provides a detailed description of the
    uses and disclosures of PHI that are permissible
    without obtaining a patient's authorization.
  • The NPP is intended to focus individuals on
    privacy issues and concerns, and to prompt them
    to have discussions with their health care
    providers.

8
Business Associate Agreement (BAA)
  • Business Associates are usually vendors who
    perform some function or service for Karmanos
    that requires them to have access to our
    patients' information.
  • A Business Associate Agreement (BAA) is a signed
    agreement promising to keep PHI confidential in
    accordance with HIPAA.
  • Karmanos, a Covered Entity under HIPAA, is
    required to sign Business Associate Agreements
    with certain organizations and individuals with
    whom it shares Protected Health Information
    (PHI).
  • If you are working with a vendor and are not sure
    if you need a BAA, you may contact Materials
    Management or the Compliance Department at
    hipaahelp@karmanos.org.

9
Authorization (Release of Information)
  • Authorization to Release Information is signed
    permission allowing Karmanos to use or disclose a
    patient's PHI for reasons generally not related
    to Treatment, Payment or Healthcare Operations
    (TPO).
  • The Authorization must include a detailed
    description of the PHI to be disclosed, who will
    make the disclosure, to whom the disclosure will
    be made, the expiration date, and the purpose of
    the disclosure.
  • See Policy HIM020, Release of Information.
  • Contact Health Information Management (HIM) to
    determine the appropriate authorization form
    needed for your purpose.

10
Highly Confidential Information
  • Michigan law provides even more protection than
    HIPAA in some cases. This applies to highly
    confidential areas, which include:
    • Mental Health and Substance Abuse
    • HIV/AIDS Testing or Treatment
    • Psychotherapy Notes (which are not part of the
      medical record)
  • If you have questions about handling highly
    confidential information:
    • Ask your supervisor
    • Contact Health Information Management (HIM)
    • Email the Compliance Department at
      hipaahelp@karmanos.org

11
Types of Disclosures
  • No Authorization Required: to disclose PHI to
    the patient, to use or disclose PHI for
    treatment, payment or healthcare operations (TPO),
    and for certain other disclosures required by law
    (for example, public health reporting of
    diseases, abuse/neglect cases, etc.).
  • No Authorization Required, BUT Must Offer
    Opportunity to Object: a patient must be offered
    an opportunity to object BEFORE PHI is discussed
    with the patient's family or friends.
  • Authorization IS Required: for research, and
    when conducting certain fundraising or marketing
    activities.

12
Incidental Disclosures
  • HIPAA recognizes that some disclosures are not
    completely avoidable. These are called
    Incidental Disclosures.
  • For example, visitors may overhear a clinical
    discussion as they are walking down the hallway
    of an inpatient unit, or a visitor may hear a
    patient's name called out in a waiting room.
  • HIPAA requires that reasonable safeguards be put
    in place to limit incidental disclosures:
    • Speak in soft tones when discussing PHI in open
      areas.
    • Do not discuss PHI in public hallways, elevators
      or other public locations.
    • Only use the minimum amount of information
      necessary to carry out the intended purpose.

13
Every Day Practices For Securing PHI
  • Do:
    • log off your computer when you will be away for a
      period of time.
    • position monitors out of view of the public eye.
    • change your password as defined in policy.
    • choose passwords that are not easily guessed.
    • use password-protected screensavers and keyboard
      locks.
    • place disks or tapes in a secure location.
    • immediately report anyone outside of KCC asking
      for your password.

14
Every Day Practices For Securing PHI
  • Do not:
    • share passwords or login IDs.
    • write down passwords where others may access
      them.
    • open any unknown attachments, files or
      unrecognizable e-mails.
    • install unapproved software/hardware.
    • use unapproved email, such as Hotmail, Yahoo,
      etc.

15
Every Day Practices For Securing PHI
  • Use caution and respect patients' privacy when
    discussing protected health information in
    public.
  • Read and understand the policies and procedures
    relating to HIPAA Privacy & Security.
  • When using or disclosing protected health
    information, limit the PHI to the minimum
    necessary to accomplish the intended use.
  • Workers should only access or use the PHI
    necessary to conduct their job responsibilities.
  • All electronic systems are audited: a log of all
    accesses is maintained and is designed to protect
    patient privacy.
  • For faxes:
    • Double-check the fax number.
    • Use a cover page which includes your contact
      information.
    • If a fax is received by the wrong location, have
      the fax destroyed or returned to you.

16
Protecting your Computer & PHI
  • Report any suspicious activity, such as new
    software or hardware appearing on your computer,
    to the Help Desk.
  • Contact your supervisor or the Help Desk if you
    believe someone may have logged onto your
    computer.
  • Secure PDAs and Laptops:
    • Always use a password-protected screen saver.
    • Back up data.
    • Install and use virus protection software.
    • Lock devices in a secure location when not in
      use.
    • If a device is stolen, an incident report should
      be filed.

17
Email and PHI
  • Email-to-email transmission within the Karmanos
    Email System (yourid@karmanos.org) is secure.
  • Email from the Karmanos email system to any other
    system is NOT considered secure unless encrypted.
    (Note: this includes DMC and WSU email addresses;
    email sent from Karmanos is not secure unless
    encrypted.)
  • Encryption can be forced for email containing PHI
    from a Karmanos email to a non-Karmanos email
    address by typing SECURE in the subject line.
  • In all cases, use the minimum necessary PHI.
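The two rules above (slide 17) and the identifier list from slide 4 can be combined into an outbound-mail check. The following is an added example written for this page, not code from Karmanos or any mail product; it assumes karmanos.org as the internal domain (from the slide), generic US formats for SSN, phone/fax and dates, and an assumed "MRN"/"FIN" plus digits shape for record and account numbers:

```python
import re
from dataclasses import dataclass

# Identifier patterns for types listed on slide 4. SSN, phone/fax and date
# formats are generic US formats; the MRN/FIN shape ("MRN" or "FIN" followed
# by digits) is an assumed convention, not Karmanos's real numbering scheme.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn_or_fin": re.compile(r"\b(?:MRN|FIN)[ #:]*\d{5,}\b", re.I),
}
INTERNAL_DOMAIN = "karmanos.org"  # slide 17: yourid@karmanos.org is the secure system

@dataclass
class Verdict:
    allowed: bool
    reason: str
    identifiers: dict  # identifier type -> number of matches (values are not echoed)

def find_phi(text: str) -> dict:
    """Count which slide-4 identifier types appear in the text."""
    counts = {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}

def check_outbound(recipients: list, subject: str, body: str) -> Verdict:
    """Slide-17 rule: PHI may leave karmanos.org only when encryption is
    forced by SECURE in the subject line; internal mail is treated as secure."""
    found = find_phi(subject + "\n" + body)
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not found:
        return Verdict(True, "no PHI identifiers detected", found)
    if not external:
        return Verdict(True, "internal karmanos.org mail, treated as secure", found)
    if re.search(r"\bSECURE\b", subject, re.I):
        return Verdict(True, "PHI to external recipient with SECURE subject (encrypted)", found)
    return Verdict(False, f"PHI to external recipient(s) {external} without SECURE in subject", found)

if __name__ == "__main__":
    # Constructed sample message; the values are made up, not real patient data.
    body = "Pt DOB 04/12/1957, MRN 0012345. Please call 313-555-0142."
    for to, subj in [(["nurse@karmanos.org"], "follow-up"),
                     (["referral@dmc.org"], "follow-up"),
                     (["referral@dmc.org"], "SECURE: follow-up")]:
        v = check_outbound(to, subj, body)
        print(to, subj, "->", "ALLOW" if v.allowed else "BLOCK", "|", v.reason)
```

The check reports only which identifier types were found, not their values, so its own log does not become another copy of the PHI.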

18
Emergency Downtime
  • Karmanos Cancer Center has a contingency plan to
    address system access during power failures,
    disasters, weather hazards or other situations
    limiting access to patient data.
  • Know the recovery plan as it relates to your job.
  • Know the related policies.
  • Know how to report emergencies.
  • Know how the emergency may impact patient care.

19
Penalties
  • Disciplinary action up to and including
    termination.
  • Exclusion from participation in Medicare and
    Medicaid programs.
  • NOTE: Individuals (This Means You!) can be
    subject to criminal prosecution, fines and
    imprisonment.
  • HIPAA Specific:
    • Up to one year / $50,000 for misuse of protected
      health information.
    • Up to five years / $100,000 for misuse of PHI
      under false pretenses.
    • Up to ten years / $250,000 for misuse with
      intent to sell, transfer or use PHI for
      commercial advantage, personal gain or malicious
      harm.

20
HIPAA Reporting
  • You are required to understand the law and how
    it affects your job. Even an accidental
    disclosure could have consequences.
  • As a condition of employment, employees agree to
    read and abide by the policies and procedures
    covering HIPAA.
  • Individuals should immediately report any
    observed or suspected HIPAA breach to:
    • Your supervisor
    • Compliance Office: 1-877-857-6007
    • Compliance Hotline (Anonymous Reporting):
      1-888-478-3555
  • Not Sure? Report It Anyway.
  • Too Late? Report It Anyway.
  • Already Told Us? Report It Again!
  • YOU CAN NEVER BE RETALIATED AGAINST FOR REPORTING
    A CONCERN!
  • Safeguarding PHI is everyone's job.

21
HIPAA Resources
  • http://www.hhs.gov/ocr/privacy/
  • http://www.cms.hhs.gov/HIPAAGenInfo/

22
Summary
We hope this Computer Based Learning course has
been both informative and helpful. Feel free to
review this course until you are confident about
your knowledge of the material presented. Click
the Take Test button on the left side when you
are ready to complete the requirements for this
course. Click on the My Records button to
return to your CBL Courses to Complete list.
Click the Exit button on the left to close the
Student Interface.