Greater Columbia Behavioral Health HIPAA TRAINING - PowerPoint PPT Presentation

Slides: 55
Provided by: moo93


Transcript and Presenter's Notes

Greater Columbia Behavioral Health HIPAA TRAINING

  • GCBH must follow HIPAA regulations to protect
    consumers. The following slides will introduce
    HIPAA, including the reasons for it and how it
    impacts health care. At the end of the
    presentation you will be asked to complete
    several questions to assess your understanding of
    HIPAA and its impact on day-to-day health care.
    You must answer the questions in order to
    complete your HIPAA training.

By the time you've completed this slideshow, you will be able to answer the following questions:
  • What is HIPAA and to whom does it apply?
  • What is PHI and how is it protected?
  • When are additional authorizations required?
  • What are the penalties for violation?

The Primary Intent
  • The primary intent and purpose of this law was to protect health
    insurance coverage for workers and their families
    when they changed or lost their jobs. It was
    recognized that this new protection would impose
    administrative burdens on health care providers,
    payers, and clearinghouses, and therefore, the
    law includes a section called Administrative
    Simplification. This section was designed to
    reduce the burden associated with the transfer of
    health information between organizations. The
    approach was to accelerate the move from
    paper-based administrative and financial
    transactions to electronic transactions through
    the establishment of nationwide standards.

The Health Insurance Portability and
Accountability Act (HIPAA)
  • HIPAA was passed by Congress in 1996.
  • In addition to its goal to reduce health care
    costs nationwide by requiring use of electronic
    data interchange (EDI) for routine health care
  • Its goal was to protect the security and privacy
    of the health records used in these EDI

  • HIPAA contains Privacy & Security rules
    responding to health care concerns such as:
  • Fears that once patients' records are stored
    electronically on networks, a couple of clicks
    could transmit those records worldwide, and
  • Loss of personal control over personal
    information, and
  • Anger at the constant barrage of marketing

HIPAA Security & Privacy rules
  • Established federally mandated requirements for the
    creation, transmission, and disclosure of
    individually identifiable health information that
    affect anyone who encounters patient information.
  • HIPAA uses the term PHI, Protected Health

PHI is
  • Information relating to an identified
    individual's past, present, or future
  • Physical or mental health or condition
  • Provision of health care services
  • Payment for provision of health care
  • 45 CFR 164.501

PHI includes
  • Oral or recorded information, maintained or
    transmitted in any form or medium.
  • The law refers to covered entities and the work
    that they perform as covered functions.
  • Covered Entities are Health Plans, Clearinghouses,
    and Providers.
  • GCBH is a Health Plan

HIPAA Business Associate (BA)
  • HIPAA extends beyond the walls of the covered
    entity to Business Associates
  • Anyone who contracts with the covered entity
    is subject to the same HIPAA regulations as
    the covered entity. Examples are our shredding
    company, our printing companies, and our other
    contractors engaged under PSAs.

The Patient (Consumer)
  • Is entitled to notice about how their PHI will be
  • Is entitled to expect that caregivers will be
    careful with their PHI
  • Is entitled to a copy of their record
  • Is entitled to request correction of their record
  • Is entitled to receive confidential communication
  • Is entitled to complain about a disclosure of
    their PHI
  • All requests or complaints regarding these
    rights should be directed to the Ombuds Service
    at 1-800-257-0660 or HIPAA Privacy/Security
    Officer, John Bartholomew.

HIPAA Requires that Patients Receive a Notice of
Privacy Practices (NPP) that
  • Advises the patient about the covered entity's
    privacy practices.
  • Distribution of the NPP is usually done at the
    first face-to-face meeting except in a major
    emergency or due to an incapacitated patient.
  • Covered entities must try to get a patient's
    written acknowledgement of the receipt of the NPP
    or make a written record of why this was not done.

Use and Disclosure of PHI
  • GCBH, as a health plan, is permitted by HIPAA to
    Use (internal) and Disclose (external) PHI
    for the purposes of:
  • Treatment: the provision of health care
  • Payment: the provision of benefits, premium
  • Operations: normal business activities
    (reporting, data collection, eligibility checks,

The Minimum Necessary Rule
  • The amount of PHI used or disclosed is restricted
    to the minimum amount of information necessary.
    Healthcare providers and health plans must make
    reasonable efforts not to use, disclose, or
    request more than is necessary to accomplish a
  • Exceptions are:
  • Disclosure to a provider for treatment
  • Release to an individual of their own PHI
  • Disclosures required by law

Minimum Necessary and TPO
  • TPO is Treatment, Payment, and Operations.
  • Patients must provide consent for use of PHI in
    treatment, payment, and healthcare operations.
  • Providers and health plans must distinguish
    activities that fall outside TPO such as
    research, fundraising, and marketing.

  • The minimum necessary rule does not restrict
    the information used or disclosed in treatment.
  • The minimum necessary rule does apply to
    payment and health care operations.

Besides use in TPO, when should GCBH
disclose PHI?
  • GCBH is required to disclose PHI to:
  • An individual (their own PHI) when requested
  • The Secretary of the U.S. Department of Health and
    Human Services for investigation of complaints
    or to determine a covered entity's compliance.
  • GCBH is permitted to disclose PHI outside TPO in
    special circumstances such as:
  • required by law
  • court proceedings
  • to avert a serious threat to health or safety
  • emergencies
  • abuse/neglect
  • special government functions

  • A co-worker is on the phone discussing a
    treatment-related issue. You inadvertently
    overhear PHI about a patient.
  • What should you do?

  • If you see or hear anything that is private, keep
    it to yourself.
  • Other ideas?

  • A co-worker calls you and asks for information
    about a friend's mental health encounter.
  • How do you respond?

  • Before looking at a consumer's health
    information, ask yourself one simple question:
  • Do I need to know this to do my job?
  • Before sharing a consumer's health information,
    ask yourself:
  • Does this person need to know this to do their

  • You are advised that a visitor has arrived to see
    you. You are currently busy completing a
    work-related task. However, the visitor has come
    by several times before and knows where you are
  • Should the visitor be allowed to enter on their

  • No
  • Have all visitors, including family and
    ex-employees, escorted by an employee when entering
    or exiting the facility.
  • You should also ensure that all PHI is obscured
    from view prior to the arrival of the visitor.

HIPAA Authorization
  • Is written authorization from a patient to use or
    disclose PHI for specific purposes (such as
    employment-related, research or marketing, and
    also needed for psychotherapy notes).
  • Is an authorization that can be revoked at any
    time in writing.
  • Must include the name of the patient, the purpose
    of the disclosure, an expiration date or event, a
    signature and date and an explanation of how to
    revoke the authorization.

Special Authorizations
Authorization to Disclose Psychotherapy Notes
  • Psych notes are recorded during a counseling
    session. The notes are to be kept separate from
    the rest of the patient's record.
  • Psych notes exclude:
  • Prescription info and monitoring
  • Session start/stop times
  • Modalities and frequencies of treatment
  • Results of clinical tests
  • Summaries of diagnosis, functional status,
    treatment plan, symptoms, prognosis and progress
    to date.

  • Psych notes are granted special protection under
  • A separate disclosure is required to release
    psych notes.
  • Exceptions:
  • Use of notes by the originator for treatment
  • Use by the covered entity for training
  • Use in defense in a legal action
  • Disclosure to HHS for HIPAA enforcement
  • Use by a coroner or medical examiner

  • Unlike other health records, psychotherapy notes
    are not subject to disclosure to the patient.

Other HIPAA Standards
What is the NPI?
  • The National Provider Identifier (NPI) is the
    unique health identifier for health care
    providers. The NPI is a 10-digit numeric
    identifier with a check digit.
  • The National Provider System (NPS) will be the
    system used to assign unique numbers to health
    care providers.
  • Health Care Providers must obtain an NPI and use
    it on standard transactions. Health Plans and
    Health Care Clearinghouses must use the NPI to
    identify health care providers on standard
    transactions where the health care provider's
    identifier is required.
  • Health Care Providers, Health Plans (except small
    health plans), and Health Care Clearinghouses
    must comply with the implementation no later
    than May 23, 2007. Small Health Plans must comply
    with the NPI implementation specifications no
    later than May 23, 2008.
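The check digit mentioned above follows the CMS rule for the NPI: the tenth digit is a Luhn (mod 10 "double-add-double") check digit computed over the constant prefix 80840 plus the nine identifier digits. The validator below is an added example, not material from the GCBH deck; the sample NPIs in it are constructed, except 1234567893, which is the worked example CMS publishes.

```python
"""Validate the check digit of a National Provider Identifier (NPI).

Added example (not from the GCBH training deck). CMS computes the NPI
check digit with the Luhn formula over "80840" + the 9 identifier
digits; the prefix is only used in the calculation and is never part
of the 10-digit NPI itself.
"""

NPI_PREFIX = "80840"  # CMS card-issuer prefix used in the check-digit formula


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string that will be followed by a check digit.

    Walking from the right, the first digit is doubled (it sits next to
    the check-digit position), the next is taken as-is, and so on. A
    doubled value above 9 has 9 subtracted, which equals adding its
    two decimal digits.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(base: str) -> int:
    """Compute the 10th digit for a 9-digit NPI base."""
    if len(base) != 9 or not base.isdigit():
        raise ValueError("NPI base must be exactly 9 decimal digits")
    return (10 - luhn_sum(NPI_PREFIX + base) % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is exactly 10 decimal digits with a correct check digit.

    Wrong length, non-digit characters, single-digit errors and most
    adjacent transpositions are rejected, which is what a claims or
    enrollment intake check should catch before the NPI is trusted.
    """
    if len(npi) != 10 or not npi.isdigit():
        return False
    return int(npi[9]) == npi_check_digit(npi[:9])


if __name__ == "__main__":
    # Constructed samples: CMS's published example, a wrong check digit,
    # a transposition, a short value and a value with a letter.
    for sample in ["1234567893", "1234567890", "1243567893",
                   "123456789", "12345678A3"]:
        print(sample, "valid" if is_valid_npi(sample) else "INVALID")
```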

Code Sets
  • HIPAA requires every provider who does business
    electronically to use the same health care
    transactions, code sets, and identifiers. Code
    sets are the codes used to identify specific
    diagnoses and clinical procedures on claims and
    encounter forms. The HCPCS, CPT-4 and ICD-9 codes
    are examples of code sets for procedures and

  • In the context of HIPAA, privacy determines who
    should have access, what constitutes the
    patient's rights to confidentiality, and what
    constitutes inappropriate access to health
  • Confidentiality establishes how the records (or
    the systems that hold those records) should be
    protected from inappropriate access.
  • Security is the means by which you ensure privacy
    and confidentiality.

  • Threats to health information security and
    privacy include:
  • Intentional misuse from internal
  • Malicious or criminal misuse from
    internal personnel
  • Unauthorized physical intrusion of the
    data system by an external person
  • Unauthorized intrusion of the data
    system by an external person via information

  • HIPAA mandates that security standards be applied
    in four main areas:
  • Administrative Procedures
  • Physical Safeguards
  • Protection for Data Storage
  • Protection for Data in Transit

Administrative Procedures
  • Covered entities need to
  • Implement training programs
  • Have a contingency plan
  • Conduct a risk assessment
  • Create policies and procedures including a
    password policy
  • Have a formal mechanism for processing records
  • Follow a termination process
  • Establish roles and responsibilities for security

Physical Safeguards
  • Covered entities need to
  • Secure physical access by locking doors,
    escorting visitors, wearing IDs
  • Secure unattended workstations by using password-
    protected screensavers and locking computers when
    unattended. You can manually lock your
    workstation by holding down the Windows key
    and the L key.
  • Store notebook computers, PDAs, jump drives and
    any portable media in a secure place and password
    protect them
  • Encrypt PHI on notebooks, PDAs, jump drives, and
    on any portable media.

  • You are walking by a trash can and notice that a pile
    of consumer reports or other documents with PHI
    has been laid on top of the trash.
  • Should you be concerned?

  • Consumer information should never be thrown away
    in an unlocked bin unless it has been shredded or

Protection for Data Storage
  • Covered entities need to
  • Have a Data Back-up Plan
  • Have a Disaster Recovery Plan
  • Store Paper, Tapes, Disks securely
  • Dispose of Paper PHI securely

Protection for Data in Transit
  • Covered entities need to
  • Use Encryption for PHI
  • Use Audit Trails
  • Report adverse events
  • Use precautions when sending PHI on faxes

What can I do?... The Basics
  • Keep your work area free of PHI when not present
  • Lock your computer when you walk away
  • Log off at the end of the day
  • Double check the number you're calling before
    faxing PHI and pick up your faxes A.S.A.P. Use
    a cover page with the GCBH confidentiality
  • Emails containing PHI may only be sent to
    others on the GCBH domain. If transmitting PHI
    with a provider, you must use the GCBH VPN.
  • Don't share your password
  • Dispose of sensitive materials in shredders or
    locked bins

What can I do? The Basics (Continued)
  • Don't tell anyone your building code
  • Wear your badge
  • Escort your visitors
  • Talk quietly on the phone when it involves PHI or
    close your door if needed
  • Don't access more PHI than you need to do your
  • Don't leave your notebook computer on the seat of
    your car
  • Don't allow anyone at home to access your work
  • Report any security incidents immediately

When do I Report a Breach of PHI?...
  • Employees must report a breach to their
    supervisor when PHI shared does not pertain to:
  • Treatment
  • Payment
  • Operations
  • Consumer authorization
  • Uses and disclosures permissible under federal
    and state law

  • You are at the fax machine or printer to pick up
    a document. There is consumer PHI already in the
    receiving bin.
  • What should you do?

  • Notify the Front Office staff that there is PHI on
    the fax machine. They will deliver the document to
    the recipient; if you see private information,
    keep it to yourself.
  • For PHI in the receiving bin of the printer,
    notify the HIPAA Privacy/Security Officer.
    Documents will be delivered to the recipient with
    a reminder not to leave PHI unattended on the

Incidental Disclosures
  • Examples of incidental disclosures:
  • A patient seen in a waiting area
  • A conversation between a provider and a patient
    in a semi-private room heard by the other
  • Incidental disclosures are not violations if the
    covered entity has safeguards in place and the
    staff observe them.

  • Covered entities are required to develop and
    impose sanctions appropriate to the nature of the
    HIPAA violations. The type of sanction applied
    should vary depending on factors such as the
    severity of the violation, whether the violation
    was intentional or unintentional, and whether the
    violation indicated a pattern or practice of
    improper use or disclosure of PHI. Sanctions can
    range from a warning to termination.

Penalties for Violations
  • Civil Penalties
  • Violations can result in civil monetary penalties
    of $100 per violation, up to $25,000 per year.
  • Criminal Penalties
  • In June 2005, the U.S. Department of Justice
    (DOJ) clarified who can be held criminally liable
    under HIPAA. Covered entities and specified
    individuals who "knowingly" obtain or disclose
    individually identifiable health information in
    violation of HIPAA regulations face a fine of up
    to $50,000, as well as imprisonment of up to 1 year.
    Offenses committed under false pretenses allow
    penalties to be increased to a $100,000 fine,
    with up to 5 years in prison. Offenses committed
    with the intent to sell, transfer, or use
    individually identifiable health information for
    commercial advantage, personal gain or malicious
    harm permit fines of $250,000, and imprisonment
    for up to 10 years.

  • The DHHS Office for Civil Rights (OCR) enforces
    the privacy standards, while the Centers for
    Medicare & Medicaid Services (CMS) enforces both the
    transaction and code set standards and the
    security standards (65 FR 18895). Enforcement of
    the civil monetary provisions has not yet been
    tasked to an agency.

Of note
  • According to reports, the US government has not
    imposed a single fine for violations of the
  • There have been several complaints received by
    the Bush Administration on HIPAA violations.
    However, only two criminal cases have been
    prosecuted to date.
  • (HIPAA Compliance Journal, June 6, 2006)

GCBH HIPAA Policies & Agreements, available on our
website at
  • Designated Record Set
  • Administrative Requirements for Implementation of
  • Administrative Requirements Documentation
  • Business Associate Addendum
  • Confidentiality and Security Agreement
  • Computer and Information Security
  • Computer and Information Security Agreement
  • Workstation Use and Portable Computer
  • Remote Access
  • Password Protection
  • Consumer Protected Health Information Rights
  • Confidentiality, Use and Disclosure of Protected
    Health Information

GCBH HIPAA Policies & Agreements (Continued)
  • E-mail and Internet Security
  • FAX
  • HIPAA Complaint
  • Information Systems Security Checklist Onsite
  • Sources of PHI Inventory and Location
  • Privacy officer Job Responsibilities
  • Sanction
  • HIPAA Training
  • Staff Training Plan for Privacy and Security
  • Virus Protection
  • HIPAA Administrative Simplification Definitions
  • Privacy and Security Plan
  • GCBH Privacy Notice