WHAT IS HIPAA? - PowerPoint PPT Presentation

About This Presentation

Slides: 68
Provided by: JulieM89

Transcript and Presenter's Notes

1
WHAT IS HIPAA?
  • (The Health Insurance Portability and Accountability Act of 1996)

2
HIPAA
  • Is a Federal Law
  • Creates uniform standards for certain payment-related transactions (e.g., claims submissions and eligibility verification) and
  • Creates minimum standards for the privacy and security of patient information.

3
TRAINING REQUIREMENT
  • Compliance with the HIPAA regulations is the responsibility of the entire staff. This includes employees, medical staff, volunteers, residents, and students.
  • Everyone must take steps to protect the confidentiality and privacy of patient information, and
  • Everyone is required to receive HIPAA training.
  • At the end of this presentation, you will be asked to sign a certification which says you have received this training and agree to abide by the Hospital's HIPAA policies.

4
HIPAA PRIVACY BASICS: GENERAL PRIVACY RULE
  • You may not USE or DISCLOSE Protected Health Information (PHI) except as permitted by the privacy regulations.

5
WHAT IS PROTECTED HEALTH INFORMATION OR PHI?
  • PHI is any information relating to a person's health status, treatment or payment for health services which is created or received by the Hospital and which may identify the individual.
  • Includes oral, written and electronic records and communications.

6
QUESTION
  • Which of the following is PHI?
    • A patient's name
    • A patient's address
    • A patient's Medicaid number
    • A patient's date of birth
    • All of the above

7
Answer
  • Each of those items is considered PHI, or Protected Health Information.

8
EXAMPLES OF WHERE YOU MIGHT ENCOUNTER PHI
  • A sign-in sheet that includes the patient's name and reason for her visit
  • A code that documents a specific health procedure or test
  • A patient identification bracelet or band, or an insurance card
  • A conversation about a patient's health over lunch with a colleague
  • An appointment reminder message left on an answering machine

9
MORE EXAMPLES OF PHI
  • Physician dictation that is yet to be transcribed
  • Patient status boards
  • A telephone call to verify health insurance coverage
  • The OR schedule
  • PAY CLOSE ATTENTION TO AREAS WHICH LEND THEMSELVES TO PRIVACY VIOLATIONS: DO A WALK-THROUGH OF YOUR FLOOR/DEPARTMENT

10
PRIVACY NOTICE
  • Prior to providing services (except in an emergency or if the patient lacks capacity), the Hospital must provide each patient with a privacy notice and make a good faith effort to obtain a written acknowledgment from the patient that he/she has received the Hospital's privacy notice.
  • If the Hospital is unable to obtain the acknowledgment, it must document the attempt that was made, and the reasons why such attempt was not successful.
  • The acknowledgement should be kept for at least six years.

11
PRIVACY NOTICE
  • The Hospital's privacy notice describes:
    • How the Hospital uses and discloses PHI
    • The patient's rights concerning their PHI
    • How the patient can make complaints (both to the Hospital and to the Office of Civil Rights) concerning privacy or security issues
  • The Hospital's notice is a joint notice, and it covers the Hospital and its medical staff with regard to services rendered at the Hospital

12
PERMITTED DISCLOSURES: FOR THE HOSPITAL'S USE
  • The Hospital may use and disclose PHI without obtaining a HIPAA-compliant authorization form for the Hospital's Treatment, Payment and Health Care Operations purposes.
  • Note: You must still comply with other more stringent laws (e.g., NYS law, HIV law, mental health law, and drug and alcohol laws).

13
TREATMENT
  • The provision, coordination and/or management of health care and related services including consultations and referrals.
  • Examples:
    • If a patient receives care at a Hospital, the Hospital may send the patient's blood to a reference laboratory for analysis.
    • One physician may consult with another physician concerning the care of a particular patient.
    • Hospital discharge personnel may provide information to nursing homes/home health agencies who may subsequently treat the patient.

14
PAYMENT
  • The activities undertaken by a provider to obtain reimbursement for services provided.
  • Examples:
    • The Admitting Office is permitted to contact an insurance company to determine if a patient has insurance coverage.
    • The Billing Department is permitted to send a bill to the patient or the patient's third party payor.

15
HEALTH CARE OPERATIONS
  • The Hospital's routine activities such as quality assurance, case management, credentialing, accreditation, education of staff, business planning and customer service.
  • Examples:
    • Presenting case studies at a performance improvement meeting
    • Sending incident reports to malpractice carriers
    • Training of staff, residents and interns
    • Participating in JCAHO accreditation

16
PERMITTED DISCLOSURES: FOR THE USE OF OTHERS
  • In addition, the Hospital may disclose PHI without an authorization:
    • For other providers' Treatment, Payment purposes and certain Healthcare Operations
    • To DHHS
    • To a patient's family and personal representatives
    • In a facility directory and
    • In all other situations authorized by HIPAA.

17
AUTHORIZATIONS
  • If the Hospital wants to use PHI for purposes other than treatment, payment or health care operations it must obtain a HIPAA-compliant authorization form.
  • Examples:
    • Research
    • Marketing
    • Photographing patients (for other than treatment purposes)
  • The authorization form must be signed by the patient or his/her legal representative.
  • The authorization form must be detailed and specific to the use or disclosure.

18
QUESTION
A patient comes to a hospital. Which of the following can be performed without written authorization from the patient or his/her legal representative?
  1. Doctors reviewing the treatment plan for elective surgery
  2. Billing for elective surgery
  3. Sending laboratory results to an outside lab
  4. Discussing the patient's care at a quality assurance meeting
  5. All of the above

19
Answer
  • Each of those actions can be performed without written authorization from the patient or his/her legal representative.

20
MINIMUM NECESSARY RULE
  • You must limit the PHI which you use, disclose or request to the minimum necessary to accomplish your job responsibilities.

21
MINIMUM NECESSARY RULE: EXAMPLES
  • Example 1: When PHI is disclosed in response to a request from a health plan, only the information requested should be sent rather than the entire medical record.
  • Example 2: When PHI is used by a health care provider, such as a Physical Therapist, to treat a patient, the therapist limits their use of the medical record to those portions that are essential to the treatment of the patient.

22
MINIMUM NECESSARY RULE: EXCEPTIONS
  • The minimum necessary rule does not apply when PHI is disclosed to or requested by the patient himself, or by a provider in order to treat an individual.

23
MINIMUM NECESSARY RULE (Cont'd)
  • If you regularly receive reports containing PHI which you do not need to receive, or if you have greater access to PHI than you need to perform your job, please contact:
    • your Department Manager or
    • Terry Lillis, our Privacy Officer.

24
INDIRECT PROVIDERS
  • Deliver care based upon the orders of another health care provider
  • Transmit the results of these services directly to the provider who ordered the service (not to the patient)
  • Are not required to obtain a privacy notice acknowledgment prior to providing services and
  • Are not Business Associates.
  • EXAMPLES: Laboratories, pathologists, radiologists

25
HIPAA HOT SPOT: HIPAA AND OTHER LAWS
  • As the Hospital implements HIPAA, it must continue to follow current Hospital policy (which may be based upon other Federal and State law) unless the policy directly conflicts with HIPAA.
  • If HIPAA and State law address the same topic, HIPAA applies, unless the State law offers the patient greater rights.

26
HIPAA HOT SPOT: HIPAA AND OTHER LAWS
  • EXAMPLES:
    • The Hospital must still follow New York State law relating to patient authorization for release of HIV records, even though these rules may be more strict than HIPAA.
    • Although HIPAA does not require a HIPAA-specific consent for permitted disclosures of PHI, the Hospital is still required to obtain other types of consents for health care purposes if required by law or Hospital policy (i.e., informed consents and consents for treatment).

27
PRIVACY OFFICER
  • Terry Lillis, at 663-2003, is the Hospital's Privacy Officer and is responsible for ensuring compliance with the HIPAA Privacy Standards. If you have any questions or are aware of any HIPAA violations, contact her immediately.
  • Nick Casabona, at 663-2370, as the Hospital's HIPAA Security Officer, is responsible for overseeing the technical aspects of the security of the electronic information.

28
COMPLAINTS
  • Jean Zebroski, Director of Patient Relations, at 663-2058 is responsible for responding to complaints regarding HIPAA violations.
  • Please refer any complaint relating to HIPAA directly to Jean.

29
HIPAA HOT SPOT: PATIENT DIRECTORY INFORMATION
  • HIPAA allows Hospitals to provide directory information to the public, but patients may request to opt out of being included in such directory. If they opt out, our Secured Patient Policy will be used to safeguard all of their information.

30
PATIENT RIGHTS
  • Under HIPAA, patients have the following rights:
    • To request that the Hospital limit its use and disclosure of their PHI
    • To receive communications by alternative means (e.g., e-mail or fax) or to alternative locations (the Hospital must accommodate all reasonable requests)
    • To access their PHI
    • To request amendments to their PHI, and
    • To receive an accounting of certain disclosures of their PHI.


31
IMPLEMENTING PATIENTS' RIGHTS
  • Example: A patient requests that PHI not be disclosed to any person other than his son.
  • The Hospital is not required to agree to such a request, but if it does, it must modify the uses and disclosures it and its staff typically make.

32
ACCOUNTINGS
  • HIPAA requires the Hospital to provide patients, upon request, with an accounting of certain disclosures of their PHI.
  • The following disclosures do not need to be included on the accounting if performed in accordance with the HIPAA regulations:
    • Disclosures of PHI that were made for purposes of Treatment, Payment or Health Care Operations.
    • Disclosures to the patient requesting the accounting
    • Disclosures that are incidental to a permitted or required use of PHI

33
ACCOUNTINGS (Cont'd)
  • Disclosures pursuant to a valid HIPAA authorization
  • Disclosures to the Hospital's patient directory
  • Disclosures to persons involved in the patient's care and notices to family members or friends regarding the patient's location, general condition and/or death
  • Disclosures for national security or intelligence purposes
  • Disclosures to correctional institutions or law enforcement officials, if involving criminal conduct that occurred on the Hospital's premises
  • Disclosures of a limited data set and
  • Disclosures made prior to April 14, 2003.

34
ACCOUNTINGS (Cont'd)
  • The following are examples of disclosures that are required to be included in an accounting:
    • Disclosures in response to a subpoena, without a HIPAA authorization
    • Infection control disclosures and
    • Disclosures to regulatory agencies such as the Department of Health.

35
DISCUSSIONS WITH PATIENT'S FAMILY AND FRIENDS
  • In general, the Hospital may disclose to a family member, relative, or close personal friend of the patient, or any other person designated by the patient, patient information directly relevant to the person's involvement with or payment for the person's care (except HIV-related information, alcohol and/or substance abuse or mental health treatment).

36
DISCUSSIONS WITH PATIENT'S FAMILY AND FRIENDS (Cont'd)
  • If the patient is present, PHI may be disclosed with the patient's agreement. If the patient is given the opportunity to object and does not object, or if the Hospital reasonably infers from the circumstances that the patient does not object to the disclosure, then the Hospital may disclose the information to the family member or friend.
  • If the patient is not present, or the opportunity to agree or object cannot practically be provided (incapacity or emergency), the Hospital may determine disclosure is in the patient's best interest.
  • Disclose only the information directly relevant to the person's involvement with the patient's health care.

37
HIPAA HOT SPOT: THE MEDIA
  • Unless a patient requests otherwise, if a caller asks for information on a particular patient, HIPAA permits the Hospital to release one-word condition information and location information without obtaining prior authorization.
  • At Winthrop, ALL communication with the Media is to be directed to the Vice President of External Affairs.
  • REMEMBER: Other laws may be more stringent (e.g., laws regarding HIV, mental hygiene, and substance abuse).

38
THE MEDIA (Cont'd)
  • The media should not contact patients directly; they should request an interview through the External Affairs Department at ext. 663-2706. During off-hours, the operator will contact the Vice President of External Affairs for you.
  • The Hospital may deny the media access to the patient if it would aggravate the patient's condition or interfere with patient care.

39
FINAL MEDIA TIPS
  • The following activities require written authorization from the patient:
    • Drafting a detailed statement (i.e., anything beyond one-word condition) for approval by the patient's legal representative
    • Taking photographs of patients
    • Interviewing patients
  • In general, if the patient is a minor, permission for any of these activities must be obtained from a parent or legally authorized representative.

40
HIPAA HOT SPOT: FAXING
  • If you are faxing documents that contain PHI, be sure to take the following steps:
    • Include a fax cover sheet with the approved HIPAA confidentiality statement on it.
    • Perform random audits of sent faxes to ensure receipt by the correct party.
    • Pre-program fax numbers.
    • Routinely update fax number listings.
    • Maintain the fax machine in a secure location.

41
HIPAA HOT SPOT: PUBLIC CONVERSATIONS
  • Avoid holding conversations about PHI in public areas such as lobbies, elevators, cafeterias and hallways. If you must do so, keep your voice low and be aware of people who may overhear your conversation.
  • Note: Conversations between providers, and between providers and patients, are permissible, even if incidentally overheard, as long as reasonable precautions were taken.

42
HIPAA HOT SPOTS: REASONABLE SAFEGUARDS
  • Do not leave PHI in public view (e.g., lying around on desks or nurses' stations or unattended on a fax machine), and take care when disposing of PHI (e.g., shred paper when feasible or place paper in locked confidential waste baskets).
  • Never place PHI in an unsecured waste basket, including the BLUE recycling bin.

43
MARKETING/FUNDRAISING
  • HIPAA allows the Hospital to use PHI for certain limited marketing and fundraising, provided that specific requirements are met. If you wish to use PHI for marketing or fundraising, contact John Broder, Vice President of External Affairs, at 663-2706 for guidance.

44
RESEARCH
  • There are several rules related to the use or disclosure of PHI for research purposes. These rules include:
    • Creation of a Privacy Review Board (which can be the current IRB) to review all use or disclosure of PHI for research purposes
    • Use of HIPAA authorizations
    • Use of Limited Data Set/Data Use Agreements
    • De-identification of PHI
  • If you participate in research activities, contact the Director of IRB, at 663-2552, for a detailed description of HIPAA research requirements.
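
The "de-identification of PHI" rule on slide 44 and the "send only what was requested" rule of slide 21 both come down to the same discipline: decide up front which fields may leave the record, and drop everything else. The following Python is an added example written for this transcript, not material from the training deck or from the Hospital. It removes the direct identifiers the deck itself lists as PHI on slide 6 (name, address, Medicaid number, date of birth) plus a few assumed columns of the same kind (phone, e-mail, MRN, SSN), keeps only the year of birth, collapses ages 90 and over into one bucket (the treatment of dates and ages under the HIPAA Safe Harbor method), and scrubs full dates out of free-text notes. The field names, the allow-list and every sample value are constructed for the example.

```python
"""De-identifying a patient record before it leaves the covered setting.

Added example for slides 21 and 44; it is not part of the training deck.
Field names, the allow-list and all sample values are constructed.
"""
import re
from datetime import date

# Columns that identify the patient directly; always dropped.
DIRECT_IDENTIFIERS = {"name", "address", "medicaid_number",
                      "phone", "email", "mrn", "ssn"}

# Columns that may remain in a research extract (assumed allow-list).
ALLOWED_FIELDS = {"sex", "diagnosis_code", "procedure_code", "notes"}

# Full calendar dates inside free text (MM/DD/YYYY or YYYY-MM-DD).
_DATE_RE = re.compile(
    r"\b(?:(\d{1,2})/(\d{1,2})/(\d{4})|(\d{4})-(\d{2})-(\d{2}))\b")

# Review date used for the age calculation (the privacy compliance date
# the deck mentions on slide 33).
AS_OF = date(2003, 4, 14)


def strip_dates(text: str) -> str:
    """Replace each full date in free text with its year alone."""
    return _DATE_RE.sub(lambda m: m.group(3) or m.group(4), text)


def birth_year_bucket(dob: date, as_of: date) -> str:
    """Year of birth only; ages 90 and over become the single bucket '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(dob.year)


def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a new dict holding only the allowed, de-identified fields.

    This is an allow-list, not a deny-list: a column survives only if it
    is named in ALLOWED_FIELDS or is the date of birth (reduced to a
    year). An identifying column added later by the source system is
    therefore dropped by default instead of leaking through.
    """
    out = {}
    for key, value in record.items():
        if key == "date_of_birth":
            out["birth_year"] = birth_year_bucket(value, as_of)
        elif key == "notes":
            out["notes"] = strip_dates(value)
        elif key in ALLOWED_FIELDS:
            out[key] = value
        # DIRECT_IDENTIFIERS and unknown columns fall through and are dropped.
    return out


def remaining_identifiers(record: dict) -> set:
    """Identifier columns still present; empty for a de-identified record."""
    return DIRECT_IDENTIFIERS & set(record)


# Constructed sample records (no real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": "12 Example Street, Mineola, NY",
    "medicaid_number": "AB12345C",
    "date_of_birth": date(1931, 5, 20),
    "sex": "F",
    "diagnosis_code": "401.9",     # ICD-9-CM, essential hypertension
    "procedure_code": "99213",     # CPT-4 office visit
    "notes": "Seen 03/14/2003 for follow-up; prior visit 2002-11-02.",
    "room": "4B-12",               # not on the allow-list, so dropped
}
SAMPLE_OVER_89 = dict(SAMPLE_RECORD, name="John Q. Sample",
                      date_of_birth=date(1910, 1, 1))

if __name__ == "__main__":
    for rec in (SAMPLE_RECORD, SAMPLE_OVER_89):
        clean = deidentify(rec)
        print(clean, "identifiers left:", remaining_identifiers(clean))
```

The allow-list is the point of the design: when a new column appears in the source extract, the safe failure is to lose a research field, not to release an identifier. The `remaining_identifiers` check is the kind of assertion a data-use pipeline should run on every record before it is handed to a researcher.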

45
REMEMBER
  • When you:
    • Limit your own use and disclosure of or requests for information to the minimum necessary to perform the assigned task and
    • Verify that information is being properly provided to an authorized person,
  • You will:
    • Avoid the harmful effects of HIPAA violations.

46
HIPAA SECURITY BASICS
  • Security of PHI must be an ongoing and comprehensive process, not an event.

47
SECURITY RISKS
  1. Human error
  2. Nature (fire, earthquake, flood)
  3. Technology failures
  4. Deliberate security breaches (internal and external threats)

48
MANAGE YOUR PASSWORD
  • Use letters and numbers to create passwords (e.g., axw49).
  • Avoid common selections (e.g., your name, pet's name, child's name, etc.).
  • Do not post your password on your computer or near your work area.
  • Do not share passwords. If you forget your password, call the HELP Desk (663-4357).

49
PROTECT YOUR WORK AREA
  • Avoid having PHI in public view.
  • Do not leave unattended PHI on your computer screen or work station.
  • Sign off when you are finished using a computer.
  • Turn the computer screen away from public view.

50
BEWARE OF VIRUSES AND OTHER HARMFUL SOFTWARE
Viruses and other malicious software are a serious threat to the Hospital. To protect against them:
  • Do not load information from outside on your computer without authorization
  • Do not download information from the Internet without the express authorization of your Department Manager
  • Do not open e-mails from unknown senders
  • The Hospital will send you routine alerts when threats of new viruses become known.

51
FOLLOW HOSPITAL POLICY REGARDING REMOVAL AND INSTALLATION OF HARDWARE AND SOFTWARE
  • You may not install new hardware/software on the Hospital systems or remove hardware/software from the Hospital premises unless expressly authorized to do so by the Director of MIS or his designee.

52
REPORT INCIDENTS
  • It is your responsibility to report:
    • Unauthorized successful or unsuccessful log-in to the system
    • Any breaches in the security of PHI of which you become aware
    • Sharing of passwords
  • Incidents can be reported to Nick Casabona, our Security Officer, at 663-2370.

53
QUESTION
  • Are any of the following HIPAA violations?
    • A social worker posts her password on the side of her computer.
    • Jane has a friend who forgot her password and wants Jane to lend her Jane's password.
    • A physician is sitting at a computer terminal and reviewing a patient's information. The physician then gets an emergency call to assist with a patient. The physician leaves the computer terminal on showing the information.

54
Answer
  • Each of those actions would be a violation of HIPAA.

55
AUDIT TRAILS
  • The Hospital is required to maintain records of, and review, its employees' use of and access to information on the Hospital computer network.
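
Slide 55 says the Hospital must keep and review records of who accessed what on its network, but the deck does not show what such a review looks like. The Python below is an added example written for this transcript, not code from the deck or the Hospital. It parses a constructed access log and applies two checks the deck motivates: the minimum necessary rule of slide 20 (a user's accesses should stay with patients on the unit the user works on; anything else is a question for the Department Manager), and the unsuccessful log-ins that slide 52 says must be reported. The log format, field names, unit roster and every sample line are assumptions made for the example.

```python
"""Reviewing an access audit trail against the minimum necessary rule.

Added example for slides 20, 52 and 55; it is not part of the training
deck. Log format, field names, the roster and all sample lines are
constructed.
"""
import re
from collections import defaultdict

# Assumed log format: one event per line, space-separated key=value fields.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) unit=(?P<unit>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$")

# Constructed roster: the unit each patient is currently admitted to.
PATIENT_UNIT = {"P1001": "4B", "P1002": "4B", "P2001": "ICU", "P3001": "ED"}

# Constructed audit trail for one day; no real accounts or patients.
SAMPLE_LOG = """\
2003-04-14T08:02:11 user=rn_smith unit=4B patient=P1001 action=view result=ok
2003-04-14T08:05:40 user=rn_smith unit=4B patient=P1002 action=view result=ok
2003-04-14T08:09:02 user=rn_smith unit=4B patient=P2001 action=view result=ok
2003-04-14T08:15:55 user=clerk_lee unit=ED patient=P3001 action=view result=ok
2003-04-14T12:31:07 user=clerk_lee unit=ED patient=P1001 action=print result=ok
2003-04-14T22:47:19 user=unknown unit=- patient=- action=login result=fail
2003-04-14T22:47:33 user=unknown unit=- patient=- action=login result=fail
"""


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review(events: list, patient_unit: dict, max_failed_logins: int = 1) -> list:
    """Return (rule, detail) findings for a reviewer to follow up.

    out_of_unit    a record was viewed or printed for a patient admitted to
                   a unit other than the one the user works on
    failed_logins  more than max_failed_logins unsuccessful log-ins by one
                   account
    """
    findings = []
    failed = defaultdict(int)
    for e in events:
        if e["action"] == "login":
            if e["result"] != "ok":
                failed[e["user"]] += 1
            continue
        home = patient_unit.get(e["patient"])
        if home is not None and home != e["unit"]:
            findings.append(("out_of_unit",
                             f"{e['ts']} {e['user']} on {e['unit']} did {e['action']} "
                             f"on {e['patient']} (admitted to {home})"))
    for user, count in failed.items():
        if count > max_failed_logins:
            findings.append(("failed_logins",
                             f"{user}: {count} unsuccessful log-ins"))
    return findings


if __name__ == "__main__":
    for rule, detail in review(parse_log(SAMPLE_LOG), PATIENT_UNIT):
        print(f"{rule:14s} {detail}")
```

An out-of-unit access is a lead, not a verdict: a consult or a transfer can explain it, which is why the finding carries the timestamp, user and both units so the reviewer can ask the right manager. The threshold on failed log-ins is deliberately low here because the sample is tiny; a real review would take the roster from the admission system rather than a constant and tune the threshold to the Hospital's own baseline.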

56
OTHER SUGGESTED SECURITY PRACTICES
  • ALWAYS wear your name tag.
  • Ensure that all vendors are properly supervised and log in and out of the Hospital.
  • Shred or discard PHI in secure trash bins.

57
HIPAA HOT SPOT: E-MAIL
  • Communications sent over an open network (which includes e-mail over the internet) must have certain safeguards, which might include encryption. Review the Hospital's security policies to determine the steps that must be taken in relation to e-mail and the Hospital's policy on sending/receiving PHI by e-mail.

58
SUMMARY
Protection of PHI is everyone's responsibility. Here is a summary of a few topics that were discussed in this presentation:
  • Do not discuss patient information in public areas of the Hospital (e.g., cafeteria, lobby).
  • Do not discuss patient information at home or at social gatherings.
  • Do not share your password.
  • Do not leave PHI lying around unattended.
  • Do not send PHI over the internet unless authorized to do so.
  • Do inform the Privacy or Security Officer about any concerns you may have about release of PHI.

59
ELECTRONIC TRANSACTION STANDARDS: GENERAL RULE
  • If a provider (either itself or through an agent, e.g., a billing company) conducts a payment-related transaction electronically, the transaction must be conducted using the HIPAA format.
  • Note: If a payor still accepts covered transactions in paper format (e.g., paper claims), then such paper transactions do not necessarily have to conform to the new HIPAA formats.
  • Those involved in Electronic Transaction Standards will be contacted directly and trained as appropriate.

60
WHAT DOES IT MEAN TO STANDARDIZE A TRANSACTION?
  • Standardized Formats
  • Standard Data Content: A new Federal definition of "clean claim".
  • Standard Codes: ICD-9-CM, CPT-4, HCPCS, CDT-3, and HCPCS J codes.

61
HOW DOES HIPAA AFFECT YOUR RELATIONSHIP WITH THE HOSPITAL?
  • If you are an employee, student or volunteer:
    • You are part of the Hospital's workforce
    • You must comply with the Hospital's HIPAA compliance program
    • Failure to comply will result in disciplinary action
    • Failure to comply could trigger individual liability with penalties

62
INTERNAL SANCTIONS
  • The Hospital is required to have policies regarding the disciplinary actions which may be taken if an employee fails to comply with these HIPAA policies.
  • An employee who violates the Hospital's HIPAA policies may be subject to various sanctions including written censure, suspension or termination.
  • Medical Staff Members who violate these HIPAA policies may be subject to disciplinary action under the Medical Staff By-Laws.

63
FEDERAL SANCTIONS
  • Under HIPAA, violations may result in the Hospital and the employee being subject to civil monetary penalties and criminal actions, depending on the nature and extent of the HIPAA violation.

64
CIVIL FINES
  • Civil fines of no more than $100 per violation, with a maximum of $25,000 in each calendar year for violations of an identical requirement.
  • Enforcer: Office of Civil Rights

65
CRIMINAL PENALTIES FOR KNOWING MISUSE OF PHI - THREE DEGREES
  • Simple violations: up to $50,000 plus up to 1 year in prison.
  • Violation committed under false pretenses: up to $100,000 plus up to 5 years in prison.
  • Violation committed for gain or harm: up to $250,000 plus up to 10 years in prison.
  • Enforcer: OIG/Department of Justice

66
DISCUSSION/QUESTIONS

67
REVIEW CODE OF CONDUCT AND SIGN YOUR TRAINING ACKNOWLEDGEMENT FORM!