HIPAA Workforce Training - PowerPoint PPT Presentation

Slides: 50
Provided by: DianeD159



HIPAA Workforce Training

  • Completion of training is mandatory under
    HIPAA for the entire workforce of the MHRB,
    including volunteers, like yourselves.

What is HIPAA?
  • In 1996 President Clinton signed the Health
    Insurance Portability and Accountability Act
    (HIPAA). This new law was enacted as part of a
    broad congressional attempt at incremental
    healthcare reform.
  • HIPAA has two primary purposes. One is to
    provide continuous insurance coverage for workers
    who change jobs, and the other is to reduce the
    costs and administrative burdens of health care
    by making possible the standardized, electronic
    transmission of many administrative and financial
    transactions that are currently carried out
    manually on paper.

HIPAA Workforce Training
  • HIPAA requires that the MHRB create HIPAA
    policies and procedures that may affect your work
    as a Board member.

This HIPAA Training Program will answer
  • What does HIPAA do?
  • Who has to follow the HIPAA law?
  • What is Protected Health Information?
  • When do we start?
  • How does HIPAA affect you?
  • Why is HIPAA important?

What does HIPAA do?
  • HIPAA is the Health Insurance Portability and
    Accountability Act of 1996. It is a federal law that:
  • Protects the privacy of a client's personal and
    health information
  • Provides for electronic and physical security of
    personal and health information
  • Simplifies billing and other transactions

An Overview of the Law
  • HIPAA regulations are the minimum starting point
    for protecting health information and do not
    supersede any rules, regulations, or standards
    that are more stringent. For example, if ODMH
    rules are more stringent than HIPAA rules, we
    must follow the ODMH rule.

Organizational and Administrative Requirements
  • A Privacy Officer must be appointed to implement
    and develop privacy policies and procedures for
    the agency.
  • Must train all employees (current and new) on
    privacy policies and procedures.
  • Must amend all business associate contracts to
    establish the permitted and required uses and
    disclosures of PHI.
  • Must verify the identity and authority of person
    requesting PHI.

Organizational and Administrative Requirements
  • Must disseminate a notice of our privacy
    practices to existing clients and all new clients
    and within 60 days of any material revision.
  • Must notify clients every 3 years of the
    availability of the notice.
  • A covered entity with a website must post their
    notice on the web.

Organizational and Administrative Requirements
  • Must document compliance with notice requirements
    and keep copies of notices issued.
  • Must document who is responsible for receiving
    and processing client inquiries regarding his/her

Organizational and Administrative Requirements
  • Must provide a process for individuals to make
    complaints and document such complaints and their
  • Must develop anti-retaliation policy.

Who has to follow HIPAA?
Who Is Impacted?
  • Health care providers: A provider of medical,
    psychiatric, or other health services, and any
    other person or entity furnishing health care
    services or supplies.
  • Health plans: An individual or group health plan
    that provides or pays the cost of medical care.
  • Clearinghouses: A public or private entity that
    processes or facilitates the processing of
    non-standard data elements of health information
    into standard data elements and who transmits any
    health information in electronic form in
    connection with a transaction covered in the
  • Business Associates and Trading Partners

Business Associate
  • A person or entity to whom a covered entity
    discloses protected health information, to
    perform a function on behalf of or to provide
    services to a covered entity.
  • Includes lawyers, accountants, consultants, and
    accrediting agencies.
  • Must have a contract obligating them to safeguard
    protected health information.

Business Associate Contracts
  • Must establish the permitted and required uses
    and disclosures of protected health information
    by the business associate and may not authorize
    further disclosure in violation of the
  • If the covered entity knows of a practice or
    pattern of activity that constitutes a material
    breach of the business associate's obligations
    under the contract, the covered entity must take
    reasonable steps to ensure cure of the breach or
    terminate the contract or report the problem to
    the Secretary of Health and Human Services.

Business Associate Obligations
  • Must not use or disclose protected health
    information in violation of the law or contract.
  • Implement safeguards against improper use or
  • Ensure that any agents or subcontractors agree to
    fulfill contractual and legal obligations.
  • Afford individual access to records; make
    available records for amendment by the
    individual; account to the individual for use or
    disclosure other than for payment, treatment, or
  • At termination of the contract, return or destroy
    protected health information.

What Is Impacted?
  • A transaction is the exchange of information
    between two parties to carry out financial and
    administrative activities related to health care.
    It includes
  • Health claims or encounter information,
  • Health care payment and Explanation of Benefits

What Is Impacted? Transactions Continued
  • Coordination of benefits,
  • Enrollment/disenrollment in a health plan,
  • Eligibility for a health plan,
  • Health plan premium payments,
  • Referral certification and authorization,
  • First report of injury, and
  • Health claims attachments.

What Is Impacted?
  • Protected Health Information is defined as any
    information, whether oral or recorded, in any
    form or medium, that-
  • Is created or received by a provider, health
    plan, public health authority, employer, life
    insurer, school, or clearinghouse and
  • Relates to the past, present or future physical
    or mental health or condition of an individual,
    the provision of health care to an individual, or
    the past, present, or future payment for the
    provision of health care to an individual.

What is considered Protected Health Information?
  • A person's name, address, birth date, age, phone
    and fax numbers, e-mail address
  • Medical records, diagnosis, x-rays, photos,
    prescriptions, lab work, test results
  • Billing records, claim data, referral
    authorizations, explanation of benefits
  • Research records

The Board may create, use and share a person's PHI for
  • Treatment
  • Billing and Payment
  • Agency Business Management and Operations
  • Disclosures Required by Law
  • Public Health and Other Governmental Reporting

PHI Consent
  • Some uses and disclosures of PHI do not require
  • The use and disclosure of protected health
    information relating to treatment, payment, or
    health care operations does not require prior
    written consent.

Minimum Necessary Rule
  • When using or disclosing Protected Health
    Information (PHI) or when requesting PHI from
    another covered entity, The Board must make
    reasonable efforts to limit PHI to the minimum
    necessary to accomplish the intended purpose of
    the use, disclosure, or request, unless an
    exception applies.

Minimum Necessary Rule: Exceptions
  • The minimum necessary requirement does not apply
    in the following instances
  • Disclosures to or requests by a health care
    entity for purposes of treatment.
  • Uses or disclosures made to the individual who is
    the subject of the PHI.
  • Uses or disclosures made pursuant to a valid
    authorization initiated by the individual.
  • Disclosures to the secretary of the Department of
    Health and Human Services (HHS).
  • Uses or disclosures that are required by law.
  • Uses or disclosures required for compliance under
    HIPAA, including compliance with the
    implementation specifications for conducting
    standard data transactions.

Requests for Disclosure
  • The Board may rely on a request for disclosure as
    the minimum necessary for the stated purpose
  • Making permitted disclosures to public officials,
    if the public official represents that the
    information is the minimum necessary for the
    stated purpose(s).
  • The information is requested by another covered
  • The information is requested by a professional
    who is a member of The Board's workforce or is a
    business associate of Board for the purpose of
    providing professional services to The Board if
    the professional represents that the information
    requested is the minimum necessary for the stated
  • The information is requested for research
    purposes and the person requesting the
    information has provided documentation or
    representations to The Board verifying such
    intended purpose.

Using and Disclosing PHI Without Consent
  • For workers' compensation purposes.
  • Appointment reminders and health-related
    benefits or services.
  • For fundraising activities, public health
    activities, organ donations, and for research
  • When a disclosure is required by federal, state,
    or local law, judicial or administrative
    proceedings, or law enforcement.
  • Disclosure without your consent can occur in
    certain emergency treatment situations.
  • To avoid harm.
  • For specific government functions.

  • In certain instances, as permitted or required by
    law, The Board can or must disclose an
    individual's PHI, even where there is no specific
    consent or authorization from the individual to
    do so.
  • No PHI will be disclosed without precautions
    being made to assure that the identity of the
    person requesting PHI information is verified and
    that they have the authority to have access to
    the information requested.

Verification of Identity
  • When the identity of the person seeking
    disclosure of an individual's PHI is not known to
    The Board, verification of the person's identity
    is as follows
  • If the request is made in person, presentation of
    an agency identification badge, other official
    credentials, or other proof of government status.
  • If the request is in writing, the request is on
    the appropriate government letterhead
  • or other accepted proof of identity is
  • If the disclosure is to a person acting on behalf
    of a public official, a written statement on
    appropriate government letterhead that the person
    is acting under the government's authority or
    other evidence or documentation of agency, such
    as a contract for services, memorandum of
    understanding, or purchase order, that
    establishes that the person is acting on behalf
    of the public official.

Verification of Authority
  • To verify the authority of a public official, The
    Board may rely on any of the following
  • 1. A written statement of the legal authority under
    which the information is requested, or
  • 2. If a written statement is impracticable, an
    oral statement of such legal authority.
  • 3. If a request is made pursuant to legal
    process, a warrant, subpoena, order, or other
    legal process issued by a grand jury or a
    judicial or administrative tribunal will be
    presumed to constitute legal authority.

Privacy Notice
  • Every client is provided with a Notice of Privacy
    Practices upon enrollment at a contract agency.
    The Notice describes:
  • How the MHRB can use and share protected health
    information, and
  • Every client's privacy rights
  • The privacy notice is also published on the
    MHRB's web page.
  • Copies of the Notice of Privacy are available
    from the Privacy Officer or Secretary.

Clients' PHI Rights
  • One of the purposes of the new HIPAA rule is to
    give clients more control over their PHI. Such
  • The right to request limits on uses and
    disclosures of their PHI.
  • The right to choose how the agency sends PHI to
  • The right to view and obtain copies of their PHI.
  • The right to correct or update their PHI.

How do clients exercise these rights?
  • Special forms to request changes, corrections,
    copies, etc. are available from the Privacy

What client information must be protected?
  • We must protect a client's personal and health
    information that
  • Is created, kept, filed, used or shared
  • Is written, spoken, electronic or digital
  • As already stated, HIPAA defines client personal
    and health information as Protected Health
    Information or PHI for short.

When do we start?
How will HIPAA affect your duties?
  • If you currently see, use, share and/or create a
    person's protected health information as part of
    your job or duties, HIPAA will change the way you
  • You must protect the privacy of the client and
    MHRB's workforce protected health information.

When can you use PHI?
  • ONLY to do your job or duties!
  • At all other times, protect a client's
    information as if it were your own information!

How can you use PHI?
  • You may look at a person's PHI only if you need
    it to do your job or duties.
  • You may use a person's PHI only if you need it
    to do your job or duties.
  • You may give a person's PHI to others when it is
    necessary for them to do their
  • You may talk to others about a person's PHI only
    if it is necessary to do your job or duties.

Why is HIPAA important?
  • Protecting privacy is important!
  • We all want our PHI to be private
  • Our clients want their PHI to be private
  • It's the right thing to do
  • It's the law

What can happen if we don't follow HIPAA?
  • Someone who does not protect a person's personal
    and/or health care privacy could
  • Lose his/her job
  • Pay fines
  • Go to jail

  • Fines range from 50,000 to 250,000 per incident

  • Jail terms can be up to 10 years per incident

Did you know?
  • The Board must protect your personal health
    information with as much diligence and security
    as we protect clients' PHI.

When do we have to protect PHI?
HIPAA Stories
  • Please read the following two HIPAA stories
    carefully as you will be asked to discuss them
    on the quiz.

HIPAA Story 1: Annie
After serving on the clients' rights appeal
committee, I ran into the customer, Annie, who
filed the appeal, at the grocery store. She came
up to me and started talking about her appeal,
the medications she was placed on and how she was
not feeling any better. I told her I could not
discuss her appeal, that it was confidential, and
that it takes time for some medications to work.
Did I do the right thing?

HIPAA Story 2: Barry
I happened to be using the copier in the MHRB
office when a fax arrived. I did not read any of
the details but recognized the client name on the
incident report. I did not do anything with the
information and kept it to myself. Did I do the
right thing?

Where to Find Out More About HIPAA
  • The Privacy Notice is on the agency's Internet
    Website www.whmhrb.org
  • Contact Kim Tapie, Compliance and Privacy Officer
    with questions and/or concerns
  • Review HIPAA materials in the Board's Operations

The End!
Congratulations! You have completed The HIPAA
Privacy Training.