HIPAA AND PRIVACY RULE

TRAINING

WHAT IS HIPAA? The Health Insurance Portability and

Accountability Act of 1996. Federal Law designed to protect

sensitive information. HIPAA violations are enforced by the

Department of Health and Human Services.

WHAT INFORMATION IS COVERED UNDER HIPAA?

Virtually ALL health information, or protected health information (PHI) in any format, to include:PaperElectronicOral

EXAMPLES OF SENSITIVE INFORMATION. Social Security number Credit Card numbers Driver’s License Research data Computer passwords Individual identifiable health information Personal information

NOTICE OF PRIVACY PRACTICES Health care providers provide them to

patients. They describe how the HIPAA-covered

entity uses and discloses health information.

WHAT IS THE PRIVACY RULE? The Standards for Privacy of Individually

Identifiable Health Information (Privacy Rule) establishes a set of national standards for the protection of certain health information.

The U.S Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)Addresses the use and disclosure of individuals

health information called “PHI” (protected health information) by covered entities subject to the Privacy Rule.

WHAT IS A COVERED ENTITY? A covered entity is any person or

organization that furnishes, bills or is paid for health care services in the normal course of the business.

Pursuant to HIPAA, individually identifiable health information collected or created in a covered entity is considered “protected health information” (PHI)

A COVERED ENTITY IS ONE OF THE FOLLOWING… Health Care Provider Health Plan Health Care Clearinghouse

HEALTH CARE PROVIDER This includes providers such as..

DoctorsClinicsPsychologistsDentistsChiropractorsNursing HomesPharmacies ...but only if they transmit any information

in an electronic form in connection with a transaction for which HHS has adopted a standard.

A HEALTH PLAN This includes…

Health insurance companiesHMOsCompany health plansGovernment programs that pay for health

care, such as Medicare, Medicaid, and the military and veterans health care programs

HEALTH CARE CLEARING HOUSE This includes entities that process

nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

PHI DEFINED Protected Health information. Any information that can be used to

identify a patient (whether living or deceased) and which relates to the patient’s past, present, or future physical or mental health or condition, including healthcare services provided and the payment for those services.

IDENTIFIERS UNDER HIPAA Patient name Telephone number Social Security number Fax number Vehicle identification

number Email address Web URL’s Dates Names of relatives Full face photograph or

images

Health care record number

Account number Biometric identifier Device identifier Health plan beneficiary

number Certificate or license

number Any other unique

number, code, or characteristic that can be linked to an individual.

BASIC PRINCIPLE OF PRIVACY RULE To define and limit the circumstances in

which an individual’s PHI may be used or disclosed by covered entities.

A covered entity may not use or disclose protected health information, except either:as the Privacy Rule permits or requires.as the individual who is the subject of the

information (or the individual’s personal representative) authorizes in writing.

ACCESS MUST BE AUTHORIZEDAn employee may only access or disclose a patient’s PHI when this access is part of the employee’s job duties.

UNAUTHORIZED ACCESS It is never acceptable for an employer to

look at PHI “just out of curiosity” even if no harm is intended.

All information is entitled to the same protection whether it may be from a close friend or family and must be kept private.

AUTHORIZATIONS Covered entity may use/disclose PHI to

carry out essential health care functions. TreatmentPaymentHealth care operations

Disclosures for other purposes usually require a specific, written authorization from the individual of the information.

TREATMENT

Treatment means the provision, coordination, or management of health care by one or more health care providers, including:

Consultation between health care providers; or

Patient referrals

PAYMENT

Payment means activities of:Health care providers to obtain payment or

be reimbursed for their services. Health plans to obtain premiums, fulfill

coverage responsibilities, or provide reimbursement for the provision of health care.

HEALTH CARE OPERATIONS Health care operations are

administrative, financial, legal and quality improvement activities

Necessary to run business and to support core functions of treatment and payment

Quality assessment and improvement activities

Training, accreditation, certification, credentialing, licensing, reviewing competence, evaluating performance

Fraud and abuse detection

MINIMUM NECESSARY Only members of the workforce who

need protected health information may have access to it.

You should only have access to the “minimum necessary” amount of PHI to do their job.

VERIFICATION You can disclose PHI to a person

authorized to have the PHI. You may need to verify that the

individual really is who they claim to be.

BREACHES A breach occurs when information that by

law must be protected is:Lost, stolen, or improperly disposed of (i.e.

paper or device upon which the information is recorded cannot be accounted for

Hacked into by people or mechanized programs that are not authorized to have access

Communicated or sent to others who have no official need to receive it (for example, gossip from information learned of a medical record)

WHAT DOES ALL THIS MEAN TO YOU. Do not share PHI of your client with

anybody who does not need to know, such as your family and friends.

Do not save PHI of your client to your laptop, flash drive or other electronic media unless you are required to do so.

Do not leave PHI out for everyone to see. Do not leave PHI in a voicemail message. Do not put PHI in a trash or recycle bin, but make sure it is shredded.

REMEMBER! HIPAA is a Federal Law. HIPAA mistakes can have the same

types of consequences as any mistakes you may make at work.

Purposely disclosing PHI to unauthorized individuals is a criminal offense.

Spot the HIPAA violation (8min)http://www.youtube.com/watch?v=HuEoKsN6RKU

The Omnibus Rule (3min)http://www.youtube.com/watch?v=mX-QL9PoePU

HIPAA Training for Caregivers (23min)http://www.youtube.com/watch?v=VpxkRKH60fk