HIPAA Overview (Health Insurance Portability and Accountability Act 1996) PCS HIPAA Privacy Rule...
![Page 1: HIPAA Overview (Health Insurance Portability and Accountability Act 1996) PCS HIPAA Privacy Rule Training - 4/28/2015.](https://reader036.fdocuments.net/reader036/viewer/2022062304/56649c985503460f94954be0/html5/thumbnails/1.jpg)
HIPAA Overview (Health Insurance Portability and
Accountability Act 1996)
PCS HIPAA Privacy Rule Training - 04/18/23
What is HIPAA?
• Health Insurance Portability & Accountability Act of 1996
• Public Law 104-191
• Sponsored by - Kennedy & Kassebaum
• Five Titles:
  • Title 1: Insurability and Portability
  • Title 2: Administrative Simplification
  • Title 3: Tax Implications
  • Title 4: Group Health
  • Title 5: Revenue
What is the purpose of HIPAA?
• Reduce health care costs/fraud/abuse
• Control use/disclosure of “protected health information” (PHI)
• Identify provider responsibilities and accountability
• Increase consumer’s rights - PHI
• Regulate how PHI is transferred/managed by technology, individuals, and agencies
• Provide consistent standards
• Assure privacy and security of confidential protected healthcare information (PHI)
Administrative Simplification: HIPAA Regulations and Deadlines
• Privacy Regulations - Identifies what health care information is protected. Deadline: April 14, 2003
• Electronic Transaction/Code Sets - Sets uniform standards. Deadline: October 2003 with Extension
• Security Regulations - Identifies how information is to be protected. Deadline: April 21, 2005
• Identifier Standards - Employer, Payer, National. Deadline: Employer ID finalized/Others Pending
HIPAA Definitions
The nuts and bolts!
Healthcare Operations
Includes “general administrative and business
functions” necessary for a covered entity to
remain a viable business (i.e., audits, quality
improvement functions, assessments)
Health Information
Any information recorded in any form or medium which:
• Is created/received by a Covered Entity that creates, receives, uses, or transmits PHI;
• Relates to the past, present, or future physical/mental health condition of an individual, their participation in, or payment for such services, and
• Identifies the individual.
Protected Health Information (PHI)
All individually identifiable health care data or information collected, maintained, or transferred by a Covered Entity
Protected Health Information (PHI) Examples
• Name
• Address
• Social Security #
• Birth Date
• Demographic info. (some)
• Email address
• Health Plan #
• License/Certificate #
• Vehicle identifiers
• Bio-metric identifiers
• Telephone numbers
• Place of employment
• Account numbers
Privacy Notice
• Written document in plain language
• Posted & shared with consumers at intake
• Explains how their PHI will be used/disclosed by agency
• Identifies consumer’s rights
• Lists agency/provider duties to protect PHI, abide by the Privacy Notice
• Identifies how changes in notice will be communicated
Designated Record Set
A group of records maintained by or for a covered entity/agency
Includes any records used, in whole or in part, to make decisions about the consumer’s treatment (medical record, billing, etc.)
PCS Clinical Records Policy
Use vs. Disclosure
Use
Sharing, utilization, examination, & analysis of PHI maintained internally within the agency
Disclosure
Release, transfer, access to, or sharing in any manner PHI outside the agency maintaining the information
Minimum Necessary Rule
Rule applies to Uses/Disclosures
Covered Entities must make reasonable efforts to
limit use, disclosure, & requests for PHI to the
“minimum necessary” in order to accomplish the
intended purpose except when an authorization is
obtained
Minimum Necessary Rule
• Amount of information needed to achieve the purpose
• Applies to all forms of communication
• Use - Requires policies & procedures classifying staff by role/position and the PHI to which they may have access
• Disclosure - Requires policies & procedures addressing criteria to limit disclosure & reviewing of requests
• Must limit requests to that which is necessary
• Does not apply to consumer requests/authorizations, disclosures required by law or healthcare provider for treatment purposes
Access to PHI (Protected Health Information)
Opportunity to approach, inspect, review,
and make use of data or information
Actions by a consumer or healthcare
provider with appropriate
authorization
HIPAA’s Privacy Rule
Privacy Rule
• Applies to all protected healthcare information (PHI)
• Does not prohibit the exchange of PHI for treatment, payment, or health care operations (TPO) within the agency
• Written Acknowledgement required
Privacy Rule Highlights
• Protects privacy of medical records and covers:
  • Electronic records & printouts of records
  • Written records
  • Oral communications
• Consumer acknowledgement that PHI may be used for routine purposes (TPO)
• Privacy Notice - Documents consumer’s rights and the agency’s responsibilities to protect and manage PHI
Consumers’ Rights under HIPAA
Consumers may:
• Inspect/copy their medical record information
• Request to amend information if they believe it to be inaccurate or incomplete
  • Request must be in writing
  • Agency must respond within 15 days (VA law)
  • If request is denied - consumer may appeal this decision to the CSB or federal government
Consumer’s Rights under HIPAA
Consumers may:
• Request a Disclosure History
• Request confidential communications through alternative addresses/phone numbers
• Have access to a designated individual or Office of Civil Rights at Health & Human Services to report violations of their rights
• Request restriction on use/disclosure of their PHI
Privacy Regulations
Allow flow of PHI for treatment, payment, & related health care operations (TPO)
Prohibit flow of PHI unless voluntarily authorized by the consumer
Allow consumer to know who is accessing their PHI outside of TPO use
Allow consumers to obtain access to their records & request amendment of records if the consumer feels they are inaccurate or incomplete
Provider Responsibilities
• Provide formal complaint handling system
• Allow use of de-identified data
• Follow “minimum necessary” requirements
• Establish Business Associate Agreements
• Duty to mitigate damage if violations occur
• Establish sanctions for HIPAA violations
Privacy Penalties
• Wrongful Disclosure Offense: $50,000 fine, imprisonment of not more than one year, or both.
• Offense Under False Pretenses: $100,000 fine, imprisonment of not more than 5 years, or both.
• Offense with Intent to Sell Information: $250,000 fine, imprisonment of not more than 10 years, or both.
Uses/Disclosures not requiring Authorization
• To the consumer or legally authorized representative of the consumer
• To health oversight agencies
• To the Department of Health & Human Services for investigation and enforcement purposes
• By court order (as outlined in CFR 42 - strictest)
Uses/Disclosures not requiring Authorization
To U.S. Public Health Authorities - to prevent or control disease, injury, or disability
In following disclosure procedures for deceased consumers as outlined in VA law
To consumers exposed to communicable disease or at risk of contracting or spreading disease - under law & public health intervention/investigation
Uses/Disclosures not requiring Authorization
• For reports of suspected child abuse or neglect to the appropriate authority
• For reports about an adult victim of abuse, neglect, or domestic violence
  • State’s mandatory reporting laws
  • Inform the individual of the report
  • Seek the individual’s agreement when possible
  • Can report without the individual’s agreement
Uses/Disclosures not requiring Authorization
Healthcare Oversight Activities Authorized by Law:
• Audits
• Investigations (as permitted by CFR 42)
• Inspections (i.e., Health Inspection of facilities)
• Civil/criminal/administrative proceeding/action by a properly executed court order (CFR 42)
• Other appropriate oversight actions:
  • Government regulatory programs
  • Government benefit programs - for eligibility
Privacy Preemption
HIPAA will preempt other federal or state laws relating to PHI (except for those more stringent than HIPAA)
HIPAA is not added red tape but...
Applying BEST PRACTICES to protect Mr. Hipp’s confidential healthcare information in a world where inappropriate sharing of PHI could result in:
• Identity theft
• Loss of privacy and control over healthcare information
• Possible discrimination practices
• Consumer Rights violations
How does the Privacy Rule affect Piedmont CSB?
New HIPAA Forms & Policies
• Privacy Notice
• Right to Access Policy
• Request For Amendment Policy
• Minimum Necessary Policy & Procedure
• Tele-facsimile Policy
• Email Policy
• Business Associates Agreement
• Authorization to Release Information
Privacy Notice
• Replaces the “Your Rights” Form
• Describes use and disclosure of health information.
• Special circumstances for disclosure.
• Other uses and disclosure only with authorizations.
• Describes revisions to policy.
• Lists Privacy Officer, Regional Advocate and Office of Health & Human Services contact numbers.
MUST BE POSTED AT ALL SERVICE SITES
Right to Access PHI
All individuals and/or legally appointed representatives have a right to inspect and/or obtain a copy of their medical record.
Exceptions
• Use in civil, criminal proceeding
• Inmate of correctional facility and if could jeopardize health & safety
• Involved in research that includes treatment he/she agreed not to have access to the information.
• The individual’s psychiatrist or psychologist has determined that the information could be injurious to the individual’s mental or physical well-being.
Procedures outlined in policy
Request to Amend Medical Record
All consumers have a right to request an amendment to their medical record.
Must be requested in writing to the primary clinician.
PCS has 60 days to respond to the request.
Can request an extension of 30 days.
Denial of Request to Amend
a. May deny the request if the information was not created by the agency;
b. May deny the request if the individual who created the information that the individual served wants amended is no longer an employee of the agency;
c. May deny the request if the information in the record is currently accurate and complete.
Amendment Approved
a. The agency shall make the amendment. The minimum amendment accepted is identifying the information to be amended then providing a link to the amended information.
b. Inform the individual served that the amendment(s) is accepted.
c. Obtain from the individual served the names and addresses of individuals who need to have the amended information.
d. Attempt to reach those individuals who need to have the amended information.
e. Attempt to contact other persons or business associates regarding the amended information if the information was detrimental to the client.
Minimum Necessary Policy
Privacy Rule requires that covered entities take reasonable steps to limit the use and disclosure of PHI.
Only the information necessary to meet the request is to be released.
The medical record in its entirety will not routinely be released.
All release of information must be approved by the lead clinician.
Fax Policy
All personnel must strictly observe fax policies.
May be faxed under certain circumstances
May not be faxed under certain circumstances
Protocol for faxing PHI.
Security of PHI when faxing.
Email Policy
The e-mail system and all messages generated or handled by PCS’s equipment are considered part of business operations.
PCS reserves the right to monitor, audit, and delete email messages.
It is not the policy of PCS to routinely monitor the contents of email; this is done only when a situation warrants such an action.
All emails containing PHI MUST BE encrypted before sending.
Email encryption procedures will be forthcoming. Until then, no PHI should be sent via email.
Business Associates Agreement
Business Associates - An entity that does things on our behalf and with whom we share/give access to PHI
Business Associate Agreement - Establishes permitted uses, disclosures, and safeguards for PHI
Examples: CSB Attorney, CARF, social services, auditors…
Authorization to Release Info
Changes made to the disclaimer statement.
Authorizations must be on file before any information can be released.
All releases of information must be recorded and made available to consumers upon request.
Frequently Asked Questions
Documentation on PCS Intranet.
Other questions, contact Kippy Cassell
HIPAA is basically instituting best practices to protect the consumer’s privacy and confidentiality.