Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA/HITECH Training (Clinical Non - Patient Care Areas)

Published byZayne Holroyd Modified over 9 years ago

Similar presentations

Presentation on theme: "HIPAA/HITECH Training (Clinical Non - Patient Care Areas)"— Presentation transcript:

1 HIPAA/HITECH Training (Clinical Non - Patient Care Areas)
HIPAA Job Specific Education

2 Objectives Participants will be able to:
Describe an overview of HIPAA and HITECH privacy key definitions and principles Describe how HIPAA and HITECH affect job duties List tips and guidance for applying privacy requirements This course is designed to Provide an overview of HIPAA and HITECH privacy key definitions and principles Describe how HIPAA and HITECH affect job duties Give tips and guidance for applying privacy requirements

3 HIPAA Terminology HIPAA: Health Insurance Portability and Accountability Act HITECH: Health Information Technology for Economic and Clinical Health Act PHI: Protected Health Information CE: Covered Entity (Hospital) ACE: Affiliated Covered Entity (Common ownership) OHCA: Organized Health Care Arrangement (The hospital and medical staff will be considered an Organized Health Care Arrangement) DRS: Designated Record Set (medical record and billing record) AOD: Accounting of Disclosures (patient’s right to receive) Directory: Hospital census list used by volunteers and operators with name and room

4 Hospitals are required by law to maintain the privacy of patients’ health information.
It is everyone's responsibility to ensure patient information is properly protected and safeguarded!

5 Facility Privacy Official (FPO)
What is a FPO? The FPO is the “go-to” person for any Potential patient privacy issues Questions on patient privacy matters Patient privacy complaints FPO for OU Medical Center Systems is Joan Crall FPO for OUMC-Edmond is Wanda Price FPO or Facility Privacy Official oversees the facility’s patient privacy program and is the “go-to” person for Any potential patient privacy issues Questions on patient privacy matters Patient privacy complaints. FPO also ensures work force members are properly trained.

6 HIPAA Definition & Purpose
What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. Federal Law. What is the purpose of the law? Guarantee privacy and security of health information Protect health insurance coverage, improve access to healthcare Reduce fraud, abuse and administrative health care cost Improve quality of healthcare in general The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The purpose of the law: -Guarantee privacy and security of health information -Protect health insurance coverage and improve access to health care -Reduce fraud, abuse and administrative health care costs

7 HITECH Definition & Purpose
What is HITECH? The Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law by the President on February 17, It is the part of the American Recovery and Reinvestment Act of 2009. It is a Federal Law. HITECH Act strengthens those patient privacy protections of HIPAA and places additional requirements on the healthcare community. What is the purpose of the law? Makes massive changes to existing privacy and security laws Increases penalties for privacy and security violations Creates a nationwide electronic health record The Health Information Technology for Economic and Clinical Health Act or also called HITECH was signed into law by the President on February 17, It is the part of the American Recovery and Reinvestment Act of 2009. The purpose of the law: - The HITECH Act makes massive changes to existing privacy and security laws, particularly the Administrative Simplification provisions of the HIPAA and its implementing regulations. In addition to changing existing HIPAA regulations, HITECH also rolls out sweeping new federal privacy and security laws. - Increases penalties for privacy and security violations - Creates a nationwide electronic health record HITECH Act strengthens those patient privacy protections of HIPAA and places additional requirements on the healthcare community. ( It is also important to note that individual states may have specific privacy laws that is more stringent than the federal privacy laws. In such case, the state law must be followed.)

8 Let’s look at some of the details of these changes.
HITECH Changes While there are many changes as a result of HITECH, some of the more substantial changes include: Requirements for notification when certain breaches of protected health information (PHI) occur Strengthened criminal provisions Additional audit capabilities by the Office of Civil Rights Changes to the patient's right to access his or her health information Let’s look at some of the details of these changes. While there are many changes as a result of HITECH, some of the more substantial changes include Strengthened criminal provisions Requirements for notification when certain breaches of protected health information (PHI) occur Additional audit capabilities by the Office of civil rights Changes to the patient's right to access his or her health information In the next few slides, we'll discuss some of these changes in detail.

9 Breach Notification A breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Certain breaches of protected health information can result in potential significant risk of harm to the patient and now require notification to: The patient The Department of Health and Human Services And in some situations, the media An unauthorized acquisition, use, access, or disclosure of unsecured PHI that poses a significant risk of financial, reputational, psychological and or emotional harm to the patient is considered a HITECH breach. We required by HITECH to notify the patient, the Department of Health and human Services and in some cases the media when these breaches occur.

10 Civil Monetary Penalties for Non-Compliance*
Violation Category Each Violation All such violations of an identical provision in a calendar year Did Not Know $100-$50,000 $1,500,000 Reasonable Cause $1,000-$50,000 Willful Neglect – Corrected $10,000-$50,000 Willful Neglect – Not Corrected $50,000 There are four categories of violations: - Did not know - Reasonable cause - Willful neglect that has been corrected - Willful neglect that has not been corrected. Each category has a range of civil monetary penalties associated with the type and that penalty can reach up to 1.5 million. Privacy violations can result in large fines from facilities and work force members that are non-compliant. it is everyone's responsibility to ensure patient information is properly protected and safeguarded. * As of 2/17/2009

11 Criminal Penalties for Non-Compliance
For health plans, providers, employees, clearinghouses and business associates that knowingly and improperly disclose information or obtain information under false pretenses can be assess penalties. These penalties can also apply to any “person”. up to $50,000 and one year in prison for obtaining or disclosing protected health information (PHI) up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses" up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm Penalties are higher for actions designed to generate monetary gain.

12 What is Protected Health Information (PHI)?
PHI is the information pertaining to healthcare that contains any of these identifiers. People often believe that if the patient's name is removed then the information is not PHI. That is not true. There are many types of patient identifying information. Name Address including street, county, zip code and equivalent geocodes Name of relatives Name of employers All elements of dates except year (DOB, admission/ discharge, expiration, etc. ) Telephone numbers Fax numbers addresses Social Security number Medical Record number Health plan beneficiary number Account number Certificate/license number Any vehicle or other device serial number Web universal resource locator (URL) Internet protocol address (IP) Finger or voice prints Photographic images Any other unique identifying number, characteristic or code PHI is the information pertaining to healthcare that contains any of these identifiers. People often believe that if the patient's name is removed then the information is no PHI. That is not true. As you can see from this list there are many other data elements that make information identifiable.

13 How will HIPAA affect you?
Coversheets with confidential statement need to be used on all faxes. Screens will need to be placed out of public view and screensavers in use Patients will identify who their information can be discussed with, including family. All PHI will need to be placed in Shred-It containers (e.g., dietary slips) Patient information should only be accessed if there is a need to know and only the minimum necessary used Adhere to all Information Security Policies and Standards.

14 Minimum Necessary Only workforce members with a legitimate “NEED TO KNOW” may access, use or disclose PHI - Regardless of the extent of the access provided Only the minimum amount of PHI necessary may be used to accomplish the intended purpose of the access, use or disclosure Workforce members CANNOT access their own record - Contact HIM/medical records to request access Only workforce members with a legitimate “NEED TO KNOW” may access, use or disclose PHI regardless of the extent of the access provided. Workforce members must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Workforce members cannot access his/her own record; A workforce member should contact HIM/medical record to request his/her own PHI.

15 Notice of Privacy Practices (NOPP)
The patient receives NOPP at each registration. Patient privacy rights are outlined in the NOPP: Right to Access Right to Amend Confidential Communication Right to Restrict Right to Opt out of the Directory Right to Request an Accounting Disclosure Each patient receives Notice of Privacy Practices or NOPP at each registration. NOPP outlines the following information about patient’s Privacy Rights: Right to Access Right to Amend Confidential Communication Right to Restrict Right to Opt out of the Directory Right to Request an Accounting Disclosure The next slides will show these in detail.

16 Right to Privacy Restrictions
Patients have the right to request a privacy restriction of their PHI NEVER agree to a restriction that a patient may request. Always refer the individual to the FPO All requests must be made in writing and given to the FPO to make a decision on No request is so small that it should not be routed to the FPO

17 Accounting of Disclosures (AOD)
An individual has a right to receive an AOD of protected health information made by a covered entity for up to 6 years: Medical & Billing records All required state reporting Births and Deaths Tumor Registry reporting Domestic/Child Abuse suspect reporting Very complex to implement Due to HITECH, additional requirements are forthcoming

18 Patient Privacy Complaints
ALL privacy complaints must be routed to the FPO FPO maintains complaint log in accordance with the complaint process No retaliatory actions can be taken Disposition of the complaint must be consistent with the facility’s Sanctions for Privacy Violations The Meditech Risk Management module may be used for complaint tracking For More Information Review: Policy #: Patient Privacy – Privacy Complaint Process

19 Examples of Exposure Lack of knowledge regarding permitted uses of PHI
Discussions of patient information in public places such as elevators, hallways and cafeterias Inappropriate control or use of patient lists with PHI PHI in regular trash Records that are accessed without need to know in order to perform job duties

20 Examples of Exposure Cont.
Sharing passwords Using business agents without contracts and appropriate Business Associate Agreements Sharing PHI without an authorization when one is required Failure to act proactively to prevent, detect, or correct privacy or security breaches Discussing patient information on social networking sites (e.g., Facebook, Twitter)

21 For More Information Review:
Sanctions There is a sanctions policy to address privacy and information security violations Types of violations can include: Negligent (accidental or inadvertent) Intentional (purposeful) For specific information on sanctions policy contact FPO and/or review the facility’s policy For More Information Review: Policy #: Patient Privacy – Sanctions for Privacy and Information Security Violations

22 Patient Privacy Policies and Forms on the Intranet

23 Test Your Knowledge Do you know who your FPO is?
What kinds of privacy rights does the patient have? Can a patient amend their record? Do you know who to refer patient privacy questions or complaints to? What is an Accounting of Disclosures? When can you access, use or disclose the patient’s PHI? Where do you dispose of patient information?

24 The following are the policies related to the HIPAA/HITECH
The following are the policies related to the HIPAA/HITECH. Review them further as needed: 20-01: Patient Privacy – Community Clergy Access to Patient Listings Under HIPAA Privacy Standards 20-02: Patient Privacy – Designated Record Sets  20-03: Patient Privacy – Determination of, and Uses and Disclosures of De-Identified Information 20-04: Patient Privacy – Authorization for Uses and Disclosures of PHI 20-05: Patient Privacy – Hybrid Entity 20-06: Patient Privacy – Limited Data Set and Data Use Agreement  20-07: Patient Privacy – Marketing Under the HIPAA Privacy Standards/HITECH 20-08: Patient Privacy – Patient’s Right to Opt Out of Being Listed in Facility Directory  20-09: Patient Privacy – Privacy Complaint Process 20-10: Patient Privacy – Sanctions for Privacy and Information Security Violations 

25 Policy and Procedure Cont.
20-11: Patient Privacy – Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is not Required 20-12: Patient Privacy – Uses and Disclosures of Patient Health Information to Other Treatment Providers Under the HIPAA Privacy Standards  20-13: Uses and Disclosures of Patient Health Information to Patients’ Family Members or Friends for Patient Care Purposes 20-14: Patient Privacy – Uses and Disclosures Required by Law 20-15: Patient Privacy – Verification of External Requestors HIPAA and PHI 20-16: Patient Privacy – Electronic Incident Response 20-17: Patient Privacy – Confidential Patient Status 20-19: Patient Privacy – Photographing, Video Recording, Audio Recording, and Other Imaging of Patients, Visitors, and Workforce Members 20-20: Patients’ Right to Access

26 Thank you for your attention and for protecting our patient’s PHI
Thank you for your attention and for protecting our patient’s PHI. Every patient, every time!

Download ppt "HIPAA/HITECH Training (Clinical Non - Patient Care Areas)"

Similar presentations

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Independent Contractor Orientation HIPAA What Is HIPAA? Health Insurance Portability and Accountability Act of 1996 The Health Insurance Portability.

Independent Contractor Orientation HIPAA What Is HIPAA? Health Insurance Portability and Accountability Act of 1996 The Health Insurance Portability.
An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.

An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Privacy Keys to Success Education for Health Care Professionals.

HIPAA Privacy Keys to Success Education for Health Care Professionals.
Confidentiality and HIPAA

Confidentiality and HIPAA
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.

The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.
HIPAA Job Specific Education1 HIPAA Privacy Keys to Success Updated January 2010.

HIPAA Job Specific Education1 HIPAA Privacy Keys to Success Updated January 2010.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.

WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

Similar presentations

Ads by Google