Health Insurance Portability and Accountability Act

Presentation on theme: "Health Insurance Portability and Accountability Act"— Presentation transcript:

1 Health Insurance Portability and Accountability Act
HIPAA is a law that JIRDC staff must follow. This program will focus on the rights of people who live at JIRDC and their guardians. As a consumer of health care, you also have these rights. Click to go to the next slide.

2 The Health Insurance Portability and Accountability Act (HIPAA)
What is HIPAA? What does this mean to us at JIRDC? What are the six Privacy Rights? What is Protected Health Information (PHI)? What do we do with PHI? What changes must we make here at JIRDC? How long do we have and what if we don’t? These are the questions that will be answered in this program.

3 HIPAA - What is it?
Congress passed a law – the Health Insurance Portability and Accountability Act (HIPAA) – in order to require insurance companies, hospitals, and other health care providers to protect people’s privacy. JIRDC has been classified as a health care provider, so we must meet the requirements of this law.

4 What does it mean to us?
People who live at JIRDC and their guardians have six Privacy Rights. We must understand what Protected Health Information (PHI) is. We must be very careful with PHI and learn to use “minimum necessary.” All staff must receive Privacy training. Since the people living at JIRDC all have a guardian who has been appointed, the guardian will be the person who exercises these rights.

5 Residents Have Six Privacy Rights
The right to receive a copy of JIRDC’s Notice of Privacy Practices; the right to inspect and receive a copy of information in files we keep; the right to request a change in information; the right to know who we have shared their information with; the right to request restrictions on who we share information with; the right to request an alternative method of contact. These are the six rights under HIPAA. Each right will be discussed in detail. Because the people living at JIRDC each have a legal guardian, the guardian will be the person who exercises these rights.

6 Notice of JIRDC Privacy Practices
Right 1: We have developed a detailed notice of JIRDC privacy practices explaining how Protected Health Information (PHI) is handled for treatment, payment, and health care operations and explaining the Privacy Rights. The social workers are responsible for sending a JIRDC Notice of Privacy Practices to each guardian.

7 Access of Individuals to PHI
Right 2: JIRDC residents and their guardians have a right to inspect certain records that we keep. The request begins with the completion of a “Request for Consumer Access to Protected Information Form.” If we receive a request by an individual to view their record (all or part), we must act on the request within 30 days. JIRDC has designated certain records that may be accessed. The primary records are the record in the home and the record housed in the Resident Records Department. The log book is an example of a record that may not be viewed because it contains information about more than one person. Staff should locate a form for the guardian to sign when they wish to see the records. This form will be given to the Social Worker or Home Coordinator. Although we have 30 days to allow access, it should not take long to reply to a request.

8 Location of JIRDC Records
JIRDC has identified certain records that may be inspected. The primary records are the record in the home and the record housed in the Resident Records Department. The log book is an example of a record that may not be inspected because it contains information about more than one person.

9 Location of Request Form
Each guardian must sign a form when requesting to see the records. The Social Worker or Home Coordinator will have this form. Although we have 30 days to allow access, it should not take long to reply to a request.

10 Amending PHI
Right 3: If a guardian feels that some information in the record is not correct, he may ask for a change to be made. Residents and their guardians have the right to request amendments to PHI by completing a “Request for Amendment of Health Care Information” form. We must respond to requests for amendment within 60 days. If we determine the PHI is accurate and complete, it does not have to be amended. A form must be completed and JIRDC has 60 days to respond.

11 Accounting of Disclosures of PHI
Right 4: A guardian may ask to see a record of individuals who have seen the resident’s chart for the 6 years prior to the request. This does not include disclosures for treatment, payment, or operations. This also does not include disclosures to the individual or guardian or to law enforcement. Information does not have to be provided about disclosures that occurred prior to April 14, 2003. This record will begin April 14, 2003.

12 Requesting Restrictions on Disclosures of PHI
Right 5: Guardians may request that we limit the use and disclosure of health information about residents for the purposes of treatment, payment, and operations. We are not required to agree to their request to limit the number of people who view the record. If we do agree to it, we must follow the agreed restrictions (except for emergency treatment). If a guardian wishes to request additional restrictions on people who may view the record, they may do so.

13 Receiving PHI - Alternative Means or Alternative Locations
Right 6: Guardians usually prefer that information be mailed to their home addresses and that phone calls be made to their home phones. However, a guardian may ask JIRDC to use a different address, phone number, e-mail, FAX, etc. JIRDC will use the requested method and location if this is reasonable.

14 Receiving PHI - Alternative Means or Alternative Locations
Right 6: We must provide our guardians with the opportunity to receive PHI communications by alternative means or at alternative locations (such as a work address instead of a home address). We must oblige all reasonable requests.

15 Refraining from Retaliation
Guardians who want to exercise their rights should not receive any negative responses from staff. JIRDC must not intimidate, threaten, coerce, discriminate, or retaliate against any person attempting to exercise their rights under the privacy regulations. All staff must “remain neutral” toward guardians choosing to exercise their rights. The Office of Civil Rights wants to ensure that the person exercising their rights does not have negative consequences.

16 Protecting Confidential Information Learned at JIRDC
ALL information about a person who lives at JIRDC which is learned as a result of performing your job is confidential information. According to state law, all JIRDC employees are responsible for assuring confidentiality. If you don’t protect information about people who live at JIRDC, you can be fined, suspended, or dismissed from your job. The Federal HIPAA law focuses on Protected Health Information (PHI), but ALL information about people who live at JIRDC is confidential. This is covered by state law.

17 What is Protected Health Information (PHI)?
Any health information that can be identified to a person is PHI. We are using a very liberal definition of “health information” that includes treatment, care, and demographic information. The fact that a person lives at JIRDC is PHI. PHI can be dates (except just year); record number; Social Security Number; full face photographic image; or any other unique, identifying information. It is important to know what is included in PHI.

18 Recognizing PHI When You See It
PHI is not just information in the resident record. PHI can look like anything. PHI can be spoken, such as a conversation or answering machine message. PHI can be written, such as on a piece of paper, a computer monitor, or a chalkboard.

19 Recognizing PHI When You See It
PHI reveals something about a person’s past, present, or future health or condition. PHI is individually identifiable (gives a reasonable basis for determining a person’s identity). PHI is about a specific person. You may know the person if you hear their name or if you can guess who it is by the information that is provided.

20 It can look like anything
Rule 1: It can look like anything: data appearing on computer monitors; lab test results; resident schedule boards; a conversation about a resident’s health; an appointment reminder left on a guardian’s answering machine; file server backup tapes; financial records. These are examples of PHI.

21 It reveals something about health
Rule 2: It reveals something about health. It does not have to be present health. It can also be past or future health. It does not have to be about bad health. “Joe is feeling fine” also qualifies as PHI. Since knowledge that a person lives at JIRDC strongly implies a “diagnosis” of mental retardation, this also qualifies as PHI.

22 It is individually identifiable
Rule 3: It is individually identifiable. This means that someone seeing or hearing the health information can identify the person it’s about. The information must provide a “reasonable basis” for determining the person’s identity. When health information is paired with unique identifiers (like client number or a photograph) it is always PHI.

23 What do we do with PHI?
Protect it! Keep it private by not leaving it lying around where it can be seen. Except for treatment reasons, provide the “minimum necessary” to meet the needs of the requestor. “Minimum necessary” means providing just enough information to meet the needs of the requestor and no more.

24 Some things we do to protect PHI
Pick up all meeting handouts and erase blackboards when meetings are done. Working on PHI? When you leave for lunch, cover it up AND lock it up. Talking PHI on the phone? Keep your voice low if you might be overheard. Avoid mentioning PHI at restaurants.

25 Dealing with PHI: Test Yourself
Five situations related to “minimum necessary” follow. Read each situation. Determine if each situation was handled correctly.

26 Dealing with PHI – Scenario #1
Mary is escorting four residents to a movie. As they are leaving, Mary’s supervisor tells her to make sure Phil gets to sit very close to the screen because he is having some vision problems stemming from developing cataracts. Was this situation handled correctly?

27 Dealing with PHI – Scenario #1
Since treatment of Phil’s cataracts was not involved, the “minimum necessary” rule applies here. It was appropriate for Mary’s supervisor to tell her to make sure Phil gets to sit very close to the screen because he is having some vision problems. It was not necessary to mention his cataracts. This is NOT “minimum necessary.”

28 Dealing with PHI – Scenario #2
Mary has been asked to drive Phil to a shoe store and help him purchase new shoes. Mary’s supervisor tells her to make sure Phil’s new shoes have good arch support because he has heel spurs. Was this situation handled correctly?

29 Dealing with PHI – Scenario #2
Selecting the proper shoes is a big part of the treatment of heel spurs. Communicating the fact that Phil has heel spurs was for treatment reasons, so the “minimum necessary” rule does not apply. It was appropriate for Mary’s supervisor to mention the heel spurs. It would also be appropriate for Mary to mention it to the store clerk. This is a treatment situation and “minimum necessary” does not apply.

30 Dealing with PHI – Scenario #3
A JIRDC advocate is interviewing Mary about a bruise that has appeared on Phil’s arm. Mary answers questions about the bruise, but decides not to tell the advocate about two other bruises on Phil’s leg since this information does not seem to meet the “minimum necessary” rule. Was this situation handled correctly?

31 Dealing with PHI – Scenario #3
The advocate’s investigation of possible abuse is a part of Phil’s treatment at JIRDC and the “minimum necessary” rule does not apply. Mary should have mentioned the leg bruises to the inquiring resident advocate. Advocates have the right to see all information. “Minimum necessary” does not apply.

32 Dealing with PHI – Scenario #4
Phil’s mother shows up unexpectedly with a copy of JIRDC’s Notice of Privacy Practices in her hand. She wants to examine Phil’s chart. Mary remembers this is a new right, takes her to the chart, and lets her examine it. Was this situation handled correctly?

33 Dealing with PHI – Scenario #4
Requests to examine records must be handled by the Home Coordinator. Mary should have helped Phil’s mother submit her request to the Home Coordinator in writing (required) and should not have allowed her to examine any records. A guardian must complete a written request to see the record.

34 Dealing with PHI – Scenario #5
Phil suddenly develops very shallow breathing and is taken to Grace Hospital’s emergency room. Staff take Phil’s resident record with them. The entire record is made available to emergency room physicians as they attempt to determine the cause of Phil’s shallow breathing. Was this situation handled correctly?

35 Dealing with PHI – Scenario #5
The sharing of Phil’s PHI with the staff at Grace Hospital was for treatment reasons. The “minimum necessary” rule does not apply.

36 Rules We Must Follow at JIRDC
JIRDC staff have many rules regarding the handling of PHI. Many of the rules involve how computers are used. ALL of the rules involve common sense.

37 Some Rules We Must Follow
PHI must be secured when no one is in the area – no open log books. No PHI should be viewable in public areas. No PHI should be sent in e-mail (except password-protected attachments). No PHI should be left at copy machines, fax machines, or conference rooms. Discarded PHI must be shredded.

38 Computer Rules We Must Follow
Computer monitors showing PHI must be positioned for privacy. Computer passwords must not be shared and must be reasonably “un-guessable.” Computer passwords must not be left visible or hidden where they can be found. Computer users must log off the network when leaving computers unattended.

39 More Rules We Must Follow
If you notice your login name has been changed while you were away from your computer, report it to Computer Services. If you see an “intruder lockout” message while logging into the network, report it to Computer Services. Pay attention to any unusual login names that show up on your computer. Report what you see to Computer Services.

40 Even More Rules We Must Follow
We must not discuss a resident within the hearing of other individuals or visitors. We must not leave keys unattended. When sharing resident health information, we must share the “minimum necessary” (except for treatment reasons). JIRDC must sanction staff for violations of the Privacy rules.

41 Security Awareness at JIRDC
All JIRDC staff are responsible for keeping data secure. Computer data should be kept safe by the person who created the disk, CD, or printout. All security incidents must be reported as soon as possible.

42 Security Awareness
JIRDC data must be kept secure at all times. Staff who use computers and staff who do not use computers are responsible for protecting information. Information created on JIRDC computers is considered property of JIRDC and the State of NC regardless of how information is stored. Everyone is responsible for keeping data secure.

43 Security Awareness Continued
Computer printouts, floppy disks, or CDs that are found unattended, not under the direct observation of a responsible data owner, should be picked up by the person who finds them and turned in to their supervisor. Computer data should be kept safe by the person who created the disk, CD, or printout.

44 Security Awareness Continued
A security incident is a violation, or imminent threat of violation, of computer security policies. Notify your supervisor or the JIRDC Computer Help Desk as soon as possible if you suspect a security incident has occurred.

45 Workforce Privacy Sanctions
If staff break the rules, there are levels of violations and punishments. The 1st level is “accidental.” The 2nd level is “purposeful.” The 3rd level is “malicious.” Malicious violations are the most serious and can result in loss of jobs and criminal prosecution.

46 Workforce Privacy Sanctions - Accidental Violations -
This violation occurs when an employee unintentionally or carelessly accesses or reveals resident information to others without a legitimate need to know. Examples: Discussing a resident in a public area without discretion; sharing your network password. Sanctions include verbal counseling and training or written counseling and training.

47 Workforce Privacy Sanctions - Purposeful Violations -
This violation occurs when an employee accesses or discusses information about a resident for purposes other than the care of the resident or to perform one's specific job responsibilities. Examples: Using another employee’s login name and password; looking up resident information out of curiosity. Sanctions include written counseling and training or suspension and training.

48 Workforce Privacy Sanctions - Malicious Violations -
This violation occurs when an employee accesses or reveals resident information to others for personal gain or with malicious intent. Examples: Destroying or altering data intentionally; releasing information in an attempt to harm a resident or JIRDC. Sanctions include written counseling and training, termination, and prosecution.

49 Failure to Comply Penalties
JIRDC and the employee can be punished for violations. The following fine is for JIRDC: $100/violation/person, up to $25,000 per person per year per standard violated.

50 Failure to Comply Penalties
The remaining fines and jail time apply to the employee: up to $50,000 and 1 year in prison for inappropriate use of PHI; up to $100,000 and 5 years in prison for using PHI under false pretenses; up to $250,000 and 10 years for intent to sell or use PHI for personal gain or malicious harm.

51 Let’s Review! Residents Have Six Privacy Rights
The right to receive a copy of JIRDC’s Notice of Privacy Practices; the right to inspect and receive a copy of information in files we keep; the right to request a change in information; the right to know who we have shared their information with; the right to request restrictions on who we share information with; the right to request an alternative method of contact.

52 Let’s Review! Three Rules for Recognizing PHI
PHI can look like anything. PHI reveals something about health. PHI can be identified to an individual.

53 Let’s Review! PHI Must be Protected
We must not leave it lying around where it can be seen. We must not post it in public places. We must be careful what we say when we can be overheard.

54 Let’s Review! What is “Minimum Necessary”?
Except for treatment reasons, when sharing health information about a resident you should share the minimum necessary amount of information. That means what it takes to get the job done and no more. There should be no gossiping about resident health matters.

55 Let’s Review! Violations MUST be Punished
Violations of HIPAA Privacy rules MUST be punished by JIRDC Administration. Minor violations will be viewed as training opportunities. There are some very severe penalties for violating the privacy rights of JIRDC residents. How severe? Up to 10 years in jail and a $250,000 fine.

56 How much have you learned?
You have finished the HIPAA slide show. Tell the LRC Instructor that you are ready to take the quiz. Click to end the slide show.

