Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Health Insurance Portability and Accountability Act

Published byJayson Corey Modified over 9 years ago

Similar presentations

Presentation on theme: "HIPAA Health Insurance Portability and Accountability Act"— Presentation transcript:

1 HIPAA Health Insurance Portability and Accountability Act
Presented by the UMMC Office of Integrity and Compliance

2 HIPAA As stated in the “Compliance” module presentation, the Office of Integrity and Compliance is responsible for enforcing and overseeing the HIPAA privacy regulations for UMMC. While HIPAA privacy enforcement is just one of the many responsibilities of our office, the HIPAA privacy regulations are important to each workforce member at the UMMC and thus warrants the need for a separate training module. Whether you are an office worker, a member of our housekeeping staff, physical facilities, a student, or a clinician, it is YOUR responsibility to ensure patient privacy is protected.

3 Rules and Regulations to Ensure Privacy
The Health Insurance Portability and Accountability Act (HIPAA) set Federally recognized standards to ensure both Privacy and Security of patient health information. Both standards are overseen by the Office of Civil Rights. Within UMMC, standards are enforced by Office of Integrity and Compliance, Privacy Officer Information Systems, Security Officer

4 Policies and Procedures
UMMC has created policies and procedures to facilitate compliance with all standards. These are to be followed by employees who come into contact with patient health information. The policies can be found on the UMMC Intranet or by clicking the following link:

5 HIPAA Privacy Standards
The Privacy Standards provide for the following: Boundaries for the uses and disclosures of protected health information; The implementation of administrative, technical and physical safeguards to help ensure health information remains confidential; More control of an individual's health information by the individual; and Civil and criminal penalties for violators of the standards.

6 What information is protected by the regulations?
The HIPAA Privacy Standards protect “individually identifiable health information”, which is collectively referred to as protected health information (PHI). Basically, PHI is clinical information, such as an individual’s diagnosis, in combination with some type of information that allows you to identify that individual. For instance, a diagnosis on a progress note that contains the patient’s name in right hand corner would be considered PHI. PHI can be transmitted or maintained in any form or medium, which includes PHI that is transmitted orally, stored or transmitted on paper and/or electronically.

7 Examples of PHI Some examples of confidential and protected health information: Documentation created by physicians, nurses, and other health care providers and assembled in medical records; Conversations about an individual's care or treatment between health care providers; Information about patients in UMMC’s computer system; and Billing information about an individual’s health care.

8 Information that can be used to identify a patient can include:
Health plan beneficiary number; Device identifiers or serial numbers; Biometric identifiers, including finger & voice prints; Full face photographic images or other images; Web Locators (URLs) or Internet Protocol (IP) addresses; Any other unique identifying number, characteristic, or code. Patient’s Name; Address or zip code; Month and date of service or other relevant date; Date of Birth; Telephone and/or fax number; address; Social Security Number; Medical Record or patient account numbers; Vehicle identifiers or serial numbers;

9 Which Disclosures are Allowed Without Authorization?
Except for psychotherapy notes, the privacy standards allow UMMC to disclose information without an authorization for the following purposes: To comply with the law, such as reporting communicable diseases to the Mississippi State Department of Health; For the treatment of the individual; To obtain payment for services rendered by UMMC; and/or To carry out the healthcare operations of UMMC.

10 Disclosures Allowed by Law
There are many disclosures that UMMC makes because it is required by law and therefore, no authorization is required. Some of these include but are not limited to: Disclosures about victims of child abuse Disclosures for judicial proceedings, such as responding to a subpoena Disclosures for Law Enforcement purposes

11 What is Considered Treatment Under HIPAA?
Treatment includes the management of healthcare and related services by one or more healthcare providers, including the coordination with a third party, such as a skilled nursing facility; consultations with other providers; or the referral of a patient from one provider to another. The following are examples of treatment activities: Healthcare staff orally coordinating services at the hospital nursing station. The teaching physician or dental instructor discussing a patient’s condition during training rounds.

12 Examples of Treatment Continued
A healthcare provider discussing lab test results with a patient or other provider in a joint treatment area. A dentist referring a patient to an orthodontist. Nurses or other health care providers discussing a patient’s condition over the phone with the patient, a provider, or a family member.

13 Payment The billing department uses confidential information to bill patients or their insurance companies for the services they receive.

14 What are Healthcare Operations?
Healthcare operations are activities that UMMC performs on a day-to-day basis in order to stay in business. Examples of healthcare operations include: Utilization review activities; Compliance activities; Internal auditing activities; Teaching of students; and/or Performance improvement activities

15 Disclosures/Releases with Authorizations
Disclosures, other than those previously listed, can be made by UMMC only if the patient signs an authorization. Authorizations, which are sometimes referred to as consents to release, must contain the necessary core elements and statements before the information can be released. Fulfilling an authorization that does not contain the required core elements and statements is a violation of this federal regulation. Only authorized employees can disclose patient information.

16 What YOU Need to Know About HIPAA Privacy

17 Several Important Concepts: Concept #1
Need to Know- Only access patient information if you have been assigned some form of responsibility for the patient’s care. Share information about patients only with other individuals who have a “need to know”. Part of protecting our patient’s privacy is to ensure that employees access only that information which they “need to know” in order to perform their job duties. If an employee does not have a valid reason to know a patient’s information, they should refrain from accessing it.

18 Several Important Concepts: Concept #2
Minimum Necessary- It is UMMC policy that each employee use and disclose only that information that is minimally necessary to fulfill a purpose or duty. Only access or view the minimum amount of patient health information necessary to complete your job duties.

19 Several Important Concepts: Concept #3
Patients Rights- Under HIPAA, patients have several rights related to their PHI. Below is a comprehensive list of those rights. The next slide shows how you should respond to a patient if they have questions pertaining to those rights. Right to access and obtain a copy of their medical record; Right to request an amendment to their health information; Right to receive an accounting of disclosures; The right to request that restrictions be placed on the use of his/her PHI even for the purposes of treatment, payment and healthcare operations; Right to file a complaint; Right to agree or object to being included in the hospital directory; Right to request confidential communications; and Right to a Notice of Privacy Practices

20 Patient Right How to handle request
Right to access and obtain a copy of their medical record Refer requests to Release of Information of the respective area Right to request an amendment to health information Refer requests to the Office of Integrity and Compliance Right to receive an accounting of disclosures The right to request that restrictions be placed on the use of his/her PHI even for the purposes of treatment, payment and healthcare operations Right to agree or object to being included in the hospital directory Refer inquiries to Registration Right to request confidential communications Right to a Notice of Privacy Practices Refer inquiries to the Office of Integrity and Compliance Right to file a complaint Refer complaints to the Office of Integrity and Compliance

21 Criminal Penalties Previously, employees who inappropriately accessed, used, or disclosed a patients health information were not subject to criminal penalties. UMMC would “take the blame” and the responsible employee would only receive sanctions listed within the institution’s sanction policy. Now, if you inappropriately access, use, or disclose a patient’s health information, you can be charged with criminal penalties.

22 Did You Know… The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a final rule, also known as the Omnibus Rule, on January 17, 2013 to enhance privacy and security of health information under HIPAA and the HITECH Act.

23 Revisions to HIPAA and HITECH Act
Among the changes and additions to the privacy laws include: Business Associate Accountability Authorizations Uses/Disclosures of PHI for Marketing and Fundraising Protection of Decedent PHI Breach Notifications Additional Patient Rights Restrictions on Uses/Disclosures of PHI Enforcement and Security Privacy with the Genetic Information

24 Business Associate Accountability
Defined by services such as creating, receiving, maintaining, or transmitting PHI for a Covered Entity. Include Patient Safety Organizations (PSOs), health information organizations (HIOs), and subcontractors Accountable For the Following: Uses/disclosures of PHI which do not follow its agreement or the Privacy Rule; Failure to provide notification of a breach; Failure to provide an accounting of disclosures; Failure to report PHI to the Secretary; Failure to comply with the Security Rule. Held to the Minimum Necessary Standard.

25 Authorizations Uses/Disclosures for marketing and the sale of PHI
require an Authorization. Authorizations for research can combine conditioned and unconditioned Authorizations as long as the research elements are identified separately. Written Authorization is not required for disclosure of proof of immunization to schools. Authorizations for research can include authorization for future research as long as it is stated clearly.

26 Uses/Disclosures of PHI for Marketing and Fundraising
Limits are placed on communication considered to be health care operations if a Covered Entity receives financial remuneration (payment) in exchange for the communication for the third party. If financial remuneration is received, an Authorization for release of information is required by the Covered Entity. Exceptions: Prescription refill reminders, face to face communication, and promotional gifts of minimal value. Fundraising A Covered Entity must provide a recipient of fundraising communication the opportunity, without unnecessary burden, to opt out of receiving communications and ensure future communication is discontinued if the recipient chooses to opt out.

27 Protection of Decedent PHI
Identifiable information of a person who has been deceased for more than 50 years is no longer PHI. Disclosures of decedent information to family members are allowed, unless it is not consistent with known preferences expressed by the individual.

28 Breach Notifications PHI inappropriately released without authorization is assumed to be a breach unless the Covered Entity can prove that there is low probability the PHI was compromised through a risk assessment. Risk assessments identify the type of PHI involved, the persons involved, whether PHI was acquired or viewed, and the degree to which the risk to the PHI is reduced. Notification of all breaches involving less than 500 individuals must be reported no later than 60 days after the end of the calendar year in which the breach was detected. Limited data sets with dates or zip codes are no longer exempted from breach notification.

29 Additional Patient Rights
The right to request and receive, at a reasonable cost, their health information in electronic format if the information is maintained as an Electronic Health Record (EHR). The right to apply restrictions on disclosures made to Covered Entities for any item or service, for which the patient has paid the full cost out of pocket. The right to receive a full accounting of disclosures made by the Covered Entity or Business Associate involving treatment, payment, or health care operations during the previous three years.

30 Restrictions on Uses/Disclosures
When restrictions on uses/disclosures of PHI to a health plan are enacted, the Covered Entity must use some type of notification in the medical record to identify the restrictions placed. Patients are responsible for notifying other entities of requested restrictions on uses/disclosures of PHI to a health plan.

31 Enforcement and Security
HIPAA rules continue to preempt State law, unless the state law is more stringent. OCR will investigate and penalize violations due to willful neglect. Willful neglect defined as a conscious failure. Willful neglect included in civil money penalties. Organizations must evaluate and revise security measures to ensure protection of electronic PHI.

32 Privacy with Genetic Information
HIPAA Privacy Rule identifies genetic information as PHI which is in alignment with the Genetic Information Nondiscrimination Act (GINA). Most health plans cannot use or disclose genetic information for underwriting purposes.

33 Brief Pointers Family and Friends- you should not access health information of family/friends if you do not have a need to know. VIPS- Do not access health information of individuals who are of public interest unless you have a need to know. Passwords- Do not share passwords- We audit and you will be held responsible. This includes portable devices Disposing Patient Information- if in printed format, must be disposed- NEVER throw away in regular garbage without at least shredding by hand. Ongoing Monitoring- We perform ongoing monitoring of access into patient health information. Employee to Employee access. IF WE FIND YOU ARE NOT CONNECTED TO THE PATIENT’S CARE OR DO NOT HAVE THE APPROPRIATE “NEED TO KNOW” TO COMPLETE YOUR JOB DUTIES, YOU WILL BE HELD ACCOUNTABLE.

34 More Information IF YOU HAVE QUESTIONS-
See Policies and Procedures Online- UMMC Intranet Contact the Office of Integrity and Compliance IF YOU NEED TO REPORT A VIOLATION- Directly to your superior Compliance Hotline Compliance Report Form

35 Question 1 What does HIPAA stand for?
Click on the correct letter a. Healthcare Information Policy and Assessment b. Health Insurance Portability and Accountability Act c. Health Information Privacy Act and Association

36 Question 1 CORRECT What does HIPAA stand for?
a. Healthcare Information Policy and Assessment Click here to go to next question b. Health Insurance Portability and Accountability Act c. Health Information Privacy Act and Association

37 Question 1 INCORRECT What does HIPAA stand for?
a. Healthcare Information Policy and Assessment Click here to go back b. Health Insurance Portability and Accountability Act c. Health Information Privacy Act and Association

38 Question 2 Lucy’s friend was admitted into the ICU for care. Because Lucy is an UMMC employee she does not have to follow the visitation policy and can use her badge to go into the ICU visit her friend at any time CLICK ON THE CORRECT ANSWER TRUE FALSE

39 Click here to go to next question
CORRECT Lucy’s friend was admitted into the ICU for care. Because Lucy is an UMMC employee she does not have to follow the visitation policy and can use her badge to go into the ICU visit her friend at any time Click here to go to next question TRUE FALSE

40 Question 2 TRUE FALSE INCORRECT
Lucy’s friend was admitted into the ICU for care. Because Lucy is an UMMC employee she does not have to follow the visitation policy and can use her badge to go into the ICU visit her friend at any time Click here to go back TRUE FALSE

41 Question 3 UMMC has created policies and procedures to help facilitate institutional compliance with the HIPAA privacy regulations CLICK ON THE CORRECT ANSWER TRUE FALSE

42 Click here to go to the end
Question 3 CORRECT UMMC has created policies and procedures to help facilitate institutional compliance with the HIPAA privacy regulations Click here to go to the end TRUE FALSE

43 Question 3 TRUE FALSE INCORRECT
UMMC has created policies and procedures to help facilitate institutional compliance with the HIPAA privacy regulations Click here to go back TRUE FALSE

44 The End of HIPAA Training
Please close out of this presentation and proceed to the next training presentation

Download ppt "HIPAA Health Insurance Portability and Accountability Act"

Similar presentations

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.

1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.

P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/2009 0.

1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/
WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.

WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.
HIPAA Privacy Keys to Success Education for Nursing and all other Clinical Students Effective January 2010 HIPAA Job Specific Education1.

HIPAA Privacy Keys to Success Education for Nursing and all other Clinical Students Effective January 2010 HIPAA Job Specific Education1.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

Similar presentations

Ads by Google