THE HIPAA PRIVACY RULE Welcome participants.


1 THE HIPAA PRIVACY RULE Welcome participants

2 What is HIPAA? Health Insurance Portability and Accountability Act
(Passed into law in 1996)

3 Four Parts of HIPAA
1. Standardized Electronic Data Interchange transactions and codes for all covered entities
2. Standards for security of data systems
3. Privacy protections for individual health information
4. Standard national identifiers for health care

Part 1 includes health claims, health plan eligibility enrollment/disenrollment, payments for care & health plan premiums, etc. In the past, health providers and plans have used many different electronic formats to transact medical claims. Implementing a national standard is intended to result in the use of one format to simplify and improve transaction efficiency nationwide.

Part 2 (the Security Rule): Final Rule published in Feb; takes effect April. Provides for a uniform level of protection of all EPHI. Requires CEs to ensure the confidentiality, integrity and availability of all EPHI the CE creates, receives, maintains or transmits.

Part 3 (the Privacy Rule) establishes the first set of basic national privacy standards and provides patients with a basic level of protection.

Part 4: In the past, healthcare organizations have used multiple identification formats when conducting business, which was a costly & error-prone process. Standard identifiers are expected to reduce these problems. The standard adopts an employer's identification # (EIN) or tax ID # as the standard for electronic transactions. Final standards have not been published.

4 The Privacy Rule…
establishes a Federal floor of safeguards to protect the confidentiality of medical information
allows patients to make informed choices when seeking care and reimbursement for care based on how personal health information may be used
took effect on April 14, 2003

5 What Does The Privacy Rule Protect?
Individually Identifiable Health Information, commonly referred to as “Protected Health Information” or “PHI”

6 PHI is information transmitted in any form, oral, written, or electronic, that is:
1) Created or received by a covered entity; and
2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) There is a reasonable basis to believe the information can be used to identify the individual.

7 Examples of PHI
Name, address, telephone, fax, and other contact information
Social security number
Health plan beneficiary number
Medical diagnoses
Medical records and account numbers
Certificate and license numbers
Photographs and images

As you can see, PHI, in a nutshell, covers demographic information for patients, their relatives, households and employers that was obtained during the course of medical treatment.

8 Who Must Comply with HIPAA?
Health Plans
Health Care Clearinghouses
Health Care Providers who conduct certain financial and administrative transactions electronically

These entities are commonly known as Covered Entities (CE). HIPAA does not give HHS the right to regulate other types of private businesses or public agencies, such as employers, life insurance companies, or public agencies that deliver social security or welfare benefits.

9 What must a covered entity do to be in compliance with HIPAA?
Notify patients about their privacy rights and how their information can be used
Adopt and implement privacy procedures
Train employees so they understand the privacy procedures
Designate a Privacy Officer
Secure patient records containing PHI

10 Vocabulary of HIPAA Protected Health Information (PHI) is individually identifiable health information that contains unique features or details by which the individual can be identified. Treatment, Payment and Health Care Operations (TPO) are common uses of PHI for which HIPAA does not require an authorization.

11 Vocabulary of HIPAA Disclosure means the release, transfer, provision of access to, or divulging of information outside the entity holding the information. Use means the sharing, employment, application, utilization, examination, or analysis of individually identifiable information within an entity.

12 Notice of Privacy Practices
Plain language
Specified uniform header
Description & at least one example of each type of use and disclosure made for TPO
Description of each permitted or required use or disclosure without authorization
Sufficient detail of each use and disclosure to put the individual on notice
Statement that all other uses or disclosures will only be made with the individual's authorization
Delineation of the individual's privacy rights

13 New Patient's Rights
Right to a written Notice of Privacy Practices (NPP) that informs consumers how PHI will be used and to whom it is disclosed
Right of timely access to see and copy records for a reasonable fee
Right to request amendment of the record
Right to restrict access and use
Right to an accounting of disclosures
Right to revoke authorization

14 Requests for Amendment
A patient may request, in writing, to have health information or a record about the patient amended. The CE does not have to agree to the amendment, however, the request to amend becomes a part of the patient’s medical record. Patients may request amendments to the information they find in the medical record. Although we do not have to agree to the amendment, we must review all requests to determine if an amendment is warranted. This is done in consultation with the treating physician.

15 Requests for Restrictions
Patients may request, in writing, a restriction or limitation on the health information that a CE uses or discloses. The CE is not required to agree to the restriction. Even though we do not have to agree to the restriction, we do have to review all requests and determine if they should be accepted. If they are accepted, the restriction must be communicated to all affected areas and it must be included in the medical record.

16 Accounting of Disclosures
Patients are entitled to request a list of people and organizations who have received their PHI. Patients must submit a written Request for Accounting of Disclosures. A CE must respond to a patient’s request for an accounting within 60 days of receipt of the request. The accounting does not include TPO disclosures.

17 The accounting of disclosures should include disclosures…
Required by law
For public health activities
About victims of abuse, neglect or domestic violence
For health oversight activities
For judicial and administrative proceedings
For law enforcement purposes
For research purposes (if authorization was waived)
For specialized government functions
For workers' compensation

18 AUTHORIZATION…
Is a detailed document that gives covered entities permission to use PHI for specified purposes
Is required for the use and disclosure of PHI not otherwise allowed by the Privacy Rule
Does not apply to TPO
Does not apply to uses and disclosures required by law
May be revoked at any time in writing

Required by law:
Public Health Activities – reporting births and deaths or adverse events
Abuse, Neglect or Domestic Violence
Health Oversight Agency
Judicial and Administrative Proceedings – criminal trials, litigation, subpoenas
Law Enforcement
Decedents
Organ, Eye or Tissue Donation
Aversion of Serious Threat
Specialized Government Function
Workers' Compensation

19 Authorization Requirements
An authorization must describe: the PHI to be used and disclosed; the person authorized to make the use or disclosure; the person to whom the covered entity may make the disclosure; an expiration date; and the purpose for which the information may be used or disclosed.

20 Minimum Necessary Standard
HIPAA requires covered entities to take reasonable steps to disclose only the information that is necessary for the purpose for which the disclosure is to be made (i.e. the minimum necessary amount of information).

21 Minimum Necessary Does Not Apply To:
Treatment
Disclosures to the individual who is the subject of the PHI
Uses or disclosures made pursuant to an individual's authorization
Uses or disclosures that are required by law

22 Do I need to know? Ask yourself:
Do I need this information to do my job and provide good patient care?
What is the least amount of information I need to do my job?

If the answer to the first question is no, you should not be accessing the PHI in question. Please take these questions seriously and think about them as you come into contact with PHI.

23 Incidental Disclosure
A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure.

24 EXAMPLE Miguel shares a semi-private room with Victor. Dr. Nixon, Miguel's doctor, comes in to talk to Miguel. Dr. Nixon draws the curtain between the two patients. During this bedside consult, Victor overhears Dr. Nixon say that Miguel needs a hernia operation. Is this a HIPAA privacy violation? No. It is a classic example of an incidental disclosure. Dr. Nixon is engaging in a permitted activity. The correct answer is that an incidental disclosure occurred and that it is allowed under HIPAA.

25 Protecting Patient Privacy “Do’s”
Close curtains and speak softly when discussing treatments in semi-private rooms
Log off of the computer when you are finished
Dispose of patient information by shredding or storing in locked containers for destruction
Clear patient information off of your desk when you leave your desk

Since the ultimate goal of the Privacy Rule is to protect the privacy of our patients, here are some things to keep in mind when you are dealing with patient information.

26 Protecting Patient Privacy “Don’ts”
Tell anyone what you overhear about a patient
Discuss a patient in public areas such as elevators, hallways, or cafeterias
Look at information about a patient unless you need it to do your job

27 Rules for Using Computers
Keep your password a secret
Do not log in using someone else's password
Log off of the computer when you are finished using it
Turn the computer screen away from public view
Do not remove equipment, disks, or software without permission

Here are some basic guidelines for when you are using your computers. The Security Rule of HIPAA goes into effect in April. Once that regulation is enacted, you will receive more detailed information.

28 Rules for Using Faxes
Sending:
Call the intended recipient before sending the fax
Double-check the fax number before sending
Use cover sheets for faxes

Receiving:
Tell the person faxing information to alert you when he/she is about to send the fax
Take faxes off of the machine immediately
Do not let faxed patient information lie around unattended

There have been a lot of misconceptions about faxing PHI. Here are the rules for sending and receiving faxes.

29 Business Associate A person or entity that performs a function or activity on behalf of a CE that requires the creation, use or disclosure of PHI but who is not considered part of the CE's workforce.

BA functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management.

BA services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

Exceptions to the BA standard: disclosures for treatment; persons/organizations whose function does not involve the use or disclosure of PHI (janitorial service); a person/organization acting merely as a conduit for PHI (US Postal Service).

30 Business Associates
Must be helping the covered entity carry out its health care functions
Must have a written contract or agreement with the covered entity that assures that they will appropriately safeguard any PHI they receive or create
PHI cannot be disclosed to the BA for their own independent use or purpose. They must use the PHI only for the purposes for which their services were engaged.

The usual method of obtaining satisfactory assurances is through a Business Associate Agreement that describes the permitted and required uses of PHI by the BA, provides that the BA will not use or further disclose PHI other than as permitted or required by the contract or by law, and requires the BA to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract.

31 HIPAA’s Impact on Research Activities
NO ONE is permitted to use PHI for research without complying with the new HIPAA requirements. These HIPAA requirements are entirely separate from the existing federal human subject research regulations.

HIPAA requirements: Preparatory to Research, Authorization, Waiver of Authorization, or Limited Data Set. Informed Consent is not authorization.

32 Please Note: The Privacy Policies and Procedures do not replace or override other rules or procedures established by the Institutional Review Board (“IRB”). Both must be complied with in order to conduct human subject research.

33 State Law vs. HIPAA If there is a conflict or inconsistency between an applicable state law and the HIPAA Privacy Rule, follow the law that provides the patient:
Greater privacy rights,
Greater access to information, or
Greater privacy protections.

34 Penalties for Privacy Violations
Civil Penalties under HIPAA: Maximum fine of $25,000 per violation
Criminal Penalties under HIPAA: Maximum of 10 years in jail and/or a $250,000 fine for serious offenses
Organization Actions: Employee disciplinary actions including suspension or termination for violations of UNM's policies and procedures

Criminal sanctions may be imposed for offenses where there is intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.

35 The Privacy Rule Requirement
You may not retaliate against or intimidate an employee who files a HIPAA complaint.


37 CASE STUDY Lori, a nurse who works on 5-West, has a lot of access to PHI. Terri, a nurse who works on 4-North, learns that her friend and elderly neighbor, Ms. Pate, was admitted to 5-West. Terri is concerned and wants to help, so she asks Lori to see Ms. Pate's medical record. Together, they review and discuss their findings. Trainer Talking Point: Is this an appropriate disclosure? No. Ms. Pate's PHI has nothing to do with Terri's job. Lori should not have permitted Terri to have access to Ms. Pate's medical record.

38 CASE STUDY In deep conversation, Drs. Andrews and Day enter a crowded elevator and continue discussing a code yellow. Their conversation is quite detailed and graphic, but never mentions the patient’s name. Engaged in their conversation, they do not notice the onlookers intently listening to their conversation. Trainer Talking Point: This is inappropriate behavior. Even though the patient’s name was not used, the situation was described in such detail that someone could possibly determine who the patient was that coded during that day. Additionally, a relative of that patient could have also been on the elevator and known that the doctors were discussing their family member. This conversation should be confined to areas where the chance of someone overhearing is minimized.
