1 HIPAA OVERVIEW
Version 2: 12/16/02
HIPAA Collaborative of Wisconsin (HIPAA COW)
www.hipaacow.org
© Copyright 2002 HIPAA COW

2 This Training Module is Copyright © 2002 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder.
This Training Module is provided “as is” without any express or implied warranty. This Training Module is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.
HIPAA COW has not yet addressed all state pre-emption issues related to this Training Module. Therefore, this form may need to be modified in order to comply with Wisconsin law.

3 AGENDA
- History
- Purpose
- Compliance Dates
- Covered Entities
- Electronic Transactions & Code Sets
- Security
- Privacy
- Failure to Comply
- Implementation

4 HISTORY
- HIPAA stands for “Health Insurance Portability & Accountability Act of 1996”
- HIPAA was passed in 1996 as part of a broad congressional attempt at healthcare reform
- What we’re now dealing with is Title II – Administrative Simplification

5 HIPAA
Title I
- Health insurance access, portability and renewal
Title II
- Fraud and Abuse
- Medical Liability Reform
- Administrative Simplification
  - Electronic Transaction Standards (EDI)
    - For 9 key payor transactions
    - Includes clinical code sets
    - Includes key identifiers
  - Security Standards
    - For protecting electronic health information
  - Privacy Standards
    - To spell out permissible uses of patient identifiable healthcare information
Title III
- Medical Savings Accounts
- Tax deduction provisions
Title IV
- Group health plan provisions
Title V
- Revenue offset provisions

6 PURPOSE – TITLE II ADMINISTRATIVE SIMPLIFICATION
- To increase the efficiency and effectiveness of the entire health care system through:
  - The electronic exchange of information
  - The standardization of that information
- To enhance the security and privacy of Protected Health Information (PHI) throughout the entire health system

7 THE NEED
1 in 6 patients will omit sensitive information when discussing medical history with their physician out of fear of misuse or mishandling.
Source: DHHS, Privacy Rule Preamble

8 COMPLIANCE DATES
- Electronic Transactions Standards Standardized Code Sets – 10/16/02 or 10/16/03 if extension was filed.
- Unique Provider & Health Plan Identifiers – Final rule not yet published
- Claims Attachments & 1st Report of Injury – Final rule not yet published
- Privacy Standards – April 14, 2003
- Security Standards – Final rule not yet published

9 HIPAA APPLIES TO:
Covered Entities:
- Health Plans (licensed insurers, ERISA plans, HMOs, Medicare, etc.)
- Providers (physicians, hospitals, home health, DME, pharmacy, chiropractic, dental, etc.) who conduct 1 or more of the HIPAA-defined transactions electronically
- Clearinghouses

10 Electronic Transactions and Code Sets

11 ELECTRONIC TRANSACTIONS
Providers:
- Eligibility and Benefits Inquiry
- Claim Submission
- Claim Status Inquiry
- Receive Claim Payment / Advice
- Preauthorization or Referral Request
Payers:
- Eligibility and Benefits Response
- Claim Receipt
- Claim Status Response
- Claim Payment / Advice
- Preauthorization or Referral Response
Employers:
- Enrollment and Termination of Enrollment Data
- Premium Payment and Advice
Transaction numbers shown in the diagram: 270, 271, 837, 276, 835, 820, 834, 278, 277
Source: Phoenix Health Systems

12 ELECTRONIC TRANSACTIONS & CODE SETS
- Must use HIPAA standards for designated transactions
- Must use appropriate code sets in transactions
  - Medical data code sets
  - Non-medical data code sets

13 Security Proposed Rule

14 SECURITY
Covered Entities must maintain reasonable & appropriate administrative, physical, & technical safeguards to:
- Ensure the integrity & confidentiality of PHI
- Protect against unauthorized access, use, or disclosures by employees or external parties
- Protect the availability of PHI in emergency and disaster situations
- Demonstrate compliance by officers and employees

15 COMPONENTS OF PROPOSED SECURITY STANDARDS
- Administrative Security Procedures
- Physical Safeguards
- Technical Security Services
- Communications Security
- Electronic Signature

16 ADMINISTRATIVE PROCEDURES
- Certification of Security
- Chain of Trust Agreements
- Contingency and Disaster Recovery Planning
- Information Access Control
- Internal Security Audit Procedures
- Personnel Security
- Transfers
- Termination procedures
- Management of authorization methods
- Personnel clearance procedures
- Training in security

17 PHYSICAL SAFEGUARDS
- Assigned Security Responsibility
- Media Controls
- Physical Access Controls
- Secure Workstation Location

18 TECHNICAL SECURITY SERVICES
- Access Controls
- Audit Controls
- Authorization Controls
- Data Authentication
- Entity Authentication

19 COMMUNICATIONS SECURITY
- Integrity Controls
- Message Authentication
- Access Controls or Encryption
- Alarm
- Audit trail
- Entity Authentication
- Event Reporting

20 Privacy

21 PRIVACY: KEY FEATURES
- PHI Uses & Disclosures
- Consent
- Authorization
- Notice of Privacy Practices
- Minimum Necessary
- Patient Rights
- Business Associates
- Marketing, Fundraising, and Research
- Interaction with State privacy and confidentiality laws
- Administrative Requirements
- Penalties

22 PRIVACY RULE: WHAT DOES IT DO?
HIPAA regulates the use or disclosure of Protected Health Information (PHI).

23 WHAT IS PHI?
Health and demographic information about an individual that is transmitted or maintained in any medium where the information:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future:
  - Physical or mental health condition of an individual, or
  - Provision of health care to an individual, or
  - Payment for the provision of health care to an individual.

24 INDIVIDUAL IDENTIFIERS
1. Name
2. Geographic subdivisions smaller than a State
   – Street Address
   – City
   – County
   – Precinct
   – Zip Code & their equivalent geocodes, except for the initial three digits
3. Dates, except year
   – Birth date
   – Admission date
   – Discharge date
   – Date of death
4. Telephone numbers
5. Fax number
6. E-Mail Address
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code

25 LIMITED DATA SET
For research, public health or health care operations:
1. Names
2. Postal Address, other than town, state, & zip
3. Telephone numbers
4. Fax numbers
5. E-mail addresses
6. Social Security Numbers
7. Medical Record numbers
8. Beneficiary numbers
9. Account numbers
10. Certificate/license numbers
11. Vehicle numbers
12. Device identifiers
13. URLs – web locators
14. Internet IP addresses
15. Biometric identifiers
16. Full face photographs

26 PERMITTED USES & DISCLOSURES
Covered entities are permitted to use and disclose PHI for:
- Treatment
- Payment
- Health Care Operations
(These are referred to as “TPO”)

27 PERMITTED USES & DISCLOSURES
The final modifications permit covered entities to:
- Use or disclose PHI for its own TPO
- Disclose PHI to another entity for treatment, payment and health care operation activities.
  – Each entity has a current or prior relationship.
  – The disclosure is for “health care operations”
  – The disclosure is for fraud and abuse detection.

28 MANDATED USES & DISCLOSURES
HIPAA mandates the disclosure of PHI for certain purposes such as:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Organ donation
All other uses or disclosures outside of TPO require an authorization.

29 HEALTH CARE OPERATIONS
Any of the following activities of a Covered Entity:
- Quality assessment and improvement and population-based activities
- Peer review and credentialing activities
- Underwriting, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance
- Medical review, legal services, and auditing
- Business planning and development
- Business management and general administrative activities

30 CONSENT
- Consent is optional, prior to disclosing PHI for treatment, payment or health care operations.
- Covered entities must provide individuals with notice of their privacy practices.
- Providers are required to keep the patient’s receipt acknowledgement on file.

31 CONSENT
(This slide is optional.)
Consent forms must:
- Be in plain language
- Inform individual of how information may be used for TPO
- Refer to notice of privacy practices
- Inform of the right to request restrictions
- Inform of the right to revoke consent
- Be signed and dated by the individual
Consent forms are valid until revoked

32 AUTHORIZATION
Authorization must be obtained for ALL uses and disclosures other than TPO or those mandated under law.
Authorizations must include:
- A description of the information to be disclosed
- The name of the person or entities to whom the information will be disclosed
- An expiration date
- Information regarding right to revoke
- Date and signature

33 PRIVACY NOTICE
Privacy Notices Must:
- Be in plain language
- Contain a description and example of TPO
- Contain a description and example of other uses and disclosures not requiring Authorization
- Include statements about an individual’s rights
- Include statements about the Covered Entity’s duties
- Describe the complaint process
- Provide other specific requirements

34 MINIMUM NECESSARY
The privacy rule requires covered entities to use or disclose only the “minimum necessary” PHI to accomplish the intended purpose of the use, disclosure, or request.

35 MINIMUM NECESSARY
Internal Requirements:
- Identify workforce who need to access PHI
- For each class, category or person identified, limit access based on need-to-know
External Requirements:
- Limit access to what is needed to accomplish the purpose for which the request was made
- May “reasonably rely” that the requesting entity is asking for the “minimum necessary”.*

36 BUSINESS ASSOCIATE
- A person or entity who either provides services on behalf of a Covered Entity, or to a Covered Entity which involves the use or disclosure of PHI
- NOT a member of your workforce
- Transition Period - an additional year to enter into Business Associate Agreements.

37 MARKETING
HIPAA defines “marketing” as a communication about a product or service to encourage a recipient to purchase or use that product or service.
What is NOT marketing?
- Concerns health-related products and services of the covered entity, and the communication meets certain requirements.
- Is made for treatment of the individual
- Is made for case management or care coordination, or to direct alternative treatments, therapies, providers or care.

38 MARKETING
Authorization is not required to use or disclose PHI for marketing if the communication is:
- Face-to-face, made by the covered entity with the individual.
- A promotional gift of nominal value.
Any other marketing requires an individual’s authorization.

39 FUNDRAISING
- PHI use and disclosure for a covered entity’s own fundraising purposes is permitted.
- Meets definition of Health Care Operations
- Consent required (to be removed under NPRM)
- Authorization not required
- PHI may also be disclosed to a business associate or institutionally-related foundation
- Must be for purpose of raising funds for covered entity
- Limited to demographic information and dates of health care provided
- Fundraising material must offer opt-out mechanism

40 RESEARCH
To use or disclose PHI for research purposes, without authorization, the covered entity must obtain one of the following:
- Approval from the Institutional Review Board (IRB) or Privacy Board
- Data Use Agreement. Agreement to use limited data sets.
- Preparatory to Research. PHI used to prepare research protocol.
- Research on PHI of Decedents.

41 RESEARCH AUTHORIZATION
Authorization requirements for the use and disclosure of PHI, for research purposes:
- Unlike other authorizations, the research authorization does not have to include an expiration date.
- Authorization may be combined with other research consent forms.

42 INDIVIDUAL RIGHTS
Individuals have the right to:
- Receive written notice of privacy practices
- Request restrictions on uses & disclosures
- Access, inspect & copy their PHI
- Request amendment or correction of their PHI
- Receive an accounting of disclosures of their PHI (except those related to treatment, payment, & operations)

43 ADMINISTRATIVE REQUIREMENTS
- Designate a privacy officer with primary responsibility for ensuring compliance with the regulations
- Establish training programs for all members of the workforce
- Implement appropriate policies & procedures to prevent intentional and accidental disclosures of PHI

44 ADMINISTRATIVE REQUIREMENTS
- Establish a system for receiving and responding to complaints regarding the Covered Entity’s privacy practices
- Implement appropriate sanctions for violations of the privacy guidelines
- Make reasonable efforts to limit information to minimum necessary to accomplish a person’s purpose/job

45 ENFORCEMENT
- The Public. The public will be educated about their privacy rights and will not tolerate violations to their privacy! Expect Class Action lawsuits.
- Office For Civil Rights (OCR). Designated the enforcement agency concerning privacy regulations. They will provide guidance and monitor compliance.
- Department of Justice (DOJ). Involved in criminal privacy violations. Fines, penalties & imprisonment.

46 PENALTIES - FAILURE TO COMPLY
Civil
- $100 per violation per person up to a maximum of $25,000 per person per year per standard violated
Criminal
- Up to $50,000, 1 year in prison, or both, for inappropriate use of PHI
- Up to $100,000, 5 years in prison, or both for using PHI under false pretenses
- Up to $250,000, 10 years in prison or both, for the intent to sell or use PHI for commercial advantage, personal gain, or malicious harm

47 HIPAA AT (INSERT YOUR ORGANIZATION’S NAME)
(INSERT YOUR ORGANIZATION’S HIPAA STRUCTURE)

48 HIPAA IMPLEMENTATION STEPS
- Provide Education & Awareness Training
- Establish an Implementation Team
- Develop Implementation Strategy
- Allocate Appropriate Resources
- Conduct Risk Assessment and Gap Analysis
- Establish Policies & Procedures
- Audit and Monitor
- Join HIPAA COW!

49 RESOURCE
WWW.HIPAACOW.ORG

50 REFERENCES
This presentation has been adapted from Cathy Boelke’s presentation for Avanti.
- Karen Bauer
- Joan Benson, MBA, MT(ASCP)SH
- Catherine Boelke, MBA, CMPE
- Tony Cooper, FHFMA, CFE
- Terri Edgar, RN, BSN
- Renee Hinkel, RN, MSN
- William Jensen, MBA
- Jennifer Laughlin, RHIA
- Richard Reynolds, FHIMSS
- Beth Zallar, MS, RHIA

