HIPAA Privacy Rule Training
©SHRM 2008

Introduction

The Employee Benefits Security Administration (EBSA) administers several health care laws under the Employee Retirement Income Security Act (ERISA). One of these is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA includes provisions that regulate portability and continuity of health insurance, health information privacy, administration of health insurance, medical savings accounts and long-term care insurance.

This sample presentation addresses only health information privacy. It is intended for presentation to supervisors and is designed to be delivered by an individual who is knowledgeable about the HIPAA privacy rule and the employer's own policies and practices. It is a sample that must be customized to match state laws and the employer's own culture, policies and practices.
Objectives

At the close of this session, you will be able to:
- Understand the HIPAA privacy rule
- Determine who enforces the HIPAA privacy rule
- Determine who must comply
- Understand employer roles and responsibilities
- Understand employee rights
- Understand the liability for HIPAA privacy violations
What Is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law that regulates portability and continuity of health insurance, health information privacy, administration of health insurance, medical savings accounts and long-term care insurance. This presentation addresses only health information privacy under the HIPAA privacy rule.
What Is the HIPAA Privacy Rule?

The HIPAA privacy rule gives individuals rights over how their health information may be used or disclosed and protects against the unauthorized disclosure of certain medical information known as protected health information (PHI). The rule requires covered entities to handle PHI carefully. It sets rules on who can view and receive your health information, whether it is in electronic, written or oral form. The U.S. Department of Health and Human Services enforces the HIPAA privacy rule (http://www.hhs.gov).
What Is Protected Health Information (PHI)?

PHI:
- Relates to the physical or mental health condition of an individual, at any time: past, present or future.
- Identifies or can be used to identify an individual (e.g., name, address, birth date, Social Security number, account number).
- Is in the possession of, or has been created by, a covered entity.
What Is PHI? (cont.)

PHI may be included in:
- Health care claims or encounter information.
- Health care payment and remittance advice.
- Coordination of benefits.
- Health care claim status.
- Enrollment or disenrollment in a health plan.
- Eligibility for a health plan.
- Health plan premium payments.
- Referral certification and authorization.
Who Must Comply?

Entities that must follow the HIPAA privacy rule are called covered entities. Covered entities include the following:

- Health care providers: those who transmit health information electronically, either directly or through a business associate, including those who furnish, bill and are paid for health care services, such as doctors, dentists, hospitals, nursing homes and pharmacies.
- Health care clearinghouses: health care management organizations that process nonstandard health information into a standard format, or vice versa, such as billing services.
- Health plans: health insurance companies, HMOs, Medicaid, Medicare and employer-sponsored health plans that have 50 or more participants or are administered by a third party (e.g., an insurance carrier).
Who Must Comply? (cont.)

An employer is not a covered entity based on being an employer alone. To be affected, an employer must sponsor an Employee Retirement Income Security Act (ERISA) group health plan. An ERISA group health plan is an employee welfare benefit plan that provides medical care to employees and/or their dependents or spouse, directly or through insurance, reimbursement or otherwise.

The group health plan is the covered entity, but the employer may need to comply with the HIPAA privacy rule as the plan sponsor or administrator.

An employer may itself be a covered entity if it operates in the capacity of a health care provider, health care clearinghouse or health plan (e.g., an employer may be a covered entity if it has an on-site health clinic for employees).
Roles

Think of the employer as having two different roles:
- Employer
- Plan sponsor
Employer Role

Employers do not need to comply with the HIPAA privacy rule when acting in the employer role. For example:
- Employer requests a doctor's note from an employee upon return from an absence, consistent with the company's policies or practices.
- Employer obtains medical information from employees to administer leave programs such as FMLA, requests for ADA accommodation, workers' compensation, wellness programs and health insurance (e.g., employers may use health information that excludes PHI for amending plans or obtaining bids for health insurance).
- Employer includes employee names and injury information on OSHA logs.
- Employer obtains information from medical providers related to drug tests and fitness-for-duty exams.
Employer Role (cont.)

More examples of the employer role:
- Employer corresponds with workers' compensation carriers and health care providers in the administration of a workers' compensation claim.
- Employer shares summarized health information for purposes of amending plan benefits, as long as all identifying information such as names, birth dates and Social Security numbers is removed.
- Employer discloses information related to the birth of a child or the health condition of an employee if the information comes from the employee and not from a group health plan.
Plan Sponsor Role

When the covered entity is the group health plan, an employer may be obligated to comply with the HIPAA privacy rule in its role as the plan sponsor. Employers may be covered by the HIPAA privacy rule when they:
- Participate in the administration of a group health plan.
- Are active in the decision-making process of a group health plan.
- Participate in the operation or control of the provisions of a group health plan.
Plan Sponsor Responsibilities

Employers acting in a plan sponsor role may need to:
- Have written PHI procedures.
- Limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose.
- Designate a privacy officer.
- Require business associates to ensure the confidentiality of PHI through written contracts or agreements.
- Establish administrative, technical and physical safeguards to protect the privacy of PHI.
Plan Sponsor Responsibilities (cont.)

Employers acting in a plan sponsor role may also need to:
- Train employees on the HIPAA privacy rule.
- Provide a process for filing complaints.
- Ensure that PHI is not used for making employment or benefits decisions, marketing or fundraising.
Employees' Rights

Employers acting in a plan sponsor role for a group health plan (the covered entity) may not share employee PHI without written authorization unless it is shared:
- With the individual who is the subject of the PHI.
- For treatment and care coordination.
- To pay for employee health care services.
- With individuals designated by the employee who are involved in the employee's health care or in paying health care bills.
- In public health situations.
Employees' Rights (cont.)

Further exceptions under which PHI may be shared without written authorization:
- For court and agency proceedings (e.g., workers' compensation).
- Based on agency requirements (e.g., an OSHA audit).
- Based on law enforcement requests or compliance.
- In emergencies.
- In identification of deceased individuals.
- In national security-related situations.
Employees' Rights (cont.)

Employees have a right to:
- A copy of their medical records (a reasonable fee for copying and mailing records may be assessed).
- Restrict who can obtain their PHI.
- Change incorrect information in their medical records.
- A report of when and why their PHI was used.
- Choose communication methods.
- File complaints.
HIPAA Privacy Violations

Violations of the HIPAA privacy rule may result in:
- Civil penalties of $100 per violation.
- Maximum civil penalties of $25,000 per year, per person, per standard.
- Criminal penalties for willful offenses of $50,000 to $250,000 and imprisonment.
- Additional penalties under state law.
- Lawsuits.
Summary

Medical information maintained by employers is not always considered PHI. An employer must determine where the information was obtained and whether it is maintained in the role of employer or in the role of plan sponsor of a group health plan (the covered entity); that determination decides whether the HIPAA privacy rule applies. Regardless of the role, employers should handle all employee medical information carefully.
Questions? Comments?

Course Evaluation

Please be sure to complete and leave the evaluation sheet you received with your handouts. Thank you for your attention and interest!