
HIPAA Privacy and Security Requirements: What HIPAA requires staff to do to protect the privacy and safeguard the security of patient information.


Slide 1: HIPAA Privacy and Security Requirements
What HIPAA requires staff to do to protect the privacy and safeguard the security of patient information

Slide 2: Program Content
- Overview of Privacy and Security
- A Hypothetical Case History
- Using and Sharing Information
- The Notice of Privacy Practices
- Authorization
- Privacy Accounting
- Patient Access to Health Information
- Information Security
- Wrap-up

Slide 3: HIPAA Privacy & Security – Section 1: Overview of Privacy and Security
How HIPAA views privacy and security ... and threats to privacy and security

Slide 4: Privacy & Security Goals
- The goals of privacy:
  - Patient control over sharing of information
  - Disclosure of how information will be used
- The goals of security:
  - Information available to those who need it
  - Information not available to those who don’t

Slide 5: Key Concepts and Terms
- Protected Health Information
- Use and Disclosure
- Notice and Acknowledgement
- Authorization
- Business Associate
- Workforce
- Personal Representative
- Minimum necessary

Slide 6: Key Concepts and Terms – Protected Health Information
- General definition: information that identifies an individual and describes his/her medical condition or treatment
- Specifically includes:
  - Clinical information
  - Information on payment
  - Basic demographic information (name, address, and telephone number)
- Applies to written and electronic information

Slide 7: Key Concepts and Terms – Use and Disclosure
- Information is used by members of our workforce for:
  - Collection of information by clinical staff
  - Review of patient charts by clinical staff
  - Completion of billing forms by clerical staff
  - Accounting and bookkeeping entries
- Information is disclosed when it is shared with others:
  - Transmission of information to a health plan
  - Transmission of information to a billing service
  - Transmission of prescriptions to a pharmacy
  - Consultation with an independent provider
  - Reporting to government agencies

Slide 8: Key Concepts and Terms – Notice and Acknowledgement
- Notice of Privacy Practices: a statement given to each patient describing how the practice will use and disclose health information and outlining the patient’s rights under HIPAA
- Acknowledgement: written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it

Slide 9: Key Concepts and Terms – Authorization
- Required for uses and disclosures other than for:
  - Treatment
  - Payment
  - Health care operations
  - Compliance with legal mandates
- Signed by the patient or the patient’s personal representative

Slide 10: Key Concepts and Terms – Workforce
- Members of the medical practice
- Employees of the medical practice
- Independent contractors we hire

Slide 11: Key Concepts and Terms – Business Associate
- An entity that performs services for the practice
- Examples: billing services, accreditation agencies
- Must give satisfactory assurances

Slide 12: Key Concepts and Terms – Personal Representative
- A person who can act on behalf of the patient
- Must have legal authority to act on the patient’s behalf
- A personal representative may:
  - Acknowledge the Notice of Privacy Practices
  - Authorize use and disclosure of information
  - Request and receive an accounting of use and disclosure
  - Request amendment of health information

Slide 13: Key Concepts and Terms – Minimum necessary
- HIPAA limits use and disclosure of protected health information to the ‘minimum necessary’ to accomplish an intended purpose
- Examples:
  - Any information requested for treatment
  - Any information in a standard transaction
  - Information required by an administrative task
  - Information specified in a request from:
    - Law enforcement officials
    - Regulatory officials
    - A subpoena or court order

Slide 14: Quiz 1: Key Concepts
- Does protected health information include the patient’s name, address, and basic demographic information?
- Do privacy protections apply to both information recorded on paper and information stored electronically?
- Can a family member or close personal friend act as the representative of the patient?
- Is a business associate contract required only for those business associates who create or process protected health information?

Slide 15: HIPAA Privacy & Security – Section 2: A Hypothetical Case History
The privacy regulation in action: an overview

Slide 16: A Hypothetical Case History
- A patient calls for an appointment
- The patient arrives for first visit
- The patient is called by the nurse
- Care discussed with patient’s spouse
- Claim prepared and submitted to health plan
- Newsletter sent to practice’s patients
- Mailing list requested by local pharmacy
- Patient requests accounting of disclosures
- Patient asks for information from chart
- Patient requests correction of information

Slide 17: A Hypothetical Case History – Making an appointment
- Collect basic patient information: name, telephone number, health plan
- Information is protected
- Does not violate privacy rules

Slide 18: A Hypothetical Case History – Patient Arrival
- Patient is given the Notice
- Staff seek Acknowledgement of Notice

Slide 19: A Hypothetical Case History – In the Waiting Room
- Disclosure of limited information:
  - Patient’s signature on “sign-in” sheet
  - Staff call patient from waiting area
- Does not violate privacy rules

Slide 20: A Hypothetical Case History – Discussion with patient’s spouse
- Information shared with family members
- Patient has opportunity to object
- Does not violate privacy rules

Slide 21: A Hypothetical Case History – Claim Submission
- Disclosure of information to health plan
- Does not require patient authorization
- Does not violate privacy rules

Slide 22: A Hypothetical Case History – Patient Newsletter
- Uses protected information
- Does not require authorization
- Does not violate privacy rules

Slide 23: A Hypothetical Case History – Mailing lists
- Must have patient’s permission to sell or provide mailing lists to other organizations

Slide 24: A Hypothetical Case History – Accounting for disclosures
- Must provide a list of certain disclosures when requested by the patient

Slide 25: A Hypothetical Case History – Copying information from chart
- Must allow patients to inspect charts
- Must provide copies when requested

Slide 26: A Hypothetical Case History – Correction of information
- Patients may request ‘corrections’
- No obligation to make changes
- Must document the request and any changes

Slide 27: HIPAA Privacy & Security – Section 3: Using & Sharing Information
Who can have what information and under what circumstances?

Slide 28: Overview
- Uses and disclosures that...
  - Do not require patient authorization
  - Require specific patient authorization
- Disclosures to family members
- Incidental disclosures

Slide 29: Authorization not needed for...
- Treatment of the patient
- Obtaining payment
- Our day-to-day operations
- Legally mandated reporting or disclosure

Slide 30: Authorization not needed – Use and Disclosure for Treatment
- Definition of treatment:
  - Collection of information
  - Review of patient records and test results
  - Consultation with other providers
  - Referral to another provider
  - Transmitting information to other providers
- No restriction on information sharing

Slide 31: Authorization not needed – Use and Disclosure for Payment
- Definition of payment:
  - Eligibility inquiries
  - Coverage determinations
  - Submission of claims
  - Claim status inquiries
  - Remittance of payment
  - Credit card and other payment methods
- Standard transaction data elements

Slide 32: Authorization not needed – Use and Disclosure for Operations
- Health Care Operations include:
  - Maintenance of medical records
  - Maintenance of accounting records
  - Quality assurance activities
  - Staff credentialing and performance evaluation
  - Conducting financial and management audits
  - Investigating complaints
  - Supporting legal activities
  - Resolving grievances
  - General business management
- Staff may use and disclose only the minimum necessary information

Slide 33: Authorization not needed – Legally Mandated Disclosures
- Police and Law Enforcement
- Public Health Reporting:
  - Reportable infectious diseases
  - Vital events (birth and death)
- Abuse and Neglect Reporting
- Licensing and regulatory oversight
- Legal proceedings

Slide 34: Disclosures to Family Members
- Disclosure is permitted...
  - To spouses
  - To parents and legal guardians
  - To others involved in care
- Obtaining the patient’s permission:
  - When the patient is able to object
  - When the patient is not able to object
- Allows sharing of information related to the patient’s care

Slide 35: Incidental Disclosures
- Examples of incidental disclosure:
  - An overheard conversation among staff members
  - An overheard discussion between staff and patients
  - An overheard telephone call to a patient
  - Test results being filed in patient records
- Incidental disclosures are permitted... but should be avoided
- Incidental disclosures need not be documented
- Try to minimize incidental disclosures!
  - Conduct discussions in private areas
  - Limit discussion when others are present

Slide 36: Quiz 2: Using & Sharing Information
- Are there any limits on the use or disclosure of patient information for the purpose of treatment?
- Does a patient have to authorize the disclosure of information to a health plan?
- Does a patient have to authorize disclosure of information to law enforcement agencies?
- Does HIPAA prevent us from complying with state-mandated disease reporting, e.g., for infectious diseases?
- Can we use patient information for any purpose without obtaining the patient’s authorization?

Slide 37: HIPAA Privacy & Security – Section 4: Notice of Privacy Practices
Helping patients understand how their information will be used – and how their privacy is protected

Slide 38: What the Notice Tells Patients
- How their information will be used
- With whom their information will be shared
- When an authorization is needed
- How to request an accounting of uses and disclosures
- How to request access to information
- How to request changes in information

Slide 39: Review of the Notice
- Uses and disclosures that don’t require authorization:
  - Treatment
  - Payment
  - Health care operations
  - Legally mandated disclosures
- Patient rights:
  - Request restrictions on use and disclosure
  - Request confidential communications
  - Obtain an accounting of uses and disclosures
  - Review protected health information
  - Request changes to information

Slide 40: Providing the Notice to Patients
- Responsibility of the receptionist
- Provide during the first patient visit
- Review key provisions
- Discuss and resolve requests for...
  - Restrictions on use and disclosure
  - Confidential communications

Slide 41: Acknowledgement By Patient
- Staff must try to obtain acknowledgement:
  - Documents that the notice was given
  - Required on first visit only
  - Obtain prior to treatment
- Use of acknowledgement form:
  - Patient signature and date
  - Document the attempt if the patient can’t acknowledge
  - Emergency treatment exception
- Patient gets a copy of the acknowledgement
- Original filed with the patient record

Slide 42: Quiz 3: Notice of Privacy Practices
- Does a patient have to be given a Notice prior to treatment?
- Does a patient have to be given a Notice on each visit?
- Does the patient have to sign the acknowledgement of the Notice?
- Do staff have to document a patient’s inability or refusal to sign an acknowledgement of the Notice?
- Can a patient restrict use and disclosure of protected health information?

Slide 43: HIPAA Privacy & Security – Section 5: Authorization
Using and disclosing information for purposes not covered by the notice

Slide 44: When is authorization needed?
- Medical/clinical research:
  - Investigational treatment
  - Research protocols
  - Exception for “de-identified” data
- Marketing:
  - Promoting third-party products/services
  - Providing mailing lists to others
- Other uses and disclosures, except:
  - For treatment, payment, health care operations
  - To comply with legal mandates

Slide 45: Content of Authorization
- Authorization must...
  - Identify the information to be used or disclosed
  - Identify users/persons to whom disclosed
  - Identify purposes of use or disclosure
  - Note the potential for redisclosure
- Conditioning treatment on authorization:
  - Treatment available only to research subjects
  - Treatment requested by the patient for disclosure
- Authorization may be signed by...
  - Patient, or
  - Patient representative

Slide 46: Obtaining Authorization
- Review the authorization form with the patient:
  - What information will be used
  - What the information will be used for
  - Who will use the information
  - Note the potential for re-disclosure
- Obtain patient/representative signature
- File the authorization form in records

Slide 47: Quiz 4: Authorization
- Is an authorization needed if a patient has signed a consent to participate in a research program?
- Does an authorization have to specify the information to be disclosed and the purpose of the disclosure?
- Does an authorization have to identify who will use or receive the information?
- Does a patient have to authorize disclosure of a camp or school physical?
- Can a patient be denied care if he or she doesn’t authorize use or disclosure of information in a research study?
- Does a patient have to authorize disclosure of information to himself or herself or to a spouse?

Slide 48: HIPAA Privacy & Security – Section 6: Privacy Accounting
Informing patients of certain uses and disclosures of protected health information

Slide 49: Recording Uses/Disclosures
- The goal of the accounting:
  - Let patients know who has received their information – and why
  - Facilitate amendment/correction when erroneous information has been disclosed
- Does not require tracking of...
  - Uses and disclosures for purposes of treatment, payment, and health care operations
  - Uses and disclosures covered by an authorization
- Bottom line: only requires tracking and disclosure of...
  - Legally mandated disclosures
  - Unauthorized disclosures

Slide 50: Requesting an Accounting
- Patients submit an accounting request
- Fees for accounting:
  - No charge for the first accounting
  - May charge for the second and subsequent accountings in a 12-month period

Slide 51: Content of the Accounting
- Identity of the person or organization to whom information was disclosed
- Description of the information disclosed
- Description of the purpose of the disclosure

Slide 52: Quiz 5: Accounting for Disclosures
- Do all uses and disclosures have to be included in an accounting?
- Do disclosures to health plans have to be included in an accounting?
- Do authorized disclosures have to be included in an accounting?
- Do disclosures to police and law enforcement agencies have to be included in an accounting?
- Do disclosures to business associates have to be included in an accounting?

Slide 53: HIPAA Privacy & Security – Section 7: Patient Access to Information
How patients can obtain and request changes in their medical information

Slide 54: Patient and Provider Rights
- HIPAA gives patients certain rights:
  - To review and copy their records
  - To request changes in their records
  - To have changes communicated to others
- HIPAA gives providers certain rights:
  - To charge for copies of health information
  - To deny requested changes in patient records

Slide 55: Requesting Amendment
- Patients may request correction of information in their records
- Approving or denying requests
- Communicating corrections
- Documentation requirements

Slide 56: Quiz 6: Access and Amendment
- Can a patient examine his or her medical information?
- Can a patient obtain a copy of information in his or her medical chart?
- Do patients have to request information from their records in writing?
- Can patients change information in their medical records?
- Do corrections in patient information have to be transmitted to prior recipients of the incorrect information?

Slide 57: HIPAA Privacy & Security – Section 8: Information Security
Staff responsibilities for keeping information secure

Slide 58: Overview
- The basic concepts of security
- The responsibility for security
- Threats to security
- Security protections
- What you can do

Slide 59: Security Basics
- Two aspects of security:
  - Preventing unauthorized access/disclosure
  - Preventing loss of information
- Scope of security concerns:
  - Securing electronic information
  - Securing paper records

Slide 60: Security is everybody’s business
- Information systems managers & staff
- Medical professionals
- Clerical and billing staff
- Managers and supervisors
- Consultants and contractors

Slide 61: Security Threats
- Loss of information
- Theft of information
- Unauthorized disclosures
- Accidental disclosures

Slide 62: Loss of Information
- Unintended destruction of information:
  - Human error
  - Hardware failure
  - Fires, floods, and power failures
  - Computer viruses
- Response to the threat:
  - Staff training and procedures
  - Backup procedures and system design
  - Disaster and contingency plans
  - Anti-virus software

Slide 63: Theft of Information
- How information is stolen:
  - Computer system penetration by hackers
  - Disclosure caused by computer viruses
- Preventing theft:
  - Hardware/software firewalls
  - Use of password protection
  - User authentication
  - Anti-virus software
  - Encryption

Slide 64: Unauthorized Disclosures
- Intentional, but unauthorized, disclosure:
  - Failure to check credentials of the requester
  - Failure to check patient authorization
- Unintentional disclosure:
  - Breakdown of security during disasters

Slide 65: Accidental Disclosures
- Overheard conversations:
  - Among staff
  - Between staff and patients
- Information left in public view:
  - Information displayed on computer screens
  - Printed information left on desks
  - Files accessible to public/passers-by

Slide 66: Security Protections
- Backup procedures
- Contingency plans
- Organizational safeguards
- Technical (hardware and software) safeguards

Slide 67: Guidelines for Computer Use
- Log on and log off our network
- Never let others use your user ID
- Choose a secure password
- Regularly update your password
- Never share your password
- Never write your password down
- Secure your workstation

Slide 68: Quiz 7: Security Measures
- Is the accidental destruction of information a security problem?
- What is the most serious threat to security?
- Should people ever let others use their computer ID or password?
- Should anti-virus software ever be turned off?

Slide 69: HIPAA Privacy & Security – Section 9: Security & Privacy Wrap-up
What you can do to protect the privacy and safeguard the security of patient information

Slide 70: Privacy Wrap-up
Five things you can do to protect privacy:
- Store all patient information securely
- Discuss patient information in private
- Avoid unnecessary discussion of patient information
- Review restrictions on disclosure and communication before making disclosures
- Confirm credentials of recipients before disclosing protected health information

Slide 71: Security Wrap-up
Five things you can do to safeguard security:
- Log on and log off of your computer
- Never let others use your log-on
- Follow guidelines for password use
- Never disable anti-virus software
- Never install unapproved software
