1 HIPAA: Health Insurance Portability and Accountability Act
Presented by the UMMC Office of Integrity and Compliance
2 HIPAA
As stated in the “Compliance” module presentation, the Office of Integrity and Compliance is responsible for enforcing and overseeing the HIPAA privacy regulations for UMMC. While HIPAA privacy enforcement is just one of the many responsibilities of our office, the HIPAA privacy regulations are important to each workforce member at UMMC and thus warrant a separate training module. Whether you are an office worker, a member of our housekeeping staff, physical facilities, a student, or a clinician, it is YOUR responsibility to ensure patient privacy is protected.
3 Rules and Regulations to Ensure Privacy
The Health Insurance Portability and Accountability Act (HIPAA) set federally recognized standards to ensure both the privacy and the security of patient health information.
Both standards are overseen by the Office for Civil Rights.
Within UMMC, the standards are enforced by:
Office of Integrity and Compliance, Privacy Officer
Information Systems, Security Officer
4 Policies and Procedures
UMMC has created policies and procedures to facilitate compliance with all standards.
These are to be followed by employees who come into contact with patient health information.
The policies can be found on the UMMC Intranet or by clicking the following link:
5 HIPAA Privacy Standards
The Privacy Standards provide for the following:
Boundaries for the uses and disclosures of protected health information;
The implementation of administrative, technical and physical safeguards to help ensure health information remains confidential;
More control of an individual's health information by the individual; and
Civil and criminal penalties for violators of the standards.
6 What information is protected by the regulations?
The HIPAA Privacy Standards protect “individually identifiable health information”, which is collectively referred to as protected health information (PHI). Basically, PHI is clinical information, such as an individual’s diagnosis, in combination with some type of information that allows you to identify that individual. For instance, a diagnosis on a progress note that has the patient’s name in the right-hand corner would be considered PHI. PHI can be transmitted or maintained in any form or medium, which includes PHI that is transmitted orally, stored or transmitted on paper, and/or stored or transmitted electronically.
7 Examples of PHI
Some examples of confidential and protected health information:
Documentation created by physicians, nurses, and other health care providers and assembled in medical records;
Conversations about an individual's care or treatment between health care providers;
Information about patients in UMMC’s computer system; and
Billing information about an individual’s health care.
8 Information that can be used to identify a patient can include:
Patient’s name;
Address or zip code;
Month and date of service or other relevant date;
Date of birth;
Telephone and/or fax number;
Email address;
Social Security Number;
Medical record or patient account numbers;
Vehicle identifiers or serial numbers;
Health plan beneficiary number;
Device identifiers or serial numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images or other images;
Web locators (URLs) or Internet Protocol (IP) addresses;
Any other unique identifying number, characteristic, or code.
9 Which Disclosures are Allowed Without Authorization?
Except for psychotherapy notes, the privacy standards allow UMMC to disclose information without an authorization for the following purposes:
To comply with the law, such as reporting communicable diseases to the Mississippi State Department of Health;
For the treatment of the individual;
To obtain payment for services rendered by UMMC; and/or
To carry out the healthcare operations of UMMC.
10 Disclosures Allowed by Law
There are many disclosures that UMMC makes because they are required by law, and therefore no authorization is required. Some of these include, but are not limited to:
Disclosures about victims of child abuse
Disclosures for judicial proceedings, such as responding to a subpoena
Disclosures for law enforcement purposes
11 What is Considered Treatment Under HIPAA?
Treatment includes the management of healthcare and related services by one or more healthcare providers, including the coordination with a third party, such as a skilled nursing facility; consultations with other providers; or the referral of a patient from one provider to another. The following are examples of treatment activities:
Healthcare staff orally coordinating services at the hospital nursing station.
The teaching physician or dental instructor discussing a patient’s condition during training rounds.
12 Examples of Treatment Continued
A healthcare provider discussing lab test results with a patient or other provider in a joint treatment area.
A dentist referring a patient to an orthodontist.
Nurses or other health care providers discussing a patient’s condition over the phone with the patient, a provider, or a family member.
13 Payment
The billing department uses confidential information to bill patients or their insurance companies for the services they receive.
14 What are Healthcare Operations?
Healthcare operations are activities that UMMC performs on a day-to-day basis in order to stay in business.
Examples of healthcare operations include:
Utilization review activities;
Compliance activities;
Internal auditing activities;
Teaching of students; and/or
Performance improvement activities
15 Disclosures/Releases with Authorizations
Disclosures, other than those previously listed, can be made by UMMC only if the patient signs an authorization. Authorizations, which are sometimes referred to as consents to release, must contain the necessary core elements and statements before the information can be released. Fulfilling an authorization that does not contain the required core elements and statements is a violation of this federal regulation. Only authorized employees can disclose patient information.
17 Several Important Concepts: Concept #1 Need to Know
Only access patient information if you have been assigned some form of responsibility for the patient’s care. Share information about patients only with other individuals who have a “need to know”. Part of protecting our patients’ privacy is to ensure that employees access only that information which they “need to know” in order to perform their job duties. If an employee does not have a valid reason to know a patient’s information, they should refrain from accessing it.
18 Several Important Concepts: Concept #2 Minimum Necessary
It is UMMC policy that each employee use and disclose only that information that is minimally necessary to fulfill a purpose or duty. Only access or view the minimum amount of patient health information necessary to complete your job duties.
19 Several Important Concepts: Concept #3 Patients’ Rights
Under HIPAA, patients have several rights related to their PHI. Below is a comprehensive list of those rights. The next slide shows how you should respond to a patient if they have questions pertaining to those rights.
Right to access and obtain a copy of their medical record;
Right to request an amendment to their health information;
Right to receive an accounting of disclosures;
The right to request that restrictions be placed on the use of his/her PHI even for the purposes of treatment, payment and healthcare operations;
Right to file a complaint;
Right to agree or object to being included in the hospital directory;
Right to request confidential communications; and
Right to a Notice of Privacy Practices
20 Patient Right / How to handle request
Right to access and obtain a copy of their medical record: Refer requests to Release of Information of the respective area
Right to request an amendment to health information: Refer requests to the Office of Integrity and Compliance
Right to receive an accounting of disclosures
The right to request that restrictions be placed on the use of his/her PHI even for the purposes of treatment, payment and healthcare operations
Right to agree or object to being included in the hospital directory: Refer inquiries to Registration
Right to request confidential communications
Right to a Notice of Privacy Practices: Refer inquiries to the Office of Integrity and Compliance
Right to file a complaint: Refer complaints to the Office of Integrity and Compliance
21 Criminal Penalties
Previously, employees who inappropriately accessed, used, or disclosed a patient’s health information were not subject to criminal penalties. UMMC would “take the blame” and the responsible employee would only receive the sanctions listed within the institution’s sanction policy.
Now, if you inappropriately access, use, or disclose a patient’s health information, you can be charged with criminal penalties.
22 Did You Know…
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a final rule, also known as the Omnibus Rule, on January 17, 2013 to enhance privacy and security of health information under HIPAA and the HITECH Act.
23 Revisions to HIPAA and HITECH Act
Among the changes and additions to the privacy laws are:
Business Associate Accountability
Authorizations
Uses/Disclosures of PHI for Marketing and Fundraising
Protection of Decedent PHI
Breach Notifications
Additional Patient Rights
Restrictions on Uses/Disclosures of PHI
Enforcement and Security
Privacy with Genetic Information
24 Business Associate Accountability
Business Associates are defined by services such as creating, receiving, maintaining, or transmitting PHI for a Covered Entity.
They include Patient Safety Organizations (PSOs), health information organizations (HIOs), and subcontractors.
Accountable for the following:
Uses/disclosures of PHI which do not follow its agreement or the Privacy Rule;
Failure to provide notification of a breach;
Failure to provide an accounting of disclosures;
Failure to report PHI to the Secretary;
Failure to comply with the Security Rule.
Held to the Minimum Necessary Standard.
25 Authorizations
Uses/disclosures for marketing and the sale of PHI require an Authorization.
Authorizations for research can combine conditioned and unconditioned Authorizations as long as the research elements are identified separately.
Written Authorization is not required for disclosure of proof of immunization to schools.
Authorizations for research can include authorization for future research as long as it is stated clearly.
26 Uses/Disclosures of PHI for Marketing and Fundraising
Limits are placed on communication considered to be health care operations if a Covered Entity receives financial remuneration (payment) from a third party in exchange for the communication.
If financial remuneration is received, an Authorization for release of information is required by the Covered Entity.
Exceptions: prescription refill reminders, face-to-face communication, and promotional gifts of minimal value.
Fundraising
A Covered Entity must provide a recipient of fundraising communication the opportunity, without unnecessary burden, to opt out of receiving communications and ensure future communication is discontinued if the recipient chooses to opt out.
27 Protection of Decedent PHI
Identifiable information of a person who has been deceased for more than 50 years is no longer PHI.
Disclosures of decedent information to family members are allowed, unless it is not consistent with known preferences expressed by the individual.
28 Breach Notifications
PHI inappropriately released without authorization is assumed to be a breach unless the Covered Entity can prove, through a risk assessment, that there is a low probability the PHI was compromised.
Risk assessments identify the type of PHI involved, the persons involved, whether the PHI was actually acquired or viewed, and the degree to which the risk to the PHI has been reduced.
All breaches involving fewer than 500 individuals must be reported no later than 60 days after the end of the calendar year in which the breach was detected.
Limited data sets with dates or zip codes are no longer exempted from breach notification.
29 Additional Patient Rights
The right to request and receive, at a reasonable cost, their health information in electronic format if the information is maintained as an Electronic Health Record (EHR).
The right to apply restrictions on disclosures made to Covered Entities for any item or service for which the patient has paid the full cost out of pocket.
The right to receive a full accounting of disclosures made by the Covered Entity or Business Associate involving treatment, payment, or health care operations during the previous three years.
30 Restrictions on Uses/Disclosures
When restrictions on uses/disclosures of PHI to a health plan are enacted, the Covered Entity must use some type of notification in the medical record to identify the restrictions placed.
Patients are responsible for notifying other entities of requested restrictions on uses/disclosures of PHI to a health plan.
31 Enforcement and Security
HIPAA rules continue to preempt State law, unless the State law is more stringent.
OCR will investigate and penalize violations due to willful neglect.
Willful neglect is defined as a conscious failure.
Willful neglect is included in civil money penalties.
Organizations must evaluate and revise security measures to ensure protection of electronic PHI.
32 Privacy with Genetic Information
The HIPAA Privacy Rule identifies genetic information as PHI, which is in alignment with the Genetic Information Nondiscrimination Act (GINA).
Most health plans cannot use or disclose genetic information for underwriting purposes.
33 Brief Pointers
Family and Friends: you should not access health information of family or friends if you do not have a need to know.
VIPs: do not access health information of individuals who are of public interest unless you have a need to know.
Passwords: do not share passwords. We audit, and you will be held responsible. This includes portable devices.
Disposing of Patient Information: if it is in printed format, it must be disposed of properly. NEVER throw it away in the regular garbage without at least shredding it by hand.
Ongoing Monitoring: we perform ongoing monitoring of access into patient health information, including employee-to-employee access.
IF WE FIND YOU ARE NOT CONNECTED TO THE PATIENT’S CARE OR DO NOT HAVE THE APPROPRIATE “NEED TO KNOW” TO COMPLETE YOUR JOB DUTIES, YOU WILL BE HELD ACCOUNTABLE.
34 More Information
IF YOU HAVE QUESTIONS:
See Policies and Procedures Online (UMMC Intranet)
Contact the Office of Integrity and Compliance
IF YOU NEED TO REPORT A VIOLATION:
Directly to your superior
Compliance Hotline
Compliance Report Form
35 Question 1
What does HIPAA stand for?
a. Healthcare Information Policy and Assessment
b. Health Insurance Portability and Accountability Act
c. Health Information Privacy Act and Association
36 Question 1: CORRECT
37 Question 1: INCORRECT
38 Question 2
Lucy’s friend was admitted into the ICU for care. Because Lucy is a UMMC employee, she does not have to follow the visitation policy and can use her badge to go into the ICU to visit her friend at any time.
TRUE / FALSE
39 Question 2: CORRECT
40 Question 2: INCORRECT
41 Question 3
UMMC has created policies and procedures to help facilitate institutional compliance with the HIPAA privacy regulations.
TRUE / FALSE
42 Question 3: CORRECT
43 Question 3: INCORRECT
44 The End of HIPAA Training
Please close out of this presentation and proceed to the next training presentation.