1. Are you ready for HIPPO???
Welcome to HIPAA
What is HIPAA? HIPAA is the Healthcare Insurance Portability and Accountability Act. HIPAA is federal law managed and enforced by the Center for Medicare and Medicaid Services (CMS).
HIPAA creates a framework for managing patient health information in verbal, paper, and electronic form. HIPAA also provides standards for electronic transactions, and covers building security.
Who does it apply to? HIPAA affects nearly everyone in healthcare: providers, payers, pharmaceutical companies, and hospitals. HIPAA affects all employees and operations of a “covered entity”, as well as business vendors and suppliers who provide services and products.
v. 05/15/2014

2. the Privacy Rule Protected Health Information (PHI)
PHI is any information about the past, present or future, physical or mental health of a patient, AND which individually identifies that individual. Examples of individual identifiers include name, address, SSN, family members’ names, insurance numbers, etc.
PHI may exist in any form: on paper, in verbal conversations, or in electronic form.
Can you identify PHI at your facility?
v. 05/15/2014

3. How do we manage PHI?
HIPAA places few restrictions on the use or disclosure of PHI in treatment, payment or healthcare operations (TPO). HIPAA recognizes that providers and employees of a covered entity need wide access to PHI to deliver quality healthcare efficiently.
TREATMENT includes the provision of healthcare services, and also
consulting between providers about a patient
referring a patient to another provider
PAYMENT includes interaction with insurance companies & other payers
Eligibility determination
billing, claims, reimbursement
Preauthorization
utilization review
HEALTHCARE OPERATIONS include activities such as:
·         quality assessments | outcome evaluations |  internal business planning
v. 05/15/2014

4. Minimum Necessary Standard
For any internal use of PHI, everyone must make a reasonable, good faith effort to share only the minimum amount of PHI necessary to accomplish the intended purpose.
Be aware that many purposes, such as treatment, may well require extensive use of PHI.
Exception – does not apply to disclosures of PHI made to other healthcare providers
v. 05/15/2014

5. Applying the Minumum Necessary Standard
Restrict amount of PHI used
Is ALL this PHI needed now?
Restrict physical access to PHI
Is the PHI secure ?
Restrict access to certain persons
Does everyone need to see this?
Remember - PHI exists in verbal, paper, and electronic form
v. 05/15/2014

6. Notice of Privacy Practices (NPP)
The NPP is a document required by HIPAA that explains patient rights regarding their PHI. The NPP explains how we will use PHI for treatment, payment and healthcare operations. It also describes patients’ right to …
Inspect their PHI (medical record)
Make copies of their PHI
Request changes to their PHI
Request an accounting of non-TPO disclosures of PHI
The NPP must be given to the patient, or their legal representative, at the first encounter for healthcare services. You must make a good faith effort to obtain a signed acknowledgement of the patient’s receipt of the NPP. Keep this acknowledgement form.
v. 05/15/2014

7. Authorization Form
An Authorization Form is required for disclosures of PHI which are not part of treatment, payment, or healthcare operations. An example would be a release of PHI to a law firm.
The Authorization Form must include a specific description of the PHI to be disclosed, must identify the recipient of the PHI, and must include the dates which the Authorization covers.
A log must be kept of all disclosures made under the Authorization.
A patient may refuse to sign the Authorization.
v. 05/15/2014

8. Business Associates
Other individuals and organizations, who are NOT healthcare providers, may also have access to PHI. Examples include medical records storage companies, technical support vendors, etc.
Note that other healthcare providers are not Business Associates. This would include hospital and clinical labs.
All Business Associates must sign an Agreement promising to protect and safeguard PHI in same manner as the covered entity.
v. 05/15/2014

9. HIPAA Security
HIPAA Security focuses on PHI which is in electronic format, including computer systems, fax machines, answering machines, internet, CDs, medical equipment, etc. Security also focuses on building security for the protection of PHI.
Use special care when handling PHI in electronic format. Do not throw away PHI in electronic format.
Do not share passwords, keys, or other means of access with other employees.
Be aware of building security regarding physical access, visitors, and emergency procedures.
Report all suspected violations of Security policy to immediate supervisor or the Privacy Officer.
v. 05/15/2014

10. HIPAA Enforcement
HIPAA enforcement comes under CMS and Office of Civil Rights. For the most part, enforcement actions are complaint-driven. An individual patient generally has no private right to sue under HIPAA.
There is no regular HIPAA audit program, but that is changing.
All a provider’s employees and Business Associates are responsible for HIPAA and are thus subject to enforcement actions.
There are civil penalties, usually fines, associated with HIPAA violations.
v. 05/10/2012

11. Are you HIPPO compliant ??
HIPAA in a Nutshell
Always protect and safeguard PHI. Help to create an atmosphere of privacy and professionalism when using PHI.
Honor the rights of patients regarding their PHI. Use the proper forms as required under HIPAA.
Remember that persons and organizations outside Jones Clinic may also access PHI and know the rules which govern this use.
Remember that most violations of HIPAA are not intentional but are due to carelessness or sloppy work habits.
Ask the Privacy Officer or your management team if you have questions about HIPAA. Report all violations of HIPAA as instructed.
v. 05/15/2014