PROTECTING CLIENT DATA HIPAA, HITECH AND PIPA PART 1A 2014 DHS IT Security & Privacy Training 1.


2 PROTECTING CLIENT DATA HIPAA, HITECH AND PIPA PART 1A 2014 DHS IT Security & Privacy Training 1

3 MODULE #1A WILL COVER…
- What is HIPAA?
- HIPAA & Privacy Security Rule
- Who does HIPAA apply to?
- HIPAA Terms
- Release of Information/Identity Verification
- Documenting Disclosure

4 TOPICS CONTINUED…
- Safeguarding Protected Health Information (PHI) and Personally Identifying Information (PII)
- Breach Notification
- Enforcement under HITECH Act
- Arkansas Personal Information Protection Act State Law Act

5 WHAT IS HIPAA?
- HIPAA is a federal law named the Health Insurance Portability and Accountability Act.
- Its purpose is to provide a national standard for the protection of health information.
- State or other Federal laws may provide greater protections than HIPAA.

6 WHAT IS HIPAA CONTINUED…
HIPAA applies to both:
- Privacy of confidential information
- Security of confidential information
Privacy and Security of confidential information must work together. If you do not use one, the other will not work.

7 HIPAA AND THE PRIVACY RULE
- Protects individual health care data
- Defines how PHI may be used or disclosed
- Gives clients privacy rights and the right to access their health information
- Outlines ways to safeguard PHI
- Works with PIPA or Act 1526
The HIPAA Security Rule works with the Privacy Rule protecting electronic forms of PHI.

8 WHO DOES HIPAA APPLY TO?
DHS is a hybrid entity – meaning it has both covered and non-covered functions under HIPAA.
- Health Plans (DMS/Medicaid)
- Providers (DAAS, DBHS, DDS, DYS): health care providers who conduct one or more of the HIPAA-defined transactions electronically
- Business Associates: contractors who work for the divisions listed above

9 IMPORTANT HIPAA TERMS
Protected health information (PHI) is information which identifies an individual or offers a reasonable basis for identification and is created or received by a health plan or health care provider. It relates to past, present, or future physical or mental health, the provision of health care, or payment for health care.

10 HIPAA TERMS CONTINUED…
- Use: When you review or use PHI within your division -- for example: for internal audits, training, customer service, quality improvement.
- Disclosure: When you release or provide PHI to someone outside your division -- for example: giving data to OCC or to an outside attorney or to another provider.

11 HIPAA TERMS CONTINUED…
Minimum Necessary: To use or disclose only the minimum necessary to accomplish the intended purposes of the use, disclosure or request.
- Employees must be given only the access to PHI needed to do their jobs.
- Outside organizations must only be given the PHI needed to accomplish the purpose for which the request was made; the exception is treatment requests.

12 EXAMPLE
Sally works in a DHS county office and sees a fellow caseworker’s file on the desk. She notices the name on the folder is her soon-to-be ex-husband’s girlfriend. Sally looks in the file and sees that she has applied for Medicaid and ARKids First. Sally is going through a bitter divorce along with a custody battle and thinks any information that she can give to her attorney will help her case. Sally makes copies of the file, takes them home with her and plans to show them to her attorney.
Would this be a Permissible Use or Disclosure?

13 No – this is an impermissible disclosure under HIPAA.
- If you do not need PHI to do your job, then you should not access it. This is a HIPAA violation and may result in discipline and even termination.
- Never let anyone talk you into accessing information on a family member, friend, cousin, etc.
- If you are aware of someone who is accessing DHS data outside of the scope of their job, report it immediately: https://dhs.arkansas.gov/reporting

14 WHERE IS PHI FOUND?
PHI can be found in:
- Client Folders
- Medical Records
- Invoices
- s
- Letters

15 YOU MAY BE ASKED TO DISCLOSE INFORMATION CONTAINING PHI…
Often, PHI must be redacted or blacked out so that it is not visible before disclosing it. How do you know what to redact? On the next two slides we will go over what are considered the PHI Identifiers. These elements need to be redacted before disclosing PHI.

16 PHI IDENTIFIERS
- Names
- Medical Record Numbers
- Social Security Numbers
- Account Numbers
- License/Certification numbers
- Vehicle Identifiers/Serial numbers/License plate numbers
- Internet protocol addresses
- Health plan numbers

17 PHI IDENTIFIERS CONTINUED…
- Full-face photographic images and any comparable images
- Any dates related to any individual (date of birth, telephone numbers)
- Fax numbers
- addresses
- Biometric identifiers including finger and voice prints
- Any other unique identifying number, characteristic or code that could reasonably be used to identify the owner of the PHI

18 WHAT IS DE-IDENTIFIED DATA?
Under HIPAA's "safe harbor" standard, information is considered de-identified if all of the PHI Identifiers in the previous two slides have been removed, and there is no reasonable basis to believe that the remaining information could be used to identify a person.

