How DHHS Privacy Policies Affect You


1 How DHHS Privacy Policies Affect You
PRIVACY TRAINING: How DHHS Privacy Policies Affect You
Prepared by: NC DHHS HIPAA Office, April 2003

2 Training Goals
- To increase your knowledge and understanding of privacy and individually identifiable health information (IIHI), where IIHI could be found in this agency, what threats may exist to privacy in this agency, and why information you access must be kept private.
- To promote awareness of your role in helping this agency follow Privacy Procedures implemented according to DHHS Privacy Policies.
- To provide information about to whom you can go with questions about privacy.
- To inform you about your reporting responsibilities when privacy violations occur.
- To alert you to the possible penalties for violation of agency Privacy Procedures and DHHS Privacy Policies for both you and this agency.
- To understand that privacy also protects you.
Slide NC DHHS HIPAA Office

3 BACKGROUND

4 HIPAA
Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law , Is a Federal Law That Provides:
- Portability - Guarantees health insurance when employees change jobs.
- Accountability - Protects health data integrity, confidentiality, and availability. Reduces fraud and abuse. Gives patients more control over their health information.
- Administrative Simplification - Reduces paperwork and associated administrative costs.
- Data Standardization - Establishes standards for transmission of electronic transactions (EDI, Code Sets, and Identifiers).
- Privacy and Security - Requires reasonable measures to protect individuals' health information.

5 HIPAA HIPAA Is Comprised of Five Titles (Sections).
This Training Addresses One of the Components of Title II - Administrative Simplification.

6 HIPAA
HIPAA Administrative Simplification Contains Seven Components, or Regulation Areas - This Training Focuses on the Privacy Regulation.

7 HIPAA Who Must Comply?
Covered Entities
- Health Care Providers that conduct standard transactions electronically (e.g., DMH/DD/SAS, DMA, DPH)
- Health Plans that provide or pay the cost of medical care (e.g., Medicaid, Medicare, Champus, BC/BS, HMOs). Excludes government funded programs whose primary mission is not providing for or paying the cost of medical care (e.g., Willie M. and Thomas S.)
- Clearinghouses
DHHS has been determined to be a hybrid entity, which means that only specific programs of the agency are covered. These covered programs are known as Covered Health Care Components (HCCs).
- Trading Partners who electronically exchange IIHI with covered entities.
- Business Associates who perform covered functions or activities for or on behalf of a covered entity that involve the use of IIHI.

8 HIPAA HIPAA Privacy Rule
- For the first time, provides national standards to protect individuals' medical records and other personal health information.
- Clients have more control over their health information.
- Sets boundaries on use and disclosure of health information.
- Establishes appropriate safeguards to protect health information.
- Holds violators accountable.
- Strikes a balance between privacy of health information and the public's need to know (e.g., reporting of communicable diseases).

9 HIPAA Why HIPAA? Why Now?
- Promotes public trust.
- Comes at a time when technology can meet the requirements.
- Monitors the use of health information.
- Establishes a floor for acceptable privacy and security standards for health care information. However, stricter state laws will preempt HIPAA.

10 HIPAA Why Comply with HIPAA?
- Organizations can continue business relationships within the health care community.
- Avoid denied claims or delayed payments from health plans.
- Organizations and individuals avoid severe criminal and civil penalties for non-compliance.
- DHHS staff avoid being subjected to personnel sanctions (e.g., disciplinary actions, loss of employment).

11 HIPAA Penalties for Failure to Comply with HIPAA
CIVIL
- $100 fine per person per violation
- $25,000 fine per year for multiple violations
- $25,000 fine cap per year per requirement
CRIMINAL
- Knowingly or wrongfully disclosing or receiving IIHI protected by HIPAA: $50,000 fine and/or one year prison time
- Commit offense under false pretenses: $100,000 fine and/or five years prison time
- Intent to sell IIHI protected by HIPAA or client lists for personal gain or malicious harm: $250,000 fine and/or ten years prison time

12 HIPAA Enforcement
- Centers for Medicare and Medicaid Services (CMS) is the designated enforcement agency for the HIPAA Transactions, Code Sets, Identifiers, and Security Standards.
- US HHS Office for Civil Rights (OCR) is the designated enforcement agency for the HIPAA Privacy Regulation.
- US Department of Justice (DOJ) will be involved in criminal privacy violations. This agency will issue penalties such as fines and imprisonment.
The HIPAA Enforcement Regulation Will Provide More Information When Finalized.

13 FOR MORE HIPAA INFORMATION
More Information About HIPAA Is Available on the Following Web Sites:
- US Department of Health and Human Services - HIPAA Administration Simplification
- Office of Civil Rights (Privacy Information)
- Centers for Medicare and Medicaid Services (Transactions, Code Sets, Identifiers and Security Information)
- DHHS HIPAA Web Site

14 DHHS HIPAA INITIATIVE
DHHS HIPAA Office Established in June 2000.
- Identified DHHS HCCs and Internal Business Associates (those within DHHS) and External Business Associates (outside DHHS).
- Conducted Assessments for: Transactions and Code Sets; Privacy; Preliminary Security.
- Develops DHHS Privacy Policies to Comply with HIPAA Privacy Requirements.
- Provides Guidance for HIPAA Activities in DHHS Agencies (e.g., DMA, DMH/DD/SAS, DIRM).

15 DHHS HIPAA INITIATIVE
DHHS Agencies
- Designated HIPAA Coordinators and Privacy Officials.
- Formed agency HIPAA implementation teams.
- Identified initial security risks.
- Remediate systems and update business processes impacted by Transactions and Code Sets and Privacy Rules.
- Create/update procedures to implement the DHHS Privacy Policies.
- Provide training on updated systems, business processes, and privacy policies/procedures.

16 AGENCY HIPAA EFFORTS
What Does HIPAA Mean for Our Agency? We Must:
- Remediate systems and business processes for transaction, code sets, and identifier requirements.
- Identify privacy practices.
- Remediate systems and processes for privacy requirements.
- Develop clear privacy procedures to safeguard IIHI.
- Provide training for staff regarding agency privacy procedures (this and any other subsequent training).
- Provide appropriate safeguards for all forms of IIHI.

17 PRIVACY AND YOU

18 WHAT IS PRIVACY?
Definition
Privacy is the right of the individual to have his/her individual health information protected from unauthorized use and disclosure.
Related Privacy Terms
- Individually Identifiable Health Information (IIHI) is health information that contains specific elements or details by which a person can be identified (e.g., address, facial photograph, Social Security Number).
- A Business Associate is a person or entity that performs a function that requires the creation, use, or disclosure of IIHI on behalf of or for a covered health care component, but is not considered part of the covered component's workforce.
- A DHHS agency that performs a covered function or activity for another DHHS agency is called an Internal Business Associate.
- A business associate that is not part of DHHS (e.g., a state government agency outside of DHHS or a private vendor) is called an External Business Associate.

19 WHAT IS PRIVACY? Related Privacy Terms - (cont'd)
- Authorization is a client's permission for the use and disclosure of his/her health information for a specific purpose.
- Minimum Necessary means making reasonable efforts to limit the use of health information to only that needed to accomplish the intended purpose of the use, disclosure, or request.
- To Use IIHI means to share, employ, apply, utilize, examine, or analyze health information within the organization that maintains such information.
- To Disclose IIHI means to release, divulge, transfer, or provide access to health information to persons or organizations outside of the organization holding the information.

20 WHY IS PRIVACY IMPORTANT?
- Individuals Will Know That Their Sensitive Health Information Will Be Protected from Inappropriate Disclosures.
- Individuals Will Be More Open With Health Care Providers Concerning Their Health Information.
- Morally and Ethically the Right Thing to Do.
- Removes Fear of Discrimination Based on Health Information.

21 WHY IS PRIVACY IMPORTANT?
Improper Use and Disclosure of IIHI Could:
- Impact your health care: A 13-year old daughter of a hospital employee had access to a list of patient names and phone numbers when visiting her mother at work. As a joke, the girl called the patients and informed them that they had been diagnosed with HIV.
- Impact your personal life: A hospital clerk took the treatment records of three patients to a local bar where he discussed the records with others. The patients' confidentiality was breached and they were awarded $2.3 million by a jury.
- Impact your professional life: A historically good employee was fired after his employer learned of the employee's positive test for a genetic illness that could lead to lost work time and increased insurance costs.
- Impact your financial status: A banker who also served on his county's health board cross referenced his banking customers with patient information. He called due mortgages of anyone suffering from cancer.

22 INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (IIHI)
What and Where

23 WHAT IS IIHI?
Individually Identifiable Health Information (IIHI) Is health information that contains specific elements or details by which a person (living or dead) can be identified.
IIHI Can Exist or Be Transmitted Via:
- Paper
- Oral Communication
- Electronic
  - Information system applications
  - Internet, intranet, extranet, faxes
  - Computer screens
  - Storage devices - magnetic tapes, floppy disks, CDs, optical devices

24 EXAMPLES OF IIHI
Health Information Associated With Any Of the Following Individual Identifiers For a Client, a Client's Relatives, Employer, or Other Household Members Of That Client Is IIHI:
- Names
- Addresses (including zip code)
- Dates (birth and death dates, admission/discharge dates, etc.)
- Telephone and Fax Numbers
- Addresses
- Social Security Number (SSN)
- Medical Record Number
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate/License Numbers
- Vehicle Identifiers, Serial, and License Plate Numbers
- Device Identifiers and Serial Numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) Address Numbers
- Biometric Identifiers (finger prints, voice print, etc.)
- Full Face Photographic Images or Comparable Images
- Any Other Identifying Number, Characteristic, or Code

25 WHERE IS IIHI IN THIS AGENCY?
IIHI Could Be Found In the Following Locations:
- Paper Based
  - Medical Record Departments
  - Nursing Stations
  - Client Accounting Departments
  - Admissions
  - Utilization Review
  - Risk Management
  - Radiology
  - Clinical Laboratory
  - Outpatient Clinics
  - Other areas where health information is routinely stored
- Electronic Media
  - Computer applications and systems
  - Computer Screens
  - Local drives on computers (files, Temp files, databases, etc.)
  - Magnetic tapes, floppy diskettes, CDs, etc.
  - Faxes

26 PRIVACY POLICIES AND PROCEDURES
- DHHS Privacy Policies
- Agency Privacy Procedures
- Sanctions and Mitigation
- Who to Contact

27 DHHS PRIVACY POLICIES
The DHHS HIPAA Oversight Committee Is Adopting Departmental Privacy Policies that Comply With the HIPAA Privacy Requirements.
- Policies are drafted by the DHHS HIPAA Office.
- Policies are reviewed and approved by: DHHS Agency Privacy Officials; DHHS HIPAA Coordinators; HIPAA Attorney in the NC Office of the Attorney General.
- Policies are published online at

28 DHHS PRIVACY POLICIES
The DHHS Privacy Policies Are:
- Privacy Protections
- Privacy Official
- Workforce
- Safeguards
- Privacy Complaints
- Business Associates
- Legal Occurrences
- Authorizations
- Use and Disclosure
- Accounting of Disclosures
- De-identification of PHI
- Minimum Necessary
- Research
- Marketing and Fundraising
- Notice of Privacy Practices
- Client Privacy Rights
- Personal Representatives
- Designated Record Sets

29 POLICY: PRIVACY PROTECTIONS
The DHHS Privacy Protections Policy Requires:
- DHHS to develop privacy policies based on the HIPAA Privacy Rule as well as state and other federal laws.
- DHHS to determine agencies that must comply with each policy.
- Agencies within the scope of each DHHS Privacy Policy to develop agency-specific procedures to implement the departmental policy.

30 POLICY: PRIVACY OFFICIAL
The DHHS Privacy Official Policy Requires HCCs and Internal Business Associates To appoint an Agency Privacy Official who is responsible for the following privacy activities:
- Serve as primary agency contact for privacy issues and concerns regarding the use and disclosure of health information and for client rights regarding health information.
- Serve as the agency liaison to the DHHS Privacy Officer for privacy-related activities.
- Coordinate, facilitate, and assist in agency efforts to develop and implement privacy compliance activities such as: procedures development; training; monitoring agency practices; contact for questions and complaints.

31 POLICY: WORKFORCE
The DHHS Workforce Policy Requires All DHHS Agencies That Maintain IIHI:
- To provide privacy training to all staff (permanent employees, contractors, temps, volunteers, etc.).
- To obtain signed Confidentiality Agreements from all agency staff.
- To develop and issue appropriate sanctions if staff do not comply with agency privacy procedures and DHHS Privacy Policies.
- To not discriminate against, intimidate, threaten, coerce, or take any retaliatory actions against staff who report questionable privacy activities.
- To properly identify staff, as appropriate to the agency.

32 POLICY: SAFEGUARDS
The DHHS Safeguards Policy Requires All DHHS Agencies That Maintain IIHI:
- To identify and develop appropriate safeguards that protect the IIHI that is maintained by the agency.
- To implement reasonable measures to safeguard IIHI from intentional or unintentional use or disclosure.
- To provide training to ensure staff are made aware of acceptable practices and procedures that safeguard information to which staff have access.
- To monitor and document any violations of the agency's safeguard procedures.

33 POLICY: SAFEGUARDS
How to Safeguard IIHI - Examples
- Don't discuss IIHI in public areas.
- Ensure unescorted visitors do not enter areas designated for staff use only.
- Position your computer monitor so that it cannot be viewed by someone walking past your work area.
- Keep your passwords private.
- Don't store IIHI on personal computers.
- Log out of applications containing IIHI when you leave your computer.
- Lock all portable electronic media containing IIHI (tapes, floppy disks, CDs, etc.) in a locked room, filing cabinet, or drawer when not in use.
- Lock all paper IIHI in a room or filing cabinet when not in use.
- Don't post paper containing IIHI in public areas such as hallways or conference rooms.
- Pick up all printed/faxed IIHI immediately.
- Dispose of paper based IIHI by shredding or placing in locked shred bins.

34 POLICY: PRIVACY COMPLAINTS
The DHHS Privacy Complaints Policy Requires All DHHS Agencies That Maintain IIHI:
- To designate a contact person to resolve complaints concerning agency privacy practices.
- To forward all documentation related to complaints to CARE-LINE. CARE-LINE, in the Office of Citizen's Affairs, has been designated to receive/document all privacy complaints received by DHHS.
- Any complaint that cannot be resolved by the agency or CARE-LINE must be forwarded to the DHHS Privacy Officer.

35 POLICY: PRIVACY COMPLAINTS
DHHS Privacy Complaints Policy (cont'd)
CARE-LINE contact information:
- Telephone Voice (English or Español): North Carolina Only: ; Local & Out of State: (919)
- Dedicated Text Telephone (TTY) for Hearing Impaired: TTY Local: (919) ; TTY Toll-Free:
- FAX: (919)
- Postal Address: 2012 Mail Service Center, Raleigh, NC

36 POLICY: BUSINESS ASSOCIATES
The DHHS Business Associate Policy Requires HCCs and Internal Business Associates:
- To identify Business Associates: Internal Business Associates (other agencies within DHHS); External Business Associates (Non DHHS NC State Government Agencies and the private sector). Note: The Guidance for Identifying Business Associates and Business Associate Questionnaires tools can assist you with this task. These are available at
- To develop Business Associate Addenda to be attached to DHHS contracts or Memoranda of Understanding that identify privacy protection requirements for External Business Associates. The Business Associate MOU/Contract Addenda are available at

37 POLICY: LEGAL OCCURRENCES
The DHHS Legal Occurrences Policy Identifies Instances when IIHI MAY BE Disclosed, According to Legal Requirements:
- Judicial and Administrative Proceedings: Court Order; Subpoena; Protective Order
- Law Enforcement Purposes: Required in NC Statutes; Victims of Crime; Decedents; Reporting Crime in Emergency

38 POLICY: AUTHORIZATIONS
The DHHS Authorizations Policy Requires DHHS Agencies That Serve Clients:
- To disclose IIHI only upon authorization by the client (or personal representative), unless state or federal law allows for specific exceptions.
- Authorizations obtained or received for disclosure of IIHI must contain all the elements in the DHHS Authorizations Form (available at
- Note that an authorization permits, but does not require, a DHHS agency to disclose IIHI.

39 POLICY: USE AND DISCLOSURE
The DHHS Use and Disclosure Policy Identifies The Following Permitted Uses and Disclosures of IIHI:
- With and without authorization
- For treatment purposes
- When included in psychotherapy notes
- When state or federal Law is more stringent
- For oversight/exception to oversight purposes
- For decedents
- For public health activities
- When specified for specialized government functions
- Within/outside the agency
- To a client

40 POLICY: ACCOUNTING OF DISCLOSURES
The DHHS Accounting of Disclosures Policy Requires HCCs and Internal Business Associates:
- To document certain disclosures of IIHI.
- To provide the client with an accounting of disclosures of the client's IIHI made by the agency or a business associate of the agency upon client request.
- To maintain accountings of disclosures for a duration of six years prior to the request date.
- To develop a process for determining charges for providing the accounting of disclosures.

41 POLICY: DE-IDENTIFICATION OF PHI
The DHHS De-identification of Health Information and Limited Data Sets Policy Requires HCCs and Internal Business Associates:
- To ensure staff are aware of specific elements that are considered identifying elements.
- To evaluate appropriate IIHI for use or disclosure to determine if the individual identifiers should be eliminated (i.e., the data should be de-identified).
- To identify those instances when a Limited Data Set, which contains limited identifying elements, may be appropriate for use/disclosure.

42 POLICY: DE-IDENTIFICATION OF PHI
DHHS De-identification of Health Information and Limited Data Sets Policy (cont'd)
Limited Data Sets can contain the following identifiers for the client, employer, relatives or other household members of that client:
- State, County, City or Town, Zip Code
- Birth date, admission date, discharge date, date of death
- Age
- A unique identifying number, characteristic, or code, exclusive of identifiers, that is not a Social Security Number, account number, medical record number, health plan beneficiary number, certificate/license number, vehicle identification number/serial number or license plate number, device identifier or serial number, IP address, or telephone number.
Data Use Agreements must be based on the DHHS Data Use Agreement template (available at
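The identifier list on the Examples of IIHI slide and the Limited Data Set rules above translate directly into a data filter. The following Python is an added example, not part of the NC DHHS training or of any DHHS system; the field names, the use of `study_code` as the "unique identifying code", and the sample record are assumptions constructed for illustration. It treats every geographic field as part of "Addresses" (the conservative reading), strips all listed identifiers to produce a de-identified view, keeps only the identifiers the slide permits to produce a Limited Data Set view, and rejects a Limited Data Set whose unique code is merely a copy of a prohibited identifier such as the medical record number.

```python
# Added example: de-identification and Limited Data Set filters built from the
# identifier categories on the "Examples of IIHI" slide and the Limited Data Set
# rules on the "De-identification of PHI" slides. Not DHHS code; field names and
# the sample record are assumptions made for illustration.

# Record fields treated as individual identifiers (assumed names mapped onto the
# slide's categories). All geographic fields are counted as part of "Addresses";
# study_code stands for "any other identifying number, characteristic, or code".
IDENTIFIER_FIELDS = {
    "name", "address", "city", "county", "state", "zip",
    "birth_date", "death_date", "admission_date", "discharge_date",
    "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number", "license_number",
    "vehicle_identifier", "device_serial", "url", "ip_address",
    "biometric", "photo", "study_code",
}

# Identifiers a Limited Data Set may still contain (age is not an identifier on
# the slide, but it is listed as permitted, so it is named here for clarity).
LDS_PERMITTED = {
    "state", "county", "city", "zip",
    "birth_date", "admission_date", "discharge_date", "death_date",
    "age", "study_code",
}

# Fields whose value must never be reused as the Limited Data Set's unique code.
CODE_MUST_NOT_BE = {
    "ssn", "account_number", "medical_record_number",
    "health_plan_beneficiary_number", "license_number", "vehicle_identifier",
    "device_serial", "ip_address", "phone",
}

# Identifiers that may appear in IIHI only, never in a Limited Data Set.
DIRECT_IDENTIFIERS = IDENTIFIER_FIELDS - LDS_PERMITTED


def de_identify(record: dict) -> dict:
    """Drop every identifier field; what remains carries no listed identifier."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


def limited_data_set(record: dict) -> dict:
    """Keep non-identifying fields plus the identifiers a Limited Data Set may hold.

    Raises ValueError when the study code is just a copy of a prohibited
    identifier (for example, someone reused the medical record number as the
    'unique code'), since that would re-identify the record.
    """
    code = record.get("study_code")
    if code is not None:
        reused = {record[f] for f in CODE_MUST_NOT_BE if f in record}
        if code in reused:
            raise ValueError("study_code duplicates a prohibited identifier")
    return {k: v for k, v in record.items()
            if k not in IDENTIFIER_FIELDS or k in LDS_PERMITTED}


def classify(record: dict) -> str:
    """Label a record the way the policy does before it is used or disclosed."""
    keys = set(record)
    if keys & DIRECT_IDENTIFIERS:
        return "IIHI"
    if keys & IDENTIFIER_FIELDS:
        return "limited data set"
    return "de-identified"


SAMPLE_RECORD = {  # constructed sample, not real data
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-77013",
    "address": "1 Example St",
    "city": "Raleigh",
    "state": "NC",
    "zip": "27601",
    "phone": "919-555-0100",
    "birth_date": "1960-01-15",
    "admission_date": "2003-03-02",
    "age": 43,
    "diagnosis": "hypertension",
    "study_code": "S-1042",
}

if __name__ == "__main__":
    for view in (SAMPLE_RECORD, limited_data_set(SAMPLE_RECORD), de_identify(SAMPLE_RECORD)):
        print(classify(view), sorted(view))
```

The `classify` function is the useful check: run it on whatever is about to leave the agency, and anything that comes back as "IIHI" needs an authorization or a listed exception, while "limited data set" needs a Data Use Agreement.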

43 POLICY: MINIMUM NECESSARY
The DHHS Minimum Necessary Policy Requires All DHHS Agencies That Maintain IIHI:
- To make reasonable efforts to limit IIHI to only that which is necessary to accomplish the intended purpose of the use, disclosure, or request for information.
- To evaluate current practices to limit inappropriate or unnecessary use or disclosure of IIHI by: determining what health information is the minimum necessary to accomplish each job/role in the agency; requesting modifications to existing computer applications to support User/Role-based security (i.e., access controls) as needed; ensuring staff have access to only the health information required to perform their job duties.

44 POLICY: MINIMUM NECESSARY
DHHS Minimum Necessary Policy (cont'd)
Minimum necessary does not apply to:
- Disclosures to or requests by a health care provider for treatment.
- Uses or disclosures made to a client to whom the information applies.
- Uses or disclosures authorized by the client (or the client's personal representative).
- The Secretary of the United States Department of Health and Human Services for compliance enforcement.
- Uses or disclosures required by law.
- Uses or disclosures required for compliance with the HIPAA Privacy Rule.
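The "User/Role-based security" the policy asks applications to support is, in code, a per-role field profile applied to every record read, with the exceptions above letting the full record through for the listed purposes. The Python below is an added example, not DHHS code; the roles, their field lists and the sample record are assumptions (each agency decides what is minimum necessary for its own jobs), and the unknown-role case fails closed.

```python
# Added example: enforcing "minimum necessary" with role-based field access plus
# the exceptions the policy lists. Not DHHS code; roles, field profiles and the
# sample record are assumptions made for illustration.
from typing import Optional

# Fields each job role needs to do its work (assumed; an agency decides its own).
ROLE_FIELDS = {
    "billing_clerk": {"name", "account_number", "health_plan_beneficiary_number",
                      "admission_date", "discharge_date"},
    "scheduler": {"name", "phone", "admission_date"},
    "quality_analyst": {"diagnosis", "age", "admission_date", "discharge_date"},
}

# Purposes to which the policy says minimum necessary does not apply.
FULL_RECORD_PURPOSES = {
    "treatment",               # disclosure to / request by a provider for treatment
    "client_self",             # use or disclosure to the client the IIHI is about
    "client_authorized",       # authorized by the client or personal representative
    "hhs_secretary",           # US HHS Secretary, for compliance enforcement
    "required_by_law",
    "privacy_rule_compliance",
}


def minimum_necessary_view(record: dict, role: Optional[str] = None,
                           purpose: Optional[str] = None) -> dict:
    """Return the subset of `record` the caller may see.

    A listed exception purpose gets the full record; otherwise the role's
    profile applies, and a role without a profile gets nothing (fail closed).
    """
    if purpose in FULL_RECORD_PURPOSES:
        return dict(record)
    if role not in ROLE_FIELDS:
        raise PermissionError(f"no minimum-necessary profile for role {role!r}")
    allowed = ROLE_FIELDS[role]
    return {k: v for k, v in record.items() if k in allowed}


def withheld_fields(record: dict, role: str, requested: list,
                    purpose: Optional[str] = None) -> list:
    """Fields a request asked for that the role does not receive.

    This is what the monitoring the policy calls for should log: a role that
    keeps asking for fields outside its profile means the profile, or the
    request, needs review.
    """
    view = minimum_necessary_view(record, role, purpose)
    return sorted(f for f in requested if f not in view)


SAMPLE_RECORD = {  # constructed sample, not real data
    "name": "Jane Example", "phone": "919-555-0100",
    "account_number": "ACCT-5521", "health_plan_beneficiary_number": "HP-9001",
    "admission_date": "2003-03-02", "discharge_date": "2003-03-05",
    "age": 43, "diagnosis": "hypertension",
}

if __name__ == "__main__":
    print(sorted(minimum_necessary_view(SAMPLE_RECORD, role="scheduler")))
    print(withheld_fields(SAMPLE_RECORD, "quality_analyst", ["name", "diagnosis"]))
```

The filter belongs at the data-access layer, not in each screen, so that every report, export and API path through the application inherits the same profile.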

45 POLICY: RESEARCH
The DHHS Research Policy Requires HCCs and Internal Business Associates:
- To disclose IIHI only after the client has signed an authorization for this type of disclosure.
- If research includes treatment, the researcher may condition the provision of the treatment on the receipt of written client authorization for use and disclosure of IIHI for such research.
- De-identified data must be used wherever possible. Similarly, use of a Limited Data Set must be considered as well.
- Use of Limited Data Sets requires a Data Use Agreement between the DHHS agencies disclosing the data and the researcher.

46 POLICY: MARKETING AND FUNDRAISING
The DHHS Marketing and Fundraising Policy Provides Guidelines to HCCs and Internal Business Associates Concerning These Activities.
Marketing: Making a communication about a product or service for the purpose of encouraging recipients of the communication to purchase or use the product or service.
What is not marketing:
- Communications about government-sponsored programs (Medicare, Medicaid, or NC Health Choice).
- Communications about health products/services provided by or covered by the HCC's health plan.
- Case Management and Care Coordination.

47 POLICY: MARKETING AND FUNDRAISING
DHHS Marketing and Fundraising Policy (cont'd)
A written authorization must be obtained from the client prior to:
- Disclosing IIHI to Business Associates or third parties for the marketing purposes of the party receiving the IIHI.
- Selling of client/enrollee lists to a third party for the marketing purposes of the party buying the IIHI.
HCCs may use IIHI to market their own or third-party health products/services if the marketing:
- Discloses that the HCC is the source of the marketing.
- Discloses any payment/benefit received from the third party whose products/services are being marketed.
- Contains information on how to 'opt out' of receiving future marketing, unless the marketing is part of a general communication such as a newsletter.
HCCs can use Business Associates to send marketing for the HCC, provided that the Business Associate Agreement specifies that the IIHI will be used by the Business Associate only for the HCC communication.

48 POLICY: MARKETING AND FUNDRAISING
DHHS Marketing and Fundraising Policy (cont'd)
Fundraising: Solicitation for the purpose of raising funds to benefit a HCC or Internal Business Associate.
- HCCs must obtain a written authorization from a client prior to using the client's health status as a basis for targeting that client for fundraising activities.
- HCCs may disclose the following IIHI without client authorization to Business Associates and institutionally related foundations for the purposes of fundraising on behalf of the HCC: demographic information; dates health care was provided to the client.
- Fundraising materials must contain information on how the recipient can 'opt out' of future fundraising communications.
- HCCs must make reasonable efforts to comply with opt out requests.

49 POLICY: NOTICE OF PRIVACY PRACTICES
The DHHS Notice of Privacy Practices Policy Requires HCCs:
- To develop an agency Notice of Privacy Practices using the DHHS Notice template (located at ) to describe the uses and disclosures of IIHI that may be made by the agency, and that notifies individuals of their rights and the agency's legal duties with respect to IIHI.
- To provide the Notice to clients (except inmates) applying for or receiving agency services. Electronic Notices may be sent, as long as the individual receives a paper copy upon request.
- To provide the Notice to any individual upon request, even if the individual is not an agency client.
- To post the Notice in prominent locations where it will be viewed by clients and on public agency web sites.

50 POLICY: CLIENT PRIVACY RIGHTS
The DHHS Client Rights Policy Requires HCCs and Internal Business Associates That Serve Clients To Establish and Implement Procedures That Ensure the Following Rights of Clients:
- Right to confidential communications of IIHI, including the right of the client to request alternative locations and methods for communications.
- Right to adequate notice of use and disclosure of IIHI.
- Right to obtain paper Notice after receiving an electronic copy.
- Right to request access (inspect, copy) to IIHI within a Designated Record Set as defined by the HCC.
- Right to request amendment (changing, adding, deleting) of IIHI within a Designated Record Set as defined by the HCC.
- Right to request privacy restrictions for IIHI.
- Right to access a contact person concerning privacy complaints.

51 POLICY: PERSONAL REPRESENTATIVES
The DHHS Personal Representatives Policy Requires HCCs and Internal Business Associates To recognize individuals authorized by the courts or by state or federal law to act on behalf of DHHS clients regarding their IIHI.

52 POLICY: DESIGNATED RECORD SETS
The DHHS Designated Record Sets Policy Requires HCCs and Internal Business Associates To define the records to which DHHS clients can request access or amendment.
Designated Record Sets can include:
- Client medical and billing records maintained by or for a covered health care provider
- Employee health records that are maintained separately from personnel records
- The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
- Categories of records that are used, in whole or in part, to make decisions about clients.
Records created by Business Associates must be considered when defining Designated Record Sets.

53 AGENCY PRIVACY PROCEDURES
Training on Individual Privacy Policies and Agency Privacy Procedures Will Be Provided As Necessary.

54 NON COMPLIANCE WITH PRIVACY
What Should You Do If You Notice a Co-worker Not Following a DHHS Privacy Policy?
- Contact your Supervisor immediately!
- If your Supervisor is not available, contact your agency Privacy Official or the DHHS Privacy Officer.

55 PRIVACY IMPACTS TO APPLICATIONS/SYSTEMS
What To Do When You Receive a Request for a New System or System Enhancement

56 PRIVACY IMPACTS TO SYSTEMS
Privacy Requirements Also Impact How You Approach Requests for New Systems and System Enhancements. The Requirements Definition Guide for Applications with IIHI (coming soon, to be posted at ) will assist you in identifying privacy impacts to enhancement/new system requests for systems containing IIHI.

57 PRIVACY IMPACTS TO SYSTEMS
The Requirements Definition Guide for Applications with IIHI Will Guide You Through the Following Steps:
- Identifying requests for systems that contain IIHI.
- Identifying existing application-level privacy capabilities and related security features.
- Identifying network or infrastructure-level privacy features that provide application privacy protection.
- Identifying user requirements to be developed for user/role access standards.
- Identifying application screen views, files, and report outputs that contain IIHI and will be accessed by users.

58 PRIVACY IMPACTS TO SYSTEMS
Requirements Definition Guide for Applications with IIHI Steps (cont'd)
- Performing Gap Analysis of current/proposed privacy/security features against the HIPAA Privacy requirements.
- Based on Gap Analysis results, identifying additional application-level privacy capabilities and related security features that will be needed to comply with the HIPAA Privacy requirements.
- Conducting Risk Assessment by identifying risks, prioritizing, and making a cost/benefit determination that will assist your business client in prioritizing HIPAA changes to the system/enhancement request.

59 QUESTIONS

60 QUESTIONS?
What Should You Do If You Have Questions Concerning Privacy or Agency Privacy Procedures?
- Consult the Agency Privacy Procedures.
- Consult the DHHS Privacy Policies, published at
- Ask your Supervisor.
- Ask the Agency Privacy Official.

61 TEST YOUR PRIVACY KNOWLEDGE

62 PRIVACY TRAINING TEST
Please Print and Take the Attached Privacy Test. Return Your Completed and Signed Test To Your Supervisor. Your Test Results Will Be Maintained By the Agency Privacy Official.

63 CONFIDENTIALITY AGREEMENT
Please Print and Sign the Attached Confidentiality Agreement and Give to Your Supervisor. Your Signed Confidentiality Agreement Will Be Kept in Your Employee File.

