
HIPAA/Privacy: Our Responsibilities


HIPAA Timeline
– 8/21/96 HIPAA enacted
– 12/28/00 “Final” Privacy Rule published
– 7/06/01 Privacy Rule guidance issued
– 4/14/02 Privacy Rule effective date (postponed from Feb. 26)
– 8/14/02 Amended “Final” Rule published
– 12/3/02 Privacy Rule guidance issued
– 4/14/03 Privacy Rule compliance date
– 2/20/03 Final Security Rule published
– 4/20/05 Security Rule compliance date
– 2/16/06 Final Enforcement Rule published
– 2/17/09 HITECH Act enacted
– 4/17/09 Breach Notification guidance issued
– 8/24/09 Breach Notification Interim Final Regulation published
– 10/29/09 HITECH Act Enforcement Interim Final Rule published
– 1/25/13 Final Omnibus Rule published
Copyright 2013 Merten/Ali

What is HIPAA?
– HIPAA: Health Insurance Portability and Accountability Act
– Sets the standard for protecting health information
– Addresses uses and disclosures of Protected Health Information (PHI)
– As health care providers, we fall under this rule (Covered Entity)
– Balance between using the information to provide care and protecting the privacy of those seeking care

HIPAA Basics
– Security: requirements for administrative, physical, and technical safeguards to assure data integrity, confidentiality and availability
– Privacy Rules
– Goal: improve the efficiency and effectiveness of electronic information transfers used in the provision, management and financing of health care in the U.S.

Basic Rules
– A Covered Entity may not use or disclose protected health information (PHI), except as otherwise permitted or required
  – “Use” means any sharing, examination, employment or application of PHI within a Covered Entity
  – “Disclosure” means any transaction, provision of, access to, or divulging of PHI outside a Covered Entity

What is HITECH?
– Extends the reach of the HIPAA Privacy and Security Rules
– Effective 2/2010 – applies directly to Business Associates (BAs)
– Imposes breach notification requirements on Covered Entities and Business Associates
– Limits certain uses and disclosures of PHI
– Increases individuals’ rights related to PHI
– Increases enforcement and penalties for privacy and security violations
– Significant Harm Standard

The Final Omnibus Rule
– Increased liability for Business Associates
– Stronger limitations on the use/disclosure of PHI for marketing and fundraising purposes
– Patients have the right to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment when the patient is self pay
– Expansion of patient rights to be amended in the Notice of Privacy Practices
– Changes to the breach notification rule
– Flexibility with a decedent’s PHI

What is PHI?
– 18 Patient Identifiers

Individually Identifiable Health Information
– PHI also includes anything that can be individually identifiable
  – Individual’s past, present, future physical or mental health condition
  – Past, present, future payment for the provision of health care
  – Anything that can reasonably identify the patient

Now that we know what PHI is… When can we actually use/disclose PHI?

Permitted Uses and Disclosures
– To the individual
– Treatment, Payment, Operations
– Opportunity to agree or object (e.g., individual is incapacitated, emergency situations): exercise professional judgment as to the best interest of the individual
– Incidental use/disclosure
– Minimum necessary
– Public Interest (e.g., reporting child abuse)
– Limited Data Sets for research, public health, health care operations

Permitted Uses & Disclosures of PHI
Basic rules:
– Must make a “good faith” effort to obtain the patient’s acknowledgement of the Notice of Privacy Practices
– Must obtain Authorization for most other uses and disclosures
– Special rules to use PHI for research

Permitted Uses & Disclosures of PHI
Disclosures permitted without Authorization:
– Public health activities
– Reporting child abuse
– Reporting other abuse, neglect, domestic violence, etc.
– Health oversight activities
– Judicial and administrative proceedings
– Law enforcement purposes
– Otherwise required by law

Permitted Uses & Disclosures of PHI
Disclosures permitted without Authorization (cont’d):
– Decedents: funeral directors, coroners, and medical examiners
– Cadaveric organ, eye, tissue donation
– Research: waiver of Authorization approved by an IRB or a Privacy Board
– Serious threat to health or safety
– Government functions: Armed Forces, national security, correctional institutions
– Workers’ compensation

When Do You Need An Authorization?
– Psychotherapy Notes
– Marketing
– Fundraising

Minimum Information Necessary
– A Covered Entity must reasonably ensure that it does not request, use or disclose more than the minimum amount of PHI necessary
– Generally may not disclose the entire medical record, except to providers for treatment
– Develop criteria to limit disclosures
– Review requests for disclosures on an individual basis
– Use standard protocols for recurring requests
– Identify which members of the work force require which items of PHI and limit access accordingly

Exceptions to Minimum Necessary Requirement
– Providers for treatment purposes (disclosure and request, but not use)
– Individual patient request
– Authorization
– Required by law
– HHS for compliance purposes


Disclosures for Use by Another Covered Entity
– A Covered Entity is permitted to disclose PHI to a second Covered Entity:
  – For payment activities of the second Covered Entity (in addition to treatment)
  – If both have a relationship (current or past) with the patient, may disclose PHI for certain health care operations (quality assessment and improvement, fraud and abuse detection, developing protocols, case management, evaluating performance, training, accreditation, credentialing, licensing, etc.)

Incidental Uses & Disclosures
– Uses and disclosures that are “incidental” to an otherwise permitted use or disclosure are permissible if the Covered Entity has:
  – Complied with the minimum necessary standard, and
  – Adopted reasonable administrative, technical and physical safeguards

Incidental Uses & Disclosures
– An incidental use or disclosure is a secondary use or disclosure that:
  – Cannot reasonably be prevented,
  – Is limited in nature, and
  – Occurs as a by-product of an otherwise permitted use or disclosure
– The following incidental uses and disclosures (assuming the Covered Entity otherwise complies with the Privacy Rule) would be permitted:
  – Confidential communication between providers is overheard by an unauthorized person
  – Discussion of lab results with a patient or other provider in a joint treatment room
  – Oral coordination of services at a hospital nursing station

Incidental Uses & Disclosures
– Permissible incidental uses or disclosures do not include:
  – Uses or disclosures that result from a failure to apply reasonable safeguards or the minimum necessary standard (for example, using a waiting room sign-in sheet to obtain a patient’s health history)
  – Errors that result from mistake or neglect (for example, posting a patient’s PHI erroneously on the provider’s website, or sending PHI to the wrong person by e-mail)

Common HIPAA Issues
– Access of protected health information (PHI) for purposes other than treatment, payment or operations
– Inappropriate sharing of PHI
– Accidental disclosures
– Social Media


Misdirected Faxes – OCR Recommended Checklist
– Carefully check the fax number to make sure you have the correct number for the intended recipient. When you manually enter the number, check to see that it has been entered correctly before sending.
– Confirm the fax number with the intended recipient when faxing to this party for the first time or if the fax number is not regularly used.
– Program regularly used numbers into fax machines. Check to make sure you are selecting the preprogrammed number for the correct party before sending.
– Update fax numbers promptly upon receipt of notification of correction or change. Have procedures for deleting outdated or unused numbers which are preprogrammed into the fax machine.
– Locate fax machines in areas where access can be monitored and controlled, and avoid leaving patient information on fax machines after sending.
– Have policies and procedures in place to safeguard PHI that is faxed, including processes to act promptly on (1) changes in fax numbers, to ensure corrections are made in all the relevant records; and (2) reports of a misdirected fax, to identify the cause and take steps to prevent future incidents, including revising the organization’s policies and procedures.
– Train staff on the policies and procedures for the proper use of fax machines that your organization has put into place to safeguard PHI during faxing. Update the training periodically and be sure to train new staff.

Common Misconceptions
– Misdirected faxes from one corporate site to another are NOT a breach
  – Remember Treatment, Payment, Operations
– The Privacy Office should be notified of any potential breaches
  – Determine risk and level of harm

Patient Rights and HIPAA

Notice of Privacy Practices
– An individual has a right to adequate notice of the uses and disclosures of PHI
– The notice should describe the individual’s rights and the covered entity’s legal duties with respect to PHI
– The covered entity must provide a notice that is written in plain language and that contains the following elements:
  – Uses and disclosures
  – Statements for certain uses or disclosures
  – Individual rights
  – Covered entity’s responsibilities
  – Complaints, contact information and effective date
  – State law preemptions

Patient Rights/Requests
– Access
– Accounting of disclosures
– Alternate/confidential communications
– Amendment
– Restrictions
– Filing a complaint

Access
– An individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set, except for:
  – Psychotherapy notes;
  – Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
  – PHI maintained by a covered entity that is subject to the Clinical Laboratory Improvements Amendments of 1988
– A covered entity may deny an individual access, without providing the individual an opportunity for review, in the following circumstances:
  – A covered entity that is a correctional institution, or a covered health care provider acting under the direction of the correctional institution
  – An individual’s access to PHI created or obtained by a covered health care provider in the course of research that includes treatment

Access
– Timely response
  – The covered entity must respond to a request for access no later than 30 days after receipt
  – If the request for access is for PHI that is not maintained or accessible to the covered entity on-site, the covered entity may request an extension by no later than 60 days from the receipt of such a request
– The covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
  – Copying, including the cost of supplies and labor of copying, whether in paper or electronic form;
  – Supplies for creating the paper copy or electronic media, if the individual requests that the electronic copy be provided on portable media;
  – Postage, when the individual has requested that the copy, or the summary or explanation, be mailed;
  – Preparing an explanation or summary of the PHI, if agreed to by the individual
Source: §164.524

Accounting of Disclosures
– An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
  – To carry out treatment, payment and health care operations
  – To individuals of PHI about themselves
  – Incident to a use or disclosure otherwise permitted or required
  – Pursuant to an authorization
  – For the facility’s directory or to persons involved in the individual’s care
  – For national security or intelligence purposes
  – To correctional institutions
  – As part of a limited data set
  – That occurred prior to the compliance date for the covered entity

Accounting of Disclosures
– Timely response
  – The covered entity must act on the individual’s request for an accounting no later than 60 days after receipt of such a request
  – If the covered entity is unable to provide the accounting within the time required, the covered entity may extend the time to provide the accounting by no more than 30 days
– Fees
  – The covered entity must provide the first accounting to an individual in any 12 month period without charge
– Suspension of an accounting
  – The covered entity must temporarily suspend an individual’s right to receive an accounting of disclosures to a health oversight agency or law enforcement official, if the agency or official provides a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities

Accounting of Disclosures
– The covered entity must provide the individual with a written accounting that meets the following requirements:
  – The date of the disclosure
  – The name of the entity or person who received the PHI and, if known, the address of such entity or person
  – A brief description of the PHI disclosed; and
  – A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or
Source: §164.528

Alternate/Confidential Communications
– A covered health care provider must permit individuals to request, and must accommodate reasonable requests by individuals, to receive communications of PHI from the covered health care provider by alternative means or at alternative locations
– A covered entity may require the individual to make a request in writing
– A covered health care provider may not require an explanation from the individual
Source: §164.522(b)

Amendment
– An individual has the right to have a covered entity amend PHI or a record about the individual in a designated record set
– A covered entity may deny an individual’s request for amendment if it determines that the PHI:
  – Was not created by the covered entity
  – Is not part of the designated record set
  – Would not be available for inspection
  – Is accurate and complete
– Timely response
  – The covered entity may require individuals to make requests for amendment in writing
  – The covered entity must act on the individual’s request for an amendment no later than 60 days after receipt
  – If the covered entity is unable to act on the amendment within the time, the covered entity may extend the time for such action by no more than 30 days
Source: §164.526

Restrictions
– Existing Restriction requirements:
  – A covered entity must permit an individual to request that the covered entity restrict: uses or disclosures of PHI about the individual to carry out treatment, payment, or health care operations; and uses and disclosures for involvement in the individual’s care and notification purposes
  – A covered entity is not required to agree to a restriction
  – A covered entity that agrees to a restriction may not use or disclose PHI in violation of such restriction
  – If restricted PHI is disclosed to a health care provider for emergency treatment
– HITECH Restriction amendments:
  – A covered entity must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if: the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the covered entity in full
Source: §164.522(a)

Filing a Complaint
– A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures
– Methodologies:
  – Facilities
  – Website
  – Privacy Office
  – Toll free number
– A covered entity must document all complaints received, and their disposition, if any
– A covered entity must refrain from intimidating or retaliatory acts against any individual for:
  – Filing of a complaint with the covered entity
  – Filing of a complaint with the Secretary of the DHHS
Source: §164.530(g)

Uses & Disclosures Requiring Opportunity for Individual to Agree or Object (“Opt-in; Opt-out”)
– Facility directories
  – Name, location in facility, general condition, religious affiliation
  – Emergency exception
– Family members or others involved with the individual’s care or treatment
  – If the individual is present: inferences permitted
  – If the individual is not present: professional judgment as to the best interest of the patient

Contemporary Challenges
– Laptops
– Smartphones
– Email
– Texting

New & Emerging Technologies
– Social media
  – A social networking website focuses on building online communities of people who usually share interests and/or activities
  – Confidential/sensitive patient information
– Cloud
  – Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid
  – Public, private, hybrid
– Bring your own device (BYOD)
  – Refers to employees who bring their own computing devices, such as smartphones, laptops or tablets, to the workplace for use and connectivity on the corporate network
  – Segregation of data (personal vs. work)
– Texting

Now that we know what PHI is… What can we do to protect PHI?

What is the Employee’s Role?
– Protect Patient Privacy
  – Double check files
  – Compare patient identifiers
  – Minimum necessary
  – Use low voices in hallways and reception area
– Protect Patient Rights
  – NPPs, Restrictions, Disclosures, Access, Communications
– Social Media Awareness
– HIPAA Awareness
  – Use resources
  – Make good faith efforts
  – Obtain authorizations
  – Notify manager

What is the Role of the Privacy Office?
– To determine if a breach exists and if there is significant harm
– To answer your questions
– To educate/train associates
– Create awareness

Elements of a Program – Best Practices
Seven Elements of an Effective Compliance Program | HIPAA Privacy Program
– Establish policies, procedures and controls | Policies, procedures and governance
– Exercise effective oversight | Privacy Official/Office designation
– Exercise due diligence to avoid delegation of authority to unethical individuals | Complaint processing
– Communicate and educate employees on the program | Training and education
– Ensure consistent enforcement and discipline of violations | Sanctions
– Monitor and audit compliance and effectiveness | Internal audit and accounting of disclosures
– Respond appropriately to incidents and take steps to prevent future incidents | Mitigation

Enforcement & Investigations
– The Office for Civil Rights (“OCR”)
  – Oversees enforcement of the HIPAA privacy and security rules
  – Tier thresholds and fines were changed pursuant to HITECH
  – Fines can be assessed on a daily basis until the violation is mitigated
  – Each complaint received from OCR must be thoroughly investigated
  – The covered entity is required to self report “breaches”
  – OCR has stated that they will automatically investigate breaches that involve over 500 individuals
– State Attorneys General
  – HITECH addresses the ability of State Attorneys General to investigate HIPAA violations
  – The attorney general of the State may bring a civil action on behalf of residents of the State where there is reason to believe that one or more of the residents of that State has been or is threatened or adversely affected by a violation

HHS/OCR Enforcement Data
– From the HHS website, the top four issues in investigated cases closed with corrective action between 2004 – 2010 are:
  – Impermissible Uses & Disclosures
  – Safeguards
  – Access
  – Minimum Necessary

Best Practices – OCR Audits
– HITECH requires HHS to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards
– Audit Protocol Program
  – The OCR HIPAA Audit program analyzes processes, controls, and policies of covered entities
  – The protocol serves as a “best practices” guide for every covered entity and business associate
  – http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
