
1 HIPAA The Health Insurance Portability and Accountability Act Southeastern Institute.


Slide 1: HIPAA, The Health Insurance Portability and Accountability Act (Southeastern Institute)

Slide 2: General HIPAA Information
What is HIPAA, and why was it needed?
The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Bill or Public Law 104-191, was passed on August 21, 1996.
It was needed to create rules governing administrative activities (making health care more efficient), the underwriting process of group coverage, and the standardization of electronic transmittal of billing and claims.

Slide 3: General HIPAA Information
A key part of the HIPAA act also increased and standardized the confidentiality and security of health data.
HIPAA privacy regulations require that access to patient information be limited to only those authorized, and that only the information necessary for a task be visible to them. All personal health information must be protected and kept confidential.

Slide 4: General HIPAA Information
Prior to HIPAA, there was no uniformity: rules and regulations varied from state to state, even from one health care organization to another. Now HIPAA provides a uniform level of security and records privacy throughout the country.
Compliance investigations relating to HIPAA are handled by the Office for Civil Rights, which is an office within the U.S. Department of Health and Human Services.

Slide 5: General HIPAA Information
Who must become HIPAA compliant? And what exactly is HIPAA compliance?
All health providers who meet the definition of “covered entities” must comply with the privacy and security regulations. The only exception is that mental health providers must follow special, more stringent rules.
No matter what, your healthcare firm, along with all its employees, MUST follow privacy policies.

Slide 6: Important HIPAA Terms
Protected Health Information: data that includes references that specifically identify a patient and/or their relatives, employers, or household members. There are 19 items that constitute PHI:
1. Name
2. Address
3. Phone Numbers
4. Fax Numbers
5. Dates (birth, death, discharge)
6. Social Security Numbers

Slide 7: Important HIPAA Terms
PHI (continued):
7. E-Mail Address
8. Medical Record or Chart Numbers
9. Health Plan Beneficiary Numbers
10. Account Numbers
11. Certificate or License Numbers
12. Vehicle Identification Numbers
13. Device Identifiers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) Address Numbers
16. Finger or Voice Prints
17. Full Face Photographic Images
18. Any unique identifying number, characteristic, or code
19. Patient’s Medical History

Slide 8: Important HIPAA Terms
Health Care Clearinghouse
Under HIPAA, this is “…a public or private entity that does either of the following:
Receives or processes information from an entity in either a standard (general information) or non-standard (special circumstances) content and then facilitates the information back into either a standard or non-standard data content for the receiving entity.

Slide 9: Important HIPAA Terms
Health Care Provider: anyone who provides “medical or health services” … and who transmits health information in electronic form.
Minimum Necessary: the HIPAA health insurance privacy rule also requires covered entities that disclose information to establish procedures to disclose, use or request only the minimum information necessary to accomplish the intended purpose.

Slide 10: Important HIPAA Terms
Authorization: an authorization is a customized document that gives covered entities permission to use specific personal health information for special purposes. An authorization form is detailed and specific to:
1. The permitted uses and disclosures
2. The permitted recipient
3. The personal health information that may be shared
An authorization also has an expiration date, and in some cases may state the specific purpose for health information disclosure.

Slide 11: Important HIPAA Terms
Privacy Note/Notice of Privacy Policies: each covered entity must develop a health information notice, to be made available at a patient’s request or posted in a prominent location in their office, describing how it uses and distributes health care information.
The notice must also advise that patients have the right to request restrictions on the use or distribution of records.
All patients should receive a copy as well.

Slide 12: Important HIPAA Terms
Disclosures: the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
There are several classifications of disclosures:
1. TPO (Treatment, Payment and Operations)
Penalties: civil penalties consist of a $100 fine per compliance violation per client per year, with a maximum fine of $25,000 per year per client.

Slide 13: Important HIPAA Terms
Criminal penalties for being non-compliant:
If you knowingly obtain protected health information in violation of the law, you can be fined up to $50,000 and sentenced to up to one year in prison.
If you obtain information under “false pretenses”, it climbs to a fine of up to $100,000 and up to five (5) years in prison.
Someone who obtains health information with the intent to sell, transfer, or use it for commercial purposes or personal gain can be fined up to $250,000 and sentenced to up to ten (10) years in prison.

Slide 14: Important HIPAA Terms
Routine Disclosures: these are disclosures for the purposes of Treatment, Payment and firm Operations (TPO).
Non-routine Disclosures: disclosures for reasons other than Treatment, Payment and firm Operations. The client must sign an Authorization for release of protected health information for each non-routine disclosure.
Incidental Disclosures: these are minor disclosures that are simply a part of doing business, such as calling a person’s first name in a waiting room to let them know you’re ready for them to come back.

Slide 15: Important HIPAA Terms
Permitted Disclosures: these are disclosures that covered entities are permitted, but not required, to make without patient permission. These include:
1. Emergency circumstances
2. Identification of a deceased body
3. Public health needs
4. Judicial or administrative proceedings
5. Limited law enforcement activities
6. Activities related to national defense and security

Slide 16: Important HIPAA Terms
Erring on the side of caution: since the patient data belongs to the patient and not to your office, it is best to always err on the side of caution when it comes to releasing or discussing patient information. Follow the Golden Rule of HIPAA: treat every person’s information with AT LEAST the same caution and respect you would want for your own information, if not more.

Slide 17: Patient Acknowledgement of Receipt of the Notice of Privacy Practices
Originally, patient consent forms were required. They are no longer required.
Under HIPAA’s Privacy and Security provisions, medical offices are required to give their patients a copy of the Notice of Privacy Practices and must obtain a signed and dated copy of the Patient Acknowledgement of Receipt of the Notice of Privacy Practices.
This form is filed in the patient’s chart as tangible proof of compliance. It must also be kept for 6 years after its last effective use.

Slide 18: Termination Security
In the event that an employee who has had access to any form of protected health information is terminated, all items that the employee had access to must be collected, and a security checklist must be signed by the terminated employee.
The employee will also be asked to review and sign a notice reminding them that any confidential information they had access to remains confidential.
Violation of these policies can result in serious consequences.

Slide 19: Patient Information Privacy
Patient Information Privacy is the centerpiece of the HIPAA Privacy and Security regulations.
Employees must not discuss or share protected patient data outside of the office.
Employees must not discuss or share protected patient data with employees not authorized to have access to that information.
Employees must not discuss protected patient information when unauthorized persons can overhear the conversation.
Employees must not discuss any patient information with other patients.
Employees must not leave patient records unattended in public areas of the office.
Records waiting to be updated or filed must be protected.
All uncompleted work must be locked up at the close of a business day.
Employees may access only records for which they have a legitimate, assigned business need.
Employees must not remove files or copies of files from the office.

Slide 20: Oral Discussions
Any verbal discussions with patients, relatives, or other medical personnel should be as private as possible.
Always be aware of anyone walking by who may overhear part or all of your conversation.

Slide 21: Disposal of Patient Data
Patient data that is no longer needed and/or is past the relevant storage period should be destroyed or overwritten to make certain that it is not possible for the information to be accessed again.
Handwritten notes such as phone messages and reminder slips containing protected data must be shredded as soon as they are no longer needed.
Dictation tapes containing protected information must be erased after the material is transcribed.
All unwanted paper containing protected information must be cross-shredded.
Diskettes containing protected health information or patient data must be reformatted when the data is no longer required.
Hard drives must be reformatted when an office computer is sold, or when employees no longer use it to access protected patient data.
CDs must also be destroyed if they contain protected information. This can be done by simply snapping them in half.

Slide 22: Access Control Policy
The Security Officer will be responsible for determining whether an employee may have access to patient data. These employees must:
1. Have a legitimate business need to access the data.
2. Be aware of, and agree to adhere to, HIPAA privacy policies.
3. Have signed a confidentiality or chain of trust agreement.
4. Agree absolutely not to share their account access.
Each person should have an individual password, to which their access level is tied.
The Security Officer will also be responsible for modifying a user’s access to patient data.

Slide 23: De-Identification
De-Identification is the process by which identifying information is removed from a record to make it impossible for anyone seeing the data to match it to the patient to whom the data belongs.
Always ensure that all 19 elements of Protected Health Information (PHI) have been properly removed and that any remaining identifying elements cannot be used to directly retrieve patient data from any other available source.
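As an added example (not part of the presentation), a small Python de-identification pass that drops the structured PHI fields from a record, scrubs the machine-recognisable identifier types from the slide's list (dates, phone numbers, Social Security numbers, e-mail addresses, URLs, IP addresses) out of free-text notes, and then performs the "always ensure" check before anything is released. The field names and every sample value are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Structured fields that map to items on the PHI list. These field names are
# an assumption for this example's record layout, not names from any real system.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "dob", "ssn", "email", "mrn",
    "health_plan_id", "account_no", "license_no", "vin", "device_id",
    "url", "ip", "fingerprint_id", "photo_ref",
}

# Regexes for the identifier types that can be recognised inside free text.
# Free-text names and street addresses are not reliably regex-detectable and
# are handled here only through the structured fields above.
# Order matters: SSNs are matched before phone numbers so a 3-2-4 digit
# pattern is never mistaken for a phone number.
PHI_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def scrub_text(text: str) -> Tuple[str, List[str]]:
    """Replace every recognised identifier in free text with a typed marker.

    Returns the scrubbed text and the identifier types that were hit, so the
    caller can log *what kind* of PHI was removed without logging the values.
    """
    found: List[str] = []
    for kind, pattern in PHI_PATTERNS.items():
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[REDACTED-{kind.upper()}]", text)
    return text, found


def deidentify_record(record: Dict[str, str]) -> Dict[str, str]:
    """Drop direct-identifier fields entirely, then scrub what remains."""
    cleaned: Dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # remove the field rather than leaving a blank placeholder
        cleaned[field], _ = scrub_text(value)
    return cleaned


def residual_phi(record: Dict[str, str]) -> List[Tuple[str, str]]:
    """Final check before release: (field, identifier type) pairs still present.

    An empty list means the record passed; anything else must not leave the office.
    """
    hits: List[Tuple[str, str]] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            hits.append((field, "direct-identifier-field"))
            continue
        for kind, pattern in PHI_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, kind))
    return hits


# Constructed sample record; every value below is made up for this example.
SAMPLE_RECORD = {
    "mrn": "MRN-0048213",
    "name": "Jane Q. Sample",
    "dob": "03/14/1962",
    "phone": "(555) 867-5309",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": ("Pt called 05/02/2011 from 555-867-5309, SSN 123-45-6789 on file. "
             "Portal login from 192.0.2.44; sent summary to jane.sample@example.com "
             "and https://portal.example.org/jane-sample"),
}

if __name__ == "__main__":
    released = deidentify_record(SAMPLE_RECORD)
    print(released)
    print("residual PHI:", residual_phi(released))  # expect []
```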

Slide 24: Records Processing
All protected health information, in written or electronic form, will be logged in the Records Handling Log.
Under no circumstances will ANY protected health information be transmitted without the appropriate Patient Consent form or Patient Authorization form on file, or unless the information has been de-identified.

Slide 25: Information Requests
All requests should be made and received in writing so that they can be placed in the appropriate file as documentation of the request.
Only respond to information requests when they are accompanied by a properly completed and executed Patient Consent Form or Patient Authorization Form for the specific information.
Provide only the minimum information necessary to satisfy the specific request.
Never release an entire medical record.
Verify the source of the request and make appropriate and reasonable efforts to determine the true identity of the requestor.
“Document Everything” could be described as the second rule of HIPAA. It is better to document and never need it than not to document it and need that proof later.

Slide 26: Patient Lists
During the normal course of daily activities in a health care firm, patient lists are sometimes created. HIPAA requires a firm NOT to reveal the identities of any of the patients of the practice. Certain exceptions are possible.
Any lists that are likely to be seen by those not authorized to view patient data must contain the minimum necessary amount of patient information.
Covered entities, such as doctor’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.

Slide 27: Patient Records Amendments
HIPAA says that a patient/client can amend his or her medical records. This request must be in writing, signed and dated to document the request. A legal guardian is also allowed to amend the medical record.
A decision regarding allowing the amendment shall be within business days. The practice must make a decision as to whether or not they will allow the amendment.

Slide 28: Patient Records Access
A patient can request to see or obtain a copy of his or her medical records. This request cannot be denied by the practice. The firm may make a charge for providing a copy, but the request must be promptly carried out.
The request must be in writing and signed and dated by the patient or their legal guardian.
If the request is to see the record, the patient may have immediate access within the office, business operations permitting.
Patients will be provided a place to review the records away from other patients, but a staff member shall be present while the patient is reviewing records to ensure that the record remains intact and unaltered.
If a copy of the chart is requested, the copy can be picked up in person or mailed (return receipt requested) if the patient so requests in writing.

Slide 29: Patient Record Storage and Access
Current paper files must be stored in locked file cabinets or a locking file room if they contain protected healthcare information or patient data.
Archived patient records will not reside in a general storage area except in locked file cabinets.
Patient information stored in computers will be password protected.
Backup media that contains patient information must be stored in locked cabinets.
Charts for incoming patients will be kept behind desks, away from patients and visitors.
Computer screens displaying patient data will be turned away from public areas so as not to be visible to patients or others in public areas.

