Health Insurance Portability and Accountability Act of 1996 HIPAA Health Insurance Portability and Accountability Act of 1996

Definition HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs

PHI Protected Health Information PHI protects all individually identifiable health information whether paper, oral or electronic Person’s: Past, present or future physical or mental care provided to the person The provision of health care to the individual, or The past, present, or future payment for the provision of health care to the individual

Basic Principles – Office of Civil Rights (OCR) “A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: 1) as the Privacy Rule permits or requires; or 2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.”

Required Disclosures “A covered entity must disclose protected health information in only two situations: a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and b) to HHS when it is undertaking a compliance investigation or review or enforcement action.”

Treatment/Payment Treatment is the provision, coordination or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient by one provider to another. Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.

Healthcare Operations Health care operations are any of the following activities: a) quality assessment and improvement activities, including case management and care coordination; b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; d) specified insurance functions, such as underwriting, risk rating and reinsuring risk; e) business planning, development, management and administration; and f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

Consent Obtaining “consent” (written permission from individuals to use and disclose their protected health information for treatment, payment and health care operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent. REMEMBER: Most uses and disclosures of psychotherapy notes for treatment, payment and health care operations purposes require authorization.

Safeguarding Information Papers over clipboards Computers facing away from those seeking information Tinted screens for computers so that only person directly in front can see Keeping people in line far enough away from desk not to overhear Staff talking as quietly as possible Taking patients to another area to ask questions Faxing to correct numbers Passwords for those who need access on computers Data wall for all behavioral health information

Encryption is NOT enough! Encryption does not cover an organization. According to government health IT, “Encryption involves using ‘an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key… and such confidential process or key that might enable decryption has not been breached.”

How to File a Complaint Requirements are: Complaint must be filed in writing Name of the covered entity or business associate you believe made the violation Must be listed as well as a description of what you believe was shared. Lastly, the complaint must be filed within 180 days, time may be extended if you

Anyone can file a complaint! HIPAA rule prohibits a covered entity to retaliate against your for filing a complaint You can file complaint in a variety of methods A covered entity has the responsibility to self-report an information breach

Violations and Fines The “HIPAA” police, or the department that investigates the complaints and reports is the OCR or Office of Civil Rights The American Recovery and Reinvestment Act of 2009 created a tiered penalty ladder for violations Fine for 1st time violation by someone who did not realize that they did it could be as low as $100 or as high as $50,000 The fine for willful neglect, but corrected within the required time period is from $10,000 to $50,000 The fine when the willful neglect is not corrected increases tom $10,000 to $50,000

A privacy violation is considered criminal and may lead to prosecution by the Department of Justice If you shared information on purpose - $50,000 fine and up to 1 year in jail If the violation was committed through deception, the fine is $100,000 and up to 5 years in jail If there was any personal gain through the sharing of PHI, the fine goes to $250,000 and 10 years in Prison