HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff
HIPAA BASICS
- HIPAA stands for Health Insurance Portability and Accountability Act.
- The law sets standards for the transmission of information in order to provide uniformity between the many healthcare systems.
- The law also sets strong privacy protections to protect the consumer's health information.

Enforcement Responsibility
- Centers for Medicare and Medicaid (CMS) is responsible for the security standards.
- The Department of Health and Human Services' Office of Civil Rights is responsible for the privacy rules.

Penalties for Noncompliance
The Federal government holds the agency liable for violations.
- Agency penalties: $100 - $50,000 per violation, up to $1.5 million per year; exclusion from participating with Medicare/Medicaid; and possible prison time.
- Entities contracted with Pines: $50,000 per violation, up to $1.5 million per year; exclusion from participating with Medicare/Medicaid (loss of contract with Pines); and possible prison time.
- Staff sanctions: disciplinary action up to and including termination, per policy.

Who is Subject to HIPAA?
You are if:
- You transmit health information (bills) electronically
- You receive third-party reimbursement
- You bill Medicare or Medicaid
- You receive money from Pines, which is a covered entity and subject to HIPAA rules
- You receive faxes with health information that may have been computer generated
If you serve even one consumer affected by the above, you are liable to comply with HIPAA regulations.

Three Parts to HIPAA
- Privacy Rule: establishes standards to protect the confidentiality of personal health information (PHI).
- Transaction Rule: requires compliance with standards for electronic transmission of health information (i.e. standard billing formats).
- Security Rule: sets standards related to the safeguarding of health information.

Privacy Rules
- Requires staff training on privacy rules
- Requires the designation of a privacy officer
- Requires that all consumers know how the agency discloses health information (Privacy Notices)
- Requires a clear protocol for handling complaints regarding HIPAA compliance
- Requires a "need to know" limit: only the information that needs to be known can be released, and only to those people who need to know it, with proper consent (authorization)
- Allows consumers to request an amendment to their records

HIPAA vs. Mental Health Code and/or Public Health Code
- The federal government allows state law to pre-empt HIPAA regulations if the state laws are more stringent than HIPAA.
- In many cases, the mental health code and/or public health code for substance abuse is more stringent than HIPAA.

HIV Information
- Be very careful regarding releasing HIV information. Michigan highly regulates the confidentiality of HIV information.
- A person's HIV status (positive or negative) cannot be disclosed without their express, written permission, unless medical personnel are exposed to their blood in an emergency situation.
- Be just as concerned about accidental disclosure as you are with accidental transmission.

Transactions Rules
- Applies to agencies that transmit insurance bills/claims electronically or use billing services.
- Organizations must use HIPAA-compliant software and test transactions with third-party payors.

Security Rules
- Covers every type of storage or transmission of public health information that might take place
- Requires a risk assessment to be undertaken
- Requires policies and procedures to address the security of records
- Requires staff responsibility for security policies and procedures (Security Officer)
- Requires technology security such as data backups, passwords that expire frequently, and monitoring of computer network activity
- Requires limits on physical access to equipment or locations to assure the security of information:
  - Location of fax machine
  - Screen protectors needed on computers
  - Shred receptacles available

Practical Security Steps
- Control the physical access to your building. Visitors should not be allowed to access areas in which confidential information is kept.
- Conversations involving sensitive information should not occur where they can be overheard.
- Sensitive documents should not be left in view.
- Sensitive telephone conversations should not be conducted where they can be overheard.
- Processes should be in place to assure that incoming faxes are safeguarded.
- Computers should be positioned so that confidential information cannot be seen by others.
- Passwords are meant to secure information. They should be hard to guess and not shared.
- Portable computers (laptops, flash drives, PDAs, etc.) should be kept secure. Avoid keeping sensitive information on them if they need to leave the office.
- E-mail is not under your control once you push send. Make sure messages have a confidential-information notice at the end, and the rule of thumb should be to never include sensitive information in e-mail if using the internet.

Common Breaches
- E-mailing consumer names or other protected health information across the internet
- Giving out more information than minimally necessary
- Discussing consumer information where others can hear
*New regulations regarding breaches of information were created for citizen protection; see next slide.

HITECH: Expansion of HIPAA
American Recovery and Reinvestment Act (Stimulus Package): HIPAA Breach Notification Rule
- Breach: the acquisition, access, use or disclosure of unsecured PHI
- Determine whether a breach occurred based on an assessment of the financial, reputational or other risk of harm to the individual
- If a breach is determined, the individual must be notified within 60 days. If more than one, you may need to notify the media.
- Annually, breach logs must go to HHS, and a client may ask to view their personal disclosure log.
- All disclosures of PHI must be tracked and provided upon request to a client.
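The slide above lists three record-keeping duties that lend themselves to a single log: every disclosure of PHI is tracked, a client can ask for the accounting of their own disclosures, and any disclosure assessed as a breach starts the 60-day individual notification clock and goes into the annual breach log for HHS. The following is an added example, not part of the Pines presentation: a minimal disclosure-accounting log that records disclosures, applies the harm-risk assessment the slide describes (unsecured PHI plus financial, reputational or other harm), computes the notification deadline, and reports overdue notifications. The `DisclosureLog` API, client IDs, dates and recipients are all constructed for illustration; the media-notification threshold is deliberately left out.

```python
"""Added example: a PHI disclosure-accounting log with breach tracking.
Names, dates and the class API are constructed for illustration only."""

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTIFY_WITHIN_DAYS = 60  # individual notification window stated on the slide


@dataclass
class Disclosure:
    client_id: str
    disclosed_on: date
    recipient: str
    purpose: str              # e.g. treatment, payment, operations, error
    phi_description: str
    unsecured: bool = False   # PHI was not protected (e.g. sent unencrypted)
    breach: bool = False      # set by the harm-risk assessment
    harm_basis: Optional[str] = None
    notified_on: Optional[date] = None

    @property
    def notify_by(self) -> Optional[date]:
        """Deadline for notifying the individual once a breach is determined."""
        if not self.breach:
            return None
        return self.disclosed_on + timedelta(days=NOTIFY_WITHIN_DAYS)


@dataclass
class DisclosureLog:
    entries: List[Disclosure] = field(default_factory=list)

    def record(self, d: Disclosure) -> Disclosure:
        """Every disclosure of PHI is tracked, whether routine or accidental."""
        self.entries.append(d)
        return d

    def assess_breach(self, d: Disclosure, financial: bool = False,
                      reputational: bool = False, other: Optional[str] = None) -> bool:
        """Harm-risk assessment: unsecured PHI carrying financial,
        reputational or other harm risk is treated as a breach."""
        reasons = []
        if financial:
            reasons.append("financial")
        if reputational:
            reasons.append("reputational")
        if other:
            reasons.append(other)
        d.breach = d.unsecured and bool(reasons)
        d.harm_basis = ", ".join(reasons) if d.breach else None
        return d.breach

    def accounting_for(self, client_id: str) -> List[Disclosure]:
        """The personal disclosure log a client may ask to view."""
        return sorted((e for e in self.entries if e.client_id == client_id),
                      key=lambda e: e.disclosed_on)

    def annual_breach_log(self, year: int) -> List[Disclosure]:
        """Breach entries for the annual report to HHS."""
        return [e for e in self.entries if e.breach and e.disclosed_on.year == year]

    def overdue_notifications(self, today: date) -> List[Disclosure]:
        """Breaches whose 60-day individual notification has not been sent."""
        return [e for e in self.entries
                if e.breach and e.notified_on is None and today > e.notify_by]


def demo() -> Dict[str, object]:
    """Constructed sample entries showing the log in use."""
    log = DisclosureLog()
    routine = log.record(Disclosure("C-1001", date(2015, 3, 2), "Payer X",
                                    "payment", "claim for February visit"))
    leak = log.record(Disclosure("C-1001", date(2015, 3, 10), "unknown internet recipient",
                                 "error", "names and diagnosis in unencrypted e-mail",
                                 unsecured=True))
    log.record(Disclosure("C-2002", date(2015, 4, 1), "Referring clinic",
                          "treatment", "progress note"))
    log.assess_breach(routine, financial=True)    # secured disclosure: not a breach
    log.assess_breach(leak, reputational=True)    # unsecured + harm risk: breach
    return {
        "client_1001_count": len(log.accounting_for("C-1001")),
        "routine_is_breach": routine.breach,
        "leak_is_breach": leak.breach,
        "leak_notify_by": leak.notify_by.isoformat(),
        "breaches_2015": len(log.annual_breach_log(2015)),
        "overdue_on_2015_05_09": len(log.overdue_notifications(date(2015, 5, 9))),
        "overdue_on_2015_05_10": len(log.overdue_notifications(date(2015, 5, 10))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the point of tracking everything rather than only breaches: the routine payment disclosure is in the client's accounting but never becomes a breach because the PHI was secured, while the unencrypted e-mail is both logged for the client and flagged with a notification deadline of 9 May 2015, 60 days after it was sent.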

Documenting and Reporting HIPAA Complaints
- Staff: report to the Pines Recipient Rights Officer (Norma Wojack) or to the Privacy Officer (Cathie Sutton).
- Providers: report to your supervisor or other internal personnel responsible for ensuring compliance with HIPAA.