The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information security and privacy standards to support the increased use of electronic patient information. (Public Law )Signed August 21, 1996 WHAT IS HIPAA?
Who must comply with HIPAA? All health plans, all health care clearing houses, and health care providers that transmit standard transactions in electronic formats. These organizations are known as ‘covered entities’. (Standard transactions are: health care claim; health care eligibility/benefit inquiry; health care eligibility/benefit information; health care services review information; health claim status inquiry; health claim status response; benefit enrollment and maintenance; claim payment and remittance advice; premium payments; first report of injury; health claim attachments)
Is SHFC a Covered Entity? Does Shepherd’s Hand bill or receive payment for health care? NO Shepherd’s Hand is not a Covered entity. YES If YES the provider is considered a covered entity. Are any covered transactions sent electronically?
Legal Requirements for SHFC Although Shepherd’s Hand is under no legal requirement to be HIPAA compliant out of respect for our patients privacy and an obligation to secure patients health information all volunteers and staff will be responsible for knowing and understanding the Privacy and Security Policies of the clinic as guided by the HIPAA Privacy and Security Rule. Although Shepherd’s Hand is under no legal requirement to be HIPAA compliant out of respect for our patients privacy and an obligation to secure patients health information all volunteers and staff will be responsible for knowing and understanding the Privacy and Security Policies of the clinic as guided by the HIPAA Privacy and Security Rule. All volunteers will be required to sign a confidentiality agreement and an agreement to comply with SHFC policies. All volunteers will be required to sign a confidentiality agreement and an agreement to comply with SHFC policies.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The HIPAA Privacy Rule
Protected Health Information (PHI) The privacy rule protects health information that is individually identifiable to an individual (i.e. name; address; phone numbers; SSN; DOB; etc) The privacy rule protects health information that is individually identifiable to an individual (i.e. name; address; phone numbers; SSN; DOB; etc) PHI is health information that relates to past, present, or future physical or mental health condition. PHI is health information that relates to past, present, or future physical or mental health condition.
SHFC Privacy Policy SHFC volunteers will operate under the ‘minimum necessary standard’ which expects people to use only the information they need to perform their role at the clinic. This includes face to face interaction as well as information contained in the individual’s medical record. SHFC volunteers will operate under the ‘minimum necessary standard’ which expects people to use only the information they need to perform their role at the clinic. This includes face to face interaction as well as information contained in the individual’s medical record. All face to face conversation with an individual that addresses PHI needs to happen in a private area. All face to face conversation with an individual that addresses PHI needs to happen in a private area. The hallway outside of the exam rooms and the area around the pharmacist and coordinator need to be clear of people waiting. The hallway outside of the exam rooms and the area around the pharmacist and coordinator need to be clear of people waiting.
SHFC Privacy Policy cont. Medical records need to be protected in the public clinic area by being placed face down – other people should never have access to someone’s medical record or our nightly logs. Medical records need to be protected in the public clinic area by being placed face down – other people should never have access to someone’s medical record or our nightly logs. All medical records will be stored in a locked area. All medical records will be stored in a locked area. All garbage with PHI will be shredded. All garbage with PHI will be shredded. PHI should not be disclosed over the phone unless talking to the individual or with permission to leave a message documented in the medical record. PHI should not be disclosed over the phone unless talking to the individual or with permission to leave a message documented in the medical record.
When can SHFC disclose PHI SHFC may use PHI for the purposes of treatment and health care operations. SHFC may use PHI for the purposes of treatment and health care operations. Treatment means the provision, coordination, or management of health care by one or more health care providers, including consultation between providers and patient referrals. Treatment means the provision, coordination, or management of health care by one or more health care providers, including consultation between providers and patient referrals. Health Care Operations are administrative, financial, legal and quality improvement activities Health Care Operations are administrative, financial, legal and quality improvement activities
When does SHFC need authorization from the patient? An authorization is a detailed document that gives SHFC permission to use PHI for specified purposes which are general other than treatment or health care operations or to disclose PHI to a third party specified by the individual. An authorization is a detailed document that gives SHFC permission to use PHI for specified purposes which are general other than treatment or health care operations or to disclose PHI to a third party specified by the individual.
What about friends and family? SHFC will release PHI to friends and family members only with the individuals verbal permission if asking the individual in person or in writing if the individual is not present. SHFC will release PHI to friends and family members only with the individuals verbal permission if asking the individual in person or in writing if the individual is not present. Any release of PHI to friends and family should be documented in the individuals health record. Any release of PHI to friends and family should be documented in the individuals health record.
Notice of Privacy Practices SHFC is not required by law to provide every patient with a notice of our privacy practices. SHFC is not required by law to provide every patient with a notice of our privacy practices. If a patient requests a copy of our privacy policy this should be provided. If a patient requests a copy of our privacy policy this should be provided.
The HIPAA Security Rule The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
SHFC Security Policy For SHFC the only electronic PHI is in the form of faxes, and links to hospitals electronic records accessed for laboratory and radiology results. For SHFC the only electronic PHI is in the form of faxes, and links to hospitals electronic records accessed for laboratory and radiology results. Only authorized people with personal passwords will be allowed to log on to North Valley Hospital and Kalispell Regional Medical Center sites to retrieve results Only authorized people with personal passwords will be allowed to log on to North Valley Hospital and Kalispell Regional Medical Center sites to retrieve results
SHFC Security Policy cont. All PHI information that is transmitted by FAX will include a cover sheet with the following statement: This transmission contains confidential information belonging to the sender that is legally privileged and confidential. This information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of the documents is strictly prohibited. If you received this transmission in error please notify the sender immediately. All PHI information that is transmitted by FAX will include a cover sheet with the following statement: This transmission contains confidential information belonging to the sender that is legally privileged and confidential. This information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of the documents is strictly prohibited. If you received this transmission in error please notify the sender immediately. Received FAXs will be removed in a prompt manner and placed in a secure area. Received FAXs will be removed in a prompt manner and placed in a secure area.
CONFIDENTIALITY As a volunteer of SHFC you will be expected to sign a confidentiality agreement and that you understand and agree to comply with our Security and Privacy Policies. The agreement is available for you to print out on the volunteer page of the website or you can get a copy at the clinic. We ask that you turn in your signed agreement so that we can keep it on file. This will be an annual process. Please contact Meg with questions or concerns.