1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006

2 Privacy and Confidentiality have always been important ethical considerations in any healthcare environment. Introduction

3 The U.S. Government has set laws in place to make sure that privacy and confidentiality are followed Privacy Confidentiality HIPAA

4 What is HIPAA? Health Insurance Portability and Accountability Act Health Insurance Portability and Accountability Act –Law enacted in 1996 –Privacy Rule in 2003 –Security Rule in 2005 Health Plans, Clearing Houses Health Plans, Clearing Houses and Healthcare Providers must comply

5 Or else be hit with Federal penalties!!! Or else be hit with Federal penalties!!!

6 These penalties can be either civil ranging up to $25,000 or criminal ranging up to $250,000 or prison sentences up to 10 years

7 Patient Rights Under HIPAA Gives patients more control over their health information Gives patients more control over their health information Protects patients health information and any information that could identify the patient. Protects patients health information and any information that could identify the patient. Gives conditions on how health information may be released. Gives conditions on how health information may be released. Requires providers to safeguard health information whether it is verbal, written or electronic. Requires providers to safeguard health information whether it is verbal, written or electronic.

8 HIPAA defines patient information as Protected Health Information (PHI) Name Name Address Address Relatives Relatives Employers Employers Birth Date Birth Date Telephone Telephone Fax Number Fax Number Social Security # Social Security # License Number License Number Health Plan Number Health Plan Number Medical Record Number Medical Record Number Finger/Voice Prints Finger/Voice Prints Internet Address Internet Address Address Address Vehicle Serial Number Vehicle Serial Number

9 Privacy Principles What does HIPAA require Providers to do? What does HIPAA require Providers to do? –Develop policies and procedures –Educate employees –Give patients a copy of the Notice of Privacy Practices –Create a new authorization form –Develop “safeguards” for protecting information –Designate a Privacy Officer and Security Officer

10 Privacy Principles Notice of Privacy Practices (NPP) Notice of Privacy Practices (NPP) –Given to the patient upon registration –Describes how information may be used and disclosed –Responsibility to safeguard information –Patient should “acknowledge” the receipt of Notice –Outlines Patients Rights under HIPAA

11 Privacy Principles Patient’s Health Information Rights Patient’s Health Information Rights –Restrict use and disclosure –Inspect and copy the record –Add an amendment to the record –Know what information was released for other purposes –Complain about health information practices

12 Ways to Protect Confidentiality Confidential communications Confidential communications Guidelines for Telephone Use Guidelines for Telephone Use Fax policy Fax policy Using Records and Other Information Using Records and Other Information –Patient Authorization –T-P-O Treatment, Payment, Operations

13 Ways to Protect Confidentiality The Minimum Necessary Standard The Minimum Necessary Standard As a healthcare employee you should ask yourself…

14 …do I need to know this to do my job????? This is called the “Minimum Necessary”

15 The Minimum Necessary standard requires providers to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to. and disclosure of PHI. Providers should have a policy to limit how much PHI is used, disclosed, and requested for certain purposes. Policies must limit who has access to PHI, and under what conditions, based on individual job responsibilities and the nature of their business. Minimum Necessary Standard

16 This law DOES NOT interfere with your staff continuing to provide the Quality Care you have always provided!!! There is no Minimum Necessary requirement when it comes to treating a patient. For treatment purposes you are allowed to share information freely with other treatment personnel directly caring for the patient What HIPAA is NOT…

17 Scenario You have just had to deal with a very demanding customer and need to discuss your frustrations with someone. As you walk outside to get some air, you see a friend from another department. What do you do?

18 Protecting the Medical Record What do I need to know about releasing patient information? What do I need to know about releasing patient information? –Is this for T-P-O? –Is there an Authorization? –Did I ask the patient? –Are there adequate safeguards? –Did I use professional judgment?

19 The Security Regulation and Electronic Information Protecting Electronic Protected Health Information (ePHI) Protecting Electronic Protected Health Information (ePHI) –C-Confidentiality –I-Integrity –A- Availability Risk Assessment Risk Assessment Safeguards for Protecting Data Safeguards for Protecting Data

20 Helpful Hints When Working with Computers Never share your password Never share your password Always keep computer screens pointed away from the public Always keep computer screens pointed away from the public Never remove computer equipment, disks or software from the facility unless you have permission to do so Never remove computer equipment, disks or software from the facility unless you have permission to do so Only access the information that you need Only access the information that you need

21 Helpful Hints When Working with Computers Always double check the address line of an before you send it Always double check the address line of an before you send it Don’t leave your computer unattended. If you have to walk away, log off before you leave Don’t leave your computer unattended. If you have to walk away, log off before you leave Look out for suspicious activity to make Look out for suspicious activity to make sure no one else uses your account or password sure no one else uses your account or password

22 Exceptions to the Rule Reasons for releasing confidential information Reasons for releasing confidential information When reporting is required When reporting is required What happens if you accidentally release information? What happens if you accidentally release information?

23 Understanding Your Role Read the Privacy Notice Read the Privacy Notice Know your company’s policies and procedures Know your company’s policies and procedures Know when state regulation Know when state regulation “pre-empts” HIPAA “pre-empts” HIPAA Use appropriate safeguards Use appropriate safeguards Talk to your Privacy Officer Talk to your Privacy Officer

24 What is New with HIPAA? Transactions Claims attachment Enforcement Complaint Driven Monetary/Civil Penalties National Provider Identifier Assigned identifier to be used in all external electronic transactions (May 2007 effective date)

25