Are you ready for HIPPO???

Welcome to HIPAA

What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. HIPAA is a federal law managed and enforced by the Centers for Medicare and Medicaid Services (CMS). HIPAA creates a framework for managing patient health information in verbal, paper, and electronic form. HIPAA also provides standards for electronic transactions and covers building security.

Who does it apply to?
HIPAA affects nearly everyone in healthcare: providers, payers, pharmaceutical companies, and hospitals. HIPAA affects all employees and operations of a “covered entity”, as well as the business vendors and suppliers who provide services and products to it.

v. 05/15/2014
The Privacy Rule

Protected Health Information (PHI)
PHI is any information about the past, present or future physical or mental health of a patient AND which individually identifies that patient. Examples of individual identifiers include name, address, SSN, family members’ names, insurance numbers, etc. PHI may exist in any form: on paper, in verbal conversations, or in electronic form.

Can you identify PHI at your facility?
How do we manage PHI?
HIPAA places few restrictions on the use or disclosure of PHI in treatment, payment or healthcare operations (TPO). HIPAA recognizes that providers and employees of a covered entity need wide access to PHI to deliver quality healthcare efficiently.

TREATMENT includes the provision of healthcare services, and also:
· consulting between providers about a patient
· referring a patient to another provider

PAYMENT includes interaction with insurance companies & other payers:
· eligibility determination
· billing, claims, reimbursement
· preauthorization
· utilization review

HEALTHCARE OPERATIONS include activities such as:
· quality assessments
· outcome evaluations
· internal business planning
Minimum Necessary Standard
For any internal use of PHI, everyone must make a reasonable, good faith effort to share only the minimum amount of PHI necessary to accomplish the intended purpose. Be aware that many purposes, such as treatment, may well require extensive use of PHI.

Exception – the standard does not apply to disclosures of PHI made to other healthcare providers.
Applying the Minimum Necessary Standard
· Restrict the amount of PHI used: Is ALL this PHI needed now?
· Restrict physical access to PHI: Is the PHI secure?
· Restrict access to certain persons: Does everyone need to see this?

Remember - PHI exists in verbal, paper, and electronic form.
Notice of Privacy Practices (NPP)
The NPP is a document required by HIPAA that explains patient rights regarding their PHI. The NPP explains how we will use PHI for treatment, payment and healthcare operations. It also describes patients’ right to …
· inspect their PHI (medical record)
· make copies of their PHI
· request changes to their PHI
· request an accounting of non-TPO disclosures of PHI

The NPP must be given to the patient, or their legal representative, at the first encounter for healthcare services. You must make a good faith effort to obtain a signed acknowledgement of the patient’s receipt of the NPP. Keep this acknowledgement form.
Authorization Form
An Authorization Form is required for disclosures of PHI which are not part of treatment, payment, or healthcare operations. An example would be a release of PHI to a law firm.

The Authorization Form must include a specific description of the PHI to be disclosed, must identify the recipient of the PHI, and must include the dates that the Authorization covers. A log must be kept of all disclosures made under the Authorization. A patient may refuse to sign the Authorization.
Business Associates
Other individuals and organizations, who are NOT healthcare providers, may also have access to PHI. Examples include medical records storage companies, technical support vendors, etc.

Note that other healthcare providers, including hospital and clinical labs, are not Business Associates.

All Business Associates must sign an Agreement promising to protect and safeguard PHI in the same manner as the covered entity.
HIPAA Security
HIPAA Security focuses on PHI which is in electronic format, including computer systems, fax machines, answering machines, the internet, CDs, medical equipment, etc. Security also covers building security for the protection of PHI.
· Use special care when handling PHI in electronic format.
· Do not throw away PHI in electronic format.
· Do not share passwords, keys, or other means of access with other employees.
· Be aware of building security regarding physical access, visitors, and emergency procedures.
· Report all suspected violations of Security policy to your immediate supervisor or the Privacy Officer.
HIPAA Enforcement
HIPAA enforcement comes under CMS and the Office for Civil Rights. For the most part, enforcement actions are complaint-driven. An individual patient generally has no private right to sue under HIPAA. There is no regular HIPAA audit program, but that is changing.

All of a provider’s employees and Business Associates are responsible for HIPAA and are thus subject to enforcement actions. There are civil penalties, usually fines, associated with HIPAA violations.

v. 05/10/2012
Are you HIPPO compliant??

HIPAA in a Nutshell
· Always protect and safeguard PHI.
· Help to create an atmosphere of privacy and professionalism when using PHI.
· Honor the rights of patients regarding their PHI.
· Use the proper forms as required under HIPAA.
· Remember that persons and organizations outside Jones Clinic may also access PHI, and know the rules which govern this use.
· Remember that most violations of HIPAA are not intentional but are due to carelessness or sloppy work habits.
· Ask the Privacy Officer or your management team if you have questions about HIPAA.
· Report all violations of HIPAA as instructed.