HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996

What is HIPAA? Enacted August 21, 1996 Enacted August 21, 1996 Title I Title I Protects people who lose insurance coverage, lose jobs, or change jobs and wish to continue health insurance coverage Protects people who lose insurance coverage, lose jobs, or change jobs and wish to continue health insurance coverage Title II Title II Protects health data privacy Protects health data privacy Established national standards for compliance Established national standards for compliance Protects against fraud Protects against fraud

Protected Health Information “The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.” “The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.” HHS, 2012 HHS, 2012

Why the need for privacy and security act????

The privacy provisions of the federal law, HIPAA apply to heath information created or maintained by health care providers who engage in certain electronic transactions, health plans and health care clearinghouses. The Department of Health and Human Services (HHS) has issued the regulation, “Standard for Privacy of Individually Identifiable Health Information” The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the privacy regulation

A health care provider who transmits health or mental health information in electronic transactions. For example, a physician who electronically bills for services. A health plan A health care clearinghouse Concorde is a Hybrid Entity A Hybrid Entity means a single legal entity that is a covered entity, performs business activities that include both covered and non- covered functions, and designates its health care components as provided in the Privacy Rule (45 C.F.R. § ).

Who uses Protected Health Information (PHI) at Concorde? Everyone who uses a computer or electronic device which store or transmits information Such as: Administrative staff that work with PHI Externship Clinics Campus Staff that work in Clinical areas Student that work with patients Accounting Payroll Staff Volunteers Almost everyone at one time or another

Confidentiality and Privacy Confidentiality and Privacy go hand-in-hand and patients have the right to control who sees their protected health information. Confidentiality and Privacy go hand-in-hand and patients have the right to control who sees their protected health information. Communications with and/or about patients protected health information will be kept private and limited to those who need to know information for payment, treatment and operations (PTO). Communications with and/or about patients protected health information will be kept private and limited to those who need to know information for payment, treatment and operations (PTO). These communication may be written, oral or in electronic form. These communication may be written, oral or in electronic form. Only those people with a need to know may have access to the protected information. Only those people with a need to know may have access to the protected information.

Protected Health Information PHI Protected Health Information is any information used to identify the patient such as… Protected Health Information is any information used to identify the patient such as… address address social security number social security number name name … it also includes information about the patients reason for being in the hospital, clinic, medications and treatments they are receiving and their complete health record

PHI is used to treat, to bill and receive payment for services and for internal controls of hospital/clinic operations. This is all outlined in the Notice of Privacy Practices (NOPP). Each patient is given a copy upon admission to any facility. PHI may only be shared with entities outside of the facility who already had a direct relationship with the patient. Such as their primary care provider, an ambulance company that transported the patient between facilities, and the insurance company who is on record and responsible for the bill. Beyond that, a valid authorization from the patient or the patients legal documented representative must be provided. Release of medical record information should be handled through the Health Information Management Department.

Who is authorized to see this information? Any physician who is treating the patient Any physician who is treating the patient Any care giver who needs the information to perform their job Any care giver who needs the information to perform their job This means “Need to Know” Only the portion of the chart that is needed for a specific job function with that patient may be accessed This means “Need to Know” Only the portion of the chart that is needed for a specific job function with that patient may be accessed

How to protect information? Be mindful when discussing patient information out in open areas Be mindful when discussing patient information out in open areas Sign off your computer when not in use and not at your desk Sign off your computer when not in use and not at your desk Knock on doors before entering a room Knock on doors before entering a room Keep patient information out of public view Keep patient information out of public view Keep medical records locked and away Keep medical records locked and away Treatments should be carried out in private areas Treatments should be carried out in private areas Discussions about patient financial information should be done in a private area Discussions about patient financial information should be done in a private area Never discuss patient information in elevators and public dining rooms Never discuss patient information in elevators and public dining rooms

cont. Do not release information without proper authorization to anyone unless covered by our NOPP Do not release information without proper authorization to anyone unless covered by our NOPP Contact the Facility Privacy Officer when ever you are in doubt and not sure of any privacy issue Contact the Facility Privacy Officer when ever you are in doubt and not sure of any privacy issue

HIPAA Violations Failure to comply with HIPAA standards may result in civil and criminal penalties Failure to comply with HIPAA standards may result in civil and criminal penalties

Civil Penalties The Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing civil penalties. The Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing civil penalties. Fines range from no more $100 for each violations and not more than $25,000. These are penalties against the covered entity

Criminal Penalties The Department of Justice (DOJ) is responsible for enforcing the criminal side and these fines imposed when a an entity knowingly discloses or obtains PHI. The Department of Justice (DOJ) is responsible for enforcing the criminal side and these fines imposed when a an entity knowingly discloses or obtains PHI. Fine $50,000 1 year prison Fine $50,000 1 year prison Knowingly obtain or disclose Knowingly obtain or disclose Fine $100,000 5 years prison Fine $100,000 5 years prison Obtain or disclose under false pretense Obtain or disclose under false pretense Fine $250, years prison Fine $250, years prison For profit, gain or harm obtain or disclose For profit, gain or harm obtain or disclose

Patient Authorization to Release A patient may sign an authorization for us to release their PHI for reason other than PTO A patient may sign an authorization for us to release their PHI for reason other than PTO The authorization must… The authorization must… * be signed and dated by patient or legally * be signed and dated by patient or legally authorized representative authorized representative * valid for 180 in the State of Texas * valid for 180 in the State of Texas * must provide reason for release * must provide reason for release * must state who information is to be released * must state who information is to be released to and address to and address * Can only be in writing and may be revoked by patient * Can only be in writing and may be revoked by patient In order to use a patient information to print in a newsletter, sell for marketing purposes or for research outside of our NOPP, we must obtain a valid written authorization Only the patient or legal representative may give this authorization, not their physician.

Privacy is everyone’s responsibility