CCHAP Practice Manager's Meeting
HIPAA Guidelines and Updates for Primary Care Practices
Thursday, October 24th, 2013, Noon - 1:00 PM
Presenter: Kara Kohn, RN, MBA

Instructions to join the meeting remotely:
1. Open a web browser and enter the URL: www.readytalk.com, then enter the participant access code:
2. Phone in for the audio portion of the conference, then enter the access code:
HIPAA 2013 Omnibus Rules and Updates
What is HIPAA?
- The Health Insurance Portability and Accountability Act was enacted in 1996
- Protects health insurance coverage for workers and their families when they change or lose jobs
- Required national standards for electronic health care transactions
- Gave individuals rights over their own privacy (including from parents)
- Enacted privacy standards for PHI (Protected Health Information)
Key Terms and Definitions
- Privacy: the patient's right over the use and disclosure of their own protected health information
- Security: the specific measures a Covered Entity (your practice) must take to protect PHI from unauthorized breaches of privacy
- Protected Health Information (PHI): any identifiable information that relates to an individual's past, present or future physical health or condition, where there is reasonable cause to believe it can be used to identify that individual
Protected Health Information (PHI) identifiers
- Name
- Zip code
- Birth date
- Telephone number
- Fax number
- Account number
- Address
- Social Security number
- Medical record number
- Health plan numbers
- Certificate/license number
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- IP and URL address numbers
- Biometric identifiers (finger or voice prints)
- Full face photos and images
- Any other unique identifying number, characteristic or code
What is New?
- Requests for electronic medical charts
- Requests to not share information with health plans
- Immunization information allowed to be shared
- Restrictions on marketing, fundraising and sale of PHI
- Genetic information and insurance
- Business Associate compliance
- New Notices of Privacy Practices
Chart Requests
- Patients can ask for copies of their medical information in electronic format
- Patients can still ask for medical information in paper format
- 30 days to produce this information
- No more 30-day extensions

Requests by Patients
- If all services are paid in full, in person, during a visit, the patient can request that the information not be shared with their health plan
- This includes the treatments received during that specific visit

Immunization Records
- If a parent or guardian gives written permission, your office can provide immunization information to a school
- This applies to schools that are required by law to have it
- This process is more streamlined, making it easier for both parents and practices
Marketing, Fundraising and Genetic Information
- Increased restrictions on how patients' information is used and disclosed to third parties for marketing and fundraising
- Patients' personal information cannot be sold to outside parties without their written consent
- Insurance companies cannot use genetic information for coverage and cost determinations
Business Associates
- All Business Associates must now adhere to all HIPAA rules and regulations when in possession of PHI
- A Business Associate is anyone who works in association with your practice and has access to patient information
- Does not include doctor-to-doctor business, healthcare providers, insurance companies or pharmacies

Who is a Business Associate?
- Health Information Organizations
- E-prescribing gateways
- Data transmission services (personal health record vendors)
- Labs
- Confirmation services
- Collection agencies
- Software companies
- IT techs
- Consultants
- Sales reps
- After-hours services

Business Associates (cont.)
- Any new Business Associate to your practice should have a signed agreement by September 23, 2013
- Existing Business Associates have until September 23, 2014 to sign the new agreement
- You are not required to train your Business Associates
- If a Business Associate uses a subcontractor, the Business Associate must have its own contract in place with that subcontractor
Increased Privacy Protection
- Any disclosure of PHI is now considered a breach (see the examples on the following slides)
- This can include inadvertent release of PHI
- Any suspected or known breach must be reported
- A risk assessment must be completed and documented any time a breach is reported
- Fines of $50,000 for each violation, up to a limit of $1.5 million annually
Examples of a Breach
- Any posting of pictures or patient identification on social websites (Facebook, Twitter, Instagram, etc.)
- Conversations in the waiting room disclosing PHI
- Loss of an office laptop containing patient information
- Paperwork given to the wrong patient
- Verbal communication by phone to someone who is not the patient or their parent/guardian

Examples of a Breach (cont.)
- Permission is asked to share patient information with parents/guardians in the room (age dependent)
- Faxing patient information to the wrong number; communication sent to the wrong address or group
- A computer screen with patient information that can be viewed by other patients/families
- Placing PHI in a regular trash container
What Needs to Be Done in the Event of a Breach?
- No longer report only a "significant risk": all presumed risks are considered a breach
- Complete the Breach Assessment Form
- Report via the HHS website
- Potentially contact patients with knowledge of the suspected or confirmed breach
How to Prevent a Breach
- Any and all paperwork changing hands is verified so that each and every page belongs to the patient it is handed to
- All patients are asked their permission before proceeding when there are visitors in the room who are not a parent/guardian/POA
- All conversations are held at a reasonable tone and in appropriate venues in the patient care area; do not discuss patient care in hallways, waiting rooms, or exam rooms with doors open
- All fax numbers are verified before hitting send, and a fax cover sheet with a confidentiality statement is used at all times
- All charts are maintained securely, away from public view
- All printouts with patient information are placed face down when you step away from the desk
- Computer screens are locked when you step away, even momentarily
- Patient information is not thrown into a general trash can
Questions?

Thank you