1. Health Insurance Portability and Accountability Act of 1996
HIPAA
Health Insurance Portability and Accountability Act of 1996

2. Definition
HIPAA is the federal Health Insurance Portability and Accountability Act of The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs

3. PHI Protected Health Information
PHI protects all individually identifiable health information whether paper, oral or electronic
Person’s:
Past, present or future physical or mental care provided to the person
The provision of health care to the individual, or
The past, present, or future payment for the provision of health care to the individual

4. Basic Principles – Office of Civil Rights (OCR)
“A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be disclosed by covered entities.
A covered entity may not use or disclose protected health information, except either:
1) as the Privacy Rule permits or requires; or
2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.”

5. Required Disclosures
“A covered entity must disclose protected health information in only two situations:
a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and
b) to HHS when it is undertaking a compliance investigation or review or enforcement action.”

6. Treatment/Payment
Treatment is the provision, coordination or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient by one provider to another.
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.

7. Healthcare Operations
Health care operations are any of the following activities:
a) quality assessment and improvement activities, including case management and care coordination;
b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation;
c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs;
d) specified insurance functions, such as underwriting, risk rating and reinsuring risk;
e) business planning, development, management and administration; and
f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

8. Consent
Obtaining “consent” (written permission from individuals to use and disclose their protected health information for treatment, payment and health care operations) is optional under the Privacy Rule for all covered entities.
The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.
REMEMBER: Most uses and disclosures of psychotherapy notes for treatment, payment and health care operations purposes require authorization.

9. Safeguarding Information
Papers over clipboards
Computers facing away from those seeking information
Tinted screens for computers so that only person directly in front can see
Keeping people in line far enough away from desk not to overhear
Staff talking as quietly as possible
Taking patients to another area to ask questions
Faxing to correct numbers
Passwords for those who need access on computers
Data wall for all behavioral health information

10. Encryption is NOT enough!
Encryption does not cover an organization. According to government health IT, “Encryption involves using ‘an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key… and such confidential process or key that might enable decryption has not been breached.”

11. How to File a Complaint Requirements are:
Complaint must be filed in writing
Name of the covered entity or business associate you believe made the violation
Must be listed as well as a description of what you believe was shared.
Lastly, the complaint must be filed within 180 days, time may be extended if you

12. Anyone can file a complaint!
HIPAA rule prohibits a covered entity to retaliate against your for filing a complaint
You can file complaint in a variety of methods
A covered entity has the responsibility to self-report an information breach

13. Violations and Fines
The “HIPAA” police, or the department that investigates the complaints and reports is the OCR or Office of Civil Rights
The American Recovery and Reinvestment Act of 2009 created a tiered penalty ladder for violations
Fine for 1st time violation by someone who did not realize that they did it could be as low as $100 or as high as $50,000
The fine for willful neglect, but corrected within the required time period is from $10,000 to $50,000
The fine when the willful neglect is not corrected increases tom $10,000 to $50,000

14. A privacy violation is considered criminal and may lead to prosecution by the Department of Justice
If you shared information on purpose - $50,000 fine and up to 1 year in jail
If the violation was committed through deception, the fine is $100,000 and up to 5 years in jail
If there was any personal gain through the sharing of PHI, the fine goes to $250,000 and 10 years in Prison