Published by Derick Powell. Modified over 6 years ago.
Slide 1: HIPAA Training
Abigail Fallen, RHIA, CHDA
8/7/2014
Slide 2: Agenda
- HIPAA Overview
- Title II
- Accidental vs Intentional Violations
- Sanctions
- Best Practices
- Use Case Examples
- Adjourn
Slide 3: What is HIPAA?
- Health Insurance Portability and Accountability Act
- Enacted to improve the efficiency and effectiveness of the healthcare system
- Title I: Healthcare Access, Portability, and Renewability
- Title II: Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform
- Signed by President Clinton in 1996
Notes: There are two main titles to HIPAA. Title I protects health insurance coverage for workers and their families when they change jobs or lose their jobs. Our topic of conversation today centers on Title II.
Slide 4: HIPAA - Title II
- Draft rules aimed at increasing the efficiency of the healthcare system by creating standards for the use and dissemination of healthcare information
- Spoken, printed, electronic
- Five (5) Rules in Place:
  1. Privacy Rule
  2. Transactions and Code Sets Rule
  3. Security Rule
  4. Unique Identifiers Rule
  5. Enforcement Rule
Notes: Title II applies to covered entities, which we will address on the next slide. Notice that these rules cover all forms of communication of healthcare information, not just written. HIPAA has constructed five rules under Title II to protect healthcare information. Although all of the HIPAA rules are important, the ones you will be most involved with are the Privacy Rule, the Security Rule and, potentially (though hopefully not), the Enforcement Rule.
Slide 5: What is a Covered Entity?
- Hospitals
- Physician Offices
- Health Plans
- Employers
- Public Health Authorities
- Life Insurers
- Clearing Houses
- Billing Agencies
- Information System Vendors
- Service Organizations
- Patients
Notes: A covered entity is a person, place, and/or thing that is responsible for the re-disclosure of data. Covered entities are expected to behave in ways that protect the patient's privacy when it comes to their healthcare data.
Slide 6: Protected Health Information (PHI)
- Any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual
- Eighteen (18) identifiers, including but not limited to:
  - Names
  - Geographical identifiers smaller than a 5-digit zip code
  - Dates related to an individual
  - Phone/fax numbers
  - SSN
  - Medical record numbers
  - Facial images or comparable images
  - Any other unique identifying characteristic
Notes: EXERCISE: Let's see if we can name all 18 identifiers. Presenters: poll the audience and see how many your group can come up with before disclosing them.
  1. Names
  2. Geographic data
  3. All elements of dates
  4. Telephone numbers
  5. FAX numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet protocol addresses
  16. Biometric identifiers (e.g. retinal scans, fingerprints)
  17. Full-face photos and comparable images
  18. Any unique identifying number, characteristic or code
You will notice that some of these identifiers are very "obvious" while others are not. Remember, if there is anything that could relate back to a patient, consider it protected. It's better to err on the side of caution.
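As an added illustration that is not part of the presentation, the Python script below scans outbound text for those identifiers in the list above that have a recognisable machine shape (SSN, phone/fax, email, IP address, URL, date, zip code and a medical record number) and flags the message as needing encryption, which is the check behind the later best-practice advice that an email containing PHI must be encrypted. The "MRN-" record-number format and every sample value are constructed for this example. Names, biometrics and photos cannot be matched by pattern, so an empty result never proves that a message is free of PHI; the scanner is a safety net, not a substitute for the minimum necessary rule.

```python
import re
from dataclasses import dataclass

# Patterns for the HIPAA identifiers that have a recognisable shape.
# Names, biometrics, photos and "any other unique characteristic" have no
# pattern, so a clean scan is not proof that a message is free of PHI.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # (555) 123-4567, 555-123-4567, 555.123.4567, 555 123 4567
    "phone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    # Assumed record-number format for this example only (hypothetical).
    "medical_record_number": re.compile(r"\bMRN-\d{6,}\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


@dataclass(frozen=True)
class Finding:
    category: str   # which identifier class matched
    value: str      # the matched text


def find_phi_identifiers(text: str) -> list[Finding]:
    """Return every pattern-recognisable identifier found in the text."""
    findings = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(category, match.group(0)))
    return findings


def needs_encryption(text: str) -> bool:
    """Best-practice gate: if the outbound message carries PHI, it must be encrypted."""
    return bool(find_phi_identifiers(text))


def redact(text: str) -> str:
    """Replace each recognised identifier with a category tag (minimum necessary)."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed sample of an outbound message; every value is made up.
SAMPLE_MESSAGE = (
    "Follow-up for MRN-004512: PCP visit on 08/07/2014. "
    "Patient phone (555) 123-4567, SSN 123-45-6789, "
    "caseworker j.doe@example.org."
)

if __name__ == "__main__":
    for finding in find_phi_identifiers(SAMPLE_MESSAGE):
        print(f"{finding.category:22s} {finding.value}")
    print("needs encryption:", needs_encryption(SAMPLE_MESSAGE))
    print("redacted:", redact(SAMPLE_MESSAGE))
```

Running the script on the constructed message reports five identifiers (record number, date, phone, SSN, email), so the message would be blocked from going out unencrypted; the redacted form shows what remains once the identifiers are stripped.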
Slide 7: Rule #1 - Privacy Rule
- Regulates the use and disclosure of PHI
- Minimum Necessary Rule
- Treatment, Payment, Operations (TPO)
- Required by law
- Public health
- Written Authorization
- Must disclose within 30 days of request
- Disclose the minimum necessary to achieve the purpose
- Covered entities are required to track disclosures
Notes: The Privacy Rule relates to the disclosure of patient data. There are two types of authorization for disclosing data. Some instances do NOT require additional authorization or agreement from the patient to have their information released. These are known as TPO:
- Treatment: a covered entity that has or has had a relationship with the patient; the established relationship allows the covered entity to view or share health information, but only what is minimally necessary.
- Payment: in order to submit bills to healthcare insurers and be paid for them, the insurer needs to know why.
- Operations: quality improvements, population-based health activities to improve public health and reduce healthcare costs, evaluating performance.
- Law: if there is proper legal documentation to request the disclosure of healthcare information, the patient does not have to give consent.
- Public health: if information about the patient's health could create a public health issue (such as potential TB exposure), that data can be shared with the public health agency without consent. This is to prevent the spread of communicable illnesses.
Written authorizations are those that fall outside of this scope and require a signature from the patient to release them. The facility or entity that "owns" the information is required to disclose it within 30 days of the initial request. However, the patient must be specific in their request (such as what information they want disclosed), and the entity needs to do a thorough job of releasing the minimum necessary documentation to fulfill the request. Covered entities are required by law to track disclosures of data. A patient has the right to ask for a list of facilities that have received their data, under both non-written and written authorizations. A covered entity should be doing this for each patient throughout the life of the patient's data at their facility, not waiting until the time of the request.
Slide 8: Rule #3 - Security Rule
- Complements the existing Privacy Rule
- Pertains specifically to electronic protected health information (ePHI)
- Administrative, technical, and physical safeguards
- Physical safeguards: access to equipment should be carefully controlled and monitored (laptops, cell phones, iPads)
Notes: The Security Rule specifically addresses electronic health information in terms of sharing and redisclosure. There are three types of safeguards; for the purposes of your work we are concerned most with physical safeguards. Physical safeguards include securing actual equipment. We'll talk more about what you should do to keep data safe in a later slide.
Slide 9: Accidental vs Intentional Violations
Accidental violations (no malicious intent):
- Forgetting to log off your computer before leaving your workstation
- Discussing patient information in what you believe to be a private area, but realizing others could potentially hear you
- Sending encrypted data to a "bad" address or a "bad" fax number
Notes: Accidental violations are still serious and important, but there was no malicious intent. In these instances, the individual disclosing the information has typically taken the necessary precautions to keep the data secure, and an unknown variable came into play.
Slide 10: Accidental vs Intentional Violations
Intentional violations:
- Giving medical records or any PHI to others who do not have permission to see them
- Sharing PHI with your family members, friends, and newspapers who have no legal right to it
- Copying PHI and taking it home
- Making changes to patient information on the computer that you do not have permission to make
- Sharing your computer password with coworkers or others
- Looking at information in paper or electronic medical records that you do not have permission to see
Notes: Intentional violations are those meant to do harm or committed with willful intent. The list above gives a few examples of intentional HIPAA violations.
Slide 11: Rule #5 - Sanctions - Civil
Type of Violation | Civil Penalty (Min) | Civil Penalty (Max)
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
Notes: There are two types of sanctions that can be imposed for violations of HIPAA: civil and criminal. Each has a subset of violation severities, each carrying its own penalties. You will notice in the next two slides that the type of violation is based on intent (willful neglect) and reasonable cause (why was HIPAA violated?). You will also notice that as willful neglect, or intention, increases, so does the monetary penalty. A penalty can be imposed on any covered entity, which can in turn choose to punish the individuals responsible for the violation.
Slide 12: Rule #5 - Sanctions - Civil (continued)
Type of Violation | Civil Penalty (Min) | Civil Penalty (Max)
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1,000,000 (one figure given for both columns)
Slide 13: Rule #5 - Sanctions - Criminal
Type of Violation | Criminal Penalty
Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information | A fine of up to $50,000; imprisonment up to 1 year
Offenses committed under false pretenses | A fine of up to $100,000; imprisonment up to 5 years
Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm | A fine of up to $250,000; imprisonment up to 10 years
Notes: Criminal sanctions can be applied for violations as well, and can be imposed directly on the individuals who committed the violation. Not every HIPAA violation is a criminal matter: these violations imply that the person who committed the crime did so knowingly, purposefully, and/or to cause harm. Commonly, we hear about HIPAA violations when VIP individuals are seeking care at a facility: an individual releases the information to the news, etc. and receives a kickback in return. At the end of the day, if you are not sure about releasing or sharing information, don't! Check with your supervisor before you do so. It's better to be more protective of patients' information.
Slide 14: Best Practices
- Report any activity to your direct supervisor that you feel may be a violation of HIPAA (internal or external)
- Educate your patients
- Remember the Minimum Necessary Rule
- Keep your equipment safe
- Encrypt emails
- Taking phone calls
- Sending faxes
- Handling paper records
- Obtain patient consent before accessing the HIE
- Body language
- Environmental awareness
Notes: If you feel as though you may have encountered a HIPAA violation, or your patient may have had one, notify your supervisor immediately. Be specific about the details of the event that took place. This could be a violation in the office or outside of the office when you are accompanying your patients to various appointments. Remember to educate your patients on the importance of sharing their information for care coordination, while reminding them of the instances in which they have a right to protect their information. Minimum Necessary: only look at what you need to know, and only share what needs to be shared, if warranted. Keep your equipment safe! Do NOT leave your email, TrackVia or the HIE open. Even though the programs log you out automatically, there is still an opportunity for others to see them. Do NOT leave laptops, iPads, cell phones, etc. unattended. PLEASE do NOT leave these items in your vehicle at any time. Make sure you have cleared the copier before you walk away. Did you remember to shred anything with PHI that you don't need anymore? Does the email include PHI? Then encrypt it! If you're going to fax, make sure you have the correct fax number and a disclosure on your cover sheet. If you receive a phone call from a family member, first confirm that they are allowed to be spoken to about the patient by checking any consent documentation. If you're speaking to someone else about a patient and are allowed to do so, make sure you are in an area where others cannot hear your conversation. Body language: if you are working in or accessing a chart, do your best to be in a private place. In areas where others could see your screen, position yourself in a way that keeps the screen AWAY from the eyes of others. Environmental awareness: pay attention to your surroundings. Are you in a public place? If the answer is "yes", then patient information should not be discussed. You never know who is walking the same street as you, or riding the same elevator; they may know the patient you are talking about.
Slide 15: HIPAA Examples - Are the following scenarios HIPAA violations?
1. You and your colleague are walking to Cooper when your cell phone rings. It's the patient's caseworker calling to ask a question about a recent PCP appointment. Can you disclose this information?
2. While accompanying your patient to an appointment, the security guard stops you to ask where you are going and why you are here. Are you allowed to share this information?
Notes: 1. No. At the moment, you are in what is considered a public place. The caseworker has the right to ask for and know the minimum necessary information under TPO, but because you are in a public place you should not be disclosing this information. It would be best to find a private area, call the caseworker back and discuss. 2. In this instance, the security guard has a right to know WHY you are there, but again, the minimum necessary rule applies. They may ask who you are and who the patient is, which for their security purposes they can. They cannot, however, ask for or be told the reason you are there in terms of clinical purposes, such as diagnoses. Remember the minimum necessary rule.
Slide 16: HIPAA Examples - Are the following scenarios HIPAA violations?
1. Your co-worker is logged into the HIE viewing a patient's chart. Through conversation, you find out the patient is a family member of your co-worker. Is this a HIPAA violation?
2. A patient enters the emergency room unconscious and in critical condition. The provider does not have a treatment relationship with the patient. Can the provider access the patient's medical records?
Notes: 1. This is in fact a HIPAA violation. A family member, friend, co-worker, etc. cannot view a patient's information without the consent of the patient. Even in a potentially acceptable workflow (i.e. the nurse is related to the patient), the individual with the family connection should notify their supervisor of a potential conflict of interest. The covered entity can then use the discretion that best matches its policies and procedures as to whether or not to remove the individual from working with this patient. If you find out through your work that you are assigned a patient you may know personally, please contact your supervisor. 2. In this instance, the provider has the right to view the information. Although the doctor has not yet had a treatment relationship with the patient, this constitutes an emergent situation. The fact that the patient cannot speak and is in critical condition allows the provider to make an exception to HIPAA. Once the patient becomes stable and coherent, the covered entity would still obtain further consent for use and disclosure of health information.
Slide 17: HIPAA Examples - Are the following scenarios HIPAA violations?
1. A family member calls you to ask about a patient you are working with. What should you do?
Notes: Disclosure to friends and family: we can discuss PHI with family and relatives if (a) the patient agrees that PHI may be disclosed, (b) the patient has had the chance to object and does not, or (c) it is reasonable to think that the patient does not object, such as when a patient brings a spouse into the treatment room.
Slide 18: Questions?