HIPAA Training Workshop #1 Council of Community Clinics – San Diego February 7, 2003 by Kaye L. Rankin Rankin Healthcare Consultants, Inc.


1 HIPAA Training Workshop #1 Council of Community Clinics – San Diego February 7, 2003 by Kaye L. Rankin Rankin Healthcare Consultants, Inc.

2 Today’s Topics
• Minimum Necessary – A real challenge!
• Authorizations or How to make something really complicated!
• Access to Protected Health Information – The Defense Industry is going to have nothing on us!

3 Minimum Necessary
• A Covered Entity must make a reasonable effort to use, disclose or request only the minimum amount of information necessary for its purpose.
• Policies and procedures identifying persons or classes of persons needing access to PHI and the conditions that would apply
• Policies and procedures limiting identified persons or classes of persons to needed access

4 Minimum Necessary
• Defined routine and non-routine disclosures
• Disclosures made on a routine basis must have policies and procedures limiting disclosure to minimum necessary (with an exception for treatment).
• Non-routine disclosures – must have policies and procedures for determining and limiting information to the minimum necessary (case by case basis)
• Business Associates – policies and procedures describing routine disclosures

5 Minimum Necessary
• Disclosure of the entire medical record not permitted unless specifically justified in a policy

6 Who Needs What and Why?
• How are you going to identify users requiring access?
• How do you identify what they need access to?
• What are the conditions under which they need access?
• How do you inform the gate keepers about who should have access and who should not have access?

7 Some Options
• Option #1: Minimum Necessary Matrix
  – Pros
    Basis for Access Authorization Log for Security Regulation
    Easy for gatekeepers to determine if request is appropriate
    Can be used for electronic systems as well as paper
  – Cons
    Will probably require an employee survey or review of job descriptions
    Will require maintenance
Handout: Minimum Necessary Matrix

8 Some Options
• Option #2: Staff training and procedures requiring employees to verify access for any questionable requests
  – Pros
    Less work to implement
    Modifications of Job Description is logical
  – Cons
    Someone must be given the responsibility of fielding calls and responding quickly
    Changes to job descriptions to document access/level
    More difficult to audit.

9
• First, minimum necessary does not apply to:
  – Providers for treatment purposes
  – To the individual
  – Pursuant to an Authorization
  – To the Secretary of DHHS
  – To comply with the transaction standards
• How do we identify routine disclosures?
Handouts: Minimum Necessary Policy Identifying Routine Uses and Disclosures

10 Some Options
• Option #1: Survey by job title
  – Pros
    You find out if job descriptions really reflect what employees are doing.
    This should help in determining the conditions under which an employee will require access.
  – Cons
    This is time consuming to do

11 Some Options
• Option #2: Departments/Programs management documents what should be routine.
  – Pros
    Easier because not as many people involved
    Easier to document this limited set of routine disclosures
  – Cons
    You may miss something and then it will need to be handled on a case-by-case basis until policies are changed.

12 Non-Routine Uses and Disclosures
• Managing non-routine uses, disclosures and requests (remember that word reasonable)
  – How do we establish a consistent process for determining the reasonableness of a request?
  – How do we document due diligence?

13 What’s Reasonable?
• Criteria for reasonableness
  – Is the request specific with a clear purpose?
  – Could the disclosure potentially harm the patient?
  – Is the disclosure necessary to provide quality care or obtain reimbursement?
  – Could the disclosure impact the organization legally?
  – How many people would be provided access to the information?
  – How much information is being requested?
  – Could de-identified data meet the needs of the requestor?
  – Technology available to limit use/disclosure
  – The cost of limiting the use or disclosure
Handout: Evaluating Non-Routine Uses and Disclosures

14 Time for a BREAK!

15 Authorizations
• Definitions
  – Informed Consent = consent to receive treatment (retention 7 years)
  – Consent = written permission to use or disclose PHI, with the exception of psychotherapy notes, to carry out treatment, payment or health care operations – general consent (retention 6 years)
  – Authorization = allows the use and disclosure of PHI for purposes other than treatment, payment or health care operations – must be specific and is required to use or disclose psychotherapy notes (retention 6 years)

16 Authorizations
• Required elements
  – Everything that California Requires Plus
    Statement – May Not Condition Treatment on Authorization (some exceptions)
    Statement “Right to revoke”
    Termination date
    Potential for further disclosure – California prohibits
• New conditions
  – Must provide copy
  – May not combine with other authorizations (again some exceptions)

17 Now What?
• Actions
  – Identify forms that meet the definition of a HIPAA Authorization (look at consents and authorizations)
  – Evaluate it against the Authorization Checklist
  – Make necessary changes
  – To Printer
Handout: Authorization Checklist

18 Authorizations just became complicated.
• Procedures
  – Procedures to receive a revocation
  – To notify interested parties within the organization of a revocation
  – To notify business associates of a revocation
  – To retain all documentation related to an authorization for 6 years.

19 Access to Protected Health Information
• Verification of Identity and Authority or Do I know you?
  – Must verify the identity of a person requesting protected health information and the authority of such person to have access to protected health information, if the identity or any such authority of such person is not known to the covered entity; and
  – Obtain any documentation, statements or representations (oral or written) from the person requesting the protected health information when such documentation is a condition of disclosure

20 Verification of Identity and Authority
• Who are we talking about here?
  – Health oversight auditors
  – Public health authorities
  – Law enforcement
  – Personal representatives
  – Next of kin
  – Others

21 Verification Procedures
• Require completion of a request form.
  – Identity
    Check driver's licenses, badges, or other official documentary proof of who they are.
    If the request is in writing, is it on government letterhead?
  – Authority
    Documented on government letterhead
    Court order or other legal document
    Legal documentation of personal representation
    Proof of executorships or beneficiary
• Obtain copies – retain 6 years
Handout: Example Request for Access

22 Accounting of Disclosures
• An individual has the right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.
Note: The disclosure may be oral, written, printed, electronic, etc. but still must be recorded.

23 Accounting of Disclosures
• What doesn’t have to be recorded:
  – Disclosures for treatment, payment or health care operations
  – To the individual
  – Incidental disclosures
  – Pursuant to authorization
  – National security or intelligence purposes
  – Correctional institutions or custodial situations
  – If part of a limited data set
Handout: Accounting of Disclosures

24 What will we have to do?
• Keep a disclosure history on each patient
    Date of disclosure
    Name of Organization or individual who received the information
    Description of information disclosed
    Reason for disclosure
    Copy of an individual’s authorization
• Be able to provide a copy when requested.
• All documentation related to the request must be retained for 6 years (including information provided)

25 The Clock is Ticking!

