
HIPAA Training

HIPAA Training. Community Mental Health and Substance Abuse Services of St Joseph County. HIPAA. Stands for Health Insurance Portability and Accountability Act of 1996. Background.



Presentation Transcript


  1. HIPAA Training Community Mental Health and Substance Abuse Services of St Joseph County

  2. HIPAA Stands for Health Insurance Portability and Accountability Act of 1996

  3. Background
     HIPAA was enacted in 1996, implemented for most facilities on April 14, 2003, and implemented in smaller organizations by April 14, 2004. HIPAA regulations were designed to protect individuals’ rights to privacy and confidentiality while ensuring the security of electronic transfer of personal information.

  4. HIPAA was intended to:
     • give patients more control over their health information.
     • set boundaries on the use and disclosure of health records.
     • establish safeguards for people providing healthcare to ensure they honor patients’ rights to privacy of their PHI.
     • hold violators accountable through identified civil and criminal penalties.

  5. 1996
     • Congress passed HIPAA to require national standards for containing and controlling the use and disclosure of protected patient health information.
     • One section of HIPAA established electronic submission guidelines for claims and other forms (HIPAA Transaction Rule).
     • Another section addressed the security of patient information, such as encryption (HIPAA Security Rule).

  6. 2009
     • Congress amended HIPAA under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 as part of the American Recovery and Reinvestment Act (ARRA).
     • HITECH aimed to strengthen HIPAA by widening the scope of privacy and security protections.
     • HITECH contains incentives related to health care information technology in general and specific incentives designed to accelerate the adoption of electronic health records (EHR).
     • HITECH also provided tougher sanctions for violations of the rules, increased potential legal liability for non-compliance, and provided for more enforcement.

  7. HITECH Amended Section 1176(b)
     • Striking the ban on imposition of penalties if the entity did not know and, within the exercise of reasonable diligence, would not have known of the violation.
     • Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30 day period, as long as the violation was not due to willful neglect.

  8. 2013
     • In January 2013 HIPAA was expanded and reinforced with the release of the HIPAA mega rule, also called the final rule.
     • The biggest modification to HIPAA since its enactment in 1996, it set more stringent enforcement actions, set new limits on use and disclosure of PHI, added individual rights and protections, and broadened the scope of HIPAA to include both monitoring and tracking.
     • The Final Rule became effective March 26, 2013, with a compliance deadline of September 23, 2013.

  9. Recap
     The 3 general parts of HIPAA include:
     • The Privacy Rule
     • The Transaction Rule
     • The Security Rule
     Enforcement: HIPAA is enforced by the US Department of Health and Human Services, Office for Civil Rights.

  10. HIPAA Terms
     • PHI is any information that could reveal the identity of a patient, such as name, date of birth, address, phone number, social security number, email address, account number, diagnosis, test results, photo, etc.
     • Covered entity is an insurance company/health plan, a healthcare provider (at any level of service), an agency that processes billing claims, and any agency or company that serves as a subcontractor of a provider.
     • An AOD is the ‘Accounting of Disclosure,’ which an individual has a right to for their PHI.
     • BAs are Business Associates, entities that perform business functions on behalf of a healthcare provider or plan. These include billing services, accountants, lawyers and answering services.

  11. HIPAA Terms
     • Authorization is used under HIPAA for a specific form that the patient/customer signs as agreement to disclose their PHI.
     • Consent is used under other laws and can include written and verbal consent to use or disclose PHI.
     • Permission is used to mean authorization or consent to use or disclose PHI.

  12. Covered Information
     • HIPAA covers virtually all health information in all formats:
       • Paper
       • Electronic
       • Verbal
     • PHI includes the fact that a patient is deceased.
     • PHI includes any information that can be used to identify an individual, such as:

  13. Covered Information
     • Date of Birth (DOB)
     • Social Security Number
     • Driver’s License number
     • Diagnosis
     • Treatment Plan
     • Progress Notes
     • Test results

  14. Patient Rights under HIPAA
     • To receive notice of an agency’s privacy practices.
     • To know that an agency will use their PHI for treatment, payment, operations, permitted uses and any uses required by law.
     • To consent to and control the use and disclosure of their PHI.
     • To have access to their PHI, with certain limitations (such as psychotherapy notes).
     • To request an amendment or addendum to their PHI.
     • To receive a listing of disclosures made for the previous 6 years.
     • To file privacy complaints with an officer of the agency.

  15. 4 Factors of Informed Consent
     • Capacity of the individual to make rational, informed decisions.
     • Information is disclosed in a manner the individual can comprehend.
     • The individual must be making a voluntary decision.
     • Informed consent, or authorization, should be documented.

  16. HIPAA Penalties
     There are 4 tiers of monetary penalty for HIPAA violations:
     • 1) $100-50,000 where the violator did not know or would not have known about the violation.
     • 2) $1,000-50,000 where the violation was due to reasonable cause and not willful neglect.
     • 3) $10,000-50,000 where the violation was due to willful neglect and was corrected within 30 days of discovery (or 30 days of the date the violator should have known about the violation).

  17. HIPAA Penalties
     • 4) $50,000 where the violation was due to willful neglect and was not corrected within 30 days of discovery (or the date the violator should have known about the violation).
     • HHS may not impose a fine of greater than $1.5 million for identical violations by a person or entity within a calendar year.
     • HHS can impose a fine even when you did not know about the violation or the violation was due to reasonable cause, such as a mistake.

  18. HIPAA Penalties
     • Non-monetary penalties may be either civil or criminal and can include imprisonment.
     • Criminal penalties may result in 1 year of incarceration for certain offenses, up to 5 years if offenses are committed under false pretenses, or 10 years if the information is found to be used for commercial advantage, personal gain or malicious harm.

  19. Types of Violations
     There are 2 basic types of HIPAA violation: Negligent and Purposeful.
     Negligent Violations include:
     • Not properly verifying individuals by phone, in person or in writing
     • Improper disposal of PHI
     • Improper protection of client records or PHI
     • Not accounting for disclosures outside of treatment, payment or operations
     • Failure to provide a private environment for discussing PHI
     • Failure to properly safeguard or store PHI
     • Careless handling of user names or passwords

  20. Types of Violations
     • Inadequate information security training procedures.
     • Inadequate internet security practices, such as connecting to external networks without boundary protections or exposure to outside systems.
     Purposeful Violations include:
     • Accessing a person’s PHI without having a legitimate need to do so.
     • Allowing another employee to utilize any systems via your password.
     • Disclosure of PHI to an unauthorized individual.
     • Disclosing PHI without a need to know by the other party.
     • Sale of PHI to any source.
     • Any use or disclosure that could cause harm to the individual.

  21. Types of Violations
     • Failure to secure confidential information.
     • Compromising physical security measures.
     • Misuse of confidential patient information for personal use.
     • Deliberately compromising electronic record security measures.

  22. Notification Requirement
     • HIPAA/HITECH requires that an individual be notified of unauthorized uses and/or disclosures of unsecured PHI.
     • This is similar to state laws related to personally identifiable information (banking and credit card data).
     • If a breach impacts 500 patients or more, then HHS must be notified. This will trigger a posting of the breaching entity’s name on the HHS website.

  23. Exceptions
     • Under certain circumstances HIPAA allows disclosure without patient authorization when the “greater good” outweighs the patient’s right to privacy.
     • When the individual’s identity is ‘de-identified’ or disguised to remove any identifying features (as in statistical reporting).
     • As required by state law to report child abuse and neglect, keeping in mind that reporting laws vary between states.

  24. Exceptions
     • As required to report abuse or suspected abuse of an elder or dependent adult.
     • Duty to Warn in cases of potential danger of physical harm to another person.
     • Under court order.

  25. Practical Application
     How do we apply HIPAA rules to our everyday work practices?
     • Never identify a person you serve to another person unless authorized by them or necessary to coordinate services. (Especially in the checkout line at Meijer)
     • Never seek information about a person you know is served by your agency but not assigned to you.
     • Never share information such as passwords, security codes, ID badges, voice mail access codes or other methods of access to PHI.

  26. Practical Application
     • When in public with a consumer/customer/client, always call them by first name only.
     • Always talk to consumers about their care in a private area, never in a waiting room or hallway.
     • Do not post schedules for appointments or activities with resident/consumer names where they can be seen by anyone other than staff.
     • Always use a fax cover sheet indicating you are sending confidential information, and provide a number where you can be reached if the information is received by an unintended person.

  27. Practical Application
     • Always obtain authorization to disclose information when you are in doubt.
     • Notify a supervisor or compliance officer if you believe you or another person have disclosed information without permission.
     • Document when you disclose information with authorization.
     • Never transport PHI without some type of security, such as an envelope, secure briefcase, or zipped bag.
     • Never leave a work-issued computer in an unlocked car.

  28. Practical Application
     • Never leave papers with PHI out of a folder or file where they can be found by another.
     • Do not leave computers with PHI on display open or where another person may access them, and consider applying a privacy film to the screen to make it more difficult for someone else to view while you need to have a page open.
     • All paper with PHI should be in a locked cabinet in a room with a locked drawer when not in use, not left out overnight.
     • Never discuss customers/residents on social media.

  29. Practical Application
     • All conversations about consumers/customers should take place behind closed doors and out of the hearing range of others, even when identifiable aspects are not part of the discussion.
     • Always, always confirm the identity of the person whose PHI is being disclosed and the identity of the party to whom it is being disclosed.
     • Any paper containing PHI which is to be discarded needs to be shredded, not placed in the trash or recycling in readable form.
     • If a computer, cell phone or paper containing PHI is lost or stolen, notify your supervisor immediately!!

  30. Post-Test
     1. HIPAA stands for: ______________
     2. The acronym for the 2009 Act that modified HIPAA is: ______________
     3. Name the 3 general parts of HIPAA:
        • ______________ Rule
        • ______________ Rule
        • ______________ Rule

  31. Post-Test Continued
     4. PHI stands for: ______________
     5. Name 5 identifying factors for PHI:
        • _________________
        • _________________
        • _________________
        • _________________
        • _________________
     6. There are never any exceptions to requiring authorization to release PHI. ___ true or ___ false

  32. Post-Test Continued
     7. Penalties for HIPAA violations may include both jail/prison time and fines. ___ true or ___ false
     8. A disclosure of PHI is not considered a HIPAA violation if the individual whose information is disclosed never finds out about it. ___ true or ___ false
     9. Protecting the identity and health information of the people we serve is the responsibility of:
        a. The privacy officer only ___
        b. Everyone ___

  33. References/Resources
     • Code of Federal Regulations, Title 42: Public Health
     • Health Insurance Portability and Accountability Act (HIPAA) of 1996.
     • HIPAA Survival Guide @ http://www.hipaasurvivalguide.com/hitech-act-summary.php

  34. References/Resources
     • Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, Fed. Reg. 2013-01073, 45 CFR Parts 160 and 164 (2013) @ www.federalregister.gov, search “HIPAA Modifications”
