Greater Columbia Behavioral Health HIPAA TRAINING
HIPAA (1996) & HITECH Act (2009)
By the end of this training . . .
. . . you should be able to answer the following questions. (Hint: They will be asked at the end.)
• What is HIPAA and to whom does it apply?
• What is PHI/IIHI?
• When are additional authorizations required?
• Who is responsible for protecting PHI?
• What are the penalties/sanctions for violation?
The Primary Intent…
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 were created to:
• Provide consistent coverage to people changing jobs
• Provide for privacy of health information
• Provide standardized data transfer methods
• Encourage the move to electronic medical records
• Provide stiff penalties for improper disclosures
HIPAA contains Privacy & Security rules to address health care concerns such as:
• Fears that once patients’ records are stored electronically on networks, a couple of clicks could transmit those records worldwide
• Loss of personal control over personal information
• Potential for undesired marketing
HIPAA Privacy & Security Rules
Privacy rule – protects all PHI in any form or media, whether electronic, paper, or oral.
Security rule – specifically protects PHI in electronic format, addressing confidentiality, integrity, and availability using administrative, physical, and technical safeguards.
PHI is . . . IIHI
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  (i) That identifies the individual; or
  (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
(45 CFR 103)
Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity.
Organizations Bound by HIPAA
• Covered Entities
  • Health Plans (GCBH)
  • Clearing Houses
  • Providers
• Business Associates
The law refers to Covered Entities (CE) and the work that they perform as covered functions. Covered functions can be outsourced.
HIPAA Business Associate (BA)
Business Associate Test:
• Are they performing a covered function for us on our behalf?
• Are they a member of our workforce?
• Do they use PHI to do their job?
What is a covered function?
Covered Functions – Those functions of a covered entity the performance of which makes the entity a . . . health plan . . . under the HIPAA Administrative Simplification Rules.
HIPAA requirements are extended to Business Associates. Business Associate Agreements (BAAs) are required of the CE by HIPAA. HITECH applies CE penalties to BAs. It is not good practice to have BAAs when they are not required; BAAs require additional oversight due to HIPAA.
Use and Disclosure of PHI
GCBH, as a health plan, is permitted by HIPAA to Use (internal) and Disclose (external) PHI for the purposes of (TPO):
• Treatment – the provision of health care
• Payment – the provision of benefits & premium payment
• Healthcare Operations – normal business activities (reporting, data collection, eligibility checks, etc.)
HIPAA Authorizations
Written authorization from a patient is required to use or disclose PHI for specific purposes other than TPO, including employment-related inquiries, research, or marketing. An authorization can be revoked at any time in writing. It must include the name of the patient, the purpose of the disclosure, an expiration date or event, a signature and date, and an explanation of how to revoke the authorization. Unlike other health records, psychotherapy notes are not subject to disclosure to the patient.
The Minimum Necessary Rule…
The amount of PHI used or disclosed is restricted to the minimum amount of information necessary. Reasonable efforts must be made not to use, disclose, or request more than is necessary to accomplish a task. Exceptions are:
• Disclosure to a provider for treatment
• Release to an individual of their own PHI (psychotherapy notes are exempt from requests)
• Disclosures required by law
The “minimum necessary” rule does not restrict the information used or disclosed in treatment. The “minimum necessary” rule does apply to payment and health care operations.
Hypothetically Speaking You are notified that a visitor has arrived to see you. You are currently busy; however, the visitor has come by several times before and knows where you are located. Should the visitor be allowed to enter on their own?
Breach
Section 13400(1)(A) of the [HITECH] Act defines “breach” as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
Notification Requirements
• > 500/yr.
  • Notify consumer
  • Notify HHS with list of affected consumers (will be posted on HHS Internet site)
  • Notify major media
• < 500/yr.
  • Notify consumer
  • Notify HHS annually with list of affected consumers (will be posted on HHS Internet site)
• Breaches affecting 500 or more individuals are listed here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Breach Penalties
Civil penalties – four levels, up to $1.5M
Criminal penalties – three levels, up to $250k and up to 10 years imprisonment
Some HIPAA Breach Trivia
• During the first year of reporting breaches that involve 500 or more individuals’ PHI, the results are as follows:
  - 76% of breaches involve loss (15%), theft (56%), or improper disposal (5%)
  - 17% are caused by unauthorized access or disclosure
  - 6% are caused by hacking
• Portable data, laptops, smart phones, and USB keys are the leaders for large breaches of PHI
• Business Associates are a growing problem for breaches
• Smaller breaches usually are the result of misdirected faxes, emails, or hard copy communications.
Responsibility and Accountability
• Privacy Officer and/or Security Officer are accountable
• Everyone is responsible
• Future changes coming as GCBH risk position is evaluated:
  • Emailing PHI
  • Internet access
  • Data encryption
  • Analysis of addressable safeguards (20 required and 22 addressable)
What can I do? . . . The Basics
• Lock your computer when you walk away
• Don’t share your password
• Keep your work area free of PHI when not present
• Double check the number you’re dialing before faxing PHI and pick up your faxes A.S.A.P. Use a cover page with the GCBH confidentiality statement.
• Emails containing PHI may only be emailed to GCBH employees’ work email addresses. If transmitting PHI to a provider, you must use the GCBH website.
• Dispose of sensitive materials in shredders or locked bins
• If sending a CID/P1 ID, nothing else may be sent – no dates, no initials, etc.
What can I do? – The Basics (Continued)
• Don’t tell anyone the building code
• Escort all visitors – offer to help unescorted individuals
• Keep the lobby doors that lead to offices closed during meeting days
• If necessary, close your door when discussion involves PHI
• Don’t access more PHI than you need to do your job
• Do not take removable media offsite that contains PHI
• Don’t allow anyone at home to access your work
• Report any security incidents immediately
• PRISM is only to be used by authorized users
Incidental Disclosures
Examples of incidental disclosures:
• A patient seen in a waiting area
• A conversation between a provider and a patient in a semi-private room heard by the other occupant
Incidental Disclosures are not violations if the covered entity has safeguards in place and they are observed by the staff.
Sanctions Covered Entities and Business Associates are required to develop and impose sanctions appropriate to the nature of the HIPAA violations. The type of sanction applied should vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of PHI. Sanctions can range from a warning to termination.
Review
Now that you’ve endured these slides, you should be able to answer the following questions:
• What is HIPAA and to whom does it apply?
  • Health Insurance Privacy and Accountability Act applies to Covered Entities and Business Associates
• What is PHI/IIHI?
  • Anything that can be used to identify an individual directly or through statistics
• When are additional authorizations required?
  • Any use or disclosure other than TPO
• Who is responsible for protecting PHI?
  • Everyone
• What are the penalties/sanctions for violation?
  • Up to 1.5M criminally, up to 250k and 10 years civilly/up to termination of employment