hipaa overview health insurance portability and accountability act 1996 n.
Skip this Video
Loading SlideShow in 5 Seconds..
HIPAA Overview (Health Insurance Portability and Accountability Act 1996) PowerPoint Presentation
Download Presentation
HIPAA Overview (Health Insurance Portability and Accountability Act 1996)

HIPAA Overview (Health Insurance Portability and Accountability Act 1996)

127 Vues Download Presentation
Télécharger la présentation

HIPAA Overview (Health Insurance Portability and Accountability Act 1996)

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. HIPAA Overview(Health Insurance Portability and Accountability Act 1996) PCS HIPAA Privacy Rule Training - 11/2/2014

  2. What is HIPAA? Health Insurance Portability & Accountability Act of 1996 • Public Law 104-191 • Sponsored by - Kennedy & Kassebaum Five Titles: • Title 1: Insurability and Portability • Title 2: Administrative Simplification • Title 3: Tax Implications • Title 4: Group Health • Title 5: Revenue

  3. What is the purpose of HIPAA ? • Reduce health care costs/fraud/abuse • Control use/disclosure of “protected health information” (PHI) • Identify provider responsibilities and accountability • Increase consumer’s rights - PHI • Regulate how PHI is transferred/managed by technology, individuals, and agencies • Provide consistent standards • Assure privacy and security of confidential protected healthcare information (PHI)

  4. Administrative Simplification HIPAA Regulations and Deadlines • Privacy Regulations - Identifies what health care information is protected. Deadline April 14, 2003 • Electronic Transaction/Code Sets - Sets uniform standards. Deadline: October 2003 with Extension • Security Regulations - Identifies how information is to be protected. Deadline: April 21, 2005 • Identifier Standards - Employer, Payer, National. Deadline: Employer ID finalized/Others Pending

  5. HIPAA Definitions The nuts and bolts!

  6. Healthcare Operations Includes “general administrative and business functions” necessary for a covered entity to remain a viable business (i.e., audits, quality improvement functions, assessments)

  7. Health Information Any information recorded in any form or medium which: • Is created/received by a Covered Entity that creates, receives,uses, or transmits PHI; • Relates to the past, present, or future physical/mental health condition of an individual, their participation in, or payment for such services, and • Identifies the individual.

  8. Protected Health Information (PHI) All individually identifiable health care data or information collected, maintained, or transferred by a Covered Entity

  9. Name Address Social Security # Birth Date Demographic info. (some) Email address Health Plan # License/Certificate # Vehicle identifiers Bio-metric identifiers Telephone numbers Place of employment Account numbers Protected Health Information (PHI) Examples

  10. Privacy Notice • Written document in plain language • Posted & shared with consumersat intake • Explains how their PHI will be used/disclosed by agency • Identifies consumer’s rights • Lists agency/provider duties to protect PHI, abide by the Privacy Notice • Identifies how changes in notice will be communicated

  11. Designated Record Set • A group of records maintained by or for a covered entity/agency • Includes any records used, in whole or in part, to make decisions, about the consumer’s treatment (medical record, billing, etc.) • PCS Clinical Records Policy

  12. Use Sharing, utilization, examination, & analysis of PHI maintained internally within the agency Disclosure Release, transfer, access to, or sharing in any manner PHI outside the agency maintaining the information Use vs. Disclosure

  13. Minimum Necessary Rule Rule applies to Uses/Disclosures • Covered Entities must make reasonable efforts to limit use, disclosure, & requests for PHI to the “minimum necessary” in order to accomplish the intended purpose except when an authorization is obtained

  14. Minimum Necessary Rule • Amount of information needed to achieve the purpose • Applies to all forms of communication • Use- Requires policies & procedures classifying staff by role/position and the PHI to which they may have access • Disclosure- Requires policies & procedures addressing criteria to limit disclosure & reviewing of requests • Must limit requests to that which is necessary • Does not apply to consumer requests/authorizations, disclosures required by law or healthcare provider for treatment purposes

  15. Access to PHI (Protected Health Information) • Opportunity to approach, inspect, review, and make use of data or information • Actions by a consumer or healthcare provider with appropriate authorization

  16. HIPAA’s Privacy Rule

  17. Privacy Rule • Applies to all protected healthcare information (PHI) • Does not prohibit the exchange of PHI for treatment, payment, or health care operations (TPO) within the agency • Written Acknowledgement required

  18. Privacy Rule Highlights Protects privacy of medical records and covers: • Electronic records & printouts of records • Written records • Oral communications Consumer acknowledgement that PHI may be used for routine purposes (TPO) Privacy Notice - Documents consumer’s rights and the agency’s responsibilities to protect and manage PHI

  19. Consumers’ Rights under HIPAA Consumers may: • Inspect/copy their medical record information • Request to amend information if they believe it to be inaccurate or incomplete • Request must to be in writing • Agency must respond within 15 days (VA law) • If request is denied - consumer may appeal this decision to the CSB or federal government

  20. Consumer’s Rights under HIPAA Consumers may: • Request a Disclosure History • Request confidential communications through alternative addresses/phone numbers • Have access to a designated individual or Office of Civil Rights at Health & Human Services to report violations of their rights • Request restriction on use/disclosure of their PHI

  21. Privacy Regulations • Allow flow of PHI for treatment, payment, & related health care operations (TPO) • Prohibit flow of PHI unless voluntarily authorized by the consumer • Allow consumer to know who is accessing their PHI outside of TPO use • Allow consumers to obtain access to their records & request amendment of records if the consumer feels they are inaccurate or incomplete

  22. Provider Responsibilities • Provide formal complaint handling system • Allow use of de-identified data • Follow “minimum necessary” requirements • Establish Business Associate Agreements • Duty to mitigate damage if violations occur • Establish sanctions for HIPAA violations

  23. Privacy Penalties Wrongful DisclosureOffense: $50,000 fine, imprisonment of not more than one year, or both. Offense Under False Pretenses: $100,000, imprisonment, or not more than 5 years, or both. Offense with Intent to Sell Information: $250,000 fine, imprisonment of not more than 10 years, or both.

  24. Uses/Disclosures not requiring Authorization • To the consumer or legally authorized representative of the consumer • To health oversight agencies • To the Department of Health & Human Services for investigation and enforcement purposes • By court order (as outlined in CFR 42 - strictest)

  25. Uses/Disclosures not requiring Authorization • To U.S. Public Health Authorities - to prevent or control disease, injury, or disability • In following disclosure procedures for deceased consumers as outlined in VA law • To consumers exposed to communicable disease or at risk of contracting or spreading disease - under law & public health intervention/investigation

  26. Uses/Disclosures not requiring Authorization • For reports of suspected child abuse or neglect to the appropriate authority • For reports about an adult victim of abuse, neglect, or domestic violence State’s mandatory reporting laws • Inform the individual of the report • Seek the individual’s agreement when possible • Can report without the individual’s agreement

  27. Uses/Disclosures not requiring Authorization Healthcare Oversight Activities Authorized by Law: • Audits • Investigations (as permitted by CFR 42) • Inspections (i.e., Health Inspection of facilities) • Civil/criminal/administrative proceeding/action by a properly executed court order (CFR 42) • Other appropriate oversight actions: • Government regulatory programs • Government benefit programs - for eligibility

  28. Privacy Preemption HIPAA Will preempt other federal or state laws relating to PHI (Except for those more stringent than HIPAA)

  29. HIPAA is not added red tape but... Applying BEST PRACTICES to protect Mr. Hipp’s confidential healthcare information in a world where inappropriate sharing of PHI could result in: • Identity theft • Loss of privacy and control over healthcare information • Possible discrimination practices • Consumer Rights violations

  30. How does the Privacy Rule affect Piedmont CSB?

  31. New HIPAA Forms & Policies • Privacy Notice • Right to Access Policy • Request For Amendment Policy • Minimum Necessary Policy & Procedure • Tele-facsimile Policy • Email Policy • Business Associates Agreement • Authorization to Release Information

  32. Privacy Notice • Replaces the “Your Rights” Form • Describes use and disclosure of health information. • Special circumstances for disclosure. • Other uses and disclosure only with authorizations. • Describes revisions to policy. • Lists, Privacy Officer, Regional Advocate and Office of Health & Human Services contact numbers. • MUST BE POSTED AT ALL SERVICE SITES

  33. Right to Access PHI • All individuals and/or legally appointed representatives have a right to inspect and/or obtain a copy of their medical record. • Exceptions • Use in civil, criminal proceeding • Inmate of correctional facility and if could jeopardize health & safety • Involved in research that includes treatment he/she agreed not to have access to the information. • The individuals psychiatrist or psychologist has determined that the information could be injurious to the individuals mental or physical well-being. • Procedures outlined in policy

  34. Request to Amend Medical Record • All consumer have a right to request an amendment to his/her medical record. • Must be requested in writing to the primary clinician. • PCS has 60 days to respond to the request. Can request an extension of 30 days.

  35. Denial of Request to Amend • a. May deny the request if the information was not created by the agency; • b. May deny the request if the individual who created the information that the individual served wants amended is no longer an employee of the agency; • c. May deny the request if the information in the record is currently accurate and complete.

  36. Amendment Approved • a. The agency shall make the amendment. The minimum amendment accepted is identifying the information to be amended then providing a link to the amended information. • b. Inform the individual served that the amendment(s) is accepted. • c. Obtain from the individual served the names and addresses of individuals who need to have the amended information. • d. Attempt to reach those individuals who need to have the amended information. • e. Attempt to contact other persons or business associates regarding the amended information if the information was detrimental to the client.

  37. Minimum Necessary Policy • Privacy Rule requires that covered entities take reasonable steps to limit the use and disclosure of PHI. • Only the information necessary to meet the request is to be released. • The medical record in it’s entirety will not routinely be released. • All release of information must be approved by the lead clinician.

  38. Fax Policy • All personnel must strictly observe fax policies. • May be faxed under certain circumstances • May not be faxed under certain circumstances • Protocol for faxing PHI. • Security of PHI when faxing.

  39. Email Policy • The e-mail system and all messages generated or handled by PCS’s equipment is considered part of business operations. • PCS reserves the right to monitor, audit, delete email messages. • It is not the policy of PCS to routinely monitor the contents of email. Only when a situation warrants such an action. • All emails containing PHI MUST BEencrypted before sending. • Email encryption procedures will be forthcoming. Until then, no PHI should be sent via email.

  40. Business Associates Agreement • Business Associates - An entity that does things on our behalf and with whom we share/give access to PHI • Business Associate Agreement - Establishes permitted uses, disclosures, and safeguards for PHI Examples: CSB Attorney, CARF, social services, auditors…

  41. Authorization to Release Info • Changes made to the disclaimer statement. • Authorizations must be on file before any information can be released. • All releases of information must be recorded and made available to consumers upon request.

  42. Frequently Asked Questions • Documentation on PCS Intranet. • Other questions, contact Kippy Cassell • HIPAA is basically instituting best practices to protect the consumers privacy and confidentially.