HIPAA
• WHAT IS HIPAA?
• WHO DOES IT AFFECT?
• WHAT IS THE IMPACT OF HIPAA?
• WHAT IS YOUR ROLE?
• WHAT IS HITECH?
• WHAT IS A HITECH BREACH?
WHAT IS HIPAA
• The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996.
• A federal law that protects patients' health coverage and information.
• Regulations promulgated by the Department of Health and Human Services.
• Guidelines implemented in April 2003.
TITLE I of HIPAA
• Protects and provides the ability to carry health insurance coverage for workers and their families when they change or lose their jobs
• Limits restrictions that a group health plan can place on benefits for pre-existing conditions
• Prohibits health plans from creating eligibility rules or assessing premiums for individuals in the plan based on health status, medical history, genetic information or disability
Title II of HIPAA
• Known as the Administrative Simplification (AS) provisions, Title II established national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers
Title II of HIPAA
• Defines numerous offenses relating to health care and sets civil and criminal penalties for infractions
• The most significant provisions for providers are the Administrative Simplification rules. These rules apply to "covered entities," including health plans, health care clearinghouses (such as billing services and community health information systems), and health care providers that transmit data in any way regulated by HIPAA
What information must you protect?
• Information you create or receive in the course of providing treatment or obtaining payment for services, or while engaged in teaching and research activities, including:
• Information related to the past, present, or future physical and/or mental health or condition of an individual
• Information in ANY medium, whether spoken, written or electronically stored, including videos, photographs and x-rays
• This information is called PROTECTED HEALTH INFORMATION (PHI)
Title II of HIPAA
The Department of Health and Human Services has established five rules within the Administrative Simplification provisions:
• The Privacy Rule
• The Security Rule
• The Unique Identifiers Rule
• The Transactions & Code Sets Rule
• The Enforcement Rule
The Privacy Rule
• Establishes regulations for the use and disclosure of Protected Health Information (PHI)
• PHI is ANY information about health status, provision of health care or payment for health care that can be linked to an individual, whether paper or electronic
Requires covered entities to:
• Notify individuals of the use of their PHI
• Document privacy policies and procedures
• Train all members of their workforce in procedures regarding PHI
Notice of Privacy Practices
This form describes how a facility may use and disclose the patient/resident's PHI and advises the patient of his/her privacy rights.
• Most facilities will attempt to obtain a signature acknowledging receipt of the Notice; if the patient/resident refuses, the reason must be documented
HIPAA Requirements for Authorization:
• Describe the PHI to be released
• Identify who may release the PHI
• Identify who may receive the PHI
• Describe the purpose of the disclosure
• Identify when the Authorization expires
• Be signed by the patient/patient representative
Patient Specific Rights
• The right to request restriction of PHI uses and disclosures
• The right to request confidential forms of communications
• The right to access and receive a copy of one's own PHI
• The right to an accounting of the disclosures of PHI
• The right to request amendments to the medical record
Incidental uses and disclosures of PHI
"Incidental" means a use or disclosure that cannot reasonably be prevented, is limited in nature and occurs as a by-product of an otherwise permitted use or disclosure. Examples: discussions during teaching rounds; calling out a patient's name in the waiting room; sign-in sheets.
* Incidental uses and disclosures are permitted, so long as reasonable safeguards are used to protect PHI and minimum necessary standards are applied.
The Security Rule
• Complements the Privacy Rule but deals specifically with Electronic Protected Health Information (EPHI)
Identifies three types of security safeguards required for compliance:
• Administrative Safeguards – Policies and procedures designed to clearly show how the entity will comply with the act
• Physical Safeguards – Controlling physical access to protect against inappropriate access to protected data
• Technical Safeguards – Controlling access and security to computer systems containing PHI
The Five Rules of Title II
• The Unique Identifiers Rule – Covered entities, particularly third party payers, are assigned a National Provider Identifier (NPI) alphanumeric code for use in all electronic transactions
• The Transactions and Code Sets Rule – Applies a unique code to health care claim and billing information, particularly for retail pharmacy chains
The Enforcement Rule
• Oversight of all HIPAA Rules falls under the Department of Health and Human Services (HHS)
• Within HHS, enforcement of the Privacy Rule is the responsibility of the Office for Civil Rights (OCR)
Protecting Your Patient's PHI
When preparing care plans or other course-required documents, take extra care to:
• Identify the patient/client by initials only
• Use other demographic data only to the extent necessary to identify the patient and his/her needs to the instructor
• Protect the computer screen, PDA, clipboard, or notes from other individuals who do not have a 'need to know'
• Protect your printer output from others who do not have a 'need to know'
In the student role you are not to photocopy or fax patient documents in the process of working with your patient's PHI. As an employee of an agency you must use the agency's security procedures to transmit PHI.
How HIPAA Affects Clinical Practice
• As an instructor or student, no information including, but not limited to, the name, age, social security number, address, phone number, diagnosis, medical history, medications, observations of health or any other unique identifier can be discussed or disclosed outside of the clinical setting
• Students may not discuss a client's PHI in public places including, but not limited to, cafeterias, hallways, clients' rooms, elevators, etc.
• No tape recorders, cell phones, text messages or cameras are permitted while in clinical areas
How HIPAA Affects Clinical Practice
• Instructors and students will follow the policies and procedures of MJCC and will be compliant with these rules (see Faculty and/or Student Handbook)
• Under HIPAA, students may use PHI in written assignments intended for the use of training by classroom or clinical instructors
• Hospitals and other facilities providing health care may put clients' names outside their door for identification, and clients may share rooms
• The obligation and focus is to SAFEGUARD the individual's health information and protect their privacy
HIPAA FINES & PENALTIES
• HIPAA penalties can be Civil and/or Criminal
• Under "General Penalty for Failure to Comply with Requirements and Standards," the Secretary can impose fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year, on any person who violates a provision of this part
• A person who knowingly uses or causes to be used a unique health identifier; obtains individually identifiable health information relating to an individual; or discloses individually identifiable health information to another person shall be fined not more than $50,000, imprisoned not more than 1 year, or both
• If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the person shall be fined not more than $250,000, imprisoned not more than 10 years, or both
HIPAA Do's & Don'ts
• Treat all patient information as if you were the patient. Do not be careless or negligent with PHI in any form, whether spoken, written or electronically stored.
• Shred or properly dispose of all documents containing PHI that are not a part of the official medical record. Do not take the medical record off facility or school property.
• Use automatic locks on laptop computers and log off each time you finish using a computer. Do not share passwords.
• Use secure networks for e-mails with PHI and add a confidentiality disclaimer to the footer of such e-mails.
• Set a protocol to provide for confidential sending and receipt of faxes that contain PHI and other confidential information.
• Discuss PHI in secure environments, or in a low voice so that others do not overhear.
HITECH
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• HITECH is a part of the American Recovery and Reinvestment Act of 2009
• It is a federal law that affects the healthcare industry
• The Act allocated ~$20 billion to health information technology projects, expanded the reach of HIPAA by extending certain obligations to business associates, and imposed a nationwide security breach notification law
HITECH - Breach Notification Provisions
• One of the biggest changes in HITECH is the inclusion of a federal breach notification law for health information
• Many states have data breach laws that require entities to notify individuals
• State laws typically only pertain to personal information (which does not necessarily include medical information)
• The law requires covered entities and business associates to notify individuals, the Secretary of Health and Human Services and, in some cases, the media in the event of a breach of unsecured protected health information
• The law applies to a facility's participating physicians and clinicians, and to employees and departments that provide management, administrative, financial, legal and operational support services to or on behalf of a facility, to the extent that such employees and departments use and disclose individually identifiable health information in order to provide these services to a facility and would constitute a "business associate" of the facility if separately incorporated
• A business associate is a person or entity that performs certain functions or services for or to the facility involving the use and/or disclosure of PHI, but the person or entity is not part of the facility or its workforce (examples include law firms, transcription services and record copying companies)
HITECH - Breach Notification Provisions
• The law applies to breaches of "unsecured protected health information"
• Protected Health Information (PHI):
  • Relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or payment for care provided to an individual
  • Is transmitted or maintained in any form (electronic, paper, or oral representation)
  • Identifies, or can be used to identify, the individual
• Examples of PHI include:
  • Health information with identifiers, such as name, address, name of employer, telephone number, or SSN
  • Medical records, including medical record number, x-rays, lab or test results, prescriptions or charts
• Unsecured:
  • Information must be encrypted or destroyed in order to be considered "secured"
HITECH - What Constitutes a Breach
Definition of "Breach": Was there an impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule? Examples include:
• Laptop containing PHI is stolen
• Receptionist who is not authorized to access PHI looks through patient files in order to learn of a person's treatment
• Nurse gives discharge papers to the wrong individual
• Billing statements containing PHI mailed or faxed to the wrong individual/entity
HITECH - What Constitutes a Breach
Did the impermissible use or disclosure under the HIPAA Privacy Rule compromise the security or privacy of PHI?
• Is there a significant risk of financial, reputational or other harm to the individual whose PHI was used or disclosed?
• If the nature of the PHI does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach.
• Example: if a covered entity improperly discloses PHI that merely included the name of an individual and the fact that he received services from a hospital, this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program), or if the PHI includes information that increases the risk of identity theft (such as a social security number, account number, or mother's maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information.
HITECH - What Constitutes a Breach
Exceptions to a Breach
• Unintentional acquisition, access, use or disclosure by a workforce member ("employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity") acting under the authority of a covered entity or business associate
• Example: a billing employee receives and opens an e-mail containing PHI about a patient which a nurse mistakenly sent to the billing employee. The billing employee notices he is not the intended recipient, alerts the nurse of the e-mail and then deletes it. The billing employee unintentionally accessed PHI to which he was not authorized to have access. However, the billing employee's use of the information was done in good faith and within the scope of authority, and therefore would not constitute a breach and notification would not be required, provided the employee did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.
HITECH - What Constitutes a Breach (exceptions continued)
• Inadvertent disclosures of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates
• Example: A physician who has authority to use or disclose PHI at a hospital by virtue of participating in an organized health care arrangement with the hospital is similarly situated (authorized to access PHI) to a nurse or billing employee at the hospital. (An organized health care arrangement, as defined by the HIPAA rules, is a clinically integrated care setting in which individuals typically receive health care from more than one health care provider; this includes, for example, a covered entity such as a hospital and the health care providers who have staff privileges at the hospital.) A physician is not similarly situated to an employee at the hospital who is not authorized to access PHI.
• If a covered entity or business associate has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information
• Example: EOBs are sent to the wrong individuals. A few of them are returned by the post office unopened as undeliverable. It could be concluded that the recipients at the improper addresses could not reasonably have retained the information. The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches.
HITECH - Breach Notification Obligations
If a breach has occurred, Tulane will be responsible for providing notice to:
• The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery; a breach is considered discovered when the incident becomes known, not when the covered entity or Business Associate concludes the analysis of whether the facts constitute a Breach)
• The Secretary of Health & Human Services (HHS) (timing will depend on the number of individuals affected by the breach)
• The media (only required if 500 or more individuals of any one state are affected)
Disciplinary Actions
• Civil Penalties
• Covered entities and individuals who violate these standards will be subject to civil liability.
MJCC HIPAA Policy
MIAMI-JACOBS CAREER COLLEGE
Program of Practical Nurse Education
HIPAA – Policy
HIPAA regulations will require a number of changes in your work habits and in the accustomed culture of healthcare throughout this country. These HIPAA privacy requirements apply as much outside our institution, in parking lots, restaurants and homes. All students will complete the HIPAA training course before going to the clinical sites in TERM I. Additional HIPAA guidelines may be required of the student by clinical facilities throughout the program.
The HIPAA course will include, but is not limited to:
• Overview and course objectives
• Study of the terminology
• Watch the PowerPoint: HIPAA
• Study the videotape / PowerPoint content review
• Complete the learning activity
• Complete the post test
A copy of the HIPAA course Post Test will be kept in the student's file with signatures of understanding of the HIPAA guidelines for healthcare workers. In addition, no electronic devices are permitted in clinical settings. This includes, but is not limited to, cell phones, tape recorders, or equipment for text messaging. Failure to follow the HIPAA guidelines is a serious event and will result in immediate dismissal from the program.
Date: ________________________
Signature: __________________________
Printed Name: ______________________