HIPAA
Health Insurance Portability and Accountability Act
Presented by the UMMC Office of Integrity and Compliance
HIPAA
As stated in the “Compliance” module presentation, the Office of Integrity and Compliance is responsible for enforcing and overseeing the HIPAA privacy regulations for UMMC. While HIPAA privacy enforcement is just one of the many responsibilities of our office, the HIPAA privacy regulations are important to each workforce member at UMMC and thus warrant a separate training module. Whether you are an office worker, a member of our housekeeping staff, physical facilities, a student, or a clinician, it is YOUR responsibility to ensure patient privacy is protected.
Rules and Regulations to Ensure Privacy
• The Health Insurance Portability and Accountability Act (HIPAA) set federally recognized standards to ensure both the privacy and the security of patient health information.
• Both standards are overseen by the Office for Civil Rights.
• Within UMMC, the standards are enforced by:
  • Office of Integrity and Compliance, Privacy Officer
  • Information Systems, Security Officer
Policies and Procedures
• UMMC has created policies and procedures to facilitate compliance with all standards.
• These are to be followed by employees who come into contact with patient health information.
• The policies can be found on the UMMC Intranet or by clicking the following link: http://www.umc.edu/compliance/
HIPAA Privacy Standards
The Privacy Standards provide for the following:
• Boundaries for the uses and disclosures of protected health information;
• The implementation of administrative, technical and physical safeguards to help ensure health information remains confidential;
• More control of an individual's health information by the individual; and
• Civil and criminal penalties for violators of the standards.
What information is protected by the regulations?
The HIPAA Privacy Standards protect “individually identifiable health information”, which is collectively referred to as protected health information (PHI). Basically, PHI is clinical information, such as an individual’s diagnosis, in combination with some type of information that allows you to identify that individual. For instance, a diagnosis on a progress note that contains the patient’s name in the right-hand corner would be considered PHI. PHI can be transmitted or maintained in any form or medium; this includes PHI that is communicated orally, stored or transmitted on paper, and stored or transmitted electronically.
Examples of PHI
Some examples of confidential and protected health information:
• Documentation created by physicians, nurses, and other health care providers and assembled in medical records;
• Conversations about an individual's care or treatment between health care providers;
• Information about patients in UMMC’s computer system; and
• Billing information about an individual’s health care.
Information that can be used to identify a patient can include:
• Patient’s name;
• Address or zip code;
• Month and date of service or other relevant date;
• Date of birth;
• Telephone and/or fax number;
• E-mail address;
• Social Security Number;
• Medical record or patient account numbers;
• Vehicle identifiers or serial numbers;
• Health plan beneficiary number;
• Device identifiers or serial numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images or other images;
• Web Locators (URLs) or Internet Protocol (IP) addresses;
• Any other unique identifying number, characteristic, or code.
Which Disclosures are Allowed Without Authorization?
Except for psychotherapy notes, the privacy standards allow UMMC to disclose information without an authorization for the following purposes:
• To comply with the law, such as reporting communicable diseases to the Mississippi State Department of Health;
• For the treatment of the individual;
• To obtain payment for services rendered by UMMC; and/or
• To carry out the healthcare operations of UMMC.
Disclosures Allowed by Law
There are many disclosures that UMMC makes because they are required by law, and therefore no authorization is required. Some of these include, but are not limited to:
• Disclosures about victims of child abuse
• Disclosures for judicial proceedings, such as responding to a subpoena
• Disclosures for law enforcement purposes
What is Considered Treatment Under HIPAA?
• Treatment includes the management of healthcare and related services by one or more healthcare providers, including the coordination with a third party, such as a skilled nursing facility; consultations with other providers; or the referral of a patient from one provider to another.
The following are examples of treatment activities:
• Healthcare staff orally coordinating services at the hospital nursing station.
• The teaching physician or dental instructor discussing a patient’s condition during training rounds.
Examples of Treatment (Continued)
• A healthcare provider discussing lab test results with a patient or other provider in a joint treatment area.
• A dentist referring a patient to an orthodontist.
• Nurses or other health care providers discussing a patient’s condition over the phone with the patient, a provider, or a family member.
Payment
The billing department uses confidential information to bill patients or their insurance companies for the services they receive.
What are Healthcare Operations?
• Healthcare operations are activities that UMMC performs on a day-to-day basis in order to stay in business.
Examples of healthcare operations include:
• Utilization review activities;
• Compliance activities;
• Internal auditing activities;
• Teaching of students; and/or
• Performance improvement activities.
Disclosures/Releases with Authorizations
Disclosures other than those previously listed can be made by UMMC only if the patient signs an authorization. Authorizations, which are sometimes referred to as consents to release, must contain the necessary core elements and statements before the information can be released. Fulfilling an authorization that does not contain the required core elements and statements is a violation of this federal regulation. Only authorized employees can disclose patient information.
Several Important Concepts: Concept #1
Need to Know: Only access patient information if you have been assigned some form of responsibility for the patient’s care. Share information about patients only with other individuals who have a “need to know”. Part of protecting our patients’ privacy is to ensure that employees access only that information which they “need to know” in order to perform their job duties. If an employee does not have a valid reason to know a patient’s information, they should refrain from accessing it.
Several Important Concepts: Concept #2
Minimum Necessary: It is UMMC policy that each employee use and disclose only that information which is minimally necessary to fulfill a purpose or duty. Only access or view the minimum amount of patient health information necessary to complete your job duties.
Several Important Concepts: Concept #3
Patients’ Rights: Under HIPAA, patients have several rights related to their PHI. Below is a comprehensive list of those rights. The next slide shows how you should respond to a patient if they have questions pertaining to those rights.
• Right to access and obtain a copy of their medical record;
• Right to request an amendment to their health information;
• Right to receive an accounting of disclosures;
• Right to request that restrictions be placed on the use of his/her PHI, even for the purposes of treatment, payment and healthcare operations;
• Right to file a complaint;
• Right to agree or object to being included in the hospital directory;
• Right to request confidential communications; and
• Right to a Notice of Privacy Practices.
[Table: Patient Right / How to handle request]
Criminal Penalties
• Previously, employees who inappropriately accessed, used, or disclosed a patient’s health information were not subject to criminal penalties. UMMC would “take the blame” and the responsible employee would only receive the sanctions listed within the institution’s sanction policy.
• Now, if you inappropriately access, use, or disclose a patient’s health information, you can be charged with criminal penalties.
Did You Know…
• The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a final rule, also known as the Omnibus Rule, on January 17, 2013 to enhance privacy and security of health information under HIPAA and the HITECH Act.
Revisions to HIPAA and HITECH Act
• The changes and additions to the privacy laws include:
  • Business Associate Accountability
  • Authorizations
  • Uses/Disclosures of PHI for Marketing and Fundraising
  • Protection of Decedent PHI
  • Breach Notifications
  • Additional Patient Rights
  • Restrictions on Uses/Disclosures of PHI
  • Enforcement and Security
  • Privacy with Genetic Information
Business Associate Accountability
• Business Associates are defined by services such as creating, receiving, maintaining, or transmitting PHI for a Covered Entity.
• They include Patient Safety Organizations (PSOs), health information organizations (HIOs), and subcontractors.
• They are accountable for the following:
  • Uses/disclosures of PHI which do not follow their agreement or the Privacy Rule;
  • Failure to provide notification of a breach;
  • Failure to provide an accounting of disclosures;
  • Failure to report PHI to the Secretary;
  • Failure to comply with the Security Rule.
• They are held to the Minimum Necessary Standard.
Authorizations
• Uses/disclosures for marketing and the sale of PHI require an Authorization.
• Authorizations for research can combine conditioned and unconditioned Authorizations as long as the research elements are identified separately.
• Written Authorization is not required for disclosure of proof of immunization to schools.
• Authorizations for research can include authorization for future research as long as it is stated clearly.
Uses/Disclosures of PHI for Marketing and Fundraising
• Marketing
  • Limits are placed on communications considered to be health care operations if a Covered Entity receives financial remuneration (payment) from a third party in exchange for making the communication.
  • If financial remuneration is received, the Covered Entity must obtain an Authorization for release of information.
  • Exceptions: prescription refill reminders, face-to-face communication, and promotional gifts of minimal value.
• Fundraising
  • A Covered Entity must provide a recipient of fundraising communication the opportunity, without unnecessary burden, to opt out of receiving communications, and must ensure future communication is discontinued if the recipient chooses to opt out.
Protection of Decedent PHI
• Identifiable information of a person who has been deceased for more than 50 years is no longer PHI.
• Disclosures of decedent information to family members are allowed, unless doing so is inconsistent with known preferences expressed by the individual.
Breach Notifications
• PHI inappropriately released without authorization is presumed to be a breach unless the Covered Entity can demonstrate, through a risk assessment, that there is a low probability the PHI was compromised.
• Risk assessments identify the type of PHI involved, the persons involved, whether the PHI was actually acquired or viewed, and the degree to which the risk to the PHI has been mitigated.
• All breaches involving fewer than 500 individuals must be reported no later than 60 days after the end of the calendar year in which the breach was detected.
• Limited data sets with dates or zip codes are no longer exempted from breach notification.
Additional Patient Rights
• The right to request and receive, at a reasonable cost, their health information in electronic format if the information is maintained as an Electronic Health Record (EHR).
• The right to apply restrictions on disclosures made to Covered Entities for any item or service for which the patient has paid the full cost out of pocket.
• The right to receive a full accounting of disclosures made by the Covered Entity or Business Associate involving treatment, payment, or health care operations during the previous three years.
Restrictions on Uses/Disclosures
• When restrictions on uses/disclosures of PHI to a health plan are enacted, the Covered Entity must use some type of notification in the medical record to identify the restrictions placed.
• Patients are responsible for notifying other entities of requested restrictions on uses/disclosures of PHI to a health plan.
Enforcement and Security
• HIPAA rules continue to preempt state law, unless the state law is more stringent.
• OCR will investigate and penalize violations due to willful neglect.
• Willful neglect is defined as a conscious failure.
• Willful neglect is included in the civil money penalties.
• Organizations must evaluate and revise security measures to ensure protection of electronic PHI.
Privacy with Genetic Information
• The HIPAA Privacy Rule identifies genetic information as PHI, which is in alignment with the Genetic Information Nondiscrimination Act (GINA).
• Most health plans cannot use or disclose genetic information for underwriting purposes.
Brief Pointers
• Family and Friends: you should not access the health information of family or friends if you do not have a need to know.
• VIPs: do not access the health information of individuals who are of public interest unless you have a need to know.
• Passwords: do not share passwords. We audit, and you will be held responsible. This includes portable devices.
• Disposing of Patient Information: printed patient information must be disposed of properly. NEVER throw it away in the regular garbage without at least shredding it by hand.
• Ongoing Monitoring: we perform ongoing monitoring of access to patient health information, including employee-to-employee access.
• IF WE FIND YOU ARE NOT CONNECTED TO THE PATIENT’S CARE OR DO NOT HAVE THE APPROPRIATE “NEED TO KNOW” TO COMPLETE YOUR JOB DUTIES, YOU WILL BE HELD ACCOUNTABLE.
More Information
• IF YOU HAVE QUESTIONS:
  • See Policies and Procedures online on the UMMC Intranet
  • Contact the Office of Integrity and Compliance
• IF YOU NEED TO REPORT A VIOLATION:
  • Report directly to your superior
  • Compliance Hotline
  • Compliance Report Form
  • Contact the Office of Integrity and Compliance
Question 1
What does HIPAA stand for?
a. Healthcare Information Policy and Assessment
b. Health Insurance Portability and Accountability Act
c. Health Information Privacy Act and Association
Question 2
Lucy’s friend was admitted into the ICU for care. Because Lucy is a UMMC employee, she does not have to follow the visitation policy and can use her badge to go into the ICU to visit her friend at any time.
TRUE or FALSE?
Question 3
UMMC has created policies and procedures to help facilitate institutional compliance with the HIPAA privacy regulations.
TRUE or FALSE?
The End of HIPAA Training