Transcript HIPAA

HIPAA
Health Insurance Portability and
Accountability Act
Reviewed July 2016 [Mary Kaough RN, MSN Patricia Shanaberger FNP-C, RN, MSN]
WHAT IS HIPAA?
•Health
•Insurance
•Portability and
•Accountability
•Act
WHAT DOES HIPAA CONSIST OF?
• 1. Standardized Electronic Data Interchange
transactions and codes for all covered entities.
• 2. Standards for security of data systems.
• 3. Privacy protections for individual health
information.
• 4. Standard national identifiers for health care.
WHY WAS HIPAA CREATED?
• In 2000, many patients who were newly diagnosed with
depression received free samples of anti-depressant
medications in the mail.
• This left patients wondering how the pharmaceutical
companies had been notified of their diagnosis.
• After a long and thorough investigation, the physician, the
pharmaceutical company and a well-known pharmacy chain
were all indicted on breach of confidentiality charges.
• This is one of the many reasons the Federal Government
needed to step in and create guidelines to protect patient
privacy.
IMPORTANT HIPAA DEFINITIONS
• Privacy – an individual's interest in keeping personal information
from being seen or shared; the state of being concealed or secret.
• Confidentiality – the obligation to keep private information (Ex. a
Medical Record) from being disclosed to anyone not entitled to it.
• Authorization – to give permission for; to grant power to.
• Breach of Confidentiality – to break an agreement, to violate a
promise.
• Disclosure – means the release, transfer, provision of access to,
or divulging of information outside the entity holding the
information.
• Use – means the sharing, employment, application, utilization,
examination, or analysis of individually identifiable information
within an entity.
IMPORTANT HIPAA TERMINOLOGY;
PROTECTED HEALTH INFORMATION
• Protected Health Information [PHI] – is individually identifiable
health information created or received by a covered entity that:
• Relates to the past, present, or future physical or mental
health of an individual, the care provided to the individual, or
payment for that care; and
• Identifies the individual, or gives a reasonable basis to believe
it can be used to identify the individual.
• Examples of Protected Health Information:
• Name, address, telephone, fax, email, social security
number, medical diagnoses, medical records, account
numbers and photographs or images.
IMPORTANT HIPAA TERMINOLOGY;
COVERED ENTITIES
• Covered Entities [CE] – are the persons and organizations to which
HIPAA applies directly and which are responsible for implementing
its rules and regulations. They are:
• Health Plans
• Health Care Clearinghouses
• Health Care Providers who conduct certain financial
and administrative transactions electronically.
IMPORTANT HIPAA TERMINOLOGY;
TREATMENT, PAYMENT AND HEALTH CARE
OPERATIONS
• Treatment, Payment and Health Care Operations
[TPO] – are common uses of Protected Health
Information [PHI] for which HIPAA does not require
an authorization.
IMPORTANT HIPAA TERMINOLOGY;
NOTICE OF PRIVACY PRACTICES
• Notice of Privacy Practices [NPP] – a written notice given to
patients describing how their Protected Health Information [PHI]
may be used and disclosed, and what rights they have over it.
WHO CARRIES OUT HIPAA RULES AND
REGULATIONS?
• Covered Entities are responsible for implementing
HIPAA rules and regulations.
• These are
• Health Plans
• Health Care Clearinghouses
• Health Care providers
WHAT MUST A COVERED ENTITY DO TO
BE IN COMPLIANCE WITH HIPAA?
• Notify patients about their privacy rights and how their
information can be used.
• Adopt and implement privacy procedures.
• Train employees so they understand the privacy
procedures.
• Designate a Privacy Officer.
• Secure patient records containing Protected Health
Information [PHI].
WHAT ARE A PATIENT’S RIGHTS UNDER
HIPAA?
• Right to written Notice of Privacy Practices [NPP] that
informs consumers how Protected Health Information
[PHI] will be used and to whom it is disclosed
• Right of timely access to see and copy records for a
reasonable fee
• Right to an amendment of records
• Right to restrict access and use
• Right to an accounting of disclosures
• Right to revoke authorization
WHAT ARE THE HIPAA RULES AND
REGULATIONS THAT PROTECT THESE
RIGHTS?
THE JOINT COMMISSION STANDARDS
• The Joint Commission, which accredits hospitals, sets standards
that reinforce the patient's rights HIPAA protects:
• Patients have a right to confidentiality of all information
that is provided to the healthcare professional and
institution.
• Health care professionals ensure that patient information
is secured at all times and, if there are any complaints,
those complaints will be resolved in a timely manner.
WHAT ARE THE HIPAA RULES AND
REGULATIONS THAT PROTECT THESE
RIGHTS?
PRIVACY RULE
• The Privacy Rule:
• Establishes a Federal floor of safeguards to protect the
confidentiality of medical information.
• Allows patients to make informed choices when seeking care and
reimbursement for care based on how personal health information
may be used.
• This rule is used to protect Protected Health Information [PHI]
• This rule took effect on April 14, 2003.
• YOU MAY NOT RETALIATE AGAINST OR INTIMIDATE ANYONE,
PATIENT OR EMPLOYEE, WHO FILES A HIPAA COMPLAINT OR
EXERCISES A RIGHT UNDER HIPAA.
WHAT ARE THE HIPAA RULES AND
REGULATIONS THAT PROTECT THESE
RIGHTS?
REQUEST FOR AMENDMENT
• Request for Amendment is a patient’s right to request, in
writing, to have health information or a record about the
patient amended.
• The Covered Entity does not have to agree to the
amendment, but it must act on the request within 60 days.
If the CE agrees, the record is amended and the amendment
becomes part of the patient's medical record. If the CE
denies the request, it must give the patient a written
denial and allow the patient to file a statement of
disagreement, which is kept with the record.
WHAT ARE THE HIPAA RULES AND
REGULATIONS THAT PROTECT THESE
RIGHTS?
REQUEST FOR RESTRICTIONS
• Request for Restrictions is a patient’s right to request, in
writing, a restriction or limitation on the health
information that a Covered Entity uses or discloses.
• The Covered Entity is not required to agree to the
restriction, with one exception: it must agree when the
patient asks that a disclosure to a health plan be restricted
and the patient has paid for the service out of pocket in full.
WHAT ARE THE HIPAA RULES AND
REGULATIONS THAT PROTECT THESE
RIGHTS?
ACCOUNTING OF DISCLOSURES
• Accounting of Disclosures is the patient’s right to request a list of the people and
organizations that have received their Protected Health Information [PHI], covering
up to the six years before the request.
• Patients must submit a written Request for Accounting of Disclosures.
• A Covered Entity [CE] must respond to the patient’s request for an accounting
within 60 days of receipt of the request [one 30-day extension is allowed if the
patient is told the reason for the delay in writing].
• Disclosures for Treatment, Payment and Health Care Operations, disclosures to the
patient, and disclosures made under the patient's own authorization do not have
to be listed. Examples of disclosures that must be included in the accounting are
disclosures that are:
• Required by law
• For public health activities
• About victims of abuse, neglect, or domestic violence
• For judicial and administrative proceedings
• For research activities
• For law enforcement activities
• For workers compensation
WHAT ARE THE HIPAA RULES AND
REGULATIONS THAT PROTECT THESE
RIGHTS?
AUTHORIZATIONS
• An Authorization is a detailed document that gives covered entities
permission to use Protected Health Information [PHI] for specified
purposes.
• It is required for the use and disclosure of Protected Health
Information [PHI] not otherwise allowed by the Privacy Rule.
• Does not apply to Treatment, Payment and Health Care Operations
[TPO].
• Does not apply to uses and disclosures required by law.
• AN AUTHORIZATION MAY BE REVOKED AT ANY TIME IN
WRITING. Revocation does not undo uses or disclosures the
Covered Entity already made in reliance on the authorization.
WHAT ARE THE REQUIREMENTS OF AN
AUTHORIZATION?
• An Authorization must include:
• The Protected Health Information [PHI] to be used and
disclosed;
• The person authorized to make the use or disclosure;
• The person to whom the Covered Entity may make the
disclosure;
• An expiration date or event;
• The purpose for which the information may be used or
disclosed; and
• The patient's signature and the date it was signed.
WHAT ARE THE HIPAA RULES AND
REGULATIONS THAT PROTECT THESE
RIGHTS?
MINIMUM NECESSARY STANDARD
• HIPAA requires Covered Entities to take reasonable steps to disclose
only the information that is necessary for the purpose for which the
disclosure is to be made [the minimum necessary amount of
information needed to perform the job].
• The Minimum Necessary DOES NOT APPLY TO:
• Treatment
• Disclosures to the individual who is the subject of the Protected
Health Information [PHI]
• Uses or disclosures made pursuant to an individual’s authorization
• Uses or disclosures that are required by law.
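The Minimum Necessary Standard above and the Accounting of Disclosures slide earlier describe two controls that are easy to state and easy to get wrong in a records system: release only the fields a purpose needs, fail closed on purposes nobody has approved, and log every disclosure the patient is entitled to see. The following is an added example, not part of the original training material or any EPCC system; the purpose names, the per-purpose field sets and the sample record are assumptions chosen for illustration, and a real covered entity would take them from its own written policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD: Dict[str, object] = {
    "name": "Jane Sample",
    "address": "1 Example Street",
    "phone": "555-0100",
    "ssn": "000-00-0000",
    "diagnosis": "hypertension",
    "medications": ["lisinopril 10 mg"],
    "account_number": "ACCT-12345",
    "balance_due": 120.00,
}

# Fields each purpose is allowed to see. These sets are assumptions for
# illustration, not a published HIPAA table; a real covered entity takes them
# from its own written minimum-necessary policy.
MINIMUM_NECESSARY: Dict[str, FrozenSet[str]] = {
    "payment": frozenset({"name", "account_number", "balance_due", "diagnosis"}),
    "health_care_operations": frozenset({"diagnosis", "medications"}),
    "public_health": frozenset({"name", "address", "diagnosis"}),
    "law_enforcement": frozenset({"name", "address", "phone"}),
    "workers_compensation": frozenset({"name", "diagnosis", "account_number"}),
}

# Purposes the slide lists as outside the minimum-necessary standard
# (authorizations are handled separately below: they carry their own field list).
MINIMUM_NECESSARY_EXEMPT = frozenset({"treatment", "to_individual", "required_by_law"})

# Disclosures that need not be listed in an accounting of disclosures:
# treatment, payment, health care operations, and disclosures to the patient.
ACCOUNTING_EXEMPT = frozenset(
    {"treatment", "payment", "health_care_operations", "to_individual"}
)

ACCOUNTING_RESPONSE_DAYS = 60  # the covered entity must respond within 60 days


@dataclass(frozen=True)
class Authorization:
    """The elements the slides list as required in a written authorization."""
    phi_fields: FrozenSet[str]  # the PHI that may be disclosed
    authorized_by: str          # person authorized to make the disclosure
    recipient: str              # person/entity that may receive it
    expires: date               # expiration date
    purpose: str                # purpose of the disclosure
    revoked: bool = False       # may be revoked in writing at any time


@dataclass(frozen=True)
class DisclosureEntry:
    disclosed_on: date
    recipient: str
    purpose: str
    fields_released: tuple


def disclose(record: Dict[str, object], purpose: str, recipient: str, today: date,
             log: List[DisclosureEntry], authorization: Optional[Authorization] = None):
    """Release only the fields permitted for this purpose; log accountable disclosures.

    Fails closed: a purpose with no policy entry is refused rather than handed
    the whole record.
    """
    if authorization is not None:
        # Under an authorization the minimum-necessary standard does not apply,
        # but the authorization itself limits what may go out, to whom, and why.
        if authorization.revoked or today > authorization.expires:
            raise PermissionError("authorization revoked or expired")
        if authorization.recipient != recipient or authorization.purpose != purpose:
            raise PermissionError("recipient or purpose does not match the authorization")
        allowed = authorization.phi_fields
        accountable = False  # disclosures under the patient's own authorization are not accounted
    elif purpose in MINIMUM_NECESSARY_EXEMPT:
        allowed = frozenset(record)
        accountable = purpose not in ACCOUNTING_EXEMPT  # e.g. required_by_law is accountable
    elif purpose in MINIMUM_NECESSARY:
        allowed = MINIMUM_NECESSARY[purpose]
        accountable = purpose not in ACCOUNTING_EXEMPT
    else:
        raise ValueError(f"no policy for purpose {purpose!r}; refusing to disclose")

    released = {k: v for k, v in record.items() if k in allowed}
    if accountable:
        log.append(DisclosureEntry(today, recipient, purpose, tuple(sorted(released))))
    return released


def accounting_of_disclosures(log: List[DisclosureEntry], start: date, end: date):
    """The entries a patient is entitled to receive for the requested period."""
    return [e for e in log if start <= e.disclosed_on <= end]


def accounting_due_by(request_received: date) -> date:
    """Latest date a response to a written accounting request may be sent."""
    return request_received + timedelta(days=ACCOUNTING_RESPONSE_DAYS)


if __name__ == "__main__":
    log: List[DisclosureEntry] = []
    today = date(2016, 7, 15)
    print(disclose(SAMPLE_RECORD, "payment", "Example Health Plan", today, log))
    print(disclose(SAMPLE_RECORD, "public_health", "County Health Department", today, log))
    print(accounting_of_disclosures(log, date(2016, 1, 1), today))
```

Two design points carry over to any real system: the policy table is an allow-list keyed by purpose, so a new purpose gets nothing until someone writes it down, and the accounting log is written by the same function that releases the data, so a disclosure cannot happen without its log entry.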
WHAT ARE THE HIPAA RULES AND
REGULATIONS THAT PROTECT THESE
RIGHTS?
RESEARCH ACTIVITIES
• NO ONE is permitted to use Protected Health
Information for research without complying with the
HIPAA requirements.
• These HIPAA requirements are entirely separate from the
existing federal human subject research regulations [the
Common Rule].
• The Privacy Policies and Procedures do not replace or
override other rules or procedures established by the
Institutional Review Board [IRB]; both must be complied
with in order to conduct human research.
HOW DO I PROTECT MY PATIENT’S
PRIVACY?
DO’S AND DON'TS
Don’t:
• Tell anyone what you overhear about a patient.
• Discuss a patient in public areas, such as elevators, hallways or cafeterias.
• Look at information about a patient unless you need it to do your job.
Do:
• Close doors in patient’s rooms when discussing treatments.
• Log off the computer when you are finished.
• Dispose of patient information by shredding or storing it in a locked container for destruction.
• Clear patient information off of your desk when you leave your desk.
HOW DO I PROTECT MY PATIENT’S
PRIVACY?
SAFE COMPUTER AND FAX USE
Safe Computer Use
• Keep your password a secret.
• Do not log in using someone else’s password.
• Log off of the computer when you are finished using it.
• Turn the computer screen away from public view.
• Do not remove equipment, disks, or software without permission.
Safe Fax Use
Sending
• Call the intended recipient before sending the fax.
• Use cover sheets for faxes.
• DO NOT SEND by fax: HIV results, mental abuse records, narcotic prescriptions, alcohol/substance abuse or child abuse records.
Receiving
• Tell the person faxing information to alert you when he/she is about to send the fax.
• Take faxes off the machine immediately.
• Do not let faxed patient information lie around unattended.
HOW DO I PROTECT MY PATIENT’S
PRIVACY?
SAFEGUARDS
• Physical Safeguards
• Computer terminals are not placed in public areas.
• Technical Safeguards
• Every associate must keep his/her password confidential.
• No photographs or recordings of any type are to be taken of
patients in the clinical setting.
• No cameras, tablets, cell phones or any electronic devices
with photography capabilities are permitted in the clinical
environment
• Administrative Safeguards
• Policy and procedure for release of patient information.
HOW WOULD HIPAA APPLY IN THE
WORKPLACE?
CASE STUDY
• Lori, a nurse who works on 5-West, has a lot of access to
PHI. Terri, a nurse who works on 4-North, learns that her
friend and elderly neighbor, Ms. Pate, was admitted to
5-West. Terri is concerned and wants to help, so she asks
Lori to see Ms. Pate’s medical record. Together, they
review and discuss their findings.
• Is this a HIPAA violation? If so, what did the healthcare professionals
do wrong?
HOW WOULD HIPAA APPLY IN THE
WORKPLACE?
CASE STUDY
• In deep conversation, Drs. Andrews and Day enter a
crowded elevator and continue discussing a code yellow.
Their conversation is quite detailed and graphic, but never
mentions the patient’s name. Engaged in their conversation,
they do not notice the onlookers intently listening to their
conversation.
• Is this a HIPAA violation? If so, what did the healthcare professionals
do wrong?
HOW WOULD HIPAA APPLY IN THE
WORKPLACE?
CASE STUDY
• Miguel shares a semi-private room with Victor. Dr. Nixon,
Miguel’s doctor, comes in to talk to Miguel. Dr. Nixon
draws the curtain between the two patients. During this
bedside consult, Victor overhears Dr. Nixon say that Miguel
needs a hernia operation.
• Is this a HIPAA violation? If so, what did they do wrong?
WHO ELSE IS RESPONSIBLE FOR
PROTECTING PATIENT PRIVACY?
BUSINESS ASSOCIATES
• Business Associate
• A person or entity that performs a function or activity
on behalf of a Covered Entity [CE] that requires the
creation, use or disclosure of Protected Health
Information [PHI] but who is not considered part of the
Covered Entities' workforce. They must have a written
contract or agreement that assures they will
appropriately safeguard Protected Health Information
[PHI] they create or receive.
HOW DO I PROTECT MY PATIENT’S
PRIVACY?
BUSINESS ASSOCIATES PT. II
• Examples of Business Associates
• A third party administrator who assists a health plan with claims
processing.
• A CPA firm whose accounting services to a health care provider
involve access to protected health information.
• A health care clearinghouse that translates a claim from a nonstandard format into a standard transaction on behalf of a health
care provider and forwards the processed transaction to a payer.
• An independent medical transcriptionist who provides transcription
services to a physician.
• A pharmacy benefits manager who manages a health plan’s
pharmacist network.
WHAT ARE SOME WAYS HIPAA CAN BE
VIOLATED?
INCIDENTAL DISCLOSURE
• A secondary use or disclosure that cannot
reasonably be prevented, is limited in nature, and
occurs as a by-product of an otherwise permitted
use or disclosure.
• An incidental disclosure is not itself a violation, provided
the Covered Entity applied reasonable safeguards and the
Minimum Necessary Standard to the underlying use or
disclosure; it becomes a violation when those safeguards
were missing.
• Examples of Incidental Disclosure
• A hospital visitor may overhear a provider’s confidential
conversation with another provider or a patient
• A hospital visitor may glimpse a patient’s information on
a sign-in sheet or nursing station whiteboard
WHAT ARE SOME WAYS HIPAA CAN BE
VIOLATED?
BREACH
• A breach is, generally, an impermissible use or disclosure
under the Privacy Rule that compromises the security or
privacy of the protected health information.
• An impermissible use or disclosure is presumed to be a
breach unless the Covered Entity or Business Associate can
show a low probability that the PHI was compromised, based
on a documented risk assessment of what PHI was involved,
who received it, whether it was actually viewed, and how far
the risk has been mitigated.
WHAT IS DONE AFTER PATIENT PRIVACY
HAS BEEN COMPROMISED?
HITECH ACT
• What is the HITECH act?
• The Health Information Technology for Economic and Clinical
Health [HITECH] Act was enacted as part of the American
Recovery and Reinvestment Act of 2009 and adds privacy and
security requirements on top of HIPAA.
• It requires any entity that handles Protected Health
Information [PHI] to report breaches, whether the PHI is in
paper or electronic form, within the timeframe that HITECH
sets.
• HITECH makes the Business Associates of healthcare
organizations, such as claims clearinghouses, billing firms,
health information exchanges and software companies that
handle PHI, directly subject to HIPAA's security and breach
notification requirements.
WHAT ARE THE BREACH NOTIFICATION
REQUIREMENTS?
• In the event of a breach of “Unsecured Protected Health
Information” [PHI that has not been encrypted or destroyed
according to HHS guidance], notification is required to the
affected individuals, to the Secretary of HHS, and, if the
breach involves more than 500 residents of a state or
jurisdiction, to prominent media outlets.
• These breach requirements apply to both Covered
Entities [CE] and their Business Associates.
• If a Covered Entity's Business Associate has a breach, it
must report the breach to the Covered Entity without
unreasonable delay and no later than 60 days after discovering
it; the Covered Entity in turn must notify the affected
individuals within 60 days of discovery.
• The first-class mail requirement states that the healthcare
organization must send a written notice by first-class mail to
any patients who might have been affected by the breach.
[Electronic mail is allowed if the patient agreed to receive
electronic notices.]
WHAT ARE THE CONSEQUENCES OF
NOT COMPLYING WITH HITECH?
• There are serious civil penalties for non-compliance, ranging
from fines of $100 to $50,000 per violation depending on the
level of culpability, with annual caps of $25,000 to $1.5
million for violations of the same provision.
• Criminal penalties of up to 1, 5 or 10 years in prison for
knowingly obtaining or disclosing PHI in violation of HIPAA;
the longer terms apply when the offense is committed under
false pretenses or with intent to sell the information or use
it for commercial advantage, personal gain or malicious harm.
• HITECH also created new methods for enforcement,
allowing state attorneys general to enforce HIPAA
regulations.
WHAT ARE THE CONSEQUENCES OF NOT
COMPLYING WITH HIPAA?
PENALTIES FOR PRIVACY VIOLATIONS
• Civil Penalties under HIPAA:
• Under the original HIPAA schedule, a maximum fine of $100 per
violation and $25,000 per calendar year for violations of the
same provision [raised by HITECH to the tiers above].
• Criminal Penalties under HIPAA:
• Maximum of 10 years in jail and/or a $250,000 fine for the most
serious offenses [those committed with intent to sell PHI or use
it for commercial advantage, personal gain or malicious harm].
• Organization Actions:
• Employee disciplinary actions including suspension or termination
for violations of the organizations policies and procedures.
WHO ENFORCES MEDICAL PRIVACY
REGULATIONS?
• The Office for Civil Rights [OCR] of the Department of Health and
Human Services [HHS] enforces the HIPAA Privacy and Security Rules.
• A patient may complain to the Privacy Officer in a hospital or;
• File a complaint with the Secretary of HHS, which OCR investigates.
ARE THERE OTHER LAWS THAT PROTECT
PATIENT PRIVACY?
STATE LAW VS. HIPAA
• If there is a conflict or inconsistency between an applicable
state law and the HIPAA Privacy Rule, follow the law that
provides the patient:
• Greater privacy rights,
• Greater access to information, or
• Greater privacy protections.
ARE THERE OTHER LAWS THAT PROTECT
PATIENT PRIVACY?
TEXAS MEDICAL PRIVACY ACT [TMPA]
• The Texas Medical Privacy Act [TMPA] is at least as strict as HIPAA
and applies specifically to Texas medical and dental providers; where
it is more protective than HIPAA, it is the law to follow [see State
Law vs. HIPAA above].
• Training is required, as under HIPAA, and the TMPA material is to be
included in it.
• This training is required once every two years for providers.
• The content of this training closely mirrors HIPAA training.
• Since EPCC is considered a hybrid entity [School and Clinic], we are
bound to train our health care personnel, faculty and students
about The Texas Medical Privacy Act [TMPA].
HIPAA REFERENCE CONTACTS
• If you have any questions regarding HIPAA contact:
• Souraya A. Hajjar, EPCC Compliance Officer at (915)831-4143
• Or email her at [email protected]
• Your HIPAA Compliance officer at your campus or facility.
• Your Clinical instructor/coordinator at your campus or facility.
• Or refer to http://www.hhs.gov/hipaa/index.html for more
information regarding HIPAA policies and regulations.