HIPAA Privacy Training
Two (2) parts of HIPAA covered inthis presentation: HIPAA Privacy – Protection for the privacyof Protected Health Information (PHI)effective April 14, 2003 (includingStandardization of electronic datainterchange in health care transactions,effective October 2003) HIPAA Security – Protection for thesecurity of electronic Protected HealthInformation (e-PHI) effective April 20, 2005
What is the difference betweenPrivacy and Security? The Privacy Rule sets the standards forhow covered entities and businessassociates are to maintain the privacy ofProtected Health Information (PHI)The Security Rule defines the standardswhich require covered entities to implementbasic safeguards to protect electronicProtected Health Information (e-PHI)
The HIPAA Training Program will help you tounderstand: What is HIPAA?Who has to follow the HIPAA law?When is the HIPAA implementationdate?How does HIPAA affect you and yourjob?Why is HIPAA important?Where can you get answers to yourquestions about HIPAA?
What is HIPAA? HIPAA is theHealth InsurancePortability andAccountability Actof 1996.HIPAA is a FederalLaw. HIPAA is aresponse, byCongress, tohealthcare reform.HIPAA affects thehealth careindustry.HIPAA ismandatory.
HIPAA Protects the privacy and security of apatient’s health information.Provides for electronic and physicalsecurity of a patient’s healthinformation.Prevents health care fraud and abuse.Simplifies billing and other transactions,reducing health care administrativecosts.
Who must follow the HIPAALaw?Covered Entities must followthe HIPAA Law.
Examples of Covered Entities ProvidersHealth PlansClearinghouses for Electronic BillingBusiness Associates (throughcontracts)
Covered Entity? The key is whetherany of the CoveredTransactions areperformedelectronically
Covered Entity AlwaysOnce you are part of a covered entity,you are a covered entity with respect toall Protected Health Information (PHI),whether it is transmitted electronically, inpaper format, or transmitted orally.
Covered Transactions Consist of Enrollment and dis-enrollmentPremium paymentsEligibilityReferral certification and authorizationHealth claimsHealth care payment and remittanceadvice
What Patient Information Must WeProtect? Protected Health Information (PHI)ØRelates to past, present, or futurephysical or mental condition of anindividual; provisions of healthcare to anindividual; or for payment of careprovided to an individual.ØIs transmitted or maintained in any form(electronic, paper, or oralrepresentation).ØIdentifies, or can be used to identify theindividual.
Examples of PHIPHI Health Information with Identifiers NameAddress (including street, city, parish, zipcode and equivalent geocodes)Name of employerAny date (birth, admit date, discharge date)Telephone and Fax numbersElectronic (email) addressesSocial Security NumberMedical Records
A Covered Entity may not use or disclose anindividual’s protected healthinformation, except asotherwise permitted, orrequired, by law.
But A Covered Entity MAY Use and Share aPatient’s PHI forØTreatment of the patient, includingappointment remindersØPayment of health care bills
And for Business and managementoperationsDisclosures required by lawPublic Health and other governmentalreporting
“Treatment” Includes Direct patient careCoordination ofcareConsultationsReferrals to otherhealth careproviders
“Payment” Includes any activities requiredto bill and collect for health care servicesprovided to patients.“Health Care Operations” Includes businessmanagement and administrative activities,quality improvement, compliance,competency, and training.
A Covered Entity Must use or share only the minimumamount of PHI necessary, except forrequests madeØ for treatment of the patientØ by the patient, or as requested by the patient toothersØ by the Secretary of the Department of Health &Human Services (DHHS)Ø as required by lawØ to complete standardized electronictransactions, as required by HIPAA
For many other uses anddisclosures of PHI A Covered Entity must get asigned authorization from thepatient (for example, to disclosePHI to a pharmaceuticalcompany).
The Authorization MUST Describe the PHI to be used or releasedIdentify who may use or release the PHIIdentify who may receive the PHIDescribe the purposes of the use ordisclosureIdentify when the authorization expiresBe signed by the patient or someonemaking health care decisions (personalrepresentative) for the patient (as perPolicy GC-022)
HIPAA RequiresA Covered Entity to: Give each patient a Notice of PrivacyPractices that describes:Ø how the facility can use and share his or herProtected Health Information (PHI)Ø a patient’s privacy rightsand Request every patient to sign a writtenacknowledgement that he/she has receivedthe Notice of Privacy Practices.
Patient Rights The right to request restriction of PHIuses & disclosuresThe right to request alternative forms ofcommunications (mail to P.O. Box, notstreet address; no message on answeringmachine, etc.)The right to access and copy patient’sPHIThe right to an accounting of thedisclosures of PHIThe right to request amendments toinformation
How does HIPAA affect MY job?
Well, if You currently see, use, or share a person’sPHI as a part of your job, HIPAA maychange the way you do your jobYou currently work directly with patients,HIPAA may change the way you do yourjobAs part of your job, you mustprotect the privacy of the patient’sPHI
When can you use PHI?Only to do your job!
At all times Protect a patient’s information as if it wereyour own! Look at a patient’s PHI only if you need it toperform your job.Use a patient’s PHI only if you need it toperform your job.Give a patient’s PHI to others only when it’snecessary for them to perform their jobs.Talk to others about a patient’s PHI only if itis necessary to perform your job, and do itdiscreetly.
For Example 1.You are a physician whose friend’s wife is ina coma in the hospital after an accident. Heasks you to review the admitting physician’sorders and see if you concur. What can youlegally do under HIPAA?A. You can look at her chart so you can answeryour friend’s questions about his wife’scondition.B. You can ask the charge nurse on the floor tolook into her records for you.C. You can tell your friend that you can only look athis wife’s medical records if her physician, thepatient, or in this case, the patient’srepresentative, allows you to do so. Suggest thatyour friend ask to discuss her treatment andprogress with the attending physician.
Answer:C. Under HIPAA, you are only allowed to use informationrequired to do your job. Since you are neither theattending physician nor part of the patient’s care team, it isagainst the law to access the patient record or asksomeone to access it on your behalf—even though youmay know the person and just want to be helpful.Remember that, if you were in a similar situation, youmight not want your colleagues going through your ownmedical records, or those of your spouse or close friend.
Public Viewing / Hearing of PHI Refrain from discussing PHI in public areas,such as elevators and reception areas,unless doing so is necessary to providetreatment to one or more patients.Medical and support staff should take care ofsharing PHI with family members, relatives,or personal representatives of patients.Information cannot be disclosed unless thepatient has had an opportunity to agree withor object to the disclosure.Personal representatives are thoseindividuals who, under Louisiana law, areable to make healthcare decisions on behalfof the patient.
For ExampleDr. Fortissimo was eating breakfast in the MedSchool Cafeteria one Monday morning, and talkingon his cell phone to another doctor. During theconversation, he referred to the patient by name,and described her diagnosis. The cafeteria workerat the next table heard the call. What could havebeen done differently to protect the patient’sprivacy?A.B.C.The patient’s privacy was protected; nothing was donewrong, since no PHI was mentioned.It is important to be aware of your surroundings when youdiscuss patient information (PHI). The patient’s caseshould have been discussed in a more private location, or,at least, in a low voice that could not be overheard.Other customers should not be allowed to eat in thatsection of the cafeteria so as to avoid such situations.
Answer:B.Although HIPAA allows incidentaluses and disclosures, this type ofdisclosure is not allowed. PHIincludes oral communications. Thepatient’s case should only havebeen discussed in a location thatprovided for the privacy of theinformation discussed.
Use and Disclosures of PHI for Research The I.R.B. (Institutional Review Board) may notauthorize the use or disclosure of PHI for researchpurposes except:Ø For reviews preparatory to research;Ø For research on the protected health informationof a decedent;Ø If the information is completely “de-identified”;Ø If the information is partially de-identified into a“limited data set” and the recipient of theinformation signs a data use agreement to protectthe privacy of such information;
Why is protecting privacy andsecurity important? We all want our privacy protectedwhen we are patients – it’s the rightthing to do.ØDon’t be careless or negligent with PHIin any form. HIPAA and federal and state lawrequire us to protect a patient’sprivacy.
Penalties are 100 per violation 25,000 for an identical violation within oneyear 50,000 for wrongful disclosure 100,000 and/or 5 years in prison forwrongful violation for obtaining PHI underfalse pretenses 250,000 and/or 10 years in prison ifcommitted with intent to sell or transfer forcommercial advantage, personal gain, ormalicious harm, includes obtaining ordisclosing.
Protecting Patient Privacy RequiresUs to Secure Patient Information
Downloading/Copying/Removing Employees should not download, copy, orremove from the clinical areas any PHI,except as necessary to perform their jobs.*At SUNY New Paltz students are notallowed to remove any PHI from the clinicalarea.
Faxing Faxing is permitted. Always include, with the faxedinformation, a cover sheet containing a ConfidentialityStatement:Ø The documents accompanying the transmission containconfidential privileged information. The recipient of thisinformation is prohibited from disclosing the contents of theinformation to another party.Ø If you are neither the intended recipient, or the employee oragent responsible for delivery to the intended recipient, youare hereby notified that disclosure of contents in any manneris strictly prohibited. Please notify [name of sender] at[facility name] by calling [phone #] immediately if youreceived this information in error.
Information that should not be faxed(except in an emergency): Drug dependencyAlcohol dependencyMental illness or psychologicalinformationSexually-transmitted disease (STD)informationHIV status
Locating a Fax Machine Location should be secure wheneverpossible,In an area that is not accessible to thepublic, andWhenever possible, in an area thatrequires security keys or badges forentry.
So, what IS “e-PHI”? e-PHI (electronic Protected Health Information) iscomputer-based patient health information that isused, created, stored, received ortransmitted using any type of electronicinformation resource. Information in an electronic medical record,patient billing information transmitted to a payer,digital images and print outs, information when itis being sent to another provider, a payer or aresearcher.
How do we protect e-PHI? Ensure the confidentiality, integrity, andavailability of information through safeguards(Information Security)Ensure that the information will not be disclosed tounauthorized individuals or processes(Confidentiality)Ensure that the condition of information has notbeen altered or destroyed in an unauthorizedmanner, and data is accurately transferred fromone system to another (Integrity)Ensure that information is accessible and usableupon demand by an authorized person(Availability)
Public Viewing/Hearing PHI should not be left inconference rooms, out on desks,or on counters where theinformation may be accessible tothe public, or to other employeesor individuals who do not have aneed to know the protectedhealth information.
Treat a Patient’s Informationas if it were your own Covered Entity Needs Your Helpin Protecting Our Patients’Privacy.
What is HIPAA? HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA is a Federal Law. HIPAA is a response, by Congress, to healthcare reform. HIPAA affects the health care industry. HIPAA is mandatory.
Overview of HIPAA How Does HIPAA Impact EMS? HIPAA regulations affect how EMS person-nel use and transfer patient information HIPAA requires EMS agencies to appoint a “Compliance Officer” and create HIPAA policy for the organization to follow HIPAA mandates training for EMS personnel and administrative support staffFile Size: 229KB
Tel: 515-865-4591 email: Bob@training-hipaa.net HIPAA Compliance Template Suites Covered Entity HIPAA Compliance Tool (Less than 50 employees) . HIPAA SECURITY CONTINGENCY PLAN TEMPLATE SUITE Documents in HIPAA Contingency Plan Template Suite: . Business Impact Analysis Policy includes following sub document (12 pages) Business .
Tel: 515-865-4591 email: Bob@training-hipaa.net HIPAA Compliance Template Suites Covered Entity HIPAA Compliance Tool (Less than 50 employees) . HIPAA SECURITY CONTINGENCY PLAN TEMPLATE SUITE Documents in HIPAA Contingency Plan Template Suite: . Business Impact Analysis Policy includes following sub document (12 pages) Business Impact .
Chapter 1 - HIPAA Basics A-1: Discussing HIPAA fundamentals 1 Who's impacted by HIPAA? HIPAA impacts health plans, health care clearinghouses, and health care providers that send or receive, directly or indirectly, HIPAA-covered transactions. These entities have to meet the requirements of HIPAA.
Basics of HIPAA and HITECH 4 What exactly is HIPAA? 4 Covered entities v. business associates 5 The HIPAA Omnibus Rule 6 7 H C E T I H HIPAA Compliance Simpliﬁed 8 Five security-thought-leader tips for HIPAA Compliance 8 Three speciﬁc HIPAA tips you need to know post-omnibus 11 Checklist: How to Make Sure You're Compliant 13
an annual employee training or as a conclusive education on HIPAA laws. Each HIPAA entity should personalize their own employee training and should undergo thorough HIPAA training in accordance with their HIPAA compliance plan. Additional information reg
STUDENT TRAINING / FACULTY RESEARCH HIPAA ORIENTATION Additional Training REQUIRED HIPAA regulated entities must provide individuals working or training within them with HIPAA training that is specific to the entity's HIPAA policies and procedures. This presentation is intended to provide a context for that mandated training; it is
quality results of AGMA Class 10 with a double cut cycle and AGMA Class 9 with a single cut cycle can be expect-ed. The 100H weighs 7,100 lbs with a cube size of 78” X 64” X 72” high. For more information, contact Bourn & Koch at (815) 965-4013, Boeing F/A-18E/F Super Hornet Completes First AESA Flight In a press release dated August 13, 2003, it was announced that the Boeing F/A-18E/F .