HIPAA Overview. Health Insurance Portability and Accountability Act of 1996 (PL )

Transcription

1 HIPAA Overview Health Insurance Portability and Accountability Act of 1996 (PL )

2 Health Insurance Portability 1.Provides for insurance coverage to be portable as you move from job to job 2. Limits the use of pre-existing conditions once you are insured 3.Lowers chance of losing existing coverage

3 HIPAA What does this have to do with the security, privacy and regulation of transactions in health care, you ask?

4 ADMINISTRATIVE SIMPLIFICATION RULES ADMINSITRATIVE SIMPLIFICAFTION sections were embedded in HIPAA as a rider or stealth statute

5 HIPAA Administrative Simplification in a nutshell 42.U.S. C d -2 (d) (2) All health plans, health-care clearing houses, and health care providers must maintain a reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity, confidentiality and privacy of healthcare information

6 Accountability & Sanctions Congress put big teeth in this Act in the form of penalties Civil Penalties $100 - $25,000 per violation per person per year

7 and hold on to your hats! Federal Criminal Penalties $50,000 & up to 1 year in prison for obtaining or disclosing Protected Health Information (PHI) $100,000 & up to 5 years in prison for obtaining PHI under false pretenses

8 the big one $ 250,000 & up to 10 years in prison for obtaining PHI (protected health information) with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm

9 Implications This major piece of legislation has important implications for the County Accountability Bar Raised Customer Trust in the Electronic Age

10 Terms to Know PHI : Protected Health Information: anything that identifies a user of health services Minimum Need to Know standard means employees should have security levels based on job functions

11 New Rights 1.Right to Privacy Notice 2.Right to request protection of information 3.Right of access to record 4.Right to request amending record 5.Right for accounting of releases

12 Exceptions to Rights Inmates in correctional facilities, detention or jails do not have these rights. However, correctional facilities are still under the HIPAA guides regarding PHI

13 Record Retention Records should be kept for six years If a person has right of access it goes back 6 years

14 HIPAA, Three Major Sections 1. Privacy standards: compliance required by April Transaction standards; compliance due November 16, 2002 unless 1 year extension is applied for 3. Security of electronic transmissions

15 Privacy Standards (1) ADMINISTRATIVE ASPECTS (2) PHYSICAL SECURITY ASPECTS (3) TECHNICAL ASPECTS

16 Privacy: Administrative Aspects Privacy Officer Designation Policy Review and Updating Training of Board, Staff and Providers

17 Privacy: Administrative Aspects Policy Development Patient Rights Policy Security Policy Policy FAX Policy Workstation Use Policy Sanction Policy

18 Privacy: Administrative Aspects Business Associates attachment to contracts when other entities act on your behalf Chain of Trust agreements in all contracts to ensure that information that is down streamed to other providers is protected under HIPAA

19 Privacy: Physical Aspects Physical Safeguards :To protect PHI integrity, confidentiality and availability. Records kept secure; backups Physical Survey of every work site PHI not observable

20 Privacy: Physical Aspects Computer disk security Placement and use of Fax machines Adequate access protection and security of work sites for authorized entry only Surge suppressors at each computer

21 Privacy: Technical Aspects Technical Security to protect data and prevent unauthorized access Access to PHI determined for every employee based on minimum information needed to know criteria

22 Privacy: Technical Aspects Review and tightening up access to systems (PI team to ensure terminating employees removed in a timely way) Information back up (Ecura)

23 Affected Departments CSTS WCHO Public Health Children s Services Juvenile Detention Human Resources Wash. Cty. Correctional Facility

24 Next Steps Policy review and implementation - County wide Policies Ongoing security committee involvement - 10/29/02 Mtg - Representatives from PH, CSTS, WCHO, HR, RM, ITS, Facilities and Jail Security sweeps to determine if PHI is appropriately secured in the environment At the direction of the Security Committee

25 Next Steps Training Extensive training CSTS, WCHO, PH and Children Services Awareness level training all staff and inmates Business Associate Contracts Completed List All Departments amending existing contracts that require BA Contracts and Chain of Trust Agreements when necessary