HIPAA initially went into effect April 14, HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.

Transcription

1

2 HIPAA Health Insurance Portability and Accountability Act HIPAA initially went into effect April 14, 2003 HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers. Privacy Rule Security Rule HIPAA helps ensure that all medical records, medical billing, and patient accounts meet certain consistent standards with regard to documentation, handling and privacy.

3 It is required that all employees who deal with personal health information (PHI) are trained on the HIPAA Privacy and Security Rules. This has become even more important due to an increase in HIPAA enforcement by the Office of Civil Rights (OCR). The OCR is the federal agency in charge of enforcing HIPAA. By doing proper employee HIPAA training and having Privacy & Security Policies in place, it can lessen the chance of enforcement actions by the OCR.

4 Privacy Rule The Privacy Rule establishes national standards to protect individuals medical records and other personal health information. The Rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

5 The Privacy Rule permits these Uses & Disclosures: Disclosure to the individual/personal representative (parent/guardian) Disclosure for treatment, payment, and health care operations Disclosures required by state or federal law Disclosures to Business Associates Disclosures as authorized by the patient

6 Disclosure to Family/Friends when authorized per the patient or when it is in the best interest of the patient Public Health Activities To public health authority To report child abuse/neglect To FDA Law Enforcement Purposes Abuse, Neglect, and Domestic Violence Judicial and Administrative Proceedings If you are unsure whether a disclosure is permitted talk to the Compliance Officer or HIPAA Officer

7 When the individual is present (and has the capacity) and: Agreed or has previously agreed to the disclosure Has had the opportunity to object to the disclosure and does not; or It can be reasonably decided given the circumstances that the person does not object Example: When a patient brings someone into the exam room with them, the caregiver can reasonably determine the individual does not object to the disclosure of their health information. When the individual is unable to consent in an emergency Professional determines it is in the patient s best interest May use professional judgment to make reasonable decisions about who is permitted to pick up prescriptions, supplies, or other similar forms of PHI

8 Incidental uses and disclosures are defined as secondary uses or disclosures that: Are permitted by HIPAA Cannot be reasonably prevented Are limited in nature Occur as a by-product of an otherwise permissible use or disclosure Reasonable Safeguards and Minimum Necessary Standards are in place Example A doctor can confer at a nurse s station without fear of being in violation of the rule if overheard by a passerby. And, provided reasonable safeguards and appropriate minimum necessary standards are in place.

9 Protected health information (PHI) should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.

10 Minimum Necessary Standard does not apply to the following: Disclosures to or requests made by a healthcare provider for treatment purposes Uses and disclosures by or to a patient for their own PHI Disclosures made under a valid authorization Disclosures to public officials when disclosure is required by law and the official represents that the information requested is the minimum required for the purpose

11 A Business Associate (BA) is any individual or entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity (CE). All Business Associates need to sign a Business Associate Agreement (BAA). The BAA states - Any privacy rule limitation on how a CE may use or disclose PHI automatically extends to BA. If there is a breach of PHI on the BA s behalf, they need to inform the CE immediately.

12 The Privacy Rule gives patients the right to: Access their PHI Request restrictions to their PHI Request amendments to their PHI Request an accounting of disclosures Request confidential communications

13 A covered entity (CE) has 30 days to provide access to a patient There is a one-time 30 day extension If a patient requests an electronic copy of PHI, the CE must provide access in an electronic format If the EMR has links to images or other data, the images/data must also be included in the electronic copy provided to the patient Encrypted , Thumb Drive, Patient Portal

14 If requested by an individual, a CE must transmit a copy of PHI directly to another person designated by the individual Request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI

15 A patient has the right to request restrictions to a health plan when paying in full Except when disclosure is required by law If the patient does not pay, the CE can bill and disclose information to the insurance plan The CE can ask patients to pay upfront The CE can require prepayment where precertification would otherwise be required

16 Right to Request Confidential Communications Must agree to reasonable requests, cannot ask why Right to Amendment Patient requests for amendment of a medical record must be made in writing. The patient must provide the reason for requesting the amendment. Right to Accounting of Disclosures Must account for certain disclosures (date, time, who received, what was disclosed, and why) Do not need to account for: Treatment, payment or healthcare operations To individual Incidental/authorized More than six years prior

17 When a patient signs an acknowledgement that they received the Notice of Privacy Practices, this is not a substitute for HIPAA authorization/consent form. The patient still needs to sign and give authorization for disclosure of their PHI in certain situations. This requires certain language in the consent form Purpose of use/disclosure Right to revoke

18 Security Rule The Security Rule covers electronic personal health information (EPHI) and states how it needs to be protected. There are specific standards that have to be met to protect EPHI. CEs must complete a Security Risk Assessment and implement protections based on the assessment. The assessment looks at every area in our organization that stores EPHI. HIPAA states the Security Risk Assessment needs to be completed each year.

19 We can protect EPHI by: Encryption Laptops Desktops Phones If something is not encrypted use extreme caution! Use Passwords/change passwords Log off when leaving your work station Security Rule audits throughout the year

20 A CE is required by law to sanction employees who violate HIPAA Privacy & Security Rules. Any violations of HIPAA will be handled under the CE s discipline policy, similar to other employee discipline issues. Sanctions for uses or disclosures of PHI could include termination of employment, depending on the nature of the violation.

21 What is a breach of PHI? A breach is an impermissible use or disclosure of unsecured PHI. Unsecured PHI is a hardcopy or electronic PHI that has not been rendered unusable and unreadable or encrypted. Impermissible use or disclosure is presumed to be a breach, unless the CE can demonstrate that there is a low probability that the PHI has been compromised. The CE must notify the patient(s), government, and possibly the media and press if there is a violation of the Privacy and Security Rule.

22 Factors to assess the probability that PHI has been compromised: Nature and extent of PHI involved, including identifiers and likelihood of re-identification Unauthorized person who used the PHI or to whom the disclosure was made Whether PHI was actually acquired and used There will continue to be more guidance regarding breaches from the OCR in the future If you ever suspect there has been an unsecured disclosure of PHI make sure to talk to the HIPAA Officer or Compliance Officer.

23 Curious Employees Remember Minimum Necessary Standards What do you need to do your job? Do not access family & friends PHI HIPAA employee sanctions will be followed Lost/Stolen laptops, phones, hard drives, flash drives (anything with EPHI) Firewall Issues Yearly Security Risk Assessments and Audits

24 If you have any questions or concerns regarding the HIPAA Privacy & Security Rules, please contact: HIPAA Officer (Bobbi Nawrocki) Compliance Officer (Julie Morgan)