11

HIPAAHIPAA Education Education CCAC Professional Development CCAC Professional Development

Training September 2006Training September 2006

22

Privacy Privacy and and ConfidentialityConfidentialityhave always been important have always been important ethical considerations in any ethical considerations in any

healthcare environment.healthcare environment.

Introduction

33

The U.S. Government has The U.S. Government has set laws in place to set laws in place to makemake suresure that privacy and that privacy and confidentiality are followed confidentiality are followed

PrivacyConfidentiality

HIPAA

44

What is What is HIPAAHIPAA??

Health Insurance Portability and Health Insurance Portability and Accountability ActAccountability Act– Law enacted in 1996Law enacted in 1996– Privacy Rule in 2003Privacy Rule in 2003– Security Rule in 2005Security Rule in 2005

Health Plans, Clearing Houses Health Plans, Clearing Houses and Healthcare Providersand Healthcare Providersmust complymust comply

55

Or else be hit with Federal Or else be hit with Federal penalties!!!penalties!!!

66

These penalties can be These penalties can be either civil ranging up to either civil ranging up to $25,000$25,000 or orcriminal ranging up to criminal ranging up to $250,000 or prison $250,000 or prison sentences up to 10 yearssentences up to 10 years

77

Patient Rights Under Patient Rights Under HIPAAHIPAA

Gives patients moreGives patients more controlcontrol over over their health informationtheir health information

Protects patients health information Protects patients health information andand anyany information that could information that could identify the patient.identify the patient.

Gives conditions on how health Gives conditions on how health information may be released.information may be released.

Requires providers to safeguard health Requires providers to safeguard health information whether it is verbal, information whether it is verbal, written or electronic.written or electronic.

88

HIPAA defines patient information HIPAA defines patient information as Protected Health Informationas Protected Health Information

(PHI)(PHI) NameName AddressAddress RelativesRelatives EmployersEmployers Birth DateBirth Date TelephoneTelephone Fax NumberFax Number Social Security #Social Security #

License NumberLicense Number Health Plan Health Plan

NumberNumber Medical Record Medical Record

NumberNumber Finger/Voice PrintsFinger/Voice Prints Internet AddressInternet Address Email AddressEmail Address Vehicle Serial Vehicle Serial

NumberNumber

99

Privacy PrinciplesPrivacy Principles

What does HIPAA require Providers to do?What does HIPAA require Providers to do?– Develop policies and proceduresDevelop policies and procedures– Educate employeesEducate employees– Give patients a copy of the Notice of Privacy Give patients a copy of the Notice of Privacy

PracticesPractices– Create a new authorization form Create a new authorization form – Develop “safeguards” for protecting Develop “safeguards” for protecting

informationinformation– Designate a Privacy Officer and Security Designate a Privacy Officer and Security

OfficerOfficer

1010

Privacy PrinciplesPrivacy Principles

Notice of Privacy Practices (NPP)Notice of Privacy Practices (NPP)– Given to the patient upon registrationGiven to the patient upon registration– Describes how information may be Describes how information may be

used and disclosedused and disclosed– Responsibility to safeguard informationResponsibility to safeguard information– Patient should “acknowledge” the Patient should “acknowledge” the

receipt of Noticereceipt of Notice– Outlines Patients Rights under HIPAAOutlines Patients Rights under HIPAA

1111

Privacy PrinciplesPrivacy Principles

Patient’s Health Information RightsPatient’s Health Information Rights– Restrict use and disclosureRestrict use and disclosure– Inspect and copy the recordInspect and copy the record– Add an amendment to the recordAdd an amendment to the record– Know what information was released Know what information was released

for other purposesfor other purposes– Complain about health information Complain about health information

practicespractices

1212

Ways to Protect Ways to Protect ConfidentialityConfidentiality

Confidential communicationsConfidential communications Guidelines for Telephone UseGuidelines for Telephone Use Fax policyFax policy Using Records and Other Using Records and Other

InformationInformation– Patient AuthorizationPatient Authorization– T-P-O Treatment, Payment, T-P-O Treatment, Payment,

OperationsOperations

1313

Ways to Protect Ways to Protect ConfidentialityConfidentiality

The Minimum Necessary StandardThe Minimum Necessary Standard

As a healthcare employee As a healthcare employee you should ask you should ask yourself…yourself…

1414

……do I do I need to knowneed to know this to do my job?????this to do my job?????

This is called the “This is called the “Minimum Minimum NecessaryNecessary””

1515

The Minimum Necessary standard requires providers to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to. and disclosure of PHI.

Providers should have a policy to limit how much PHI is used, disclosed, and requested for certain purposes. Policies must limit who has access to PHI, and under what conditions, based on individual job responsibilities and the nature of their business.

Minimum Necessary StandardMinimum Necessary Standard

1616

This law This law DOES NOTDOES NOT interfere interfere with your staff continuing to with your staff continuing to provide the Quality Care you provide the Quality Care you

have always provided!!!have always provided!!!

There is no Minimum Necessary requirement when it There is no Minimum Necessary requirement when it comes to treating a patient. For treatment purposes comes to treating a patient. For treatment purposes

you are allowed to share information freely with other you are allowed to share information freely with other treatment personnel directly caring for the patienttreatment personnel directly caring for the patient

What HIPAA is NOT…What HIPAA is NOT…

1717

Scenario Scenario

You have just had to deal You have just had to deal with a very demanding with a very demanding customer and need to customer and need to discuss your frustrations discuss your frustrations with someone. As you walk with someone. As you walk outside to get some air, you outside to get some air, you see a friend from another see a friend from another department. What do you department. What do you do?do?

1818

Protecting the Medical Protecting the Medical RecordRecord

What do I need to know about What do I need to know about releasing patient information?releasing patient information?– Is this for T-P-O?Is this for T-P-O?– Is there an Authorization?Is there an Authorization?– Did I ask the patient?Did I ask the patient?– Are there adequate safeguards?Are there adequate safeguards?– Did I use professional judgment?Did I use professional judgment?

1919

The Security RegulationThe Security Regulationand Electronic Informationand Electronic Information

Protecting Electronic Protected Protecting Electronic Protected Health Information (ePHI)Health Information (ePHI)– C-ConfidentialityC-Confidentiality– I-IntegrityI-Integrity– A- AvailabilityA- Availability

Risk AssessmentRisk Assessment Safeguards for Protecting DataSafeguards for Protecting Data

2020

Helpful Hints When Helpful Hints When Working with ComputersWorking with Computers

Never share your password Never share your password

Always keep computer screens pointed Always keep computer screens pointed away from the publicaway from the public

Never remove computer equipment, Never remove computer equipment, disks or software from the facility unless disks or software from the facility unless you have permission to do soyou have permission to do so

Only access the information that you Only access the information that you needneed

2121

Helpful Hints When Helpful Hints When Working with ComputersWorking with Computers

Always double check the address line of Always double check the address line of an email before you send itan email before you send it

Don’t leave your computer unattended. If Don’t leave your computer unattended. If you have to walk away, log off before you you have to walk away, log off before you leaveleave

Look out for suspicious activity to makeLook out for suspicious activity to make sure no one else uses your account or sure no one else uses your account or

passwordpassword

2222

Exceptions to the RuleExceptions to the Rule

Reasons for releasing confidential Reasons for releasing confidential informationinformation

When reporting is requiredWhen reporting is required What happens if you accidentally What happens if you accidentally

release information?release information?

2323

Understanding Your Understanding Your RoleRole Read the Privacy NoticeRead the Privacy Notice Know your company’s policies Know your company’s policies

and proceduresand procedures Know when state regulationKnow when state regulation

“ “pre-empts” HIPAApre-empts” HIPAA Use appropriate safeguardsUse appropriate safeguards Talk to your Privacy OfficerTalk to your Privacy Officer

2424

What is New with What is New with HIPAA?HIPAA?

TransactionsTransactions Claims attachmentClaims attachment

EnforcementEnforcementComplaint DrivenComplaint Driven

Monetary/Civil PenaltiesMonetary/Civil Penalties

National Provider IdentifierNational Provider IdentifierAssigned identifier to be used inAssigned identifier to be used in

all external electronic transactionsall external electronic transactions(May 2007 effective date)(May 2007 effective date)

2525