
HIPAA The Health Insurance Portability And Accountability Act of 1996


HIPAA History and Objectives

• Improve the efficiency of the health care system.

• Reduce the overall cost of health care and therefore the federal government’s future liability.

• Protect the Privacy and Security of individuals’ health care information by setting “Standards” and “requirements”.

• Standardize and automate – increased enabling of fraud and abuse monitoring and enforcement.

• Eliminate pervasive Medicare fraud and abuse.

HIPAA Major Rules

1. Transaction Code Sets

Standard code sets are required for selected data elements in more than one of the electronic transaction standards. Electronic transactions include transactions using ANY media, even when information is physically moved from one location to another using diskette, tape or CD media.

2. Privacy Rule

Defines who is authorized to access information. It is the right of individuals to keep information about themselves from being disclosed.

3. Security Rule

The ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss. This is the implementation of the Privacy Rules.

Protected Health Information (PHI)

• Any information that identifies an individual or gives a reasonable basis for identifying the individual must be protected.

• Covers all forms of information.

• Covers names, telephone numbers, fax numbers, e-mail addresses, social security numbers, photographs, geographical identifiers smaller than a state and any date element such as birth date or service discharge date.

The Individual’s Rights

• Right to access, inspect and get a copy of their own information.

• Right to request amendment or correction of information.

• Right to have written notice of information practices and receive accounting of disclosures.

HIPAA Rules and Guidelines

• Transaction and Code Sets

– Fully effective October 16, 2003.

• Privacy Standards for Individually Identifiable Health Information

– Fully effective April 14, 2003

• Security Standards

– Fully effective date for compliance enforcement Fall 2004

Who must comply with HIPAA?

• All direct and indirect providers of health care services and supplies;

– direct providers like hospitals

– indirect providers like laboratories

– vendors

– any entity transmitting health information in electronic form.

Who is not required to follow HIPAA Rules?

• Life Insurance Programs

• Worker Compensation Programs

• Property & casualty insurance programs

• Disability insurance programs

• Other non-health insurance programs

Federal Civil & Criminal Penalties for Violation of Patient’s Right to Privacy.

• Civil Monetary Penalties – non-criminal violations, including disclosures made in error – not intent to violate.

– $100 per violation up to $25,000 per year/standard/individual.

• Criminal Penalties – “knowingly” violating.

– Up to $50,000 & 1 year imprisonment for obtaining or disclosing PHI.

– Up to $100,000 & up to 5 years imprisonment for obtaining or disclosing PHI under “false pretenses”.

– Up to $250,000 & 10 years imprisonment for obtaining PHI with the intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm.

Who Polices HIPAA?

• Office of Civil Rights of the Department of Health & Human Services.

• Covered Entities provide records and compliance reports.

• Any person may file a complaint with the Department of Health & Human Services.

• Whistleblower provisions.

WHO ARE THE HIPAA WHISTLEBLOWERS?

Your Patient Relations

• Patients are your whistle blowers

Provide Notice of Policies & Procedures in Patient Privacy

• To anyone who asks for it

• Read or pick up at office

• Accessible on Web sites

• Health plans provide notice at enrollment or notice of availability

• First Treatment Service with individual’s written acknowledgement of receipt

• Consent and acknowledgement on one form

• Email notice of Policy and Procedures

Reasonable Safeguards

• Speak quietly

• Avoid using patient names in public hallways and elevators and posting signs to remind employees to protect patient

• Lock or isolate patient records in file cabinets or records rooms

• Passwords on computer systems

Concerns of HIPAA Investigators

• “Incidental disclosures”

• Handling in office records or computer screens

• Faxing of records

– Loss of control

• Transfer of records via email / computer encryption

• Covered Entity ignoring HIPAA compliance standards

Release of Information (ROI)

• Within the patient – provider relationship, health professionals have a legal, ethical and moral obligation to protect confidential information

What is Confidential?

• Is there a professional patient – provider relationship?

• Was the information exchanged within this relationship?

• Is the information needed to diagnose or treat the patient?

What is Not Confidential?

• Patient name

• Address

• DOB

• Insurer

• Next of Kin

• Not confidential but private!

Need to Know

• Users may be authorized to see the record

• Should have a clear “need to know” to have access

Record Ownership

• Provider owns the record – whatever physical form it’s kept in

– Record is maintained for benefit of patient

– Documents service and standard of care

• Patient owns the information – has right to control its flow

• Those who violate this right may be held liable to the patient

Personal and Impersonal Use

• Confidentiality belongs to the person – not to the information

• Personal – uses which depend on individual identity, such as patient care, insurance claims and legal action

• Impersonal – uses which are independent of personal identity: program evaluation, statistical report and/or research

Valid Authorization

• Requests in writing

• Addressed to provider

• Specific name, address and DOB

• Specifies information requested

• Specific dates of service

• Indicates reason information is needed

• Date, event or condition of expiration

• Signed by patient or legal representative & relationship

• WHEN IN DOUBT, DON’T GIVE IT OUT, seek advice

Valid Release Process

• Locate documents/chart

• Match the signature for validation

• Calculate charges

• Make copy

• Add cover letter, stress confidentiality / Return receipt if necessary

• Mail and log it

Telephone and Fax (ROI)

• Discouraged but may be necessary

• Caller name and number

• Reason information is needed

• Information requested

• Special authorizations

• Call backs

• Fax with cover sheet with confidentiality statement

• Call and confirm that fax is attended

• Document request and release in log and patient chart

Releases

• Patient

• Attorney

• Failure to release may result in legal action

• Subpoena

Caution

• Be alert!

• Information may be released in unanticipated ways

• Be cautious who can see computer screens, schedules, copiers, fax machines and who may overhear your conversations

What Do You Think?

• One patient overhearing patient health information laden conversation in an adjoining room between doctor and patient.

Answer

• “We don’t need to rebuild our offices only to create a private, soundproof room,” reports the Department of Health and Human Services’ Office of Civil Rights (December 2003)

• Figure out in your office what “reasonable safeguards

• Keep Your Staff AWARE!!

Scenario

• A patient overhears the receptionist and technician making unkind comments about the waist measurement of another patient

Answer

• This is not incidental disclosure. Even if individuals were making kind or flattering comments about a patient’s waistline, it would still be inappropriate disclosure…

Gwen Hughes, Care Communications, Chicago Ill.

Scenario

• A bartender overhears an office assistant telling another assistant about the famous actor that she had as a patient

Answer

• This is an inappropriate disclosure. Personal discussions of patients should not take place in or especially out of the office.

Gwen Hughes, Care Communications, Chicago Ill.

5 Step CHECK LIST

• Notice of Privacy Policies and Procedures available

• Make sure patients can assert their privacy rights

• Keep staff trained (Part time and Full time and NEW STAFF)

• Encourage ongoing awareness and possible Incidental Disclosure events

• Protect the handling of your records

“True Professionals Are And Should Be Held Accountable For Their Actions” C. Bruce

Ten Commandments of HIPAA

1. Thou shalt accurately capture, code and bill for services.

2. Thou shalt honor the Privacy & Security of all patient information that is ethically, morally, and legally required of every workforce member as a part of their job description & as a condition of employment/service.

3. Thou shalt treat all patient information, in any form, as “PHI”.

4. Thou shalt access & use patient information on a “need to know” basis only – idle curiosity is a sin and illegal.

5. Thou shalt not discuss patients unless it is necessary for treatment, payment, or the operation of the organization – otherwise it is gossip and wrong.

6. Thou shalt not disclose individually identifiable patient information as it is a crime, punishable by civil and criminal penalties.

7. Thou shalt discuss patient information only in a private setting.

8. Thou shalt not share user IDs, passwords, combinations, etc.

9. Thou shalt keep paper patient records out of sight of unauthorized persons, including workforce members.

10. Thou shalt report something or someone’s actions that look questionable, as if it seems wrong it probably is. Most compliance is common sense.

What does this mean to me as a Vision Care Technology Student at SCC?

• All patient information is private and not to be discussed outside of a classroom situation.

• Disposal of surgery schedules will follow my clinical guidelines for disposal.

• Transferring any patient information will not be done.