HIPAA Training: Health Insurance Portability and Accountability Act

Introduction

This presentation will:
• Provide transportation providers with the information necessary to ensure that members'/recipients' health information is regarded with the highest privacy and security.
• Provide transportation providers with the information necessary to meet the latest standards for privacy and security set forth by the governing agencies.
• Focus on the daily functions of transportation providers in regard to ensuring members'/recipients' privacy and security.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996.

The Department of Health and Human Services (HHS) implemented the final Privacy Rule on April 14, 2003.

The compliance date for the Security Standards was April 20, 2005.

The HITECH Act of 2009 widened the scope of privacy and security protections available under HIPAA.

The Privacy Rule

Ensures nationwide uniform procedural protection for all health information.

Imposes restrictions on the use and disclosure of Protected Health Information (PHI).

Gives people greater access to their medical records.

Provides people with more control over their health information.

Security Rule

Whereas the Privacy Rule deals with PHI in general, the Security Rule deals with electronic PHI (“ePHI”).

The scope of the Security Rule for electronic PHI has been greatly expanded in 2009 under the American Recovery & Reinvestment Act.

ARRA 2009

The HITECH Act of the American Recovery & Reinvestment Act of 2009 (ARRA) imposes new obligations on a covered entity (CE) and business associate (BA):
• Breach Notification
• BA directly responsible for compliance with the Security Rule and directly liable for violations of the Security Rule and breaches.

HIPAA Expectations

• Use or disclose PHI only for work related purposes.
• Limit uses and disclosures to the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request.
• Exercise reasonable caution to protect PHI under your control.
• Understand and follow MTM privacy policies.
• Report any privacy problems to your supervisor and your MTM contact immediately.

Protected Health Information (PHI)

Individually identifiable health information… that is:
A. Transmitted by electronic media;
B. Maintained in electronic media; or
C. Transmitted or maintained in any other form or medium.

When an MTM member, agency or health provider gives personal health information to MTM, that information becomes PHI.

Examples of PHI

Information that might connect personal health information to an individual includes:
• Individual’s name or address
• Social Security or other identification number
• Medicaid or Medicare number
• Physician’s or other health care provider’s personal notes
• Billing information

Use or Disclosure of PHI

HIPAA’s Privacy Rule covers the use and disclosure of PHI; it is designed to minimize careless or unethical disclosure. PHI can’t be used or disclosed unless it is permitted or required by the Privacy Rule.

PHI is used when it is:
• Shared
• Examined
• Applied
• Analyzed

PHI is disclosed when it is:
• Released/transferred
• Accessed in any way by anyone outside the entity holding the information.

Use or Disclosure of PHI

PHI may be shared when it’s for “TPO.”
• Treatment: management of healthcare and related services that includes coordination among healthcare providers.
• Payment: various activities of healthcare providers to obtain payment or be reimbursed for their services.
• Healthcare Operations: certain administrative, financial, legal and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of Treatment and Payment.

Use or Disclosure of PHI

Transportation Providers are permitted to use or disclose PHI for:
• Scheduling trip information
• Confirming special needs or adaptive equipment
• Incidental use such as talking to a facility or medical provider

Minimum Necessary

Use or disclosure of PHI should be limited to the minimum amount of health related information necessary to accomplish the intended purpose of the use or disclosure.

MTM has developed policies and procedures to make sure the least amount of PHI is shared.

If you have no need to review PHI, then stop!

Maintaining Privacy

Written
• Keep information in a folder during business hours and lock drawers after hours.
• Shred documents containing PHI after use.
• Keep a minimal amount of information in hard copy format.
• Do not leave documents unattended at printer or Xerox machines.

Maintaining Privacy

Telephone
• Leave the minimal information necessary on voice mail or answering machines regarding confirmation of trips, or ask the member to return the call to confirm.

Maintaining Privacy

Faxes
• Always include a cover sheet. The cover sheet should state that it is a confidential document, give a contact if the fax is received in error, and spell out the HIPAA language.
• Verify the fax number before sending.

Maintaining Privacy

Email
• Emails containing PHI must be sent secure.
• Follow all directions for secured email.
• Do not enter any PHI in the subject line.

Maintaining Privacy

Workstation, Common Areas, and Vehicles
• Always lock access to your computer with a password and use a privacy notice.
• Remove documents containing PHI from copiers and printers as soon as possible.
• Keep PHI in a folder or upside down during working hours.
• Remove PHI from desk or vehicle and place in a locked drawer at the end of the work day.
• Do not discuss PHI in public areas.

Privacy Practices Designed to Protect PHI

Verify the identity and the authority of the requestor before releasing PHI.

Transmit PHI by telephone only when it cannot be overheard.

When leaving messages, limit the information left to the member’s name, a request to return the call, and your name and telephone number.

Misuse of PHI

Misuse of PHI can result in civil and criminal sanctions:
• Civil penalties: up to $25,000/year for inadvertent violations; up to $250,000 for “willful neglect”; up to $1.5 million for repeated or uncorrected violations.
• Criminal penalties: up to $250,000 fine and prison sentence up to 10 years for deliberate violations.
• Sanctions by the Department of HHS.
• Penalties related to not meeting contractual obligations.

Examples of Misuse of PHI

A South Dakota medical student took home copies of 125 patients’ psychiatric records in order to work on a research project. When finished, he disposed of the material in the dumpster of a fast food restaurant, where they were found by a newspaper reporter.

In Florida, several hundred hospital workers browsed through the records of a famous patient who had recently come to the facility, even though few of the workers were actually involved in the case.

Reporting Misuse of PHI

Report incidents of accidental or intentional disclosure to your immediate supervisor and to MTM.

No adverse action will be taken against anyone who reports, in good faith, any violation or threatened violation of the Privacy Rule, the Security Rule or related policies.

MTM must report to DHSS all uses or disclosures not permitted by the Business Associate provisions of the contract or HIPAA.

Breach of Electronic PHI (ePHI)

The HITECH Act imposes data breach notification requirements for unauthorized uses and disclosures of unsecured (unencrypted) PHI.

Breach – is the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of information.

Examples of Breach of ePHI

Theft of 57 hard drives at an insurance company’s training facility, including images from computer screens containing data that was encoded but not encrypted.

Theft of a laptop containing PHI. Laptop was password protected but not encrypted.

Breach Notification

Notice to the individual of breach of his/her PHI is required under the ARRA HITECH Act.

Breaches involving PHI of more than 500 persons in one circumstance must be immediately reported to HHS by the covered entity (for posting on the HHS site).

Business Associates must report security breaches to the covered entity.

Enforcement of Privacy and Security

Office of Civil Rights has enforced the Privacy Rule since 2003.

CMS has enforced the Security Rule since 2005.

As of July 27, 2009, HHS has delegated enforcement of both rules to the Office of Civil Rights.

Resources

Centers for Medicare & Medicaid Services – HIPAA:
• www.cms.hhs.gov/SecurityStandard/

Office of Civil Rights:
• www.hhs.gov/ocr/hippa/

US Department of Health & Human Services:
• www.hhs.gov

Glossary

Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Protected Health Information: Individually identifiable health information.

Minimum Necessary Information: The current practice is that protected health information (PHI) should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.