HIPAA
What does treatment include? (Tpo)
1. direct patient care 2. coordination of care 3. consultations 4. referrals to other health care providers
What does HIPAA do?
1. Protects the privacy and security of patients' health information 2. Provides for electronic and physical security of patients' health information 3. Prevents health care fraud and abuse 4. Simplifies billing and other transactions, reducing health care administrative costs
What can a covered entity use and share a patient's PHI for (without authorization)?
1. Treatment of the patient, including appointment reminders 2. Payment of health care bills 3. Health care OPERATIONS aka TPO
What is a covered entity?
1. a health care provider that conducts certain transactions in electronic form 2. a health care clearinghouse 3. a health plan. TTUHSC is a Covered Entity
What does health care Operations include? (tpO)
1. business management 2. administrative activities 3. quality improvement 4. compliance 5. risk management 6. education/training
Protecting patient information:
1. do not discuss or leave PHI in public areas, such as conference rooms, classrooms, restrooms, elevators, the cafeteria, or the local coffee shop 2. if a private area is not available, keep your voice at an appropriate level so you are not easily overheard 3. members of the workforce should not share PHI with family members, relatives, visitors, etc. without the patient's authorization
Information that should not be faxed (except in an emergency)
1. drug dependency 2. alcohol dependency 3. mental illness or psychological information 4. sexually transmitted disease (STD) information 5. HIV status
Must use or share only the minimum necessary amount of PHI needed, except for requests made:
1. for treatment of the patient 2. for uses and disclosures that an individual has authorized 3. by the Secretary of the Department of Health & Human Services (DHHS) 4. as required by law
Protect pt info as if it were your own...
1. look at or use a patient's PHI only if you need it to perform your job (minimum necessary) 2. give a patient's PHI to others only when it is necessary for them to perform their jobs 3. talk to others about a patient's PHI only if it is necessary to perform your job, and do it discreetly (avoid discussing in public areas, elevators, etc.)
What areas can create challenges for ensuring HIPAA is being followed correctly?
1. research 2. fundraising 3. marketing
Education & Training
1. training developed for members of the workforce, e.g. new employee / annual HIPAA training 2. education developed by and/or presented to students, residents, faculty, etc. within HSC, i.e. not shared outside of the TTUHSC workforce 3. use only the PHI pertinent to/necessary for the education/training being conducted; when possible, PHI should be removed (de-identified)
Who does the Covered Entity consist of?
All members of the HSC workforce (faculty, residents, staff, students, volunteers). We are all responsible for HSC's Protected Health Information (PHI), whether it is transmitted electronically, in paper format, or orally.
What does payment include?(tPo)
Any activities required to bill for, or collect payment for, health care services provided to patients
Notice of Privacy Practice
The CE must: present a Notice of Privacy Practice (NPP) to the patient (and provide a copy upon request) AND request that every patient sign an acknowledgement that he/she has received the NPP
Has a breach occurred (or not sure)?
Contact your supervisor and/or the Privacy Officer IMMEDIATELY
Texting PHI:
Cortext (Imprivata) is the ONLY secure text messaging platform approved for use by the HSC
Who must follow the HIPAA Law?
Covered Entities
What is e-PHI?
Electronic protected health information is computer-based patient health information that is used, created, stored, received, or transmitted by the CE using any type of electronic information resource. Examples: information in an electronic medical record; patient billing information transmitted to a payer; digital images and printouts; information sent from the CE to another provider, payer, or researcher
When does a CE have to protect PHI?
From birth to beyond death (RIP)
What are two sides of HIPAA?
HIPAA Privacy HIPAA Security
What does the Notice of Privacy Practice explain?
How the CE can use and share the pt's information (PHI)
What is IRB?*
Institutional Review Board
What is the Health Insurance Portability and Accountability Act? HIPAA
A federal law signed into law on Aug. 21, 1996; a response by Congress to health care reform; affects the health care industry; compliance IS MANDATORY
HIPAA aka
Kennedy-Kassebaum Act
Places you will find PHI
Medical records (progress notes, x-rays, lab results, test results, etc.); billing records; research records; case studies; quality assessments
PHI identifiers (cont.)
Name; address; name of employer; any date; telephone and fax numbers; electronic (email) addresses; SSN; health plan beneficiary number; account numbers (medical and billing records, claims data, referral authorizations, EOBs); certificate/license number; any vehicle serial number; URLs / Internet addresses; fingerprints or voice prints; photographic images; ANY other unique identifying number, characteristic, or code
Email:
PHI is allowed in internal messages without encryption only if the message is going to another ttuhsc or ttu email address. Transmission of PHI to external parties outside of ttuhsc/ttu requires encryption: put [SS] on the subject line
Covered Entities
A person, business, or agency that furnishes, bills, or receives payment for health care in the normal course of business AND conducts covered transactions (activities normally associated with billing). Covered transactions are transmitted in electronic form
Why was HIPAA proposed?
Proposed due to the growing national concerns for health care reform
What patient information must we protect?
Protected Health Information (PHI)
HIPAA Privacy
Protection for the privacy of Protected Health Information (PHI) effective April 14, 2003 (including Standardization of electronic data interchange in health care transactions, effective October 2003)
HIPAA Security
Protection for the security of electronic Protected Health Information (e-PHI) effective April 20, 2005
Minimum Necessary Standard
Reasonable efforts are made to limit the use and disclosure of PHI to only the information needed to accomplish the intended purpose. Don't look at information you don't have a need to know
What is the difference between privacy and security?
The Privacy Rule sets the standards for how Covered Entities and Business Associates are to maintain the privacy of PHI. The Security Rule defines the standards that require Covered Entities to implement basic safeguards to protect e-PHI
When are DUAs typically used within the HSC?
When sharing data between the HSC and an external entity for research projects
What must be signed between the Covered Entity and the BA?
A Business Associate Agreement. Examples of BAs: transcription services, temporary staffing services, EHR vendors, billing software vendors
Marketing*
A covered entity health care provider may use PHI to communicate with the patient about a health-related product or service it provides. A CE health care provider may also use PHI to communicate with the patient about general health issues: disease prevention, wellness classes, etc.
Unsecured PHI=
Any PHI that is NOT encrypted or destroyed (i.e. is still usable, readable, or decipherable by unauthorized persons)
How do we protect e-phi?
1. Don't share your eRaider username/password 2. Secure your computer and portable devices at all times 3. Have your computer and portable devices encrypted 4. If taking a portable device out of the building, do not leave it where it could be available for theft 5. Don't store PHI on thumb drives, etc., which can be easily lost or misplaced
Reporting obligations
If the investigation shows a breach has occurred, the CE is responsible for providing notice to the affected individual (without unreasonable delay, and in no event later than 60 days from the date of discovery)
Data Use Agreement (DUA)
A written agreement used for the transfer of data that has been developed by nonprofit, government, or private industry, where the data is nonpublic or is otherwise subject to some restrictions on its use. This is often employed when the data contains PHI whose release would violate HIPAA
What is a breach?
An impermissible acquisition, access, use, or disclosure of PHI not permitted by HIPAA. Examples: a laptop containing PHI is stolen; a receptionist who is not authorized to access PHI looks through patient files in order to learn of a person's treatment; a nurse gives discharge papers to the wrong individual
Business Associate Agreement
Required to ensure the BA has sufficient safeguards for protecting the Covered Entity's information containing PHI in accordance with HIPAA. It is the responsibility of department administration, when entering into an agreement/contract with an external entity (vendor, contractor, academic institution), to determine if PHI will be used; if so, a BAA is required. BAA review and approval will proceed through the HSC Contracting System
What is a Business Associate (BA)?
A person or entity that performs certain functions or activities involving the use and/or disclosure of PHI on behalf of the Covered Entity, but is not part of the Covered Entity (CE) or its workforce
Public viewing:
Laptops, workstation screens, and paper reports should not be left on desks or counters where the information may be accessible to the public, other employees, or individuals who do not have a need to know the protected health information
Breach notification Requirements
The law requires CEs and BAs to notify the affected individuals, the Secretary of Health and Human Services, and, in some cases, the media in the event of a breach of unsecured protected health information
FINANCIAL PENALTIES for HSC***
See slide
Covered entity...
may not use or disclose an individual's protected health information, except as otherwise permitted or required by law
Next step..investigation
Once a possible breach is reported, it will need to be investigated by the Privacy Officer
PHI
Information that relates to the past, present, or future physical or mental condition of an individual; the provision of health care to an individual; or payment for care provided to an individual; that is transmitted or maintained in any form (electronic, paper, or oral); and that identifies, or can be used to identify, the individual
NPP & patient rights:*
See slide
Password protection
See slide
Workstation security best practices
See slide
Release of Information (ROI)
A signed authorization the CE obtains from the patient to release PHI to anyone other than the patient
Individuals, parents, or guardians may request to access, inspect, and/or obtain a copy of their PHI maintained in a designated record set by...
signing a Patient Request for Access
Fundraising*
The covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following PHI for the purpose of raising funds for its own benefit, without an authorization, but only if this is included in the Notice of Privacy Practice: 1. demographic information related to an individual and 2. dates of health care provided to an individual
DUA review and approval will proceed through what?
Through the HSC Contracting System
When is a breach considered discovered?
When the incident becomes known, not when the CE or BA concludes its analysis of whether the facts constitute a breach
How does HIPAA affect my job?
You are part of the "workforce" regardless of whether you are paid by the CE (HSC)