HIPPA
how do I protect patient privacy?
DON'T: • Tell anyone what you overhear about a patient. • Discuss a patient in public areas, such as elevators, hallways, or cafeterias. • Look at information about a patient unless you need it to do your job. DO: Log off the computer when you are finished. Dispose of patient information by shredding or storing it in a locked container for destruction. Clear patient information off of your desk when your leave your desk.
what is done if patient privacy is compromised?
HITECH Act What is the HITECH act?As a result of the American Recovery and Reinvestment Act of 2009, legislation passed the Health Information Technology for Economic and Clinical Healthcare (HITECH) Act which placed additional privacy and security requirements and increased civil penalties. - Requires any entity that handles PHI to report breaches, whether in paper or electronic form within the timeframe that HITECH requires. - HITECH applies to all business entities associated with healthcare organizations. - Assures entities that their responsibility is to prevent, detect, and correct any HIPAA rule violations.
why should we care about hippa rules?
Hospitals • Disciplinary action up to and including termination of employment. Civil Penalties • Up to $1.5 million per year per violation. Criminal Penalties • Up to $250,000.• Imprisonment of up to 10 years. Lawsuits • Invasion of privacy/negligence.
HIPPA rules and regulations protect...?
JOINT COMMISSION STANDARDS Patient Rights: Patients have a right to surroundings that preserve confidentiality of all information that is provided to the healthcare professional and institution. Patients have a right to practices that preserve their dignity. Healthcare professionals ensure that patient information is secured at all times and if there are any complaints, those complaints will be resolved in a timely manner. PRIVACY RULE Establishes a Federal floor (not just individual facilities) of safeguards to protect the confidentiality of medical information. Allows patients to make informed choices when seeking care, and reimbursement for care, based on how personal health information may be used. This rule protects Protected Health Information (PHI). This rule took effect on April 14, 2003. MINIMUM NECESSARY STANDARD HIPAA requires Covered Entities to take reasonable steps to disclose only the information that is necessary for the purpose for which the disclosure is to be made (the minimum amount of information necessary to perform the job). The Minimum Necessary Standard does not apply to: Treatment. Disclosures to the individual who is the subject of the Protected Health Information (PHI). Uses or disclosures made pursuant to an individual's authorization. Uses or disclosures that are required by law.
how does HIPPA protect PHI?
Limits who may use or disclose PHI. Limits the purposes for which PHI may be used or disclosed. Limits the amount of information that may be used or disclosed (Minimum Necessary Standard). Requires use of safeguards over how PHI is used, stored, and disclosed.
omnibus rule
Omnibus Rule represents an additional layer of restrictions under HIPAA/HITECH. Addresses three specific areas: - Modifies the HIPAA Privacy, security, and enforcement regulations. - Creates an increased and tiered civil money penalty structure for security breaches under HITECH Act. - Modifies and clarifies the definition of what constitutes a reportable privacy breach. Business Associate Agreements (BAA) have updated provisions. A medical sales agent who does not receive PHI from a covered entity is not considered a Business Associate. The order of legislation passed is: 1. HIPAA2. HITECH3. Omnibus Rule
what are the consequences of not complying with HIPPA?
Penalties for Privacy Violations Civil Penalties under HIPAA:• Maximum fine of $50,000 per violation ($1,500,000 aggregate) plus court costs.Criminal Penalties under HIPAA: • Maximum of 10 years in jail and/or a $250,000 fine for serious offenses. Organization Actions: • Employee disciplinary actions including suspension or termination, for violations of the organization's policies and procedures.
safeguarding PHI
People consider health information their most confidential information, and we must protect it accordingly. Do not access PHI that you do not need. Do not discuss PHI with individuals who do not need to know it. Do not provide PHI to anyone not authorized to receive it. Misuse of PHI can result in discipline, legal penalties, and loss of trust. - When using PHI, think about: • Where you are. • Who might overhear. • Who might see. Report unusual activity immediately, like: You observe questionable practices. You find PHI in inappropriate areas. You suspect unauthorized use of your user ID or password. A patient or health plan participant complains to you about a privacy issue.
examples of business associates
- A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a healthcare provider and forwards the processed transaction to a payer. - A third party administrator who assists a health plan with claims processing. - An independent medical transcriptionist who provides transcription services to a physician. - A CPA firm whose accounting services to a healthcare provider involve access to protected health information. - A pharmacy benefits manager who manages a health plan's pharmacist network.
HIPPA
- Hospitals inherently put patients in vulnerable situations. It is for this reason that rules, regulations, and standards have to be created. - Public Law 104-191 enacted in 1996. • Overseen by the Department of Health & Human Services (HHS). • Enforced by the Office for Civil Rights (OCR). • Structured regulations regarding: • Privacy of health information.• Security of health information. • Notification of breaches of confidentiality. • Penalties for violating HIPAA.
why was HIPPA created
- In 2000, many patients that were newly diagnosed with depression received free samples of anti-depressant medications in their mail. - This left patients wondering how the pharmaceutical companies were notified of their disease. - After a long and thorough investigation, the physician, the pharmaceutical company, and a well-known pharmacy chain were all indited on breach of confidentiality charges. - This is one example illustrating the many reasons the Federal Government needed to step in and create guidelines to protect patient privacy.
what is protected by HIPPA: direct identifiers
- Individual's name, social security number, driver's license number, etc. Name - Geographic Subdivisions Smaller than a State • Street Address • City • County • Precinct • Zip Code - Dates • Full Birth Date • Full Admission Date • Full Discharge Date • Full Date of Death - Telephone Numbers - Fax Numbers - Email Address - Social Security Number 8. Medical Record Numbers 9. Health Plan Beneficiary Number 10. Account Numbers 11. Certificate/License Numbers 12. Vehicle Identification Number 13. License Plate Number 14. Device Identifiers and Serial Numbers 15. Web Universal Resource Locations (URLs) 16. Internet Protocol (IP) Address Numbers 17. Biometric Identifiers (including Finger and Voice Prints) 18. Full Face Photographic Images (and any Comparable Data) 19. Any other unique identifying number, characteristic, or code
what are the breach notification requirements?
- Must be reported to the HIPAA security officer immediately. - An "Unsecured Protected Health Information" breach, notification to the affected individual(s), the government and, in certain cases, the media (if the breach involves more than 500 people) is mandatory. - These breach requirements are applicable to both Covered Entities (CE) and their Business Associates. - If the Covered Entities Business Associate has a breach, they must report it within 60 days. - The "snail mail" requirement states that the healthcare organization must send out a first class letter to any patients that might have been affected by the breach. - Electronic mail is allowed, given the patient agreed to receive electronic notices.
what must a covered entity do to be in compliance with HIPPA?
- Notify patients about their privacy rights and how their information can be used. - Adopt and implement privacy procedures. - Train employees so they understand the privacy procedures. - Designate a Privacy Officer. - Secure patient records containing Protected Health Information (PHI).
what does HIPPA consists of
- Standardized Electronic Data Interchange (EDI) transactions and codes for all covered entities. - Standards for security of data systems. - Privacy protections for individual health information. - Standard national identifiers for healthcare.
summary of purpose of the law
- To establish basic privacy and security protection of health information. • To guarantee individuals the right to access their Protected Health Information (PHI) and learn how it is used and disclosed. • To simplify payment for healthcare.
who implements HIPPA regulations?
- covered entities (CE) - The individuals responsible for implementing HIPAA rules and regulations. Examples include: • Health Plans • Healthcare Clearinghouses • Healthcare Providers who conduct certain financial and administrative transactions electronically.
what is protected by HIPPA
- protected health information - Any Individually Identifiable Health Information (IIHI) created or received by a covered entity that can be used to identify an individual such as PHI, diagnosis, health condition, treatment or procedure performed, and mode of payment. - Relates to past, present or future physical or mental health and healthcare of an individual. - Pertains to information transmitted in any form or by any medium: paper, electronic, and verbal communications. Examples of PHI: • Name• Address• Telephone Number• Email Address• Drivers License Number• Social Security Number• Medical Records• Photographs and Images• Billing Records• Health Plan Claims Records• Health Insurance Policy Number
others responsible for protecting patient privacy: business associates
A person or entity that performs a function or activity on behalf of a Covered Entity (CE) that requires the creation, use, or disclosure of Protected Health Information (PHI) but who is not considered part of the Covered Entities' workforce. They must have a written contract or agreement that assures they will appropriately safeguard Protected Health Information (PHI) that they create or receive.
TPO: P = payment
Activities by a healthcare provider to obtain reimbursement for healthcare. Includes: • Billing.• Eligibility/coverage determination. • Medical necessity determinations. Activities by health plan to pay claims
TPO: O = healthcare operations
Activities directly related to treatment and payment.Includes:• Credentialing, auditing, utilization review, quality assessment, training programs. Supporting activities. Includes: • Computer Systems Support Administrative and managerial activities. Includes :• Business planning, resolving complaints, and complying with HIPAA.
physical safeguards
Avoid: • Discussing PHI in front of others who do not need to know. • Leaving records accessible to patients or others who do not need to see them. • Positioning monitors where others can view them. • Using printers located in public or unsecured areas.
permitted uses of phi
General Rule: Workforce members may use or disclose PHI only for permitted uses without an individual's specific written authorization. "TPO" • Treatment • Payment • healthcare Operations Specified public policy exceptions: • Public health • Law enforcement Any other use requires individual written authorization.
ways HIPPA can be violated?
Incidental Disclosure A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure. Examples of Incidental Disclosure: • A hospital visitor may overhear a provider's confidential conversation with another provider or a patient. • A hospital visitor may glimpse a patient's information on a sign-in sheet or nursing station whiteboard. Breach Generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the Protected Health Information (PHI). All individuals working in a healthcare setting are responsible to be compliant with all HIPAA and regulations as defined in policies and procedures.
what is protected by HIPPA: indirect identifiers
Information about an individual that can be matched with other available information to identify the individual.
TPO: T = treatment
Providing, coordinating, and managing healthcare. Includes: • Direct treatment of patient. • Consultation among healthcare providers. • Indirect treatment (i.e. laboratory testing). • Patient referral from one provider to another.
what are a patient's rights under hippa?
Right to a written Notice of Privacy Practices (NPP) that informs consumers how Protected Health Information (PHI) will be used and to whom it is disclosed. Right of timely access to see and copy records for a reasonable fee. Right to an amendment of records. Right to restrict access and use. Right to an accounting of disclosures. Right to revoke authorization.