HIPAA
Why is payment a permitted use for PHI?
-For the healthcare provider (or health plan) to obtain reimbursement for the healthcare provided. It includes: -billing and claims management -eligibility/coverage determination -medical necessity determination and utilization review -activities by a health plan to collect premiums and pay claims
Understand patient rights under HIPAA.
- Right to a written Notice of Privacy Practices (NPP) that tells them how their Protected Health Information (PHI) will be used and to whom it is disclosed. - Right of timely access to see and obtain a copy of their records, for a reasonable, cost-based fee. - Right to request an amendment of their records. - Right to request restrictions on how their PHI is used and disclosed. - Right to an accounting of disclosures. - Right to revoke an authorization (in writing). - Right to file a complaint with the covered entity or with HHS without retaliation.
What type of rules does HIPAA have to protect patient privacy?
HIPAA's Administrative Simplification provisions set four kinds of standards: -Transaction and code set standards: covered entities must use EDI (Electronic Data Interchange), the computer-to-computer exchange of business documents such as claims in a standard electronic format between trading partners. -The Security Rule: standards for safeguarding electronic PHI (ePHI) in data systems (administrative, physical and technical safeguards). -The Privacy Rule: protections for the individual's health information in any form (paper, electronic or spoken). -Standard national identifiers for healthcare providers, health plans and employers (for example the NPI, National Provider Identifier).
Why is healthcare operations a permitted use for PHI?
-The administrative, financial and quality-related activities a covered entity needs in order to run its business and support treatment and payment. It includes: -credentialing, auditing, utilization review, quality assessment and improvement, and training programs. Supporting activities include: -computer system support. Administrative and managerial activities include: -business planning, resolving complaints and complying with HIPAA.
What is the Final Omnibus rule?
-Issued in 2013. -It finalizes the changes that HITECH made to HIPAA and fills gaps in the existing HIPAA and HITECH regulations (direct liability for business associates, a stricter breach definition, higher penalties). -Related HHS guidance issued under HITECH defines when ePHI counts as "secured": it must be rendered unusable, unreadable or indecipherable to unauthorized persons, i.e. encrypted using NIST-recognized methods or properly destroyed; a breach of secured ePHI does not trigger the notification duties. --So, roughly: HIPAA sets the overall privacy and security protections so PHI does not get out in the first place, HITECH pushed healthcare from paper to electronic records (and added enforcement teeth), and the Omnibus Rule tightens what counts as a breach and who is liable once one happens.
What is Individually Identifiable Health Information (IIHI)?
-Information, including demographic data, collected from an individual that relates to: the individual's past, present or future physical or mental health condition; the provision of healthcare to the individual; or the past, present or future payment for that healthcare; and that identifies the individual, or gives a reasonable basis to believe it could be used to identify the individual.
What is the purpose of HIPAA?
-HIPAA sets rules, regulations and standards to protect and ensure patients' rights. -It establishes baseline privacy and security protections for patients' health information. -The patient has the right to access their PHI (Protected Health Information) and to learn how it is used and disclosed. -It simplifies and standardizes healthcare payment and other administrative transactions (Administrative Simplification).
What things count as PHI identifiers?
-name -address -telephone number -email address -driver's license number -Social Security number -medical record number and medical records -photographs and images (e.g., full-face photos) -billing records -health plan claims records -health insurance policy or beneficiary number ---basically any of your personal identifiers, once linked to health information held by a covered entity or its business associate.
What are the consequences of violating HIPAA rules?
Employer (e.g., the hospital) -Disciplinary action up to and including termination of employment. Civil penalties (enforced by OCR, tiered by the level of culpability) -A maximum fine of $50,000 per violation. -Up to $1.5 million aggregate per year for violations of the same provision (these amounts are adjusted for inflation). Criminal penalties (prosecuted by the Department of Justice) -A maximum fine of $250,000 per violation. -Up to 10 years in prison (the top tier, for offenses committed with intent to sell PHI or for commercial advantage, personal gain or malicious harm). Lawsuits -HIPAA itself gives no private right of action, but the patient can sue under state law for invasion of privacy or negligence.
What are Covered Entities (CE)?
Organizations and individuals that must implement and follow HIPAA's rules and regulations, ex: -health plans -healthcare providers who transmit health information electronically in connection with a standard transaction (in practice, most providers) -healthcare clearinghouses
What is protected by HIPAA?
-Any individually identifiable health information (IIHI) created or received by a covered entity (insurance companies, your doctors, etc.) or its business associate that can be used to identify the patient in any way; once held by a covered entity it is Protected Health Information (PHI). --This includes the patient's diagnosis, health condition, treatment/procedures and mode of payment. -The protection covers past, present and future care, and it applies regardless of form: written, electronic, verbal, etc.
What is the general rule about permission to use or disclose a person's PHI?
-A workforce member may use or disclose a patient's PHI without the individual's specific written authorization only for permitted uses. Permitted uses (that is, the uses they need PHI for to do their job properly) are TPO: -treatment -payment -healthcare operations. Specified public policy exceptions also allow disclosure without authorization when the Rule's conditions are met, e.g.: -public health activities -law enforcement purposes. ---Any other use needs the individual's written authorization, and even permitted uses other than treatment are limited to the minimum necessary information.
health information is protected if what?
-If it directly or indirectly identifies someone. Direct identifiers: -information that is specific to the patient (not generalized) -for example: name, street address, birth date, admission/discharge dates, date of death, Social Security number, license plate number, account number, IP address, fingerprints, email address, etc. Indirect identifiers (quasi-identifiers): -information about an individual that is not unique on its own but can be matched with other available information to identify the individual, ex: place of birth, age, race, religion, hair color, eye color, year of birth, weight, height, etc. --Removing the direct identifiers alone is not enough; a combination of indirect identifiers can still single out one person.
Why is treatment a permitted use for PHI?
-It is needed to provide, coordinate and manage the healthcare of the patient. Different ways this applies include: -the direct treatment of the patient -the healthcare provider (HCP) consulting with other healthcare providers -indirect treatment (ex: laboratory testing) -patient referral from one provider to another.
How does HIPAA protect PHI?
-It limits who may use or disclose PHI. -It limits the purposes for which PHI may be used or disclosed. -It limits the amount of information that may be used or disclosed (the minimum necessary standard). -It requires safeguards (administrative, physical and technical) over how PHI is used, stored and disclosed.
Business associates
-A person or entity that performs a function or activity on behalf of a covered entity (health plans, clearinghouses and certain healthcare providers, i.e. the organizations that must follow HIPAA) that requires the creation, receipt, use or disclosure of a patient's PHI, but who is not part of the covered entity's workforce. For example: -a medical device representative who needs pertinent patient information for an invoice. -Before the business associate can receive PHI, there must be a written contract or agreement (a Business Associate Agreement, BAA) in which it commits to properly safeguard the Protected Health Information (PHI) it creates or receives. --Vendor credentialing systems have such agreements in place from the hospitals, which the representatives read and sign. -------So, since reps are not healthcare providers (HCPs), they are business associates. They still need access to PHI (for example, the information that goes on invoices), so even though they are not covered entities they must follow HIPAA's requirements when handling it, and they sign an agreement saying they will keep the information confidential. Since the 2013 Omnibus Rule, business associates are also directly liable under the Security Rule and parts of the Privacy Rule, not only through their contract.
HIPAA sets structured regulations about:
-Protecting the privacy of health information (Privacy Rule). -Securing the patient's health information, especially electronic PHI (Security Rule). -Notifying affected individuals, HHS and in some cases the media when there has been a breach of unsecured PHI (Breach Notification Rule).
What is the Breach notification rule?
-Issued in 2009 (under HITECH). -Breaches of unsecured PHI affecting 500 or more individuals must be reported to the Department of Health and Human Services Office for Civil Rights without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported to HHS annually. -If a breach affects more than 500 residents of one state or jurisdiction, prominent media outlets serving that area must also be notified. -Affected individuals must be notified within the same 60-day limit. -The healthcare organization has to send a written letter to each person by first-class mail; electronic mail is allowed only if the individual has agreed to receive notices electronically.
HITECH ACT
-Enacted in 2009 (as part of the ARRA stimulus act). -Its goal at first was to persuade healthcare organizations to adopt electronic health records (EHRs). -It introduced the Meaningful Use incentive program (Stage 1 of which paid healthcare organizations to move from paper records to certified EHRs). -It also strengthened HIPAA enforcement (higher penalties) and added the breach notification requirements.
What do Covered Entities have to do to be in compliance with HIPAA?
-They have to notify patients about their rights and how their information is being used (the Notice of Privacy Practices). -They must adopt and implement written privacy procedures and train their workforce on them. -They have to designate a privacy officer (and, under the Security Rule, a security officer). -They must secure patient records that contain PHI (Protected Health Information) with appropriate safeguards. -They must have Business Associate Agreements with vendors that handle PHI on their behalf.
What are some ways PHI can be disclosed outside normal use, and which of them violate HIPAA?
1. Incidental disclosure -a secondary use or disclosure that can't reasonably be prevented, is limited in nature, and happens as a by-product of an otherwise permitted use or disclosure. Examples: A) A hospital visitor overhears a provider's confidential conversation with another provider or a patient. --If they were having a private conversation in the hospital and someone eavesdropped, that is hard to control. B) A hospital visitor sees a patient's name on a sign-in sheet or a nursing station whiteboard. --Incidental disclosures are NOT violations as long as the covered entity applied reasonable safeguards and the minimum necessary standard; if it did not (e.g., discussing a patient loudly in the cafeteria), the disclosure is a violation. 2. Breach -an impermissible acquisition, access, use or disclosure of PHI (electronic or paper) that compromises its security or privacy, for example ePHI that has been accessed or stolen by an attacker, a lost unencrypted laptop, or records sent to the wrong patient. A breach is a violation and, if the PHI was unsecured, triggers the Breach Notification Rule.
HHS guidance under HITECH (carried forward by the Final Omnibus Rule) says encryption per NIST standards renders ePHI unusable, unreadable and indecipherable, so a breach of properly encrypted ePHI does not require notification. Beyond that, what were three things the Omnibus Rule added to the previous regulations?
1. It modifies the HIPAA Privacy, Security and Enforcement Rules (for example, it extends direct liability to business associates and their subcontractors). 2. It adopts HITECH's tiered civil money penalty structure, increasing the penalties for those responsible for violations. 3. It modifies the definition of what constitutes a reportable breach: an impermissible use or disclosure is now presumed to be a breach unless a risk assessment shows a low probability that the PHI was compromised. --So more incidents count as breaches; the old "significant risk of harm" threshold no longer applies.
what are examples of business associates?
1. A third-party administrator who assists a physician's office with claims processing. 2. An independent medical transcriptionist who provides transcription services to a physician. 3. A medical device rep who has access to PHI or to secure areas such as the OR (operating room). 4. A pharmacy benefits manager who oversees a health plan's pharmacy network.
How can you protect patient privacy?
DON'T: 1. Tell anyone what you overheard about a patient (keep your mouth shut). 2. Discuss patient information in public areas where others can hear you (elevators, hallways, cafeterias). 3. Look at information about a patient unless you need it to do your job. DO: 1. Log off or lock your computer when you are finished or step away. 2. Dispose of patient information by shredding it or placing it in a locked container for destruction. 3. Clear patient information off your desk when you leave it. 4. Report any privacy issues, including wrongdoing you see others doing.
HIPAA is overseen by who and enforced by whom?
It is overseen by the Department of Health and Human Services (HHS) and enforced by HHS's Office for Civil Rights (OCR); criminal violations are prosecuted by the Department of Justice.
HIPAA Privacy Rule
The federal regulation (45 CFR Parts 160 and 164) that governs the use and disclosure of patients' protected health information (PHI). -It establishes a federal floor of safeguards (a minimum that applies everywhere, not just per facility; stricter state laws still apply on top of it) to protect the confidentiality of medical information. -It lets patients make informed choices when seeking care and reimbursement for care, based on how their personal health information may be used. -This rule protects PHI in all forms. -Compliance date: April 14, 2003. -It also prohibits retaliation: that is, a covered entity may not retaliate against or intimidate an employee (or patient) who files a HIPAA complaint.