HIPAA Training


HIPAA ENFORCEMENT RULE

-Addresses compliance, investigations, and potential penalties for violations of the HIPAA Privacy Rule and Security Rule.
-The OCR within HHS is responsible for enforcing the HIPAA regulations.
-Responding to incidents:
  Document any known violation of privacy protection
  Establish and publicize a disciplinary policy
-Building a culture of compliance:
  Everyone in the organization sees him/herself as responsible for the privacy and security of health information.
  Identify and correct gaps regularly

RELEASE OF INFORMATION WITHOUT AUTHORIZATION - HIPAA allows "directory information" if :

-An inquirer has the patient's first and last name
-There is no restriction of information by the patient
-Patient is not receiving mental health or chemical dependency services (mental health and dependency services are not included)

HIPAA PRIVACY RULE

"The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing."
National standards to protect health information
Sets conditions on how health information can be used and disclosed by covered entities
Gives patients rights over their protected health information (PHI)

Minnesota Minor Consent Law

-Any minor may give consent for medical, mental, and other health services in the following situations:
  Pregnancy
  Sexually Transmitted Diseases/Infections
  Drug or Alcohol Abuse
  Contraceptive Care
-The minor is entitled to confidentiality for these visits
  If asked, we need to ensure information about these visits is not released without the minor's consent

Release of Information

-Understand and Follow Release of Information Policies
  A Release Form needs to be completed for most releases of information
  The entire form needs to be completed and sent to Medical Records
-Exceptions
  Immunization Records can be released to Patients, Parents, Schools, or Day Care Centers
  State Mandated Reporting for STIs and other diseases does not need a release

Conversations

-When possible, discuss patient information privately, such as behind a closed door. -Avoid discussing patient information in waiting rooms, break rooms, etc. -Remember to talk quietly.

HIPAA VIOLATIONS Accidental Violations (& examples)

Accidental Violations: PHI is disclosed to an unauthorized person by mistake.
Examples:
  Unintentionally faxing or sending patient data to an incorrect destination
  Unintentionally exposing patient data to someone who shouldn't see it

HIPAA ENFORCEMENT RULE

All breaches must be reported to OCR
Breaches >500 patients must be reported to news media
Document all steps taken to correct the breach
Cooperate quickly and fully with the investigators

HIPAA's purposes:

Balance between improving the flow of information while protecting the privacy of patients.
Provide more control to patients over their personal health information
Punish those who misuse patient information by imposing criminal and civil penalties.

HIPAA PRIVACY RULE Business Associates

Business Associates
-Do the associates perform a service on behalf of the healthcare organization that requires access to, or using and/or disclosing, our patients' PHI?
  Outsourced Labs
  Coding
  Virtual Radiology
  Attorneys
  Locum Tenens

Computer Etiquette

Don't share your Username and Password
Don't post Usernames and Passwords on your computer, notebook, tablet, under your keyboard, etc.
Create secure passwords
When leaving a computer, ALWAYS: Log off, OR Lock the computer screen

These departments work together to ensure confidentiality of health medical records.

HIPAA OCR ONC HHS

HIPAA PRIVACY RULE 8. Sale, marketing, and fundraising

HIPAA prohibits the sale of PHI without the patient's authorization. Practices can communicate with patients about their services, send refill reminders, and send letters about health-related goods and services as long as the practice does not receive payment for doing so. HIPAA allows for patients to opt out of fundraising communications.

What is Minimum Necessary?

Minimum Necessary: To use or release only the information necessary to accomplish the intended purposes of the use, disclosure, or request
For Employees: Access to PHI is limited to a "need-to-know" basis
For individuals not employed at location: Limit the PHI provided to meet the needs of the request

HIPAA SECURITY RULE

National standards to protect electronic health information
Sets conditions to ensure electronic health information is:
  Not available to unauthorized persons
  Not altered or destroyed in an unauthorized way
  Available to authorized users when needed
All the electronic protected health information (e-PHI) is covered by the security rule. The security rule does not cover oral or written protected health information.
Sets standards for safeguarding protected electronic health information
Requires covered entities to establish data security measures only for PHI that is maintained in electronic format. Includes handheld devices

OCR

Office for Civil Rights

ONC

Office of the National Coordinator for Health Information Technology

HIPAA History

Originated in 1996, creating standards for:
  Protection of patient confidentiality
  Security of electronic systems
  Electronic transmission of health information
2003: Initial purpose was to set standards for transmitting electronic health data and to allow people to transfer and continue health insurance after they change or lose a job.
2009: HITECH Act created financial incentives for healthcare providers and insurers to continue shifting to EMR, and addressed privacy and security concerns related to the electronic transmission of health information.
2013: Updates to 2003 and 2009.

HIPAA PRIVACY RULE It also explains how covered entities can use and disclose:

PHI (Protected Health Information): all individually identifiable health information that is transmitted or maintained in any format or medium
  Electronic
  Handwritten
  Conversations

HIPAA PRIVACY RULE 1. Right of access

Patient has the right to access their own medical records within 30 days of the request. Exception is mental health notes. Health organizations cannot charge for the medical record but can charge a handling fee to pay for staff, paper, and postage to provide the copy. Health organizations cannot withhold a copy of the medical record due to non-payment or from other providers/health organizations.

PHI Includes: Patient identifiers such as : Items in the record such as:

Patient identifiers such as:
  Name
  Patient ID Number
  Social Security Number
  Health Plan Number
  Date of Birth
  Phone Number
  Street Address
  Email Address
Items in the record such as:
  Encounter/visit documentation
  Lab Results
  Appointment dates/times

HIPAA PRIVACY RULE 6. Right to restriction

Patient may opt to restrict disclosure of their PHI to health plans if they pay out of pocket for goods or services. Patients may direct how they wish to be contacted, such as through a particular phone number or address and if a message may be left.

What is "DIRECTORY INFORMATION" ?

Patient's name
Condition (undetermined, good, fair, serious, critical)
Location in facility
Religion (clergy or community faith leader only)

HIPAA PRIVACY RULE 5. Friends and Family

Patients can request that their information be shared with their friends and family. A provider may also share information with these persons if, using professional judgment, he or she decides that it is in the best interest of the patient. Professional rules may require a provider to share information if the patient presents an imminent threat to themselves or another person.

HIPAA PRIVACY RULE 4. Authorization

Patients have the right to decide how their information is used or shared. Must sign a release. The exception is medical record release for payment or health care operations. Specifically, patients have the right to decide if their information can be shared with employers.

HIPAA PRIVACY RULE 3. Accounting for Disclosures

Patients have the right to know with whom their information has been shared. On request, you must be able to provide a report to your patient of the entities with whom their PHI was shared.

HIPAA PRIVACY RULE 2. Amendment

Patients have the right to request that information in their chart be amended. If the provider disagrees with the amendment, the patient must be notified in writing of the following:
  The basis for the denial
  Their right to file a statement of disagreement to be kept in their file and be included with future PHI disclosures
  Their right to complain to the covered entity or Secretary of Health and Human Services
  Contact information for the covered entity's privacy officer.

HIPAA SECURITY RULE Physical Security: Technical Security: Culture of Compliance:

Physical Security: Lock offices; Screen PHI from public view
Technical Security: Use passwords on desktop and portable devices; Encrypt data
Culture of Compliance: Treat information as you would treat the patient

HIPAA PRIVACY RULE 7. Notification of privacy practices

Practices must issue a notice of privacy practices to all patients on their first visit, and patients must be able to take home a copy. Practices must have a mechanism for patients to register complaints about information privacy, and to have those complaints addressed free from retaliation. HIPAA compliance officer

HIPAA Details Contains:

Privacy Rule
Security Rule
Enforcement Rule

PHI

Protected Health Information

HIPAA PRIVACY RULE applies for how many years after death?

The privacy rule applies for 50 years after death.

CMS

Centers for Medicare and Medicaid Services

EHRs

Electronic Health Records

EPHI

Electronic Protected Health Information

OCR

Office for Civil Rights

PHI is Individually Identifiable Health Information relating to:

-Identity of the individual (name, birthdate, address, etc.). -Health/condition of an individual. -Payment for health care of an individual.

CURB YOUR CURIOSITY

-New York City's public hospital system suspended 39 employees without pay for peeking at the private medical records of a 7-year-old girl who died from beatings and torture and became a tabloid and TV news sensation.
-Dozens of workers at the Woodhull Medical and Mental Health Center couldn't resist looking at the child's computerized medical file.
-The unpaid suspensions lasted from 30 to 60 days, and each of the sanctioned employees was required to undergo training in patient privacy rules before returning to work.

Workplace Auditing

-Required by law
-Random and targeted audits of user access to determine:
  Appropriateness of access
  Compliance with NHS's policies
-Some things employers will look for:
  Accessing or changing a patient record outside the scope of a job function
  Accessing a family member's record
  Accessing your own record
  Discarding chart updates

Texting and Email

Do not send patient information in email to people outside of your organization
Do not communicate with patients using email or text without patient consent
Do not send patient information in a text message

HIPAA PRIVACY RULE Permitted uses and disclosures:

1. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.
  Treatment: Provider may use patient's medical records
  Payment: Medical organization may use patient's medical records to generate an insurance claim and obtain payment.
  Health care operations: Case management and care coordination.
2. If the individual authorizes in writing

MINIMUM NECESSARY RULE

A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
-Applies when using or disclosing protected health information (PHI) or when requesting PHI from others: a covered entity must take reasonable steps to limit uses and disclosures of PHI to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request"
-Specific request of medical records
-Send home remaining records with patient.

HIPAA PRIVACY RULE 9. Sharing Immunization Records

A health care provider may disclose proof of immunization about a student or prospective student to a school for those immunizations that are required by state law. With oral or written disclosure from a:
  Parent
  Guardian
  Student, if emancipated minor or adult

HIPAA PRIVACY RULE Covered Entities include

Covered Entities include:
  Doctors (providers), clinics, hospitals, dentists, nursing homes, and pharmacies that transmit information electronically.
  Health plans
  Healthcare clearinghouses: An organization that acts as a go-between for health care providers and health plans. Example: a clearinghouse may take information from a provider and put it into coded format to be used for insurance purposes.

HHS

Department of Health and Human Services

Talking about work

Do not share a patient's name or any other information that may identify him/her with family, friends, or anyone else.

HITECH

Health Information Technology for Economic and Clinical Health Act

HIPAA

Health Insurance Portability and Accountability Act

HIPAA PRIVACY RULE Identifiable: & De-identified data:

Identifiable: Information can be linked to the individual
De-identified data: Has 18 specific identifiers removed and therefore is considered to make the individual who is the subject of the information unidentifiable. This means de-identified data is not protected under the HIPAA Privacy Rule as PHI, and covered entities can use and disclose it more readily.

HIPAA VIOLATIONS Incidental Violations : (& examples)

Incidental Violations: Precautions are taken to safeguard PHI but someone happens to hear or see PHI.
Examples:
  Someone overhearing a conversation with a patient
  Someone catching a glimpse of a patient's information

Protected health information (PHI): (HIPAA PRIVACY RULE)

Information that relates to the patient's past, present, or future physical or mental health or condition; to the provision of health care to an individual; or to past, present, or future payment for the provision of health care to the individual.

HIPAA VIOLATIONS Intentional Violations : (& examples)

Intentional Violations: Careless or deliberate misuse or unauthorized disclosure of PHI.
Examples:
  Accessing patient records without proper authorization
  Revealing patient information to unauthorized persons
  Purposefully altering or deleting health information

Compliance

It is your responsibility to comply with all privacy and security laws, regulations, and policies. If you ignore the rules and carelessly or deliberately use or disclose health information, you can expect:
  Disciplinary action, up to and including termination
  Civil and/or criminal charges.

RECENT PENALTIES (HIPAA)

March 2009
-Massachusetts General employee left records for 192 patients on a train
-Records contained name and medical record number for all 192 patients
-Contained DOB, medical insurer, policy number, diagnosis, and provider names for 66 of the patients
February 25, 2011
-Ordered to pay $1 million resolution fine (max fine is $1.5 mil)
-Must implement a corrective action plan

HIPAA PRIVACY RULE

Right of access
Amendment
Accounting for disclosures
Authorization
Friends and Family
Right to Restriction
Notification of Privacy Practices
Sale, Marketing, and Fundraising
Immunization Records

What is Treatment-Payment-Operations?

TPO: Treatment-Payment-Operations
-Use and/or Disclosure without a signed authorization is allowed for:
  Treatment - providing care to patients.
  Payment - health insurance benefits and premium payment.
  Operations - quality improvement, training, insurance eligibility, etc.
-PHI used outside of TPO is not allowed without a signed authorization.

HHS

US Department of Health and Human Services

HIPAA rules say:

You can't talk about patients outside of the office with anyone, ever.
You should only access the medical information that is needed for your job/clinical experience.
You need patients to give permission before you can give information to others on their behalf.
Keep medical records in a secure place, both paper and electronic.
