HIPPA
Request Restrictions
* Individual has right to ask for restrictions on uses and disclosures of PHI for TPO (Treatment, Payment, Health Care Options). *We are not required to agree to restrictions, but must flow if we do agree. * We need authorization for most uses/ disclosures other than TPO.
Notice of Privacy Practices (Privacy Notice)
REQUIREMENTS *Describes our legal responsibilities for maintaining privacy of PHI * Describe how we will use/ disclose PHI *Given to each patient at first service or encounter after 4/14/03 * Detailed description of privacy rights
Confidential Communications
* Individual has right to request confidential communication of health information at another address or phone number. * We must Grant request if it is reasonably easy.
HIPPA Definitions
(TPO) Treatment, Payment & Health Care Operations *Treatment - the provision, coordination or management of healthcare and related services by one or more healthcare providers, care coordination, case management, consultation between health care providers and referral from one health care provider to another. *Payment - activities of a covered entity to obtain or provide reimbursement for the provision of health care. *Health Care Operations - operations necessary to run the organization EXAMPLE: Quality assessment and improvement activities, legal services, auditing functions, business planning, general management activities, customer service, satisfaction surveys, etc.
Authorizations
* Needed for uses and disclosures of PHI other than for TPO (Traetment, Payment, and Health Care Options). * Exceptions : disclosures required by law ( disease reporting, suspected child abuse, court order). TEN REQUIRED ELEMENTS UNDER HIPPA *May be revoked by the individual in writing * Must have time limit (or expiration date) * Written in plain language * We generally may not refuse to treat an individual who refuses to sign authorization *Often coordinated through Medical Records departments, such as Health Information Management at Community Health Network or at any physician /employer facility. AUTHORIZATIONS EXAMPLES : * Birth Announcements to newspapers * use of patients photograph in pamphlet * marketing activities * release of names and type of injuries of accident victims to media * drug screen results sent to employer * PHI requested by lawyers
Business Associate
* Use or disclose PHI to perform work for or on behalf of the our Employer. *Minimum Necessary applies. *May only use or disclose PHI as stated in contract.
Other Elements
* many mandatory statements make the Privacy Notice very long. * we have added a Summary that outlines key points in Privacy Notice * You will see and recognize Privacy Notice in prominent places in all our employers facilities. * Patients will ask employees what the privacy notice means - be prepared to answer.
Patient/ Individual Rights
*Access *Accounting of Disclosure *Amendment of PHI *Confidential communications *Request restrictions *Receive Notice of Privacy Practices PATIENTS HAVE THE RIGHT TO: *Accounting of disclosures *Listing of breaches of privacy of their PHI *Right to request restriction of disclosures *Right to limit the use of patients PHI * Right to request an amendment *Right to request inaccurate information in medical record be corrected.
Penalties for Violations
*Civil fines $100 per violation up to $25,000/year. *Criminal penalties up to $250,000 and 10 years in prison for violations for personal gain, malicious harm or commercial benefit.
Why New Privacy Rules?
*Concerns about privacy of health information with increased e-commerce. *Many different State laws HIPPA privacy rule allows us to use and disclose PHI (protected health information for treatment, payment and health care operations purposes).
HIPPA Applies To
*Employees *Physicians *Volunteers *Employees of other companies, who work primarily for a network, are on-site, and who work under a network control
What is HIPPA
*HIPPA = Health Insurance Portability and Accountability Act of 1996. *Insurance reform *Changed practices of health plans & insurers regarding PORTABILITY and CONTINUITY of health coverage *Includes rules for privacy of Heath information, effective 4/14/03 *Training mandatory for all Harrison College medical students *Applies to Medicare, Medicaid, insurance companies, health care providers, hospitals, physicians, dentist, clinics, surgery centers and etc.
Amendment of PHI
*Individual has right to amend PHI (protected health information) that is incorrect. * If information in record is correct, we do not have to amend. * Rights for internal review of a denial to individuals request for amendment.
Receive Notice of Privacy Practices
*Individual has right to know how we will use & disclose her PHI * Privacy Notice given at first service on or after 4/14/03. *We will offer Privacy Notice at subsequent encounters and when Privacy Notice is revised. * This is a new document and given to all individuals/ patients in order to inform them of how we will use or disclose their Protected Health Information (PHI).
Access
*Individuals have the right to review and copy their health information and records. * Requests flow through Medical Records departments such as Health Information Management at Community Health Network or patient file at physician /employer office.
What is HIPPA
*the HIPPA privacy rule states that uses and disclosures of Protected Health Information (PHI) should be limited to the minimum necessary *Minimum necessary can be summarized: Protected Health Information used or disclosed should be limited to what they "need to know" in order to perform their jobs!
The HIPPA Privacy Rule
Administrative Requirements *Privacy Officer *Sanctions for Violations *Documentation *Policies & Procedures *Safeguards
HIPPA Definitions
Business Associate *A person or entity who performs a function for or on behalf of a covered entity; *Function involves the use or disclosure of PHI ( Protected Health Information). *a business Associate of a network such as Community Health Network, would be the hospital's accrediting entity JCAHO.
HIPPA Definitions
Covered Entity *Health Plan *Health Care Clearinghouse *Health care provider who transmits any health information in connection with a standard transaction listed in the HIPPA Privacy Rule.
Marketing
Definition- to make a communication about a product or service t hat encourages an individual to buy or use the product or service. MARKETING Does not include communications * To describe entities or providers participating in the Network or providers of physicians / employers. * To describe if services or payment are covered under health insurance. * For treatment of the individual. * For case management or to recommend alternative therapies, treatments, or health care providers for the individual. PHI (Protected Health Information) Cannot be used or disclosed for marketing purpose without the specific authorization of the individual.
Security
Electronic security ( passwords, encryption and access rights). Physical security ( locked file cabinets and offices, patient charts in. Secure area). How is PHI protected in Palm pilots, laptops computers, digital display pagers and telephones? HIPPA Security Rule effective X/X/XX.
Accounting of Disclosure
Individuals have the right to know to whom we have released their PHI * Requires tracking of : < unintended disclosures ( Fax to wrong number) < other breaches ( employee look at friends medical records) < disclosures not requiring authorization ( communicable disease reporting; birth and death reporting, etc.)
HIPPA Definitions
Minimum Necessary *Minimum Necessary = Need to know *Requirements to limit the requests for, or use or disclosure of PHI ( protected Health information) to the minimum necessary to accomplish the intended purpose of the request, use or disclosure.
Minimum Necessary
Minimum Necessary = Need to know We must access only the PHI we need to know to do our jobs. * Applies to all PHI, whether in electronic, written or oral form * Access to PHI is determined by the individual's job duties and the minimum access necessary to do the job.
HIPPA Defintions
Protected Health Information (PHI) *Individual (patient) identifiable information relating to the past, present or future health condition of the individual. * All information whether maintained in electric, paper or oral format. *Courtesy of SHIP May 2001
Other Key Policies, Procedures and Forms
Sanctions for Violations Employees who violate Network and Harrison College policies and HIPPA privacy rights are subject to disciplinary action up to and including termination on extern site or employer site. Businesses associates may have contracted terminated. Civil actions under state laws.
Uses and Disclosures of PHI- Protected Health Information
Treatment, Payment, or Operations (PTO) * May share PHI with third parties for purposes of TPO ( Treatment, Payment, Health Care Options). * Does not require specific authorization from the individual.
Requirements
We must make good faith effort to get the individuals written Acknowledgement of receipt of our Privacy Notice.
Privacy Resources
Who do I ask if I have privacy questions or concerns about possible privacy violations? Your instructor www.hhs.gov/ocr/hipaa Www.cms.hhs.gov/hipaa
Accounting of Disclosure
individual may request accounting of disclosures for 6 years before to the date of the request. We must act on the request within 60 Days. ACCOUNTING DISCLOSURES INCLUDES: * Unintentional disclosures (Fax sent to wrong number, e-mail sent to wrong address). * Other breaches ( employee looks at neighbors medical records). *Disclosures required or allowed by law (disease reporting, birth certificates, domestic violence reporting). *Includes disclosures made by businesses associates. *Does not include disclosures made through the patient directory, to the individual, to parties specified in an authorization, to law enforcement or for national security. * Provided in writing. The accounting will include for each discloser : The date of the disclosure; The name and address of the entity or person who received the PHI A brief description of the PHI disclosed. A brief statement of the purpose of the disclosure.