HIPAA Training

Published on May 2016 | Categories: Documents | Downloads: 24 | Comments: 0 | Views: 235

An Overview of HIPAA

Health Insurance Portability and Accountability Act – 1996
Rosie Callender, RHIA, HIPAA Project Manager, Morehouse School of Medicine Compliance Office

TOPICS COVERED:
• What is HIPAA?
• HIPAA Overview
• Title II – Administrative Simplification Provisions
• HIPAA Objectives
• Who Must Comply with HIPAA – “Covered Entities”
• Penalties for Non-compliance / Enforcement Agency
• What information is protected by HIPAA
• Permitted Uses and Disclosures
• HIPAA Privacy Rule – Key Elements

WHAT IS HIPAA

Health Insurance Portability and Accountability Act of 1996

HIPAA OVERVIEW
Health Insurance Portability and Accountability Act (HIPAA)

Two main parts:
• Insurance Reform (Portability)
• Administrative Simplification (Accountability)

Administrative Simplification components and deadlines:
• Transactions, Code Sets – Compliance by 10/16/03
• Privacy – Compliance Date: 4/14/2003
• Security – Final Regulations Published on 2/20/03; Compliance Date: 4/20/2005
• National Provider Identifiers – Published 1/23/04; Effective 5/23/05; Compliance by 5/23/07

TITLE II - ADMINISTRATIVE SIMPLIFICATION PROVISIONS

Administrative Simplification
• Electronic Data Transmission
  – Transaction
  – Code Sets
  – Identifiers
• Data Protection
  – Security
  – Privacy

HIPAA Objectives
• Insurance portability and continuity – Protect insurability of individuals
• Accountability – to reduce the potential for waste, fraud & abuse
• Administrative Simplification – to apply uniform standards to electronic data transactions in a confidential and secure environment.

Expected Results of Administrative Simplification
• Reduce handling and processing time
• Eliminate the risk of lost paper documents
• Eliminate the inefficiencies of handling paper documents
• Improve overall data quality / fewer errors
• Decrease administrative costs
• Increase faith in the protection of patients’ personal health information
• Thus, improve quality of patient care!

What is HIPAA?
A Federal Law Created in 1996
HIPAA = Health Insurance Portability and Accountability Act
• H = Health
• I = Insurance
• P = Portability and
• A = Accountability
• A = Act

Administrative Simplification components: Electronic Transactions, Privacy, Security, Code Sets, Unique Identifiers

WHY HIPAA?
Healthcare Fraud and Abuse on the Rise
(Illustration captioned “TEMP DUMP MEDICAL RECORDS”)

Who must comply with HIPAA – “COVERED ENTITIES”
• Health care providers that transmit or maintain patient identifiable information
• Health plans that provide or pay the cost of medical care, including Medicare and Medicaid
• Health care clearinghouses that process data elements or transactions
• Employees (indirectly)

Covered Entity
• Provides health care
• Conducts one or more standard HIPAA transactions
• Transmits or receives standard transactions in electronic form, or has this performed through a Business Associate

HIPAA Privacy Rule – Key Elements
Business Associates (BA)
A person or entity that, on behalf of a Covered Entity, accesses and uses PHI to perform, or assist in the performance of, a function or activity for the CE.

Does not include a member of the workforce or volunteers.

Business Associate Agreement
• Must have a contract requiring the BA to keep PHI safeguarded
• Contract must have the required elements described in the regulations
• Must include other HIPAA-related risk/liability
• Does not apply to disclosure of PHI to providers for treatment
• If the CE becomes aware of a violation by the BA and fails to act, it can be penalized
• Existing contracts will not have to be compliant until 4/14/2004

HIPAA ELECTRONIC TRANSACTIONS
An entity is regulated by the Privacy Rule as a Covered Entity if it does any of the following electronically:

1. Claims or equivalent encounter Information
2. Payment and Remittance Advice
3. Claim Status Inquiry and Response
4. Eligibility Inquiry and Response
5. Referral Certification and Authorization Inquiry and Response
6. Enrollment and Disenrollment in a Health Plan
7. Health Plan Premium Payments
8. Coordination of Benefits

STANDARD CODE SETS

• Combination of HCPCS & CPT-4 – Physician services and other health care services
• HCPCS – Medical supplies, orthotics & other equipment
• ICD-9-CM, Vols 1 & 2 – Conditions and other health problems & manifestations
• Code on Dental Procedures and Nomenclature (CDT) – Dental services
• NDC – National Drug Codes – Drugs/Biologics

NOTE: Local codes are replaced by standard codes.

PENALTIES For Non-compliance
CIVIL PENALTIES
• Single violation of a provision – Monetary penalty: $100; Term of imprisonment: N/A
• Multiple violations of an identical requirement or prohibition made during the calendar year – Monetary penalty: Up to $25,000; Term of imprisonment: N/A

CRIMINAL PENALTIES
• Wrongful disclosure of individually identifiable health information – Monetary penalty: Up to $50,000; Term of imprisonment: Up to one year
• Wrongful disclosure of individually identifiable health information committed under false pretenses – Monetary penalty: Up to $100,000; Term of imprisonment: Up to five years
• Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm – Monetary penalty: Up to $250,000; Term of imprisonment: Up to 10 years

Enforcement Agency
Department of Health and Human Services Office of Civil Rights (OCR) will:
• investigate complaints
• enforce compliance
• impose civil monetary penalties

Department of Justice will:
• enforce criminal penalties

Center for Medicare and Medicaid (CMS) will:
• oversee compliance with Transaction Code Sets and Identifiers

HIPAA PRIVACY RULE – Key Elements
WHAT IS COVERED?
Protected Health Information (PHI)
• Individually identifiable health information
• Transmitted or maintained in any form or medium

Individually Identifiable Health Information
• Health information, including demographic information
• Created or received by a covered entity
• Relates to the individual’s physical or mental health or provision of, or payment for, health care
• Identifies the individual

HIPAA PRIVACY RULE – Key Elements
Individually Identifiable Health Information
• Name
• All geographic subdivisions smaller than state
• Birth date
• Telephone/Fax numbers
• E-mail addresses
• Social Security Number
• Medical Record Number
• Health Plan Number
• Account Number
• Certificate / license number
• Vehicle identifier/serial number
• Device identifier/serial number
• Uniform Resource Locators (URLs)
• IP addresses
• Biometric identifiers
• Photos
• Other unique characteristics
• Full face photograph

HIPAA PRIVACY RULE – Key Elements
WHAT IS NOT COVERED?
Not PHI
• Employment records
• Family Educational Rights and Privacy Act (FERPA) records
• De-identified Records:
  – Removal of certain identifiers so that the individual who is the subject of the PHI will no longer be identified
  – A statistical expert determined that the risk of identification is small
  – The facility may assign a code or other means to allow for re-identification
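As an added illustration of the de-identification described above (the identifier list and the facility-held re-identification code), here is example code that is not part of the original presentation. The record field names, the regular expressions for free-text scrubbing and the facility secret are all constructed for this example; the re-identification code is a keyed HMAC so that only the facility holding the key can re-link a record.

```python
import hashlib
import hmac
import re

# Direct identifiers named in the slide's list; the field names used here
# are an assumption about the record layout, not a HIPAA-defined schema.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "zip", "birth_date", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_number", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}
# Allowlist: only these fields survive, so an unknown field is dropped rather
# than leaked. State-level geography is kept; anything smaller is removed.
KEEP_FIELDS = {"state", "diagnosis", "visit_year"}

# Assumption: a secret held by the facility and never shipped with the data set.
REID_KEY = b"facility-reid-key-CONSTRUCTED-EXAMPLE"


def reid_code(mrn: str) -> str:
    """Keyed pseudonym for the medical record number: the facility can
    recompute it to re-identify, but a recipient cannot invert it."""
    return hmac.new(REID_KEY, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict) -> tuple:
    """Return (de-identified record, facility-only link back to the MRN)."""
    code = reid_code(record["mrn"])
    clean = {k: v for k, v in record.items() if k in KEEP_FIELDS}
    clean["reid_code"] = code
    # Free text can carry identifiers too; scrub SSN, phone and e-mail patterns.
    notes = record.get("notes", "")
    notes = re.sub(r"\b\d{3}-\d{2}-\d{4}\b", "[SSN]", notes)
    notes = re.sub(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b", "[PHONE]", notes)
    notes = re.sub(r"\S+@\S+", "[EMAIL]", notes)
    clean["notes"] = notes
    link = {"reid_code": code, "mrn": record["mrn"]}  # stored separately by the facility
    return clean, link


def has_direct_identifier(record: dict) -> bool:
    """Check used before release: no direct-identifier field may remain."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = {"name": "Sample Patient", "mrn": "MRN-0001", "city": "Atlanta",
              "state": "GA", "ssn": "123-45-6789", "diagnosis": "J18.9",
              "notes": "call 404-555-0100 or nurse@example.org"}
    released, link = deidentify(sample)
    print(released, has_direct_identifier(released))
```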

HIPAA PRIVACY RULE – Scope
• Consumer control of information
• Patient privacy rights defined
• Boundaries of Medical Record Usage
• Access controls to information
• Security measures for patient information
• Assignment of Privacy Officer
• Business Associate contracts

IMPACT ON PROVIDERS
OPERATIONAL
• New Administrative and Clinical Procedures (Example: billing, operations, coding, claims processing)
• Contracts and/or Chain of Trust Agreements (Example: providers, payers, clearinghouses, other healthcare service companies)

MANAGERIAL
• Leadership & Support
• New or Revised Policies and Procedures
• Training of Staff

TECHNOLOGICAL
• Interoperability (hardware, software, connectivity)
• Vendor Management
• Security Infrastructure

Maintain a HIPAA-compliant Environment
• Make obvious changes as soon as possible
• Protect your patients’ privacy and rights
  – Don’t leave medical information where people can see it
  – Control access to your department
  – Don’t leave information on desktops
  – Use a screen saver
  – Identify patients properly before giving information
  – Lock your desktop when you leave it, even to run to the copier
  – Can others overhear PHI when you speak on the telephone?
  – Can passers-by easily read your computer screen?

HIPAA Privacy Rule – Key Elements
Notice of Privacy Practices
An individual has a right to adequate written notice of:
• uses and disclosures of PHI that may be made by the covered entity, and
• the individual’s rights and the covered entity’s legal duties with respect to PHI
• Must be given by direct treatment providers on first service delivery after the compliance date
• Written Acknowledgement of Receipt of Notice

HIPAA Privacy Rule – Key Elements
Individual Rights
• Access, copy, inspect
• Request amendments/corrections
• Restrict disclosures
• Request confidential communications
• Accounting of disclosures
• Information on how to file a complaint

HIPAA Privacy Rule – Key Elements
Designated Record Set
A group of records maintained by or for a covered entity that may include:
• Medical records
• Billing records
• Enrollment, payment, claims adjudication, case or medical management record systems

Used by the covered entity to make decisions about individuals.

HIPAA Privacy Rule – Key Elements
Uses and disclosures of PHI

Required Disclosures
• To individuals who request access, and accounting of disclosures
• To HHS to investigate or determine compliance with the Privacy Rule

Permitted Disclosures
• To individuals
• For treatment, payment and health care operations
• Public policy purposes
• Family, friends & advocates / opportunity for the individual to agree or object
• Incidental disclosures
• Limited Data Set

Authorized Disclosures
• For other uses or disclosures not required nor permitted
• Special rules for marketing and psychotherapy notes

Commonly Used Terminology
TPO
- Treatment of patients
- Payment for treatment
- Health Care Operations

Commonly Used Terminology
Health Care Operations
Activities related to the Covered Entity’s functions:
• Quality assessment and improvement activities
• Reviewing the competence and qualifications of health care professionals
• Conducting training programs in which students and trainees learn under supervision
• Conducting medical reviews, legal services, and auditing functions
• Business planning and development
• Business management and general administrative activities
• Customer service
• Resolution of grievances
• Creating de-identified information or a limited data set

HIPAA Privacy Rule – Key Elements
Minimum Necessary Standard
• Must make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended use. Exceptions:
  – Treatment
  – Disclosure to the individual
  – Disclosure to HHS/OCR, or
  – Required by law
• Permits incidental uses or disclosures as long as reasonable safeguards are in place.
• Role-based access. In the workplace, access to health information should be on a need-to-know basis.

HIPAA Privacy Rule – Key Elements
Privacy Complaints
• CE must provide a process for individuals to make complaints concerning the CE’s policies and procedures and its compliance with the Privacy Rule.
• Complaints can be filed with the CE or DHHS/OCR.

HIPAA Privacy Rule – Key Elements
Other Requirements:
• Privacy Training
• Safeguards
• Mitigation process
• Policies and procedures in place
• Sanction process

HIPAA & RESEARCH
• Access to PHI by researchers:
  – With Authorization obtained from the patient;
  – Without Authorization:
    • Documented IRB approval of a Waiver of Authorization (submit justification)
    • Preparatory to research
    • Research on PHI of Decedents
    • Limited Data Sets with a Data Use Agreement
  – De-Identified Information (not covered by HIPAA)

HIPAA & RESEARCH
References:
• MSM HIPAA Website: http://www.msm.edu/hipaa/index.htm
• Office of Civil Rights (OCR): http://www.hhs.gov/ocr/hipaa
• National Institutes of Health: http://privacyruleandresearch.nih.gov
• American Health Information Management Association: http://www.ahima.org
• OCR Frequently Asked Questions: http://www.hhs.gov/ocr/hipaa/whatsnew.html
• Summary of HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacysummary.pdf

Specific Security in Privacy
Effective compliance with the Privacy regulations depends on the security of patients’ PHI.

• Role-based access is required under the minimum necessary rule
• Verification and authentication of individuals and authorities requesting PHI
• Security required by the Privacy Rule applies to PHI in all forms

Definitions for Privacy & Security
Privacy is the right of an individual to keep information about him/her from being disclosed to others.

Confidentiality is the obligation of another party to respect privacy by:
- Protecting personal information they receive, and
- Preventing it from being used or disclosed without the subject’s knowledge or permission.

Security is the means used to protect the integrity, availability and confidentiality of information: physical, technical and administrative safeguards.

Specific Security in Privacy
HIPAA Security standards address organizational and facility security, not just Information Systems. Requirements in four areas address health care data integrity, confidentiality and availability:
1. Administrative procedures
2. Physical safeguards
3. Technical security services
4. Technical security mechanisms

The HIPAA Security standards protect all e-PHI (electronic protected health information).

HIPAA Security (cont’d)
What is Information Security?
All protections in place to ensure that PHI is:
• kept confidential (confidentiality)
• not improperly altered or destroyed (integrity)
• readily available to authorized users (availability)

These principles represent the heart of any information security program.

HIPAA Security (cont’d)
The HIPAA Security standards provide the mechanisms that support efforts to protect privacy. They cover information:
• on hard drives
• on removable/transportable digital memory media (magnetic tape/disk)
• transported electronically via the internet, e-mail or other means.

YOUR RESPONSIBILITIES
1. Properly manage your password;
2. Prevent the spread of viruses;
3. Properly dispose of material with PHI (hard copy);
4. Contact DITS to clear disks and hard drives of all PHI before selling or giving a computer to another user;
5. Protect your system from outside threats (hackers, malicious software);
6. Do not use unauthorized software or hardware;
7. Follow the organization’s policies regarding the use of PDAs and laptops;
8. Be familiar with the organization’s Information Security policies;
9. Use common-sense security.

HIPAA Web Sites
• HHS Administrative Simplification Page: http://aspe.os.dhhs.gov/admnsimp
• American Health Information Management Association: http://www.AHIMA.org
• Office of Civil Rights - HIPAA: http://www.hhs.gov/ocr/hipaa/privacy.html
• CMS Website: http://www.cms.hhs.gov/hipaa/hipaa2/
• Workgroup for Electronic Data Interchange: http://www.wedi.org
• OCR Guidelines to Final Regulations (12/04/2002): http://www.hhs.gov/ocr/hipaa/guidelines/AllSectionsCombined.doc
• MSM HIPAA Website: http://www.msm.edu/hipaa/index.htm

QUESTIONS?
Rosie Callender, RHIA, HIPAA Project Manager, Morehouse School of Medicine Compliance Office, 22 Piedmont Road, Atlanta, GA 30303, (404) 756-1345, [email protected]
