The Health Insurance Portability and Accountability Act
What is it? & How will it affect us?
Who Needs Training and Why
Employees who come in contact with Protected Health Information are required by federal law to attend training.
The affected departments are listed later in this presentation.
This presentation is designed to:
Familiarize you with HIPAA regulations
Familiarize you with our policies and procedures regarding protected health information (PHI)
Ensure federal compliance
Our policies will be listed at www.hipaa.cmich.edu
Summary of the Law
To improve portability and continuity of health insurance coverage in the group and individual markets.
To combat waste, fraud, and abuse in health insurance and health care delivery.
To simplify the administration of health insurance, and for other purposes.
What Exactly is HIPAA?
Public Law 104-191 (1996)
Overseen by: Centers for Medicare and Medicaid Services (CMS)
A federal law designed to:
Give patients control over all Protected Health Information (PHI) that might be shared between health care providers and other covered entities
Ensure confidentiality of PHI
Protected Health Information
Protected Health Information (PHI) is any Individually Identifiable Health Information (IIHI) that is:
Created or received by a health care provider, health plan, employer or health care clearinghouse
Related to the past, present or future physical or mental health or condition of an individual
Transmitted in any form or medium
Examples:
Medical charts
Problem logs
Photographs
Communications between professionals
Health insurance policy number
Individual Identifiers (courtesy of www.hipaacow.com)
1. Name
2. Geographic subdivisions smaller than a State: street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of the zip code
3. Dates, except year: birth date, admission date, discharge date, date of death
4. Telephone numbers
5. Fax number
6. E-mail address
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
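As an added illustration (not part of the original presentation), the following Python applies the identifier rules above to a constructed record: direct identifiers are dropped, dates keep only the year, zip codes keep only the initial three digits, and free-text fields are checked for identifier shapes before release. The field names, regex patterns and sample record are assumptions made for the example.

```python
import re

# Direct identifiers from the list above: dropped entirely.
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address", "photo",
}
# Dates keep only the year; zip codes keep only the initial three digits.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")  # assumes ISO YYYY-MM-DD input

# Identifier shapes that commonly leak into free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def scan_free_text(text):
    """Return the names of identifier patterns found in a free-text value."""
    return sorted(n for n, p in FREE_TEXT_PATTERNS.items() if p.search(text))

def deidentify(record):
    """Return a copy of record with the Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue                         # direct identifier: drop the field
        if key in DATE_FIELDS:
            m = DATE_RE.match(value)
            if not m:
                raise ValueError(f"unparseable date in {key}: {value!r}")
            out[key] = m.group(1)            # year only
        elif key == "zip_code":
            out[key] = value[:3]             # initial three digits only
        elif isinstance(value, str) and scan_free_text(value):
            # Free text carrying an identifier needs human review, not a silent drop.
            raise ValueError(f"identifier found in free-text field {key}")
        else:
            out[key] = value
    return out

# Constructed sample record (fictitious values, not real patient data).
SAMPLE = {
    "name": "Jane Example", "ssn": "123-45-6789", "zip_code": "48859",
    "birth_date": "1980-06-15", "admission_date": "2003-04-14",
    "diagnosis_code": "J45", "notes": "Follow up in two weeks.",
}
```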
What entities are covered?
Health Plans
Health Care Clearinghouses
A health care provider who transmits any health information in electronic form
CMU as a Covered “Hybrid” Entity
Hybrid Entity: a single legal entity that is a Covered Entity and whose Covered Functions are not its primary functions.
CMU’s primary purpose is to educate
We also deal with healthcare related procedures
This “theory” allows us to apply HIPAA to specific areas
CMU as a Covered “Hybrid” Entity
Departments Affected
HR Comp and Benefits: Self-funded Dental and Prescription Plan – a covered entity because it is a health plan
University Health Services – a covered entity because it is a provider who bills electronically for care and devices
Communication Disorders: Speech Pathology and Audiology – a covered entity because it is a provider who bills electronically for care and devices
HIPAA Inside the “Hybrid”
Internal support entities:
General Counsel
Internal Audit
Accounts Receivable
Faculty Personnel
Human Resources – Employee Relations
These areas deal with disciplinary regulations, grievances, or healthcare related transactions. It is not advantageous for these areas to have to obtain prior authorization before reviewing a file.
HIPAA Inside the “Hybrid”
Possible future covered entities:
1. Physician Assistant Program
2. Psychology clinic
3. Physical Therapy Program
As of now they are not billing electronically and are therefore not covered entities.
HIPAA outside the “Hybrid” – therefore not covered:
Information Technology
Special Olympics
International Student Services
Office of International Education
Student Disability Services
Where does the information come from and/or go to? If it is not received from or sent to a provider or plan, then it is not considered PHI.
HIPAA vs. FERPA
FERPA – The Family Educational Rights and Privacy Act
Protects students’ rights regarding their education records
Unique to universities
Especially relevant to CMU’s UHS and CDO
We serve employees, students, and members of students’ families – all as patients
HIPAA vs. FERPA
Disclosures are not consistent between the two
Must treat student records and all other records differently
This is extremely difficult, but do-able
The necessary Directors will have a “Flow Chart” regarding proper procedures for the two
Four Components of HIPAA’s Administrative Simplification
1. Transaction Standards & Code Sets
2. Security & Electronic Signature Standards
3. National Provider Identifier
4. Privacy Rule – the concentration of this presentation
Together these are intended to:
Create a uniform method of electronic communication
Guard data integrity, confidentiality, and availability
Ensure that Protected Health Information (PHI) is kept confidential
Privacy Rule
All covered entities must be in compliance by 4/14/03.
There are no exclusions or extensions available and no paperwork to submit to prove compliance.
Privacy Rule
Establishes safeguards to protect the confidentiality of medical information
Gives patients more control over their health information
Limits release of information to the minimum necessary
Sets boundaries on the use and release of health records
Privacy Rule
Enables patients to find out how their information may be used and what disclosures of their information have been made to any business associates or other parties
Gives patients the right to examine and obtain copies of their own health records, and to request corrections
Privacy Rule - Consent
The Privacy Rule was most recently amended on 8/14/02.
Consent to use and disclose protected health information for treatment, payment, or health care operations (TPO) is not required; it is optional for all covered entities.
Privacy Rule - Consent
A covered entity must make a “good faith effort” to obtain a written acknowledgment of receipt (from the patient) of a facility’s Notice of Privacy Practices (NPP) at the earliest possible encounter.
If the patient refuses to sign, the provider needs to show that every effort was made to obtain a signature.
The NPP can be a summary statement of the provider’s comprehensive NPP with reference to the entire NPP being available to the patient for examination.
The NPP must be visibly posted at all times.
Privacy Rule - Consent
Covered entities are not prohibited from obtaining consent and have complete discretion in designing their individual consent process.
State law requirements may be more stringent and therefore supersede the federal requirements.
Notice of Privacy Practices
The NPP reflects your dedication to privacy and must be available for patient review
Copies of the NPP must be on display in each waiting room
Written copies of the NPP must be available on request
A copy of the NPP needs to be posted on the web site
The NPP informs patients that you will not release their PHI except as stated in your Notice
Notice of Privacy Practices
The NPP states you are required to abide by the terms of your current Privacy Notice
The NPP instructs patients how to file a privacy complaint
The NPP indicates how you will send information (mail, fax, electronic, etc.)
You must make a “good faith effort” to obtain a patient’s written acknowledgment of receipt of the notice.
Consent & Authorization
Consent
A general document giving health care providers permission to use and disclose all PHI for treatment, payment or health care operations (TPO).
It gives permission only to the provider, and not to any other person or business associate.
Not required, but optional.
Authorization
A customized document giving covered entities permission to use specified PHI for specified purposes, or to disclose specified PHI to a third party.
It is more specific and detailed than consent, and it is usually time sensitive.
Authorization
Authorization is required for uses and disclosures of PHI for purposes that are not otherwise permitted or required under the Privacy Rule.
Examples:
3. Sale of patient mailing lists
4. Disclosing information to employers for employment decisions
5. Disclosing information for life or disability insurance
Authorization
Covered entities are required to document and retain authorizations and to provide individuals with a copy of the signed authorization form.
Patients will need to grant authorization in advance for each type of use or disclosure.
HIPAA Privacy Rule Facts
The rules apply to all oral, written, or electronic records of covered entities.
HIPAA prohibits the use of records for marketing without prior, specific authorization by the patient.
PHI that has been de-identified is not subject to the Privacy Rule.
A HIPAA team must be appointed by each covered entity.
The facility’s Notice of Privacy Practices (NPP) should be posted in public (on the web site and in waiting rooms), with copies available on request.
HIPAA Team
Must assign a Privacy Officer
Should assign an Electronic Transaction Officer
Must assign a Security Officer
HIPAA Privacy Officer
Must have authority and independence
Is responsible for developing and implementing the HIPAA compliance plan
Is responsible for enforcement and sanctions
Designates contact persons responsible for receiving complaints and monitoring patient contacts
Campus Wide Planning
Knowledge
Initial training of the workforce
Policy revision and drafting: the list is endless
Firewall and software development, implementation and testing
Ongoing analysis and refinement
Preparing for HIPAA Compliance
1. Enter into new contracts with Business Associates (BA)
2. Develop Written Policies & Procedures
3. Documentation Procedures
4. Conduct a site survey of your own facility
5. Site Survey Q’s for your own facility
Preparing for HIPAA Compliance
Enter into new contracts with Business Associates (BA)
BAs are persons who perform a function or activity involving the use or disclosure of IIHI.
Covered entities will be allowed to share PHI with a BA, provided that a written agreement safeguarding such information from misuse is signed by both the provider and the BA.
If an entity is subject to HIPAA, a contract is not needed with another covered entity.
Preparing for HIPAA Compliance
Enter into new contracts with Business Associates (BA)
Types of Business Associates:
Claims processing or administration
Data analysis, processing or administration
Utilization review
Billing
Benefit management
Computer work
Legal work
Actuarial work
Accounting work
Transcriptionists
Accreditation work
Cleaning service
Consulting work
Marketing
Preparing for HIPAA Compliance
Develop Written Policies & Procedures
Decide who is responsible for determining “minimum necessary” data
Develop a records management plan
Determine who will keep records
Determine how records will be kept
Teach proper documentation
Preparing for HIPAA Compliance
Documentation Procedures
Create record logs:
Log information given in response to patient authorization
Log information given in response to legal requests for PHI
Log patient requests for amendments or restrictions to your Privacy Policy
Records of PHI disclosures must be kept a minimum of 6 years.
Preparing for HIPAA Compliance
Conduct a Site Survey of Your Own Facility
Walk through the facility from the patient’s point of view.
Look for visible or audible PHI, including information on tables and desks, in waste cans, on computer monitors, on fax machines, or overheard on telephones.
Preparing for HIPAA Compliance
Site Survey Q’s for Your Own Facility
Are patient records secure?
Are there individual and unique passwords assigned for computer systems?
Are collection calls or calls regarding other PHI made in a private location?
Why should we care about the HIPAA rules?
CMU is a hybrid entity: some parts of the university must comply fully as a covered entity (e.g. Speech & Hearing Clinics), other portions are not affected at all by HIPAA (e.g. English Dept.), and other parts are indirectly affected (e.g. Accounts Receivable).
As a single, hybrid entity, if any one part of the university is found to be out of compliance, all other covered parts can be investigated.
HIPAA is designed to empower the patient/consumer.
HIPAA ideally will minimize cost over the long term.
Why should we care about the HIPAA rules?
Criminal Penalties
Failure to comply: fine and possible exclusion from Medicare
Wrongful disclosure: $50,000, imprisonment of up to one year, or both
Offense under false pretenses: $100,000, imprisonment of up to five years, or both
Offense with intent to sell information: $250,000, imprisonment of up to ten years, or both