HIPAA Privacy Training
HIPAA Background
- Health Insurance Portability and Accountability Act of 1996
Copyright 2010 MHM Resources LLC

Portability
- Part One – Portability, access, and renewability requirements

Administrative Simplification
- Part Two – Administrative Simplification
- Standards for the maintenance and transmission of health information

Privacy
- Part Three – Privacy
- The privacy regulations govern how individually identifiable medical information must be protected.

Security
- Part Four – Security
- Regulates how health plans and other covered entities that electronically maintain or transmit PHI implement reasonable and appropriate safeguards for the availability and protection of electronic protected health information (PHI)

Breach Notification
- Part Five – Breach Notification
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Outlines how affected individuals must be notified if there is a breach of their “unsecured” PHI
- Disclosure Log
- Effective September 23, 2009

Flexible Benefit Plans
- The Health Flexible Spending Account (FSA), i.e. the unreimbursed medical portion of a cafeteria plan, and a Health Reimbursement Arrangement (HRA) are considered health and welfare benefit plans.

HIPAA Definitions – Covered Entity
- A healthcare provider that conducts certain transactions in electronic form
- A healthcare clearinghouse
- A health plan, which includes all of the employer's welfare benefit plans, such as health insurance, a Health FSA within a cafeteria plan, and any HRAs

HIPAA Definitions – Employers
- If you are an employer, you are generally not a covered entity. Employees, the plan, and its Business Associates may not freely share information with the employer unless firewalls exist to contain the information.

HIPAA Definitions – Covered Transactions
- Healthcare or dental claims administration
- Healthcare eligibility
- Benefits enrollment and maintenance
- Payroll deduction and group premium payment
- Retail pharmacy transactions

HIPAA Definitions – Business Associate
- A person, business, or agency that conducts covered transactions for another legal entity.

HIPAA Definitions – Business Associate Agreement
- The health plan must enter into a Business Associate Agreement with each of its Business Associates.

HIPAA Definitions – Protected Health Information (PHI)
- Individually identifiable medical information in any form, including oral communication, that is created or received by a covered entity or employer.

HIPAA Definitions – Breach of Unsecured PHI
- A breach is the unauthorized access, use or disclosure of unsecured PHI.
- To count as secured, PHI must be encrypted or destroyed
- This applies to PHI in motion, in use, and at rest
- Access controls alone do not make PHI secure

HIPAA Definitions – Significant Risk of Harm to the Individual
- Immediate steps were taken to obtain a guarantee that the PHI will not be used or disclosed
- PHI was returned prior to being accessed
- Determine the type or amount of PHI disclosed

HIPAA Overview
- Individuals “own” their PHI
- HIPAA defines what PHI is
- The privacy notice tells employees how their PHI will be used and disclosed. No other notice is required
- The privacy notice gives employees certain rights to their PHI

Where Does PHI Come From?
- Mail
- Fax
- Front desk
- Phones
- Electronically
- Orally, in person

Who Can See PHI?
- Covered entities with privacy policies in place
- Business Associates that have signed Business Associate Agreements in place with the covered entities and also have privacy policies in place
- Individual employees may review and change their own PHI

When Can You Reveal PHI?
- Healthcare operations
- Payment
- Treatment
- As permitted or required by law
- Pursuant to an authorization

When Can You Reveal PHI? (continued)
- Identify the individual with whom you are speaking
  - Verify SSN, gender, birth date, and/or address
- Authorization signed by the participant
- “Minimum Necessary” standard
  - Reveal only the minimum necessary information when releasing information

Applies to All Covered Entities
- Employers are generally not covered entities
- A covered entity may not freely share an individual's PHI with the employer or a non-health plan.

Protect PHI in Your Office
- Train all workers with access to PHI
- Don’t enter PHI into a software system or program unless the information is encrypted while at rest or in transit
- Create a “clean desk” policy
- Store PHI under lock and key
- Don’t discuss an individual’s health information in public
- Identify callers

Protect PHI in Your Office (continued)
- Letters to participants should not contain their SSNs
- Offsite storage
  - Retain a complete list of claim forms, etc. held offsite
  - Use security tape on boxes to reveal unauthorized entry
- Trash
  - Shredding

Protect Participants’ Privacy
- Right to inspect and copy
- Accounting of disclosures
- Amend
- Request restrictions
- Request confidential communications
- Right to receive a paper copy of the privacy notice

Employers
- The employer puts in place HIPAA privacy policies and procedures
- Plan documents and Summary Plan Descriptions for all employer-sponsored health plans
- Assign a HIPAA Compliance Official
- The employer must certify to the plan that the HIPAA privacy rules are being followed

Employers (continued)
- The health plan must distribute a notice of privacy practices to employees
- Business Associate Agreements must be in place
- Train the workforce on HIPAA compliance
- Train the workforce on breach reporting

Breach Notification – Accounting for Disclosures of PHI
- PHI may be disclosed for public policy and safety reasons and for the other mandatory disclosures listed below without an individual’s authorization
- These disclosures must be logged, since they were made without the individual’s knowledge. The disclosure log must be made available to the individual upon request.
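As an added illustration of the accounting-of-disclosures requirement just described (example code written for this page, not MHM Resources' own material), the following Python sketch records only those disclosures made without the individual's knowledge, and releases the accounting only after the caller has been identified, as the "Identify the individual" and "Minimum Necessary" slides require. The purpose categories, the sample disclosures and the rule that two matching attributes identify a caller are assumptions made for the example, not statements from the deck.

```python
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Purpose categories are an assumption made for this example, following the
# deck's lists. Treatment, payment, healthcare operations and disclosures made
# under a signed authorization are known to the individual and are not logged.
# Public-policy and other legally mandated disclosures happen without the
# individual's knowledge, so they go into the disclosure log.
KNOWN_TO_INDIVIDUAL = {"treatment", "payment", "healthcare_operations", "authorization"}
LOGGED = {"public_policy", "required_by_law"}


def needs_accounting(purpose: str) -> bool:
    """True if a disclosure for this purpose must be recorded in the log."""
    if purpose in KNOWN_TO_INDIVIDUAL:
        return False
    if purpose in LOGGED:
        return True
    raise ValueError(f"unknown disclosure purpose: {purpose!r}")


def verify_identity(on_file: Dict[str, str], provided: Dict[str, str], required: int = 2) -> bool:
    """Identify the caller by matching SSN, birth date, gender or address on file.

    Requiring two matching attributes is a local policy choice assumed here
    (the deck says "and/or"). Comparisons use constant-time equality so the
    check itself leaks nothing about the values on file.
    """
    matches = sum(
        1 for key, value in provided.items()
        if key in on_file and hmac.compare_digest(on_file[key].encode(), value.encode())
    )
    return matches >= required


@dataclass(frozen=True)
class Disclosure:
    participant_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    description: str  # what was released, limited to the minimum necessary


class DisclosureLog:
    """Accounting of disclosures, kept per participant."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[Disclosure]] = {}

    def record(self, d: Disclosure) -> bool:
        """Log the disclosure if its purpose requires accounting; return True if logged."""
        if not needs_accounting(d.purpose):
            return False
        self._entries.setdefault(d.participant_id, []).append(d)
        return True

    def accounting_for(self, participant_id: str, identity_verified: bool) -> List[str]:
        """The accounting an individual may request, released only after identification."""
        if not identity_verified:
            raise PermissionError("caller identity not verified; nothing released")
        entries = sorted(self._entries.get(participant_id, []), key=lambda d: d.disclosed_on)
        return [f"{d.disclosed_on.isoformat()} {d.recipient} ({d.purpose}): {d.description}"
                for d in entries]


def demo() -> List[str]:
    """Constructed sample disclosures for one participant; returns their accounting."""
    log = DisclosureLog()
    samples = [
        Disclosure("P-1001", date(2010, 3, 2), "Acme Clinic", "treatment", "office visit claim"),
        Disclosure("P-1001", date(2010, 4, 15), "State Health Dept", "public_policy",
                   "diagnosis code for communicable disease report"),
        Disclosure("P-1001", date(2010, 1, 20), "County Court", "required_by_law",
                   "claim dates named in subpoena"),
        Disclosure("P-2002", date(2010, 5, 1), "State Health Dept", "public_policy",
                   "immunization record"),
    ]
    for d in samples:
        log.record(d)
    # Constructed identifying data for participant P-1001 and a caller's answers.
    on_file = {"ssn_last4": "1234", "birth_date": "1980-02-03", "zip": "55101"}
    caller = {"ssn_last4": "1234", "birth_date": "1980-02-03"}
    return log.accounting_for("P-1001", verify_identity(on_file, caller))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the script prints two entries for P-1001 (the treatment claim is not part of the accounting, and P-2002's disclosure is never mixed in); an unverified caller gets a `PermissionError` rather than a partial answer.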
Breach Notification
- Individuals must be notified if their PHI has been disclosed and the information is unsecured PHI
- Safe harbor to avoid breach notification:
  - Encryption, whether the PHI is at rest, in use or in transit
  - Destruction
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/

Plan Service Provider
- HIPAA privacy policies and procedures
- Business Associate Agreements must be in place between the plan service provider (Business Associate) and the plan.

Exception to Compliance
- Self-administered health plans with fewer than 50 participants are exempt from privacy compliance

Civil and Criminal Penalties
- Substantial civil and criminal penalties apply to noncompliance with HIPAA regulations
- Be aware of your state laws
- Get legal counsel
HIPAA Privacy – Your business depends on it
- Slides: 33