HIPAA Training
Abigail Fallen, RHIA, CHDA
8/7/2014
Agenda
● HIPAA Overview
● Title II
● Accidental vs Intentional Violations
● Sanctions
● Best Practices
● Use Case Examples
● Adjourn
What is HIPAA?
● Health Insurance Portability and Accountability Act
● Enacted to improve the efficiency and effectiveness of the healthcare system
● Title I: Healthcare Access, Portability, and Renewability
● Title II: Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform
HIPAA - Title II
● Draft rules aimed at increasing the efficiency of the healthcare system by creating standards for the use and dissemination of healthcare information
● Covers spoken, printed, and electronic information
● Five (5) rules in place:
  1. Privacy Rule
  2. Transactions and Code Sets Rule
  3. Security Rule
  4. Unique Identifiers Rule
  5. Enforcement Rule
What is a Covered Entity?
● Hospitals
● Clearing Houses
● Physician Offices
● Billing Agencies
● Health Plans
● Information System Vendors
● Employers
● Public Health Authorities
● Life Insurers
● Service Organizations
● Patients
Protected Health Information (PHI)
● Any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual
● Eighteen (18) identifiers, including but not limited to:
  ● Names
  ● Geographical identifiers smaller than a 5-digit zip code
  ● Dates related to an individual
  ● Phone/fax numbers
  ● SSN
  ● Medical record numbers
  ● Facial images or comparative images
  ● Any other unique identifying characteristic
Rule #1 - Privacy Rule
● Regulates the use and disclosure of PHI
● Minimum Necessary Rule
● Treatment, Payment, Operations (TPO)
● Required by law
● Public health
● Written authorization
● Must disclose within 30 days of request
● Disclose the minimum necessary to achieve the purpose
● Covered entities are required to track disclosures
Rule #3 - Security Rule
● Complements the existing Privacy Rule
● Pertains specifically to electronic protected health information (ePHI)
● Administrative, technical, and physical safeguards
● Physical safeguards: access to equipment should be carefully controlled and monitored
  ● Laptops, cell phones, iPads
Accidental vs Intentional Violations - Accidental
● Forgetting to log off your computer before leaving your workstation
● Discussing patient information in what you believe to be a private area, but realizing others could potentially hear you
● Sending encrypted data to a "bad" email address or a "bad" fax number
● No malicious intent
Accidental vs Intentional Violations - Intentional
● Giving medical records or any PHI to others who do not have permission to see them
● Sharing PHI with your family members, friends, and newspapers who have no legal right to it
● Copying PHI and taking it home
● Making changes to patient information on the computer that you do not have permission to make
● Sharing your computer password with coworkers or others
● Looking at information in paper or electronic medical records that you do not have permission to see
Rule #5 - Sanctions - Civil
● Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  Civil penalty (min): $100 per violation, with an annual maximum of $25,000 for repeat violations
  Civil penalty (max): $50,000 per violation, with an annual maximum of $1.5 million
● HIPAA violation due to reasonable cause and not due to willful neglect
  Civil penalty (min): $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Civil penalty (max): $50,000 per violation, with an annual maximum of $1.5 million
● HIPAA violation due to willful neglect, but the violation is corrected within the required time period
  Civil penalty (min): $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Civil penalty (max): $50,000 per violation, with an annual maximum of $1.5 million
● HIPAA violation due to willful neglect that is not corrected
  Civil penalty (min): $50,000 per violation, with an annual maximum of $1,000
  Civil penalty (max): $50,000 per violation, with an annual maximum of $1.5 million
Rule #5 - Sanctions - Criminal
● Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information
  Criminal penalty: a fine of up to $50,000 and imprisonment up to 1 year
● Offenses committed under false pretenses
  Criminal penalty: a fine of up to $100,000 and imprisonment up to 5 years
● Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm
  Criminal penalty: a fine of up to $250,000 and imprisonment up to 10 years
Best Practices
● Report any activity to your direct supervisor that you feel may be a violation of HIPAA
  ● Internal or external
● Educate your patients
● Remember the Minimum Necessary Rule
● Keep your equipment safe
● Encrypt emails
● Taking phone calls
● Sending faxes
● Handling paper records
● Obtain patient consent before accessing the HIE
● Body language
● Environmental awareness
HIPAA Examples
Are the following scenarios HIPAA violations?
● You and your colleague are walking to Cooper when your cell phone rings. It's the patient's caseworker calling to ask a question about a recent PCP appointment. Can you disclose this information?
● While accompanying your patient to an appointment, the security guard stops you to ask where you are going and why you are here. Are you allowed to share this information?
HIPAA Examples
Are the following scenarios HIPAA violations?
● Your co-worker is logged into the HIE viewing a patient's chart. Through conversation, you find out the patient is a family member of your co-worker. Is this a HIPAA violation?
● A patient enters the emergency room unconscious and in critical condition. The provider does not have a treatment relationship with the patient. Can the provider access the patient's medical records?
HIPAA Examples
Are the following scenarios HIPAA violations?
● A family member calls you to ask about a patient you are working with. What should you do?
Questions?