HIPAA Training: Health Insurance Portability and Accountability Act
Introduction
This presentation will:
§ Provide transportation providers with the information necessary to ensure that members’/recipients’ health information is handled with the highest privacy and security.
§ Provide transportation providers with the information necessary to meet the latest privacy and security standards set forth by the governing agencies.
§ Focus on the daily functions of transportation providers in regard to ensuring members’/recipients’ privacy and security.
HIPAA
§ The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996.
§ The Department of Health and Human Services (HHS) implemented the final Privacy Rule on April 14, 2003.
§ The compliance date for the Security Standards was April 20, 2005.
§ The HITECH Act of 2009 widened the scope of the privacy and security protections available under HIPAA.
The Privacy Rule
§ Ensures nationwide uniform procedural protection for all health information.
§ Imposes restrictions on the use and disclosure of Protected Health Information (PHI).
§ Gives people greater access to their medical records.
§ Provides people with more control over their health information.
Security Rule
§ Whereas the Privacy Rule deals with PHI in general, the Security Rule deals with electronic PHI (“ePHI”).
§ The scope of the Security Rule for electronic PHI was greatly expanded in 2009 under the American Recovery & Reinvestment Act.
ARRA 2009
§ The HITECH Act of the American Recovery & Reinvestment Act of 2009 (ARRA) imposes new obligations on covered entities (CEs) and business associates (BAs):
• Breach Notification
• BAs are directly responsible for compliance with the Security Rule and directly liable for violations of the Security Rule and for breaches.
HIPAA Expectations
§ Use or disclose PHI only for work-related purposes.
§ Limit uses and disclosures to the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request.
§ Exercise reasonable caution to protect PHI under your control.
§ Understand and follow MTM privacy policies.
§ Report any privacy problems to your supervisor and your MTM contact immediately.
Protected Health Information (PHI)
§ Individually identifiable health information…that is
§ A. Transmitted by electronic media;
§ B. Maintained in electronic media; or
§ C. Transmitted or maintained in any other form or medium.
§ When an MTM member, agency or health provider gives personal health information to MTM, that information becomes PHI.
Examples of PHI
§ Information that might connect personal health information to an individual includes:
• Individual’s name or address
• Social Security or other identification number
• Medicaid or Medicare number
• Physician’s or other health care provider’s personal notes
• Billing information
Use or Disclosure of PHI
§ HIPAA’s Privacy Rule covers the use and disclosure of PHI; it is designed to minimize careless or unethical disclosure. PHI can’t be used or disclosed unless it is permitted or required by the Privacy Rule.
PHI is used when:
- Shared
- Examined
- Applied
- Analyzed
PHI is disclosed when:
- Released/transferred
- Accessed in any way by anyone outside the entity holding the information.
Use or Disclosure of PHI
§ PHI may be shared when it’s for “TPO.”
• Treatment: management of healthcare and related services, including coordination among healthcare providers.
• Payment: various activities of healthcare providers to obtain payment or be reimbursed for their services.
• Healthcare Operations: certain administrative, financial, legal and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of Treatment and Payment.
Use or Disclosure of PHI
§ Transportation Providers are permitted to use or disclose PHI for:
• Scheduling trip information
• Confirming special needs or adaptive equipment
• Incidental use, such as talking to a facility or medical provider
Minimum Necessary
§ Use or disclosure of PHI should be limited to the minimum amount of health-related information necessary to accomplish the intended purpose of the use or disclosure.
§ MTM has developed policies and procedures to make sure the least amount of PHI is shared.
§ If you have no need to review PHI, then stop!
Maintaining Privacy
§ Written
• Keep information in a folder during business hours and lock drawers after hours.
• Shred documents containing PHI after use.
• Keep a minimal amount of information in hard-copy format.
• Do not leave documents unattended at printers or Xerox machines.
Maintaining Privacy
§ Telephone
• Leave only the minimal information necessary on voice mail or answering machines regarding confirmation of trips, or ask the member to return the call to confirm.
Maintaining Privacy
§ Faxes
• Always include a cover sheet. The cover sheet should:
§ state that it is a confidential document,
§ give a contact if the fax is received in error, and
§ spell out the HIPAA language.
§ Verify the fax number before sending.
Maintaining Privacy
§ Email
• Emails containing PHI must be sent securely.
• Follow all directions for secured email.
• Do not enter any PHI in the subject line.
Maintaining Privacy
§ Workstation, Common Areas, and Vehicles
• Always lock access to your computer with a password and use a privacy notice.
• Remove documents containing PHI from copiers and printers as soon as possible.
• Keep PHI in a folder or face down during working hours.
• Remove PHI from your desk or vehicle and place it in a locked drawer at the end of the work day.
• Do not discuss PHI in public areas.
Privacy Practices Designed to Protect PHI
§ Verify the identity and the authority of the requestor before releasing PHI.
§ Transmit PHI by telephone only when it cannot be overheard.
§ When leaving messages, limit the information left to the member’s name, a request to return the call, and your name and telephone number.
Misuse of PHI
§ Misuse of PHI can result in civil and criminal sanctions:
• Civil penalties: up to $25,000/year for inadvertent violations; up to $250,000 for “willful neglect”; up to $1.5 million for repeated or uncorrected violations.
• Criminal penalties: up to a $250,000 fine and a prison sentence of up to 10 years for deliberate violations.
• Sanctions by the Department of HHS.
• Penalties related to not meeting contractual obligations.
Examples of Misuse of PHI
§ A South Dakota medical student took home copies of 125 patients’ psychiatric records in order to work on a research project. When finished, he disposed of the material in the dumpster of a fast food restaurant, where it was found by a newspaper reporter.
§ In Florida, several hundred hospital workers browsed through the records of a famous patient who had recently come to the facility, even though few of the workers were actually involved in the case.
Reporting Misuse of PHI
§ Report incidents of accidental or intentional disclosure to your immediate supervisor and to MTM.
§ No adverse action will be taken against anyone who reports, in good faith, any violation or threatened violation of the Privacy Rule, the Security Rule or related policies.
§ MTM must report to DHSS all uses or disclosures not permitted by the Business Associate provisions of the contract or by HIPAA.
Breach of Electronic PHI (ePHI)
§ The HITECH Act imposes data breach notification requirements for unauthorized uses and disclosures of unsecured (unencrypted) PHI.
§ Breach: the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the information.
Examples of Breach of ePHI
§ Theft of 57 hard drives at an insurance company’s training facility, including images from computer screens containing data that was encoded but not encrypted.
§ Theft of a laptop containing PHI. The laptop was password protected but not encrypted.
Breach Notification
§ Notice to the individual of a breach of his/her PHI is required under the ARRA HITECH Act.
§ Breaches involving the PHI of more than 500 persons in one circumstance must be immediately reported to HHS by the covered entity (for posting on the HHS site).
§ Business Associates must report security breaches to the covered entity.
Enforcement of Privacy and Security
§ The Office of Civil Rights has enforced the Privacy Rule since 2003.
§ CMS has enforced the Security Rule since 2005.
§ As of July 27, 2009, HHS has delegated enforcement of both rules to the Office of Civil Rights.
Resources
§ Centers for Medicare & Medicaid Services – HIPAA:
• www.cms.hhs.gov/SecurityStandard/
§ Office of Civil Rights:
• www.hhs.gov/ocr/hipaa/
§ US Department of Health & Human Services:
• www.hhs.gov
Glossary
§ Business Associate: A person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
§ Protected Health Information: Individually identifiable health information.
§ Minimum Necessary Information: The current practice is that protected health information (PHI) should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.
- Slides: 28