
ON-LINE TRAINING EVENT: HIPAA (Health Insurance Portability & Accountability Act)

Date post: 28-Mar-2015
Upload: amaya-maynard
Transcript
Page 1:

ON-LINE TRAINING EVENT

HIPAA (Health Insurance Portability & Accountability Act)

Page 2:

What is HIPAA?

It’s a law enacted to 1) protect personal health information, 2) minimize health insurance fraud, and 3) reduce administrative health care expenses.

Page 3:

What does HIPAA cover?

The law specifically addresses three (3) areas:
- Medical Billing Transaction Standards
- Protected Health Information (PHI) Privacy Standards
- Information Security Standards

Page 4:

Transaction Standards

National medical billing transaction standards are in place…
- Medical providers have been identified by an assigned number
- Uniform transaction codes are used by medical providers
- Common electronic medical billing transaction standards and guidelines are in use

Other Requirements
- Data usage & storage policies
- Compliant Business Associate contracts
- Audits of Privacy, Security & Business Practices
- Information sharing policies
- “Minimum Necessary” information exchange
- Electronic data information access controls

Page 5:

Security Standards

These standards ensure the confidentiality, integrity, & availability of protected electronic health information, and…

…protects against threats or hazards to the security of the information

Areas Involved with Security
- Administrative
- Physical Safeguards
- Technical Security Services
- Technical Security Mechanism

Page 6:

Information Security - Examples

Administrative Controls
- Identifying Business Associates & Issuing Appropriate Agreements
- Reinforce the Importance of Information Compliance
- Cooperate with the internal HIPAA Audit & Risk Assessment Processes

Page 7:

Information Security – Examples (Cont’d)

Physical Safeguards
- Positioning Computer Monitors away from view
- Discussing patient/client information in a private location
- Keeping patient/client records out of sight or access of others
- Knowing who is in your Facility or Office & when (Sign In/Out)

Page 8:

Information Security – Examples (Cont’d)

Technical Security Services & Mechanisms
- IS Department
- Data Security includes Fire Walls, Pop Up Blockers, Virus Alerts, etc.
- System Control Measures
- Data Back-up Protocols
- HIPAA Security Policies & Guidelines
- Computer Data & Systems are County Property

Page 9:

Privacy Standards

- These standards apply to protected health information (PHI) which includes any individually identifiable health information. It does not apply to data contained in educational or employment records.
- The privacy standards apply to both electronic and hard copy records to include fax, photocopy, carbon copy, etc.
- Protected Health Information (PHI), created by, stored or received by a covered entity falls under HIPAA and must be protected by establishing safeguards.

Page 10:

Privacy Standards (Cont’d)

- Gives Individuals more control over their own PHI.
- Sets rules for use and release of PHI
- Strikes a balance when public responsibility requires disclosure of data to protect the public

Page 11:

Breach of Privacy Standards

- Holds violators accountable with civil and criminal penalties
- Penalties can be imposed if the individual’s rights are violated
- Office of Civil Rights (OCR) is charged with enforcement
- Internal investigation may result in progressive disciplinary action up to and including termination of employment
- Information breach must be reported to OCR

Page 12:

Why is HIPAA important to Franklin County?

- The County is a Covered Entity under HIPAA
- The County provides and pays for the cost of healthcare
- Corporate authority rests with the County Commissioners
- County Commissioners are responsible for all contracts involving healthcare
- The County & its Employees are responsible for Due Diligence
- There is no liability insurance protection, because it is the law

Page 13:

HIPAA does not apply to PHI…

…when there are more stringent State or Federal regulations that do apply to the protected health information in question

Page 14:

What are an Individual’s Rights under HIPAA?

They have a right to…
- …access and copy health records
- …to request amendment or correction to their records
- …to an accounting record of disclosures of information from their record
- …to specify how confidential information is communicated
- …to request restriction on how health information is disclosed or used

Page 15:

Policies & Procedures for a Covered Entity

- Policies and procedures are required to address the various elements of HIPAA (Refer to the Employee Information Section of KIOSK, HIPAA to access these)
- A Company must appoint a privacy officer to 1) Oversee the program, 2) Investigate Complaints, and 3) Train Employees
- Franklin County Privacy Officer is Loretta McClure, Risk Manager

Page 16:

When can a covered entity use PHI?

- The rule requires written “authorization” from the individual before anyone can release PHI for purposes other than:
  - Treatment
  - Payment
  - Healthcare operations
- Covered health care providers must obtain a one-time “consent” to use or disclose PHI, even for treatment, payment or health care operations (Note: This is not an Authorization.)

Page 17:

Authorization

- Gives a covered entity authority to use or disclose PHI for specified purposes
- Other than treatment, payment, health care operations
- Includes:
  - What information is being disclosed
  - Who is authorized to disclose the information
  - Who is going to use or receive the information

Page 18:

HITECH Requirements – Recent Revisions to HIPAA

- New requirements managing PHI
- Business Associates held to same standard as County
- New rules for data breach notification to include thresholds, timelines, and methods
- Business Associate must notify County of any data breach involving County provided information
- Increased penalties

Page 19:

Business Associates

- An individual or corporate “person” that performs on behalf of the County any function or activity involving the use or disclosure of PHI
- Is not a member of the covered entity’s workforce
- i.e., legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services or anything else for which the County may contract where PHI is involved

Page 20:

What are Business Associate (BA) requirements, under an Agreement?

- Permitted PHI activities of BA identified
- BA agrees not to use or disclose PHI other than as permitted by the agreement
- BA agrees to use appropriate safeguards to prevent unauthorized use or disclosure of PHI
- BA agrees to report any unauthorized use or disclosure of PHI to the County
- BA ensures anyone receiving PHI under the agreement adheres to the same conditions as BA
- Agreement termination, BA returns or destroys all County PHI in its possession or extends the protections of the contract to information retained

Page 21:

De-Identification of Information

- Information that does not identify the individual and does not contain information that can be used to identify an individual is not covered by HIPAA.
- Examples of de-identifying information:
  - No names
  - No geographic information
  - No dates related to the individual (i.e., birthday, date of hire, etc.)
  - No telephone numbers, e-mail addresses, social security numbers, account numbers, etc.

Page 22:

Workforce Responsibilities

Records handled on behalf of the County should be treated in a confidential manner.

Refer to County Confidentiality Policy & Statement

Remember: Loose lips sink ships!

Page 23:

Important Points to Consider… When You Must Share Information…

- Share only the least necessary amount of information
- A PHI breach requires immediate notice to the Privacy Officer (Risk Manager)
- An Unusual Event form can be used to report potential HIPAA violations
- Risk assessments and audits are a part of the Privacy Officer’s responsibility

Page 24:

HIPAA Quiz

- Next you’ll receive a series of questions to be answered either “true” or “false”.
- Only you will know the outcome of your responses.
- Should you feel you can do better, please feel free to review the presentation again.

Page 25:

Question #1

The County’s Privacy Officer should be notified of PHI breaches, HIPAA investigations, and requests for HIPAA training?

FALSE / TRUE

Page 26:

Question #2

HIPAA covers three sections… 1) Transaction Sets, 2) Information Security & 3) Information Privacy?

FALSE / TRUE

Page 27:

Question #3

Information you handle on behalf of the County should be handled in a confidential manner?

FALSE / TRUE

Page 28:

Question #4

PHI refers to Protected Health Information?

FALSE / TRUE

Page 29:

Question #5

Medical information provided for an educational file or employment file is NOT considered PHI (Protected Health Information)?

FALSE / TRUE

Page 30:

Question #6

Under the recent HITECH Act, Business Associates are now held to the same HIPAA standards as covered entities?

FALSE / TRUE

Page 31:

Question #7

Business Associates are required to report a breach of information privacy or security to the related provider?

FALSE / TRUE

Page 32:

Question #8

Individuals have the right to request copies of their medical record, request changes to that record, and request a list of disclosures of information from the record?

FALSE / TRUE

Page 33:

Question #9

HIPAA was enacted to assist in reducing health insurance fraud, realize efficiencies in the health insurance administrative process, and expand consumer rights to their own personal health information?

FALSE / TRUE

Page 34:

Question #10

HIPAA applies to all situations involving the discussion or disclosure of personal health information.

TRUE / FALSE

Page 35:

Questions…

Any questions concerning the presentation or HIPAA services available through the County can be directed to Loretta McClure, Risk Manager & Privacy Officer at [email protected]@co.franklin.pa.us or (717)261-3819.

Page 36:

Complete Training

To be given credit for this training, be sure to submit your information (using the link below).

THANK YOU for your participation!

