Date posted: 28-Mar-2015
ON-LINE TRAINING EVENT
HIPAA (Health Insurance Portability & Accountability Act)

What is HIPAA?
It’s a law enacted to 1) protect personal health information, 2) minimize health insurance fraud, and 3) reduce administrative health care expenses.

What does HIPAA cover?
The law specifically addresses three (3) areas:
- Medical Billing Transaction Standards
- Protected Health Information (PHI) Privacy Standards
- Information Security Standards

Transaction Standards
National medical billing transaction standards are in place…
- Medical providers have been identified by an assigned number
- Uniform transaction codes are used by medical providers
- Common electronic medical billing transaction standards and guidelines are in use
Other Requirements
- Data usage & storage policies
- Compliant Business Associate contracts
- Audits of Privacy, Security & Business Practices
- Information sharing policies
- “Minimum Necessary” information exchange
- Electronic data information access controls

Security Standards
These standards ensure the confidentiality, integrity, & availability of protected electronic health information, and…
…protects against threats or hazards to the security of the information
Areas Involved with Security
- Administrative
- Physical Safeguards
- Technical Security Services
- Technical Security Mechanism

Information Security - Examples
Administrative Controls
- Identifying Business Associates & Issuing Appropriate Agreements
- Reinforce the Importance of Information Compliance
- Cooperate with the internal HIPAA Audit & Risk Assessment Processes

Information Security – Examples (Cont’d)
Physical Safeguards
- Positioning Computer Monitors away from view
- Discussing patient/client information in a private location
- Keeping patient/client records out of sight or access of others
- Knowing who is in your Facility or Office & when (Sign In/Out)

Information Security – Examples (Cont’d)
Technical Security Services & Mechanisms
- IS Department
- Data Security includes Fire Walls, Pop Up Blockers, Virus Alerts, etc.
- System Control Measures
- Data Back-up Protocols
- HIPAA Security Policies & Guidelines
- Computer Data & Systems are County Property

Privacy Standards
These standards apply to protected health information (PHI) which includes any individually identifiable health information. It does not apply to data contained in educational or employment records.
The privacy standards apply to both electronic and hard copy records to include fax, photocopy, carbon copy, etc.
Protected Health Information (PHI), created by, stored or received by a covered entity falls under HIPAA and must be protected by establishing safeguards.

Privacy Standards (Cont’d)
- Gives Individuals more control over their own PHI.
- Sets rules for use and release of PHI
- Strikes a balance when public responsibility requires disclosure of data to protect the public

Breach of Privacy Standards
- Holds violators accountable with civil and criminal penalties
- Penalties can be imposed if the individual’s rights are violated
- Office of Civil Rights (OCR) is charged with enforcement
- Internal investigation may result in progressive disciplinary action up to and including termination of employment
- Information breach must be reported to OCR

Why is HIPAA important to Franklin County?
- The County is a Covered Entity under HIPAA
- The County provides and pays for the cost of healthcare
- Corporate authority rests with the County Commissioners
- County Commissioners are responsible for all contracts involving healthcare
- The County & its Employees are responsible for Due Diligence
- There is no liability insurance protection, because it is the law

HIPAA does not apply to PHI…
…when there are more stringent State or Federal regulations that do apply to the protected health information in question

What are an Individual’s Rights under HIPAA?
They have a right to…
…access and copy health records
…to request amendment or correction to their records
…to an accounting record of disclosures of information from their record
…to specify how confidential information is communicated
…to request restriction on how health information is disclosed or used

Policies & Procedures for a Covered Entity
- Policies and procedures are required to address the various elements of HIPAA (Refer to the Employee Information Section of KIOSK, HIPAA to access these)
- A Company must appoint a privacy officer to 1) Oversee the program, 2) Investigate Complaints, and 3) Train Employees
- Franklin County Privacy Officer is Loretta McClure, Risk Manager

When can a covered entity use PHI?
The rule requires written “authorization” from the individual before anyone can release PHI for purposes other than:
- Treatment
- Payment
- Healthcare operations
Covered health care providers must obtain a one-time “consent” to use or disclose PHI, even for treatment, payment or health care operations (Note: This is not an Authorization.)

Authorization
Gives a covered entity authority to use or disclose PHI for specified purposes
Other than treatment, payment, health care operations
Includes:
- What information is being disclosed
- Who is authorized to disclose the information
- Who is going to use or receive the information

HITECH Requirements – Recent Revisions to HIPAA
- New requirements managing PHI
- Business Associates held to same standard as County
- New rules for data breach notification to include thresholds, timelines, and methods
- Business Associate must notify County of any data breach involving County provided information
- Increased penalties

Business Associates
- An individual or corporate “person” that performs on behalf of the County any function or activity involving the use or disclosure of PHI
- Is not a member of the covered entity’s workforce
- i.e., legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services or anything else for which the County may contract where PHI is involved

What are Business Associate (BA) requirements, under an Agreement?
- Permitted PHI activities of BA identified
- BA agrees not to use or disclose PHI other than as permitted by the agreement
- BA agrees to use appropriate safeguards to prevent unauthorized use or disclosure of PHI
- BA agrees to report any unauthorized use or disclosure of PHI to the County
- BA ensures anyone receiving PHI under the agreement adheres to the same conditions as BA
- Agreement termination, BA returns or destroys all County PHI in its possession or extends the protections of the contract to information retained

De-Identification of Information
Information that does not identify the individual and does not contain information that can be used to identify an individual is not covered by HIPAA.
Examples of de-identifying information:
- No names
- No geographic information
- No dates related to the individual (i.e., birthday, date of hire, etc.)
- No telephone numbers, e-mail addresses, social security numbers, account numbers, etc.

Workforce Responsibilities
Records handled on behalf of the County should be treated in a confidential manner.
Refer to County Confidentiality Policy & Statement
Remember: Loose lips sink ships!

Important Points to Consider…
When You Must Share Information…
- Share only the least necessary amount of information
- A PHI breach requires immediate notice to the Privacy Officer (Risk Manager)
- An Unusual Event form can be used to report potential HIPAA violations
- Risk assessments and audits are a part of the Privacy Officer’s responsibility

HIPAA Quiz
Next you’ll receive a series of questions to be answered either “true” or “false”.
Only you will know the outcome of your responses.
Should you feel you can do better, please feel free to review the presentation again.

Question #1
The County’s Privacy Officer should be notified of PHI breaches, HIPAA investigations, and requests for HIPAA training?
FALSE / TRUE

Question #2
HIPAA covers three sections… 1) Transaction Sets, 2) Information Security & 3) Information Privacy?
FALSE / TRUE

Question #3
Information you handle on behalf of the County should be handled in a confidential manner?
FALSE / TRUE

Question #4
PHI refers to Protected Health Information?
FALSE / TRUE

Question #5
Medical information provided for an educational file or employment file is NOT considered PHI (Protected Health Information)?
FALSE / TRUE

Question #6
Under the recent HITECH Act, Business Associates are now held to the same HIPAA standards as covered entities?
FALSE / TRUE

Question #7
Business Associates are required to report a breach of information privacy or security to the related provider?
FALSE / TRUE

Question #8
Individuals have the right to request copies of their medical record, request changes to that record, and request a list of disclosures of information from the record?
FALSE / TRUE

Question #9
HIPAA was enacted to assist in reducing health insurance fraud, realize efficiencies in the health insurance administrative process, and expand consumer rights to their own personal health information?
FALSE / TRUE

Question #10
HIPAA applies to all situations involving the discussion or disclosure of personal health information.
TRUE / FALSE

Questions…
Any questions concerning the presentation or HIPAA services available through the County can be directed to Loretta McClure, Risk Manager & Privacy Officer at [email protected]@co.franklin.pa.us or (717)261-3819.

Complete Training
To be given credit for this training, be sure to submit your information (using the link below).
THANK YOU for your participation!