Copyright Eastern PA EMS Council February 2003
Health Information Portability and Accountability Act
It’s the law.
Committee Members
This program and information is the result of the hard work of the following committee members:
Don DeReamus – Chairperson
Barry Albertson Joseph Panczer
Andrew Brown Suzanne Raftery
Barbara Conrad Barbara Ruch
James Conrad Ruth Weber
Rose Conrad Jackie Wenzel
Michael La Bar Larry Wiersch
HIPAA
It is a Federal law passed in 1996.
It specifies what is required to protect the privacy of personally identifiable health care information.
Time Lines for HIPAA Compliance
Three separate and independent timelines are required for HIPAA compliance.
Privacy Rule compliance required by April 14, 2003
Transaction Code Set Rules (TCS) compliance required by October 16, 2002 or October 16, 2003 if you filed for an extension
Security Rule compliance deadline April 21, 2005
Covered Entities
To be considered a covered entity, the organization must be either a health care provider, a health plan, or a health care clearinghouse.
Covered entities provide services directly to the patient.
An ambulance service is considered to be a health care provider.
To be considered a covered entity, you must engage in electronic transactions.
This includes billing.
Protected Health Information (PHI)
When PHI enters an organization, whether it is from a patient, a bystander, a friend, a family member or a dispatch agency, all privacy and security rules apply.
What is PHI?
- Individually identifiable information
- Information regarding past, present, or future physical or mental health
- Information regarding provision or payment of care to an individual
- Includes any material that is written, verbal, electronic, scanned, photographic, etc.
Examples of PHI
- Patient care reports (PCRs)
- Dispatch records
- Billing information
- Incident reports with patient information
- Physician Certifications
Three Allowed Uses of PHI
Treatment
Payment
Health Care Operations
These are allowed without prior patient authorization.
Treatment
You may share PHI with other health care providers involved in treating the patient.
First Responders may share patient information while on the scene.
You may share information with emergency department personnel without the patient’s permission.
Facilities may share information with providers for treatment purposes.
Payment
Providers may use PHI to send invoices and file claims.
Emergency Departments may supply “face sheet” information to services for billing purposes.
Operations
QA/CQI, internal audits
Patient names and addresses must be omitted if using PHI for research or education.
Business Associates
A business associate is a person or an entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.
Covered entities must have formal “business associate” agreements in place with business associates to meet compliance guidelines under HIPAA.
Examples of business associates are:
- collection agencies
- billing companies
- computer software companies that may have access to PHI
- legal counsel, etc.
In other words, business associates are those entities that do not provide services directly to the patient but instead provide services to covered entities.
Privacy Rule-What Is Required?
o Designation of a privacy officer
o Securing of patient records and limiting access so that they are not available to those personnel who do not have a “need to know”
Examples of Security Safeguards
Include a confidentiality statement on all e-mails, fax cover sheets and web pages.
Web page notices must be printable.
Keep patient care reports restricted.
Keep fax machines which receive PHI in a secure location and limit access.
Obtain reasonable assurances that those who receive your faxes do the same.
What is the Transaction Code Set Rule? (TCS)
Requires providers to submit electronic claims in an approved format.
Requires payers to accept transactions that are submitted in the standard formats.
The Steps to HIPAA Compliance
Conduct a “gap analysis”.
Identify existing privacy related policies and procedures and review them for accuracy and compliance.
Adopt a formal privacy practice.
You may use samples from any source, but make sure you have all policies, forms, and agreements reviewed by your attorney.
Develop and provide a notice to each patient concerning your privacy practices and make a good faith effort to obtain a signed acknowledgement from the patient that he or she has received it.
Develop a policy that protects PHI and distribute only the necessary parts of the PHI to entities that have a “need to know”.
Identify all members of your organization who need to access Protected Health Information (PHI) by their job descriptions and identify what parts of PHI they need to access. Develop a policy that contains this specific information.
Develop a policy that allows patients or their designated representatives access to their PHI.
Develop a Designated Record Set which will determine what information is released when it is requested.
Develop a policy that identifies the method by which a patient or designee may amend their PHI.
Identify business associates.
Develop and execute business associate agreements.
Coordinate with vendors.
Appoint a privacy officer. This person may have other duties within the organization.
Ensure that all required HIPAA policies, procedures and agreements have been developed.
Provide HIPAA training to all members of the organization by April 14, 2003. These members may include, but are not limited to: crew members, office personnel, board of directors, administrative personnel, etc.
Continued Compliance
Monitor and revise policies as needed.
Very Important
You must not only safeguard written PHI, but also verbal PHI!
There must be a written policy banning all inappropriate banter about specific patients. Penalties for such behavior must be included in the policy.
You MUST Have
- Notice of Privacy Practices
- Business Associate Agreements
- Accounting Log
- “Minimum Necessary” Policies
- Who needs access to what?
- Designated Record Set Policy
- Policy regarding uses and disclosures
- Training documents
- Amendment forms
- Written designation of privacy officials
- Documents regarding any penalties given for privacy violations
You Should Have
- Privacy officer job description
- Request for access form
- Request for amendment form
- Request for restriction form
- Complaint policy
- Password authorization form
- Record release policy
- Confidentiality policy