
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act...

Date post: 15-Dec-2015
Upload: sage-threadgill
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
Transcript

Copyright Eastern PA EMS Council February 2003

Health Information Portability and Accountability Act

It’s the law.


Committee Members

This program and information are the result of the hard work of the following committee members:

Don DeReamus – Chairperson

- Barry Albertson
- Andrew Brown
- Barbara Conrad
- James Conrad
- Rose Conrad
- Michael La Bar
- Joseph Panczer
- Suzanne Raftery
- Barbara Ruch
- Ruth Weber
- Jackie Wenzel
- Larry Wiersch


HIPAA

It is a Federal law passed in 1996.

It specifies what is required to protect the privacy of personally identifiable health care information.


Time Lines for HIPAA Compliance

Three separate and independent timelines are required for HIPAA compliance.


Privacy Rule compliance required by April 14, 2003


Transaction Code Set Rules (TCS) compliance required by October 16, 2002 or October 16, 2003 if you filed for an extension


Security Rule compliance deadline April 21, 2005


Covered Entities

To be considered a covered entity, the organization must be either a health care provider, a health plan, or a health care clearinghouse.

Covered entities provide services directly to the patient.


An ambulance service is considered to be a health care provider.


To be considered a covered entity, you must engage in electronic transactions.

This includes billing.


Protected Health Information (PHI)

When PHI enters an organization, whether it is from a patient, a bystander, a friend, a family member or a dispatch agency, all privacy and security rules apply.


What is PHI?

- Individually identifiable information
- Information regarding past, present, or future physical or mental health


- Information regarding provision or payment of care to an individual.
- Includes any material that is written, verbal, electronic, scanned, photographic, etc.


Examples of PHI

- Patient care reports (PCRs)
- Dispatch records
- Billing information
- Incident reports with patient information
- Physician Certifications


Three Allowed Uses of PHI

Treatment

Payment

Health Care Operations

These are allowed without prior patient authorization.


Treatment

You may share PHI with other health care providers involved in treating the patient.

First Responders may share patient information while on the scene.

You may share information with emergency department personnel without the patient’s permission.

Facilities may share information with providers for treatment purposes.


Payment

Providers may use PHI to send invoices and file claims.

Emergency Departments may supply “face sheet” information to services for billing purposes.


Operations

QA/CQI, internal audits

Patient names and addresses must be omitted if using PHI for research or education.


Business Associates

A business associate is a person or an entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.


Covered entities must have formal “business associate” agreements in place with business associates to meet compliance guidelines under HIPAA.


Examples of business associates are:

- collection agencies
- billing companies
- computer software companies that may have access to PHI
- legal counsel, etc.


In other words, business associates are those entities that do not perform services directly to the patient but instead provide services to covered entities.


Privacy Rule-What Is Required?

o Designation of a privacy officer

o Securing of patient records and limiting access so that they are not available to those personnel who do not have a “need to know”


Examples of Security Safeguards

Include a confidentiality statement on all e-mails, fax cover sheets and web pages.

Web page notices must be printable.

Keep patient care reports restricted.


Keep fax machines which receive PHI in a secure location and limit access.

Obtain reasonable assurances that those who receive your faxes do the same.


What is the Transaction Code Set (TCS) Rule?

Requires providers to submit electronic claims in an approved format.

Requires payers to accept transactions that are submitted in the standard formats.


The Steps to HIPAA Compliance

Conduct a “gap analysis”.

Identify existing privacy related policies and procedures and review them for accuracy and compliance.


Adopt a formal privacy practice.

You may use samples from any source, but make sure you have all policies, forms, and agreements reviewed by your attorney.


Develop and provide a notice to each patient concerning your privacy practices and make a good faith effort to obtain a signed acknowledgement from the patient that he or she has received it.


Develop a policy that protects PHI and distribute only the necessary parts of the PHI to entities that have a “need to know”.


Identify all members of your organization who need to access Protected Health Information (PHI) by their job descriptions and identify what parts of PHI they need to access. Develop a policy that contains this specific information.


Develop a policy that allows patients or their designated representatives access to their PHI.


Develop a Designated Record Set which will determine what information is released when it is requested.


Develop a policy that identifies the method by which a patient or designee may amend their PHI.


Identify business associates.

Develop and execute business associate agreements.

Coordinate with vendors.


Appoint a privacy officer. This person may have other duties within the organization.


Ensure that all required HIPAA policies, procedures and agreements have been developed.


Provide HIPAA training to all members of the organization by April 14, 2003. These members may include, but are not limited to: crew members, office personnel, board of directors, administrative personnel, etc.


Continued Compliance

Monitor and revise policies as needed.


Very Important

You must not only safeguard written PHI, but also verbal PHI!

There must be a written policy banning all inappropriate banter about specific patients. Penalties for such behavior must be included in the policy.


What You Must Have!


You MUST Have

- Notice of Privacy Practices
- Business Associate Agreements
- Accounting Log
- “Minimum Necessary” Policies
- Who needs access to what?


- Designated Record Set Policy
- Policy regarding uses and disclosures
- Training documents


- Amendment forms
- Written designation of privacy officials
- Documents regarding any penalties given for privacy violations


What Would It Be Nice to Have?


You Should Have

- Privacy officer job description
- Request for access form
- Request for amendment form
- Request for restriction form


- Complaint policy
- Password authorization form
- Record release policy
- Confidentiality policy


If you choose to use sample forms, agreements or policies from any source, review each of them with your attorney.
