Date post: 11-Nov-2021
Page 1: HIPAA - EPCC

HIPAA

Health Insurance Portability and Accountability Act

Revised: 11/2018

Page 2: HIPAA - EPCC

WHAT IS HIPAA?

• Health

• Insurance

• Portability and

• Accountability

• Act

Page 3: HIPAA - EPCC

WHAT DOES HIPAA CONSIST OF?

• 1. Standardized Electronic Data Interchange transactions and codes for all covered entities.

• 2. Standards for security of data systems.

• 3. Privacy protections for individual health information.

• 4. Standard national identifiers for health care.

Page 4: HIPAA - EPCC

IMPORTANT HIPAA DEFINITIONS

• Privacy – state of being concealed; secret.

• Confidentiality – containing private information (Ex. Medical Record).

• Authorization – to give permission for; to grant power to.

• Breach of Confidentiality – to break an agreement, to violate a promise.

• Disclosure – means the release, transfer, provision of access to, or divulging of information outside the entity holding the information.

• Use – means the sharing, employment, application, utilization, examination, or analysis of individually identifiable information within an entity.

Page 5: HIPAA - EPCC

IMPORTANT HIPAA TERMINOLOGY: PROTECTED HEALTH INFORMATION

• Protected Health Information [PHI] – is information that is created or received by a covered entity that:

• Relates to the past, present, or future physical or mental health of an individual.

• Identifies the individual or contains reasonable information that can be used to identify the individual(s).

• Examples of Protected Health Information:

• Name, address, telephone, fax, email, social security number, medical diagnoses, medical records, account numbers and photographs or images.

Page 6: HIPAA - EPCC

IMPORTANT HIPAA TERMINOLOGY: NOTICE OF PRIVACY PRACTICE

• Notice of Privacy Practice [NPP] – a notice given to patients concerning the use and disclosure of their Protected Health Information [PHI].

Page 7: HIPAA - EPCC

WHO CARRIES OUT HIPAA RULES AND REGULATIONS?

• Covered Entities are responsible for implementing HIPAA rules and regulations.

• These are:

• Health Plans

• Health Care Clearinghouses

• Health Care providers

Page 8: HIPAA - EPCC

WHAT MUST A COVERED ENTITY DO TO BE IN COMPLIANCE WITH HIPAA?

• Notify patients about their privacy rights and how their information can be used.

• Adopt and implement privacy procedures.

• Train employees so they understand the privacy procedures.

• Designate a Privacy Officer.

• Secure patient records containing Protected Health Information [PHI].

Page 9: HIPAA - EPCC

WHAT ARE A PATIENT’S RIGHTS UNDER HIPAA?

• Right to written Notice of Privacy Practices [NPP] that informs consumers how Protected Health Information [PHI] will be used and to whom it is disclosed

• Right of timely access to see and copy records for a reasonable fee

• Right to an amendment of records

• Right to restrict access and use

• Right to an accounting of disclosures

• Right to revoke authorization

Page 10: HIPAA - EPCC

WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS?

THE JOINT COMMISSION STANDARDS

• Patient’s rights:

• Patients have a right to confidentiality of all information that is provided to the healthcare professional and institution.

• Health care professionals ensure that patient information is secured at all times and if there are any complaints, those complaints will be resolved in a timely manner.

Page 11: HIPAA - EPCC

WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS?

PRIVACY RULE

• The Privacy Rule:

• Establishes a Federal floor of safeguards to protect the confidentiality of medical information.

• Allows patients to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

• This rule is used to protect Protected Health Information [PHI].

• This rule took effect on April 14, 2003.

• YOU MAY NOT RETALIATE AGAINST OR INTIMIDATE AN EMPLOYEE WHO FILES A HIPAA COMPLAINT.

Page 12: HIPAA - EPCC

WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS?

ACCOUNTING OF DISCLOSURES

• Accounting of Disclosures is the patient’s right to request a list of people and organizations who have received their Protected Health Information [PHI].

• Patients must submit a written Request for Accounting of Disclosures.

• A Covered Entity [CE] must respond to the patient’s request for an accounting within 60 days of receipt of the request.

• Some examples of disclosures are those:

• Required by law

• For public health agencies related to disease prevention/control

• About victims of abuse, neglect, or domestic violence

• For judicial and administrative proceedings

• For research activities

• For law enforcement activities

• For workers compensation

Page 13: HIPAA - EPCC

WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS?

MINIMUM NECESSARY STANDARD

• HIPAA requires Covered Entities to take reasonable steps to disclose only the information that is necessary for the purpose for which the disclosure is to be made [the minimum necessary amount of information needed to perform the job].

• The Minimum Necessary Standard DOES NOT APPLY TO:

• Treatment

• Disclosures to the individual who is the subject of the Protected Health Information [PHI]

• Uses or disclosures made pursuant to an individual’s authorization

• Uses or disclosures that are required by law.

Page 14: HIPAA - EPCC

WHAT ARE THE HIPAA RULES AND REGULATIONS THAT PROTECT THESE RIGHTS?

RESEARCH ACTIVITIES

• NO ONE is permitted to use Protected Health Information for research without complying with the new HIPAA requirements.

• These HIPAA requirements are entirely separate from the existing federal human subject research regulations.

• The Privacy Policies and Procedures do not replace or override other rules or procedures established by the Institutional Review Board [IRB]; both must be complied with in order to conduct human research.

Page 15: HIPAA - EPCC

HOW DO I PROTECT MY PATIENT’S PRIVACY?

DO’S AND DON’TS

Do’s:

• Close doors in patients’ rooms when discussing treatments.

• Log off the computer when you are finished.

• Dispose of patient information by shredding or storing it in a locked container for destruction.

• Clear patient information off of your desk when you leave your desk.

Don’ts:

• Tell anyone what you overhear about a patient.

• Discuss a patient in public areas, such as elevators, hallways or cafeterias.

• Look at information about a patient unless you need it to do your job.

Page 16: HIPAA - EPCC

HOW DO I PROTECT MY PATIENT’S PRIVACY?

SAFE COMPUTER AND FAX USE

Safe Computer Use

• Keep your password a secret.

• Do not log in using someone else’s password.

• Log off of the computer when you are finished using it.

• Turn the computer screen away from public view.

• Do not remove equipment, disks, or software without permission.

Safe Fax Use

Sending:

• Call the intended recipient before sending the fax.

• Use cover sheets for faxes.

• DO NOT SEND: HIV results, Mental Abuse, Narcotic Prescriptions, Alcohol/Substance/Child Abuse.

Receiving:

• Tell the person faxing information to alert you when he/she is about to send the fax.

• Take faxes off the machine immediately.

• Do not let faxed patient information lie around unattended.

Page 17: HIPAA - EPCC

HOW DO I PROTECT MY PATIENT’S PRIVACY?

SAFEGUARDS

• Physical Safeguards

  • Computer terminals are not placed in public areas.

• Technical Safeguards

  • Every associate must keep his/her password confidential.

  • No photographs or recordings of any type are to be taken of patients in the clinical setting.

  • No cameras, tablets, cell phones or any electronic devices with photography capabilities are permitted in the clinical environment.

• Administrative Safeguards

  • Policy and procedure for release of patient information.

Page 18: HIPAA - EPCC

WHO ELSE IS RESPONSIBLE FOR PROTECTING PATIENT PRIVACY?

BUSINESS ASSOCIATES

• Business Associate

  • A person or entity that performs a function or activity on behalf of a Covered Entity [CE] that requires the creation, use or disclosure of Protected Health Information [PHI] but who is not considered part of the Covered Entity’s workforce. They must have a written contract or agreement that assures they will appropriately safeguard Protected Health Information [PHI] they create or receive.

Page 19: HIPAA - EPCC

EXAMPLES OF BUSINESS ASSOCIATES

• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

• A third party administrator who assists a health plan with claims processing.

• An independent medical transcriptionist who provides transcription services to a physician.

• A CPA firm whose accounting services to a health care provider involve access to protected health information.

• A pharmacy benefits manager who manages a health plan’s pharmacist network.

Page 20: HIPAA - EPCC

WHAT ARE SOME WAYS HIPAA CAN BE VIOLATED?

INCIDENTAL DISCLOSURE

• A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure.

• Examples of Incidental Disclosure

  • A hospital visitor may overhear a provider’s confidential conversation with another provider or a patient.

  • A hospital visitor may glimpse a patient’s information on a sign-in sheet or nursing station whiteboard.

Page 21: HIPAA - EPCC

WHAT ARE SOME WAYS HIPAA CAN BE VIOLATED?

BREACH

• A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Page 22: HIPAA - EPCC

WHAT IS DONE AFTER PATIENT PRIVACY HAS BEEN COMPROMISED?

HITECH ACT

• What is the HITECH Act?

  • As a result of the American Recovery and Reinvestment Act of 2009, legislation passed the Health Information Technology for Economic and Clinical Health Act, which places additional privacy and security requirements.

• This requires any entity that handles Protected Health Information [PHI] to report breaches, whether in paper or electronic form, within the timeframe that HITECH requires.

• HITECH applies to all business entities associated with healthcare organizations, such as banks, claims clearinghouses, billing firms, health information exchanges and software companies.

Page 23: HIPAA - EPCC

WHAT ARE THE BREACH NOTIFICATION REQUIREMENTS?

• Notification is required to the affected individuals, the government and in certain cases the media [if the breach involves more than 500 people] in the event of a breach of “Unsecured Protected Health Information”.

• These breach requirements are applicable to both Covered Entities [CE] and their Business Associates.

• If a Covered Entity’s Business Associate has a breach, it must report it within 60 days.

• The snail mail requirement states that the healthcare organization must send out a first class letter to any patients that might have been affected by the breach. [Electronic mail is allowed if the patient agreed to receive electronic notices.]

Page 24: HIPAA - EPCC

WHAT ARE THE CONSEQUENCES OF NOT COMPLYING WITH HITECH?

• There are serious penalties for non-compliance, ranging from fines of $100 to $50,000 per violation, capped at $25,000 to $1.5 million per violation of the same standard.

• Criminal penalties of 1 to 10 years in jail for gross negligence.

• HITECH also created new methods for enforcement, allowing state attorneys general to enforce HIPAA regulations.

Page 25: HIPAA - EPCC

WHAT ARE THE CONSEQUENCES OF NOT COMPLYING WITH HIPAA?

PENALTIES FOR PRIVACY VIOLATIONS

• Civil Penalties under HIPAA:

  • Maximum fine of $25,000 per violation.

• Criminal Penalties under HIPAA:

  • Maximum of 10 years in jail and/or a $250,000 fine for serious offenses.

• Organization Actions:

  • Employee disciplinary actions, including suspension or termination, for violations of the organization’s policies and procedures.

Page 26: HIPAA - EPCC

WHO ENFORCES MEDICAL PRIVACY REGULATIONS?

• Office for Civil Rights

• A patient may complain to the Privacy Officer in a hospital; or

• The Director of Health and Human Services [HHS]

Page 27: HIPAA - EPCC

ARE THERE OTHER LAWS THAT PROTECT PATIENT PRIVACY?

STATE LAW VS. HIPAA

• If there is a conflict or inconsistency between an applicable state law and the HIPAA Privacy Rule, follow the law that provides the patient:

  • Greater privacy rights,

  • Greater access to information, or

  • Greater privacy protections.

Page 28: HIPAA - EPCC

ARE THERE OTHER LAWS THAT PROTECT PATIENT PRIVACY?

TEXAS MEDICAL PRIVACY ACT [TMPA]

• The Texas Medical Privacy Act [TMPA] is as strict as HIPAA and applies specifically to Texas medical and dental providers.

• Training is required, as under HIPAA, and this information is to be included in it.

• This training is required once every two years for providers.

• This training is an exact photocopy of HIPAA.

• Since EPCC is considered a hybrid entity [School and Clinic], we are bound to train our health care personnel, faculty and students about the Texas Medical Privacy Act [TMPA].

Page 29: HIPAA - EPCC

HIPAA REFERENCE CONTACTS

• If you have any questions regarding HIPAA, contact:

• Souraya A. Hajjar, EPCC Compliance Officer at (915)831-4143

• Or email her at [email protected]

• Your HIPAA Compliance officer at your campus or facility.

• Your Clinical instructor/coordinator at your campus or facility.

• Or refer to http://www.hhs.gov/hipaa/index.html for more information regarding HIPAA policies and regulations.

Page 30: HIPAA - EPCC

THE USE OF SOCIAL MEDIA

Page 31: HIPAA - EPCC

WHAT IS SOCIAL MEDIA?

• Any form of electronic communication utilized to share ideas, pictures, personal opinions, etc. is considered Social Media.

• PUBLIC SOCIAL MEDIA: Instagram, YouTube, Facebook, Twitter, Google, Snapchat, LinkedIn, AOL, etc.

• ELECTRONIC DEVICES: Smart Phone, Cell phone, laptop, iPad, camera, flash drives, any form of Mobile Devices.

Page 32: HIPAA - EPCC

CONFIDENTIALITY ADVICE

• Electronic devices are strictly prohibited in all patient care areas.

• Copies of patients’ records are intended for educational purposes only and must be appropriately disposed of at the end of the clinical day (Shred-it boxes).

• Students must not publish any content related to patient care that may lead to the identification of a patient (name, photos, live streaming (video), diagnostic testing, hospital name, account number, etc.).

• Students must maintain confidentiality of all patient and Hospital information.