Health Insurance Portability and Accountability Act (HIPAA)
Transcript of Health Insurance Portability and Accountability Act (HIPAA)
October 31st, 2013, in Athens, GA
Sarah K. Browning
1. Transactions and Code Sets
2. The Privacy Rule
3. The Security Rule
4. National Identifier Rules and Standards
The Security Rule creates national standards to govern the systems that health entities use in accessing PHI.
"Federal Breach Notification" requirement for non-encrypted PHI
Expands the entities impacted by HIPAA
Audit trail of all PHI disclosures for patients
No sale, marketing or fund raising with patient PHI without authorization.
Bigger penalties for violations
More resources for HHS
The Privacy Rule creates national standards to protect a person's medical records and other "personal health information" ("PHI").
The Health Insurance Portability and Accountability Act of 1996
HIPAA not HIPPA
Don't forget the HITECH Act, or the "Health Information Technology for Economic and Clinical Health Act"
The rule requires safeguards to protect PHI and sets limits and conditions on when, where and how PHI can be shared.
The rule also grants patients certain rights to their PHI like:
the right to examine their medical records
the right to obtain a copy of records
the right to request corrections to their medical records
The Security Rule addresses things like:
Passwords to sign on and off computers
Storage of PHI (both physical and electronic)
How does HHS manage HIPAA?
HIPAA is the brainchild of HHS, which produces all regulations that govern HIPAA. HIPAA regulations are reviewed once a year.
1. HHS publishes notice of proposed rule changes in the Federal Register. Everyone has 60 days to submit comments.
2. HHS has to respond to each comment.
3. HHS (and other affected agencies) must review the Final Rule.
4. If Congress approves the Final Rule within 60 days, the rule is published in the Federal Register.
5. The Final Rule becomes effective after 60 days.
6. Entities have 2 years and 2 months after publication to become completely compliant with any new rules.
Why should you care?
There is no private right of action under HIPAA.
Patients CAN file a complaint against your employer with the U.S. Dept. of Health and Human Services' Office for Civil Rights ("HHS" and "OCR").
(Aside from providing the best treatment and services for your patients, of course)
Know the lingo.
Business Associate Agreement
Electronic-protected health information (ePHI)
"These are terms of art... use them artfully."
Protected Health Information
Security or security measures
Protected Health Information
Any information related to an individual's past, present, or future mental or physical health that is created or received by a healthcare provider, public health authority, employer, life insurer, school or university, or healthcare clearinghouse.
This INCLUDES information that relates to payment.
Name, address, social security number, phone number, occupation, age, diagnoses, physical examinations, treatment plans, etc.
1. Health Plans
2. Healthcare Clearinghouses
3. Healthcare providers, but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies, Health insurance companies, HMOs, Company health plans, Medicare, and Medicaid
Who is NOT a Covered Entity?
Businesses, people or other entities that work for a Covered Entity and use PHI from the Covered Entity's patients, but aren't part of the Covered Entity's workforce.
Medical transcription companies
Companies that help with billing
Why did HHS create HIPAA?
To give patients more control.
To help patients make informed choices.
To help patients find out how their health information is being used.
To set boundaries on the use of PHI.
To protect PHI.
To hold violators accountable.
Most likely, your employer will have a set of HIPAA Policies and Procedures. All staff should be trained on these procedures.
How it works in the workplace.
The Minimum Necessary Standard
When you have to discuss PHI, whether at work with co-workers or even in situations when you have an "authorization," you must use the absolute minimum amount of information necessary to complete your purpose.
Access and Computer Security
Access is limited to a need-to-know basis.
*Often, your employer will be able to track what information you have accessed through your User ID and Password.
Removing the patient's name, DOB, address, diagnoses, and SSN is NOT ENOUGH.
HIPAA regulations have a process for de-identifying information. If you are ever in a situation that requires you to de-identify information, check your employer's HIPAA Policies and Procedures and also check HHS.gov and make sure you are following the right procedures.
Just about every health employee out there has to sign a confidentiality agreement.
Sign out of your workstation when you leave.
Don't leave medical records face-up on your desk (or better yet, don't leave medical records anywhere they are not supposed to be!)
Transferring Data, Hard Copies and the Fax Machine
All transferred data should be encrypted.
Any extra copies of medical records must be shredded when you are done using the records.
Fax machines should not be in public areas.
Always use a cover sheet when faxing.
Make sure to warn the intended recipient of the fax.
Never leave medical records sitting out in the open or on top of a fax machine.
Records Storage and Retention and Disaster Recovery Plans
Your employer will likely have a policy on records storage (PHI has to be kept for a minimum of 6 years...but because of medical malpractice laws, your employer may retain these for 10+)
Medical record systems should have a back-up plan in case of a disaster (think Hurricane Katrina or Sandy)
HIPAA grants patients the right to an "audit" of how their PHI has been used and disclosed. As a result, covered entities must have a process in place to be able to provide these audit trails.
A "breach" is when a patient's PHI has been disclosed without authorization. If this happens, it must be documented. HIPAA then has a set of steps in place to notify the individual of the breach.
If something like this happens at your job, talk to your HIPAA Privacy Officer (his or her name should be listed in your company's HIPAA manual). The Privacy Officer should have a process in place to determine if the alleged breach was in fact a violation of HIPAA, and how to notify the patient.
P.S. Lawyers are pretty cool. Don't be afraid to talk to your in-house counsel or compliance officer! (but remember he/she is not YOUR lawyer...)
Your employer should have a process in place that explains how patients can file complaints. HIPAA rules also prohibit any retaliation as a result of a complaint.
HHS enforces the Privacy Rule. All other parts of HIPAA are enforced by the Centers for Medicare and Medicaid (CMS) - another government entity.
The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
Your employer (usually)
Your next-door neighbor
Before we finish, a few HIPAA Horror Stories!