Health Insurance Portability and Accountability Act (HIPAA)

by Sarah Ketchie on 6 June 2014

Transcript of Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA)
HIPAA
Piedmont College
October 31st, 2013, in Athens, GA

Sarah K. Browning
(770)804-4700
sbrowning@thehlp.com

HIPAA Rules
1. Transactions and Code Sets
2. The Privacy Rule
3. The Security Rule
4. National Identifier Rules and Standards
5. Enforcement
Security Rule
The Security rule creates national standards to govern the systems that health entities use in accessing PHI.

HITECH
"Federal Breach Notification" requirement for non-encrypted PHI

Expands the entities impacted by HIPAA

Audit trail of all PHI disclosures for patients

No sale, marketing or fundraising with patient PHI without authorization.

Bigger penalties for violations

More resources for HHS
Privacy Rule
The Privacy rule creates national standards to protect a person's medical records and other "personal health information" ("PHI").

The Health Insurance Portability and Accountability Act of 1996
HIPAA not HIPPA
Oh yeah...
Don't forget the HITECH Act, or the "Health Information Technology for Economic and Clinical Health Act"


...more on this later.
Privacy Rule
The rule requires safeguards to protect PHI and sets limits and conditions on when, where and how PHI can be shared.
Privacy Rule
The rule also grants patients certain rights to their PHI like:

the right to examine their medical records
the right to obtain a copy of records
the right to request corrections to their medical records
Security Rule
The Security Rule addresses things like:
Passwords to sign on and off computers

Data encryption

Storage of PHI (both physical and electronic)
How does HHS manage HIPAA?
HIPAA is the brainchild of HHS, which produces all regulations that govern HIPAA. HIPAA regulations are reviewed once a year.

1. HHS publishes notice of proposed rule changes in the Federal Register. Everyone has 60 days to submit comments.

2. HHS has to respond to each comment.

3. HHS (and other affected agencies) must review the Final Rule.

4. If Congress approves the Final Rule within 60 days, the rule is published in the Federal Register.

5. The Final Rule becomes effective after 60 days.

6. Entities have 2 years and 2 months after publication to become completely compliant with any new rules.
Remember HITECH?
Why should you care?
There is no private right of action under HIPAA.

Patients CAN file a complaint against your employer with the U.S. Dept. of Health and Human Services' Office for Civil Rights ("HHS" and "OCR").
(Aside from providing the best treatment and services for your patients, of course)
Know the lingo.
Access
Administrative Safeguards
Authentication
Availability
Business Associate
Business Associate Agreement
Confidentiality
Covered Entities
Disclosure
Electronic media
Electronic-protected health information (ePHI)
Encryption
Facility
Health Information
Health Plan
Healthcare Clearinghouse
Healthcare Provider
"These are terms of art....use them artfully."
Healthcare
Information System
Integrity
Malicious Software
Physical Safeguards
Protected Health Information
Security Incident
Security or security measures
Standard
Standard-setting organization
technical safeguards
use
user
workforce
workstation
Protected Health Information
Any information related to an individual's past, present, or future mental or physical health that is created or received by a healthcare provider, public health authority, employer, life insurer, school or university, or healthcare clearinghouse.

This INCLUDES information that relates to payment.

Name, address, social security number, phone number, occupation, age, diagnoses, physical examinations, treatment plans...etc.
Covered Entity
1. Health Plans

2. Healthcare Clearinghouses

3. Healthcare providers...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies, Health insurance companies, HMOs, Company health plans, Medicare, and Medicaid
Who is NOT a Covered Entity?
Business Associates
Businesses, people or other entities that work for a Covered Entity and use PHI from the Covered Entity's patients, but aren't part of the Covered Entity's workforce.

Medical transcription companies
Coding firms
Companies that help with billing
Lawyers!
Management Companies


Why did HHS create HIPAA?
To give patients more control.

To help patients make informed choices.

To help patients find out how their health information is being used.

To set boundaries on the use of PHI.

To protect PHI.

To hold violators accountable.
Application
Most likely, your employer will have a set of HIPAA Policies and Procedures. All staff should be trained on these procedures.
How it works in the workplace.
The Minimum Necessary Standard
When you have to discuss PHI, whether at work with co-workers or even in situations when you have an "authorization," you must use the absolute minimum amount of information necessary to complete your purpose.
Access and Computer Security

Access is limited to a need-to-know basis.
Passwords
Computer Screens
Anti-virus software


*Often, your employer will be able to track what information you have accessed through your User ID and Password.
De-Identified Information
Removing the patient's name, DOB, address, diagnoses, and SSN is NOT ENOUGH.

HIPAA regulations have a process for de-identifying information. If you are ever in a situation that requires you to de-identify information, check your employer's HIPAA Policies and Procedures and also check HHS.gov and make sure you are following the right procedures.
Confidentiality Agreements
Just about every health employee out there has to sign a confidentiality agreement.
Work Stations
Sign out of your workstation when you leave.

Don't leave medical records face-up on your desk (or better yet, don't leave medical records anywhere they are not supposed to be!)
Transferring Data, Hard Copies and the Fax Machine
All transferred data should be encrypted.
Any extra copies of medical records must be shredded when you are done using the records.
Fax machines should not be in public areas.
Always use a cover sheet when faxing.
Make sure to warn the intended recipient of the fax.
Never leave medical records sitting out in the open or on top of a fax machine.
Records Storage and Retention and Disaster Recovery Plans
Your employer will likely have a policy on records storage (PHI has to be kept for a minimum of 6 years...but because of medical malpractice laws, your employer may retain these for 10+)
Medical record systems should have a back-up plan in case of a disaster (think Hurricane Katrina or Sandy)

Audit Trails
HIPAA grants patients the right to an "audit" of how their PHI has been used and disclosed. As a result, covered entities must have a process in place to be able to provide these audit trails.
Breach
A "breach" is when a patient's PHI has been disclosed without authorization. If this happens, it must be documented. HIPAA then has a set of steps in place to notify the individual of the breach.

If something like this happens at your job, talk to your HIPAA Privacy Officer (his or her name should be listed in your company's HIPAA manual). The Privacy Officer should have a process in place to determine if the alleged breach was in fact a violation of HIPAA, and how to notify the patient.

P.S. Lawyers are pretty cool. Don't be afraid to talk to your in-house counsel or compliance officer! (but remember he/she is not YOUR lawyer...)
Complaints
Your employer should have a process in place that explains how patients can file complaints. HIPAA rules also prohibit any retaliation as a result of a complaint.
Penalties
Enforcement
HHS enforces the Privacy Rule. All other parts of HIPAA are enforced by the Centers for Medicare and Medicaid (CMS) - another government entity.
Questions?
&
The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
Your employer (usually)
Your school
Your next-door neighbor
Your mother.
Remember Emory?
Before we finish, a few HIPAA Horror Stories!