Health Insurance Portability
and Accountability Act
(HIPAA)
  • Automated Office Procedures
  • Joy Gayler, Instructor
What is HIPAA?
  • The Health Insurance Portability and Accountability Act of 1996 was signed into law on August 21, 1996 by President Clinton.
  • The law’s primary objectives are to: ensure health insurance portability for workers and families when they change or lose their jobs; reduce health care fraud and abuse; guarantee the security and privacy of health care information; enforce standards for health information; and set standards for electronic data interchange transactions.
  • The Department of Health and Human Services (DHHS) administers the Act.
Why the Need for HIPAA?
  • Advancements in technology:
    • Allow greater access to protected health information (PHI).
    • Increased use of electronic transmission of patient data.
    • Increased possibility of fraud related to electronic storage and transmission of data.
Why the Need for HIPAA?
For Example…
  • An Atlanta truck driver lost his job in early 1998 after his employer learned from his insurance company that he had sought treatment for a drinking problem.
  • The late tennis star Arthur Ashe’s positive HIV status was disclosed by a health care worker and published by a newspaper without his permission.
  • Tammy Wynette’s medical records were sold to the National Enquirer by a hospital employee for $2,610.
Why Comply With HIPAA?
  • Civil fines (as originally enacted in 1996) include:
    • $100 per violation, up to $25,000 per year for violations of the same requirement
  • Criminal penalties include:
    • Up to $50,000 and 1 year in jail for knowingly obtaining or disclosing PHI in violation of the Act
    • Up to $100,000 and 5 years in jail for violations committed under false pretenses
    • Up to $250,000 and 10 years in jail for obtaining PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm
  • The HITECH Act of 2009 later raised the civil penalties substantially and made them tiered according to the level of culpability.
Enforcement of HIPAA
  • Primary responsibility for enforcing the HIPAA Privacy Standards falls on the Office for Civil Rights (OCR), an agency within the U.S. Department of Health and Human Services (DHHS).
  • OCR/DHHS does not randomly inspect covered entities for compliance; enforcement is complaint-driven. (The HITECH Act of 2009 later added a periodic compliance audit program.)
  • A covered entity is investigated after a legitimate complaint is received by DHHS/OCR, typically from a consumer. The individual, the supervisor and the agency can all be held liable.
  • State laws that are more stringent than HIPAA in the area of privacy and security of personal information remain in force; HIPAA sets a floor, not a ceiling.
Who is Covered by HIPAA?
  • Health care providers, including hospitals, clinics, nursing homes, physicians, dentists, chiropractors and suppliers, that transmit health information electronically in connection with a standard transaction.
  • Health plans: entities that provide, or pay the cost of, health care services in the normal course of business.
  • Health care clearinghouses: entities that process or translate health information into or out of the standard electronic transaction formats.
Who is Covered by HIPAA?
continued
  • Educational institutions are not specifically addressed in the law, however …
  • Business Associate: a person or entity to whom the clinical agency discloses PHI so that it can perform a function on the agency’s behalf … for example, students in SCSC courses who have access to PHI in the clinical setting.
  • Hybrid Entity: an entity that may be covered as both a Business Associate and a primary covered entity … e.g. an educational institution that places students in clinical settings and also provides health care services to the community.
When Do We Have to Comply With HIPAA Regulations?
  • October 2003 – all covered entities must comply with the Electronic Data Interchange (EDI) transaction and code set standards (the original October 2002 deadline was extended one year for entities that filed a compliance plan).
  • April 2003 – all covered entities except small health plans must comply with the Privacy Rule.
  • April 2004 – small health plans must comply with the Privacy Rule.
  • April 2005 (April 2006 for small health plans) – all covered entities must comply with the Security Rule.
  • Business Associates – must comply with the requirements set out in their business associate contract with the covered entity.
3 Major Focus Areas of HIPAA
  • 1) Electronic Data Interchange (EDI)
  • 2) Security
  • 3) Privacy

3 Major Focus Areas of HIPAA
  • 1) Electronic Data Interchange (EDI)
    • Focuses on establishing national standards (uniform formats and code sets) for electronic health care transactions, and national identifiers for providers, health plans, and employers.

3 Major Focus Areas of HIPAA
  • 2) Security
    • Focuses on the administrative, physical, and technical safeguards that keep electronic patient information safe.

3 Major Focus Areas of HIPAA
  • 3) Privacy
    • Focuses on defining boundaries on medical record use and release, penalties for misuse of patient information, appropriate and inappropriate disclosures of information, and an individual’s right of access to information about themselves.
What is Protected Health Information (PHI)?
  • Information that is “individually identifiable” and relates to the past, present, or future:
      • physical or mental health of a patient
      • provision of health care to the patient
      • payment for the patient’s health care
  • … and that can be communicated orally, in written form, or through any other medium.
What is Protected Health Information (PHI)?
  • PHI can include:
    • Name, date of birth, social security number, address, phone number, patient account number, date/location of health care service delivery, diagnosis, treatment, medications, e-mail address, photo or other identifiable image, lab results, etc.
    • Basically … any information that can be traced back to the individual!
Use and Disclosure
  • Use – sharing protected health information (PHI) within the entity that maintains the information (that is, inside the clinical environment).
  • Disclosure – the release or transfer of PHI, providing access to it, or divulging it in any other manner outside the entity holding the information (that is, outside the clinical environment).
De-Identified PHI
  • “Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.”
  • De-identified information may be disclosed for certain purposes (e.g. educational purposes).
De-Identified PHI (continued)
  • All of the following identifiers must be removed before health information is considered de-identified and can be used …
    • names; address, city, county, precinct, zip code; birth date, admission date, discharge date, date of death; telephone numbers; fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identification numbers; device identifiers and serial numbers; URLs; IP addresses; finger and voice prints; full face photographic images and any comparable images; and any other unique identifying number, characteristic or code.
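The checklist above maps directly to a data-sanitisation routine, so here is an added Python example (not part of the original slides) of a de-identifier that drops the structured fields named in the list, masks the same values where they reappear in free-text notes, and then audits the result for anything left behind. The field names, the regular expressions and the sample record are assumptions constructed for the example; real EHR schemas and production scrubbers differ. It follows the slide's strict reading and removes dates and ZIP codes entirely, whereas the actual safe-harbor method in 45 CFR 164.514(b) permits the year of most dates and the first three ZIP digits under a population condition.

```python
import re

# Record keys this example treats as safe-harbor identifiers (key names are
# assumptions for the example; real EHR schemas name them differently).
SAFE_HARBOR_FIELDS = {
    "name", "address", "city", "county", "precinct", "zip", "birth_date",
    "admission_date", "discharge_date", "death_date", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip", "fingerprint", "voiceprint", "photo",
}

# Regexes for identifiers that leak into free text such as clinical notes.
# Constructed for this example; production scrubbers need broader patterns.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE),
}


def deidentify(record):
    """Return (clean_record, findings).

    1. Drops every structured field named in SAFE_HARBOR_FIELDS.
    2. Masks the *values* of those fields wherever they reappear in free text
       (a regex cannot recognise "Jane Doe" as a name, but it knows the value).
    3. Masks residual patterns (SSN, phone, e-mail, IP, URL, date, MRN) in text.
    """
    clean, findings = {}, []
    known_values = [
        str(v) for k, v in record.items()
        if k in SAFE_HARBOR_FIELDS and v and len(str(v)) >= 4  # skip tiny tokens
    ]
    for key, value in record.items():
        if key in SAFE_HARBOR_FIELDS:
            findings.append(f"removed field {key}")
            continue
        if isinstance(value, str):
            for known in known_values:
                if known in value:
                    value = value.replace(known, "[REDACTED]")
                    findings.append(f"masked known identifier value in {key}")
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value, n = pattern.subn(f"[{label.upper()} REMOVED]", value)
                if n:
                    findings.append(f"masked {n} {label} pattern(s) in {key}")
        clean[key] = value
    return clean, findings


def residual_identifiers(record):
    """Audit check: names any identifier field or free-text pattern still present.
    An empty list means the record passes the slide's identifier checklist."""
    hits = [f"field:{k}" for k in record if k in SAFE_HARBOR_FIELDS]
    for key, value in record.items():
        if isinstance(value, str):
            hits += [f"{label}:{key}" for label, p in FREE_TEXT_PATTERNS.items()
                     if p.search(value)]
    return hits


# Constructed sample record (fictional data, not a real patient).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "birth_date": "1961-03-04",
    "zip": "30301",
    "mrn": "00012345",
    "phone": "404-555-0123",
    "diagnosis": "Type 2 diabetes mellitus",
    "medications": ["metformin 500 mg"],
    "note": ("Pt Jane Doe (MRN 00012345) seen 03/04/2003; call 404-555-0123 "
             "or jane.doe@example.com. SSN 123-45-6789."),
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    clean, findings = deidentify(SAMPLE_RECORD)
    print("after:", residual_identifiers(clean))
    print(clean["note"])
    for f in findings:
        print(" -", f)
```

The value-based pass is the part most scrubbers forget: the structured `name` field is trivial to drop, but the same name repeated inside a clinical note survives a purely field-based approach, and a regex cannot tell a name from any other words. Keeping the clinical content (diagnosis, medications, the narrative of the note) while removing identifiers is exactly what makes the result usable for the educational purposes mentioned on the previous slide.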


Minimum Necessary Rule
  • Pertains to using, disclosing and/or requesting only the minimum amount of PHI needed to accomplish a necessary job or task (treatment, health care operations and payment).
  • Access is based on the role/task of the person handling the PHI (e.g. the student in a clinical rotation).

Minimum Necessary Rule
continued
  • “Reasonable effort” must be made to ensure that only the minimal amount of PHI is handled.
  • Only the information needed to meet patient care and learning needs should be used by the student in the clinical setting.
  • Does not apply to disclosures:
      • Required by law
      • To the individual, or made pursuant to an authorization signed by the individual
      • To, or requested by, a health care provider for treatment purposes, where limiting information could impede care
Protecting Access to PHI
  • Things to consider...
    • Access: who (employees, patients, students, etc.), what (type of information), when
    • Storage: how (paper and electronic), where (filing systems, PDAs, laptops, networks, etc.)
    • Disclosure: who, what, when, how (verbal, fax, email, etc.)
    • Disposal/destruction: how, when, who (e.g. notes made during clinical rotations)
Oral Communications are PHI
  • The Privacy Rule applies to protected health information in all forms: electronic, written, oral, and any other.
  • Coverage of spoken protected health information ensures that the information retains its protections when it is discussed or read aloud from a computer screen or written document.
  • The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients.
  • Its provisions require the implementation of reasonable safeguards that reflect the particular circumstances (for example, lowering your voice or moving away from a waiting area).
Faxes - Another Example of PHI
  • A fax is a form of written communication, and its contents are PHI like any other document.
  • When a fax is used, a confidentiality statement on the cover page must be included, and the destination number should be confirmed before sending.
Consent for Release
  • Covered entities do not need to obtain the patient’s consent to use or disclose PHI for treatment, payment or health care operations, provided the use or disclosure follows the “minimum necessary” rule. Most other uses and disclosures require the individual’s written authorization.
  • An individual may request additional restrictions on how their PHI is used or disclosed, beyond what the HIPAA standards require; the covered entity must consider such a request but is not generally obliged to agree to it.
HIPAA Applies to Education
  • Applies to any student who, in the course of their educational process, is involved in a patient’s care and/or has access to PHI (within the clinical environment, as well as in associated activities outside the clinical environment).
  • In the course of education, a patient’s PHI (including photos and images) must not be disclosed or used in any other way without the patient’s authorization/consent.
  • “Reasonable effort” must be made to ensure that only de-identified information is used for educational purposes.
Provider compliance
  • Providers and health care organizations will be required to:
    • Acquire written authorization from the patient for the use and disclosure of PHI for marketing purposes
    • Post a Notice of Privacy Practices in a conspicuous area, distribute it to patients, and make a good-faith effort to obtain their written acknowledgment that they received it

Provider compliance
  • Train all members of the workforce likely to handle PHI, and have employees sign a confidentiality agreement at least every three years affirming that they follow the HIPAA policies and procedures
  • Designate a privacy official who is responsible for developing and implementing policy, enforcement, and handling complaints

Provider compliance
  • Establish a grievance process for patient complaints
  • Develop and implement technical safeguards, including access controls, audit logs, firewalls, data backup, and updated software and hardware
  • Develop physical and administrative safeguards to prevent unauthorized use and disclosure of PHI
Assess Yourself
  • Question 1:
  • Protected Health Information (PHI) is ANY piece of information that can be used to identify a patient. For example: patient name, account number, or health plan number.
  • A. True
  • B. False
Question 2
  • Question 2:
  • I may not share a patient’s health information in which of the following situations?
  • A. A physician involved with the care of the patient requests a lab result.
  • B. An attorney calls requesting a diagnosis on the patient without the patient’s knowledge.
  • C. Calling the pharmacy to fill a patient’s prescription.
Question 3
  • Question 3:
  • You have the right to access any patient’s medical record whether or not you were involved with their treatment, payment or operational activities.
  • A. True
  • B. False
Question 4
  • Question 4:
  • Minimum necessary means that access to protected health information MUST be limited to only those who “need to know”.
  • A. True
  • B. False
Question 5
  • Question 5:
  • Which set of answers identifies the ways in which you can protect patient health information?
    • 1. Never share passwords.
    • 2. Throw patient health information in the trash can.
    • 3. Discuss patient health information in the elevator with others who do not have a “need to know.”
    • 4. If an individual is asking for specific patient health information, ask questions to determine whether there is a “need to know.”
    • 5. Always log off the computer when tasks are completed or when leaving the computer unattended.
  • A. 1, 4 and 5
  • B. 2 and 4
  • C. 1 and 4
  • D. All of the above
Question 6
  • Question 6:
  • I can give information to another caregiver, such as a consulting physician, over the telephone.
  • A. True
  • B. False
Question 7
  • Question 7:
  • There are two types of confidentiality breaches (intentional and unintentional). I am accountable if I breach confidentiality for either of these reasons.
  • A. True
  • B. False
Question 8
  • Question 8:
  • If someone overhears a conversation when I am discussing patient diagnostic or treatment information with another caregiver, and I took reasonable precautions to prevent an unintentional disclosure, this would be considered an incidental disclosure and not punishable as a breach of confidentiality.
  • A. True
  • B. False
End of Self-Assessment
  • Thank you! End of self-assessment.
  • Answer key (derived from the material above): 1: True; 2: B; 3: False; 4: True; 5: A; 6: True; 7: True; 8: True.