HIPAA
Transcript

  • 1. The Health Insurance Portability and Accountability Act What is it? & How will it affect us?
  • 2. Who Needs Training and Why
    • Employees who come in contact with Protected Health Information (PHI) are federally required to attend training
      • Departments listed later
    • This presentation is designed to
      • Familiarize you with
        • HIPAA regulations
        • Our policies and procedures regarding protected health information (PHI)
      • Ensure federal compliance
    • Our policies will be listed at www.hipaa.cmich.edu
  • 3. Summary of the Law
    • To improve portability and continuity of health insurance coverage in the group and individual markets.
    • To combat waste, fraud, and abuse in health insurance and health care delivery.
    • To simplify the administration of health insurance, and for other purposes.
  • 4. What Exactly is HIPAA?
    • Public Law 104-191 (1996)
    • Overseen by the U.S. Department of Health and Human Services (HHS): the Office for Civil Rights (OCR) enforces the Privacy Rule, and the Centers for Medicare and Medicaid Services (CMS) oversees the transaction, code set and identifier standards
    • A federal law designed to:
      • Give patients control over how their Protected Health Information (PHI) is used and shared by health care providers and other covered entities
      • Ensure confidentiality of PHI
  • 5. Protected Health Information
    • Protected Health Information (PHI)
      • Any Individually Identifiable Health Information (IIHI)
        • Created or received by a health care provider, health plan, employer or health care clearinghouse
        • Relating to the past, present or future physical or mental health or condition of an individual, the provision of health care to the individual, or payment for that care
        • Transmitted in any form or medium
    • Examples
          • Medical charts
          • Problem logs
          • Photographs
          • Communications between professionals
          • Health insurance policy number
  • 6. Individual Identifiers Courtesy of www.hipaacow.com
    • Name
    • Geographic subdivisions smaller than a State
      • Street Address
      • City
      • County
      • Precinct
      • ZIP Code and equivalent geocodes, except for the initial three digits of a ZIP code (the three-digit prefix may be kept only when the area it covers contains more than 20,000 people)
    • Dates (except year) directly related to an individual, and all ages over 89
      • Birth date
      • Admission date
      • Discharge date
      • Date of death
    • Telephone numbers
    • Fax number
    • E-Mail Address
    • Social Security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • Web Universal Resource Locators (URLs)
    • Internet Protocol (IP) address numbers
    • Biometric identifiers, including finger and voice prints
    • Full face photographic images and any comparable data
    • Any other unique identifying number, characteristic, or code
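Removing the identifiers listed above is the “Safe Harbor” method of de-identification under 45 CFR 164.514(b)(2); de-identified data falls outside the Privacy Rule, as a later slide notes. The Python below is an added example, not part of the CMU presentation or its policies, showing how the list is applied to a structured record: direct identifiers are dropped, dates keep only the year, ZIP codes keep three digits (or become 000 for sparsely populated prefixes), ages over 89 are aggregated into “90+” and the birth year is dropped for them, and any field the code does not recognise is rejected rather than passed through. The field names, the sample record and the restricted-prefix set are assumptions of the example; verify the prefix set against current HHS guidance before relying on it.

```python
"""Safe Harbor de-identification of a structured patient record (added example)."""
import re
from datetime import date

# Direct identifiers that Safe Harbor requires to be removed outright
# (field names are assumptions for this example).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}
# Date fields: only the year may be retained.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Non-identifying fields that may be kept as-is (default-deny: anything else fails).
RETAINED_FIELDS = {"state", "sex", "diagnosis_code"}
# Three-digit ZIP prefixes covering 20,000 people or fewer (as recalled from HHS
# Safe Harbor guidance; treat as configuration and verify before use).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 when the prefix is restricted."""
    if not ZIP_RE.match(zip_code):
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def age_on(birth: date, as_of: date) -> int:
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of `record`."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # removed entirely
        if field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year
        elif field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field in RETAINED_FIELDS:
            out[field] = value
        else:
            # An unlisted column may be "any other unique identifying number";
            # fail closed instead of leaking it.
            raise ValueError(f"field {field!r} has no de-identification rule")
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        out["age"] = safe_harbor_age(age)
        if age > 89:
            out.pop("birth_year", None)   # the year itself would reveal age > 89
    return out


# Constructed sample records (not real patient data).
SAMPLE_AS_OF = date(2003, 4, 14)
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "street_address": "12 Example Ln", "city": "Mount Pleasant",
    "state": "MI", "zip": "48859", "birth_date": date(1931, 6, 2),
    "admission_date": date(2003, 3, 10), "phone": "989-555-0100",
    "mrn": "MRN-000123", "diagnosis_code": "J45.909",
}
OLD_PATIENT_RECORD = dict(SAMPLE_RECORD, birth_date=date(1910, 1, 15), mrn="MRN-000456")


def demo():
    """De-identify both samples; returns (typical patient, patient over 89)."""
    return deidentify(SAMPLE_RECORD, SAMPLE_AS_OF), deidentify(OLD_PATIENT_RECORD, SAMPLE_AS_OF)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Free-text fields (clinician notes, for example) are not handled here; they need their own scrubbing pass, and a record that must keep an identifier for legitimate purposes is still PHI and stays under the Privacy Rule.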
  • 7. What entities are covered?
    • Health Plans
    • Health Care Clearinghouses
    • A health care provider who transmits any health information in electronic form
  • 8. CMU as a Covered “Hybrid” Entity
    • Hybrid Entity
      • A single legal entity that is a Covered Entity and whose Covered Functions are not its primary functions.
        • CMU’s primary purpose is to educate
        • We also deal with healthcare related procedures
        • This designation lets CMU apply HIPAA only to the specific areas that perform covered functions
  • 9. CMU as a Covered “Hybrid” Entity
    • Departments Affected
      • HR Comp and Benefits: Self-funded Dental and Prescription Plan
        • A covered entity because it is a health plan
      • University Health Services
        • A covered entity because it is a provider who bills electronically for care and devices
      • Communication Disorders: Speech Pathology and Audiology
        • A covered entity because it is a provider who bills electronically for care and devices
  • 10. HIPAA Inside the “Hybrid”
    • Internal support entities
      • General Counsel
      • Internal Audit
      • Accounts Receivable
      • Faculty Personnel
      • Human Resources- Employee Relations
        • These areas deal either with disciplinary regulations, grievances, or healthcare related transactions
        • Requiring these areas to obtain prior authorization before each file review would be impractical, so they are treated as part of the covered component
  • 11. HIPAA Inside the “Hybrid”
    • Possible future covered entities:
      • Physician Assistant Program
      • Psychology clinic
      • Physical Therapy Program
        • They do not yet bill electronically and therefore are not covered entities
  • 12. HIPAA outside the “Hybrid”: therefore not covered
    • Information Technology
    • Special Olympics
    • International Student Services
    • Office of International Education
    • Student Disability Services
    • The test for any area: where does the information come from and/or go to?
      • If it is not received from or sent to a covered provider or plan, it is not considered PHI
  • 13. HIPAA vs. FERPA
    • FERPA – The Family Educational Rights and Privacy Act
      • Protects the privacy of students’ education records
    • Unique to universities
      • Especially relevant to CMU’s UHS and CDO
    • We serve employees, students, and members of students’ families, all as patients
  • 14. HIPAA vs. FERPA
    • The disclosure rules differ between the two laws
    • Student records and all other records must be handled differently
    • This is difficult, but do-able
    • The necessary Directors will have a “Flow Chart” regarding proper procedures for the two
  • 15. Four Components of HIPAA’s Administrative Simplification
    • Transaction Standards & Code Sets
      • To create a uniform method of electronic communication
    • Security & Electronic Signature Standards
      • To guard data integrity, confidentiality, and availability
      • To ensure that Protected Health Information (PHI) is kept confidential
    • National Provider Identifier
    • Privacy Rule
      • The concentration of this presentation
  • 16. Privacy Rule
    • All covered entities must be in compliance by 4/14/03 (small health plans have until 4/14/04)
    • There are no other exclusions or extensions available, and no paperwork to submit to prove compliance
  • 17. Privacy Rule
    • Establishes safeguards to protect the confidentiality of medical information
    • Gives patients more control over their health information
    • Limits release of information to the minimum necessary
    • Sets boundaries on the use and release of health records
  • 18. Privacy Rule
    • Enables patients to find out how their information may be used and what disclosures of their information have been made to any business associates or other parties
    • Gives patients the right to examine and obtain copies of their own health records, and to request corrections
  • 19. Privacy Rule - Consent
    • The Privacy Rule was most recently amended on 8/14/02.
    • Consent to use and disclose protected health information for treatment, payment, or health care operations (TPO) is not required; obtaining it is optional for all covered entities.
  • 20. Privacy Rule - Consent
    • A covered entity must make a “good faith effort” to obtain a written acknowledgment of receipt (from the patient) of a facility’s Notice of Privacy Practices (NPP) at the earliest possible encounter. If the patient refuses to sign, the provider needs to show that every effort was made to obtain a signature.
    • The NPP can be a summary statement of the provider’s comprehensive NPP with reference to the entire NPP being available to the patient for examination.
    • The NPP must be visibly posted at all times.
  • 21. Privacy Rule - Consent
    • Covered entities are not prohibited from obtaining consent and have complete discretion in designing their individual consent process.
    • State law requirements may be more stringent and therefore supersede the federal requirements.
  • 22. Notice of Privacy Practices
    • The NPP reflects your dedication to privacy and must be available for patient review
      • Copies of NPP must be on display in each waiting room
      • Written copies of NPP must be available on request
      • Copy of NPP needs to be posted on web site
    • The NPP informs patients that you will not release their PHI except as stated in your Notice
  • 23. Notice of Privacy Practices
    • The NPP states you are required to abide by the terms of your current Privacy Notice
    • The NPP instructs patients how to file a privacy complaint
    • The NPP indicates how you will send information (mail, fax, electronic, etc.)
    • You must make a “good faith effort” to obtain a patient’s written acknowledgment of receipt of the notice.
  • 24. Consent & Authorization
    • Consent
      • A general document giving health care providers permission to use & disclose all PHI for treatment, payment or health care operations (TPO)
      • It gives permission only to the provider, and not to any other person or business associate
      • Optional; not required by the Privacy Rule
    • Authorization
      • A customized document giving covered entities permission to use specified PHI for specified purposes, or to disclose specified PHI to a third party. It is more specific & detailed than consent, and it is usually time sensitive.
  • 25. Authorization
    • Authorization is required for uses and disclosures of PHI for purposes that are not otherwise permitted or required under the Privacy Rule.
    • Examples
    • Sale of patient mailing lists
    • Disclosing information to employers for employment decisions
    • Disclosing information for life or disability insurance
  • 26. Authorization
    • Covered entities are required to document & retain authorizations and to provide individuals with a copy of the signed authorization form.
    • Patients will need to grant authorization in advance for each type of use or disclosure.
  • 27. HIPAA Privacy Rule Facts
    • The rules apply to all oral, written, or electronic records of covered entities.
    • HIPAA prohibits the use of records for marketing without prior, specific authorization by the patient.
    • PHI that has been de-identified is not subject to the Privacy Rule.
    • A HIPAA team must be appointed by each covered entity
    • The facility’s Notice of Privacy Practices (NPP) should be posted in public (on web site & in waiting rooms), with copies available on request.
  • 28. HIPAA Team
    • Must assign a Privacy Officer
    • Should assign an Electronic Transaction officer
    • Must assign a Security Officer
  • 29. HIPAA Privacy Officer
    • Must have authority and independence
    • Is responsible for developing and implementing the HIPAA compliance plan
    • Is responsible for enforcement & sanctions
    • Designates contact persons responsible for receiving complaints and monitoring patient contacts
  • 30. Campus Wide Planning
    • Knowledge
    • Initial Training of Workforce
    • Policy revision and drafting: the list is endless
    • Firewall and software development, implementation and testing
    • Ongoing analysis and refinement
  • 31. Preparing for HIPAA Compliance
    • Enter into new contracts with Business Associates (BA)
    • Develop Written Policies & Procedures
    • Documentation Procedures
    • Conduct a site survey of your own facility
    • Site Survey Q’s for your own facility
  • 32. Preparing for HIPAA Compliance
    • Enter into new contracts with Business Associates (BA)
    • BAs are persons or organizations that perform a function or activity on behalf of a covered entity involving the use or disclosure of PHI.
    • Covered entities may share PHI with a BA, provided that a written agreement safeguarding such information from misuse is signed by both the provider and the BA.
    • No business associate contract is needed for disclosures to another covered entity for that entity’s own treatment or payment purposes (e.g., one provider to another for treatment); a covered entity that performs BA functions for another covered entity still needs one.
  • 33. Preparing for HIPAA Compliance
    • Enter into new contracts with Business Associates (BA)
    • Types of Business Associates
      • Claims processing or administration
      • Data analysis, processing or administration
      • Utilization Review
      • Billing
      • Benefit Management
      • Computer work
      • Legal work
      • Actuarial work
      • Accounting work
      • Transcriptionists
      • Accreditation work
      • Cleaning service
      • Consulting work
      • Marketing
  • 34. Preparing for HIPAA Compliance
    • Develop Written Policies & Procedures
    • Decide who is responsible for determining “minimum necessary” data
    • Develop a records management plan
    • Determine who will keep records
    • Determine how records will be kept
    • Teach proper documentation
  • 35. Preparing for HIPAA Compliance
    • Documentation Procedures
    • Create record logs
      • Log information given in response to patient authorization
      • Log information given in response to legal requests for PHI
      • Log patient requests for amendments to their records or for restrictions on uses and disclosures
    • Documentation of PHI disclosures (and other required HIPAA documentation) must be retained for a minimum of 6 years
  • 36. Preparing for HIPAA Compliance
    • Conduct a Site Survey of Your Own Facility
    • Walk through facility from the patient’s point of view. Look for visible or audible PHI, including information on tables & desks, in waste cans, on computer monitors, on fax machines, or overheard on telephones.
  • 37. Preparing for HIPAA Compliance
    • Site Survey Q’s for Your Own Facility
    • Are patient records secure?
    • Does each user have an individual, unique login and password for computer systems (no shared accounts)?
    • Are collection calls or calls regarding other PHI made in a private location?
  • 38. Why should we care about the HIPAA rules?
    • CMU is a hybrid entity: Some parts of the university must comply fully as a covered entity (e.g.: Speech & Hearing Clinics), other portions are not affected at all by HIPAA (e.g.: English Dept.), and other parts are indirectly affected (e.g.: Accounts Receivable).
    • As a single, hybrid entity, if any one part of the university is found to be out of compliance, all other covered parts can be investigated.
    • HIPAA is designed to empower the patient/consumer.
    • HIPAA ideally will minimize cost over the long term.
  • 39. Why should we care about the HIPAA rules?
    • Civil penalties
      • Failure to comply: fines & possible exclusion from Medicare
    • Criminal penalties
      • Knowing wrongful disclosure: up to $50,000, imprisonment of up to one year, or both
      • Offense under false pretenses: up to $100,000, imprisonment of up to five years, or both
      • Offense with intent to sell, transfer or use information for commercial advantage, personal gain or malicious harm: up to $250,000, imprisonment of up to ten years, or both
  • 40. HIPAA Web Links
    • www.hipaadvisory.com
    • www.hipaacow.com
    • www.cms.hhs.gov/hipaa
    • www.hhs.gov/ocr/hipaa
    • www.hcfa.gov/medlearn