HIPAA & HITECH Made Easy for Behavioral Health Professionals -- Marlene Maheu

HIPAA & HITECH Made Easy for Behavioral Health Professionals
1-Hour Webinar

At the TeleMental Health Institute, we have the option for you to earn CEUs while you learn the updates to HIPAA and HITECH:

For 1 CEU for mental health professionals and nurses, go to this page for details: http://telehealth.org/hipaa-hitech

Join the innovative group of over 1,200 mental health professionals at the TeleMental Health Institute: www.telehealth.org

Published in: Education, Business, Technology

Transcript

  • 1. HIPAA & HITECH Made Easy for Behavioral Health Professionals. Marlene M. Maheu, Ph.D., Executive Director, TeleMental Health Institute
  • 2. Disclaimer * I am an MFT and clinical psychologist, not an attorney, physician or Information Technology specialist. My goal is educational only. The information I present is my best attempt to bring you timely and relevant information in a rapidly evolving area. I therefore make no warranty, guarantee, or representation as to the accuracy or sufficiency of the information contained in my training. * My goal is to outline the issues and alert you to what's happening, including legal, ethical and other risk management issues. You are encouraged to seek specific advice related to your circumstance from your qualified authorities.
  • 3. Health Insurance Portability and Accountability Act (HIPAA) Three HIPAA Rules: * Transmission * Privacy * Security
  • 4. HIPAA Privacy Rule * Data are "individually identifiable" if they include any of the 18 types of identifiers if the provider or researcher if the information could be used, either alone or in combination with other information, to identify an individual:
  • 5. HIPAA Privacy Rule (cont.) 2. Address (all geographic subdivisions smaller than state, including street address, city, county, zip code) 3. All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89) 4. Telephone numbers 5. Fax number 6. Email address 7. Social Security number 8. Medical record number 9. Health plan beneficiary number 10. Account number 11. Certificate/license number 12. Any vehicle or other device serial number 13. Device identifiers or serial numbers 14. Web URL 15. Internet Protocol (IP) address numbers 16. Finger or voice prints 17. Photographic images 18. Any other characteristic that could uniquely identify the individual
  • 6. HIPAA "Final Rule" * When HIPAA was first passed in 1996, most health care practitioners, hospitals and insurance companies scurried to bring themselves into compliance with the new standards. In the face of these final rules, business associates will have to engage in the same process. * HHS is stepping up enforcement efforts. * See Federal Register available online at http://federalregister.gov/a/2013-01073, and on FDsys.gov
  • 7. Intelligently discuss how HITECH relates to HIPAA
  • 8. HIPAA vs. HITECH Health Information Technology for Economic and Clinical Health (HITECH Act) of 2009: * Applied privacy and security provisions and penalties to business associates * Imposed new breach notification requirements * Created stricter disclosure requirements, such as: * Limiting the disclosure of PHI to the minimum necessary * Requiring health care providers to make available an accounting of certain disclosures when made at client/patient's request * Strengthening enforcement procedures and penalties
  • 9. Breach Reporting Requirements * If aware of a potential breach of protected health information: — Conduct risk assessment — Mitigate breaches * Purchase 1 year account to Equifax, TransUnion or Experian — Report breach to affected clients, the federal government, and in some cases, the media
  • 10. Insurance Company Disclosures * Do not disclose treatment information to your client's health insurance carrier if they are paying you out-of-pocket, unless the disclosure is required by law
  • 11. Client/Patient Request for Records * Clients/patients may ask for copies of their electronic health records in electronic form and you must comply
  • 12. What makes you a "covered entity"?
  • 13. Covered Entity The term "covered entity" under the HIPAA Privacy Rule refers to three specific groups, including health plans, health care clearinghouses, and health care providers that transmit health information electronically. Providers subject to the Privacy Rule include: * Doctors, * Clinics, * Psychologists, * Dentists, * Chiropractors, * Nursing Homes, and, * Pharmacies. http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/Privacyandsecurity/entityhipaa.html
  • 14. Explain why encryption is not adequate for HIPAA compliance
  • 15. HIPAA and Encryption * HIPAA sets many different types of standards * Technology does not need to be in compliance with those standards * Professionals have to be in compliance with the standards
  • 16. Name 5 little known, yet essential changes to HIPAA and HITECH as of January 2013
  • 17. HIPAA "Final Rule" * Infrastructure, documentation, and procedures for information privacy and IT security, and data encryption and disposal will have to be evaluated and brought into compliance. * Companies need to provide formal security training to all employees, designate a security official and implement appropriate business associate contracts with their own subcontractors.
  • 18. HIPAA, Business Associates & HITECH - All Business Associates in health care must sign an agreement stating their adherence to HIPAA standards - Transactions - Security - Privacy - True for any service you hire - This requirement is now enforced by the HITECH Act
  • 19. HIPAA "Final Rule" January 17, 2013 * Business associates of covered entities are directly liable for compliance with HIPAA Privacy and Security Rules' requirements. * Includes contractors, subcontractors and business service companies working for health care providers (e.g., companies providing electronic health records software, teleconferencing, data back-up and storage, billing, transcription and other IT services). * Raises the maximum penalty for data breaches from a previous cap of $250,000 to a maximum penalty of $1.5 million per violation.
  • 20. Business Association Agreements Remember to update Business Association Agreements (BAAs) * Contractors & subcontractors — Billing — Data storage — Office admins — Whomever has access
  • 21. HIPAA Policies * Use HIPAA compliant technologies and develop written processes — Document policies * Security & privacy policies — Repairs — Staff training — Breach notification, etc.
  • 22. Email Send PHI in unencrypted e-mail only if the client/patient is advised of the risk and still requests use of email as a means of transmission
  • 23. Unencrypted Email The new ethical standards released by the American Counseling Association (March, 2014) now state that counselors cannot have an initial contact with a potential client in email.
  • 24. Policies & Procedures Implement or update privacy and security policies and procedures: * Need policies to be written (a paragraph is ok) * Staff education * Breach procedures — Consult your attorney — 500 or more records: notify media
  • 25. Explain at least 2 warnings against Skype by leading mental health professional associations
  • 26. Skype and Health Privacy * Free * AES 265-bit encryption * Access to patient's environment BUT * Skype makes no claim that its services can be used in a HIPAA-compliant manner * Skype does not offer a BA Agreement * Cannot verify transmission security * Does not provide breach notification * Does not provide technical support * Frequently dropped calls — Emergencies? * No audit trails
  • 27. APA 2014 Skype Statement. APA Practice Central, Practice Update, April 24, 2014. Practitioner Pointer: Does the use of … This new feature from the APA Practice Organization provides answers from APA Practice staff to common inquiries from members. By Legal and Regulatory Affairs staff. Given the growing use of technology for communication, many practitioners are interested in knowing whether popular options are compatible with Health Insurance Portability and Accountability Act (HIPAA) requirements. Skype, whose basic features are free and easy to use, is one such option of interest to practicing psychologists. HIPAA does not specify the kinds of technologies that covered entities should use for creating, receiving, storing or transmitting electronic patient health information (ePHI). Under the HIPAA Security Rule, covered entities must conduct individual risk assessments about the technologies (hardware, software, etc.) they use that store or transmit ePHI. Skype does use encryption, a factor related to HIPAA Security Rule compliance. Even so, that factor alone does not accommodate HIPAA requirements. The use of Skype raises several concerns related to HIPAA. First, liability for failure to comply with HIPAA is now shared equally by covered entities and business associates — third parties that provide services to covered entities and may have access to PHI. So it is critical for practitioners to have business associate agreements in place. Yet Skype does not offer business associate agreements for health care professionals who want to use it for telehealth purposes. In fact, Microsoft, which owns Skype, did not mention Skype in its April 2013 press release announcing its updated business … http://www.apapracticecentral.org/update/2014/04-24/skype-hipaa.aspx
  • 28. American Psychological Association 1. Practitioners need to have Business Associate's Agreements, but Skype doesn't offer BAAs 2. Lack of audit controls to monitor who is accessing ePHI 3. Lack of breach notification tools to alert users of unauthorized disclosures or access to ePHI
  • 29. HIPAA requires an "audit trail". Skype doesn't provide audit trails — and isn't obligated to
  • 30. HIPAA & Private Practices From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency: 1. Impermissible uses and disclosures of protected health information; 2. Lack of safeguards of protected health information; 3. Lack of patient access to their protected health information; 4. Uses or disclosures of more than the minimum necessary protected health information; and 5. Lack of administrative safeguards of electronic protected health information. The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency: 1. Private Practices; 2. General Hospitals; 3. Outpatient Facilities; 4. Health Plans (group health plans and health insurance issuers); and, 5. Pharmacies. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html
  • 31. Read Skype's Privacy Policy * Skype may gather and use info about you... — Identification data (e.g. name, username, address, telephone number, mobile number, email address) — Electronic identification data (e.g. IP addresses, cookies) — List of your contacts and related data — Content of instant messaging communications, VMs, video messages * Skype uses its own cookies for a variety of purposes, including to — Provide internal and customer analytics and gain statistics and metrics about our websites * Skype's analytics, ad-serving and affiliate partners may also set and access cookies on your computer * Skype will take appropriate organizational and technical measures to protect the personal data and traffic data provided to it or collected by it with due observance of the applicable obligations and exceptions under the relevant legislation
  • 32. Skype's Hackings. By Leonas Sendrauskas on November 14, 2012, [UPDATE: 14/11/2012 @ 15:28 GMT] Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.
  • 33. Is Skype Reliable? Skype tiles & pixelates, the audio gets tinny, echoes develop, and often calls drop entirely. Sometimes consumers can see you and hear you, without your awareness.
  • 34. Telepsychiatry: The Perils of Using Skype. First released in 2003, Skype offers free, worldwide video access to any patient with an Internet connection, either by mobile device or desktop computer. What it does not offer, however, is a means of communication clearly suitable for clinical services—especially in mental health. According to estimates reported by groups such as the Institute for Healthcare Consumerism, telehealth is poised to grow by 55% in 2013 alone, and 6-fold by 2017. Wisely or otherwise, some of this growth will likely occur via Skype. Thus, it is prudent to consider the issues. The Health Insurance Portability and Accountability Act: Ordinarily, neither federal nor state law is designed to regulate specific proprietary entities such as Skype and its competitors. Video-chat platforms were developed for marketing to the general consumer, and not for health care. The Health Insurance Portability and Accountability Act (HIPAA) holds professionals responsible for conducting their own internal risk assessments regarding their chosen technologies. Before using any equipment the professional should require documentation that explicitly promises 'HIPAA compliance' or 'HIPAA compatibility.' One could take further comfort in a designation of Federal Information Processing Standard (FIPS) certification, a standard that may meet and exceed HIPAA standards. HIPAA requires the use of equipment that allows for audit trails. According to the American Health Information Management Association, audit trails allow breaches to be traced. Like other proprietary platforms, Skype makes it impossible to conduct approved security audits via audit trails. Skype itself is not
  • 35. Name the top US government website to reference when needing HIPAA/HITECH information.
  • 36. HHS.gov, Health Information Privacy, Office for Civil Rights. HIPAA Administrative Simplification Statute and Rules: To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information. HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
  • 37. Identify more than 60 HIPAA Compliant alternatives to Skype
  • 38. OCPM Step 3 Legal Issues: Which Technologies to Use? No Guesswork Needed (figure: HIPAA Compliant)
  • 39. HIPAA-Compliant Video Alternatives www.telehealth.org/video
  • 40. Identify at least 3 HIPAA requirements for risk assessment
  • 41. Risk Assessment & HIPAA * Conduct regular assessments — Identify all devices used with PHI — Identify potential weakness in security policies, processes and systems — Set & document goals for remediation * HHS's Office for Civil Rights and the Office of the National Coordinator for Health IT have released a security risk assessment tool: http://www.healthit.gov/providers-professionals/security-risk-assessment
  • 42. Identify at least one reason that HIPAA evokes concern among clinicians with regard to duty to warn
  • 43. Confidentiality Risk & HIPAA? * HIPAA is not a risk to privacy or confidentiality standards for mandated reporting. — Privacy is the client/patient's right to keep their information from being disseminated. — Confidentiality is our legal duty to protect the client's/patient's privacy. * HIPAA has set a standard for privacy and confidentiality.
  • 44. OCPM: Online Clinical Practice Management. Identify 3 states that have laws that are even more stringent than HIPAA for privacy or security
  • 45. State vs. Federal Law * Many states have their own privacy laws, which can be more stringent than federal law HIPAA & HITECH. * Examples are California, Illinois, New York & Texas.
  • 46. HIPAA. U.S. Department of Health & Human Services, HHS.gov, Health Information Privacy, Frequently Asked Questions. How do I know if a State law is "more stringent" than the HIPAA Privacy Rule? Answer: In general, a State law is "more stringent" than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals' identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does. See the definition of "more stringent" at 45 C.F.R. 160.202 for the specific criteria. For example, a State law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the Privacy Rule is "more stringent" than the Privacy Rule. In the unusual case where a more stringent provision of State law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of State law, and the State law prevails. Where the more stringent State law and Privacy Rule are not contrary, covered entities must comply with both laws. See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements.
  • 47. State vs. Federal Law * Consider obtaining a legal review of your HIPAA policies, procedures and other documents by your local, informed attorney. * Speak with your professional association's ethics or legal office.
  • 48. Notice of Privacy Practices Update your Notice of Privacy Practices: * OCR and the Office of the National Coordinator for Health Information Technology released a Model Notice of Privacy Practices, get it here: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
  • 49. Notice of Privacy Practices (cont.) Notice of Privacy Practices * Make available to existing clients on request * Post on your website * Display in a prominent location in your professional premises * Provide copy to all new clients
  • 50. Sale of Protected Health Information (PHI) * There are additional new restrictions on marketing and sale of PHI, which should be included in practitioners' HIPAA policies and procedures and Notice of Privacy Practices, if relevant.
  • 51. Where can you get all the other needed HIPAA forms? (Your professional association)
  • 52. Enforcement The most common types of covered entities required to take corrective action: * Private Practices * General Hospitals * Outpatient Facilities * Health Plans (group health plans and health insurance issuers) and * Pharmacies http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html
  • 53. (Screenshot of the HHS.gov Health Information Privacy page, Office for Civil Rights: "Case Examples and Resolution Agreements")
  • 54. Discussion? TeleMental Health Institute, Inc. contact@telehealth.org www.telehealth.org
