3. Completion of training is mandatory under HIPAA for the entire staff of
Sensible Care, whatever their position.
MANDATORY
4. The Health Insurance Portability and Accountability Act (HIPAA) was
enacted in 1996 as part of a broad congressional attempt at incremental
healthcare reform.
It took effect October 15, 2002
The Privacy Rule took effect April 14, 2003
What is HIPAA?
5. Title I guarantees individual access to health insurance, portability,
limits some pre-existing condition exclusions and does not discriminate
based on health status.
Title II addresses fraud and abuse that will most affect pre-hospital
providers.
Title III covers Medical Savings Account and provides a health
insurance tax deduction for the self-employed.
Title IV covers group health plans.
Title V deals with the costs of implementation.
It is important to note that the Act doesn't provide any economic relief to
providers to take care of the costs of compliance.
What does HIPAA do?
6. HIPAA has two primary purposes:
One is to provide continuous insurance coverage for workers
who change jobs,
and the other is to "reduce the costs and administrative burdens
of health care by making possible the standardized, electronic
transmission of many administrative and financial transactions
that are currently carried out manually on paper".
PURPOSE
7. HIPAA is a comprehensive rule, and violation can result in either civil
or severe criminal penalties.
The civil aspects are enforced by the Health and Human Services
Department's Office of Civil Rights.
The Criminal Aspects are enforced by the Justice Department, and the
FBI is the investigating agency in charge of criminal enforcement.
HIPAA is the FLOOR: State privacy laws are left in effect to the extent
that their provisions are at least equal to the federal laws. If state laws
are less stringent, the more stringent federal rules will apply; if
state laws are more stringent, they will apply to the extent of their more
stringent provisions.
8. Notifying patients about their privacy rights and how their information can be used.
(Post it, give it to the patient, and document it.)
Adopting and implementing privacy procedures for its practice, hospital, or plan.
Training employees so that they understand the privacy procedures.
Designating an individual to be responsible for seeing that the privacy procedures
are adopted and followed. (Privacy Officer)
Securing patient records containing individually identifiable health information so
that they are not readily available to those who do not need them.
What does it require?
9. STATE LAW REQUIRES YOU TO REPORT:
• Disease or injury
• Child abuse
• Elder abuse
• Spousal abuse
• Birth
• Death
• Or for the conduct of public health surveillance, investigation or
intervention
Exceptions to HIPAA for State Law
10. It gives patients more control over their health information.
It sets boundaries on the use and release of health records.
It establishes appropriate safeguards to protect the privacy of health
information.
It holds violators accountable, with civil and criminal penalties that can
be imposed if they violate patients' privacy rights.
It provides for electronic and physical security of personal and health
information.
And it strikes a balance when public responsibility supports disclosure
to protect public health.
So what does HIPAA do?
11. It enables patients to find out how their information may be used, and
about certain disclosures made of their information.
It generally limits release of information to the minimum reasonably
needed for the purpose of the disclosure.
It generally gives patients the right to examine and obtain a copy of
their own health records and to request corrections.
It empowers individuals to control certain uses and disclosures of their
health information.
So what does HIPAA do? Continued
12. This HIPAA Training Program
will answer…
What does HIPAA do?
Who has to follow the HIPAA law?
What is Protected Health Information?
When do we start?
How does HIPAA affect you?
Why is HIPAA important?
13. Under the patchwork of laws existing prior to adoption of HIPAA and
the Privacy Rule, personal health information could be distributed
without notice or authorization, including for reasons that had nothing
to do with a patient's medical treatment or health care reimbursement.
Why is HIPAA needed?
14. Notifying patients about their privacy rights and how their information
can be used. (Post it, give it to the patient, and document it.)
Adopting and implementing privacy procedures for practices,
hospitals, providers, or plans.
Training employees so that they understand the privacy procedures.
Designating an individual to be responsible for seeing that the privacy
procedures are followed. (Privacy Officer)
Securing patient records containing individually identifiable health
information so they are not readily available to those who do not need
them.
What does it require?
15. Must provide a process for individuals to make complaints and
document such complaints and their disposition.
Must develop anti-retaliation policy.
The privacy provisions:
• Apply to all providers using electronic media to transmit patient
information
• Cover any medical record and other "individually identifiable health
information"
• Mental health records are subject to even more stringent regulations.
Requirements continued
16. An Overview of the Law
HIPAA (Health Insurance Portability and Accountability Act of 1996)
Title I: Portability
Title II: Administrative Simplification
- PRIVACY: Administrative Requirements; Individual Rights; Use and
Disclosure of PHI
- Identifiers
- Code Sets
- Transactions / EDI
- SECURITY: Technical Security Mechanisms; Technical Security Services;
Physical Safeguards; Administrative Procedures
Title III: Medical Savings Accounts
Title IV: Group Health Plan Provisions
Title V: Revenue Offset Provision
17. Civil violation
• $100 per violation
• Individuals are liable along with the provider
• $25,000 maximum civil fines per person in one year
(Contrast State penalty of $3,000 per violation, enforced by TDH)
Federal Penalties
18. For fraud, abuse & disclosure for money
$50,000 and 1 year, lowest level
$250,000 and 10 years, highest level
Average sentence for first time offender at highest level: $87,000
plus 67 months
According to federal sentencing guide
Federal Criminal Penalties
19. Texas Privacy Act, enacted in 2001, took effect September 1, 2003
Chapter 181.001 et seq., Texas Health and Safety Code
Tracks HIPAA but adds new powers to insurance commissioner to formulate
privacy rules for insurance companies
More stringent than HIPAA in some ways
May be enforced by TDH against EMS providers and individuals
Provides a $3,000 fine for a civil violation, instead of the $100 HIPAA provides
Provides $250,000 for criminal violation
Allows Attorney General to seek injunctive relief
Texas Medical Records Privacy Act, SB11
21. Who Is Impacted?
Health care providers: A provider of medical, psychiatric, or other health services,
and any other person or entity furnishing health care services or supplies.
Health plans: An individual or group health plan that provides or pays the cost of
medical care.
Clearinghouses: A public or private entity that processes or facilitates the processing
of non-standard data elements of health information into standard data elements and
who transmits any health information in electronic form in connection with a
transaction covered in the legislation.
Business Associates and Trading Partners
22. One who processes claims for a provider
One who uses individually identifiable health info for:
• Utilization review
• Quality assurance or improvement
• Billing, collection agencies & data management
• Benefit management & financial services
• Medical Director, student rideouts, housekeeping
• Lawyers, accountants, consultants, and accrediting agencies
• If you TREAT the patient you are NOT a business associate
• Must have a contract obligating them to safeguard protected health information.
Business Associate
23. Business Associate Contracts
Must establish the permitted and required uses and disclosures of
protected health information by the business associate and may not
authorize further disclosure in violation of the regulations
If the covered entity knows of a practice or pattern of activity that
constitutes a material breach of the business associate's obligations under
the contract, the covered entity must take reasonable steps to ensure cure
of the breach, or terminate the contract, or report the problem to the
Secretary of Health and Human Services.
24. Business Associate Obligations
Must not use or disclose protected health information in violation of the law or
contract.
Implement safeguards against improper use or disclosure.
Ensure that any agents or subcontractors agree to fulfill contractual and legal
obligations.
Afford individual access to records; make available records for amendment by the
individual; account to the individual for use or disclosure other than for payment,
treatment, or operations.
At termination of the contract, return or destroy protected health information.
25. "In addition to the penalties prescribed by this chapter, a violation of
this chapter by an individual or facility that is licensed by an agency of
this State is subject to investigation and disciplinary proceedings,
including probation or suspension by the licensing agency. If there is
evidence that the violations of this chapter constitute a pattern or
practice, the agency may revoke the individual's or facility's license."
§181.202. Disciplinary Action
26. YOUR LIABILITY INSURANCE DOES NOT INSURE YOU AGAINST
INVASION OF PRIVACY AND WILL NEITHER PAY FOR YOUR
DEFENSE NOR PAY A JUDGMENT AGAINST YOU.
One hour of a good lawyer's time begins at no less than $250-350/hr.
27. Title II and its regulations raise many questions and
problems for covered providers. These will need to be
addressed at all times if one is to be in compliance.
Title II: Privacy Regulations
28. What Is Impacted?
TRANSACTIONS
A transaction is the exchange of information between two parties to carry out
financial and administrative activities related to health care. It includes:
Health claims,
Health care Billing, Payments and Explanation of Benefits (EOB),
29. What Is Impacted?
Transactions Continued
Medical Records
Billing Records
Coordination of benefits,
Enrollment/disenrollment in a health plan,
Eligibility for a health plan,
Health plan premium payments,
Referral certification and authorization,
First report of injury, and
Health claims attachments.
30. So, What is Health Information?
Any information, recorded in any way whatsoever, that is:
- Created or received by a provider
- Related to past, present or future physical or mental health or
condition
- Related to provision of health care
- Related to payment for services
31. What Is Impacted?
PROTECTED HEALTH INFORMATION
Protected Health Information is defined as any information,
whether oral or recorded, in any form or medium, that-
(A) Is created or received by a provider, health plan, public
health authority, employer, life insurer, school, or
clearinghouse; and
(B) Relates to the past, present or future physical or mental
health or condition of an individual, the provision of health
care to an individual, or the past, present, or future payment
for the provision of health care to an individual.
32. What is considered
Protected Health Information?
- A person's name, address, birth date, age, phone and fax numbers, e-mail
address
- Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test
results, assessment or procedure with respect to physical or mental status
of an individual
- Billing records, claim data, referral authorizations, explanation of
benefits
- Research records
33. What Is Impacted?
PROTECTED HEALTH INFORMATION
Protected Health Information is defined as any information, whether
oral or recorded, in any form or medium, that is a subset of
health information, including demographic information collected
from an individual, and:
(A) Is created or received by a provider, health plan, public health
authority, employer, life insurer, school, or clearinghouse; and
(B) Relates to the past, present or future physical or mental health or
condition of an individual, the provision of health care to an
individual, or the past, present, or future payment for the
provision of health care to an individual.
34. SC may create, use and share a person's PHI for:
- Treatment
- Billing and Payment
- Company's Business Management and Operations
- Disclosures Required by Law
- Public Health and Other Governmental Reporting
35. PHI Consent
Some uses and disclosures of PHI do not require
consent.
The use and disclosure of protected health information
relating to treatment, payment, or health care
operations does not require prior written consent.
36. Minimum Necessary Rule
When using or disclosing Protected Health Information (PHI) or
when requesting PHI from another covered entity, you must make
reasonable efforts to limit PHI disclosure to the minimum
necessary to accomplish the intended purpose of the use,
disclosure, or request, unless an exception applies.
37. Minimum Necessary Rule
Exceptions
The minimum necessary requirement does not apply in the following instances:
Disclosures to or requests by a health care entity for purposes of treatment.
Uses or disclosures made to the individual who is the subject of the PHI.
Uses or disclosures made pursuant to a valid authorization initiated by the
individual.
Disclosures to the secretary of the Department of Health and Human Services
(HHS).
Uses or disclosures that are required by law.
Uses or disclosures required for compliance under HIPAA, including compliance
with the implementation specifications for conducting standard data transactions.
38. Requests for Disclosure
Sensible Care may rely on a request for disclosure as the minimum
necessary for the stated purpose when:
Making permitted disclosures to public officials, if the public official
represents that the information is the minimum necessary for the stated
purpose(s).
The information is requested by another covered entity.
The information is requested by a professional who is a staff member or
is a business associate for the purpose of providing professional
services to Sensible Care if the professional represents that the
information requested is the minimum necessary for the stated
purpose(s).
The information is requested for research purposes and the person
requesting the information has provided documentation or
representations verifying such intended purpose.
39. Using and Disclosing PHI Without Consent
Disclosure without consent can occur:
• When a disclosure is required by federal, state, or local law, judicial
or administrative proceedings, or law enforcement.
• In certain emergency treatment situations.
• To avoid harm.
• For specific government functions.
• For workers' compensation purposes.
• For appointment reminders and health-related benefits or services.
• For fundraising activities, public health activities, organ donations,
and for research purposes.
40. Release
Transfer
Provision of access to
Divulging
Info to anybody other than the provider
Conducting quality assessment and improvement activities
Outcome evaluation
Clinical guidelines
What constitutes Disclosure?
41. Examples:
• HMO contacting a provider about treatment alternatives
• Disclosure to press
• Disclosure to police unless under the exceptions
• PEER review activities
• Training programs involving students
More Possible Instances of Disclosure
42. Use in certification, licensing or credentialing activities
Use in fraud or abuse detection
To your own lawyers when seeking legal advice
To auditors
Business planning
Customer service if using patient identifiers
To law enforcement official
**SECURITY OFFICER/PRIVATE INVESTIGATOR IS NOT
LAW ENFORCEMENT. TELL THEM NOTHING WITHOUT
AUTHORIZATION FROM PATIENT.**
Disclosure Continued…
43. Court orders and warrants
Subpoenas or summons issued by a court
Grand jury subpoenas
Subpoenas from administrative body authorized to require production
of info
Subpoenas in civil suit
Search warrant
JP in case of death
What is "Required by law"?
44. Education records covered by the Family Educational Rights and Privacy Act,
20 US Code, Section 1232g
Employment records maintained by a provider on its own employees
Protected Health Info Excludes:
45. Before any disclosure you must:
Verify the ID of requesting person
Obtain all documentation of credentials possible
Acceptable credentials:
Government ID cards, badges, etc.
Written on appropriate government letterhead
Written statement of legal authority
If a written statement is impracticable, an oral statement of such legal
authority
Verification Requirements:
Identity & Authority
46. You must disclose only the minimum necessary information, based on
the intended purpose of the disclosure.
GENERAL RULES:
Minimum Necessary Standard
47. Disclosure for Treatment, Dispatch & Healthcare Operations, and
Payment
Disclosures required or permitted by law, to the extent required or
permitted.
Minimum Necessary does not apply to:
49. Information may flow freely in any direction
from caregiver to caregiver,
From ambulance to hospital
From hospital to ambulance,
From nursing home to ambulance
When required for treatment
A treatment facility and its employees may discuss treatment with
another treatment facility and its employees.
There is no "minimum necessary rule" when treatment is involved.
Treatment and healthcare operations may overlap.
Disclosure for Treatment
50. When you are required to report something:
• Infectious disease
• Child abuse
• Elder abuse
• MVA
• Homicide
• Assault
Disclosures required by law
51. A hospital Emergency Dept. may give a patient's payment info to an
ambulance service provider that transported the patient to the hospital
in order to bill for its treatment services.
Covered entities are free to engage in communications as required for
quick, effective and high quality health care.
In these circumstances, reasonable precautions could include using
lowered voices or talking apart from others when sharing protected
health info. However, in a loud ER, or when the patient is hearing
impaired, such precautions may not be practical.
Healthcare Operations
52. Follow-up on patients
QA/QI
Peer review
Protocol Development
Policy/Procedure Development
Financial Analysis
Continuing Ed
More Healthcare Operations
53. YOU MAY DISPATCH
- 404 Broadway on a behavioral emergency
- 2057 E. Pine, CPR in progress
- 1811 Forest, OB call
YOU MAY NOT DISPATCH
- 605 W. Bonham, man has penis caught in zipper or possible rectal foreign
body
- 404 Broadway, John Johns, AIDS patient, is having hallucinations and
seeing demons
Dispatch (Healthcare Operation)
54. Info may be sent to:
- Billing office
- 3rd party billing company
- Collection agency
- Insurance company
- Billing clearinghouse
- Attorneys
Payment
55. The Privacy Rule does not require structural or systems changes such
as encryption of wireless or other emergency medical radio
communications, which can be intercepted by scanners.
56. Q: CAN HEALTH CARE PROVIDERS ENGAGE IN CONFIDENTIAL
CONVERSATIONS WITH OTHER PROVIDERS OR WITH
PATIENTS, EVEN IF THERE IS A POSSIBILITY THAT THEY COULD
BE OVERHEARD?
A: Yes. The HIPAA Privacy Rule is not intended to prohibit providers
from talking to each other and to their patients. The provisions of this
rule that require covered entities to implement reasonable safeguards
reflecting their particular circumstances, and that exempt treatment
disclosures from certain requirements, are intended to ensure that
providers' primary consideration is the appropriate treatment of their patients.
Reasonable Precautions
57. You must have a business agreement with that associate
that guarantees that the info will be safeguarded.
Disclosures to Business Associates
58. Consent allows you to gather and use info for treatment; that info may be
passed along to others in the treatment chain.
It does not permit disclosure to others not involved in treatment,
payment filings or operations, such as newspapers or other media.
CONSENT and AUTHORIZATION
are different
59. Must be signed by all persons who have access to PHI
- Company staff
- Business associates and their employees
- Students
- Observers
- First responders
CONFIDENTIALITY AGREEMENT
60. WHAT YOU SAY HERE
WHAT YOU SEE HERE
WHAT YOU HEAR HERE…
WHEN YOU LEAVE HERE
LET IT STAY HERE
PRIVACY RULE
61. Mandatory injury reporting (bullet wounds, etc.)
Court order
Grand jury subpoenas
Administrative request
Subpoena issued by proper authority
Specific request
Necessary to ID the patient
To arrest a perpetrator
To stop a crime in progress
To prevent a crime
To disclose where Patient was taken
To prevent danger to Public Safety
Disclosures: Law Enforcement Purposes
62. Routine investigation can wait
Detectives working on a case
What a pt. tells you about ETOH ingestion
What a pt. tells you about drugs ingested
Urgent need for disclosure
vs. non-urgent need
63. You may generally rely on law enforcement's
representations unless obviously wrong.
Law Enforcement says they need it now
64. Observations that are in public are not protected
Communications between EMS and patient that would not have
occurred except for the special relationship between patient and
caregiver ARE PROTECTED.
COMMUNICATION
vs. OBSERVATION
65. Name and address
Date and place of birth
Social Security number
ABO blood type and Rh factor
Type of injury
Date and time of treatment
Date and time of death
Description of distinguishing physical characteristics: height, weight,
gender, race, hair and eye color, facial hair, scars or tattoos…
Limited disclosure: ID and Location
Purposes
66. Privacy Notice
Every client is provided with a Notice of Privacy
Practices at time of transportation. The Notice
describes:
How Sensible Care can use and share protected health
information, and
Every client's privacy rights
The privacy notice is also published on the Sensible
Care web site.
Copies of the Notice of Privacy are available from
the Privacy Officer or Program Manager.
67. Clients' PHI Rights
One of the purposes of the new HIPAA rule is to give clients more
control over their PHI, such as:
The right to request limits on uses and disclosures of their PHI.
The right to choose how we send PHI to them.
The right to view and obtain copies of their PHI.
The right to correct or update their PHI.
68. How do clients exercise these rights?
Special forms to request changes, corrections, copies, etc. are available from
the Privacy Officer.
69. What client information
must be protected?
We must protect a clientās personal and health information that:
Is created, kept, filed, used or shared
Is written, spoken, electronic or digital
As already stated, HIPAA defines client personal and health information as
Protected Health Information, or "PHI" for short.
71. How will HIPAA affect your duties?
If you currently see, use, share and/or create a personās protected health
information as part of your job or duties, HIPAA will change the way you
work.
You must protect the privacy of clients' and Sensible Care staff's
protected health information.
72. When can you use PHI?
ONLY to do your job or duties!
At all other times, protect a clientās information as
if it were your own information!
73. How can you use PHI?
You may look at a person's PHI only if you need it to do your job or duties.
You may use a person's PHI only if you need it to do your job or duties.
You may give a person's PHI to others when it is necessary for them to do
their jobs.
You may talk to others about a person's PHI only if it is necessary to do
your job or duties.
74. Why is HIPAA important?
Protecting privacy is important!
We all want our PHI to be private
Our clients want their PHI to be private
It's the right thing to do
It's the law
75. What can happen if we don't follow HIPAA?
Someone who does not protect a person's personal and/or health care
privacy could:
Lose his/her job
Pay fines
Go to jail
80. Where to Find Out
More About HIPAA
Check the copy you received with your Hiring Packet.
Also, the Privacy Notice is on our Internet
website: www.SensibleCare.org
Contact Suzanne Guggenheim, Compliance and
Privacy Officer with questions and/or concerns