HIPAA 2010



    1. HIPAA: Health Insurance Portability and Accountability Act
       Barbara Benson, R.T.
    2. History of Medical Ethics
       • Hippocrates, 460 BC
       • Practice medicine for the benefit of patients
       • Primum non nocere: First, do no harm
       • Abstain from mischief and corruption
       • Maintain doctor-patient confidentiality
    3. History of Medical Ethics
       • Thomas Percival, 1803
       • Published the first code of medical ethics
       • Later adopted by the AMA in 1847
       • Moral authority and independence of physicians, responsibility to care for the sick, and individual honor
    4. History of Medical Ethics
       • Declaration of Geneva, 1948
       • Meant to update the Hippocratic Oath
       • Health and conscience
       • Voluntary consent
       • Access without discrimination
    5. Commonalities
       • Honesty
       • Integrity
       • Confidentiality
    6. HIPAA: Kennedy-Kassebaum Bill
       • Health Information Portability and Accountability Act
       • Protects the privacy and security of patient information
       • Sets limits on who can look at and receive health information
       • Final rule issued 8-14-02 requiring compliance by 8-14-03
    7. HIPAA Enforcement
       • Civil Penalties
       • Up to $100 per violation per individual
       • Criminal Penalties
       • “Egregious violations”: the sale of information, gaining access under false pretenses, or releasing information with harmful intent included
       • Up to $250,000 fine and possible incarceration
    8. What is Protected?
       • Protected Health Information (PHI)
         • Individually identifiable health information
         • Information that can be linked to a particular person originating from a health care service event
         • A physical or mental health condition at any time
    9. HIPAA Identifiers
       • Geographic subdivisions smaller than a State
       • Dates (except year) directly related to patient
       • Telephone numbers, Fax numbers, E-mail addresses, SS numbers
       • Medical record numbers, Health plan beneficiary numbers
       • Account numbers, Certificate/license numbers, Vehicle identifiers
       • Device identifiers and serial numbers, Web URLs, IP address numbers
       • Biometric identifiers, including finger and voice prints
       • Full face photos
       • Any other unique identifying number, characteristic, or code, except as permitted under HIPAA to re-identify data
    10. PHI Communication Methods
       • HIPAA governs where and how PHI is communicated between all TPOs
         • Electronic communication
         • Written communication including the medical record
         • Verbal communication between healthcare workers or between healthcare workers and the patient
    11. Privacy of Communication
       • Access, Use or Disclosure of all Protected Health Information is based on:
         • Need to Know
         and
         • Minimum Necessary
    12. Who Must Protect it?
       Covered Entities
       • A Health Plan or a Healthcare Provider who transmits any health information in electronic form in connection with a transaction
       • Business Associates with whom they share PHI
    13. “Need to Know”
       • Individually identifiable information should be made available only to persons whose job requires access to that information.
    14. “Minimum Necessary”
       • Only information that is the minimum necessary to get the job done no matter how much access is provided or available
       • Having access to patient information does not give the right to access or disclose regardless of intent
    15. “Minimum Necessary”
       • Before looking at information, ask yourself: “Do I need to know this to do my job?”
       • Before sharing information, ask yourself: “Do they need to know this information to do their job?”
    16. “Minimum Necessary”
       • Clinicians may look at and share with other clinicians the entire medical record of patients they are treating
    17. Patient Rights
    18. Notice of Privacy Practices (NPP)
       • Governs the uses of PHI as permissible by the patient within Treatment, Payment and Healthcare Operations (TPOs)
       • Once the patient is given a NPP at the first treatment encounter, PHI can be used for any TPO purpose
       • NPP is a once in a lifetime requirement
    19. NPP Requirements
       • Post NPP prominently
       • The patient signs a separate acknowledgement document that contains the privacy officer contact information for that facility
       • Copies of NPP and acknowledgement sheet to patient
    20. Patient Rights
       • NPP includes the patient's right to:
         • Restrict
         • Access
         • Amend
         • Accounting
         • Alternative Communication Methods
         • Complain
    21. Patient Rights
       • Minors (under 18) have a right to confidential treatment with respect to the following without a parent's consent or notice:
         • Abortion
         • Birth control
         • STD testing
         • HIV/AIDS testing
         • Mental health counseling
    22. Permitted by Law
       • Outside of TPO or patient authorization, the only other permitted uses of PHI are those required by law:
         • Investigations by HHS
         • Reporting about victims of abuse, neglect or domestic violence
         • Adverse Event Reporting
         • Reporting to Public Health Authorities
    23. HIPAA Authorization
       • Patient Authorization Elements
         • The information
         • Who may use or disclose the information
         • Who may receive the information
         • Purpose of the use or disclosure
         • Expiration date or event
         • Individual’s signature and date
         • Right to revoke authorization
         • Right to refuse to sign authorization
         • Redisclosure statement
    24. Record Keeping
       • Good record keeping is a must
       • Authorizations for use of PHI should be kept for at least six years
       • Additionally, keep a record of what information was sent, and to whom.
    25. Privacy Protection
    26. Privacy Protection
       • Acceptable to use the patient’s full name on sign in sheets but not the reason for the visit
       • Acceptable to page a patient using their full name
       • Ask companions to honor the patient’s privacy by waiting in another room
    27. Privacy Protection
       • Do not leave medical information on answering machines
       • Do not leave the medical record unattended
       • Dispose of patient information properly
    28. Computer Privacy Protection
       • Use 7 character alpha numeric passwords
       • Do not share passwords
       • Secure written passwords
       • Log off
       • Use screen savers
       • Keep monitor facing away from onlookers
       • Avoid sending the patient information using e-mail
    29. Practical Privacy Tips
       • Be aware of your surroundings and who’s listening
       • Close doors whenever possible
       • Speak as softly as possible
       • Knock before entering
       • Secure the privacy of all medical records before walking away
    30. HIPAA and Research
       • An authorization must be signed by patients for all clinical research
       • HIPAA Disclosure Universe
         • Authorization: signed by patient for all clinical research
         • Waiver: criteria applied before records research
         • Exceptions: documented
         • De-identified
         • Limited Dataset
         • TPO
         • Public Safety and other exceptions
    31. Research Authorization
       • Who can use or disclose PHI
       • To whom PHI may be disclosed
       • What PHI may be used or disclosed
       • The purposes of the use or disclosure of PHI
       • The duration of the authorization (expiration date or event)