Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board


Published on

Published in: Business, Economy & Finance
  • Be the first to comment

  • Be the first to like this

HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board

  1. 1. H AA W IP orkforce T raining P RIVACY and H AA IP
  2. 2. M ANDAT ORY Completion of training is mandatory under H AA for the entire workforce of the IP M RB H Including volunteers, like yourselves.
  3. 3. What is HIPPA? In 1996 President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA). This new law was enacted as part of a broad congressional attempt at incremental healthcare reform. HIPAA has two primary purposes. One is to provide continuous insurance coverage for workers who change jobs, and the other is to “ reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper” .
  4. 4. H AA W IP orkforce T raining HIPAA requires that the MHRB create HIPAA policies and procedures that may affect your work as a Board member.
  5. 5. T H AA T his IP raining P rogram will answer… What does HIPAA do? Who has to follow the HIPAA law? What is Protected Health Information? When do we start? How does HIPAA affect you? Why is HIPAA important?
  6. 6. W hat does H P do? IP A H AA is the H IP ealth Insurance P ortability and Accountability Act of 1996. It is a federal law that… – Protects the privacy of a client’ s personal and health information – Provides for electronic and physical security of personal and health information – Simplifies billing and other transactions
  7. 7. An Overview of the L aw H IP A A H e a lt h I n s u r a n c e a n d P o r t a b ilit y A c t o f 1 9 9 6 T it le I P o r t a b ilit y T it le I I A d m in is t r a t iv e S im p lific a t io n T it le I I I M e d ic a l S a v in g s A c c o u n ts P R IV A C Y EDI S E C U R IT Y U s e a n d D is c lo s u r e of PHI T r a n s a c tio n s A d m in is tr a tiv e P ro c e d u re s In d iv d u a l R ig h ts Code S e ts P h y s ic a l S a fe g u a rd s A d m in is tr a tiv e R e q u ir e m e n ts Id e n tifie r s T e c h n ic a l S e c u rity S e r v ic e s T e c h n ic a l S e c u rity M e c h a n is m s T it le I V G r o u p H e a lt h P la n P r o v is io n s T it le V R e v e n u e O ffs e t P r o v is io n
  8. 8. HIPAA is the FLOOR HIPAA regulations are the minimum starting point for protecting health information and do not supersede any rules, regulations, or standards that are more stringent. For example, if ODMH rules are more stringent than HIPAA rules, we must follow the ODMH rule.
  9. 9. Organizational and Administrative Requirements A Privacy Officer must be appointed to implement and develop privacy policies and procedures for the agency. Must train all employees (current and new) on privacy policies and procedures. Must amend all business associate contracts to establish the permitted and required uses and disclosures of PHI. Must verify the identity and authority of person requesting PHI.
  10. 10. Organizational and Administrative Requirements Must disseminate a notice of our privacy practices to existing clients and all new clients and within 60 days of any material revision. Must notify clients every 3 years of the availability of the notice. A covered entity with a website must post their notice on the web.
  11. 11. Organizational and Administrative Requirements Must document compliance with notice requirements and keep copies of notices issued. Must document who is responsible for receiving and processing client inquiries regarding his/her PHI.
  12. 12. Organizational and Administrative Requirements Must provide a process for individuals to make complaints and document such complaints and their disposition. Must develop anti-retaliation policy.
  13. 13. W has to follow H AA? ho IP Everyone!
  14. 14. W Is Impacted? ho Health care providers – A provider of medical, psychiatric, or other health services, and any other person or entity furnishing health care services or supplies. Health plans – an individual or group health plan that provides or pays the cost of medical care. Clearinghouses – A public or private entity that processes or facilitates the processing of non-standard data elements of health information into standard data elements and who transmits any health information in electronic form in connection with a transaction covered in the legislation. Business Associates and Trading Partners
  15. 15. Business Associate A person or entity to whom a covered entity discloses protected health information, to perform a function on behalf of or to provide services to a covered entity. Includes lawyers, accountants, consultants, and accrediting agencies. Must have a contract obligating them to safeguard protected health information.
  16. 16. B usiness Associate Contracts Must establish the permitted and required uses and disclosures of protected health information by the business associate and may not authorize further disclosure in violation of the regulations If the covered entity knows of a practice or pattern of activity that constitutes a material breach of the business associate’ s obligations under the contract, the covered entity must take reasonable steps to ensure cure of the breach or terminate the contract or report the problem to the Secretary of Health and Human Services.
  17. 17. B usiness Associate Obligations Must not use or disclose protected health information in violation of the law or contract. Implement safeguards against improper use or disclosure. Ensure that any agents or subcontractors agree to fulfill contractual and legal obligations. Afford individual access to records; make available records for amendment by the individual; account to the individual for use or disclosure other than for payment, treatment, or operations. At termination of the contract, return or destroy protected health information.
  18. 18. W hat Is Impacted? T RANSACT IONS A transaction is the exchange of information between two parties to carry out financial and administrative activities related to health care. It includes: – H ealth claims or encounter information, – H ealth care payment and E xplanation of B enefits (E ), OB
  19. 19. W hat Is Impacted? T ransactions Continued Coordination of benefits, Enrollment/disenrollment in a health plan, Eligibility for a health plan, Health plan premium payments, Referral certification and authorization, First report of injury, and Health claims attachments.
  20. 20. W hat Is Impacted? P ROT CT D H AL H INF E E E T ORM ION AT Protected Health Information is defined as any information, whether oral or recorded, in any form or medium, that(A) Is created or received by a provider, health plan, public health authority, employer, life insurer, school, or clearinghouse; and (B) Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
  21. 21. What is considered Protected Health Information? A person’ s name, address, birth date, age, phone and fax numbers, email address Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test results Billing records, claim data, referral authorizations, explanation of benefits Research records
  22. 22. The Board may create, use and share a person’ s PHI for: Treatment Billing and Payment Agency Business Management and Operations Disclosures Required by Law Public Health and Other Governmental Reporting
  23. 23. PHI Consent Some uses and disclosures of PHI do not require consent. The use and disclosure of protected health information relating to treatment, payment, or health care operations does not require prior written consent.
  24. 24. Minimum Necessary Rule When using or disclosing Protected Health Information (PHI) or when requesting PHI from another covered entity, The Board must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, unless an exception applies.
  25. 25. Minimum Necessary Rule Exceptions The minimum necessary requirement does not apply in the following instances:   Disclosures to or requests by a health care entity for purposes of treatment. Uses or disclosures made to the individual who is the subject of the PHI. Uses or disclosures made pursuant to a valid authorization initiated by the individual. Disclosures to the secretary of the Department of Health and Human Services (HHS). Uses or disclosures that are required by law. Uses or disclosures required for compliance under HIPAA, including compliance with the implementation specifications for conducting standard data transactions.
  26. 26. Requests for Disclosure The Board may rely on a request for disclosure as the minimum necessary for the stated purpose when: Making permitted disclosures to public officials, if the public official represents that the information is the minimum necessary for the stated purpose(s). The information is requested by another covered entity. The information is requested by a professional who is a member of The Board’ s workforce or is a business associate of Board for the purpose of providing professional services to The Board if the professional represents that the information requested is the minimum necessary for the stated purpose(s). The information is requested for research purposes and the person requesting the information has provided documentation or representations to The Board verifying such intended purpose.
  27. 27. Using and Disclosing PHI Without Consent When a disclosure is required by federal, state, or local law, judicial or administrative proceedings, or law enforcement. Disclosure without your consent can occur in certain emergency treatment situations. To avoid harm. For specific government functions. For workers' compensation purposes. Appointment reminders and health-related benefits or services. For fundraising activities, public health activities, organ donations, and for research purposes.
  28. 28. Verification In certain instances, as permitted or required by law, The Board can or must disclose an individual’s PHI, even where there is no specific consent or authorization from the individual to do so. No PHI will be disclosed without precautions being made to assure that the identity of the person requesting PHI information is verified and that they have the authority to have access to the information requested.
  29. 29. Verification of Identity When the identity of the person seeking disclosure of an individual’s PHI is not known to The Board, verification of the person’s identity is as follows: If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status. If the request is in writing, the request is on the appropriate government letterhead or other accepted proof of identity is documented. If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the governments’ authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
  30. 30. Verification of Authority To verify the authority of a public official, The Board may rely on any of the following: A written statement of the legal authority under which the information is requested or, 2. if a written statement is impracticable, an oral statement of such legal authority, 3. If a request is made pursuant to legal process, a warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal will be presumed to constitute legal authority.
  31. 31. Privacy Notice Every client is provided with a Notice of Privacy Practices upon enrollment at a contract agency The Notice describes” – How the MHRB can use and share protected health information, and – Every client’ s privacy rights The privacy notice is also published on the MHRB’ s web page. Copies of the Notice of Privacy are available from the Privacy Officer or Secretary.
  32. 32. Clients’ PHI Rights One of the purposes of the new H AA rule is IP to give clients more control over their P I. H Such as: The right to request limits on uses and disclosures of their PHI. The right to choose how the agency sends PHI to them. The right to view and obtain copies of their PHI. The right to correct or update their PHI.
  33. 33. How do clients exercise these rights? Special forms to request changes, corrections, copies, etc. are available from the Privacy Officer.
  34. 34. What client information must be protected? We must protect a client’ s personal and health information that: – Is created, kept, filed, used or shared – Is written, spoken, electronic or digital As already stated HIPAA defines client personal and health information as Protected Health Information or “ PHI” for short.
  35. 35. W hen do we start? NOW !
  36. 36. How will HIPAA affect your duties? If you currently see, use, share and/ or create a person’s protected health information as part of your job or duties, H AA will change the way you IP work. You must protect the privacy of the client and M RB workforce protected H ’s health information.
  37. 37. When can you use PHI? ONLY to do your job or duties! At all other times, protect a client’ s information as if it were your own information!
  38. 38. H can you use P I? ow H You may look at a person’ s PHI only if you need it to do your job or duties. You may use a person’ s PHI only if you need it to do your job or duties. You may give a person’ s PHI to others when it is necessary for them to do their jobs. You may talk to others about a person’ s PHI only if it is necessary to do your job or duties.
  39. 39. Why is HIPAA important? P rotecting privacy is important! W all want our P I to be e H private Our clients want their P I to H be private It’s the right thing to do It’s the law
  40. 40. What can happen if we don’ t follow HIPAA? Someone who does not protect a person’ s personal and/or health care privacy could: – Lose his/her job – Pay fines – Go to jail
  41. 41. F ines? Fines range from $50,000 to $250,000 per incident
  42. 42. J ail? Jail terms can be up to 10 years per incident
  43. 43. Did you know….? The Board must protect your personal health information with as much diligence and security as we protect clients’ PHI.
  44. 44. W hen do we have to protect P I? H NOW !
  45. 45. H AA Stories IP Please read the following two HIPAA stories carefully as you will be asked to discuss them on the quiz.
  46. 46. H AA Story #1: Annie IP After serving on the client’s rights appeal committee, I ran into the customer Annie, who filed the appeal at the grocery store. She came up to me and started talking about her appeal, the medications she was placed on and how she was not feeling any better. I told her I could not discuss her appeal that it was confidential, and that it takes time for some medications to work. Did I do the right thing?
  47. 47. H AA Story #2: B IP arry I happened to be using the copier in the MHRB office when a fax arrived. I did not read any of the details but recognized the client name on the incident report. I did not do anything with the information and kept it to myself. Did I do the right thing?
  48. 48. W here to F Out ind M ore About H AA IP The Privacy Notice is on the agency’ s Internet Website: Contact Kim Tapie, Compliance and Privacy Officer with questions and/or concerns Review HIPAA materials in the Board’ s Operations Manual
  49. 49. T E he nd! Congratulations! You have completed The HIPAA Privacy Training .