Published in: Business, Health & Medicine

1. The Health Insurance Portability and Accountability Act
   What is it, and how will it affect us?

2. Who Needs Training and Why
   - Employees who come in contact with Protected Health Information (PHI) are federally required to attend training
     - Departments are listed later
   - This presentation is designed to
     - Familiarize you with
       - HIPAA regulations
       - Our policies and procedures regarding PHI
     - Ensure federal compliance
   - Our policies will be listed at www.hipaa.cmich.edu

3. Summary of the Law
   - To improve portability and continuity of health insurance coverage in the group and individual markets
   - To combat waste, fraud, and abuse in health insurance and health care delivery
   - To simplify the administration of health insurance, and for other purposes

4. What Exactly is HIPAA?
   - Public Law 104-191 (1996)
   - Administered by the U.S. Department of Health and Human Services (HHS): the Centers for Medicare and Medicaid Services (CMS) oversee the transaction and code set standards, and the Office for Civil Rights (OCR) enforces the Privacy Rule
   - A federal law designed to:
     - Give patients control over how their Protected Health Information (PHI) is used and shared between health care providers and other covered entities
     - Ensure confidentiality of PHI

5. Protected Health Information
   - PHI is any Individually Identifiable Health Information (IIHI) that is:
     - Created or received by a health care provider, health plan, employer or health care clearinghouse
     - Related to the past, present or future physical or mental health or condition of an individual, the provision of health care to the individual, or payment for that care
     - Able to identify the individual, or for which there is a reasonable basis to believe it could be used to identify the individual
     - Transmitted or maintained in any form or medium (oral, paper or electronic)
   - Examples
     - Medical charts
     - Problem logs
     - Photographs
     - Communications between professionals
     - Health insurance policy numbers

6. Individual Identifiers (courtesy of www.hipaacow.com)
   Removing all of the following is the "Safe Harbor" method of de-identifying PHI:
   - Names
   - Geographic subdivisions smaller than a state
     - Street address
     - City
     - County
     - Precinct
     - ZIP code and equivalent geocodes, except for the initial three digits
   - All elements of dates (except year) directly related to an individual
     - Birth date
     - Admission date
     - Discharge date
     - Date of death
     - All ages over 89 (these may be aggregated into a single "90 or older" category)
   - Telephone numbers
   - Fax numbers
   - E-mail addresses
   - Social Security numbers
   - Medical record numbers
   - Health plan beneficiary numbers
   - Account numbers
   - Certificate/license numbers
   - Vehicle identifiers and serial numbers, including license plate numbers
   - Device identifiers and serial numbers
   - Web Universal Resource Locators (URLs)
   - Internet Protocol (IP) address numbers
   - Biometric identifiers, including finger and voice prints
   - Full face photographic images and any comparable images
   - Any other unique identifying number, characteristic, or code
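The identifier list on this slide is the Safe Harbor de-identification standard; the later point that de-identified PHI falls outside the Privacy Rule depends on applying it completely. The following is an added example, not code from the slides or from CMU, that applies the list to a structured record: direct identifiers are dropped, ZIP codes are cut to their first three digits, dates are reduced to the year, ages over 89 are collapsed into one category, and common identifier formats are scrubbed out of free text. The field names, the sample record and the free-text regular expressions are assumptions for illustration; a real system maps its own schema onto the categories. Two parts of the rule are deliberately not implemented here and must be handled separately: three-digit ZIP areas containing 20,000 or fewer people must become 000 (a census lookup), and the entity must have no actual knowledge that what remains could identify the patient (regular expressions will not catch a name typed into a note).

```python
"""Safe Harbor de-identification of a patient record.

Added example, not from the slides. Field names, the constructed sample
record and the free-text patterns are assumptions for illustration.
"""
import re
from datetime import date

# Identifier categories from the slide that are removed outright.
REMOVE = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "beneficiary_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifier formats that leak into notes (assumed U.S. formats, applied in order).
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\bhttps?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),  # m/d/yyyy -> yyyy
]


def generalize_zip(zip_code):
    """Keep the initial three digits of a 5- or 9-digit ZIP; anything shorter
    is treated as malformed and dropped. The 20,000-population rule that
    zeroes sparse prefixes needs census data and is not applied here."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return None
    return digits[:3]


def generalize_date(value):
    """Reduce a date (date object or ISO yyyy-mm-dd string) to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def generalize_age(age):
    """Ages over 89 collapse into a single '90+' category."""
    return "90+" if age > 89 else age


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, repl in TEXT_PATTERNS:
        text = pattern.sub(repl, text)
    return text


def deidentify(record):
    """Return a de-identified copy of a record: drop direct identifiers,
    generalize ZIP codes, dates and ages, and scrub free-text fields."""
    out = {}
    for key, value in record.items():
        if key in REMOVE:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = generalize_date(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MR-000123",
    "ssn": "123-45-6789",
    "birth_date": "1950-06-01",
    "admission_date": date(2003, 4, 14),
    "zip": "48859-1234",
    "age": 52,
    "diagnosis": "Otitis media",
    "notes": "Follow-up call to 989-774-1234; see http://intranet.example/chart/123",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The order of the text patterns matters: the SSN and phone patterns run before the IP pattern so that dotted phone numbers are not mistaken for addresses, and the date pattern runs last so that earlier placeholders cannot be re-matched.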
7. What Entities Are Covered?
   - Health plans
   - Health care clearinghouses
   - Health care providers who transmit any health information in electronic form in connection with a standard transaction

8. CMU as a Covered "Hybrid" Entity
   - Hybrid entity: a single legal entity that is a covered entity but whose covered functions are not its primary functions
     - CMU's primary purpose is to educate
     - We also perform health care related functions
     - This designation lets us apply HIPAA to the specific areas that perform those functions

9. CMU as a Covered "Hybrid" Entity
   - Departments affected
     - HR Compensation and Benefits: self-funded dental and prescription plan
       - A covered entity because it is a health plan
     - University Health Services
       - A covered entity because it is a provider that bills electronically for care and devices
     - Communication Disorders: Speech Pathology and Audiology
       - A covered entity because it is a provider that bills electronically for care and devices

10. HIPAA Inside the "Hybrid"
   - Internal support entities
     - General Counsel
     - Internal Audit
     - Accounts Receivable
     - Faculty Personnel
     - Human Resources - Employee Relations
   - These areas handle disciplinary matters, grievances, or health care related transactions
   - Requiring them to obtain prior authorization before reviewing a file would be impractical, so they are treated as part of the covered component

11. HIPAA Inside the "Hybrid"
   - Possible future covered entities:
     - Physician Assistant Program
     - Psychology Clinic
     - Physical Therapy Program
   - As of now they do not bill electronically and are therefore not covered entities

12. HIPAA Outside the "Hybrid" (therefore not covered)
   - Information Technology
   - Special Olympics
   - International Student Services
   - Office of International Education
   - Student Disability Services
   - The test for these areas: where does the information come from and/or go to?
     - If it is neither received from nor sent to a provider or plan, it is not considered PHI

13. HIPAA vs. FERPA
   - FERPA - The Family Educational Rights and Privacy Act
     - Protects the privacy of students' education records
   - An issue unique to educational institutions
     - Especially relevant to CMU's UHS and CDO
   - We serve employees, students, and members of students' families, all as patients

14. HIPAA vs. FERPA
   - Permitted disclosures are not consistent between the two laws
   - Student records and all other records must be handled differently
   - This is difficult, but doable
   - The relevant directors will have a flow chart of the proper procedures under each law
15. Four Components of HIPAA's Administrative Simplification
   - Transaction Standards and Code Sets
     - To create a uniform method of electronic communication
   - Security and Electronic Signature Standards
     - To guard the integrity, confidentiality, and availability of electronic PHI
   - National Provider Identifier
   - Privacy Rule
     - The focus of this presentation

16. Privacy Rule
   - Most covered entities must be in compliance by 4/14/03; small health plans have until 4/14/04
   - No other extensions are available, and there is no paperwork to submit to prove compliance

17. Privacy Rule
   - Establishes safeguards to protect the confidentiality of medical information
   - Gives patients more control over their health information
   - Limits uses and disclosures of information to the minimum necessary
   - Sets boundaries on the use and release of health records

18. Privacy Rule
   - Enables patients to find out how their information may be used and what disclosures of their information have been made to business associates or other parties
   - Gives patients the right to examine and obtain copies of their own health records, and to request corrections

19. Privacy Rule - Consent
   - The Privacy Rule was most recently amended on 8/14/02
   - Under the amended rule, consent to use and disclose PHI for treatment, payment, or health care operations (TPO) is optional, not required, for all covered entities

20. Privacy Rule - Consent
   - A covered entity must make a "good faith effort" to obtain the patient's written acknowledgment of receipt of its Notice of Privacy Practices (NPP) at the earliest possible encounter. If the patient refuses to sign, document the effort made and the reason the acknowledgment was not obtained.
   - The NPP can be a summary statement of the provider's comprehensive NPP, with a reference to the full NPP being available to the patient for examination
   - The NPP must be visibly posted at all times

21. Privacy Rule - Consent
   - Covered entities are not prohibited from obtaining consent and have complete discretion in designing their own consent process
   - More stringent state law requirements are not preempted; where state law is stricter, it must be followed as well

22. Notice of Privacy Practices
   - The NPP reflects your dedication to privacy and must be available for patient review
     - Copies of the NPP must be on display in each waiting room
     - Written copies of the NPP must be available on request
     - A copy of the NPP must be posted on the web site
   - The NPP informs patients that you will not release their PHI except as stated in your notice

23. Notice of Privacy Practices
   - The NPP states that you are required to abide by the terms of your current privacy notice
   - The NPP instructs patients how to file a privacy complaint
   - The NPP indicates how you will send information (mail, fax, electronic, etc.)
   - You must make a "good faith effort" to obtain the patient's written acknowledgment of receipt of the notice
24. Consent and Authorization
   - Consent
     - A general document giving health care providers permission to use and disclose all PHI for treatment, payment or health care operations (TPO)
     - Gives permission only to the provider, not to any other person or business associate
     - Optional, not required
   - Authorization
     - A customized document giving covered entities permission to use specified PHI for specified purposes, or to disclose specified PHI to a third party
     - More specific and detailed than consent, and usually time limited (it must state an expiration date or event)

25. Authorization
   - Authorization is required for uses and disclosures of PHI that are not otherwise permitted or required under the Privacy Rule
   - Examples
     - Sale of patient mailing lists
     - Disclosing information to employers for employment decisions
     - Disclosing information to life or disability insurers

26. Authorization
   - Covered entities must document and retain authorizations and give the individual a copy of the signed authorization form
   - Patients must grant authorization in advance for each type of use or disclosure that requires one

27. HIPAA Privacy Rule Facts
   - The rules apply to all oral, written, or electronic PHI held by covered entities
   - HIPAA prohibits the use of PHI for marketing without the patient's prior, specific authorization
   - PHI that has been de-identified is not subject to the Privacy Rule
   - Each covered entity must appoint a HIPAA team
   - The facility's Notice of Privacy Practices (NPP) should be posted publicly (on the web site and in waiting rooms), with copies available on request

28. HIPAA Team
   - Must assign a Privacy Officer
   - Should assign an Electronic Transaction Officer
   - Must assign a Security Officer

29. HIPAA Privacy Officer
   - Must have authority and independence
   - Is responsible for developing and implementing the HIPAA compliance plan
   - Is responsible for enforcement and sanctions
   - Designates contact persons responsible for receiving complaints and monitoring patient contacts
30. Campus Wide Planning
   - Knowledge
   - Initial training of the workforce
   - Policy revision and drafting: the list is endless
   - Firewall and software development, implementation and testing
   - Ongoing analysis and refinement

31. Preparing for HIPAA Compliance
   - Enter into new contracts with Business Associates (BAs)
   - Develop written policies and procedures
   - Establish documentation procedures
   - Conduct a site survey of your own facility
   - Site survey questions for your own facility
   Each of these is covered on the following slides.

32. Preparing for HIPAA Compliance: Business Associates
   - A BA is a person or organization that performs, on behalf of a covered entity, a function or activity involving the use or disclosure of IIHI
   - Covered entities may share PHI with a BA provided that a written agreement safeguarding the information from misuse is signed by both the covered entity and the BA
   - No BA agreement is needed to disclose PHI to another health care provider for treatment of the patient; a covered entity that performs BA functions for another covered entity still needs one

33. Preparing for HIPAA Compliance: Business Associates
   - Types of business associates
     - Claims processing or administration
     - Data analysis
     - Processing or administration
     - Utilization review
     - Billing
     - Benefit management
     - Computer work
     - Legal work
     - Actuarial work
     - Accounting work
     - Transcriptionists
     - Accreditation work
     - Consulting work
     - Marketing

34. Preparing for HIPAA Compliance: Written Policies and Procedures
   - Decide who is responsible for determining the "minimum necessary" data for each routine use or disclosure
   - Develop a records management plan
   - Determine who will keep records
   - Determine how records will be kept
   - Teach proper documentation

35. Preparing for HIPAA Compliance: Documentation Procedures
   - Create record logs
     - Log information released under a patient's authorization
     - Log information released in response to legal requests for PHI
     - Log patient requests for amendments to their records and for restrictions on uses or disclosures
   - Records of PHI disclosures, and other required documentation, must be retained for a minimum of 6 years
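The record logs described on this slide are what a patient's accounting of disclosures is built from, and the six-year retention period is also the window that accounting must cover. The following added example, not code from the slides or from CMU, models such a log: each entry must carry the recipient, a description of the PHI released and the purpose, the log answers "what was disclosed about this patient in the last six years," and it can list entries that have aged out of the retention window. The entry fields, method names and the sample disclosures are constructed assumptions; the two logged categories follow the slide (releases under patient authorization and releases for legal requests). Anything older than six years should still be checked against state-law retention rules and litigation holds before disposal.

```python
"""Disclosure log with a six-year accounting window.

Added example, not material from the slides. Entry fields, method names
and the constructed sample disclosures are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # who received the PHI
    description: str    # what PHI was released
    purpose: str        # why it was released
    basis: str          # "authorization" or "legal request"


def years_before(d, years):
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    def __init__(self):
        self._entries = []

    def record(self, entry):
        """Refuse incomplete entries: an accounting needs recipient,
        description and purpose for every disclosure."""
        if not (entry.recipient and entry.description and entry.purpose):
            raise ValueError("recipient, description and purpose are required")
        if entry.basis not in ("authorization", "legal request"):
            raise ValueError("basis must be 'authorization' or 'legal request'")
        self._entries.append(entry)

    def accounting_for(self, patient_id, as_of):
        """Disclosures of this patient's PHI in the six years ending as_of,
        oldest first; the cutoff date itself is included."""
        cutoff = years_before(as_of, RETENTION_YEARS)
        hits = [e for e in self._entries
                if e.patient_id == patient_id and cutoff <= e.disclosed_on <= as_of]
        return sorted(hits, key=lambda e: e.disclosed_on)

    def past_retention(self, as_of):
        """Entries older than the retention window: candidates for disposal
        once any longer state-law or litigation hold has been checked."""
        cutoff = years_before(as_of, RETENTION_YEARS)
        return [e for e in self._entries if e.disclosed_on < cutoff]


def build_sample_log():
    """Constructed sample data, not real disclosures."""
    log = DisclosureLog()
    log.record(Disclosure("P-1001", date(2003, 4, 13), "Acme Life Insurance",
                          "audiology report", "disability insurance application",
                          "authorization"))
    log.record(Disclosure("P-1001", date(2003, 4, 14), "Isabella County Court",
                          "treatment dates", "subpoena", "legal request"))
    log.record(Disclosure("P-1001", date(2008, 1, 10), "Dr. Rivera (outside provider)",
                          "hearing test results", "patient-requested transfer",
                          "authorization"))
    log.record(Disclosure("P-2002", date(2007, 9, 3), "Employer HR",
                          "fitness-for-duty letter", "employment decision",
                          "authorization"))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.accounting_for("P-1001", date(2009, 4, 14)):
        print(e.disclosed_on, e.recipient, e.description, e.basis)
```

The window is inclusive at the cutoff date, so a request made on 4/14/09 still covers a disclosure made on 4/14/03; the leap-day fallback in years_before keeps the arithmetic from raising on a 2/29 request date.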
36. Preparing for HIPAA Compliance: Site Survey
   - Conduct a site survey of your own facility
   - Walk through the facility from the patient's point of view. Look for visible or audible PHI: information on tables and desks, in waste cans, on computer monitors, on fax machines, or overheard on telephones.

37. Preparing for HIPAA Compliance: Site Survey Questions
   - Are patient records secure?
   - Does each user have an individual, unique password for computer systems (no shared accounts)?
   - Are collection calls and other calls involving PHI made in a private location?

38. Why should we care about the HIPAA rules?
   - CMU is a hybrid entity: some parts of the university must comply fully as a covered entity (e.g. the Speech and Hearing Clinics), other parts are not affected at all by HIPAA (e.g. the English Department), and others are indirectly affected (e.g. Accounts Receivable)
   - Because we are a single hybrid entity, if any one part of the university is found out of compliance, all other covered parts can be investigated
   - HIPAA is designed to empower the patient/consumer
   - HIPAA ideally will minimize cost over the long term

39. Why should we care about the HIPAA rules?
   - Civil penalties
     - Failure to comply: fines and possible exclusion from Medicare
   - Criminal penalties (42 U.S.C. 1320d-6)
     - Wrongful disclosure: up to $50,000, imprisonment of up to one year, or both
     - Offense under false pretenses: up to $100,000, imprisonment of up to five years, or both
     - Offense with intent to sell information, or for commercial advantage, personal gain or malicious harm: up to $250,000, imprisonment of up to ten years, or both

40. HIPAA Web Links
   - www.hipaadvisory.com
   - www.hipaacow.com
   - www.cms.hhs.gov/hipaa
   - www.hhs.gov/ocr/hipaa
   - www.hcfa.gov/medlearn