  • As a member of the Covered Entity and when acting on behalf of the Covered Entity, your access to PHI is on a “need to know” basis as it is for all MTF Staff.
    However, when you are acting as a “Commander”, your access to PHI reverts to the access we provide Line Commanders in that your access is based on your need under
    the “Military Command Authority” provision of HIPAA. You may not access PHI simply because you are a member of the MTF.
    Always be cognizant of the hat you are wearing when accessing or requesting PHI.
  • 1) The Public Law was passed in 1996
    2) The Department of Health and Human Services subsequently published the “rules” for HIPAA in the Federal Register under 45 CFR parts 160, 162, and 164
    3) It soon became apparent that many business practices within the healthcare industry would need to be created and/or modified in order to achieve the goals of HIPAA. Transactions and code sets are how the medical information written into a patient’s chart is converted into a standardized language (i.e. codes) for billing and other transactions. To facilitate this process a standard method of transmitting the data between entities was developed. The Security Rule protects this data, as well as other electronic health information to ensure its confidentiality, integrity, and availability.
    4) When people hear the word HIPAA they usually think about privacy. This is because the HIPAA Privacy Rule is the most visible rule to the average beneficiary.
  • Complying with the HIPAA law is a balance between protecting the confidentiality of our patient/beneficiary Protected Health Information (PHI) while, at the same time, providing "line" commanders with the information they need to know the fitness for duty of their members and the ability of their units to perform the military mission in this time of war.
    The implementing DoD regulation is DoD 6025.18-R, "DoD Health Information Privacy Regulation", January 2003.
  • What MTF policies and procedures should be established:
    - Establish an approved roster of Commanders and their designees who may receive PHI on the commander's behalf.
    - Screen each release so that only the "minimum necessary" is disclosed. For example, a clinical summary is appropriate rather than releasing all or parts of the medical record.
    - The MTF has to account for these disclosures.
    - MCA DOES NOT apply to dependents and retirees.
  • 1) The Medical Group must document each instance in which it discusses or provides health information outside the Covered Entity. The individual to whom the information pertains has a right to know who received the information and the purpose of the communication. The Medical Group HIPAA Privacy Officer maintains a centralized log of all disclosures, which includes:
    - The date of the disclosure
    - The name of the entity or person who received the protected health information and, if known, the address
    - A brief description of the protected health information disclosed
    - A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure
    2) The Medical Group does not have to account for disclosures...
    - ...for treatment, payment, or health care operations
    - ...for notification of, or to persons involved in, an individual's health care or payment for health care
    - ...for disaster relief
    - ...for facility directories
    - ...for a limited data set
    - ...for national security or intelligence purposes
    - ...to the individual
    - ...to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody
    - ...when authorized by the individual
  • 1) The Privacy Rule applies to all forms of health information; electronic, written, and oral communications.
    2) Determining who is and is not a covered entity subject to HIPAA is not as simple as it may sound. There are individuals in the healthcare industry that are NOT subject to HIPAA because they do not meet the definition of a covered entity. Likewise, there are other individuals and organizations with access to health information that do NOT have to comply with HIPAA. Some of these may include:
    - Life insurance companies
    - Workers compensation carriers
    - Schools (education records are covered by other rules)
    - Certain state agencies
    3) As described above, HIPAA does not apply to individuals and organizations that do not meet the definition of a covered entity. For example, Line of the Air Force (i.e. non-medical) personnel do not meet the definition of a covered entity, and therefore are NOT subject to the HIPAA Privacy Rule
    4) For purposes of this presentation it is important to understand everyone affiliated with the Air Force Medical Service, from the personnel at your local medical group to the staff at the Surgeon General’s office fall under the umbrella of HIPAA
    5) The Medical Group develops local policies and procedures to implement the requirements of HIPAA
    - The Challenge: Develop business practices that strike a balance between your “need-to-know” and the protection of the individual’s privacy rights
    6) The MTF workforce, which includes all military personnel, civil service personnel, contractors, and even volunteers at your local Medical Group, must receive HIPAA training
    7) Criminal penalties can apply to an individual, but civil penalties only apply to the covered entity. Civil and criminal penalties have been imposed within civilian healthcare entities, but such penalties have not been imposed within the AFMS and it is unclear how these penalties would apply to the AFMS
    1) The principle of "Minimum Necessary" also applies within the covered entity. Even medical personnel may only access the information needed to perform their job, and only in the amount necessary to accomplish the task at hand (disclosures to and requests by providers for treatment purposes are not bound by minimum necessary). To ensure compliance with these requirements the Medical Group is required to have policies and procedures in place that identify the individuals or groups of individuals with access to health information and the types of information they may access; this is known as "role-based access." Members of the Medical Group may not access health information without a legitimate need, nor may they access information in an amount beyond the minimum necessary to accomplish the permitted use or disclosure.
    2) When requesting information from the Medical Group, keep in mind that they can only provide the Minimum Necessary amount of information required to properly address your need.
    Example: A member of your organization has been placed on restricted activities due to a complication of pregnancy, and must remain on desk duty until delivering the baby. You require this information in order to make a fitness for duty determination and to evaluate how the individual's ability to perform her duties may be affected. You do NOT need to know what the specific complication is in order to make the determination, and if the medics divulged this information without justification, it would exceed the Minimum Necessary amount of information.
    NOTE: When the MTF provides PHI to an Active Duty member's commander, it is the MTF that risks a HIPAA violation should the member complain to HHS, and it is the MTF that could be held accountable for the violation, not the commander or any organization outside the MTF.
    Disclosure; DoD 6025.18-R, DL1.1.8
    Health Information; DoD 6025.18-R, DL1.1.15
    - You can see by this definition that virtually everything in the medical community is "health information"
    Individually Identifiable Health Information; DoD 6025.18-R, DL1.1.20
    - Even removing names from information is not always enough to prevent it from being "identified"
    Protected Health Information; DoD 6025.18-R, DL1.1.28
    - Once health information is linked to an individual, the requirement for the covered entity to safeguard it under HIPAA takes effect
    Minimum Necessary; DoD 6025.18-R, C8.2
    - As the name implies, the medics cannot provide information beyond the least amount necessary to achieve the purpose of the disclosure
  • An individual (with the exception of inmates) has a right to receive a Notice of Privacy Practices (NOPP), commonly referred to as the "Right to Notice", describing the uses and disclosures of protected health information (PHI) that may be made by the MDG, the individual's rights under the Health Insurance Portability and Accountability Act (HIPAA), and our legal duties and privacy practices related to the use and disclosure of PHI. The MHS NOPP is issued through the TRICARE Management Activity (TMA).
    The "Acknowledgement of Military Health System Notice of Privacy Practices" health record label is adhered to the lower center of the back of the Outpatient Health Record jacket and the Dental record.
    Monthly inspections of medical/dental records for NOPP compliance are conducted and reported to the appropriate committee. The inspection samples records to determine 1) whether the NOPP label is present on the record and 2) whether the label bears the patient's signature.
    If the individual declines to acknowledge receipt of this notice, check the box "Patient/Representative Declined to Sign". MDG staff must initial the label.
  • 1) DoD 5400.11-R, DoD Privacy Program. DL1.14. Personal Information. Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual).
  • To facilitate your leadership of the HIPAA Program, ensure you are familiar with the HIPAA Privacy and Security Officers.
  • To facilitate your leadership of the HIPAA Program, ensure you are familiar with the main HIPAA Privacy and Security Officer roles and responsibilities.
  • Examples:
    - Misdirected fax documents containing PHI or PII
    - Failing to properly secure documents when mailing or transporting PHI
    - Lost or stolen laptop with PII
    - Loss of a CD with PHI
    - Providing patients with another patient's medical/dental information
    - Sending emails containing PHI/PII unencrypted
    For an individual, the harmful effects from lost, compromised, or stolen PHI can include:
    - Identity theft
    - Medical identity theft
    - Substantial loss of time and money to repair damage to credit rating and medical and financial records
  • The requirement to make the US-CERT notification is found in DoD 5400.11-R and AFI 33-332. This is a line requirement under the DoD and AF Privacy Program. However, TMA will accept this same report to satisfy reporting requirements under HIPAA/HITECH.
  • HIPAA

    1. Air Force Medical Operations Agency, Excellent Healthcare, Clinical Currency: HIPAA Privacy and Security
    2. What HSA Students Need to Know About HIPAA
       - To provide an introductory overview of HIPAA and how it affects you as a TOPA or future Systems Flight Commander
       - INTERNAL: This presentation focuses on how the HIPAA Privacy and Security Rules impact the Privacy Officer in TOPA, the Security Officer in Systems Flight, and you as a medical member of the Covered Entity
       - EXTERNAL: How HIPAA affects your interaction with Wing "Line" commanders
       - It is not intended to provide you with a comprehensive understanding of the entire Privacy and Security Rule, nor is it intended to address all the various requirements your Medical Group must observe in order to be in compliance with the rule
    3. General Overview of HIPAA
       - Public Law 104-191, also known as the Health Insurance Portability and Accountability Act (HIPAA)
       - Primary AF guidance for HIPAA Privacy: AFI 41-210 and DoD 6025.18-R
       - Primary AF guidance for HIPAA Security: AFI 41-217
       - The overarching purposes of HIPAA are to:
         - Improve the portability and continuity of health insurance coverage
         - Combat waste, fraud, and abuse in health insurance and health care delivery
         - Simplify the administration of health insurance
         - Standardize all electronic transaction code sets (EDI)
       - HIPAA is much more than just privacy and security: several functions within the healthcare industry needed to be overhauled or standardized in order to meet the mandates of HIPAA
         - Transaction and Code Set Standards (ICD-9, CPT)
         - National Identifier Standards (National Provider Identifier, NPI)
         - Security Standards
    4. Medical Group: Improve and Sustain the HIPAA Program
       - Complete the MDG medical mission and comply with HIPAA requirements
       - Make HIPAA IMPROVE the combat operations capability of AFB "Line" units
       - Secure PHI
       - Get needed Protected Health Information (PHI) to the Wing
    5. Military Command Authority (MCA)
       - The Military Command Authority (MCA) exemption permits disclosure of PHI to a member's commander in order to determine fitness for duty to conduct the mission
       - But this exemption applies only to the PHI of Active Duty ARMED FORCES MEMBERS
    6. A Unit Commander wants to know their airman's condition
       - The member's authorization is NOT required; AND
       - Only the "Minimum Necessary" information will be disclosed (similar to "OPSEC" rules)
       - ALL DISCLOSURES MUST BE DOCUMENTED BY THE MTF
    7. Military Command Authority (MCA)
       - To determine the member's fitness for duty
       - To determine the member's fitness to perform any particular mission, assignment, order, or duty, including compliance with any actions required as a precondition to performance of such mission, assignment, order, or duty
       - To carry out activities under the authority of DoD Directive 6490.2, "Joint Medical Surveillance," August 30, 1997
       - To carry out any other activity necessary to the proper execution of the mission of the Armed Forces
       - Appropriate military command authorities are all commanders who exercise authority over an individual who is a member of the Armed Forces
       - The use may be by the Commander or his/her designee
    8. MCA Impact
       - "Line" commanders perceive HIPAA as a barrier to obtaining medical information on the airmen under their command
       - The MDG must maintain and update an MCA roster of commanders and their designees. This roster must include Medical Commanders and their designees
       - "Line" commanders must educate their staff that only the commander and his/her designee may obtain Protected Health Information (PHI) from the MDG
       - Many of the Health and Human Services (HHS) complaints involving the AF have resulted from the MDG disclosing PHI to a "Line" member who is not on the MDG MCA roster
    9. Military Command Authority (MCA): Common examples of health information flows from the MDG
       - Readiness Reports (PIMR)
       - Quarters notices to the Line
       - Physical Profiles and Duty Limiting Condition Reports
       - Appointment scheduling and reminders
       - Direct communications from healthcare providers
       - Family Advocacy and support programs
       - Required communications from Mental Health providers
       - MEB/PEB processing
       - PRP determinations
       - CITA reports
       - PHAs
       - Requests to access an individual's health records for a specific purpose
       - Requests to meet with a provider to receive clarification of duty limitations, etc.
       - Commander Directed Mental Health Evaluation
    10. Military Command Authority (MCA): Air Force actions resulting from the Ft Hood incident
       - Briefing that should be given to all "Line" commanders
       - Memorandum for ALMAJCOM/CV, from HQ USAF/SG, Subject: Sharing Protected Health Information with Appropriate Command Authorities, 14 May 2010
       - Memorandum for All MTF/CC, from AFMOA/CC, Subject: Disclosure of Protected Health Information to Appropriate Command Authorities, 24 May 2010
       - PowerPoint: Awareness Campaign Presentation (suggest the presentation be viewed in "notes" mode)
    11. The Privacy Rule: Disclosing Information
       - What is a disclosure? The release, transfer, provision of access to, or divulging of information in any manner outside the covered entity holding the information
       - Any time the Medical Group provides health information on an individual under your command, they are making a disclosure and must document it
       - There are three types of disclosures:
         - Patient's authorization is not required
         - Patient's authorization is required
         - Patient must be given the opportunity to either agree with or object to the disclosure; such notice is provided by the Notice of Privacy Practices
       - Disclosure categories shown on the slide: As Required by Law; Judicial and Administrative Proceedings; Medical Facility Patient Directory; Research Involving Minimal Risk; Inmates in Correctional Institutions or in Custody; Law Enforcement Purposes; Cadaveric Organ, Eye or Tissue Donation Purposes; Workers Compensation; Public Health Activities; Specialized Government Functions (MCA); About Decedents; Avert a Serious Threat to Health or Safety; Health Oversight Activities; About Victims of Abuse, Neglect, or Domestic Violence
    12. Six Year Retention Requirement
       - Documentation associated with the HIPAA Privacy/Security Program must be maintained for six years from the date of implementation or last use
       - Privacy implementation date: 14 Apr 03; Security implementation date: 21 Apr 05
       - Common documents to be retained:
         - Commander designee letters
         - Medical Group Instructions or Operating Instructions
         - Local training plans/sign-in sheets
         - Security Risk Assessment (OCTAVE)
         - Privacy Gap Analysis (HIPAA Basics)/MEDFACTS Compliance Assessments
         - Privacy Officer/Security Officer appointment letters
         - Disclosure accountings; complaints; requests for restriction, amendments, or confidential communications
       - Items should be maintained in a file system, not a continuity binder
    13. The Privacy Rule in a Nutshell
       - What it does:
         - Sets boundaries on the use and release of health records
         - Establishes safeguards that must be met to protect the privacy of health information
         - Holds violators accountable with civil and criminal penalties that can be imposed if the patient's privacy rights are violated
       - What the Medical Group must do to comply:
         - Develop local policies and procedures to ensure compliance with privacy requirements
         - Enforce workforce compliance with policies and procedures, to include sanctions when required
         - Ensure the workforce is trained on HIPAA requirements
         - Make the MHS Notice of Privacy Practices available to beneficiaries
    14. The Privacy Rule: Key Terms
       - Disclosure: Allowing healthcare information to be accessed, released, or otherwise conveyed in any manner outside the entity holding the information
       - Protected Health Information (PHI): Individually identifiable health information in any form that
         - is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
         - relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual
       - Minimum Necessary: The minimum amount of protected health information necessary to accomplish a permitted use or disclosure
         - The HIPAA Privacy Rule requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information
         - Even within the Medical Group, staff members may only share or gain access to PHI on a "role-based" basis
    15. Notice and Authorizations
       - We are required to give our patients a Notice of Privacy Practices when we make our first contact with them
       - This notice tells them how we will use or disclose their health information according to the HIPAA law
       - Finally, it tells our patients about their rights to access their own health information and receive confidential communications
       - We ask that our patients sign an acknowledgement of this Notice of Privacy Practices to confirm that they have received it and understand it. This sticker is placed on the back of medical and dental records
    16. HIPAA Patient Privacy Rights (NoPP)
       - To inspect and copy
       - To request restrictions
       - To request confidential communications
       - To request amendment
       - To an accounting of disclosures
       - To obtain a copy of this notice
       - To file a complaint
    17. HIPAA and How It Affects You
       - Transmission of PHI from the Medical Group to you
         - The Medical Group must observe Privacy Act and AF Communications guidelines to ensure e-mail containing PHI is properly safeguarded during transmission
         - Includes use of PKI encryption and digital signature as outlined in AFI 33-119
         - Must be marked For Official Use Only (FOUO) as outlined in AFI 33-332
         - Information is not transmitted to distribution lists unless each recipient is a Commander's Designee and has a need to receive the information being transmitted
         - The Medical Group will not transmit an e-mail message containing PHI if it cannot be properly encrypted
       - Verification of identity
         - Medical Group personnel must verify the identity of commanders and designees prior to disclosing health information
         - The Privacy Officer should have a good process in place for members of the MDG to know who the commanders and the commander designees are in each unit
       - Where HIPAA ends and the Privacy Act begins
         - PHI is a subset of Personally Identifiable Information (PII) as defined in DoD 5400.11-R
         - Within the Medical Group, PHI is governed by both the Privacy Act (PA) and HIPAA
         - Once properly released by the Medical Group, the information ceases to be protected by HIPAA, but remains subject to the Privacy Act
    18. HIPAA and How It Affects You as a Privacy Officer: HIPAA Privacy Officer roles and responsibilities
       - Be the MTF's initial point of contact for all HIPAA Privacy issues and concerns
       - Monitor compliance with HIPAA training requirements
       - Ensure adherence to Federal law, MHS, and AF SG policies and procedures at the MTF level
       - Investigate patient privacy complaints
       - Develop MTF-specific policies and procedures
       - Implement methods to track disclosures of PHI
       - Chair HIPAA compliance teams
       - Complete the HIPAA Privacy risk assessment
    19. HIPAA and How It Affects You as a Security Officer: HIPAA Security Officer roles and responsibilities
       - Oversee compliance with the HIPAA Security Rule
       - Establish policies and procedures to manage electronic PHI/PII
       - Monitor compliance with HIPAA training requirements
       - Chair the Medical Information Security Readiness Team (MISRT)
       - Develop HIPAA Security MTF-specific policies and procedures
       - Ensure sanction policies are consistently applied for failure to comply with ePHI security and for breaches
       - Complete the OCTAVE HIPAA security risk assessment
    20. Important Contacts: Effective management requires establishing good working relationships with:
       - Wing SJA/Medical Legal Advisor
       - Regional Medical Legal Consultant
       - AFMOA Regional Health Information Compliance Rep
       - Base Comm Sq IT staff
       - Local hospital Privacy Officers where frequent admissions occur
       - MDG Patient Advocate
       - Base Privacy Act Officer
       - Base Freedom of Information Act (FOIA) Officer
    21. Trends
       - HITECH breaches: AFMS has experienced 3 total that affected the PHI of 500-plus individuals
       - Improper disposal: PHI accidentally recycled, or employee removal of medical forms/PHI
       - Inappropriate AHLTA and CHCS access ("AHLTA snooping")
       - Errant emails containing PHI/PII: sent unencrypted, sent to the wrong email or unintended recipients, or sent to an MDG "All" mail group
       - Violation of the "Minimum Necessary" principle when the MDG discloses too much health information
       - MTF mails the wrong medical records to a requestor
       - Lost electronic equipment: laptop/media storage/CD/thumb drive
       - US Postal or FedEx: medical records packages opened during shipment to other MTFs or AFPC
       - Test results given to the wrong patients
       - Pharmacy dispenses to the wrong patient
       - Verbal breaches of PHI to neighbors about neighbors
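The "AHLTA snooping" trend on the slide above (and the Patient Administration hypothetical later in the deck) is a detection problem: a workforce member opening a coworker's record without a clinical reason. The following is an added example, not code from the briefing and not the audit format of AHLTA or CHCS, showing the core of such a rule run over constructed audit lines. It flags any record access (view, print or export) to a patient who is an MTF workforce member when the accessing user has had no encounter with that patient inside a lookback window. The log line format, the workforce patient list, the encounter list and the 30-day window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed audit lines in an assumed format; real AHLTA/CHCS audit output differs.
AUDIT_LINES = [
    "2013-11-12T09:14:03 user=amn.lee patient=P2001 action=VIEW",    # no encounter: alert
    "2013-11-12T09:20:11 user=capt.rao patient=P2001 action=VIEW",   # treating provider: ok
    "2013-11-12T10:02:45 user=amn.lee patient=P3005 action=VIEW",    # not a staff record: out of scope
    "2013-11-13T08:00:00 user=ssgt.kim patient=P2001 action=VIEW",   # no encounter: alert
    "2013-11-13T08:05:00 user=amn.lee patient=P2001 action=PRINT",   # no encounter: alert
    "2013-11-13T08:06:00 user=amn.lee patient=P2001 action=LOGOUT",  # not a record access
]
# Patient IDs that belong to MTF workforce members (constructed).
WORKFORCE_PATIENTS = {"P2001", "P2002"}
# Legitimate care contacts as (user, patient, time); capt.rao saw P2001 two days earlier.
ENCOUNTERS = [("capt.rao", "P2001", datetime(2013, 11, 10, 14, 0))]

RECORD_ACTIONS = {"VIEW", "PRINT", "EXPORT"}
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)")


def parse_audit(lines):
    """Parse the assumed audit format; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def had_encounter(user, patient, at, encounters, lookback_days):
    """True if this user had a care contact with the patient in the lookback window."""
    start = at - timedelta(days=lookback_days)
    return any(u == user and p == patient and start <= t <= at for u, p, t in encounters)


def find_snooping(lines, workforce_patients, encounters, lookback_days=30):
    """Return one alert per record access to a staff member's record that has no
    supporting encounter. Accesses to non-staff records are left to other rules."""
    alerts = []
    for ev in parse_audit(lines):
        if ev["action"] not in RECORD_ACTIONS or ev["patient"] not in workforce_patients:
            continue
        if had_encounter(ev["user"], ev["patient"], ev["ts"], encounters, lookback_days):
            continue
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                       "patient": ev["patient"], "action": ev["action"],
                       "reason": f"no encounter with patient in prior {lookback_days} days"})
    return alerts


if __name__ == "__main__":
    for alert in find_snooping(AUDIT_LINES, WORKFORCE_PATIENTS, ENCOUNTERS):
        print(alert)
```

The rule is deliberately narrow: it scopes to workforce records, where the briefing says the abuse occurs, and uses an encounter list as the ground truth for a legitimate need. In practice the Privacy and Security Officers would review the alerts together, since an access with no encounter may still be role-appropriate (coding, records, referral management), and the role-based access policy, not the detector, decides that.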
    22. HIPAA and Privacy Act Incidents
       - An incident, defined per HIPAA, is the KNOWN or PERCEIVED unauthorized access, use, disclosure, modification, or destruction of Protected Health Information (PHI)
       - An incident, defined per the Privacy Act, is the KNOWN or PERCEIVED unauthorized access, use, disclosure, modification, or destruction of Personally Identifiable Information (PII)
    23. HIPAA Incidents
       - AFMS personnel must report potential and actual compromises of PII to the United States Computer Emergency Readiness Team (US-CERT) within one hour of the breach occurring or becoming known
       - A Defense Privacy and Civil Liberties Office (DPCLO) Breach Report is then accomplished
       - AFMS organizations experiencing a breach of PHI must provide a copy of the DPCLO Breach Report to AFMOA/SGAT as soon as possible, but not later than 24 hours after the breach occurred or became known
       - AFMOA/SGAT will forward the report to AFMSA/SG3SA, where it is reviewed for content and clarity before being forwarded to the TMA Privacy Office. AFMSA/SG3SA maintains copies of all correspondence and reports associated with breach reporting for tracking and trending incidents within the AFMS and for documenting HHS reporting requirements
    24. US-CERT Notification Procedures (11/14/13)
    25. Affected Individual Notification Procedures
       - A "risk of harm" assessment is accomplished after the incident. If the assessment results in a "high risk of harm", the affected individuals will be notified as soon as possible, but not later than 10 working days after the loss, theft, or compromise is discovered and the identities of the individuals ascertained. The notification should be in writing and should be concise, conspicuous, and in plain language
       - NOTE: The 10-day period is a line requirement under DoD 5400.11-R and AFI 33-332 and begins after the Component is able to determine the identities of the individuals whose records were lost. If the Component is only able to identify some but not all of the affected individuals, notification shall be given to those who can be identified, with follow-up notifications made to those subsequently identified
    26. Most Common Privacy Issues: Health and Human Services reports the following as the most common types of issues investigated (in order of frequency):
       - Impermissible uses and disclosures of PHI
       - Lack of safeguards for PHI
       - Lack of patient access to PHI (CLIA)
       - Uses or disclosures of more than "Minimum Necessary" PHI
       - Lack of, or invalid, authorizations for uses and disclosures
    27. How to Avoid Breaches
       - Do not leave PII unattended
       - Lock records in cabinets/offices
       - Do not remove PII from the office workspace
       - Limit the extraction of PII from protected information systems (i.e. export to Microsoft Access, Excel, printed format, etc.)
       - Be deliberate before posting in shared environments (shared drives)
       - Give access only as needed to perform duties
       - Limit disclosure/access to the absolute minimum needed
       - Have checks and balances in place to prevent misuse
       - Properly destroy records when the retention period is met. You can't lose what you don't have!
    28. HIPAA Compliance: MEDFACTS
       - We have added HIPAA elements into MEDFACTS
       - These are regulatory elements to ensure your program is in compliance with the HIPAA rule
       - If your Privacy and Security Officers do not have a MEDFACTS account, suggest they get with the MDG QA folks to obtain one
    29. Summary
       - HIPAA hasn't changed your ability to access the health information you need to effectively execute the military mission
       - The Specialized Government Functions provision allows the Medical Group to disclose information to appropriate military command authorities or their designated representatives
       - The Medical Group must observe the "Minimum Necessary" principle when it discloses health information to you
       - HIPAA protects health information, but the Privacy Act remains in force
       - Your leadership role is overseeing the HIPAA Privacy and Security functions to keep the MTF compliant
       - Always feel free to consult your AFMOA HIPAA Reps on any case you are dealing with
    30. "HIPAA-theticals" for discussion
       - While in the Public Health area, a MSgt who works in PH says to a friend who is not a member of the MDG, "I know your girlfriend has an STD." The PH officer hears about it and calls you to ask what should be done. What should you do, and how should you follow up on this potential breach of PHI? What guidance and direction would you give your HIPAA Privacy Officer (HPO), who is a lower rank than the MSgt?
       - The Specialized Government Functions provision in the HIPAA rules, outlined in DoD 6025.18-R, allows the Medical Group to disclose information to appropriate military command authorities or their designated representative(s). Your HPO comes and tells you that an Army Colonel on the base for an exercise is a Senior Aide to the 4-star Admiral commanding the Joint Exercise. He says he needs a daily list of the exercise members who come to the MDG so he can brief the Admiral on the health status of the unit. You do not have an MCA list from the Admiral. When the HPO first told the Colonel he could not get the list, the Colonel became visibly angry and demanded to speak with the CO of the MTF. What actions would you take to keep the HPO from being intimidated by the Colonel, and how would you provide top cover in this situation?
    31. "HIPAA-theticals" for discussion
       - An airman in the Patient Administration section reports to you that one of the other technicians has been accessing AHLTA/CHCS and reviewing the medical status of other MTF staff. Do you consider this a privacy breach? Should you involve your HIPAA Security Officer along with your HIPAA Privacy Officer? What rule did this Airman break, if any? What resources do you have available to investigate this issue?
       - A member of your MTF contacts an AD patient's unit and speaks to the member's direct supervisor. The MTF staff member discusses the patient's medical condition with the supervisor. Do you consider this a privacy violation? What rule did the MTF staff member break, if any? Whom should the MTF staff member have contacted, if not the direct supervisor?
    32. AFMOA Health Info Compliance POCs
       - Chief, Health Benefits Support Branch: 210-395-9944
       - Support Branch: 210-395-9926 (DSN: 969)
       - North: 210-395-9953
       - South: 210-395-9814
       - West: 210-395-9921
       - OCONUS: 210-395-9948
       - Org email box: afmoahipaatraining@us.af.mil
    33. Resources
       - DoD 6025.18-R, AFI 41-210, AFI 41-217
       - Military Health System: http://www.tricare.mil/tmaprivacy/Hipaa.cfm
       - Department of Health and Human Services: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
       - AF HIPAA Guide: https://kx.afms.mil/kxweb/dotmil/kj.do?functionalArea=HIPAA
       - HIPAA Briefing for Commanders: https://kx.afms.mil/kxweb/dotmil/kjFolderList.do?folder=Toolkits&functionalArea=AFMOAHealthBenefits
    34. Questions?