DSA HIPAA BRIEFING - Disability Services Agencies (DSA)


Transcript: DSA HIPAA BRIEFING - Disability Services Agencies (DSA)

Disability Services Agencies
Briefing On HIPAA
7/17/2015 5:16:18 AM
Who is this for?
• This training is for the entire DSA workforce, to provide an
overall awareness of “What is HIPAA?”
• Additional training will be provided to more specifically
address how HIPAA impacts the functions that are
performed by the following areas:
– Providers
– Case Managers/ Counselors
– Administrative/Support Staff
– Medical Records
– Admissions
History
• Each time a person sees a doctor, is admitted to a hospital,
goes to a pharmacist or sends a claim to a health plan, a
record is made of their confidential health information.
Congress recognized the need for national patient record
privacy standards, when they approved the Health
Insurance Portability and Accountability Act of 1996
(HIPAA).
• The final rule took effect on April 14, 2001. As required by
the HIPAA law, most covered entities had two full years –
until April 14, 2003 – to comply with the final rule's
provisions. The law gives the Department of Health and
Human Services (HHS) the authority to make appropriate
changes to the rule prior to the compliance date.
Brief Introduction to HIPAA
Health Insurance Portability & Accountability Act of
1996 (HIPAA)
– Public law 104-191
1. Portability: Transfer of healthcare coverage when
employees change jobs
• COBRA – A program that ensures
continuous health plan coverage
2. Accountability: Fraud/Abuse &
Administrative Simplification
– PRIVACY, SECURITY, TRANSACTIONS AND
CODE SETS
HIPAA has four parts
1. Transactions = Billing Rules
2. Unique Health Identifiers and
Standard Medical Code Sets
3. Security Standards
4. Privacy
TODAY WE WILL COVER PRIVACY
• The Privacy Rule has been in effect since 4/14/03.
• HIPAA training will occur annually.
• Additional training will also be provided for
Security and Transactions.
Who does HIPAA Apply to?
• Covered Entities – Health Care Providers, Health Plans,
or Clearinghouses.
– In the DSA only WWRC is a Covered Entity.
• Business Associates – all others that may receive,
transmit or store Protected Health Information from a
covered entity.
– All other agencies in the DSA may be
Business Associates.
Who does HIPAA Apply to? (cont)
• Covered Entities must enter into a contract with
Business Associates, requiring that Protected
Health Information be kept confidential by the
Business Associate receiving information from
or on behalf of the covered entity.
• Business Associates are not permitted to use or
disclose protected health information in ways
that the covered entity cannot.
What does HIPAA apply to?
Information relating to an individual’s
health, health care treatment, or payment
for health care is called Protected Health
Information (PHI) under HIPAA.
• Protected Health Information (PHI)
– Relates to a person’s physical or mental health, the provision
of health care, or the payment of health care;
– It identifies, or could be used to identify, the person who is
the subject of the information (e.g., by name);
– Is created or received by a covered entity; and
– Is transmitted or maintained in any form or medium.
What does HIPAA do?
• Provides Individuals’ Rights
– Right to receive written notice of information practices
from health plans and providers
– Right to access their own health care information
– Right to request an amendment or correction of
protected health information that is inaccurate or
incomplete
– Right to receive an accounting of when information has
been disclosed for purposes other than treatment,
payment and health care operations
Consent vs. Authorization
• Consent – is required for all clients; it provides us the authority to share
Protected Health Information for the purposes of Treatment, Payment
and Health Care Operations (i.e. business processes necessary to provide
services to our clients).
• Authorization – is needed any time PHI is shared for reasons
other than Treatment, Payment, or Health Care Operations (TPO).
– Example – A financial institution has requested PHI. An authorization
will be needed to provide this information, because the request
would be outside the scope of TPO.
– Disclosures without patient authorization
• Purposes of carrying out treatment, payment, and health care
operations.
• Certain federal, state, and other oversight activities, public health,
emergencies, judicial proceedings, banking and payment processes, and
health research.
• Disclosure of PHI for research must be approved by an Institutional
Review Board or Privacy Board.
What do we have to do?
– Must generally obtain the patient’s consent prior to using or
disclosing PHI to carry out Treatment, Payment, or Health Care
Operations (TPO).
– Obtain an authorization for any disclosure outside of TPO.
– Develop a mechanism for accounting for all disclosures outside
of TPO.
– Accommodate requests for amendments or corrections.
– Designate a Privacy Officer responsible for privacy activities.
– Provide Training to all staff who have access to PHI.
– Establish administrative, technical, and physical safeguards.
– Establish Policies and Procedures, and Privacy Notice.
– Develop and apply sanctions from re-training to reprimand to
termination for HIPAA privacy violations.
– Keep documentation of the regulation requirements available.
– Develop methods to disclose the minimum necessary amount of PHI.
– Develop and use contracts with business associates.
Penalties and Enforcement
– The federal penalties are $25,000 - $250,000 fines
and/or 1 to 10 years imprisonment, dependent on
the type of violation.
– Employee sanctions for inappropriate disclosures.
WAYS THAT YOU CAN HELP
• Shred paper copies of patient records when disposing of
them.
• Ensure that workstations can’t be viewed by visitors.
• Avoid discussing client information in public places such as
elevators, cafeterias, and waiting rooms.
• Ensure that all facsimile copies that are sent contain a cover
page with the disclaimer statement.
• Change your password regularly.
• Don’t use generic (shared) passwords and log-on names.
• Secure your workstation when unattended.
THINGS YOU MAY NOTICE
• Ongoing privacy training for workforce
• Privacy notices and new authorization process
• New Policy and Procedures
• Privacy Office to answer HIPAA related questions
• Consent and Authorization forms revised
• Email and Fax Disclosure statements