HIPAA: The Health Insurance Portability and Accountability Act

Southeastern Institute

Upload: marshall-williams

Post on 19-Jan-2016


Page 1

HIPAA: The Health Insurance Portability and Accountability Act

Southeastern Institute

Page 2

General HIPAA Information

What is HIPAA, and why was it needed?

• The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Bill or Public Law 104-191, was passed on August 21, 1996.

• It was needed to create rules governing administrative activities (making health care more efficient), the underwriting process of group coverage, and the standardization of electronic transmittal of billing and claims.

Page 3

General HIPAA Information

A key part of the HIPAA act also increased and standardized the confidentiality and security of health data.

HIPAA privacy regulations require that access to patient information be limited to only those authorized, and that only the information necessary for a task be visible to them. All personal health information must be protected and kept confidential.

Page 4

General HIPAA Information

Prior to HIPAA, there was no uniformity: rules and regulations varied from state to state, even from one health care organization to another. Now HIPAA provides a uniform level of security and records privacy throughout the country.

Compliance investigations relating to HIPAA are handled by the Office of Civil Rights, which is an office within the U.S. Department of Health and Human Services.

Page 5

General HIPAA Information

Who must become HIPAA compliant? And what exactly is HIPAA compliance?

• All health providers who meet the definition of “covered entities” must comply with the privacy and security regulations. The only exception is that mental health providers must follow special, more stringent rules.

• No matter what, your healthcare firm, along with all employees, MUST follow privacy policies.

Page 6

Important HIPAA Terms

Protected Health Information: data that includes references that specifically identify a patient and/or their relatives, employers, or household members. There are 19 items that constitute PHI:

1. Name
2. Address
3. Phone Numbers
4. Fax Numbers
5. Dates (birth, death, discharge)
6. Social Security Numbers

Page 7

Important HIPAA Terms

PHI Continuation:

7. E-Mail Address
8. Medical Records or Chart Numbers
9. Health Plan Beneficiary Numbers
10. Account Numbers
11. Certificate or License Numbers
12. Vehicle Identification Numbers
13. Device Identifiers
14. Web Universal Resource Locators (URL)
15. Internet Protocol (IP) Address Numbers
16. Finger or Voice prints
17. Full Face Photographic Images
18. Any unique identifying number, characteristic, code
19. Patient’s Medical History

Page 8

Important HIPAA Terms

Health Care Clearinghouse

Under HIPAA, this is “…a public or private entity that does either of the following:

Receives or processes information from an entity in either a standard (general information) or non-standard (special circumstances) content and then facilitates the information back into either a standard or non-standard data content for the receiving entity.”

Page 9

Important HIPAA Terms

Health Care Provider: Anyone who provides “medical or health services”… and who transmits health information in electronic form.

Minimum Necessary: The HIPAA health insurance privacy rule also requires covered entities that disclose information to establish procedures to disclose, use or request only the minimum information necessary to accomplish the intended purpose.

Page 10

Important HIPAA Terms

Authorization: An authorization is a customized document that gives covered entities permission to use specific personal health information for special purposes.

An authorization form is detailed and specific to:
1. The permitted use and disclosures
2. The permitted recipient
3. The personal health information that may be shared.

An authorization also has an expiration date, and in some cases may state the specific purpose for health information disclosure.

Page 11

Important HIPAA Terms

Privacy Note/Notice of Privacy Policies: Each covered entity must develop a health information notice, to be made available at a patient’s request or posted in a prominent location in their office, describing how it uses and distributes health care information.

The notice must also advise that patients have the right to request restrictions on the use or distribution of records.

All patients should receive a copy as well.

Page 12

Important HIPAA Terms

Disclosures: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

There are several classifications of disclosures:
1. TPO (Treatment, Payment and Operations)

Penalties: Civil penalties consist of a $100 fine per compliance violation per client per year, with a maximum fine of $25,000 per year per client.

Page 13

Important HIPAA Terms

Criminal penalties for being non-compliant:

• If you knowingly obtain protected health information in violation of the law, you can be fined up to $50,000 and sentenced to up to one year in prison.

• If you obtain information under “false pretenses”, it climbs to a fine of up to $100,000 and up to five (5) years in prison.

• Someone who obtains health information with the intent to sell, transfer, or use it for commercial purposes or personal gain can be fined up to $250,000 and sentenced to up to ten (10) years in prison.

Page 14

Important HIPAA Terms

Routine Disclosure: These are disclosures for the purposes of Treatment, Payment and firm Operations (TPO).

Non-routine Disclosures: Disclosures for reasons other than Treatment, Payment and firm Operations. The client must sign an Authorization for release of protected health information for each non-routine disclosure.

Incidental Disclosures: These are minor disclosures that are simply a part of doing business, such as calling a person’s first name in a waiting room to let them know you’re ready for them to come back.

Page 15

Important HIPAA Terms

Permitted Disclosures: These are disclosures that covered entities are permitted, but not required, to continue without patient permission. These include:

1. Emergency circumstances
2. Identification of a deceased body
3. Public health needs
4. Judicial or administrative proceedings
5. Limited law enforcement activities
6. Activities related to national defense and security.

Page 16

Important HIPAA Terms

Erring on the side of caution:

Since the patient data belongs to the patient and not to your office, it is best to always err on the side of caution when it comes to releasing or discussing patient information. Follow the Golden Rule of HIPAA: treat every person’s information with AT LEAST the same caution and respect you would want for your own information, if not more.

Page 17

Patient Acknowledgement of Receipt of the Notice of Privacy Practices

Originally patient consent forms were required. They are no longer required. Under HIPAA’s Privacy and Security provisions, medical offices are required to give their patients a copy of the Notice of Privacy Practices and must obtain a signed and dated copy of the Patient Acknowledgement of Receipt of the Notice of Privacy Practices.

This form is filed in the patient’s chart to show tangible proof of compliance. It must also be kept for 6 years after its last effective use.

Page 18

Termination Security

In the event that an employee who has had access to any form of protected health information is terminated, all items that the employee had access to must be collected and a security checklist must be signed by the terminated employee.

The employee will also be asked to review and sign a notice reminding them that any confidential information that they had access to remains confidential.

Violation of these policies can result in serious consequences.

Page 19

Patient Information Privacy

Patient Information Privacy is the centerpiece of the HIPAA Privacy and Security regulations.

• Employees must not discuss or share protected patient data outside of the office.
• Employees must not discuss or share protected patient data with employees not authorized to have access to that information.
• Employees must not discuss protected patient information when unauthorized persons can overhear the conversation.
• Employees must not discuss any patient information with other patients.
• Employees must not leave patients’ records unattended in public areas of the office.
• Records waiting to be updated or filed must be protected.
• All uncompleted work must be locked up at the close of a business day.
• Employees may access records for which they have a legitimate, assigned business need.
• Employees must not remove files or copies of files from the office.

Page 20

Oral Discussions

Any verbal discussions with patients, relatives, or other medical personnel should be as private as possible.

Always be aware of anyone walking by who may overhear part or all of your conversation.

Page 21

Disposal of Patient Data

Patient data that is no longer needed and/or is past the relevant storage period should be destroyed or overwritten to make certain that it is not possible for the information to be accessed again.

Handwritten notes such as phone messages and reminder slips containing protected data must be shredded as soon as they are no longer needed.

Dictation tapes containing protected information must be erased after the material is transcribed.

All unwanted paper containing protected information must be cross-shredded.

Diskettes containing protected health information or patient data must be reformatted when the data is no longer required.

Hard drives must be reformatted when an office computer is sold, or when employees no longer use it to access protected patient data.

CDs must also be destroyed if they contain protected information. This can be done by simply snapping them in half.

Page 22

Access Control Policy

The Security Officer will be responsible for determining whether an employee may have access to patient data.

These employees must:
1. Have a legitimate business need to access the data.
2. Be aware of, and agree to adhere to, HIPAA privacy policies.
3. Have signed a confidentiality or chain of trust agreement.
4. Agree absolutely not to share their account access.

Each person should have an individual password, to which their access level is tied.

The Security Officer will also be responsible for modifying a user’s access to patient data.

Page 23

De-Identification

De-Identification is the process by which identifying information is removed from a record to make it impossible for anyone seeing the data to match it to the patient to whom the data belongs.

Always ensure that all 19 required elements of Protected Health Information (PHI) have been properly removed and that any remaining identifying elements cannot be used to directly retrieve patient data from any other available source.
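As an added illustration that is not part of the Southeastern Institute slides, the following Python runs a de-identification pass over a constructed chart record, driven by the 19 PHI elements listed on the Important HIPAA Terms slides, and then performs the residual check the slide calls for: any identifier that survives in a free-text field is flagged. The field names, the regular expressions and the sample record are assumptions about how such a record might be laid out.

```python
import re

# The 19 PHI elements from the slides, keyed by the field names a chart record
# might use (the field names themselves are assumptions, not from the slides).
PHI_FIELDS = {
    "name": "1. Name",
    "address": "2. Address",
    "phone": "3. Phone Numbers",
    "fax": "4. Fax Numbers",
    "birth_date": "5. Dates (birth, death, discharge)",
    "death_date": "5. Dates (birth, death, discharge)",
    "discharge_date": "5. Dates (birth, death, discharge)",
    "ssn": "6. Social Security Numbers",
    "email": "7. E-Mail Address",
    "chart_number": "8. Medical Records or Chart Numbers",
    "plan_beneficiary_number": "9. Health Plan Beneficiary Numbers",
    "account_number": "10. Account Numbers",
    "license_number": "11. Certificate or License Numbers",
    "vin": "12. Vehicle Identification Numbers",
    "device_id": "13. Device Identifiers",
    "url": "14. Web Universal Resource Locators (URL)",
    "ip_address": "15. Internet Protocol (IP) Address Numbers",
    "biometric": "16. Finger or Voice prints",
    "photo": "17. Full Face Photographic Images",
    "other_unique_id": "18. Any unique identifying number, characteristic, code",
    "medical_history": "19. Patient's Medical History",
}

# Identifiers that tend to leak into free-text fields such as visit notes.
# Deliberately simple patterns (assumptions), not an exhaustive scanner.
FREE_TEXT_PATTERNS = {
    "6. Social Security Numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "3. Phone Numbers": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "7. E-Mail Address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "14. Web Universal Resource Locators (URL)": re.compile(r"https?://\S+"),
    "15. Internet Protocol (IP) Address Numbers": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "5. Dates (birth, death, discharge)": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def deidentify(record):
    """Return (clean_record, removed): PHI fields dropped, free-text matches redacted.

    The input record is not modified; 'removed' lists which PHI elements were stripped.
    """
    clean, removed = {}, []
    for key, value in record.items():
        if key in PHI_FIELDS:
            removed.append(PHI_FIELDS[key])
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    value = pattern.sub("[REDACTED]", value)
                    removed.append(label + " (in free text: " + key + ")")
        clean[key] = value
    return clean, removed


def residual_phi(record):
    """The slide's final check: list (field, PHI element) pairs still present."""
    findings = []
    for key, value in record.items():
        if key in PHI_FIELDS:
            findings.append((key, PHI_FIELDS[key]))
        elif isinstance(value, str):
            findings.extend((key, label) for label, pattern in FREE_TEXT_PATTERNS.items()
                            if pattern.search(value))
    return findings


# Constructed sample chart record (not real patient data).
SAMPLE_RECORD = {
    "chart_number": "MR-000123",
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "birth_date": "1970-01-01",
    "email": "jane@example.com",
    "diagnosis_code": "J45.20",
    "visit_notes": "Patient called from 555-123-4567 about a refill; see 12/01/2015 visit.",
    "zip3": "294",
}

if __name__ == "__main__":
    clean, removed = deidentify(SAMPLE_RECORD)
    print(clean)
    print(removed)
    print(residual_phi(clean))  # [] once every PHI element is gone
```

A non-empty result from residual_phi after de-identification means the record must not leave the entity; the check catches identifiers that sit in narrative fields rather than in named columns.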

Page 24

Records Processing

All protected health information, in written or electronic form, will be logged in the Records Handling Log.

Under no circumstances will ANY protected health information be transmitted without the appropriate Patient Consent form or Patient Authorization form on file, or unless the information has been de-identified.

Page 25

Information Requests

All requests should be made and received in writing so that they can be placed in the appropriate file as documentation of the request.

Only respond to information requests when they have a properly completed and executed Patient Consent Form or Patient Authorization form for the specific information.

Provide only the minimum information necessary to satisfy the specific request.

Never release an entire medical record.

Verify the source of the request and make appropriate and reasonable efforts to determine the true identity of the requestor.

“Document Everything” could be described as the second rule of HIPAA. Better to document and never need it, than not document it and need that proof later.
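As an added example that is not part of the Southeastern Institute slides, the following Python models the Authorization form from the Important HIPAA Terms slide (permitted use, permitted recipient, the PHI that may be shared, expiration date) and applies the Information Requests rules above: written request, verified requestor, minimum necessary, never the entire record, and an entry in the Records Handling Log from the Records Processing slide for every decision. The field names, the sample chart and the log layout are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    """Patient Authorization: permitted use, recipient, PHI and expiration (per the slides)."""
    patient_id: str
    permitted_recipient: str
    permitted_use: str
    permitted_fields: frozenset
    expires: date


@dataclass(frozen=True)
class InformationRequest:
    """Information request; the slides require it in writing and the requestor verified."""
    patient_id: str
    requester: str
    stated_use: str
    requested_fields: frozenset
    in_writing: bool
    identity_verified: bool


# Records Handling Log (assumed structure): one tuple per decision, so every
# request and every release is documented, whether granted or denied.
RECORDS_HANDLING_LOG = []


def release_for_request(record, request, auth, today):
    """Return (released_fields, reason).

    Nothing is released unless every check passes, and then only the fields
    that are both requested and listed on the authorization ("minimum
    necessary"). The entire record is never released.
    """
    def deny(reason):
        RECORDS_HANDLING_LOG.append(("DENIED", today, request.requester, request.patient_id, reason))
        return {}, reason

    if not request.in_writing:
        return deny("request must be made and received in writing")
    if not request.identity_verified:
        return deny("identity of the requestor not verified")
    if auth is None or auth.patient_id != request.patient_id:
        return deny("no Patient Authorization form on file for this patient")
    if today > auth.expires:
        return deny("authorization has expired")
    if request.requester != auth.permitted_recipient:
        return deny("requester is not the permitted recipient")
    if request.stated_use != auth.permitted_use:
        return deny("stated use does not match the permitted use")
    if request.requested_fields >= set(record):
        return deny("entire medical record requested; never release it")

    allowed = request.requested_fields & auth.permitted_fields
    withheld = request.requested_fields - auth.permitted_fields
    if not allowed:
        return deny("none of the requested fields are authorized")

    released = {name: record[name] for name in sorted(allowed) if name in record}
    RECORDS_HANDLING_LOG.append(("RELEASED", today, request.requester, request.patient_id, sorted(released)))
    if withheld:
        return released, "partial: withheld " + ", ".join(sorted(withheld))
    return released, "released"


# Constructed sample data (not real patient data).
CHART = {
    "name": "Jane Example",
    "dates_of_service": ["2015-11-02", "2015-12-01"],
    "procedure_codes": ["99213"],
    "diagnosis_notes": "full clinical narrative",
}
AUTH = Authorization("P-0001", "Example Health Plan", "payment",
                     frozenset({"dates_of_service", "procedure_codes"}), date(2016, 6, 30))
REQUEST = InformationRequest("P-0001", "Example Health Plan", "payment",
                             frozenset({"dates_of_service", "procedure_codes", "diagnosis_notes"}),
                             in_writing=True, identity_verified=True)

if __name__ == "__main__":
    print(release_for_request(CHART, REQUEST, AUTH, date(2016, 1, 19)))
    print(RECORDS_HANDLING_LOG[-1])
```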

Page 26

Patient Lists

During the normal course of daily activities in a health care firm, patient lists are sometimes created. HIPAA requires a firm NOT to reveal the identities of any of the patients of the practice. Certain exceptions are possible.

Any lists that are likely to be seen by those not authorized to view patient data must contain the minimum necessary amount of patient information.

Covered entities, such as doctor’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.

Page 27

Patient Records Amendments

HIPAA says that a patient/client can amend his or her medical records. This request must be in writing, signed and dated to document the request. A legal guardian is also allowed to amend the medical record.

A decision regarding allowing the amendment shall be made within business days. The practice must make a decision as to whether or not they will allow the amendment.

Page 28

Patient Records Access

A patient can request to see or obtain a copy of his or her medical records. This request cannot be denied by the practice. The firm may make a charge for providing a copy, but the request must be promptly carried out.

The request must be in writing and signed and dated by the patient or their legal guardian.

If the request is to see the record, the patient may have immediate access within the office, business operations permitting.

Patients will be provided a place to review the records away from other patients, but a staff member shall be present while the patient is reviewing records to ensure that the record remains intact and unaltered.

If a copy of the chart is requested, the copy can be picked up in person or mailed (return receipt requested) if the patient so requests in writing.

Page 29

Patient Record Storage and Access

Current paper files must be stored in locked file cabinets or a locking file room if they contain protected healthcare information or patient data.

Archived patient records will not reside in a general storage area except in locked file cabinets.

Patient information stored in computers will be password protected.

Backup media that contains patient information must be stored in locked cabinets.

Charts for incoming patients will be kept behind desks, away from patients and visitors.

Computer screens displaying patient data will be turned away from public areas so as not to be visible to patients or others in public areas.