8/28/20151 county of san bernardino department of public health information security health...
04/19/23 1
County of San Bernardino
Department of Public Health
Information Security
Health Insurance Portability and Accountability Act (HIPAA)
Basic Training
Extra-Help Employees
(Intended for extra-help employees who work for Public Health 30 days or less)
Introduction
The purpose of this training is to provide Public Health (PH) extra-help employees (who work for PH 30 days or less) with essential information regarding the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA legislation requires all workforce members of HIPAA covered entities to receive HIPAA training.
You are required to take this training because you are now a workforce member of a PH HIPAA covered entity.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law created by Senate Bill 456.
It was developed to protect the confidentiality of an individual's private information.
HIPAA states that individuals have a right to keep information about themselves private.
This private information is referred to as:
– Protected Health Information (PHI) or
– Individually Identifiable Health Information (IIHI)
The Purpose of HIPAA
The purpose of the Health Insurance Portability and Accountability Act (HIPAA) is to:
Give individuals more control over their protected health information (PHI)
Set boundaries on the use and disclosure of PHI
Establish safeguards to protect PHI
Hold HIPAA covered entities accountable with civil and criminal penalties if they violate an individual's PHI
HIPAA National Standards
HIPAA sets national standards for the:
Use and disclosure of protected health information (PHI) and
The security of PHI
These standards determine:
– When, how and under what circumstances a covered entity may use or disclose an individual’s PHI and
– How the PHI must be protected (i.e. Physical, Technical & Administrative Safeguards)
Examples of Why We Need HIPAA
After suffering from a work-related injury to her wrist, a woman authorized her insurance company to release health information pertaining to her wrist. When reviewing her medical record, she discovered the entire medical file was disclosed, including fertility treatment and a pregnancy loss.
A truck driver lost his job when his employer learned from his insurance company that he sought treatment for a drinking problem.
A banker who also served on his county’s health board cross-referenced customer accounts with patient information. He called due the mortgages of anyone suffering from cancer.
A public health worker walked away with a disk of 4,000 names of persons who tested positive for HIV and provided this list to two newspapers.
Why “You” Need HIPAA Training!
Covered entities (including Public Health) are required to develop a system of sanctions (discipline) for employees who violate HIPAA’s privacy requirements.
Sanctions are:
penalties,
corrective action,
adverse action, or
criminal prosecution
that may result from violating HIPAA privacy requirements.
HIPAA Federal Penalties
The Federal Government also provides penalties for failure to comply with HIPAA. They include:
Civil
– $100 fine per person per violation
– $25,000 fine per year for multiple violations
Criminal
– Knowingly or wrongfully disclosing or receiving IIHI protected by HIPAA: $50,000 and/or one year prison time
– Commit offense under false pretenses: $100,000 fine and/or five years prison time
– Intent to sell PHI protected by HIPAA or client lists for personal gain or malicious harm: $250,000 fine and/or ten years prison time
Protected Health Information
Protected health information (PHI) refers to any information that relates to the past, present or future:
o physical or mental condition of an individual, or
o payment for the provision of health care of an individual
This information is protected when it is used together with data that might identify the individual to whom the information belongs.
Data that might identify an individual is referred to as “unique identifiers”.
Protected Health Information
Unique Identifiers
Unique identifiers may include, but are not limited to, a person’s:
Name
Address or City
Birth Date
Social Security Number
Telephone Number
Fax Number
E-mail Address
Names of Relatives
Names of Employers
Finger or Voice Prints
Photographic Images
Internet Protocol (IP) Address
Vehicle or Device Serial Number
Medical Record Number
Health Plan Beneficiary Number
Account Number
Certificate or License Number
Any unique identifying numbers, codes or characteristics
Protected Health Information
Summary
Protected health information is any information that relates to the past, present or future:
o physical or mental condition of an individual, or
o payment for the provision of health care of an individual
and
used together with one or more unique identifiers [such as the individual’s name, address, birth date, social security number, etc. (see previous slide)]
What is not Protected Health Information
Protected health information does not include information contained in:
Education Records
Worker’s Compensation Records
The Individual’s Own Personal Records
HIPAA Covered Entity
A HIPAA covered entity is a:
Health Care Provider who electronically transmits protected health information in connection with a standard transaction.
– This includes physicians, hospitals, labs, public health departments
– This excludes providers who submit transactions on paper
Health Plan who provides or pays the cost of medical care
– This includes Medicaid, Medicare & Blue Cross
– This excludes Workers’ Compensation, State disability, etc.
Health Care Clearinghouse is narrowly defined as those that translate data from non-standard to standard format
Public Health HIPAA Covered Entities
01 PAS Program Analysis & Statistics
(Excluding Vital Statistics)
03 CAH Child & Adolescent Health
04 IMM Immunizations
05 SCH School Health
07 MH Maternal Health
08 RH Reproductive Health
11 STD Sexually Transmitted Diseases
12 TB Tuberculosis Control
13 EPI Epidemiology
14 PRC Primary Care
15 AID AIDS
16 AGE Aging
21 FAS Fiscal & Administrative Services
23 CCS California Children’s Services
31 CRD Chronic Disease
32 FSS Family Support Services
33 PAL Perinatal & Adolescent Life
34 PHN PH Nursing Field Services
37 ASP Administrative Services Program
Use & Disclosure of Protected Health Information
Use refers to the internal sharing of protected health information (PHI). That is to say:
– Information created by a covered entity
– Shared internally within the covered entity
– To accomplish the purpose of the covered entity
Disclosure refers to the external sharing of PHI. That is to say:
– Sharing information
– To organizations that are not part of the covered entity
“More Stringent Requirement”
If a HIPAA covered entity is faced with two conflicting laws governing the use or disclosure of protected health information, they must follow the law with the “more stringent” requirement.
The law is more stringent if it:
– Further limits the use or disclosure of PHI
– Provides clients with:
  o Greater amount of information
  o Greater rights of access or amendment
– Enhances authorization/consent protections
– Imposes greater record keeping requirements (e.g., accounting of disclosures, retention periods)
Required Disclosures
HIPAA requires disclosure of protected health information in only two circumstances:
When requested by the individual who is the subject of the information (some exceptions)
When required by the Secretary of the United States Department of Health and Human Services (DHHS) to investigate or determine if the covered entity is in compliance with HIPAA legislation.
Permitted Disclosures
HIPAA permits disclosures of protected health information in these three circumstances:
For treatment, payment, and health care operations or
With an Authorization for Release of Information or
For certain limited uses and disclosures for important governmental purposes
Permitted Disclosures
Treatment, Payment, Health Care Operations (TPO)
A covered entity may use or disclose protected health information:
For its own treatment, payment or health care operations
For the treatment activities of any health care provider
For the payment activities of any health care provider
For the health care operations of another covered entity under some circumstances
Permitted Disclosures
Authorization for Release of Information
HIPAA prohibits covered entities from using or disclosing protected health information (PHI) without a valid Authorization for Release of Information.
An Authorization for Release of Information is:
A document
Providing an individual’s permission allowing a covered entity to
– Disclose the individual’s PHI
An authorization limits the amount of PHI to be released:
– To the “minimum necessary”
– To accomplish the purpose of the authorization
Miscellaneous Allowable Disclosures
HIPAA allows miscellaneous disclosures of protected health information without an Authorization in the following instances:
Family Members for 1) location 2) general condition or 3) death
Location refers to a hospital or shelter. It does not apply to home address etc.
– Required by Law
– Public Health Surveillance Activities (includes CPS)
– Report Adult Abuse, Neglect, or Domestic Violence
– Judicial and Administrative Proceedings
– Limited Law Enforcement Purposes
– Decedents
– Serious Threat to Health or Safety
Specialized Government Functions
Involves Workers’ Compensation information
When can “You” Disclose Protected Health Information
Only with your supervisor’s approval
To ensure the confidentiality of our clients’ protected health information (PHI), the Public Health Department prohibits extra-help employees from disclosing PHI without the express permission of their immediate supervisor.
If you are an extra-help employee you may not disclose PHI without your immediate supervisor’s approval.
This rule protects you as well as the PHI.
It is intended to be a safeguard against the accidental disclosure of PHI.
HIPAA Safeguards
HIPAA covered entities are required to safeguard an individual’s protected health information (PHI).
This requires covered entities to:
Provide appropriate administrative, technical and physical measures, policies or procedures to protect the privacy of PHI which will
Reasonably safeguard PHI from any intentional or unintentional use or disclosure
HIPAA Safeguard Tips
Close doors or draw privacy curtains/screens
Conduct discussions so that others may not overhear them
Do not leave medical records where others can see them or access them
Keep medical test results private
Protected Health Information (PHI) should NOT be shared or viewable in public areas
Do not leave copies of PHI at copy machines, printers, or fax machines
Do not leave PHI exposed in mail boxes or conference rooms
Do not share computer passwords or leave them visible
Do not leave computer files open when leaving an unlocked or shared work area
Secure PHI when no one is in the area, lock file cabinets and office doors
Safeguard PHI when records are in your possession
Return medical records to appropriate location
Dispose of paper containing PHI properly
Internet encryption of PHI
Client Rights
Clients of HIPAA covered programs have the following rights:
Right to request alternative means of receiving information
Right to request additional protections – restrictions
Right to access, inspect, and copy their own protected health information (PHI)
Right to have PHI amended
Right to request and receive an accounting of disclosures of their PHI
Right to receive a Notice of Privacy Practices (NOPP)
Right to file a complaint with the County and/or Department of Health and Human Services (DHHS), Office of Civil Rights (OCR)
Department of Public Health Complaint Procedure
A person or organization who believes a covered entity is not complying with HIPAA requirements may file a complaint by either of the following actions:
Call: The Public Health Department @ (909) 387-6222 or
Contact: Jim Pesta, Ethics Resource Officer
504 North Mountain View Avenue
San Bernardino, CA 92415-0038
(909) 381-7960 – Direct or (909) 388-4281 – FAX