HIPAA

The Health Insurance Portability and Accountability Act

What is it? & How will it affect us?



Who Needs Training and Why

- Employees who come in contact with Protected Health Information are federally required to attend training (the affected departments are listed later).
- This presentation is designed to:
  - Familiarize you with HIPAA regulations and with our policies and procedures regarding protected health information (PHI)
  - Ensure federal compliance
- Our policies will be listed at www.hipaa.cmich.edu





Summary of the Law

- To improve portability and continuity of health insurance coverage in the group and individual markets.
- To combat waste, fraud, and abuse in health insurance and health care delivery.
- To simplify the administration of health insurance, and for other purposes.



What Exactly is HIPAA?

- Public Law 104-191 (1996)
- Overseen by: Centers for Medicare and Medicaid Services (CMS)
- A federal law designed to:
  - Give patients control over all Protected Health Information (PHI) that might be shared between health care providers and other covered entities
  - Ensure confidentiality of PHI



Protected Health Information

- Protected Health Information (PHI) is any Individually Identifiable Health Information (IIHI) that is:
  - Created or received by a health care provider, health plan, employer or health care clearinghouse
  - Relating to the past, present or future physical or mental health or condition of an individual
  - Transmitted in any form or medium
- Examples: medical charts, problem logs, photographs, communications between professionals, health insurance policy number



Individual Identifiers (courtesy of www.hipaacow.com)

1. Name
2. Geographic subdivisions smaller than a State: street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of the zip code
3. Dates, except year: birth date, admission date, discharge date, date of death
4. Telephone numbers
5. Fax number
6. E-mail address
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable data
18. Any other unique identifying number, characteristic, or code
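The identifier list above is what a de-identification pass has to strip before a record falls outside the Privacy Rule. As an added example (not part of the original slides), the Python below drops the direct identifiers, keeps only the initial three digits of a zip code and the year of a date, and scrubs telephone, e-mail, SSN and IP-address patterns out of free text; the sample record, its field names and the regex patterns are constructed assumptions, not CMU's data or code.

```python
import re
from datetime import date
# Constructed sample record (not real patient data); field names are assumptions.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "zip_code": "48858-1234",
    "birth_date": "1971-03-09",
    "admission_date": "2003-02-14",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-00042",
    "diagnosis": "seasonal allergies",
    "notes": "Follow-up call to 989-555-0100; e-mail jane.sample@example.com.",
}

# Identifier categories 1 and 4-18 on the slide: the whole field is dropped.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "telephone", "fax", "email", "ssn",
    "medical_record_number", "beneficiary_number", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}
# Category 3 (dates, except year) and category 2 (zip code: initial three digits kept).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
# Identifiers that hide inside free text: telephone/fax, e-mail, SSN, IPv4 address.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
]

def deidentify(record: dict) -> dict:
    """Return a copy of record with the listed identifiers removed or reduced."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                    # drop the field entirely
        if key in DATE_FIELDS:
            value = date.fromisoformat(value).year      # keep the year only
        elif key == "zip_code":
            value = value[:3]                           # keep initial three digits
        elif isinstance(value, str):
            for pattern in FREE_TEXT_PATTERNS:          # scrub embedded identifiers
                value = pattern.sub("[REDACTED]", value)
        out[key] = value
    return out

def residual_identifiers(record: dict) -> list:
    """Keys still holding a direct identifier or an unredacted pattern (empty = clean)."""
    return [k for k, v in record.items() if k in DIRECT_IDENTIFIERS
            or (isinstance(v, str) and any(p.search(v) for p in FREE_TEXT_PATTERNS))]
```

Run `residual_identifiers` over the output as the check that nothing on the list survived; free-text fields such as clinical notes are where identifiers most often slip through.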



What entities are covered?

- Health plans
- Health care clearinghouses
- A health care provider who transmits any health information in electronic form



CMU as a Covered “Hybrid” Entity

- Hybrid Entity: a single legal entity that is a Covered Entity and whose Covered Functions are not its primary functions.
- CMU’s primary purpose is to educate
- We also deal with healthcare related procedures
- This “theory” allows us to apply HIPAA to specific areas



CMU as a Covered “Hybrid” Entity

- Departments affected:
  - HR Comp and Benefits: Self-funded Dental and Prescription Plan. A covered entity because it is a health plan.
  - University Health Services. A covered entity because it is a provider who bills electronically for care and devices.
  - Communication Disorders: Speech Pathology and Audiology. A covered entity because it is a provider who bills electronically for care and devices.



HIPAA Inside the “Hybrid”

- Internal support entities: General Counsel, Internal Audit, Accounts Receivable, Faculty Personnel, Human Resources - Employee Relations
- These areas deal either with disciplinary regulations, grievances, or healthcare related transactions
- It is not advantageous for these areas to receive prior authorization before reviewing a file



HIPAA Inside the “Hybrid”

- Possible future covered entities:
  1. Physician Assistant Program
  2. Psychology clinic
  3. Physical Therapy Program
- As of now they are not billing electronically, therefore not covered entities



HIPAA outside the “Hybrid” (therefore not covered)

- Information Technology
- Special Olympics
- International Student Services
- Office of International Education
- Student Disability Services
- Where does the information come from and/or go to? If it is not received from or sent to a provider or plan, then it is not considered PHI



HIPAA vs. FERPA

- FERPA, the Family Educational Rights and Privacy Act, protects the rights of students’ records
- Unique to universities
- Especially relevant to CMU’s UHS and CDO
- We service employees, students, and members of students’ families, all as patients



HIPAA vs. FERPA

- Disclosures are not consistent between the two
- Must treat student records and all other records differently
- This is extremely difficult, but do-able
- The necessary Directors will have a “Flow Chart” regarding proper procedures for the two



Four Components of HIPAA’s Administrative Simplification

- Transaction Standards & Code Sets
  - To create a uniform method of electronic communication
- Security & Electronic Signature Standards
  - To guard data integrity, confidentiality, and availability
- National Provider Identifier
- Privacy Rule
  - To ensure that Protected Health Information (PHI) is kept confidential
  - The concentration of this presentation



Privacy Rule

- All covered entities must be in compliance by 4/14/03
- There are no exclusions or extensions available and no paperwork to submit to prove compliance



Privacy Rule

- Establishes safeguards to protect the confidentiality of medical information
- Gives patients more control over their health information
- Limits release of information to the minimum necessary
- Sets boundaries on the use and release of health records



Privacy Rule

- Enables patients to find out how their information may be used and what disclosures of their information have been made to any business associates or other parties
- Gives patients the right to examine and obtain copies of their own health records, and to request corrections



Privacy Rule - Consent

- The Privacy Rule was most recently amended on 8/14/02.
- Consent to use and disclose protected health information for treatment, payment, or health care operations (TPO) is not required; it is optional for all covered entities.



Privacy Rule - Consent

- A covered entity must make a “good faith effort” to obtain a written acknowledgment of receipt (from the patient) of a facility’s Notice of Privacy Practices (NPP) at the earliest possible encounter. If the patient refuses to sign, the provider needs to show that every effort was made to obtain a signature.
- The NPP can be a summary statement of the provider’s comprehensive NPP with reference to the entire NPP being available to the patient for examination.
- The NPP must be visibly posted at all times.



Privacy Rule - Consent

- Covered entities are not prohibited from obtaining consent and have complete discretion in designing their individual consent process.
- State law requirements may be more stringent and therefore supersede the federal requirements.



Notice of Privacy Practices

- The NPP reflects your dedication to privacy and must be available for patient review
- Copies of the NPP must be on display in each waiting room
- Written copies of the NPP must be available on request
- A copy of the NPP needs to be posted on the web site
- The NPP informs patients that you will not release their PHI except as stated in your Notice



Notice of Privacy Practices

- The NPP states you are required to abide by the terms of your current Privacy Notice
- The NPP instructs patients how to file a privacy complaint
- The NPP indicates how you will send information (mail, fax, electronic, etc.)
- You must make a “good faith effort” to obtain a patient’s written acknowledgment of receipt of the notice.



Consent & Authorization

Consent
- A general document giving health care providers permission to use & disclose all PHI for treatment, payment or health care operations (TPO)
- It gives permission only to the provider, and not to any other person or business associate
- Not required, but optional

Authorization
- A customized document giving covered entities permission to use specified PHI for specified purposes, or to disclose specified PHI to a third party. It is more specific & detailed than consent, and it is usually time sensitive.



Authorization

- Authorization is required for uses and disclosures of PHI for purposes that are not otherwise permitted or required under the Privacy Rule. Examples:
  1. Sale of patient mailing lists
  2. Disclosing information to employers for employment decisions
  3. Disclosing information for life or disability insurance



Authorization

- Covered entities are required to document & retain authorizations and to provide individuals with a copy of the signed authorization form.
- Patients will need to grant authorization in advance for each type of use or disclosure.



HIPAA Privacy Rule Facts

- The rules apply to all oral, written, or electronic records of covered entities.
- HIPAA prohibits the use of records for marketing without prior, specific authorization by the patient.
- PHI that has been de-identified is not subject to the Privacy Rule.
- A HIPAA team must be appointed by each covered entity.
- The facility’s Notice of Privacy Practices (NPP) should be posted in public (on the web site & in waiting rooms), with copies available on request.



HIPAA Team

- Must assign a Privacy Officer
- Should assign an Electronic Transaction Officer
- Must assign a Security Officer



HIPAA Privacy Officer

- Must have authority and independence
- Is responsible for developing and implementing the HIPAA compliance plan
- Is responsible for enforcement & sanctions
- Designates contact persons responsible for receiving complaints and monitoring patient contacts



Campus Wide Planning

- Knowledge
- Initial training of workforce
- Policy revision and drafting: the list is endless
- Firewall and software development, implementation and testing
- Ongoing analysis and refinement



Preparing for HIPAA Compliance

1. Enter into new contracts with Business Associates (BA)
2. Develop Written Policies & Procedures
3. Documentation Procedures
4. Conduct a site survey of your own facility
5. Site Survey Q’s for your own facility



Preparing for HIPAA Compliance: Enter into new contracts with Business Associates (BA)

- BAs are persons who perform a function or activity involving the use or disclosure of IIHI.
- Covered entities will be allowed to share PHI with a BA, provided that a written agreement safeguarding such information from misuse is signed by both the provider and the BA.
- If an entity is subject to HIPAA, a contract is not needed with another covered entity.



Preparing for HIPAA Compliance: Enter into new contracts with Business Associates (BA)

Types of Business Associates:
- Claims processing or administration
- Data analysis
- Processing or administration
- Utilization review
- Billing
- Benefit management
- Computer work
- Legal work
- Actuarial work
- Accounting work
- Transcriptionists
- Accreditation work
- Cleaning service
- Consulting work
- Marketing



Preparing for HIPAA Compliance: Develop Written Policies & Procedures

- Decide who is responsible for determining “minimum necessary” data
- Develop a records management plan
- Determine who will keep records
- Determine how records will be kept
- Teach proper documentation



Preparing for HIPAA Compliance: Documentation Procedures

- Create record logs:
  - Log information given in response to patient authorization
  - Log information given in response to legal requests for PHI
  - Log patient requests for amendments or restrictions to your Privacy Policy
- PHI disclosures must be kept a minimum of 6 years



Preparing for HIPAA Compliance: Conduct a Site Survey of Your Own Facility

- Walk through the facility from the patient’s point of view. Look for visible or audible PHI, including information on tables & desks, in waste cans, on computer monitors, on fax machines, or overheard on telephones.



Preparing for HIPAA Compliance: Site Survey Q’s for Your Own Facility

- Are patient records secure?
- Are there individual & unique passwords assigned for computer systems?
- Are collection calls or calls regarding other PHI made in a private location?



Why should we care about the HIPAA rules?

- CMU is a hybrid entity: some parts of the university must comply fully as a covered entity (e.g. Speech & Hearing Clinics), other portions are not affected at all by HIPAA (e.g. English Dept.), and other parts are indirectly affected (e.g. Accounts Receivable).
- As a single, hybrid entity, if any one part of the university is found to be out of compliance, all other covered parts can be investigated.
- HIPAA is designed to empower the patient/consumer.
- HIPAA ideally will minimize cost over the long term.



Why should we care about the HIPAA rules?

Criminal Penalties
- Failure to comply: fine & possible exclusion from Medicare
- Wrongful disclosure: $50,000, imprisonment of up to one year, or both
- Offense under false pretenses: $100,000, imprisonment of up to five years, or both
- Offense with intent to sell information: $250,000, imprisonment of up to ten years, or both



HIPAA Web Links

- www.hipaadvisory.com
- www.hipaacow.com
- www.cms.hhs.gov/hipaa
- www.hhs.gov/ocr/hipaa
- www.hcfa.gov/medlearn




Shared by: Karna