HIPAA_ An Overview of Privacy and Security Regulations - Training for Providers and Staff

HIPAA: An Overview of Transaction, Privacy and Security Regulations

Training for Providers and Staff
- HIPAA stands for Health Insurance Portability and Accountability Act
- The law sets standards for the transmission of information in order to provide uniformity between the many healthcare systems
- The law also sets strong privacy protections to protect the consumer's health information
Enforcement Responsibility
- Centers for Medicare and Medicaid (CMS) is responsible for the security standards
- The Department of Health and Human Service's Office of Civil Rights is responsible for the privacy rules.
Penalties for Noncompliance
- The Federal government holds the agency liable for
- Agency Penalties: $100 - $50,000 per violation up to $1.5 million per year; exclusion from participating with Medicare/Medicaid and possible prison time.
- Entities contracted with Pines: $50,000 per violation up to $1.5 million per year; exclusion from participating with Medicare/Medicaid (loss of contract with Pines) and possible prison time.
- Staff Sanctions: Disciplinary action up to and including termination per policy.
Who is Subject to HIPAA?
- You are if:
  - You transmit health information (bills) electronically
  - You receive third party reimbursement
  - You bill Medicare or Medicaid
  - You receive money from Pines, which is a covered entity and subject to HIPAA rules
  - You receive faxes with health information that may have been computer generated
  - If you serve even 1 consumer affected by the above, you are liable to comply with HIPAA regulations
Three Parts to HIPAA
- Privacy Rule: Establishes standards to protect the confidentiality of personal health information (PHI)
- Transaction Rule: Requires compliance with standards for electronic transmission of health information (i.e., standard billing
- Security Rule: Sets standards related to the safeguarding of health information.
Privacy Rules
- Requires staff training on privacy rules
- Requires the designation of a privacy officer
- Requires that all consumers know the agency's disclosure practices for health information (Privacy Notices)
- Requires a clear protocol for handling complaints regarding HIPAA compliance
- Requires a "need to know" limit: only the information that needs to be known may be released, and only to those people who need to know it, with proper consent (authorization).
- Allows consumers to request an amendment to their
HIPAA vs. Mental Health Code and/or Public Health Code
- The federal government allows state law to pre-empt HIPAA regulations if the state laws are more stringent than HIPAA. In many cases, the mental health code and/or public health code for substance abuse is more stringent than HIPAA.
HIV Information
- Be very careful regarding releasing HIV information. Michigan highly regulates the confidentiality of HIV information. A person's HIV status (positive or negative) cannot be disclosed without their express, written permission unless medical personnel are exposed to their blood in an emergency
- Be just as concerned about accidental disclosure as you are with accidental
Transactions Rules
- Applies to agencies that transmit insurance bills/claims electronically or use billing
- Organizations must use HIPAA compliant software and test transactions with third party
Security Rules
- Covers every type of storage or transmission of public health information that might take place.
- Requires a risk assessment to be undertaken
- Requires policies and procedures to address the security of
- Requires that a staff member be responsible for security policies and procedures (Security Officer)
- Requires technology security such as data backups, passwords that expire frequently, and monitoring of computer network activity
- Requires limits on physical access to equipment or locations to assure security of information:
  - Location of fax machine
  - Screen protectors needed on computers
  - Shred receptacles available
Practical Security Steps
- Control the physical access to your building. Visitors should not be allowed to access areas in which confidential information is kept.
- Conversations involving sensitive information should not occur where they can be
- Sensitive documents should not be left in view
- Sensitive telephone conversations should not be conducted where they can be
- Processes should be in place to assure that incoming faxes are safeguarded
- Computers should be positioned so that confidential information cannot be seen by others.
- Passwords are meant to secure information. They should be hard to guess and not shared.
- Portable computers (laptops, flash drives, PDAs, etc.) should be kept secure. Avoid keeping sensitive information on them if they need to leave the office.
- Email is not under your control once you push send. Make sure messages have a confidentiality notice at the end, and the rule of thumb should be to never include sensitive information in an email if using the internet.
Common Breaches
- Emailing consumer names or other protected health information across the internet
- Giving out more information than minimally
- Discussing consumer information where others can hear
- *New regulations regarding breaches of information, created for citizen protection; see next slide
HITECH: Expansion of HIPAA
- American Recovery and Reinvestment Act (Stimulus Package): HIPAA Breach Notification Rule
- Breach: the acquisition, access, use or disclosure of unsecured PHI
- Determine whether a breach has occurred based on an assessment of the risk of financial, reputational or other harm to the individual
- If a breach is determined, the individual must be notified within 60 days. If more than one, you may need to notify the
- Annually, breach logs must go to HHS, and a client may ask to view their personal disclosure log
- All disclosures of PHI must be tracked and provided upon request to a client
Documenting and Reporting HIPAA
- Report to the Pines Recipient Rights Officer (Norma Wojack) or
- Report to the Privacy Officer (Cathie Sutton)
- Report to your supervisor or other internal personnel who would be responsible for ensuring compliance with HIPAA
