HIPAA Training and Education Series




Health Insurance Portability and Accountability Act (HIPAA) Program

Privacy Overview Training
PLEASE NOTE THE FOLLOWING IMPORTANT INFORMATION:

• The slides you will be viewing were
  developed for all DHR staff.
• Any laws or regulations regarding
  DMHDDAD consumer information that
  are more stringent do take precedence
  over the HIPAA standards.
• When in doubt, check it out!

                          Table of Contents

Lesson 1: Origin of the HIPAA Privacy Rules
Lesson 2: Protected Health Information (PHI)
Lesson 3: Permitted Uses and Disclosures of PHI
Lesson 4: Minimum Necessary Disclosure Standard
Lesson 5: Administrative Requirements and Obligations
Lesson 6: Rights of Individuals
Lesson 7: Summary

Lesson 1: Origin of the HIPAA Privacy Rules

“Banker who serves on a county health
board calls in all mortgages of
customers with cancer”

“Congresswoman’s medical records
faxed from an area hospital to the
media on the eve of her election”

“Hacker downloads medical records and
Social Security Numbers of over 5,000
patients at a local University Medical
Center”

“Employees at a health plan improperly
access private medical claims’
information of a famous athlete”

What is HIPAA Privacy?
• Health Insurance Portability and
  Accountability Act of 1996 (HIPAA)
• Improvement in healthcare systems
• Administrative Simplification
  Provisions
• Increased electronic transactions &
  general erosion of privacy in
  healthcare industry
• HIPAA Privacy Rules address how
  and to whom PHI may be disclosed
  by healthcare entities covered under
  the law.

Who Must Comply?

• Healthcare providers that transmit health information electronically in
  connection with a standard transaction (hospitals, physicians, nurses,
  Veterans Health Administration, etc.)
• Health plans (HMOs, PPOs, Medicare, Medicaid, etc.)
• Healthcare clearinghouses
• DHR

Who Must Comply? (continued)

• Business Associates (indirectly, through Business Associate Contracts
  with DHR; see Lesson 5)
• Trading Partners

Lesson 2: Protected Health Information (PHI)

What is Protected Health
Information?

• Individually identifiable health
  information (IIHI)
• Transmitted or maintained in any form
  or medium: electronic, paper or oral
• Examples of PHI include:
  –   Name, age, sex and other personal
      demographic information
  –   Health status information
  –   Prescription drug information
  –   Healthcare payment information
  –   Prior existing conditions

What is Protected Health Information? (continued)

•   Applies to health information
    transactions such as:
     –   Claim payments and remittance
         advices
     –   Provider claims and attachments
     –   Premium invoices and payments
     –   Eligibility information
     –   Authorization and referral
         certifications
     –   First report of injury

How is PHI disclosed
or transmitted?

• Telephone
• Fax Machine
• Internet/Intranet, Direct Dial-up
  Lines, Direct Data Entry and other
  EDI (Electronic Data Interchange)
• Orally
• Letters and Other Written Material

How is PHI stored?

•   Magnetic disk (hard disk, floppy
    disk, etc.)
•   Tape
•   Written or “hard copies” of
    medical records, enrollment
    forms, claim forms, beneficiary
    inquiries etc.

What is the importance
and value of protecting
health information?

• We all have the right to keep
  information about ourselves private
  and free from improper use or
  disclosure.
• In the electronic age, PHI may be
  more susceptible to privacy violations.
• If the healthcare industry is to
  progress, it is imperative that
  consumers feel assured that their PHI
  is safe and free from privacy
  violations.

Lesson 3: Permitted Uses and Disclosures of PHI

What Uses and Disclosures
of PHI Require an
Authorization?
• Disclosures to third parties not otherwise
  permitted by the rule
• Marketing and fund raising activities
• Disclosures to non-health-related affiliates
• Underwriting or risk rating activities
• Employment determinations
• Sale, rental or barter of PHI
• Most uses and disclosures of psychotherapy notes

What PHI Uses and Disclosures do
not Require an Authorization?

• Treatment, payment and healthcare
  operations (TPO)
• Public health agency activities
• Health oversight and regulatory agency
  activities
• Judicial proceedings and law enforcement
  investigations
• Healthcare fraud investigations
• Emergency situations
• Research purposes, where an IRB or privacy
  board has approved a waiver of authorization
  (or another research exception in the rule applies)
• Information that has been “de-identified”
  (identifiers removed so that it is no longer PHI)

Verification Procedures

• DHR must verify the identity and
  the authority of a person
  requesting access to PHI.
• DHR must secure documentation,
  statements or other
  representations, whether oral or
  written, from the person requesting
  the PHI.
• Staff may rely on professional judgment in
  deciding what verification is reasonable
  in the circumstances.

Lesson 4: Minimum Necessary Disclosure Standard

What does “minimum
necessary” mean?

•Making a reasonable effort not to
 use or disclose more than the
 minimum amount of information
 necessary to accomplish an
 intended task

Why is minimum
necessary so important?

• An individual has the right to
  expect that their PHI will remain
  secure and confidential.
• The more PHI is used or
  disclosed, the more likely it is to
  be revealed to third parties.
• Limiting the exchange of PHI to
  the “minimum necessary” reduces
  the potential of fraud and abuse.

How is minimum
necessary determined?

•DHR will determine who needs
 access to PHI and the amount of
 PHI needed per function.
•Varies by division and function
•DHR will evaluate each and every
 business activity requiring the use
 and/or disclosure of PHI.
•Once the minimum necessary is
 determined, DHR will communicate
 to all affected parties (employees,
 business associates, trading
 partners, etc.).

Responding to a request
 for the disclosure of PHI

• DHR will develop criteria that limit
  disclosures only to that necessary to
  comply with a specific request.
• Disclosure requests must be
  individually reviewed by employees
  according to the developed criteria.
• Ensure that only the minimum amount
  necessary is disclosed
• DHR may rely on a request as being the
  minimum necessary, rather than re-evaluating
  it, when the request comes from another
  covered entity, a public official or agency,
  a professional who is a business associate
  of DHR, or a researcher with appropriate
  documentation.

Lesson 5: Administrative Requirements and Obligations

What are the
administrative
requirements under
HIPAA Privacy?
•Privacy Official
•Privacy Training Program
•Safeguards
•Complaints
•Sanctions
•Documented Policies and Procedures
•Notice of Privacy Practices
•“Business Associate” Contracts

Privacy Officer

•DHR will designate a privacy
 official or officer
•Responsible for the development,
 implementation and maintenance
 of the privacy policies and
 procedures
•In addition, DHR will designate a
 contact person to receive and
 process privacy complaints and to
 provide further information about
 privacy practices

Privacy Training
Program
• DHR will train all members of its workforce
  on its privacy policies and procedures for
  PHI, as necessary and appropriate for their
  job functions.
• DHR will document that training
  has been provided.
• Training will be completed within specific
  timeframes: for new workforce members,
  within a reasonable period after they join;
  for existing workforce members, within a
  reasonable period after a material change in
  policies or procedures affects their duties.

Safeguards
•DHR will implement and maintain
 appropriate administrative,
 technical, and physical safeguards.
•DHR will safeguard PHI from any
 intentional or unintentional use or
 disclosure, or violation of the
 requirements of the regulation.
•Safeguards for PHI in electronic form are
 also a requirement of the HIPAA Security
 Rules.

Complaints

• DHR will develop and maintain a
  process for individuals to make
 complaints concerning:
    – Privacy policies and
      procedures;
    – Compliance with privacy
      policies and procedures ; and
    – Compliance with the Privacy
      requirements of HIPAA.

Sanctions
• DHR will have and apply appropriate
  sanctions against workforce members who
  fail to comply with its privacy policies and
  procedures or with the requirements of the
  HIPAA Privacy Rules.
• Sanctions that are applied will be
  documented.

Documented Policies and
Procedures
•DHR will develop and implement
 privacy policies and procedures
 with respect to PHI.
•Address DHR’s specific privacy
 practices as well as all of the
 elements of the HIPAA privacy
 rules
•DHR will change or update its
 policies and procedures as
 necessary and appropriate to
 remain in compliance.

Notice of Privacy
Practices
•DHR employees will provide
 individuals with a Notice of Privacy
 Practices.
•Notice must be in plain language.
•DHR will revise Privacy Notice with
 any material change to DHR’s
 privacy practices.
•Direct treatment providers will
 make a good faith effort to obtain
 the patient's written
 acknowledgement of the Notice of
 Privacy Practices and rights.

Business Associate
Contracts
•Business Associates are persons or entities
 that perform functions or services on behalf
 of DHR that involve the use or disclosure of
 PHI.
•Business Associates must comply with
 HIPAA, indirectly, through mandated
 Business Associate Contracts with
 DHR.
•Business Associate Contracts allow
 DHR to obtain satisfactory assurance
 that the Business Associate will
 appropriately safeguard PHI.
•If DHR becomes aware of a pattern of
 activity or practice of the Business
 Associate that constitutes a material breach
 of the contract, DHR must take reasonable
 steps to cure the breach or end the violation.
 If those steps are unsuccessful, DHR must
 terminate the contract if feasible and, if
 termination is not feasible, report the
 problem to the Secretary of DHHS.

Lesson 6: Rights of Individuals

What are the Rights of
Individuals Under HIPAA
Privacy?

• Certain uses and disclosures of PHI are
  permitted only with authorization.
• Request privacy protection for PHI
• Confidential communications regarding
  PHI
• Access to PHI
• Amendment or correction of PHI
• Accounting of PHI disclosures

Uses & Disclosures
 Permitted Only with an
 Authorization

• Individuals have the right to
  expect that certain uses and
  disclosures of their PHI will be
  permitted only with an
  authorization.
• An authorization is not valid unless it is
  in writing, dated, and signed by the
  individual in question (or his or her
  personal representative).

Request Privacy
 Protection for PHI
Individuals have the right to request
 that DHR restrict:
• Uses and disclosures for treatment,
  payment and healthcare operations
  (TPO), and
• Disclosures permitted for involvement
  in the individual’s care and notification
  purposes.

DHR does not have to agree to the
 request, but must have procedures in
 place to process requests. If DHR does
 agree to a restriction, it must honor it,
 except where the restricted PHI is needed
 to provide emergency treatment.

Confidential
 Communications
 Regarding PHI

• Individuals have the right to
  confidential communications regarding
  their PHI.
• DHR must accommodate reasonable
  requests by individuals to receive
  communications of PHI by alternative
  means or at alternative locations.
• Health plans must accommodate such a
  request when the individual states that
  disclosure of all or part of the PHI could
  endanger the individual.

Access to PHI
• Individuals have the right to inspect and
  obtain a copy of their PHI in a designated
  record set, that is, the records DHR uses
  to make decisions about them.
• DHR must act on a request for access
  within the Privacy Rule’s timeframe
  (generally 30 days).
• HIPAA’s six-year retention requirement
  applies to the documentation the Privacy
  Rule requires (policies and procedures,
  notices, authorizations, accountings), not
  to the medical record itself, whose
  retention period is set by other applicable
  law.
• Exceptions include psychotherapy notes
  and information compiled in reasonable
  anticipation of, or for use in, a civil,
  criminal or administrative action or
  proceeding, etc.

Amendment or Correction
of PHI
•An individual has the right to
 amend or correct his or her PHI in
 a designated record set (e.g.
 medical record) for as long as the
 covered entity maintains the
 information.
•DHR may deny a request to amend on the
 grounds the rule specifies (for example,
 that the PHI is accurate and complete, or
 was not created by DHR), but must act on
 the request within the required timeframe
 (generally 60 days), give any denial in
 writing, and allow the individual to submit
 a statement of disagreement.

Accounting of Disclosures

•An individual has the right to receive an
 accounting of PHI disclosures made in
 the six years prior to the request.
•Exceptions include disclosures for
 treatment, payment and healthcare
 operations, disclosures to the
 individual, for national security
 purposes, etc.
•A written accounting of such disclosures
 must include, for each disclosure, the date
 of the disclosure, the name (and, if known,
 the address) of the person or entity who
 received the PHI, a brief description of the
 PHI disclosed, and a brief statement of the
 purpose of the disclosure.

Lesson 7: Summary

What are the Penalties for
Non-Compliance?

•Violation of HIPAA Privacy Rules may
 lead to both civil and criminal penalties.
•Civil penalties: $100 per violation, up to
 $25,000 for multiple violations of the
 same requirement during a calendar year.
 (These are the figures under the original
 statute; the HITECH Act of 2009 replaced
 them with a tiered schedule that raised
 the caps substantially, to $1.5 million per
 provision per year before inflation
 adjustment.)
•Criminal penalties for knowingly obtaining
 or disclosing PHI in violation of the law:
 up to $50,000 and one year in prison; up to
 $100,000 and five years if the offense is
 committed under false pretenses; and up to
 $250,000 and ten years if committed with
 intent to sell the information or to use it
 for commercial advantage, personal gain or
 malicious harm.

The Importance of Privacy
•HIPAA Privacy Rules address how and
 to whom protected health information
 may be disclosed.
•The increased use of electronic
 transactions of health care data and the
 general erosion of privacy necessitate
 minimum standards for the privacy of
 PHI.
•HIPAA Privacy Rules intend to assure
 individuals that their PHI will remain
 private and free from improper use or
 disclosure.

Covered Entities

“Covered entities” generally
   include:

•   Healthcare providers
•   Healthcare payers
•   Healthcare clearinghouses

Protected Health
Information (PHI)
•PHI is any and all individually
 identifiable health information.
•PHI may be in electronic, paper-
 based, or oral form.
•Includes PHI that is stored as well
 as disclosed by a covered entity

Permitted Uses and
 Disclosures
• Treatment, payment, and other
  standard healthcare operations
  (TPO) do not require an
  authorization.
• Disclosures to a third party,
  disclosures for employment
  determinations, the sale, rental or
  barter of PHI, and other such uses
  and disclosures are not permitted
  without a signed authorization.

Minimum Necessary
Disclosure Standard
•Must make a reasonable effort not to
 use or disclose more than the minimum
 amount of information necessary to
 accomplish an intended task.
•Minimum necessary does not apply to
 disclosures to, or requests by, a healthcare
 provider for treatment; uses or disclosures
 made to the individual; uses or disclosures
 made under a valid authorization;
 disclosures to the Department of Health and
 Human Services (DHHS); disclosures
 required by law; and uses or disclosures
 required for compliance with the HIPAA
 rules. Payment and healthcare operations
 are not exempt: the standard applies to
 them.

Administrative
 Requirements and
 Obligations

• Requirements and obligations
  include:

    –   A Privacy Official
    –   A Privacy Training Program
    –   Administrative, Technical and Physical
        Safeguards
    –   A Complaints Process
    –   Sanctions for Violations of Privacy
    –   Documented Policies and
        Procedures
    –   A Notice of Privacy Practices
    –   “Business Associate” Contracts

Rights of Individuals

•Certain uses and disclosures of PHI
 permitted only with authorization
•Request privacy protection for PHI
•Confidential communications
 regarding PHI
•Access to PHI
•Amendment or correction of PHI
•Accounting of Disclosures of PHI
FOLLOW THESE DIRECTIONS TO RECEIVE CREDIT

• ENSURE YOU VIEW THE HIPAA 101 PRESENTATION

• ENSURE YOU COMPLETE THE COMPETENCY
  EXAM AND SEND TO HRD

• ENSURE YOU COMPLETE AN IN-SERVICE TRAINING
  ROSTER AND SEND TO HRD