2013 FCSRMC HIPAA TRAINING Presented by Carol Crews, CMPE 1

Page 1: 2013 FCSRMC HIPAA TRAINING

Presented by Carol Crews, CMPE

Page 2: What is HIPAA?

Health Insurance Portability and Accountability Act (HIPAA) of 1996

• Congress called for the Department of Health & Human Services to develop standards and requirements for the electronic transmission of health information.
• Title II, the Administrative Simplification provision, provides legislation around privacy, security and electronic data.
• In a constantly changing environment, FCSRMC is committed to educating employees about healthcare information concerning HIPAA.

Page 3: Six Key Areas of HIPAA

• Standardization of Electronic Transactions & Code Sets
• Privacy
• Security
• National Provider Identifiers
• Electronic Signatures
• Electronic Medical Records

Page 4: What is a Covered Entity (CE)?

• A covered entity includes a health plan or payor (including government payors), a healthcare clearinghouse such as a billing service, or a healthcare provider such as a physician, hospital, or pharmacy. (Does not include Life, Worker’s Comp, Disability or Property and Casualty plans.)
• All healthcare providers who transmit any healthcare information in electronic form, which includes telephones, fax machines and computers, are considered covered entities.
• FCSRMC, acting as the covered entity, and its member colleges, acting as the plan sponsor, have undertaken fiduciary duties to the plan. A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA. This may include hospital and medical benefit plans, dental plans, vision plans, health flexible spending accounts and employee assistance plans.

Page 5: What is a Business Associate?

• Covered Entities (CEs) must have contracts with any third party or business associate who may have access to PHI while carrying out certain functions or activities on behalf of the college or covered entity. Business Associates include vendors, contractors and subcontractors of CEs.
• Business Associates are accountable for protecting the privacy and security of PHI and are directly liable for criminal and civil penalties for violations.
• Business Associates must notify the CE if they discover a data breach, and the notice must include the identity of each affected individual and any other information that the CE is required to include in its own breach notice.

Page 6: What is Protected Health Information (PHI)?

• Anything that connects a patient or employee/individual to his or her information
• Medical records and health data containing individually identifiable health information
• Names, identification numbers (social security number, address, phone number), medical records, physician’s personal notes, and billing information

Page 7: What is Individually Identifiable Health Information (IIHI)?

Any health information that is collected from the patient/individual, or created or received by a Covered Entity, that could potentially identify an individual, such as:

• the past, present or future physical or mental health or condition of an individual
• the provision of healthcare
• the past, present or future payment for the provision of healthcare by your college

Page 8: Examples of IIHI

• Names
• Geographic subdivisions smaller than a state (city, street address, county, precinct, zip code)
• All elements of dates (birth date, admission date, discharge date, date of death). Exception: years
• Telephone & fax numbers
• E-mail address
• Social Security Numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers

Page 9: Examples of IIHI

Other examples:

• Vehicle identifiers and serial numbers (including license plate numbers)
• Device identifiers and serial numbers
• URLs (Uniform Resource Locators)
• IP address numbers
• Biometric identifiers, including voice and fingerprints
• Full face photographic images
• Any other unique identifying number, characteristic, or code

Page 10: HIPAA’s Privacy Rule

HIPAA’s Privacy Rule covers the use and disclosure of PHI for:

• Individually Identifiable Health Information (IIHI) held or disclosed by a health plan, regardless of how it is communicated (electronically, verbally, or in writing)
• Information shared, examined, applied or analyzed by a covered entity that receives or maintains it
• Information that is disclosed when released, transferred, allowed to be accessed or divulged outside the entity
• Patient or employee/individual rights over health information

Page 11: Privacy Compliance

HIPAA's Privacy Rule is everyone's business, from the CEO to the maintenance staff. It protects our fundamental right to privacy and the confidentiality of our medical information.

Basically, the HIPAA Privacy Rule:

• Imposes restrictions on the use and disclosure of personal health information
• Creates new rights for individuals concerning their health information

Page 12: Consent and Authorization

• Covered entities cannot share PHI without the individual's awareness of their privacy rights.
• To use and disclose PHI for purposes other than treatment, payment and health operation purposes, Covered Entities must obtain a standard consent or authorization, with a few exceptions.
• Consent can be revoked by an employee/individual (patient) in writing.
• It is the policy of FCSRMC and its member colleges that individuals have a right to request that no disclosure be made of PHI. FCSRMC or its member colleges are not obligated to grant the request.

Page 13: Consent and Authorization

A summary of the Privacy Notice that is brief and written in plain language will be provided to the employee/individual. It will outline:

• How PHI will be used and disclosed
• The patient/employee's privacy rights, the date, and the patient or patient representative's signature
• A referral to the organization's Notice of Privacy Practices for the patient to review

This should be provided by the Group’s Health Plan TPA to the Group Health Plan participants.

Page 14: Consent and Authorization

Authorization:

• Can be requested for specific purposes
• For use/disclosure of PHI outside the health care facility for the continuum of care
• Generally, for reasons other than treatment, payment and health operation purposes
• Only covers the use/disclosure outlined in the form
• Must have an expiration date

Authorization forms must contain:

• Description of the PHI to be used/disclosed
• Name of the Covered Entity authorized to use/disclose
• The party to whom the PHI will be released
• Date, signature and expiration date

Page 15: Under what conditions can PHI be used or disclosed?

The individual who is the subject of the information:

• has authorized the use or disclosure
• has received the Notice of Privacy Practices developed and distributed by your third party administrator (TPA), thus allowing the use or disclosure, and the use or disclosure is for treatment, payment or health care operations
• agrees with the disclosure via the authorization form or a signed copy of this Privacy Policy, and the disclosure is to persons involved in the processing or assistance of health care claims
• is provided the disclosure for compliance-related purposes

Page 16: Under what conditions can PHI be used or disclosed?

• The use or disclosure is for one of the HIPAA “public purposes” (i.e. required by law, etc.)
• The information is disclosed for the purposes of a judicial or administrative proceeding, only when accompanied by appropriate documentation and directed to the TPA.
• Patient Health Information will never be utilized to make employment decisions (hiring, termination, promotion).

Page 17: Employee (patient) Rights

The Privacy Rule gives employees/individuals the right to:

• Review the Notice of Privacy Practices
• Review past access and request amendments
• Limit access to PHI: access is limited to people who need it for their specific job function, and only the minimum necessary to accomplish the assigned job function

Page 18: Employee (patient) Rights

The following requests should be directed to and processed by the Group’s Health Plan TPA:

• Request a review and/or amendment of the health record
• Restrict disclosures
• Have access to his/her own PHI
• Receive an accounting of PHI disclosures that have occurred outside the TPO (treatment, payment and operations) relationships

Page 19: Employee (patient) Rights

• File a written complaint if privacy is violated. Complaints should be directed to the college’s privacy contact, and any intimidating or retaliatory acts are prohibited.
• Know that their PHI is safeguarded to protect it from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule, through:
  ◦ Physical protection of premises and PHI
  ◦ Technical protection of PHI maintained electronically
  ◦ Administrative protection

Page 20: Enforcement of HIPAA Compliance

The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) has been assigned the authority to enforce the Privacy Rule. The OCR has several responsibilities:

• Investigating complaints it receives from individuals who believe that a Covered Entity is not complying with HIPAA privacy requirements
• Providing Covered Entities with assistance in order to achieve compliance
• Making determinations regarding exceptions to state law pre-emption

Any person or organization can file a complaint with OCR, but complaints typically must be filed within 180 days of the occurrence of an action in violation of the Privacy Rule.

Page 21: HIPAA Security Rule

Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.

The Security Rule:

• Focuses on requirements for safeguarding PHI in electronic form through policies, procedures and technology, in order to preserve the confidentiality, integrity and availability of electronic PHI.
• Mandates that PHI is concealed from people who do not have the right to see the information.
• Mandates integrity of data by ensuring information has not been improperly changed or deleted.

Page 22: Create PHI “Firewalls”

• Establish an “accounting” procedure to track uses and releases of PHI
• Limit access to only those employees that require it (“minimum necessary”)
• “Minimum necessary” use must identify the persons or classes of persons who need access to PHI to carry out their duties
• “Minimum necessary” use must identify the categories of PHI for each person or class of persons (job descriptions are one of the most common places to do this)
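The two controls on this slide, a per-class list of PHI categories and an accounting log of every use or release, can be expressed as a small policy check. The following is an added example, not code from the FCSRMC deck; the workforce classes, PHI categories and the sample record are constructed for illustration and are not FCSRMC policy.

```python
"""Minimum-necessary PHI release with an accounting log (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Categories of PHI each workforce class needs for its job function.
# Assumption: a constructed role matrix, not FCSRMC's actual job descriptions.
MINIMUM_NECESSARY = {
    "benefits_clerk": {"name", "plan_id", "coverage_dates"},
    "claims_processor": {"name", "plan_id", "coverage_dates", "claims"},
    "maintenance": set(),  # no PHI is needed for this job function
}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "plan_id": "PLAN-0001",
    "coverage_dates": "2013-01-01/2013-12-31",
    "claims": ["2013-03-04 office visit"],
    "diagnosis": "example-only",
}


@dataclass
class AccountingLog:
    """Tracks each use or release of PHI (the slide's 'accounting' procedure)."""
    entries: list = field(default_factory=list)

    def record(self, requester, role, purpose, fields_released):
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "requester": requester,
            "role": role,
            "purpose": purpose,
            "fields": sorted(fields_released),
        })


def disclose(record, requester, role, purpose, log):
    """Return only the PHI categories the requester's class needs, and log it.

    An unknown class gets nothing, and the empty release is still logged so
    the accounting procedure also captures denied requests.
    """
    allowed = MINIMUM_NECESSARY.get(role, set())
    released = {k: v for k, v in record.items() if k in allowed}
    log.record(requester, role, purpose, released.keys())
    return released


if __name__ == "__main__":
    audit = AccountingLog()
    print(disclose(SAMPLE_RECORD, "user1", "benefits_clerk", "eligibility", audit))
    print(audit.entries)
```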

Page 23: Threats to Your PHI and Your Company

• Current and former employees (malicious intent, curiosity, carelessness)
• Visitors
• Business Associates
• Hackers, criminals, terrorists
• Improper use or disposal of PHI

Page 24: Security Safeguards

• Ensure that security plans, policies, procedures, training and contractual agreements exist
• Establish an employee termination policy
• Security incident reporting system (report, respond, repair)
• Procedures that address staff responsibilities for protecting data
• Security safeguards that protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion
• The use of locks, keys, and administrative measures to control access to computer systems and facilities is also included

Page 25: Maintain Documentation

Maintain the following documentation for six years, unless a longer period applies:

• All necessary policies and procedures. Ensure changes to policies and procedures are not implemented until documented and appropriate persons are notified.
• Business Associate Agreements
• Patient Acknowledgement of Privacy Policies

Page 26: Maintain Documentation

• Authorization forms
• Notices and amended notices
• Training of employees
• Patient/employee complaints and their disposition (this must be documented on the complaint form and forwarded to FCSRMC)

Your organization must cooperate with an OCR investigation or compliance review should these occur.

Page 27: Medical Information – Personnel Records

In accordance with Section 112.0455, Florida Statutes (Drug-Free Workplace Act), drug screen results are confidential and exempt from disclosure under the public records law. However, the Americans with Disabilities Act (ADA) and HIPAA require that all medical documents be filed separately from personnel records. Medical information should be kept confidential and away from personnel records even if the company does not fall under ADA or HIPAA regulations. Medical paperwork that should be filed separately includes the following:

• Reports from pre-employment physicals
• Drug and alcohol testing results
• Workers' compensation paperwork
• Medical leave of absence forms
• Disability paperwork
• Insurance applications that reveal pre-existing conditions
• Anything that identifies a medical issue

Page 28: What is a Breach?

• A breach is an impermissible use/disclosure of PHI which poses a significant risk of harm, such as financial, reputational, or other harm.
• A Covered Entity (CE) that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured PHI must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed due to a breach.
• It is not a breach if there is a good faith belief that the disclosure was to an unauthorized person who would not be able to retain the PHI.
• It is not a breach if it is an unintentional acquisition or use, in good faith and in the course and scope of employment, by someone authorized to access PHI.

Page 29: Penalties under HIPAA

Improper use or disclosure of PHI can result in the following fines and/or imprisonment, as set forth under HIPAA:

• If the offender did not know, and by exercising reasonable diligence would not have known, that he/she violated the law: $100 - $50,000/violation for identical violations.
• If the violation was due to reasonable cause and not willful neglect: $1,000 - $50,000/violation for identical violations.
• If the violation was due to willful neglect but was corrected: $10,000 - $50,000/violation, and imprisonment up to 5 years.
• If the violation was due to willful neglect and was not corrected: $50,000 and imprisonment up to 10 years.

Maximum for all violations of a single standard in a year: $1,500,000.

Page 30: How important is it to you that your records remain private and confidential?

If records are placed in the wrong hands, it can negatively impact your personal safety, job security, or relationships.

• Do not share Personal Health Information without prior consent or authorization. Always ensure that the information is being sent to the correct person by never releasing information without referring to the consent or authorization.
• Use and disclose the minimum necessary to protect patient privacy.
• Remember, privacy is everyone's business. HIPAA is a federal law that all must abide by.

Page 31: Key Points

• Identify systems/areas that have covered data (paper and electronic)
• Secure your PHI (paper and electronic)
• Ensure your HIPAA policies and procedures are updated and that their location is known by all applicable staff
• Assign internal roles and responsibilities
• Encrypt data at rest / in transit

Page 32: Key Points

• Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.
• Maintain a separate employee health file.
• Keep all protected information in a limited access area and under lock and key.

Page 33: How Can Staff Help?

• Manage your password: do not write your password anywhere and do not share it with anyone
• Use workstations properly
• Know FCSRMC’s sanction policies
• Learn and follow the college’s policies and procedures
• Don’t leave information open and unattended
• Lock your computer, desk and file cabinets when you leave
• Use the shredder when destroying information

Page 34: We are HIPAA Compliant!