HIPAA

03/26/22

Quick guide about the HIPAA law

  • References
    The HIPAA Program Reference Handbook, Ross Leo (editor), ISBN 0-8493-2211-1
    Business Continuity and HIPAA: Business Continuity Management in the Health Care Environment, Jim Barnes, ISBN 1931332258

  • HIPAA: The Health Insurance Portability and Accountability Act of 1996

  • Background: Congress was concerned about:
    Electronic transmission of information
    Information crossing state lines with different laws
    Reports of violations of privacy in certain industries
    The volume of information available
    Loss of privacy during transmission of health information
    Efficiency and simplicity in health care system communications

    Required the U.S. Department of Health and Human Services (DHHS) to adopt national standard formats for transmitting health information electronically

  • Some incidents before HIPAA
    An Atlanta truck driver lost his job in early 1998 after his employer learned from his insurance company that he had sought treatment for a drinking problem.

    The late tennis star Arthur Ashe's positive HIV status was disclosed by a healthcare worker and published by a newspaper without his permission.

    Tammy Wynette's (American country music singer and songwriter, died 1998) medical records were sold to the National Enquirer by a hospital employee for $2,610. (www.patientprivacyrights.org)

  • HIPAA: Federal law
    Designed to protect the privacy of individually identifiable patient information

    Provides for the electronic and physical security of health and patient medical information

    Simplifies billing and other electronic transactions through the use of standard transactions and code sets (billing codes), improving efficiency

  • What are the goals of HIPAA?
    Create a uniform floor for privacy protection
    Ensure security and privacy of individual health information
    Establish security standards for health care information systems
    Define roles and responsibilities to comply with HIPAA
    Increase patient rights and inform people of their rights
    Provide continuity and portability of health benefits to individuals between jobs
    Provide measures to combat fraud and abuse in health insurance and health care delivery (Accountability)
    Reduce administrative expenses in the healthcare system; administrative costs have been estimated to account for nearly 20% of healthcare costs

  • HIPAA applicable to: Covered Entities (CE)
    Health care providers who transmit information electronically: physicians, hospitals, or any other provider who has direct or indirect patient contact
    Health plans: insurance companies or similar agencies that pay for health care
    Health care clearinghouses: companies that facilitate the processing of health information for billing purposes

  • Health information usage flow
    Health information is used by multiple agents in the course of a single episode with a health problem. Below are some of the agencies and individuals who may handle health information:

    Admitting clerks, caregivers from the ED to the morgue, physical therapists, nutritionists, lab personnel, receptionists in MD offices, transport techs, respiratory therapists, billing clerks, insurance agents/clerks, school teachers/nurses, home health personnel, medical records clerks, website managers

  • PHI: Protected Health Information
    Asset: health information about a patient
    Individually identifiable information
    Physical or psychological status of an individual, whether past, present, or future, that is created, collected, or otherwise in the care of a functional entity such as a health plan, provider, school, university, or other entity, and relates in any way to provision of care or payment for that care, regardless of timeframe
    In any form: written, oral or electronic
    PHI should be shared only with agencies and individuals who have a need for the information
    Limits many uses and disclosures of health information to the minimum necessary amount needed for the task

  • Examples of PHI
    Name, photograph, date of birth
    Social Security Number, passport no.
    Physical and mental condition: past history of a condition, present condition, plans or predictions about the future of a condition
    Health information from the record: who provided care, what type of care was given, where care was given, when care was given, why care was given

  • Examples of PHI
    Individual's healthcare payments (billing forms): who was paid, what services were covered by the payment, where payment was made, when payment was made, how payment was made
    Address, telephone number, FAX, e-mail
    Admission date/information, medical record number
    Fingerprints, health status, diagnosis
    Clinical records

  • When is Health Information considered identifiable?
    If the information is accompanied by one or more identifiers that identify or could be used to identify an individual, such as:
    Name
    Address, phone number, fax number, e-mail address
    Birth date
    Admission or treatment dates
    Social Security number
    Medical record number or health plan beneficiary number

  • When is Health Information considered identifiable?
    ...or these individual demographic examples:
    License or certificate numbers
    Vehicle license number
    Medical device serial number
    Web (URL) address
    IP address
    Biometric identifier (fingerprint, iris scan, etc.)
    Full-face photographic images (new baby photos on bulletin boards)

  • What are permitted uses of PHI?
    Treatment (patient care): activities directly related to providing, coordinating, or managing the healthcare of patients

    Payment: administrative activities associated with billing and reimbursement

    Health care operations: most other activities in support of core functions

  • Business Associate
    Vendors, contractors or other non-workforce members (any 3rd-party entity) doing work for a CE where the work involves use/disclosure of Protected Health Information (PHI)
    A CE can be a business associate of another CE
    The CE is required to subject them to the HIPAA privacy and security requirements through contract language

  • Business Associate
    This requirement applies to companies or persons who conduct, for example, the following activities or functions:
    Use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and re-pricing; or
    Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to, or for, the CE, when provision of the service involves the disclosure of individually identifiable health information
    As per HITECH, HIEs, Regional Health Information Organizations (RHIOs) and eRx gateways that provide data transmission of PHI and require routine access to PHI are BAs and must enter into BAAs with the CEs

  • Who are BAs?
    Insurance brokers
    Third party administrators
    Wellness companies
    Lawyers
    Consultants
    Accountants
    Vendors, i.e. copy services, software and hardware
    Management, billing and staffing companies
    Medical directors
    Agents

  • Privacy & Security in HIPAA
    Very close, intertwined relationship between the two
    Mission of any IS program: preservation of C.I.A. (confidentiality, integrity, availability)
    Privacy is the goal, and Security, in all its forms, is the tool to achieve it
    Security is that set of mechanisms, controls, and practices that is employed to ensure that privacy (confidentiality) of health information is gained and maintained in accordance with the statutes

  • HIPAA Rules
    Privacy and security are addressed separately under two distinct rules under HIPAA
    The Privacy Rule sets the standards for how protected health information should be controlled: it defines who is authorized to access information and includes the right of individuals to keep information about themselves from being disclosed
    The Security Rule defines the standards that require covered entities to implement basic safeguards to protect electronic protected health information (ePHI)
    Security is the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss

  • Roles & Responsibilities
    Two specific individuals are defined under Subsection 164.530, Administrative Requirements, of the Privacy Rule, with specific roles and responsibilities in HIPAA
    Roles: Chief Security Officer, Chief Privacy Officer
    Each of these roles must act in accordance with the requirements of the regulation to assure policy definition, awareness education, implementation, monitoring, and enforcement to achieve and maintain compliance in relation to Protected Health Information (PHI)

  • Chief Security Officer
    In 164.308 of the Act, the regulation states that:
    (a)(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity
    In charge of ensuring that the entity's security and information risk management programs are well designed, thorough, and effectively address the real operational risks and threats it faces

  • Chief Privacy Officer
    The Act itself reads as follows:
    (a)(1) Standard: personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity
    It is preferred that the person be from the legal dept.; otherwise a senior officer is designated as CPO
    The CPO should seek to have all members appropriately trained
    Provides input and draft review of the materials to ensure that all relevant points cover safeguarding PHI

  • Chief Privacy Officer
    The CPO must ensure that training is developed and provided, and that only the most current version of a given P (policy, process or procedure) is in active circulation
    The CPO does not necessarily have to understand the technical safeguards' functioning at a deep level, but if he does, it's better
    The CPO must understand completely what the particular technology or mechanism does to protect sensitive information, how effective it is at doing that, who is responsible for it, what monitoring and reporting functions it provides (if any), and what the outcome or backup plan is should the device fail to do its job correctly

  • Training Requirements
    The Act recognizes that people cannot, as a practical matter, be held accountable for violations of such a complex regulation if (a) they are not informed of the contents of the Act itself; (b) they are not trained in the three Ps: policies, processes, and procedures; (c) they are not provided the criteria and process for achieving and maintaining compliance; and (d) they are not given a clear grasp of the penalties for violations
    The Act includes training requirements for all persons that work for a given covered entity

  • Training Requirements
    It could be reasonably assumed that not all members of the entity's workforce are expected to come in contact with PHI
    Consideration must be given to the chance encounter with PHI: they must know precisely what to do and whom to see about it
    The standard itself reads:
    (b)(1) Standard: training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity

  • Training Requirements
    The Act calls for three types of training to effectively implement the requirements of the standard:
    (2)(i)(A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
    (2)(i)(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
    (2)(i)(C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section

  • Training Requirements - Types
    Type 1: Practice. Organization-wide general awareness training. Ensures all workforce members are informed about the Act and its portent no later than the compliance date for that entity.
    Type 2: New employee orientation. Covers roughly the same material as the general awareness training. Most significant difference: the coverage given in this venue to the in-place policies, processes, and procedures used by the entity to implement and enforce the Act, and to monitor personnel and institutional compliance.
    Type 3: Annual refresher. HIPAA is amended, enhanced or even rewritten from time to time. Intends to capture the significant points of such actions and communicate them to the workforce members. New versions would be presented during these sessions.

  • Training Follow-Through
    The process includes two basic aspects: review of personnel performance and violation reports, and review of the training itself with respect to personnel findings and the regulation

    The two used in conjunction provide evidence that the training is indeed effective (or not), and how well it assists (or does not) personnel in avoiding violations

    Opportunities to discuss compliance with employees, clarify directions, answer specific questions, and correct inappropriate behavior

  • Documentation Requirements
    Requires substantial documentation of each activity described in the regulations
    Vital part of the overall assurance process
    Provides the necessary basis for monitoring and auditing, as substantive proof for internal and external reporting
    For example, training should be documented, recording at a minimum:
    Identification of the workforce member (name, number, etc.)
    Date and location of the training
    Type of training given
    Name of trainer
    Signed and dated by employee
    Signed and dated by employee's manager

  • Documentation: HIPAA Security Policy
    The HIPAA Security Rule includes the policies, procedures, and documentation requirements. This requirement includes two standards:
    1. Policies and procedures standard: required to comply with the standards and implementation specifications; the standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart

    2. Documentation standard: maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; the implementation specifications of the documentation standard are: Time limit (Required); Availability (Required); Updates (Required)

  • Safeguards for PHI
    The standard reads:
    (c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information
    (2) Implementation specification: safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart

  • Administrative Safeguards
    Policies, Processes and Procedures
    Defines the basis and sets the boundaries for: how the program will be conducted; what the responsibilities are and for whom; what procedures are to be followed under given circumstances
    In terms of compliance, this is likely to be the most troublesome area, as it is active at every moment, it is largely paper-based (meaning form- and instructions-driven), and has the most human involvement
    The most current version of a given P should be in active circulation and use
    All documents are reviewed periodically to ensure no violations, and routine spot checks are performed to double-check adherence by the workforce

  • Technical Safeguards
    Electronic or mechanistic measures such as combination keypads on doors, closed-circuit camera systems, password controls on system access, passwords or PINs for sensitive files, etc.

  • Physical Safeguards
    Measures taken with respect to the premises, storage containers, rooms, and the like, wherein the PHI is kept
    Examples: security guards, lockable storage containers, access control lists (paper or electronic), identification badges, and other such items that control access to the PHI or the system that stores it

  • Text of HIPAA, 45 CFR 164: Security Requirements
    See in more detail later; this is just a preview

  • INCORPORATING HIPAA INTO ENTERPRISE SECURITY PROGRAM

  • Meeting HIPAA Security requirements
    Gaps between current practices and the practices required for HIPAA security and privacy compliance related to personal health information present both risks and challenges to organizations

    These changes must be addressed and implemented to meet the HIPAA security requirements

    Compliance plans that need to be developed and implemented are:

  • HIPAA Compliance Checklist
    1. Have you formally designated a person or position as your organization's privacy and security officer?
    2. Do you have documented privacy and information security policies and procedures?
    3. Have they been reviewed and updated, where appropriate, in the last six months?
    4. Have the privacy and information security policies and procedures been communicated to all personnel, and made available for them to review at any time?

  • HIPAA Compliance Checklist
    5. Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers?
    6. Have you done a formal information security risk assessment in the last 12 months?
    7. Do you regularly make backups of business information, and have documented disaster recovery and business continuity plans?

  • HIPAA Compliance Checklist
    8. Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices?
    9. Do you require information, in all forms, to be disposed of using secure methods?
    10. Do you have a documented breach response and notification plan, and a team to support the plan?

  • Compliance Plans 1
    Compiling an inventory of the individually identifiable electronic health information that the organization maintains, including secondary networks that are comprised of information kept on employees' personal computers and databases and are not necessarily supported by the organization's IT department
    Conducting risk assessments to evaluate potential threats that could exploit the vulnerabilities to access protected health information within the organization's operating environment
    Developing tactical plans for addressing identified risks

  • Compliance Plans 2
    Reviewing existing information security policies to ensure they are current, consistent, and adequate to meet compliance requirements for security and privacy
    Developing new processes and policies and assigning responsibilities related to them
    Educating employees about the security and privacy policies
    Enforcement and penalties for violations
    Reviewing existing vendor contracts to ensure HIPAA compliance
    Developing flexible, scalable, viable solutions to address the security and privacy requirements

  • HIPAA Violations
    Impact on business arrangements: noncompliance may have an impact on business partner relationships that your organization maintains with third parties
    Damage to reputation: noncompliance can lead to bad publicity, lawsuits, and damage to your brand and your credibility
    Violations of the provisions of the Privacy Rule can result in civil penalties with fines of up to $250,000 and up to 10 years in prison
    Loss of employee trust: if employees are concerned about unauthorized use of their health-related information, they are likely to be less candid in providing information and more inclined to mislead employers or health professionals seeking health information

  • Enterprise Security and PHI
    HIPAA privacy regulations apply to PHI in any form
    HIPAA security regulations apply to electronic PHI

    An organization's approach to HIPAA security regulations can effectively leverage the assessment information gathered and business processes developed during the implementation of HIPAA privacy regulations to support a consistent enterprise-wide approach to its enterprise security projects

  • Building a Security Decision Framework

  • Issues and Considerations for BCP under HIPAA

  • DHHS wants...
    During a disaster, many privacy and security initiatives may become ineffective or disabled

    This is true no matter the nature of the disaster, whether it is natural (tornado, hurricane, earthquake, etc.), intentionally man-made (war, act of terrorism, hacking, etc.), or accidental (power outage, equipment failures, software errors, etc.)

    For this reason, the Department of Health and Human Services (DHHS) requires organizations that handle private health information to implement a business continuity plan

  • The Act states that organisations that...
    "...maintain or transmit health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards."

    Among the safeguards mentioned is "protecting against any reasonably anticipated threats or hazards to the security or integrity of the information..."

    A contingency plan may involve highly complex processes in one processing site, or simple manual processes in another. The contents of any given contingency plan will depend upon the nature and configuration of the entity devising it.

    "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information." (142.308 Security Standard)

  • The Act requires organisations to...
    Develop a data backup plan, a disaster recovery plan, and an emergency mode operation plan. It does not provide specifics on what needs to be incorporated into any of these plans

    HIPAA states that contingency plan testing and revision procedures are addressable

  • HIPAA Dos and Don'ts
    Treat all patient information as if you were the patient. Don't be careless or negligent with PHI in any form, whether spoken, written or electronically stored

    Shred or properly dispose of all documents containing PHI that are not part of the official medical record. Do not take the medical record off University property. Limit the PHI you take home with you

    Use automatic locks on laptop computers and PDAs and log off each time you use a computer. Do not share passwords. Purge PHI from devices as soon as possible

  • HIPAA Dos and Don'ts
    Use secure networks for e-mails with PHI and add a confidentiality disclaimer to the footer of such e-mails. Do not share passwords

    Set a protocol to provide for confidential sending and receipt of faxes that contain PHI and other confidential information

    Discuss PHI in secure environments, or in a low voice so that others do not overhear the discussion

  • HIPAA TITLES

  • HIPAA Titles (Sections)
    Title 1: Insurability and Portability
    Title 2: Administrative Simplification
    Title 3: Tax Implications
    Title 4: Group Health
    Title 5: Revenue

  • Title 2: Administrative Simplification
    1. Electronic Health Transaction Standards and Code Sets
    2. Privacy and Confidentiality Standards
    3. Security and Electronic Signature Standards
    4. Unique Identifiers

  • 1. Electronic Health Transactions: Standards and Code Sets
    All payers, providers and clearinghouses using electronic healthcare transactions must use a national standard format. The Act designates standards for 10 specific transaction sets (e.g. 835 Payment, 837 Claim)

    Health organizations also must adopt a set of industry standard codes to be used with transactions. Various coding systems are already in use to identify diseases, injuries and other health problems (as well as their causes, symptoms, and actions taken)

  • 2. Privacy and Confidentiality
    This rule protects the privacy of information related to an individual's health, treatment, or healthcare payment.

    Limits the use of individually identifiable health information, sent or stored in any format (electronic, paper, voice, etc.), without patient authorization

    Business partners who receive, store or have access to individually identifiable health information must ensure the privacy of the records

    Patients may have access to their own medical records

    The Rule's federal privacy standards do not replace other federal, state, or local laws if those laws provide more privacy

  • 3. Security of Health Information & Electronic Signature Standards
    A uniform level of security for all health information that is housed or transmitted electronically and pertains to an individual

    Organizations who use electronic signatures will have to meet a standard ensuring message integrity, user authentication, and non-repudiation

  • 4. Unique Identifiers for Providers, Employers, and Health Plans
    The current system allows for multiple ID numbers assigned by different agencies and insurers. HIPAA sees this as confusing, conducive to error, and costly. It is expected that standard identifiers will reduce problems.
    HIPAA sets a standard identifier for: providers, claims payers, employers
    Identifier likely to be eliminated: Unique Patient Identifier

  • PRIVACY RULE

  • PRIVACY CASE EXAMPLES
    A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
    A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplinger's, February 2000).
    An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).
    The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
    A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).

  • PRIVACY CASE EXAMPLES
    A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy database included names, addresses, social security numbers, and a list of all the medicines the customers had purchased (The New York Times, April 4, 1997 and April 12, 1997).
    A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients (New York Times, August 14, 1991).
    In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women (ACLU Legislative Update, April 1998).

  • PRIVACY CASE EXAMPLES
    A banker who also sat on a county health board gained access to patients' records, identified several people with cancer and called in their mortgages (National Law Journal, May 30, 1994).
    A physician was diagnosed with AIDS at the hospital in which he practiced medicine. His surgical privileges were suspended (Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 597).
    A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt (New York Times, October 10, 1992, Section 1, page 25).
    A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression (Los Angeles Times, September 1, 1998).

  • What do the Privacy Rules require?
    Enhanced security and privacy protection for protected health information
    Patient rights and privacy notice
    Policies and procedures
    Discipline for breaches and violations
    Training

  • The Privacy Rule protects PHI
    Minimum Necessary Rule for PHI: only the degree of information required should be released.

    No Minimum Necessary restriction on release of information for treatment purposes
    Written patient authorization is not required for purposes of treatment, payment, or healthcare operations

  • Treatment
    Provision of health care

    Coordination of health care among providers

    Referral of patient from one provider to another

    Coordination of care or other services with third parties

    Appointment reminders

  • Payment
    Determining coverage of health benefit claims

    Billing, claims processing

    Review of health care services with respect to medical necessity, coverage, appropriateness

    Utilization review activities

  • Health Care Operations
    Quality assessment and improvement
    Legal services
    Research
    Evaluating performance of health care professionals
    General administrative functions
    Hospital directory
    Audits

  • Training future health care professionals: the students
    Students need to have a general knowledge of the Privacy Rule
    Also need to know the policies and procedures of the institution and/or agency in which they are serving clinical rotations
    Students need to review the Privacy Notice and the site-specific procedures on rotations
    Should never remove any PHI from premises under any circumstances
    If it's not covered in orientation, ASK.

  • Research
    Not considered treatment, payment or operations

    Use and disclosure of PHI for research purposes is clearly permissible

    The Common Rule also applies

  • Remember
    Professionals already have an ethical responsibility to respect the confidentiality of patients

    Professionals have a legal responsibility to respect the privacy of patients (except when compelled to disclose; stay tuned)

    This is one more rule to the same effect: respect privacy!

  • When can you disclose information?
    When the patient gives you consent to do so

    When the patient's representative gives you consent

    When you receive a subpoena to produce the record

    When you are required to do so

  • Other Disclosures
    Those required by law: child abuse, dependent adult abuse, wounds of violence

    Public health activities, health oversight

    Organ donation

    Avert threats to public health or safety

    Workers compensation (statutory)

  • *Also permitted.Disclosures to the FDAPublic Health registry activitiesInfectious disease reportingLaw enforcementSpecial investigations

  • *Research:Research is not treatment, payment or operationsIf you are a researcher AND a provider, you must get appropriate authority for use of PHI in researchPatient authorization or a waiver from the IRB

  • *Patient Rights under Privacy Rule:Privacy notice (Notice of Privacy Practices)informs patients of their rights and how to exercise themRequest restrictionson how entity will communicate with the patient or release information Access to medical RecordPatients may request to inspect their medical record and may request copies. Amend/correct record (PHI)Notice describes how to file a request for an amendment or addendum.

  • *Patient Rights under Privacy Rule:Accounting of disclosuresPatients have the right to receive an accounting of disclosures of their PHIFile a complaintif they think that privacy rights have been violated Confidentiality of PHIConfidential communicationsOpt outfundraising, notice to family,Opt out facility directory and media

  • *Patient AuthorisationPatient Authorization is required for ALL uses and disclosures EXCEPT those for treatment, payment, or healthcare operations.HIPAA provides some additional instances where patient authorization is not required:Releases to health oversight agenciesFor law enforcement purposesFor judicial proceedingsWhen otherwise required by law

  • A Personal Representative is

    A parent of a child

    A family member or next of kin

    A legal guardian

    A person with Power of Attorney

  • Confidentiality

    Access to PHI on a need-to-know basis

    Never share PHI unless necessary for care (minimum necessary)

    A billing clerk might only need to see a specific report to determine the billing codes. An admissions staff member may not need to see the medical record at all, only an order form with the admitting diagnosis and identification of the admitting physician.

    Only access and use the patient information that you need to do your own job.

    Dispose of PHI properly and confidentially

    Report breaches of confidentiality to the Privacy Officer

    Inadvertent disclosures happen in casual communications: lunch, bus, elevator

  • Confidentiality

    Do you let a staff member who is the patient's next-door neighbor look at a record?

    Do you let a basketball fan check an athlete's progress?

    Do you let a staff member look up a parent's next appointment on a computer?

    Do you allow a student to peek at a roommate's record?

  • Notice of Privacy Practices (NPP)

    Patients have the right to receive a notice of privacy practices

    Written document informing patients how their PHI will be used or disclosed

    Given to patients at the first encounter (first time of service delivery)

    Given once

    Acknowledgement that the notice was received must be documented

  • Privacy Notice

    Describes how medical information is used and disclosed

    Summarizes patients' rights

    States who the patient can contact with questions

    Directs the patient where to take a complaint

  • Privacy Notice: Basics

    Patients can restrict what is told to others

    Patients can opt out of having information included in the patient directory

    Patients can receive information at an alternate address

    Patients can request changes to their record

    Patients can inspect their record

    Patients can ask who has had access to their record

    Patients can file a complaint

  • Institutional Responsibilities

    Assure that patients receive and acknowledge the privacy notice

    Train staff and students in the Privacy Rule

    Have policies and procedures for patients to exercise their rights

    Monitor compliance, respond to concerns, solve problems, answer questions

  • Individual Responsibilities

    Access only the information necessary to do your job

    Treat patient information the way you would want your information treated

    Make suggestions to improve the system

    Report breaches

    Recognize privacy as an element of excellent care

  • The high-risk information

    Mental health treatment and diagnosis

    HIV and infectious disease status

    Substance use history and treatment

    Emergency treatment information

    Diagnosis and prognosis

    Anything having to do with high-profile people

  • The high-risk transactions

    Any casual discussion that includes enough information to identify the patient

    Any discussion that can be overheard

    Any discussion that is disrespectful

    Any discussion that is out of context (at lunch, at home, on the bus, etc.)

    Any discussion with someone who is not bound to maintain confidentiality

  • Practical issues: Telephone communications

    Make sure they are not overheard

    Be sure you are talking to the right person

    Some disclosures should only be made in person

    Document who you talked to and what was disclosed

  • Practical issues: Fax communications

    Check the number before sending the fax

    Make sure it is received and has a cover sheet with the name on it

    Document that the information was sent and received

    Again, some things should be communicated in person

  • Practical issues: E-mail

    Make sure you have the right address and the right person

    The e-mail should contain a disclaimer

    E-mail should be used very carefully and only in conjunction with security procedures

  • Other issues: Disposal of records, notes, etc.

    Should be shredded and disposed of separately

    Voicemail? Only if the information is not identifiable ("reminding you of your appointment on Tuesday, call with questions")

  • Accounting of disclosures

    You will need to keep track of disclosures that are unrelated to treatment, payment or operations. Patients have a right to ask for these for 6 years after the effective date of the rule (but not prior to it).

  • The consequences

    A patient complaint to the institution

    An investigation

    Disciplinary action against you: more training, warning, suspension, termination

    Or a complaint to the OCR

    An investigation

    A sanction against the hospital (fine)

    And possible sanctions against you

  • The bottom line

    We must be in compliance with the Privacy Rule

    We must work together to achieve the goal of protecting PHI because it is important, and

    We must resolve questions in a way that assures that the important missions of the University are carried out.

  • Conclusion

    Confidentiality and protection of information is an element of excellent care

    Privacy protection is a legal and ethical responsibility

    We must be in compliance with the rules because it is the right thing for clients and it is our responsibility as professionals

    Questions?

  • SECURITY RULE

  • Purpose

    To ensure the confidentiality, integrity and availability of all electronic protected health information (ePHI) that is created, received, maintained or transmitted by the covered entity

    To protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI

    To protect against any reasonably anticipated uses or disclosures of ePHI

    To ensure compliance by its workforce

  • What does HIPAA require for Security?

    Security = controls + counter-measures + procedures

    Ensures the appropriate protection of information assets and controls access to valued resources

    Minimizes the vulnerability of assets and resources

    Under HIPAA, secure all access to electronically stored and transmitted protected health information (ePHI)

  • Security Rule: Three sets of requirements (safeguards for information maintained in electronic form)

    Physical safeguards

    Technical safeguards

    Administrative safeguards

  • Text of HIPAA, 45 CFR 164: Security Requirements

  • SEC.09 Security Incident Procedures .308(a)(9): HIPAA Requirement

    (Formal documented instructions for reporting security breaches) that include all of the following implementation features:

    1. Report procedures (documented formal mechanism employed to document security incidents).

    2. Response procedures (documented formal rules or instructions for actions to be taken as a result of the receipt of a security incident report).

  • SEC.09 Security Incident Procedures .308(a)(9): Explanation of HIPAA Regulation

    The covered entity must have written procedures for reporting security breaches to ensure that security violations are handled promptly and appropriately. These must include:

    1. Procedures for reporting security incidents

    2. Procedures describing response, i.e., actions to take when a security incident is reported

  • SEC.09 Security Incident Procedures .308(a)(9): Key Issues

    What constitutes a security incident?

    How should the covered entity define levels of incidents and sanctions for each (e.g., accessing protected health information as opposed to sharing protected health information)?

    How can security awareness be kept hot?

    How can a covered entity determine when access to protected health information is inappropriate?

  • SEC.09 Security Incident Procedures .308(a)(9): Actions required to address these

    Implement an incident reporting and response procedure and document it.

  • SEC.09 Security Incident Procedures .308(a)(9): Actions highly recommended to address these

    Tell workforce members when, how, and to whom to report a security incident.

    Require workforce members to acknowledge that they have received security incident training.

    Require workforce members to report the incident if they inadvertently access protected health information they should not have accessed.

    Ensure that workforce members know that they should report security violations to a supervisor, system administrator, security, internal audit, or others as appropriate.

    Require workforce members to report instances of noncompliance.

    Ensure that the teams of people who are typically involved in responding to a security incident have a well understood working arrangement that ensures that the incident is handled efficiently, expeditiously, and with respect for law and individual rights.

  • Information Access Management

    All persons authorized to have access to PHI shall have a unique User ID. This includes all volunteers, temporary workers and independent contractors.

    Workforce members and other authorized users will be required to select passwords for each of their User IDs.

    User IDs and passwords must NEVER be shared!

    Change your password periodically.

  • Log-in Monitoring

    Log-on attempts to the computer systems are monitored.

    If you do not log on correctly within five (5) attempts, your User ID and password will be automatically disabled.

    An individual's access shall be restored only after the person's identity has been verified.

    If you are locked out of the system because you forgot your password, please contact your supervisor.

  • Access Control

    The Security Rule requires facilities to implement access controls to the physical plant; in other words, doors need to be locked or manned.

    The policies discuss a variety of types of people who have access to the facility, such as patients, visitors, volunteers, staff, and physicians. You MUST wear your identification badge at all times!

  • Facility Security Plan

    Public access: all entrances in which public access to the Hospital is allowed shall be manned by reception or security personnel.

    Non-public access: all non-public entrances shall be locked or secured in some manner so as to prohibit entrance without proper authorization.

    ANY staff person found tampering with the door security system (propping open doors, opening doors for others with no reason to be in the area) will be subject to disciplinary action up to and including termination.

  • Visitor Identification

    All staff MUST question visitors or other persons who are in restricted areas and are not displaying proper identification.

    Vendors and contractors will be wearing their company ID in addition to hospital identification noting that they have permission to be in the building.

    All employees, volunteers and other workforce members MUST wear their identification badge as issued by the hospital.

  • Audit Controls: IMPORTANT!!

    Audit trails will document who was where in our systems and what the employee was accessing. This review is performed by our HIPAA Officers (Privacy & Security). Your User ID will be linked to every item read or printed.

    Every employee, physician and VIP admitted to our hospital will have their account reviewed for inappropriate access.

    Disciplinary action will be taken if employees are found violating HIPAA policies and accessing information that they have no need to know.
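The two mechanical rules stated in the Log-in Monitoring and Audit Controls slides above, written out as a small audit-trail review script. This is an added example, not the deck's own material or any vendor's product: the audit-log line format, the care-team roster, the list of patients whose records get mandatory review, and every User ID and patient ID in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit-log format for this example (not the deck's own):
#   <timestamp> LOGIN_FAIL user=<id>
#   <timestamp> LOGIN_OK   user=<id>
#   <timestamp> ACCESS     user=<id> patient=<id> item=<record item>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_FAIL|LOGIN_OK|ACCESS)\s+user=(?P<user>\S+)"
    r"(?:\s+patient=(?P<patient>\S+)\s+item=(?P<item>\S+))?$"
)

MAX_FAILED_LOGONS = 5  # the deck's "five (5) attempts" rule


def parse_line(line):
    """Parse one audit line into a dict. Malformed lines raise rather than
    being skipped, so a truncated or tampered log is noticed during review."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()


def review_audit_trail(lines, care_team, review_patients):
    """Apply the deck's log-in monitoring and audit-control rules.

    care_team:       {patient_id: set(user_ids)} of workforce members with a
                     treatment role for that patient (the need-to-know set).
    review_patients: patient ids whose records always get reviewed
                     (employees, physicians and VIPs admitted as patients).

    Returns (disabled_user_ids, flagged_accesses); each flagged access is a
    tuple (timestamp, user, patient, item, reason) for the HIPAA officers.
    """
    failed = defaultdict(int)
    disabled = set()
    flagged = []
    for raw in lines:
        rec = parse_line(raw)
        user, event = rec["user"], rec["event"]
        if event == "LOGIN_FAIL":
            failed[user] += 1
            if failed[user] >= MAX_FAILED_LOGONS:
                disabled.add(user)  # lockout; restored only after identity is verified
        elif event == "LOGIN_OK":
            if user not in disabled:
                failed[user] = 0    # a successful log-on resets the counter
        else:  # ACCESS
            patient, item = rec["patient"], rec["item"]
            if user in disabled:
                # Activity under a disabled User ID should not be possible at all
                flagged.append((rec["ts"], user, patient, item, "disabled_user_id"))
            elif patient in review_patients and user not in care_team.get(patient, set()):
                # Reviewed patient, user outside the care team: no need to know
                flagged.append((rec["ts"], user, patient, item, "outside_care_team"))
    return disabled, flagged


# Constructed sample data: P1001 is a hospital employee admitted as a patient.
SAMPLE_LOG = """\
2022-03-26T08:00:01 LOGIN_FAIL user=rn_lopez
2022-03-26T08:00:09 LOGIN_OK user=rn_lopez
2022-03-26T08:05:00 ACCESS user=rn_lopez patient=P1001 item=med_list
2022-03-26T08:06:00 ACCESS user=billing_kim patient=P1001 item=progress_notes
2022-03-26T09:00:00 LOGIN_FAIL user=temp_jones
2022-03-26T09:00:05 LOGIN_FAIL user=temp_jones
2022-03-26T09:00:10 LOGIN_FAIL user=temp_jones
2022-03-26T09:00:15 LOGIN_FAIL user=temp_jones
2022-03-26T09:00:20 LOGIN_FAIL user=temp_jones
2022-03-26T09:01:00 ACCESS user=temp_jones patient=P2002 item=discharge_summary
"""
SAMPLE_CARE_TEAM = {"P1001": {"rn_lopez", "dr_patel"}, "P2002": {"dr_patel"}}
SAMPLE_REVIEW_PATIENTS = {"P1001"}


def run_sample():
    """Review the constructed sample log; used by the demo below."""
    return review_audit_trail(SAMPLE_LOG.splitlines(),
                              SAMPLE_CARE_TEAM, SAMPLE_REVIEW_PATIENTS)


if __name__ == "__main__":
    disabled_ids, findings = run_sample()
    print("disabled User IDs:", sorted(disabled_ids))
    for ts, user, patient, item, reason in findings:
        print(f"{ts} {user} -> {patient}/{item}: {reason}")
```

A flag is a review item for the Privacy and Security officers, not a verdict: the billing clerk's access may turn out to be the "specific report to determine the billing codes" the Confidentiality slide allows.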

  • Security Incident Procedures

    If you suspect your computer has received a virus, contact your Privacy Officer, Risk Manager, and IS Director immediately.

    No software can be loaded onto computers without the permission of the IS Director!

    This includes downloads from the Internet!

  • Reporting Violations

    We expect all employees to adhere to the privacy and security policies, but we know there may be times when the policy is being abused.

    Report violations or suspected violations to the Privacy Officer or HIPAA Security Official. You may report anonymously, if you wish.

    HMA Compliance Helpline: 1-888-462-0380; HMA, Inc., PO Box 770621, Naples, FL 34107

    You will not be retaliated against if you report a privacy violation. It is part of your job to report instances where you suspect policies are being broken.

  • Conclusion

    We must all remember to protect the privacy and security of patient information at all times.

    We are all patients from time to time. How would you feel if your own health information was used or disclosed in a way that was harmful to you or your family?

  • HITECH ACT

  • HITECH Act

    Health Information Technology for Economic and Clinical Health Act (HITECH)

    Enacted as part of the American Recovery and Reinvestment Act of 2009

    Expansive changes to HIPAA aimed at encouraging the sharing of electronic health information

    Provides funding assistance and incentives to encourage implementation of electronic health records (EHRs)

  • Changes to HIPAA

    Expanded responsibilities and liability for Business Associates

    Breach notification

    Enforcement penalties

    Restrictions

    Accounting of disclosures

    Sale of PHI

    Meaningful use of EHR

  • Breach Notification under HITECH: BA Notice Requirements

    Recipients: notify the CE to which the breached information relates

    Timing: without unreasonable delay but no later than 60 days following the BA's discovery of the breach

    Content: identify affected individuals to the extent possible and other information available to the BA

  • Notice of Breach

    Covered Entities and Business Associates are obligated to notify

    When unsecured PHI has been or is reasonably believed to have been accessed, acquired or disclosed due to a breach

    Effective as of September 2009

  • Definition of Breach

    A breach is the unauthorized access, use, or disclosure of PHI which compromises the security or privacy of the PHI.

    The HITECH Act breach notification requirement applies only to the breach of unsecured PHI.

  • Secure PHI

    If PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals, it is secure.

    HHS guidance specifies encryption and destruction as methods for safeguarding PHI.

    The breach of secure PHI is not subject to the breach notification requirement.

    Avoid having to comply with the breach notification requirement by securing PHI.

  • Who to notify

    Covered Entity reports to the: Individual; Secretary of HHS; Media

    Business Associate reports to the: Covered Entity

  • How to notify

    The notification shall:

    Describe what happened;

    Describe the types of unsecured PHI involved in the breach;

    Provide steps individuals should take to protect themselves;

    Describe what the covered entity is doing to investigate the breach, mitigate harm, and protect against further breaches; and

    Provide contact procedures for individuals to ask questions or learn additional information (i.e., toll-free telephone number, e-mail address, website, or postal address).

  • Restrictions on Disclosures

    Individuals have the right to request a restriction on disclosures and uses of their PHI to carry out treatment, payment or healthcare operations.

    Covered Entities are required to accept the request to restrict if the disclosure is to a health plan for purposes of carrying out payment or healthcare operations, and the PHI pertains solely to a healthcare item or service for which the provider involved has been paid in full.

    Effective February 17, 2010

  • Accounting of Disclosures of EHR

    If a Covered Entity uses electronic health records, then individuals have the right to an accounting upon request for all disclosures, including those made for treatment, payment and healthcare operations, for the prior three years.

    Effective as of: January 1, 2014; or the later of the effective date of implementation of the EHR or January 1, 2011.

  • Prohibition on Sale of EHR

    A Covered Entity or a Business Associate cannot directly or indirectly receive remuneration in exchange for any PHI of an individual

    Except pursuant to a valid HIPAA authorization

    Or pursuant to specified exceptions

  • Restrictions on Marketing

    If payment is received for making the communications, the communication is marketing, unless:

    1. The communication describes only a drug or biologic currently being prescribed for the individual and the amount of payment received for making the communication (if any) is reasonable in amount;

    2. The communication is made by the covered entity and the covered entity has received a valid HIPAA authorization; or

    3. The communication is made by a business associate and is consistent with the terms of its BA agreement.

  • Impact on Business Associates

    Makes elements of HIPAA directly applicable to Business Associates

    Prior to the HITECH Act, Business Associates were only subject to the Business Associate Agreement

    After the HITECH Act, Business Associates are subject to government oversight and enforcement

    Effective February 17, 2010

  • Some differences between HITECH and HIPAA: General

  • Some differences between HITECH and HIPAA: Breach Notification

  • Some ways to address the provisions of the act

  • CASE STUDY 1

  • CASE STUDY 2

  • CASE STUDY 3

  • SCENARIOS

  • Consider the following example 1:

    You are a healthcare provider. Your friend's spouse is in the hospital after an accident. Your friend asks you to review what treatment has been provided to the spouse and see if you concur. What are you able to do under HIPAA?

    Access the person's chart so that you can communicate with your friend about the patient's condition.

    Contact the charge nurse on the floor and ask her to look into the patient records for you.

    Advise your friend that you can only look at the medical records if you are treating the patient or you receive the patient's authorization to review the medical record.

  • Answer:

    Under HIPAA you are only allowed to use information required to do your job. Since you are not part of the patient care team, it is against the law to access the patient record or ask someone to access it on your behalf, even though you may know the person and just want to be helpful. Remember that if you were in a similar situation, you may not want your colleagues going through your medical records or those of your spouse or close friend.

  • Consider the following example 2:

    The father and mother of an adult, married, competent patient are visiting the patient. As a member of the care team, you need to review and provide education to her on the new meds ordered by the physician. One medication is Prozac, a well-known anti-depressant. What is the best way to approach a patient when her relatives are in the room?

    Ask the patient's relatives to leave the room.

    Go ahead and explain the medications to her. She won't mind her family members overhearing.

    Explain to the patient that you need to discuss her medications with her, and that the information is confidential. If she says her relatives may stay in the room, go ahead and explain the medications to her.

  • Answer:

    Never assume that the patient has shared her medical information with her relatives. You should ideally ask the patient's relatives to step out of the room. If the patient understands that the information is sensitive and she agrees to have her relatives present, you can go ahead and have the discussion with the patient.

    The answer would be the same if it had been her husband visiting her. The patient may not have shared all of the information with her husband.

  • Consider the following example 3:

    A physician is invited by a drug company rep to play golf. During the game, the rep begins talking about a new COX-2 inhibitor the drug company is developing. The physician gives the rep names and phone numbers of a few patients with arthritis, believing that they could benefit from the new treatment. A week later, the patients call the doctor's office complaining about being solicited by the drug company to take part in a clinical trial. What does HIPAA say about this?

    Since the physician had good intentions, the physician has not violated HIPAA.

    Physicians should stop associating with drug company reps as there are many circumstances that could result in violations of federal law, including HIPAA.

    Since PHI was disclosed for purposes other than what state and federal law allows, an authorization from the patients should have been obtained before the PHI was released.

  • Answer:

    This is an example of marketing under HIPAA. PHI was IMPROPERLY disclosed. Never provide information to a friend, colleague or business representative UNLESS it is required as part of your job and permitted under HIPAA and/or other state and federal laws. Always keep your patients' information confidential to maintain your rapport and the patients' trust. Providing an unauthorized release of information to a drug rep for marketing or research purposes violates state and federal law. This could be interpreted as an illegal disclosure for personal gain (the value of the round of golf) and subject you to a hefty fine and imprisonment.

  • Consider the following example 4:

    A physician and a nurse were discussing a patient in an elevator filled with people. In the conversation the patient's name, diagnosis and prognosis are mentioned. What could have been done differently to protect the patient's privacy?

    The patient's privacy was protected; nothing was done wrong since no written PHI was exchanged.

    It is important to be aware of your surroundings when you discuss patient information (PHI). The patient's case should have been discussed in another room, away from other patients, or at least in low voices that could not be overheard.

    No patients or patient families should be allowed to use hospital staff elevators, to avoid such situations.

  • Answer:

    Although HIPAA allows incidental uses and disclosures, this type of disclosure is not allowed. PHI includes oral communications. The patient's case should have been discussed in a location that allowed for privacy of the information discussed.

  • Consider the following example 5:

    As a resident downloads a patient file into her PDA, a code blue is called. In her hurry to respond, she leaves her PDA in its cradle. When she returns, the PDA is gone. What does HIPAA require?

    HIPAA says nothing because a copy of a patient's file on a PDA is not PHI.

    The resident has a responsibility to make certain that her laptop, PDAs, and other equipment are password protected and have an automatic key lock.

    HIPAA does not allow the use of PDAs to store PHI.

  • Answer:

    HIPAA requires that everyone protect PHI, whether in electronic, oral or written form. Using passwords and automatic key locks provides for the security of PHI since anyone without the password cannot access the files.

  • Consider the following example 6:

    You are in the ER examining a 6-year-old boy and observe cigarette burns on the arms and hands of the boy. What does HIPAA require you to do?

    HIPAA requires you to protect patient confidentiality, so no disclosure of PHI should be made.

    Patient safety is involved, and federal and state law require that you report this.

    HIPAA does not allow you to report this incident, but state law requires it.

  • Answer:

    While HIPAA requires you to maintain patient confidentiality, exceptions exist which allow PHI disclosures. State law requires and HIPAA allows the reporting of child or elderly abuse and communicable diseases.

  • QUESTIONS

  • Question #1: What is PHI?

    A. Private history information.

    B. Protected health information.

    C. Personal health information.

    D. Private health insurance.

    Answer: B. Refer to slide 8 for a list of PHI data elements.

  • Question #2: Which of these requests for copies of medical records / billing records / images requires the patient's prior written authorization?

    A. Requests for copies of psychotherapy notes.

    B. Requests for copies of PHI from your employer.

    C. Requests for copies of your PHI from concerned fellow employees.

    D. Requests for publication / publicity.

    E. All of the above.

    Answer: E. All of the above.

  • Question #3: Which of these is a HIPAA disclosure that must be logged?

    A. Release of PHI to the ME following the death of a patient.

    B. Release of PHI for legal reasons.

    C. Release of PHI via e-mail or fax to the incorrect address outside of the UC network.

    D. Release of PHI through a hacker attack.

    E. Lost or stolen laptop or device with PHI.

    F. All of the above.

    Answer: F. See facility policies on handling breaches.

  • Question #4: Personal Representative. Which of these statements best describes the new HIPAA personal representative? Check all that apply.

    A. Personal, legally authorized individual to make health care decisions on the individual's behalf

    B. School nurse

    C. Employer

    D. Parent for an adult patient (not incapacitated)

    Answer: A.

  • Question #5: Medical students / residents who participated in Ms. Jones's care write up the case for presentation at grand rounds. True or False? Mark all that are true.

    A. HIPAA's definition of health care operations includes conducting training programs in which students, trainees, or practitioners in healthcare learn under supervision to practice or improve their skills as healthcare providers

    B. No authorization is needed, since this is covered in Ms. Jones's general consent

    C. The minimum necessary information should be used, as this is not a part of direct or indirect care of Ms. Jones. Ms. Jones should not be identified by name

    Answer: A, B and C are true.

  • Question #6: Security. With new hires & temporary personnel, when can I share my password to avoid patient care and/or billing delays? Choose the 1 correct answer.

    A. I may share my password with new personnel for up to 10 days until the person has their own password, as long as they have completed privacy training.

    B. I may post my password in a discreet area to limit access to my password.

    C. Only when temporary personnel are hired or students are visiting.

    D. Never!

    Answer: D.

  • Question #7: Protected Health Information comes from a health care provider or a health plan and includes:

    A. Information about an individual's condition

    B. Information about an individual's payment for health care

    C. An individual's demographic information

    D. All of the above

    Answer: D. All of the above. Protected Health Information comes from a health care provider or a health plan and includes all of the items listed: information about an individual's condition, information about an individual's payment for health care, and an individual's demographic information.

  • What if a research investigator wants information about my patients?

    Treating physicians cannot discuss their patients and their PHI with research investigators for the purpose of recruitment. However, providers can inform their patients about research studies. For example:

    Research investigators can inform providers that there are research studies and clinical trials available to subjects (examples: by information letter, flyers, website, brochures)

    Treating physicians can inform their patients of research studies that the patients might be interested in

    Patients can contact the research studies they heard about from their treating physicians or from advertisements and flyers

  • How does a researcher gain access to PHI from medical records?

    Health Information Management Services will require the investigator to show one of the following as proof of authorization to view PHI:

    Copy of CHR Approval Letter with statement of Waiver of Consent/Authorization of individual consent to access PHI

    Copy of CHR Approval Letter with statement that individual subject consent/authorization will be obtained to access PHI

    Copy of Individual Authorization signed by the research subject

  • *Scenario 1The chief of cardiology reports to his assigned development officer that he has just treated the founder of a major San Francisco company and asks the development officer to call the patient and discuss gift opportunities.

    Is this a violation of HIPAA?

    The cardiologist can provide information about the patients demographics and dates of service but cannot provide disease-specific information. If the cardiologist would like the development officer to discuss disease-specific information with the patient, the cardiologist should obtain an Authorization first. In either case, the cardiologist should inform the patient that a development officer will be calling.

  • *Scenario 2The department of surgery asks its assigned development officer to send a fundraising letter to all of its former kidney transplant patients.

    Is this a violation of HIPAA?

    The department of surgery is asking the development officer to use a fundraising list based on disease-specific information. Neither the department nor the development office may use disease-specific information for fundraisingfor direct mail, events or major/planned giftswithout prior Authorization.

  • *Scenario 3The Breast Care Center creates a list of breast cancer survivors and subsequently sends this group a Health Care Communication in the form of a newsletter; the newsletter includes a remit envelope for gifts.

    Is this a violation of HIPAA?

    When combining a Health Care Communication with a fundraising appeal, the stricter standard for fundraising applies. In this case, the list is OK for a Health Care Communication, for which PHI may be used without Authorization. However, PHI can be used for fundraising only with prior Authorization. Therefore, a remit envelope for gifts may not be included in the newsletter.

  • *Scenario 4The Diabetes Center is asked to provide a list of former patients to the Juvenile Diabetes Foundation (JDF) which, in turn, will solicit the patients for gifts to the JDF.

    Is this a violation of HIPAA?

    The JDF is an outside entity not specifically charged with raising funds for UCSF; as such, it will not qualify for a Business Associates Agreement. Providing PHI of any kind to the JDF is therefore considered marketing and a violation of HIPAA unless the patients have Authorized the disclosure.

  • *Scenario 5The Childrens Hospital has built a new pediatric dialysis facility. It is working with its assigned development officer to invite the families of its diabetic patients to an opening celebration. The cost to attend the event is $1,000 per person, $900 of which can be considered a gift.

    Is this a violation of HIPAA?

    If the invitation is sent to all families of patients of the pediatric dialysis center, this is not a violation of HIPAA. Sending the invitation to a subset of this population would probably require the use of PHI and, thus, would require Authorization. The invitation must include the Opt Out language required by HIPAA for all fundraising communications.

  • *Scenario 6UDAR wishes to obtain lists of daily inpatient admissions and review them for known donors as well as prospective new donors.

    Is this a violation of HIPAA?

    Although HIPAA defines fundraising as a part of Operations, UDAR may view only Demographic Information from the Medical Center. UDAR staff may initiate direct contact with a patient only when an Authorization is on file. Alternately, UDAR must work through the Health Care Provider to contact the patient.

  • *Scenario 7A fundraising volunteer shares a list of his friends who have had skin cancer with his assigned development officer. They intend to solicit this group for gifts to UCSFs melanoma research program.

    Is this a violation of HIPAA?

    Yes. Members of the UCSF workforceincluding volunteerscannot create, use or disclose PHI that includes disease or treatment specific information for fundraising purposes without Authorization. If a volunteer wants a friend to be contacted by the development officer, s/he should provide name, address and phone number only AND advise the friend that s/he has done so. In other words, volunteers should identify individuals as having an interest in a UCSF program and not as having a particular disease.

  • *Scenario 8The department of neurosurgery needs to purchase an expensive new imaging machine. It plans to ask its neurosurgeons to identify former brain tumor patients and work with UDAR to develop a campaign plan.

    Is this a violation of HIPAA?

    Yes, unless and Authorization has been obtained from the patient. To access, use and disclose a list of former brain tumor patients for fundraising, a signed Authorization must be on file for each patient. Alternately, the neurosurgeons may generate a list of all their patientsnot just those with brain tumorsto be solicited for this project.

  • *Scenario 9: The thoracic oncology program, which does not have an assigned development officer, pulls a list of its patients (i.e., all former patients of all affiliated physicians) using Demographic Information only and sends out a fundraising letter.

    Is this a violation of HIPAA?

    This is not a violation of HIPAA as long as only Demographic Information is used to pull the list. However, UCSF policy states that all solicitations must be cleared through UDAR. This is critical to ensure that all HIPAA requirements, such as honoring existing Opt Outs and providing a mechanism to accept new Opt Outs, have been met.

  • *Scenario 10: A major donor calls UDAR to say that she has a friend who is at the Medical Center for surgery on his back. The donor wants UDAR to ask the CEO to visit her friend.

    Is this a violation of HIPAA?

    Technically, this is not a violation of HIPAA, because the information came from the donor rather than from the Medical Center's records. However, because the perception could be that UCSF is using a patient's disease information without permission, UDAR should only tell the CEO that the major donor called regarding a friend who is in the hospital. Information regarding the patient's back surgery should not be discussed at this point.

  • *Scenario 11: A reporter calls Public Affairs asking for the condition of a 43-year-old man who was the victim of a car crash. He gives you the patient's name but has no other details. You disclose the patient's condition.

    Is this a violation of HIPAA?

    The Covered Entity may disclose a patient's condition in general terms (good, fair, serious, critical or undetermined) that do not communicate specific medical information, as long as the inquiry specifically includes the patient's name and the patient has not placed a restriction on release of information. Although California law has permitted hospitals to release a description of the nature of a patient's injuries, this is not permissible under HIPAA without written Authorization.

  • *Scenario 12: A national magazine reporter calls regarding a story on liver transplantations. She would like to interview a patient who has recently undergone a transplant to help illustrate the importance of organ donation. How can the media relations representative find an appropriate patient for the story?

    A media relations representative may discuss the concept for the story, and the PHI needed to evaluate candidates, with a physician to determine whether there is an individual who would make a good spokesperson for the institution's liver transplant program. However, the discussion of PHI must be limited to the minimum necessary to make the decision, and to only those persons who need to know for the decision to be made. Once it has been decided that a patient might be a good spokesperson, the physician should make the initial contact. If the patient agrees, the physician or media relations representative must obtain an Authorization before any PHI is released to the news media.

  • *Scenario 13: A member of the UCSF staff overhears the name of a well-known television personality when it is called out in a patient waiting room. She shares the information with her family at dinner that evening.

    Is this a violation of HIPAA?

    Yes. Although HIPAA tolerates Incidental Use and Disclosure, such as a name being overheard in a patient waiting room, it does not permit a staff member to repeat that information in any context or setting not directly related to his/her work. The incidental disclosure is excused; the deliberate retelling is not.

  • *Scenario 14: The department of radiology sends a "negative consent" Authorization letter to its former patients stating that it will assume it is OK to use the patients' PHI for fundraising unless they request otherwise.

    Is this a violation of HIPAA?

    Yes. HIPAA does not recognize negative consent (opt-out) as an Authorization, so this is a violation of HIPAA. HIPAA also does not recognize verbal Authorization. Only the approved UCSF Authorization form may be used to obtain permission to use PHI for fundraising.

  • *Remember: PHI is contained in the designated record set. Should you copy any protected information for your own use to a PDA, 3x5 card, slip of paper or other location, it is your responsibility to safeguard it and to destroy it once it is no longer needed.

    It is everyone's responsibility to protect PHI, and you may be at personal financial risk if you fail to do so.

  • *HIPAA Resources

  • http://www.compliancehelper.com/demo-ba
  • http://www.compliancehelper.com/resources/
  • http://www.cms.gov/EducationMaterials/03_TransactionsandCodeSetMaterials.asp
  • http://www.cms.gov/EducationMaterials/02_HIPAAMaterials.asp#TopOfPage


    The essence of the protected health information concept is permitting those persons and business entities with a clear and reasonable need to know to create, collect, and maintain that information in accordance with business requirements, while preventing disclosure of it to those parties that have a murky need, or none at all.

    PHI takes every form in which information moves through the organization:

    Written information (reports, charts, x-rays, letters, messages, etc.)
    Oral communication (phone calls, meetings, informal conversations, etc.)
    E-mail, computerized and electronic information (computer records, faxes, voicemail, PDA entries, etc.)

    The CEO is an obvious example of an officer who carries this responsibility, as would be the chief operations and financial officers, and potentially others.

    Unless otherwise extended, the Privacy Rule compliance date for the small health plan segment of covered entities was April 14, 2004 (a year after the April 14, 2003 date for other covered entities), meaning that all workforce members across all covered entities, small health plans at the very least, should have received this training by that date.

    The first class, required, means simply that the specification must be accomplished (task or plan) or implemented (device, software, or control). A review of the required standards indicates that the required items have an on/off character; that is to say, the test of compliance is that they are either in place or they are not. For example, either a security official has been designated or not; you either have unique log-in IDs for each user or you do not.

    The second class, addressable, means that there is some flexibility in how the standard can be accomplished to achieve compliance. Addressable does not mean optional: the covered entity must implement the specification, implement an equivalent alternative measure, or document why the specification is not reasonable and appropriate in its environment. As above, the aspects of the environment affected by the addressable standards are in many cases themselves flexible to some degree in terms of how they function or are performed. For example, workforce clearance and termination procedures vary from place to place, and contingency operations must be flexible because there is not one type of contingency condition, just as there is not one type of entity.

    One of the greatest challenges in any business is protecting information in all forms as it moves in, out, and through an organization. With the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the growing concerns about security and privacy of all electronic personal information, organizations are now facing the reality of quickly and significantly changing the way they manage information.

    If you answered no to any of these questions, you have gaps in your security fence. If you answered no to more than three, you don't have a security fence.

    HIPAA Administrative Simplification has four components:

    Transaction Code Sets: uniform electronic transaction standards for health care data
    Privacy: confidentiality provisions for individually identifiable health care data
    Security: procedures to protect electronically maintained health information
    Unique health identifiers: for providers, employers, plans and individuals, to be used in connection with the uniform electronic transaction standards

    In general, patient Authorization is required unless the disclosure of PHI is for treatment, payment, or health care operations.

    Accounting of disclosures: providing the patient, upon request, with an accounting of a limited list of disclosures (e.g., public health case reporting) is still a requirement; routine disclosures for treatment, payment and operations have not had to be accounted for. A new HITECH element requires accounting of electronic disclosures made through an electronic health record even for treatment, payment and operations. Most health information exchange (HIE) disclosures are therefore likely to require an accounting. Some forms of HIE do this automatically, or avoid the need for an accounting by acting as the patient's agent.

    Example (minimum necessary): a billing clerk might only need to see a specific report to determine the billing codes. An admissions staff member may not need to see the medical record at all, only an order form with the admitting diagnosis and the identity of the admitting physician. Access and use only the patient information that you need to do your own job.
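    The two notes above (accounting of disclosures, and the minimum-necessary rule illustrated by the billing clerk and admissions examples) can be enforced in software rather than left to individual discipline. The following is an added example, not code from the slide deck or from UCSF: each role is mapped to the fields it needs, any request outside that set is refused, and every release of fields is written to a disclosure log that can later answer a patient's request for an accounting. The record fields, role names, purposes and the sample patient are assumptions constructed for the illustration.

```python
"""Role-based 'minimum necessary' projection of a patient record, with a
disclosure log that can produce an accounting of disclosures.

Added illustration for the HIPAA notes above; not the deck's own code.
Field names, roles, purposes and the sample record are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record (fictitious patient, realistic shape).
PATIENT_RECORD = {
    "patient_id": "P-1001",
    "name": "Jane Example",
    "address": "1 Example St",
    "phone": "555-0100",
    "admitting_physician": "Dr. Lee",
    "admitting_diagnosis": "J18.9",            # ICD-10 code on the order form
    "billing_codes": ["99223", "71046"],
    "progress_notes": "Day 2: afebrile, continue antibiotics.",
    "lab_results": {"WBC": 11.2},
}

# Assumed policy matching the slide's examples: billing sees what it needs
# to code the claim, admissions sees the order-form level of detail, the
# treating clinician sees the chart. A role that is not listed gets nothing.
ROLE_FIELDS = {
    "billing_clerk": {"patient_id", "name", "billing_codes"},
    "admissions": {"patient_id", "name", "admitting_diagnosis", "admitting_physician"},
    "treating_clinician": set(PATIENT_RECORD),   # the full designated record set
}

TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Disclosure:
    when: datetime
    patient_id: str
    recipient: str
    purpose: str          # e.g. "payment", "public_health", "media"
    fields: tuple         # which fields actually left the record


@dataclass
class DisclosureLog:
    entries: list = field(default_factory=list)

    def record(self, patient_id, recipient, purpose, fields):
        self.entries.append(Disclosure(datetime.now(timezone.utc), patient_id,
                                       recipient, purpose, tuple(sorted(fields))))

    def accounting(self, patient_id, include_tpo=False):
        """Entries to return for an accounting-of-disclosures request.

        The classic accounting omits routine treatment/payment/operations
        disclosures; include_tpo=True models the HITECH electronic-disclosure
        accounting, where those are reported as well.
        """
        return [e for e in self.entries
                if e.patient_id == patient_id
                and (include_tpo or e.purpose not in TPO_PURPOSES)]


def view_for_role(record, role, recipient, purpose, log, requested=None):
    """Return only the fields the role is permitted to see, and log the release.

    `requested` lets a caller ask for a subset; asking for anything outside the
    role's policy is refused outright rather than silently trimmed, so an
    over-broad query shows up as an error instead of a quiet disclosure.
    """
    allowed = ROLE_FIELDS.get(role)
    if not allowed:                         # deny by default
        raise PermissionError(f"role {role!r} has no access to PHI")
    wanted = set(requested) if requested is not None else allowed
    extra = wanted - allowed
    if extra:
        raise PermissionError(f"role {role!r} may not access {sorted(extra)}")
    view = {k: v for k, v in record.items() if k in wanted}
    log.record(record["patient_id"], recipient, purpose, view.keys())
    return view


if __name__ == "__main__":
    log = DisclosureLog()
    print(view_for_role(PATIENT_RECORD, "billing_clerk", "clerk-7", "payment", log))
    print(view_for_role(PATIENT_RECORD, "admissions", "desk-2", "treatment", log))
    try:
        view_for_role(PATIENT_RECORD, "billing_clerk", "clerk-7", "payment", log,
                      requested={"progress_notes"})
    except PermissionError as e:
        print("refused:", e)
    for entry in log.accounting("P-1001", include_tpo=True):
        print(entry.recipient, entry.purpose, entry.fields)
```

    The projection is done on the server side of the access, so a client that asks for the whole record never receives fields its role was not granted, and the log entry records the fields that actually left the record rather than what was asked for. That is the data an accounting-of-disclosures request, or a breach investigation, needs.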

    Craig, as I sat working on this tonight, I redrafted the answer as follows. I know it is not the preference, but I think we could have a real problem, since the regs are specific that volunteers are workforce members. If it were a physician providing you with the list, you would have to get an Authorization. The volunteer is no different.