WELCOME TO HIPAA & HITECH TRAINING
DESCRIPTION

WELCOME TO HIPAA & HITECH TRAINING. HIPAA. WHAT IS HIPAA? WHO DOES IT AFFECT? WHAT IS THE IMPACT OF HIPAA? WHAT IS YOUR ROLE? WHAT IS HITECH? WHAT IS A HITECH BREACH?. WHAT IS HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) enacted by Congress in 1996. - PowerPoint PPT Presentation

Page 2

HIPAA

• WHAT IS HIPAA?
• WHO DOES IT AFFECT?
• WHAT IS THE IMPACT OF HIPAA?
• WHAT IS YOUR ROLE?
• WHAT IS HITECH?
• WHAT IS A HITECH BREACH?

Page 3

WHAT IS HIPAA

• The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996.
• A Federal law that protects patients’ health coverage and information
• Regulations promulgated by the Department of Health and Human Services
• Guidelines implemented in April, 2003

Page 4

TITLE I of HIPAA

Protects and provides ability to carry health insurance coverage for workers and their families when they change or lose their jobs

Limits restrictions that a group health plan can place on benefits for pre-existing conditions

Prohibits health plans from creating eligibility rules, assessing premiums for individuals in the plan based on health status, medical history, genetic information or disability

Page 5

Title II of HIPAA

Known as the Administrative Simplification (AS) provisions, established national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers

Page 6

Title II of HIPAA

Defines numerous offenses relating to health care and sets civil and criminal penalties for infractions

The most significant provisions for providers are the Administrative Simplification rules. These rules apply to “covered entities”, including health plans, health care clearinghouses such as billing services and community health information systems, and health care providers that transmit data in any way regulated by HIPAA

Page 7

What information must you protect?

• Information you create or receive in the course of providing treatment or obtaining payment for services, or while engaged in teaching and research activities, including information related to the past, present, or future physical and/or mental health or condition of an individual
• Information in ANY medium, whether spoken, written or electronically stored, including videos, photographs and x-rays.

This information is called PROTECTED HEALTH INFORMATION (PHI)

Page 8

Title II of HIPAA

The Department of Health and Human Services has established five rules within the Administrative Simplification provisions:

• The Privacy Rule
• The Security Rule
• The Unique Identifiers Rule
• The Transactions & Code Sets Rule
• The Enforcement Rule

Page 9

The Privacy Rule

• Establishes regulations for the use and disclosure of Protected Health Information (PHI)
• PHI is ANY information about health status, provision of health care or payment for health care that can be linked to an individual, whether paper or electronic.
• Requires covered entities to:
  • Notify individuals of use of their PHI
  • Document privacy policies and procedures
  • Train all members of their workforce in procedures regarding PHI

Page 11

Notice of Privacy Practices

• This form describes how a facility may use and disclose the patient/resident’s PHI and advises the patient of his/her privacy rights
• Most facilities will attempt to obtain a signature acknowledging receipt of the Notice; if the patient/resident refuses, then the reason must be documented

HIPAA Requirements for Authorization:

• Describe the PHI to be released
• Identify who may release the PHI
• Identify who may receive the PHI
• Describe the purpose of the disclosure
• Identify when the Authorization expires
• Be signed by the patient/patient representative

Page 12

Patient Specific Rights

• The right to request restriction of PHI uses and disclosures
• The right to request confidential forms of communications
• The right to access and receive a copy of one’s own PHI
• The right to an accounting of the disclosures of PHI
• The right to request amendments to the medical record

Incidental uses and disclosures of PHI

“Incidental” means a use or disclosure that cannot reasonably be prevented, is limited in nature and occurs as a by-product of an otherwise permitted use or disclosure.

Examples: discussions during teaching rounds; calling out a patient’s name in the waiting room; sign-in sheets.

Incidental uses and disclosures are permitted, so long as reasonable safeguards are used to protect PHI and minimum necessary standards are applied.

Page 13

The Security Rule

• Complements the Privacy Rule but deals specifically with Electronic Protected Health Information (EPHI)
• Identifies three types of security safeguards required for compliance:
  • Administrative Safeguards – Policies and procedures designed to clearly show how the entity will comply with the act
  • Physical Safeguards – Controlling physical access to protect against inappropriate access to protected data
  • Technical Safeguards – Controlling access and security to computer systems containing PHI

Page 14

The Five Rules of Title II

The Unique Identifiers Rule – Covered entities, particularly third party payers, are assigned a National Provider Identifier (NPI) alphanumeric code for use in all electronic transactions

The Transactions and Code Sets Rule – Applies a unique code to health care claim and billing information, particularly for retail pharmacy chains.

Page 15

The Enforcement Rule

• Oversight of all HIPAA Rules falls under the Department of Health and Human Services (HHS)
• Within HHS, responsibility for enforcement of the Privacy Rule lies with the Office for Civil Rights (OCR)

Page 16

Protecting Your Patient’s PHI

When preparing care plans or other course-required documents, take extra care to:

• Identify the patient/client by initials only
• Use other demographic data only to the extent necessary to identify the patient and his/her needs to the instructor
• Protect the computer screen, PDA, clipboard, or notes from other individuals who do not have a ‘need to know’
• Protect your printer output from others who do not have a ‘need to know’

In the student role you are not to photocopy or fax patient documents in the process of working with your patient’s PHI. As an employee of an agency you must use the agency’s security procedures to transmit PHI.

Page 17

How HIPAA Affects Clinical Practice

As an instructor or student, no information including, but not limited to, the name, age, social security number, address, phone number, diagnosis, medical history, medications, observations of health or any other unique identifier can be discussed or disclosed outside of the clinical setting

Students may not discuss a client’s PHI in public places including, but not limited to, cafeterias, hallways, client’s rooms, elevators, etc.

No tape recorders, cell phones, text messages or cameras are permitted while in clinical areas

Page 18

How HIPAA Affects Clinical Practice

Instructors and students will follow the policies and procedures of MJCC and will be compliant with these rules (see Faculty and/or Student Handbook)

Under HIPAA students may use PHI in written assignments intended for the use of training to classroom or clinical instructors

Hospitals and other facilities providing health care may put clients’ names outside their doors for identification, and clients may share rooms

The obligation and focus is to SAFEGUARD the individual’s health information and protect their privacy

Page 19

HIPAA FINES & PENALTIES

HIPAA penalties can be Civil and/or Criminal

• Under “General Penalty for Failure to Comply with Requirements and Standards,” the Secretary can impose fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year, on any person who violates a provision of this part
• A person who knowingly uses or causes to be used a unique health identifier; obtains individually identifiable health information relating to an individual; or discloses individually identifiable health information to another person shall be fined not more than $50,000, imprisoned not more than 1 year, or both
• If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the person shall be fined not more than $250,000, imprisoned not more than 10 years, or both

Page 20

HIPAA Do’s & Don’ts

Treat all patient information as if you were the patient. Do not be careless or negligent with PHI in any form, whether spoken, written or electronically stored.

Shred or properly dispose of all documents containing PHI that are not a part of the official medical record. Do not take the medical record off facility or school property.

Use automatic locks on laptop computers and log off after each time you use a computer. Do not share passwords.

Use secure networks for e-mails with PHI and add a confidentiality disclaimer to the footer of such e-mails.

Set a protocol to provide for confidential sending and receiving of faxes that contain PHI and other confidential information.

Discuss PHI in secure environments, or in a low voice so that others do not overhear.

Page 21

HITECH

Health Information Technology for Economic and Clinical Health Act (HITECH)

HITECH is a part of the American Recovery and Reinvestment Act of 2009

It is a federal law that affects the healthcare industry

The Act allocated ~$20 billion to health information technology projects, expanded the reach of HIPAA by extending certain obligations to business associates, and imposed a nationwide security breach notification law

Page 22

HITECH – Breach Notification Provisions

• One of the biggest changes in HITECH is the inclusion of a federal breach notification law for health information
• Many states have data breach laws that require entities to notify individuals
• State laws typically only pertain to personal information (which does not necessarily include medical information)
• The law requires covered entities and business associates to notify individuals, the Secretary of Health and Human Services and, in some cases, the media in the event of a breach of unsecured protected health information
• The law applies to its participating physicians and clinicians, and employees and departments that provide management, administrative, financial, legal and operational support services to or on behalf of a facility, to the extent that such employees and departments use and disclose individually identifiable health information in order to provide these services to a facility and would constitute a “business associate” of the facility if separately incorporated.

A business associate is a person or entity that performs certain functions or services for or to the facility involving the use and/or disclosure of PHI, but the person or entity is not part of the facility or its workforce (examples include law firms, transcription services and record copying companies).

Page 23

HITECH – Breach Notification Provisions

The law applies to breaches of “unsecured protected health information”.

Protected Health Information (PHI):

• Relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or payment for care provided to an individual.
• Is transmitted or maintained in any form (electronic, paper, or oral representation).
• Identifies, or can be used to identify, the individual.

Examples of PHI include:

• Health information with identifiers, such as name, address, name of employer, telephone number, or SSN
• Medical records including medical record number, x-rays, lab or test results, prescriptions or charts

Unsecured: information must be encrypted or destroyed in order to be considered “secured”

Page 24

HITECH – What Constitutes a Breach

Definition of “Breach”

Was there an impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule?

Examples include:

• Laptop containing PHI is stolen
• Receptionist who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment
• Nurse gives discharge papers to the wrong individual
• Billing statements containing PHI mailed or faxed to the wrong individual/entity

Page 25

HITECH – What Constitutes a Breach

Did the impermissible use or disclosure under the HIPAA Privacy Rule compromise the security or privacy of PHI?

Is there a significant risk of financial, reputational or other harm to the individual whose PHI was used or disclosed? If the nature of the PHI does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach.

Example: if a covered entity improperly discloses PHI that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule; but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program), or if the PHI includes information that increases the risk of identity theft (such as a social security number, account number, or mother’s maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information.

Page 26

HITECH – What Constitutes a Breach

Exceptions to a Breach

• Unintentional acquisition, access, use or disclosure by a workforce member (“employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity”) acting under the authority of a covered entity or business associate

Example: billing employee receives and opens an e-mail containing PHI about a patient which a nurse mistakenly sent to the billing employee. The billing employee notices he is not the intended recipient, alerts the nurse of the e-mail and then deletes it. The billing employee unintentionally accessed PHI to which he was not authorized to have access. However, the billing employee’s use of the information was done in good faith and within the scope of authority, and therefore, would not constitute a breach and notification would not be required, provided the employee did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.

Page 27

HITECH – What Constitutes a Breach (exceptions continued)

• Inadvertent disclosures of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized healthcare arrangement in which the covered entity participates

Example: A physician who has authority to use or disclose PHI at a hospital by virtue of participating in an organized health care arrangement (defined by HIPAA rules, clinically integrated care setting in which individuals typically receive health care from more than one health care provider. This includes, for example, a covered entity, such as a hospital, and the health care providers who have staff privileges at the hospital) with the hospital is similarly situated (authorized to access PHI) to a nurse or billing employee at the hospital. A physician is not similarly situated to an employee at the hospital who is not authorized to access PHI.

• If a covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information

Example: EOBs are sent to the wrong individuals. A few of them are returned by the post office, unopened as undeliverable. It could be concluded that the improper addressees could not reasonably have retained the information. The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches.

Page 28

HITECH – Breach Notification Obligations

If a breach has occurred, Tulane will be responsible for providing notice to:

• The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery; a breach is considered discovered when the incident becomes known, not when the covered entity or Business Associate concludes the analysis of whether the facts constitute a Breach)
• The Secretary of Health & Human Services (HHS) (timing will depend on the number of individuals affected by the breach)
• The media (only required if 500 or more individuals of any one state are affected)

Page 29

Disciplinary Actions

Civil Penalties

Covered entities and individuals who violate these standards will be subject to civil liability.

Page 30

MJCC HIPAA Policy

MIAMI-JACOBS CAREER COLLEGE
Program of Practical Nurse Education
HIPAA – Policy

HIPAA regulations will require a number of changes in your work habits and in the accustomed culture of healthcare throughout this country. These HIPAA privacy requirements apply as much outside our institution, in parking lots, restaurants and homes.

All students will complete the HIPAA training course before going to the clinical sites in TERM I. Additional HIPAA guidelines may be required of the student by clinical facilities throughout the program.

The HIPAA course will include, but is not limited to:

• Overview and course objectives
• Study of the terminology
• Watch the PowerPoint: HIPAA
• Study the videotape / PowerPoint content review
• Complete the learning activity
• Complete the Post Test

A copy of the HIPAA course Post Test will be kept in the student’s file with signatures of understanding of the HIPAA guidelines for healthcare workers. In addition, no electronic devices are permitted in clinical settings. This includes, but is not limited to, cell phones, tape recorders, or equipment for text messaging. Failure to follow the HIPAA guidelines is a serious event and will result in immediate dismissal from the program.

Date: ________________________ Signature: __________________________ Printed Name: ______________________