The Health Insurance Portability and Accountability Act (HIPAA)


Page 1: HIPAA

The Health Insurance Portability and Accountability Act

HIPAA

Page 2: HIPAA

HIPAA

HIPAA Privacy – Protection for the privacy of Protected Health Information (PHI) effective April 14, 2003 (including Standardization of electronic data interchange in health care transactions, effective October 2003)

Page 3: HIPAA

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996

HIPAA is a Federal Law

HIPAA is a response, by Congress, to healthcare reform

HIPAA affects the health care industry

HIPAA is mandatory

Page 4: HIPAA

What is HIPAA?

HIPAA protects the privacy and security of a patient’s health information

HIPAA provides for electronic and physical security of a patient’s health information

HIPAA prevents health care fraud and abuse

HIPAA simplifies billing and other transactions, reducing health care administrative costs

Page 5: HIPAA

Protected Health Information (PHI)

PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.

PHI may be in paper format, in electronic format, or information transmitted orally

Page 6: HIPAA

What Patient Information Must We Protect?

Protected Health Information (PHI):

Relates to past, present, or future physical or mental condition of an individual; provision of healthcare to an individual; or payment for care provided to an individual

Is transmitted or maintained in any form (electronic, paper, or orally)

Identifies, or can be used to identify the individual

Page 7: HIPAA

PHI Examples

Name

Address

Name of Employer

Any date (birth, admit date, discharge date)

Telephone and Fax numbers

Email address

Social Security Number

Medical Records

Page 8: HIPAA

When is it acceptable to use a patient’s PHI?

Treatment of the patient, including appointment reminders

Payment of health care bills

Business and management operations

Disclosures required by law

Public Health and other governmental reporting

Page 9: HIPAA

Protect the Privacy of the Patient’s PHI

Look at a patient’s PHI only if you need it to perform your job

Use a patient’s PHI only if you need it to perform your job

Give a patient’s PHI to others only when it’s necessary for them to perform their jobs

Talk to others about a patient’s PHI only if it is necessary to perform your job, and do it discreetly

Page 10: HIPAA

Sharing PHI

Refrain from discussing PHI in public areas unless doing so is necessary to provide treatment

Medical and support staff should take care when sharing PHI with family members, relatives, or personal representatives of patients. Information cannot be disclosed unless the patient has had an opportunity to agree with or object to the disclosure.

Personal representatives are those individuals who are able to make healthcare decisions on behalf of the patient

Page 11: HIPAA

Opportunity for Individual to Agree or Object

Page 12: HIPAA

Notice of Privacy Practices

Must give individual opportunity to restrict or prohibit (can be oral) the use or disclosure of name, location, general condition, and religious affiliation for:

Disclosure to persons who request the individual by name (except religion)

Disclosure to clergy

Emergency exception

Page 13: HIPAA

Health Center Notice of Privacy Practices

You can find the Notice of Privacy Practices on the Health Center web site under “Services”


Page 14: HIPAA

Family, Friends, and Advocates

Must give individual opportunity to agree or object:

May disclose PHI relevant to person’s involvement in care or payment to family, friends, or others identified by individual

May notify of individual’s location, condition, or death to family, personal representatives, or another responsible for care

When individual is not present or incapacitated:

Above uses and disclosures are permissible using professional judgment to determine if in best interest of individual

Page 15: HIPAA

Public Policy Uses and Disclosures

Page 16: HIPAA

Public Policy Purposes

(a) As required by law

(b) For public health

(c) About victims of abuse, neglect or domestic violence

(d) For health oversight activities

(e) For judicial & administrative proceedings

(f) For law enforcement purposes

Page 17: HIPAA

Public Policy Purposes (2)

(g) About decedents (to coroners, medical examiners, funeral directors)

(h) For cadaver organ, eye or tissue donations

(i) For research purposes

(j) To avert a serious threat to health or safety

(k) For specialized government functions (military, veterans, national security, protective services, State Dept., correctional

(l) For workers’ compensation

Page 18: HIPAA

Investigations & Compliance Reviews

The Office of Civil Rights (OCR) may investigate complaints

OCR may conduct compliance reviews to determine whether Covered Entities are in compliance

Page 19: HIPAA

Filing Complaints

Any person or organization may file a complaint with OCR by mail or electronically

Only for possible violations occurring after compliance date

Complaints should be filed within 180 days of when the complainant knew or should have known that the act or omission occurred

Individuals may also file complaints with Covered Entity

Page 20: HIPAA

Complaint Process

Informal review may resolve issue fully without formal investigation

Many complaints will be resolved at this stage

If not, begin investigation

Voluntary resolution yet possible

Technical Assistance

Page 21: HIPAA

Civil Monetary Penalties (CMPs)

CMPs can be imposed by OCR:

$100 per violation

Capped at $25,000 for each calendar year for each identical requirement or prohibition that is violated

Covered Entity has a right to notice and a hearing before a CMP becomes final

Page 22: HIPAA

Employee Obligations

Do not disclose PHI without patient authorization

If there is an unauthorized disclosure of PHI, contact OCR immediately

Page 23: HIPAA

Information

Indiana State Department of Health Office of Technology and Compliance: http://www.in.gov/isdh/23500.htm

U.S. Department of Health & Human Services and the Office of Civil Rights: http://www.hhs.gov/ocr/privacy/