The Health Insurance Portability and Accountability Act
HIPAA
HIPAA Privacy – Protection for the privacy of Protected Health Information (PHI) effective April 14, 2003 (including Standardization of electronic data interchange in health care transactions, effective October 2003)
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996
HIPAA is a Federal Law
HIPAA is a response, by Congress, to healthcare reform
HIPAA affects the health care industry
HIPAA is mandatory
What is HIPAA?
HIPAA protects the privacy and security of a patient’s health information
HIPAA provides for electronic and physical security of a patient’s health information
HIPAA prevents health care fraud and abuse
HIPAA simplifies billing and other transactions, reducing health care administrative costs
Protected Health Information (PHI)
PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
PHI may be:
paper format
electronic format
or information transmitted orally
What Patient Information Must We Protect?
Protected Health Information (PHI)
Relates to past, present, or future physical or mental condition of an individual; provision of healthcare to an individual; or for payment of care provided to an individual
Is transmitted or maintained in any form (electronic, paper, or orally)
Identifies, or can be used to identify the individual
PHI Examples
Name
Address
Name of Employer
Any date (birth, admit date, discharge date)
Telephone and Fax numbers
Email address
Social Security Number
Medical Records
When is it acceptable to use a patient’s PHI?
Treatment of the patient, including appointment reminders
Payment of health care bills
Business and management operations
Disclosures required by law
Public Health and other governmental reporting
Protect the Privacy of the Patient’s PHI
Look at a patient’s PHI only if you need it to perform your job
Use a patient’s PHI only if you need it to perform your job
Give a patient’s PHI to others only when it’s necessary for them to perform their jobs
Talk to others about a patient’s PHI only if it is necessary to perform your job, and do it discreetly
Sharing PHI
Refrain from discussing PHI in public areas unless doing so is necessary to provide treatment
Medical and support staff should take care when sharing PHI with family members, relatives, or personal representatives of patients. Information cannot be disclosed unless the patient has had an opportunity to agree with or object to the disclosure
Personal representatives are those individuals who are able to make healthcare decisions on behalf of the patient
Opportunity for Individual to Agree or Object
Notice of Privacy Practices
Must give individual opportunity to restrict or prohibit (can be oral) the use or disclosure of name, location, general condition, and religious affiliation for:
Disclosure to persons who request the individual by name (except religion)
Disclosure to clergy
Emergency exception
Health Center Notice of Privacy Practices
You can find the Notice of Privacy Practices on the Health Center web site under “Services”
Services Staff Wellness Flu Virus Information
Family, Friends, and Advocates
Must give individual opportunity to agree or object:
May disclose PHI relevant to person’s involvement in care or payment to family, friends, or others identified by individual
May notify of individual’s location, condition, or death to family, personal representatives, or another responsible for care
When individual is not present or incapacitated:
Above uses and disclosures are permissible using professional judgment to determine if in best interest of individual
Public Policy Uses and Disclosures
Public Policy Purposes
(a) As required by law
(b) For public health
(c) About victims of abuse, neglect or domestic violence
(d) For health oversight activities
(e) For judicial & administrative proceedings
(f) For law enforcement purposes
Public Policy Purposes (2)
(g) About decedents (to coroners, medical examiners, funeral directors)
(h) For cadaver organ, eye or tissue donations
(i) For research purposes
(j) To avert a serious threat to health or safety
(k) For specialized government functions (military, veterans, national security, protective services, State Dept., correctional
(l) For workers’ compensation
Investigations & Compliance Reviews
The Office of Civil Rights (OCR) may investigate complaints
OCR may conduct compliance reviews to determine whether Covered Entities are in compliance
Filing Complaints
Any person or organization may file complaint with OCR by mail or electronically
Only for possible violations occurring after compliance date
Complaints should be filed within 180 days of when the complainant knew or should have known that the act or omission occurred
Individuals may also file complaints with Covered Entity
Complaint Process
Informal review may resolve issue fully without formal investigation
Many complaints will be resolved at this stage
If not, begin investigation
Voluntary resolution yet possible
Technical Assistance
Civil Monetary Penalties (CMPs)
CMPs can be imposed by OCR:
$100 per violation
Capped at $25,000 for each calendar year for each identical requirement or prohibition that is violated
Covered Entity has a right to notice and a hearing before a CMP becomes final
Employee Obligations
Do not disclose PHI without patient authorization
If there is an unauthorized disclosure of PHI, contact OCR immediately
Information
Indiana State Department of Health Office of Technology and Compliance: http://www.in.gov/isdh/23500.htm
U.S. Department of Health & Human Services and the Office of Civil Rights: http://www.hhs.gov/ocr/privacy/