Sensible Care EMS Employee Training Privacy and HIPAA HIPAA

HIPAA training v2

Sensible EMS - HIPAA Training

1. Sensible Care EMS Employee Training: Privacy and HIPAA

2. MANDATORY
   Completion of training is mandatory under HIPAA for the entire staff of Sensible Care, whatever their position.

3. What is HIPAA?
   The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as part of a broad congressional attempt at incremental healthcare reform. It took effect October 15, 2002. The Privacy Rule took effect April 14, 2003.

4. What does HIPAA do?
   - Title I guarantees individual access to health insurance and portability, limits some pre-existing condition exclusions, and does not discriminate based on health status.
   - Title II addresses fraud and abuse; it is the title that will most affect pre-hospital providers.
   - Title III covers Medical Savings Accounts and provides a health insurance tax deduction for the self-employed.
   - Title IV covers group health plans.
   - Title V deals with the costs of implementation.
   It is important to note that the Act doesn't provide any economic relief to providers to take care of the costs of compliance.

5. PURPOSE
   HIPAA has two primary purposes: one is to provide continuous insurance coverage for workers who change jobs, and the other is to reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper.

6. HIPAA is a comprehensive rule, and violation can result in either civil or severe criminal penalties. The civil aspects are enforced by the Health and Human Services Department's Office of Civil Rights. The criminal aspects are enforced by the Justice Department, and the FBI is the investigating agency in charge of criminal enforcement.
   HIPAA is the FLOOR: state privacy laws are left in effect to the extent that their provisions are at least equal to the federal law. If state laws are less stringent, the more stringent federal rules will apply; if state laws are more stringent, they will apply as far as the more stringent provisions.

7. What does it require?
   - Notifying patients about their privacy rights and how their information can be used (post it, give it to the patient, and document it).
   - Adopting and implementing privacy procedures for its practice, hospital, or plan.
   - Training employees so that they understand the privacy procedures.
   - Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed (Privacy Officer).
   - Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

8. Exceptions to HIPAA for State Law
   STATE LAW REQUIRES YOU TO REPORT:
   - Disease or injury
   - Child abuse
   - Elder abuse
   - Spousal abuse
   - Birth
   - Death
   - Or for the conduct of public health surveillance, investigation or intervention

9. So what does HIPAA do?
   - It gives patients more control over their health information.
   - It sets boundaries on the use and release of health records.
   - It establishes appropriate safeguards to protect the privacy of health information.
   - It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
   - It provides for electronic and physical security of personal and health information.
   - And it strikes a balance when public responsibility supports disclosure to protect public health.

10. So what does HIPAA do? (continued)
   - It enables patients to find out how their information may be used, and about certain disclosures made of their information.
   - It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
   - It generally gives patients the right to examine and obtain a copy of their own health records and to request corrections.
   - It empowers individuals to control certain uses and disclosures of their health information.

11. This HIPAA Training Program will answer:
   - What does HIPAA do?
   - Who has to follow the HIPAA law?
   - What is Protected Health Information?
   - When do we start?
   - How does HIPAA affect you?
   - Why is HIPAA important?

12. Why is HIPAA needed?
   Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed without notice or authorization, including for reasons that had nothing to do with a patient's medical treatment or health care reimbursement.

13. What does it require?
   - Notifying patients about their privacy rights and how their information can be used (post it, give it to the patient, and document it).
   - Adopting and implementing privacy procedures for practices, hospitals, providers, or plans.
   - Training employees so that they understand the privacy procedures.
   - Designating an individual to be responsible for seeing that the privacy procedures are followed (Privacy Officer).
   - Securing patient records containing individually identifiable health information so they are not readily available to those who do not need them.

14. Requirements continued
   - Must provide a process for individuals to make complaints and document such complaints and their disposition.
   - Must develop an anti-retaliation policy.
   The privacy provisions:
   - Apply to all providers using electronic media to transmit patient information
   - Cover any medical record and other individually identifiable health information
   Mental health records are subject to even more stringent regulations.

15. An Overview of the Law: HIPAA, Health Insurance Portability and Accountability Act of 1996
   - Title I: Portability
   - Title II: Administrative Simplification
     - PRIVACY: Administrative Requirements; Individual Rights; Use and Disclosure of PHI
     - EDI: Identifiers; Code Sets; Transactions
     - SECURITY: Technical Security Mechanisms; Technical Security Services; Physical Safeguards; Administrative Procedures
   - Title III: Medical Savings Accounts
   - Title IV: Group Health Plan Provisions
   - Title V: Revenue Offset Provision

16. Federal Penalties
   - Civil violation: $100 per violation
   - Individuals are liable along with the provider
   - $25,000 maximum civil fines per person in one year
   (Contrast the state penalty of $3,000 per violation, enforced by TDH.)

17. Federal Criminal Penalties
   For fraud, abuse and disclosure for money:
   - $50,000 and 1 year, lowest level
   - $250,000 and 10 years, highest level
   Average sentence for a first-time offender at the highest level: $87,000 plus 67 months, according to the federal sentencing guide.

18. Texas Medical Records Privacy Act, SB11
   - Texas Privacy Act, enacted in 2001, took effect September 1, 2003
   - Chapter 181.001 et seq., Texas Health and Safety Code
   - Tracks HIPAA but adds new powers to the insurance commissioner to formulate privacy rules for insurance companies
   - More stringent than HIPAA in some ways
   - May be enforced by TDH against EMS providers and individuals
   - Provides for a $3,000 fine for a civil violation, instead of the $100 HIPAA provides
   - Provides $250,000 for a criminal violation
   - Allows the Attorney General to seek injunctive relief

19. Who has to follow HIPAA? Everyone!

20. Who Is Impacted?
   - Health care providers: a provider of medical, psychiatric, or other health services, and any other person or entity furnishing health care services or supplies.
   - Health plans: an individual or group health plan that provides or pays the cost of medical care.
   - Clearinghouses: a public or private entity that processes or facilitates the processing of non-standard data elements of health information into standard data elements and who transmits any health information in electronic form in connection with a transaction covered in the legislation.
   - Business Associates and Trading Partners

21. Business Associate
   - One who processes claims for a provider
   - One who uses individually identifiable health info for: utilization review; quality assurance or improvement; billing, collection agencies and data management; benefit management and financial services
   - Medical Director, student ride-outs, housekeeping
   - Lawyers, accountants, consultants, and accrediting agencies
   If you TREAT the patient you are NOT a business associate.
   Business associates must have a contract obligating them to safeguard protected health information.

22. Business Associate Contracts
   Must establish the permitted and required uses and disclosures of protected health information by the business associate, and may not authorize further disclosure in violation of the regulations. If the covered entity knows of a practice or pattern of activity that constitutes a material breach of the business associate's obligations under the contract, the covered entity must take reasonable steps to ensure cure of the breach, or terminate the contract, or report the problem to the Secretary of Health and Human Services.

23. Business Associate Obligations
   - Must not use or disclose protected health information in violation of the law or contract.
   - Implement safeguards against improper use or disclosure.
   - Ensure that any agents or subcontractors agree to fulfill contractual and legal obligations.
   - Afford individual access to records; make records available for amendment by the individual; account to the individual for use or disclosure other than for payment, treatment, or operations.
   - At termination of the contract, return or destroy protected health information.

24. §181.202. Disciplinary Action
   In addition to the penalties prescribed by this chapter, a violation of this chapter by an individual or facility that is licensed by an agency of this State is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. If there is evidence that the violations of this chapter constitute a pattern or practice, the agency may revoke the individual's or facility's license.

25. YOUR LIABILITY INSURANCE DOES NOT INSURE YOU AGAINST INVASION OF PRIVACY AND WILL NEITHER PAY FOR YOUR DEFENSE NOR PAY A JUDGMENT AGAINST YOU.
   One hour of a good lawyer's time begins at no less than $250-350/hr.

26. Title II: Privacy Regulations
   Title II and its regulations raise many questions and problems for covered providers. These will need to be addressed at all times if one is to be in compliance.

27. What Is Impacted? TRANSACTIONS
   A transaction is the exchange of information between two parties to carry out financial and administrative activities related to health care. It includes:
   - Health claims
   - Health care billing
   - Payments and Explanation of Benefits (EOB)

28. What Is Impacted? Transactions (continued)
   - Medical records
   - Billing records
   - Coordination of benefits
   - Enrollment/disenrollment in a health plan
   - Eligibility for a health plan
   - Health plan premium payments
   - Referral certification and authorization
   - First report of injury
   - Health claims attachments

29. So, What is Health Information?
   Any information, recorded in any way whatsoever, that:
   - Is created or received by a provider
   - Relates to past, present or future physical or mental health or condition
   - Relates to the provision of health care
   - Relates to payment for services

30. What Is Impacted? PROTECTED HEALTH INFORMATION
   Protected Health Information is defined as any information, whether oral or recorded, in any form or medium, that:
   (A) Is created or received by a provider, health plan, public health authority, employer, life insurer, school, or clearinghouse; and
   (B) Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

31. What is considered Protected Health Information?
   - A person's name, address, birth date, age, phone and fax numbers, e-mail address
   - Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test results, assessment or procedure with respect to the physical or mental status of an individual
   - Billing records, claim data, referral authorizations, explanation of benefits
   - Research records

32. What Is Impacted? PROTECTED HEALTH INFORMATION
   Protected Health Information is defined as any information, whether oral or recorded, in any form or medium, that is a subset of health information, including demographic information collected from an individual, and:
   (A) Is created or received by a provider, health plan, public health authority, employer, life insurer, school, or clearinghouse; and
   (B) Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

33. SC may create, use and share a person's PHI for:
   - Treatment
   - Billing and Payment
   - Company's Business Management and Operations
   - Disclosures Required by Law
   - Public Health and Other Governmental Reporting

34. PHI Consent
   Some uses and disclosures of PHI do not require consent. The use and disclosure of protected health information relating to treatment, payment, or health care operations does not require prior written consent.

35. Minimum Necessary Rule
   When using or disclosing Protected Health Information (PHI), or when requesting PHI from another covered entity, you must make reasonable efforts to limit PHI disclosure to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, unless an exception applies.

36. Minimum Necessary Rule Exceptions
   The minimum necessary requirement does not apply in the following instances:
   - Disclosures to or requests by a health care entity for purposes of treatment.
   - Uses or disclosures made to the individual who is the subject of the PHI.
   - Uses or disclosures made pursuant to a valid authorization initiated by the individual.
   - Disclosures to the Secretary of the Department of Health and Human Services (HHS).
   - Uses or disclosures that are required by law.
   - Uses or disclosures required for compliance under HIPAA, including compliance with the implementation specifications for conducting standard data transactions.

37. Requests for Disclosure
   Sensible Care may rely on a request for disclosure as the minimum necessary for the stated purpose when:
   - Making permitted disclosures to public officials, if the public official represents that the information is the minimum necessary for the stated purpose(s).
   - The information is requested by another covered entity.
   - The information is requested by a professional who is a staff member or is a business associate for the purpose of providing professional services to Sensible Care, if the professional represents that the information requested is the minimum necessary for the stated purpose(s).
   - The information is requested for research purposes and the person requesting the information has provided documentation or representations verifying such intended purpose.

38. Using and Disclosing PHI Without Consent
   - When a disclosure is required by federal, state, or local law, judicial or administrative proceedings, or law enforcement.
   - Disclosure without consent can occur in certain emergency treatment situations.
   - To avoid harm.
   - For specific government functions.
   - For workers' compensation purposes.
   - Appointment reminders and health-related benefits or services.
   - For fundraising activities, public health activities, organ donations, and for research purposes.

39. What constitutes Disclosure?
   - Release
   - Transfer
   - Provision of access to
   - Divulging info to anybody other than the provider
   - Conducting quality assessment and improvement activities
   - Outcome evaluation
   - Clinical guidelines

40. More Possible Instances of Disclosure
   Examples:
   - HMO contacting a provider about treatment alternatives
   - Disclosure to press
   - Disclosure to police unless under the exceptions
   - Peer review activities
   - Training programs involving students

41. Disclosure Continued
   - Use in certification, licensing or credentialing activities
   - Use in fraud or abuse detection
   - To your own lawyers when seeking legal advice
   - To auditors
   - Business planning
   - Customer service if using patient identifiers
   - To law enforcement official
   **SECURITY OFFICER/PRIVATE INVESTIGATOR IS NOT LAW ENFORCEMENT. TELL THEM NOTHING WITHOUT AUTHORIZATION FROM PATIENT.

42. What is Required by law
   - Court orders and warrants
   - Subpoenas or summons issued by a court
   - Grand jury subpoenas
   - Subpoenas from an administrative body authorized to require production of info
   - Subpoenas in civil suit
   - Search warrant
   - JP in case of death

43. Protected Health Info Excludes:
   - Education records covered by the Family Educational Rights and Privacy Act, 20 US Code, Section 1232g
   - Employment records maintained by a provider on its own employees

44. Verification Requirements: Identity & Authority
   Before any disclosure you must:
   - Verify the ID of the requesting person
   - Obtain all documentation of credentials possible
   Acceptable credentials:
   - Government ID cards, badges, etc.
   - Written on appropriate government letterhead
   - Written statement of legal authority
   - If a written statement is impracticable, an oral statement of such legal authority

45. GENERAL RULES: Minimum Necessary Standard
   You must disclose the minimum necessary info based on the intended purpose of the disclosure.

46. Minimum Necessary does not apply to:
   - Disclosure for treatment, dispatch and healthcare operations, and payment
   - Disclosures required or permitted by law, to the extent required or permitted

47. What Treatment?
   - Field treatment
   - Hospital treatment
   - Surgery
   - ICU
   - Rehab
   - Nursing Home

48. Disclosure for Treatment
   When required for treatment, information may flow freely in any direction from caregiver to caregiver:
   - From ambulance to hospital
   - From hospital to ambulance
   - From nursing home to ambulance
   A treatment facility and its employees may discuss treatment with another treatment facility and its employees. There is no minimum necessary rule when treatment is involved. Treatment and healthcare operations may overlap.

49. Disclosures required by law
   When you are required to report something:
   - Infectious disease
   - Child abuse
   - Elder abuse
   - MVA
   - Homicide
   - Assault

50. Healthcare Operations
   A hospital Emergency Dept. may give a patient's payment info to an ambulance service provider that transported the patient to the hospital in order to bill for its treatment services. Covered entities are free to engage in communications as required for quick, effective and high quality health care. In these circumstances, reasonable precautions could include using lowered voices or talking apart from others when sharing protected health info. However, in a loud ER, or when the patient is hearing impaired, such precautions may not be practical.

51. More Healthcare Operations
   - Follow-up on patients
   - QA/QI
   - Peer review
   - Protocol development
   - Policy/procedure development
   - Financial analysis
   - Continuing ed

52. Dispatch (Healthcare Operation)
   YOU MAY DISPATCH:
   - 404 Broadway on a behavioral emergency
   - 2057 E. Pine, CPR in progress
   - 1811 Forest, OB call
   YOU MAY NOT DISPATCH:
   - 605 W. Bonham, man has penis caught in zipper or possible rectal foreign body
   - 404 Broadway, John Johns, AIDS patient, is having hallucinations and seeing demons

53. Payment
   Info may be sent to:
   - Billing office
   - 3rd party billing company
   - Collection agency
   - Insurance company
   - Billing clearinghouse
   - Attorneys

54. The Privacy Rule does not require structural or systems changes such as encryption of wireless or other emergency medical radio communications, which can be intercepted by scanners.

55. Reasonable Precautions
   Q: CAN HEALTH CARE PROVIDERS ENGAGE IN CONFIDENTIAL CONVERSATIONS WITH OTHER PROVIDERS OR WITH PATIENTS, EVEN IF THERE IS A POSSIBILITY THAT THEY COULD BE OVERHEARD?
   A: Yes. The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. The provisions of this rule that require covered entities to implement reasonable safeguards reflecting their particular circumstances, and that exempt treatment disclosures from certain requirements, are intended to ensure that providers' primary consideration is the appropriate treatment of their patients.

56. Disclosures to Business Associates
   You must have a business agreement with that associate that guarantees that the info will be safeguarded.

57. CONSENT and AUTHORIZATION are different
   Consent allows you to gather and use info for treatment, and the info may be passed along to others in the treatment chain. It does not permit disclosure to others not involved in treatment, payment filings or operations, such as newspapers or other media.

58. CONFIDENTIALITY AGREEMENT
   Must be signed by all persons who have access to PHI:
   - Company staff
   - Business associates and their employees
   - Students
   - Observers
   - First responders

59. PRIVACY RULE
   WHAT YOU SAY HERE, WHAT YOU SEE HERE, WHAT YOU HEAR HERE: WHEN YOU LEAVE HERE, LET IT STAY HERE.

60. Disclosures: Law Enforcement Purposes
   - Mandatory injury reporting (bullet wounds, etc.)
   - Court order
   - Grand jury subpoenas
   - Administrative request
   - Subpoena issued by proper authority
   - Specific request
   - Necessary to ID the patient
   - To arrest a perpetrator
   - To stop a crime in progress
   - To prevent a crime
   - To disclose where patient was taken
   - To prevent danger to public safety

61. Urgent need for disclosure vs. non-urgent need
   - Routine investigation can wait
   - Detectives working on a case
   - What a pt. tells you about ETOH ingestion
   - What a pt. tells you about drugs ingested

62. Law Enforcement says they need it now
   You may generally rely on law enforcement's representations unless obviously wrong.

63. COMMUNICATION vs. OBSERVATION
   Observations that are in public are not protected. Communications between EMS and patient that would not have occurred except for the special relationship between patient and caregiver ARE PROTECTED.

64. Limited disclosure: ID and Location Purposes
   - Name and address
   - Date and place of birth
   - Social Security number
   - ABO blood type and Rh factor
   - Type of injury
   - Date and time of treatment
   - Date and time of death
   - Description of distinguishing physical characteristics: height, weight, gender, race, hair and eye color, facial hair, scars or tattoos

65. Privacy Notice
   Every client is provided with a Notice of Privacy Practices at time of transportation. The Notice describes how Sensible Care can use and share protected health information, and every client's privacy rights. The privacy notice is also published on the Sensible Care web page. Copies of the Notice of Privacy are available from the Privacy Officer or Program Manager.

66. Clients' PHI Rights
   One of the purposes of the new HIPAA rule is to give clients more control over their PHI, such as:
   - The right to request limits on uses and disclosures of their PHI.
   - The right to choose how we send PHI to them.
   - The right to view and obtain copies of their PHI.
   - The right to correct or update their PHI.

67. How do clients exercise these rights?
   Special forms to request changes, corrections, copies, etc. are available from the Privacy Officer.

68. What client information must be protected?
   We must protect a client's personal and health information that:
   - Is created, kept, filed, used or shared
   - Is written, spoken, electronic or digital
   As already stated, HIPAA defines client personal and health information as Protected Health Information, or PHI for short.

69. When do we start? NOW!

70. How will HIPAA affect your duties?
   If you currently see, use, share and/or create a person's protected health information as part of your job or duties, HIPAA will change the way you work. You must protect the privacy of clients' and Sensible Care staff's protected health information.

71. When can you use PHI?
   ONLY to do your job or duties! At all other times, protect a client's information as if it were your own information!

72. How can you use PHI?
   - You may look at a person's PHI only if you need it to do your job or duties.
   - You may use a person's PHI only if you need it to do your job or duties.
   - You may give a person's PHI to others when it is necessary for them to do their jobs.
   - You may talk to others about a person's PHI only if it is necessary to do your job or duties.

73. Why is HIPAA important?
   Protecting privacy is important!
   - We all want our PHI to be private
   - Our clients want their PHI to be private
   - It's the right thing to do
   - It's the law

74. What can happen if we don't follow HIPAA?
   Someone who does not protect a person's personal and/or health care privacy could:
   - Lose his/her job
   - Pay fines
   - Go to jail

75. Fines?
   Fines range from $50,000 to $250,000 per incident.

76. Jail?
   Jail terms can be up to 10 years per incident.

77. Did you know...?
   Sensible Care must protect your personal health information with as much diligence and security as we protect clients' PHI.

78. When do we have to protect PHI? NOW! ALWAYS!

79. Where to Find Out More About HIPAA
   - Check the copy you received with your Hiring Packet.
   - Also, the Privacy Notice is on our Internet website: www.SensibleCare.org
   - Contact Suzanne Guggenheim, Compliance and Privacy Officer, with questions and/or concerns.

80. The End!
   Congratulations! You have completed the HIPAA Privacy Training.