CCHAP Practice Manager’s Meeting HIPAA Guidelines and Updates for Primary Care Practices Thursday October 24 th 2013 Noon – 1:00PM Instructions to join.

CCHAP Practice Manager’s Meeting HIPAA Guidelines and Updates for Primary Care Practices

Thursday October 24th 2013 Noon – 1:00PM

Instructions to join the meeting remotely:

1. Open a web browser and enter URL: www.readytalk.comEnter participant access code: 2093166

2. Phone in for the audio portion of the conference:

1-866-740-1260 - then enter the access code: 2093166

MEETING HANDOUTS: www.cchap.org/pmmeeting

CCHAP Practice Manager’s Meeting HIPAA Guidelines and Updates for Primary Care Practices

Thursday October 24th 2013 Noon – 1:00PM

HIPAA GUIDELINES AND UPDATESKara Kohn, RN, [email protected]

MEETING HANDOUTS: www.cchap.org/pmmeeting

HIPAA

2013 Omnibus Rules and Updates

What is HIPAA?

Health Insurance Portability and Accountability Act was enacted in1996

Protects health insurance coverage when there is a change or loss of jobs for workers and their families

What is HIPAA?

Required national standards for electronic health care transactions

Gave rights to individuals 12-18 for their own privacy (including from parents)

Enacted privacy standards for PHI (Protected Health Information)

Key Terms and DefinitionsPrivacy: Patient’s right over the use and

disclosure of their own protected health information

Security: Specific measures a Covered Entity (your practice) must take to secure protected health information from unauthorized breaches of privacy

Protected Health Information (PHI): Any identifiable information which relates to an individuals past, present or future physical health or condition for which there is a reasonable cause to believe it can be used to identify that individual

Protected Health Information (PHI)

Name

Zip Code

Birth Date

Telephone Number

Fax Number

Account Number

Email Address

Social Security Number

Medical Record Number

Health Plan Numbers

Certificate/license number

Vehicle Identifiers and Serial Numbers

Device Identifiers and Serial Numbers

IP and URL address numbers

Biometric Identifiers (finger or voice prints)

Full Face Photos Images

Any other unique identifying number, characteristic or code

What is New?Requests for electronic medical charts

Request to not share information with health plans

Immunization information allowed to be shared

Restrictions for marketing, fundraising and sale of PHI

Genetic information and insurance

Business associates compliance

New notices of Privacy Practices

Chart RequestsPatients can ask for copies of their medical

information in electronic format

Patients can still ask for medical information via paper format

30 days to produce this information

No more 30 day extensions

Request by PatientsIf all services are paid in full, in person, during a

visit, a request can be made to not share information with their health plans

This includes the treatments that were received during that specific visit

Immunization RecordsIf a parent or guardian gives written permission,

your office can provide immunization information to a school

This is for schools that are required by law to have it

This process is more streamlined, making it easier for both parents and practices

Marketing, Fundraising and Genetic Information

Increased restrictions how patients information is used and disclosed to third parties for the use of marketing and fundraising

Patients can not have their personal information sold to outside parties with out a written consent from them to do so

Insurance companies cannot use genetic information for coverage and cost determinations

Business AssociateAll Business Associates must now adhere to all

HIPAA rules and regulations when in possession of PHI

A Business Associate is anyone that works in association with your practice and has access to patient information

Does not include doctor-to-doctor business, healthcare providers, insurance companies or pharmacies

Who is a Business Associate

Health Information Organizations

E-prescribing Gateways

Data Transmission Services (personal health record vendors)

Labs

Confirmation Services

Collection Agencies

Software Companies

IT Techs

Consultants

Sales Reps

After Hours Services

Business Associates cont.Any new Business Associates to your practice

should have a signed agreement by September 23, 2013

Existing Business Associates have until September 23, 2014 to sign the new agreement

You are not required to train your Business Associates

If they have a subcontractor assisting them, the Business Associates will need to have their own contract in place with their subcontractor

Increased Privacy Protection

It is now considered a breach if there is any disclosure of any PHI examples

This can include inadvertent release of PHI

Any suspected or known breach must be reported

Risk assessment must be completed and documented any time that a breach is reported

Fines of $50,000 for each violation, up to a limit of $1.5 million annually

Examples of a BreachAny posting of pictures or patient identification

onto social websites (Facebook, Twitter, Instagram, etc.)

Conversations in the waiting room disclosing PHI

Loss of office laptop containing patient information

Paperwork given to the wrong patient

Verbal communication via phone to someone who is not the patient or their parent/guardian

Examples of a Breach cont.

Permission is asked to share patient information with parents/guardians in room (age dependent)

Faxing patient information to the wrong number

Email communication sent to the wrong address or email group

Computer screen with patient information that can be viewed by other patients/families

Placing of PHI in a regular trash container

What Needs to Done in the Event of a Breach?

No longer report only a “Significant Risk”. All presumed risks are considered a breach.

Complete Breach Assessment Form

Report via HHS Website http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brin

struction.html

Potentially contact patients with knowledge of suspected or confirmed breach

How to PreventAny and all paperwork changing hands is

verified that each and every page belongs to the patient it is handed to

All patients are asked their permission to proceed speaking when there are visitors in the room that are not a parent/guardian/POA

All conversations are held at a reasonable tone and appropriate venues in the patient care area. Do not discuss patient care in hallways, waiting rooms, or exam rooms with doors open

How to PreventAll fax numbers are verified before hitting send, and a

fax cover sheet with a confidentiality statement is used at all times

All charts are maintained securely away from public view

All printouts with patient information are placed facedown when you step away from the desk

Computer screens are locked when you step away, even momentarily

Patient information is not thrown into a general trash can

Questions?Thank you