The Health Insurance Portability and Accountability Act What is it? & How will it affect us?
Page 1: HIPAA

The Health Insurance Portability and Accountability Act

What is it? & How will it affect us?

Page 2: HIPAA

Who Needs Training and Why

Employees who come in contact with Protected Health Information are federally required to attend training (departments listed later)

This presentation is designed to:

Familiarize you with HIPAA regulations

Familiarize you with our policies and procedures regarding protected health information (PHI)

Ensure federal compliance

Our policies will be listed at www.hipaa.cmich.edu

Page 3: HIPAA

Summary of the Law

To improve portability and continuity of health insurance coverage in the group and individual markets.

To combat waste, fraud, and abuse in health insurance and health care delivery.

To simplify the administration of health insurance, and for other purposes.

Page 4: HIPAA

What Exactly is HIPAA?

Public Law 104-191 (1996)

Overseen by: Centers for Medicare and Medicaid Services (CMS)

A federal law designed to:

Give patients control over all Protected Health Information (PHI) that might be shared between health care providers & other covered entities

Ensure confidentiality of PHI

Page 5: HIPAA

Protected Health Information

Protected Health Information (PHI): Any Individually Identifiable Health Information (IIHI)

Created or received by a health care provider, health plan, employer or health care clearinghouse

Relating to the past, present or future physical or mental health or condition of an individual

Transmitted in any form or medium

Examples: Medical charts, problem logs, photographs, communications between professionals, health insurance policy number

Page 6: HIPAA

Individual Identifiers (courtesy of www.hipaacow.com)

1. Name

2. Geographic subdivisions smaller than a State
- Street Address
- City
- County
- Precinct
- Zip Code & their equivalent geocodes, except for the initial three digits

3. Dates, except year
- Birth date
- Admission date
- Discharge date
- Date of death

4. Telephone numbers

5. Fax number

6. E-Mail Address

7. Social Security numbers

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. Web universal resource locations (URLs)

15. Internet Protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full face photographic images and any comparable data

18. Any other unique identifying number, characteristic, or code
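As an added example (not part of the original presentation), the Python routine below applies the 18-item list above to one record: fields covered by items 1 and 4 to 17 are dropped outright, dates are reduced to the year (item 3), the zip code is cut to its first three digits (item 2), and any field not reviewed in advance is held for human review rather than released, since item 18 cannot be decided mechanically. Field names, the pre-approved field set and the sample record are constructed for the example.

```python
"""Safe Harbor style de-identification of one patient record, driven by the
18-item identifier list. Field names and the sample record are constructed
for this example; they are not part of the original slides."""
import re
from typing import Any

# Items 1, 2 (except zip) and 4-17: drop the field entirely.
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "beneficiary_no", "account_no", "license_no",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}
# Item 3: dates are reduced to the year (values assumed to be ISO YYYY-MM-DD).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
# Fields reviewed in advance and judged non-identifying (constructed set); any
# other field is treated as item 18 and held for review, i.e. default deny.
KEEP_FIELDS = {"diagnosis", "sex", "notes"}
# Identifiers that often hide inside free text; flag rather than silently keep.
EMBEDDED = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

def safe_harbor(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (de-identified record, list of fields needing human review)."""
    kept, review = {}, []
    for key, value in record.items():
        if key in REMOVE_FIELDS or value is None:
            continue
        if key in DATE_FIELDS:
            kept[key + "_year"] = str(value)[:4]
        elif key == "zip":
            # Item 2: initial three digits only. The regulation adds a
            # population threshold for the prefix that the slides do not cover.
            kept["zip3"] = str(value)[:3]
        elif key not in KEEP_FIELDS:
            review.append(key)  # item 18: unknown field, do not release
        else:
            hits = [n for n, rx in EMBEDDED.items()
                    if isinstance(value, str) and rx.search(value)]
            if hits:
                review.append(f"{key} (contains {', '.join(hits)})")
            else:
                kept[key] = value
    return kept, review

SAMPLE = {  # constructed input record
    "name": "Jane Example", "ssn": "123-45-6789", "birth_date": "1980-06-15",
    "zip": "48859", "diagnosis": "J45.20", "sex": "F",
    "notes": "Follow-up call to 989-555-0100 scheduled", "visit_code": "X7Q9",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
```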

Page 7: HIPAA

What entities are covered?

Health Plans

Health Care Clearinghouses

A health care provider who transmits any health information in electronic form

Page 8: HIPAA

CMU as a Covered “Hybrid” Entity

Hybrid Entity: A single legal entity that is a Covered Entity and whose Covered Functions are not its primary functions.

CMU’s primary purpose is to educate

We also deal with healthcare related procedures

This “theory” allows us to apply HIPAA to specific areas

Page 9: HIPAA

CMU as a Covered “Hybrid” Entity

Departments Affected

HR Comp and Benefits: Self-funded Dental and Prescription Plan (a covered entity because it is a health plan)

University Health Services (a covered entity because it is a provider who bills electronically for care and devices)

Communication Disorders: Speech Pathology and Audiology (a covered entity because it is a provider who bills electronically for care and devices)

Page 10: HIPAA

HIPAA Inside the “Hybrid”

Internal support entities:

General Counsel

Internal Audit

Accounts Receivable

Faculty Personnel

Human Resources - Employee Relations

These areas deal either with disciplinary regulations, grievances, or healthcare related transactions

It is not advantageous for these areas to receive prior authorization before reviewing a file

Page 11: HIPAA

HIPAA Inside the “Hybrid”

Possible future covered entities:

1. Physician Assistant Program

2. Psychology clinic

3. Physical Therapy Program

As of now they are not billing electronically, therefore not covered entities

Page 12: HIPAA

HIPAA outside the “Hybrid” (therefore not covered):

Information Technology

Special Olympics

International Student Services

Office of International Education

Student Disability Services

Where does the information come from and/or go to?

If it is not received from or sent to a provider or plan, then it is not considered PHI

Page 13: HIPAA

HIPAA vs. FERPA

FERPA – The Family Educational Rights and Privacy Act: Protects the rights of students’ records

Unique to universities

Especially relevant to CMU’s UHS and CDO

We serve employees, students, and members of students’ families – all as patients

Page 14: HIPAA

HIPAA vs. FERPA

Disclosures are not consistent between the two

Must treat student records and all other records differently

This is extremely difficult, but do-able

The necessary Directors will have a “Flow Chart” regarding proper procedures for the two

Page 15: HIPAA

Four Components of HIPAA’s Administrative Simplification

1. Transaction Standards & Code Sets: To create a uniform method of electronic communication

2. Security & Electronic Signature Standards: To guard data integrity, confidentiality, and availability; to ensure that Protected Health Information (PHI) is kept confidential

3. National Provider Identifier

4. Privacy Rule: The concentration of this presentation

Page 16: HIPAA

Privacy Rule

All covered entities must be in compliance by 4/14/03

There are no exclusions or extensions available and no paperwork to submit to prove compliance

Page 17: HIPAA

Privacy Rule

Establishes safeguards to protect the confidentiality of medical information

Gives patients more control over their health information

Limits release of information to the minimum necessary

Sets boundaries on the use and release of health records

Page 18: HIPAA

Privacy Rule

Enables patients to find out how their information may be used and what disclosures of their information have been made to any business associates or other parties

Gives patients the right to examine and obtain copies of their own health records, and to request corrections

Page 19: HIPAA

Privacy Rule - Consent

The Privacy Rule was most recently amended on 8/14/02.

Consent to use and disclose protected health information for treatment, payment, or health care operations (TPO) is not required, and optional for all covered entities.

Page 20: HIPAA

Privacy Rule - Consent

A covered entity must make a “good faith effort” to obtain a written acknowledgment of receipt (from the patient) of a facility’s Notice of Privacy Practices (NPP) at the earliest possible encounter. If the patient refuses to sign, the provider needs to show that every effort was made to obtain a signature.

The NPP can be a summary statement of the provider’s comprehensive NPP with reference to the entire NPP being available to the patient for examination.

The NPP must be visibly posted at all times.

Page 21: HIPAA

Privacy Rule - Consent

Covered entities are not prohibited from obtaining consent and have complete discretion in designing their individual consent process.

State law requirements may be more stringent and therefore supersede the federal requirements.

Page 22: HIPAA

Notice of Privacy Practices

The NPP reflects your dedication to privacy and must be available for patient review

Copies of NPP must be on display in each waiting room

Written copies of NPP must be available on request

Copy of NPP needs to be posted on web site

The NPP informs patients that you will not release their PHI except as stated in your Notice

Page 23: HIPAA

Notice of Privacy Practices

The NPP states you are required to abide by the terms of your current Privacy Notice

The NPP instructs patients how to file a privacy complaint

The NPP indicates how you will send information (mail, fax, electronic, etc.)

You must make a “good faith effort” to obtain a patient’s written acknowledgment of receipt of the notice.

Page 24: HIPAA

Consent & Authorization

Consent: A general document giving health care providers permission to use & disclose all PHI for treatment, payment or health care operations (TPO)

It gives permission only to the provider, and not to any other person or business associate

Not required, but optional

Authorization: A customized document giving covered entities permission to use specified PHI for specified purposes, or to disclose specified PHI to a third party. It is more specific & detailed than consent, and it is usually time sensitive.

Page 25: HIPAA

Authorization

Authorization is required for uses and disclosures of PHI for purposes that are not otherwise permitted or required under the Privacy Rule.

Examples

1. Sale of patient mailing lists

2. Disclosing information to employers for employment decisions

3. Disclosing information for life or disability insurance

Page 26: HIPAA

Authorization

Covered entities are required to document & retain authorizations and to provide individuals with a copy of the signed authorization form.

Patients will need to grant authorization in advance for each type of use or disclosure.

Page 27: HIPAA

HIPAA Privacy Rule Facts

The rules apply to all oral, written, or electronic records of covered entities.

HIPAA prohibits the use of records for marketing without prior, specific authorization by the patient.

PHI that has been de-identified is not subject to the Privacy Rule.

A HIPAA team must be appointed by each covered entity

The facility’s Notice of Privacy Practices (NPP) should be posted in public (on web site & in waiting rooms), with copies available on request.

Page 28: HIPAA

HIPAA Team

Must assign a Privacy Officer

Should assign an Electronic Transaction officer

Must assign a Security Officer

Page 29: HIPAA

HIPAA Privacy Officer

Must have authority and independence

Is responsible for developing and implementing the HIPAA compliance plan

Is responsible for enforcement & sanctions

Designates contact persons responsible for receiving complaints and monitoring patient contacts

Page 30: HIPAA

Campus Wide Planning

Knowledge

Initial Training of Workforce

Policy revision and drafting: the list is endless

Firewall and software development, implementation and testing

Ongoing analysis and refinement

Page 31: HIPAA

Preparing for HIPAA Compliance

1. Enter into new contracts with Business Associates (BA)

2. Develop Written Policies & Procedures

3. Documentation Procedures

4. Conduct a site survey of your own facility

5. Site Survey Q’s for your own facility

Page 32: HIPAA

Preparing for HIPAA Compliance

Enter into new contracts with Business Associates (BA)

BAs are persons who perform a function or activity involving the use or disclosure of IIHI.

Covered entities will be allowed to share PHI with a BA, providing that a written agreement safeguarding such information from misuse is signed by both the provider and BA.

If an entity is subject to HIPAA, a contract is not needed with another covered entity.

Page 33: HIPAA

Preparing for HIPAA Compliance

Enter into new contracts with Business Associates (BA)

Types of Business Associates:

Claims processing or administration

Data analysis, processing or administration

Utilization Review

Billing

Benefit Management

Computer work

Legal work

Actuarial work

Accounting work

Transcriptionists

Accreditation work

Cleaning service

Consulting work

Marketing

Page 34: HIPAA

Preparing for HIPAA Compliance

Develop Written Policies & Procedures

Decide who is responsible for determining “minimum necessary” data

Develop a records management plan

Determine who will keep records

Determine how records will be kept

Teach proper documentation

Page 35: HIPAA

Preparing for HIPAA Compliance

Documentation Procedures

Create record logs

Log information given in response to patient authorization

Log information given in response to legal requests for PHI

Log patient requests for amendments or restrictions to your Privacy Policy

PHI disclosures must be kept a minimum of 6 years

Page 36: HIPAA

Preparing for HIPAA Compliance

Conduct a Site Survey of Your Own Facility

Walk through the facility from the patient’s point of view. Look for visible or audible PHI, including information on tables & desks, in waste cans, on computer monitors, on fax machines, or overheard on telephones.

Page 37: HIPAA

Preparing for HIPAA Compliance

Site Survey Q’s for Your Own Facility

Are patient records secure?

Are there individual & unique passwords assigned for computer systems?

Are collection calls or calls regarding other PHI made in a private location?

Page 38: HIPAA

Why should we care about the HIPAA rules?

CMU is a hybrid entity: Some parts of the university must comply fully as a covered entity (e.g.: Speech & Hearing Clinics), other portions are not affected at all by HIPAA (e.g.: English Dept.), and other parts are indirectly affected (e.g.: Accounts Receivable).

As a single, hybrid entity, if any one part of the university is found to be out of compliance, all other covered parts can be investigated.

HIPAA is designed to empower the patient/consumer. HIPAA ideally will minimize cost over the long term.

Page 39: HIPAA

Why should we care about the HIPAA rules?

Criminal Penalties

Failure to comply: Fine & possible exclusion from Medicare

Wrongful Disclosure: $50,000, imprisonment of up to one year, or both

Offense under False Pretenses: $100,000, imprisonment of up to five years, or both

Offense with intent to sell information: $250,000, imprisonment of up to ten years, or both

Page 40: HIPAA

HIPAA Web Links

www.hipaadvisory.com

www.hipaacow.com

www.cms.hhs.gov/hipaa

www.hhs.gov/ocr/hipaa

www.hcfa.gov/medlearn