Maintaining Patient Privacy and Confidentiality

1

HIPAA Understanding what it means to your

practice What does it mean to the office manager

and staff of the physician office?

HIPAA-Administration Simplification Electronic Data and the Privacy Component

Covered entities

POHotlines

Code SetsTPO

CMS

BANPPHPI

Covered Entities Business Associates PHI: Protected Health Information TPO: Treatment, Payment, Operations Minimal Necessary Data Amendments Notice of Privacy Practices

Hospitals and Physicians as providers of Healthcare

Health plans: BCBS, Tufts, US Family etc

Clearinghouses: The businesses that process billing information for the hospitals and submit it to the health plans

Businesses that work with your practice but don’t provide health care

The Business has employees that may have access to PHI

In general, we must have contracts with each BA and the BA agrees to follow our privacy policies

Action must be taken if the BA misuses PHI

Confidential information about our patients that we can not release.

Patient’s may request their PHI You may charge a reasonable fee for

providing records and a physician summary of the information.

60 Days to comply. No automatic access to:

Psychotherapy notes Info on a criminal, civil or administrative

action or proceeding PHI that is subject to or exempted from

CLIA (HIV data) Health information that a qualified

provider has determined would endanger the life of the individual if he had access to it.

Requires special authorization specifically identifying this information, the dates and to whom it will be released.

Treatment Payment Operations Covered entities may use PHI for the

purposes of TPO without obtaining an individual’s authorization.

Only the information that is needed should be released.

To carry out the intended purpose. Exceptions:

◦ When PHI is disclosed for treatment purposes◦ Disclosed to the individual to which the PHI

pertains◦ When PHI is disclosed to DHHS

Patient’s may request that amendments be added to the patient medical record

Request can be required to be in writing Request could be denied, but…..

◦ The request and the reason for the denial will need to be kept in the patient’s medical record

60 days to comply with the request

The six components of the Notice◦ Information regarding uses and disclosures of

PHI◦ Clarification of individual rights◦ Covered entities responsibilities (CPN)◦ How to file complaints◦ Contact information for more information◦ Effective date of the notice

Acknowledgement of receipt by the patient

•To request an accounting of health

information disclosures

•To request an amendment to their health

information

•Inspect and copy their health information

•To receive confidential communications

about their health information

•To request restrictions on uses or disclosures

•To complain to the covered entity and to

the secretary of the Department of Health

and Human Services

Accessing Employee Medical Records Training the front desk: NPP Training Medical Record Staff

◦ Processing releases of information Security Basics

◦ Not leaving Computers unattended◦ Sharing passwords◦ The foot prints of the computer

14

Blah Blah Blah

http://www.hhs.gov/ocr/hipaa/ HIPAA: The questions you

didn’t know to ask ISBN: 0-13-114426-X