hipaa workforce training privacy and hipaa mandatory completion of training is mandatory under hipaa...

HIPAA Workforce Training PRIVACY and HIPAA

Upload: allyson-mclaughlin

Post on 01-Jan-2016


TRANSCRIPT

Page 1: HIPAA Workforce Training PRIVACY and HIPAA MANDATORY Completion of training is mandatory under HIPAA for the entire workforce of the MHRB Including volunteers,

HIPAA Workforce Training

PRIVACY and HIPAA


MANDATORY

Completion of training is mandatory under HIPAA for the entire workforce of the MHRB, including volunteers, like yourselves.

What is HIPAA?

In 1996 President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA). This new law was enacted as part of a broad congressional attempt at incremental healthcare reform.

HIPAA has two primary purposes. One is to provide continuous insurance coverage for workers who change jobs, and the other is to “reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper”.


HIPAA Workforce Training

HIPAA requires that the MHRB create HIPAA policies and procedures that may affect your work as a Board member.


This HIPAA Training Program will answer…

What does HIPAA do?

Who has to follow the HIPAA law?

What is Protected Health Information?

When do we start?

How does HIPAA affect you?

Why is HIPAA important?

What does HIPAA do?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law that…

– Protects the privacy of a client’s personal and health information

– Provides for electronic and physical security of personal and health information

– Simplifies billing and other transactions


An Overview of the Law

HIPAA: Health Insurance and Portability Act of 1996

Title I: Portability

Title II: Administrative Simplification

    EDI: Transactions, Code Sets, Identifiers

    PRIVACY: Use and Disclosure of PHI, Individual Rights, Administrative Requirements

    SECURITY: Administrative Procedures, Physical Safeguards, Technical Security Services, Technical Security Mechanisms

Title III: Medical Savings Accounts

Title IV: Group Health Plan Provisions

Title V: Revenue Offset Provision


HIPAA is the FLOOR

HIPAA regulations are the minimum starting point for protecting health information and do not supersede any rules, regulations, or standards that are more stringent. For example, if ODMH rules are more stringent than HIPAA rules, we must follow the ODMH rule.


Organizational and Administrative Requirements

A Privacy Officer must be appointed to implement and develop privacy policies and procedures for the agency.

Must train all employees (current and new) on privacy policies and procedures.

Must amend all business associate contracts to establish the permitted and required uses and disclosures of PHI.

Must verify the identity and authority of person requesting PHI.


Organizational and Administrative Requirements

Must disseminate a notice of our privacy practices to existing clients and all new clients and within 60 days of any material revision.

Must notify clients every 3 years of the availability of the notice.

A covered entity with a website must post their notice on the web.


Organizational and Administrative Requirements

Must document compliance with notice requirements and keep copies of notices issued.

Must document who is responsible for receiving and processing client inquiries regarding his/her PHI.


Organizational and Administrative Requirements

Must provide a process for individuals to make complaints and document such complaints and their disposition.

Must develop anti-retaliation policy.


Who has to follow HIPAA?

Everyone!

Who Is Impacted?

Health care providers – A provider of medical, psychiatric, or other health services, and any other person or entity furnishing health care services or supplies.

Health plans – An individual or group health plan that provides or pays the cost of medical care.

Clearinghouses – A public or private entity that processes or facilitates the processing of non-standard data elements of health information into standard data elements and who transmits any health information in electronic form in connection with a transaction covered in the legislation.

Business Associates and Trading Partners

Business Associate

A person or entity to whom a covered entity discloses protected health information, to perform a function on behalf of or to provide services to a covered entity.

Includes lawyers, accountants, consultants, and accrediting agencies.

Must have a contract obligating them to safeguard protected health information.

Business Associate Contracts

Must establish the permitted and required uses and disclosures of protected health information by the business associate and may not authorize further disclosure in violation of the regulations.

If the covered entity knows of a practice or pattern of activity that constitutes a material breach of the business associate’s obligations under the contract, the covered entity must take reasonable steps to ensure cure of the breach or terminate the contract or report the problem to the Secretary of Health and Human Services.

Business Associate Obligations

Must not use or disclose protected health information in violation of the law or contract.

Implement safeguards against improper use or disclosure.

Ensure that any agents or subcontractors agree to fulfill contractual and legal obligations.

Afford individual access to records; make available records for amendment by the individual; account to the individual for use or disclosure other than for payment, treatment, or operations.

At termination of the contract, return or destroy protected health information.

What Is Impacted?

TRANSACTIONS

A transaction is the exchange of information between two parties to carry out financial and administrative activities related to health care. It includes:

– Health claims or encounter information,

– Health care payment and Explanation of Benefits (EOB),

What Is Impacted? Transactions Continued

Coordination of benefits,

Enrollment/disenrollment in a health plan,

Eligibility for a health plan,

Health plan premium payments,

Referral certification and authorization,

First report of injury, and

Health claims attachments.


What Is Impacted?

PROTECTED HEALTH INFORMATION

Protected Health Information is defined as any information, whether oral or recorded, in any form or medium, that-

(A) Is created or received by a provider, health plan, public health authority, employer, life insurer, school, or clearinghouse; and

(B) Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

What is considered Protected Health Information?

A person’s name, address, birth date, age, phone and fax numbers, e-mail address

Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test results

Billing records, claim data, referral authorizations, explanation of benefits

Research records


The Board may create, use and share a person’s PHI for:

Treatment

Billing and Payment

Agency Business Management and Operations

Disclosures Required by Law

Public Health and Other Governmental Reporting

PHI Consent

Some uses and disclosures of PHI do not require consent. The use and disclosure of protected health information relating to treatment, payment, or health care operations does not require prior written consent.


Minimum Necessary Rule

When using or disclosing Protected Health Information (PHI) or when requesting PHI from another covered entity, The Board must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, unless an exception applies.

Minimum Necessary Rule Exceptions

The minimum necessary requirement does not apply in the following instances:

Disclosures to or requests by a health care entity for purposes of treatment.

Uses or disclosures made to the individual who is the subject of the PHI.

Uses or disclosures made pursuant to a valid authorization initiated by the individual.

Disclosures to the secretary of the Department of Health and Human Services (HHS).

Uses or disclosures that are required by law.

Uses or disclosures required for compliance under HIPAA, including compliance with the implementation specifications for conducting standard data transactions.


Requests for Disclosure

The Board may rely on a request for disclosure as the minimum necessary for the stated purpose when:

Making permitted disclosures to public officials, if the public official represents that the information is the minimum necessary for the stated purpose(s).

The information is requested by another covered entity.

The information is requested by a professional who is a member of The Board’s workforce or is a business associate of Board for the purpose of providing professional services to The Board if the professional represents that the information requested is the minimum necessary for the stated purpose(s).

The information is requested for research purposes and the person requesting the information has provided documentation or representations to The Board verifying such intended purpose.

Using and Disclosing PHI Without Consent

When a disclosure is required by federal, state, or local law, judicial or administrative proceedings, or law enforcement.

Disclosure without your consent can occur in certain emergency treatment situations.

To avoid harm.

For specific government functions.

For workers' compensation purposes.

Appointment reminders and health-related benefits or services.

For fundraising activities, public health activities, organ donations, and for research purposes.


Verification

In certain instances, as permitted or required by law, The Board can or must disclose an individual’s PHI, even where there is no specific consent or authorization from the individual to do so.

No PHI will be disclosed without precautions being made to assure that the identity of the person requesting PHI information is verified and that they have the authority to have access to the information requested.


Verification of Identity

When the identity of the person seeking disclosure of an individual’s PHI is not known to The Board, verification of the person’s identity is as follows:

If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status.

If the request is in writing, the request is on the appropriate government letterhead or other accepted proof of identity is documented.

If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.

Verification of Authority

To verify the authority of a public official, The Board may rely on any of the following:

1. A written statement of the legal authority under which the information is requested, or

2. If a written statement is impracticable, an oral statement of such legal authority,

3. If a request is made pursuant to legal process, a warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal will be presumed to constitute legal authority.


Privacy Notice

Every client is provided with a Notice of Privacy Practices upon enrollment at a contract agency. The Notice describes:

– How the MHRB can use and share protected health information, and

– Every client’s privacy rights

The privacy notice is also published on the MHRB’s web page.

Copies of the Notice of Privacy are available from the Privacy Officer or Secretary.

Clients’ PHI Rights

One of the purposes of the new HIPAA rule is to give clients more control over their PHI. Such as:

The right to request limits on uses and disclosures of their PHI.

The right to choose how the agency sends PHI to them.

The right to view and obtain copies of their PHI.

The right to correct or update their PHI.

How do clients exercise these rights?

Special forms to request changes, corrections, copies, etc. are available from the Privacy Officer.


What client information must be protected?

We must protect a client’s personal and health information that:

– Is created, kept, filed, used or shared

– Is written, spoken, electronic or digital

As already stated, HIPAA defines client personal and health information as Protected Health Information or “PHI” for short.

When do we start?

NOW!

How will HIPAA affect your duties?

If you currently see, use, share and/or create a person’s protected health information as part of your job or duties, HIPAA will change the way you work.

You must protect the privacy of the protected health information of clients and of the MHRB’s workforce.

When can you use PHI?

ONLY to do your job or duties!

At all other times, protect a client’s information as if it were your own information!


How can you use PHI?

You may look at a person’s PHI only if you need it to do your job or duties.

You may use a person’s PHI only if you need it to do your job or duties.

You may give a person’s PHI to others when it is necessary for them to do their jobs.

You may talk to others about a person’s PHI only if it is necessary to do your job or duties.

Why is HIPAA important?

Protecting privacy is important!

We all want our PHI to be private

Our clients want their PHI to be private

It’s the right thing to do

It’s the law

What can happen if we don’t follow HIPAA?

Someone who does not protect a person’s personal and/or health care privacy could:

– Lose his/her job

– Pay fines

– Go to jail

Fines?

Fines range from $50,000 to $250,000 per incident

Jail?

Jail terms can be up to 10 years per incident

Did you know….?

The Board must protect your personal health information with as much diligence and security as we protect clients’ PHI.


When do we have to protect PHI?

NOW!

HIPAA Stories

Please read the following two HIPAA stories carefully as you will be asked to discuss them on the quiz.


HIPAA Story #1: Annie

After serving on the client’s rights appeal committee, I ran into the customer, Annie, who filed the appeal, at the grocery store. She came up to me and started talking about her appeal, the medications she was placed on and how she was not feeling any better. I told her I could not discuss her appeal, that it was confidential, and that it takes time for some medications to work.

Did I do the right thing?


HIPAA Story #2: Barry

I happened to be using the copier in the MHRB office when a fax arrived. I did not read any of the details but recognized the client name on the incident report. I did not do anything with the information and kept it to myself.

Did I do the right thing?


Where to Find Out More About HIPAA

The Privacy Notice is on the agency’s Internet Website: www.whmhrb.org

Contact Kim Tapie, Compliance and Privacy Officer with questions and/or concerns

Review HIPAA materials in the Board’s Operations Manual

The End!

Congratulations! You have completed The HIPAA Privacy Training.