The Health Insurance Portability and Accountability Act

What is it? & How will it affect us?

Who Needs Training and Why
- Employees who come in contact with Protected Health Information are federally required to attend training
- Departments listed later

This presentation is designed to:
- Familiarize you with HIPAA regulations
- Familiarize you with our policies and procedures regarding protected health information (PHI)
- Ensure federal compliance
- Our policies will be listed at

Summary of the Law
- To improve portability and continuity of health insurance coverage in the group and individual markets
- To combat waste, fraud, and abuse in health insurance and health care delivery
- To simplify the administration of health insurance, and for other purposes

What Exactly is HIPAA?
- Public Law 104-191 (1996)
- Overseen by the Centers for Medicare and Medicaid Services (CMS) for the transaction and code set standards; the Privacy Rule is enforced by the HHS Office for Civil Rights (OCR)
- A federal law designed to:
  - Give patients control over how their Protected Health Information (PHI) may be shared between health care providers and other covered entities
  - Ensure confidentiality of PHI

Protected Health Information
- Protected Health Information (PHI) is any Individually Identifiable Health Information (IIHI) that is:
  - Created or received by a health care provider, health plan, employer or health care clearinghouse
  - Related to the past, present or future physical or mental health or condition of an individual
  - Transmitted or maintained in any form or medium
- Examples: medical charts, problem logs, photographs, communications between professionals, health insurance policy numbers

Individual Identifiers Courtesy of
1. Names
2. Geographic subdivisions smaller than a state: street address, city, county, precinct, ZIP code and their equivalent geocodes, except for the initial three digits of the ZIP code
3. Dates, except year: birth date, admission date, discharge date, date of death
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
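The identifier list above is the Safe Harbor method of de-identification, and the Privacy Rule facts later in this deck note that de-identified PHI falls outside the rule. The following Python function, an added example that is not part of the original presentation, applies those rules to one record: it keeps only an allow-listed set of non-identifying fields, reduces dates to the year, truncates ZIP codes to three digits, and drops everything else, including free text. The field names, the sample record and the RESTRICTED_ZIP3 set are constructed assumptions. Two details of the rule that the slide does not list are included, because a scrubber that omits them is not Safe Harbor compliant: three-digit ZIP prefixes covering 20,000 or fewer people must be reported as 000, and ages over 89 must be aggregated into a single bucket.

```python
"""Safe Harbor de-identification of one patient record.

Added example, not code from the original presentation. Field names,
the sample record and RESTRICTED_ZIP3 are constructed assumptions.
"""
import re
from datetime import date

# Fields carried through unchanged. Everything not named here or in the
# transform tables below is dropped: the 18th category ("any other unique
# identifying number, characteristic, or code") argues for an allow-list,
# not a deny-list of identifiers you happen to know about.
RETAINED_FIELDS = {"sex", "state", "diagnosis_code", "procedure_code"}

# Date elements: only the year survives.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

# ASSUMED placeholder. The rule requires that three-digit ZIP prefixes
# covering 20,000 or fewer people (per Census data) be reported as "000";
# the real set comes from that data, not from this list.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Ages over 89 are aggregated into one bucket under the rule.
AGE_CAP = 90


def deidentify_zip(zip_code):
    """Keep only the first three digits of a five- or nine-digit ZIP."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None            # malformed: drop rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def deidentify_date(value):
    """Reduce a date or ISO-8601 string to its year; None if unparseable."""
    if isinstance(value, date):
        return value.year
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value or ""))
    return int(m.group(1)) if m else None


def deidentify_age(age):
    """Cap ages at AGE_CAP so patients over 89 are indistinguishable."""
    if age is None:
        return None
    return min(int(age), AGE_CAP)


def deidentify(record):
    """Return a new dict containing only Safe Harbor-permitted fields."""
    out = {}
    for field, value in record.items():
        if field in RETAINED_FIELDS:
            out[field] = value
        elif field in DATE_FIELDS:
            out[field + "_year"] = deidentify_date(value)
        elif field == "zip":
            out["zip3"] = deidentify_zip(value)
        elif field == "age":
            out["age"] = deidentify_age(value)
        # any other field (name, MRN, SSN, free-text notes, ...) is dropped
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "birth_date": "1910-03-15",
    "admission_date": date(2003, 4, 14),
    "age": 93,
    "zip": "48859-1234",
    "state": "MI",
    "sex": "F",
    "diagnosis_code": "J45.20",
    "notes": "Patient seen with spouse John Example; call 989-555-0100.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The allow-list matters more than any single rule: the eighteenth category covers any other unique identifying number, characteristic or code, so a scrubber that only removes known fields will pass through whatever the next intake form adds. Free text such as chart notes is dropped here because reliably scrubbing names and phone numbers out of prose is a separate problem; narrative fields are normally handled by manual review or by the expert-determination method rather than by Safe Harbor.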

What entities are covered?
- Health plans
- Health care clearinghouses
- Any health care provider who transmits health information in electronic form in connection with a HIPAA standard transaction (for example, electronic billing)

CMU as a Covered "Hybrid" Entity
- Hybrid Entity: a single legal entity that is a Covered Entity and whose Covered Functions are not its primary functions
- CMU's primary purpose is to educate
- We also perform health care related functions
- This designation allows us to apply HIPAA to the specific areas that perform covered functions, rather than to the whole university

CMU as a Covered "Hybrid" Entity
Departments Affected
- HR Comp and Benefits: Self-funded Dental and Prescription Plan (a covered entity because it is a health plan)
- University Health Services (a covered entity because it is a provider who bills electronically for care and devices)
- Communication Disorders: Speech Pathology and Audiology (a covered entity because it is a provider who bills electronically for care and devices)

HIPAA Inside the "Hybrid"
Internal support entities
- General Counsel
- Internal Audit
- Accounts Receivable
- Faculty Personnel
- Human Resources: Employee Relations
These areas deal either with disciplinary regulations, grievances, or health care related transactions. It is not practical for these areas to obtain prior authorization before reviewing a file, so they are treated as internal support functions of the hybrid entity.

HIPAA Inside the "Hybrid"
Possible future covered entities:
1. Physician Assistant Program
2. Psychology clinic
3. Physical Therapy Program
As of now they are not billing electronically, and therefore are not covered entities

HIPAA outside the "Hybrid" (therefore not covered)
- Information Technology
- Special Olympics
- International Student Services
- Office of International Education
- Student Disability Services
Where does the information come from and/or go to? If it is not received from or sent to a provider or plan, then it is not considered PHI

FERPA: The Family Educational Rights and Privacy Act
- Protects the privacy of student education records
- Unique to universities
- Especially relevant to CMU's UHS and CDO
- We serve employees, students, and members of students' families, all as patients
- Disclosure rules are not consistent between the two laws; HIPAA's definition of PHI excludes education records covered by FERPA, so student records and all other records must be treated differently
- This is extremely difficult, but doable
- The necessary Directors will have a "Flow Chart" regarding proper procedures for the two

Four Components of HIPAA's Administrative Simplification
- Transaction Standards & Code Sets: to create a uniform method of electronic communication
- Security & Electronic Signature Standards: to guard data integrity, confidentiality, and availability
- National Provider Identifier
- Privacy Rule: to ensure that Protected Health Information (PHI) is kept confidential; the concentration of this presentation

Privacy Rule
- All covered entities must be in compliance by 4/14/03 (small health plans were given until 4/14/04)
- Beyond that there are no exclusions or extensions available, and no paperwork to submit to prove compliance

Privacy Rule
- Establishes safeguards to protect the confidentiality of medical information
- Gives patients more control over their health information
- Limits use and release of information to the minimum necessary
- Sets boundaries on the use and release of health records

Privacy Rule
- Enables patients to find out how their information may be used, and to obtain an accounting of the disclosures of their information that have been made to business associates or other parties
- Gives patients the right to examine and obtain copies of their own health records, and to request corrections

Privacy Rule - Consent
- The Privacy Rule was most recently amended on 8/14/02
- Consent to use and disclose protected health information for treatment, payment, or health care operations (TPO) is not required; it is optional for all covered entities

Privacy Rule - Consent
- A covered entity must make a "good faith effort" to obtain a written acknowledgment (from the patient) of receipt of the facility's Notice of Privacy Practices (NPP) at the earliest possible encounter. If the patient refuses to sign, the provider must document the effort that was made and the reason an acknowledgment was not obtained
- The NPP can be a summary statement of the provider's comprehensive NPP, with reference to the entire NPP being available to the patient for examination
- The NPP must be visibly posted at all times

Privacy Rule - Consent
- Covered entities are not prohibited from obtaining consent and have complete discretion in designing their individual consent process
- State law requirements may be more stringent and therefore supersede the federal requirements

Notice of Privacy Practices
- The NPP reflects your dedication to privacy and must be available for patient review
- Copies of the NPP must be on display in each waiting room
- Written copies of the NPP must be available on request
- A copy of the NPP needs to be posted on the web site
- The NPP informs patients that you will not release their PHI except as stated in your Notice

Notice of Privacy Practices
- The NPP states that you are required to abide by the terms of your current Privacy Notice
- The NPP instructs patients how to file a privacy complaint
- The NPP indicates how you will send information (mail, fax, electronic, etc.)
- You must make a "good faith effort" to obtain a patient's written acknowledgment of receipt of the notice

Consent & Authorization
Consent
- A general document giving health care providers permission to use & disclose all PHI for treatment, payment or health care operations (TPO)
- It gives permission only to the provider, and not to any other person or business associate
- Not required, but optional

Authorization
- A customized document giving covered entities permission to use specified PHI for specified purposes, or to disclose specified PHI to a third party
- It is more specific & detailed than consent, and it is usually time sensitive

- Authorization is required for uses and disclosures of PHI for purposes that are not otherwise permitted or required under the Privacy Rule. Examples:
  1. Sale of patient mailing lists
  2. Disclosing information to employers for employment decisions
  3. Disclosing information for life or disability insurance
- Covered entities are required to document & retain authorizations and to provide individuals with a copy of the signed authorization form
- Patients will need to grant authorization in advance for each type of use or disclosure

HIPAA Privacy Rule Facts
- The rules apply to all oral, written, or electronic records of covered entities
- HIPAA prohibits the use of records for marketing without prior, specific authorization by the patient
- PHI that has been de-identified is not subject to the Privacy Rule
- A HIPAA team must be appointed by each covered entity
- The facility's Notice of Privacy Practices (NPP) should be posted in public (on the web site & in waiting rooms), with copies available on request
- Must assign a Privacy Officer
- Should assign an Electronic Transaction Officer
- Must assign a Security Officer

HIPAA Privacy Officer
- Must have authority and independence
- Is responsible for developing and implementing the HIPAA compliance plan
- Is responsible for enforcement & sanctions
- Designates contact persons responsible for receiving complaints and monitoring patient contacts

Campus Wide Planning
- Knowledge
- Initial training of workforce
- Policy revision and drafting: the list is endless
- Firewall and software development, implementation and testing
- Ongoing analysis and refinement

Preparing for HIPAA Compliance
- Enter into new contracts with Business Associates (BA)
- Develop written policies & procedures
- Documentation procedures
- Conduct a site survey of your own facility
- Site survey Q's for your own facility

Preparing for HIPAA Compliance
Enter into new contracts with Business Associates (BA)
- BAs are persons or organizations outside the covered entity's workforce who perform a function or activity on its behalf involving the use or disclosure of IIHI
- Covered entities are allowed to share PHI with a BA, provided that a written agreement safeguarding such information from misuse is signed by both the provider and the BA
- A BA contract is not needed when PHI is disclosed to another covered entity acting in its own capacity (for example, to another provider for treatment)

Preparing for HIPAA Compliance
Enter into new contracts with Business Associates (BA)
Types of Business Associates:
- Claims processing or administration
- Data analysis, processing or administration
- Utilization review
- Billing
- Benefit management
- Computer work
- Legal work
- Actuarial work
- Accounting work
- Transcriptionists
- Accreditation work
- Cleaning service
- Consulting work
- Marketing

Preparing for HIPAA Compliance
Develop Written Policies & Procedures
- Decide who is responsible for determining "minimum necessary" data
- Develop a records management plan
- Determine who will keep records
- Determine how records will be kept
- Teach proper documentation

Preparing for HIPAA Compliance
Documentation Procedures
- Create record logs:
  - Log information given in response to patient authorization
  - Log information given in response to legal requests for PHI
  - Log patient requests for amendments or restrictions to your Privacy Policy
- PHI disclosures must be kept a minimum of 6
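The record logs above are the raw material for the accounting of disclosures that the Privacy Rule slides say patients are entitled to. The following Python class, an added example that is not part of the original presentation, keeps an append-only disclosure log in which each entry is hashed together with the previous entry's hash, so a deleted or altered entry is detectable, and answers an accounting request over a six-year window. The entry fields, the patient references and the sample disclosures are constructed.

```python
"""Hash-chained accounting-of-disclosures log.

Added example, not code from the original presentation. Entry fields,
patient references and the sample disclosures are constructed.
"""
import hashlib
import json
from datetime import date

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash, entry):
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def window_start(as_of, years=6):
    """First date inside the accounting window ending at as_of (str or date)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:  # Feb 29 with no leap day in the target year
        return as_of.replace(year=as_of.year - years, day=28)


class DisclosureLog:
    """Append-only list of disclosure entries, each chained to its predecessor.

    A modified or removed entry breaks every later hash, so tampering is
    detectable by anyone holding the log, without the original records.
    """

    def __init__(self):
        self.entries = []

    def record(self, disclosed_on, patient_ref, recipient, description, purpose, basis):
        # basis: "authorization" or "legal_request", the two log types on the slide
        entry = {
            "date": disclosed_on if isinstance(disclosed_on, str) else disclosed_on.isoformat(),
            "patient_ref": patient_ref,  # internal reference, never the PHI itself
            "recipient": recipient,
            "description": description,
            "purpose": purpose,
            "basis": basis,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry["hash"] = _digest(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken entry, or None if the chain holds."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if _digest(prev, body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def accounting(self, patient_ref, as_of, years=6):
        """Disclosures for one patient within the window ending at as_of."""
        start = window_start(as_of, years)
        return [
            e for e in self.entries
            if e["patient_ref"] == patient_ref and date.fromisoformat(e["date"]) >= start
        ]


def build_sample_log():
    """Constructed sample: three disclosures for two fictional patients."""
    log = DisclosureLog()
    log.record("2003-05-01", "P-1001", "Example Life Insurance Co.",
               "Audiology evaluation summary", "life insurance underwriting", "authorization")
    log.record("2003-06-15", "P-1001", "County circuit court (constructed)",
               "Speech therapy progress notes", "subpoena", "legal_request")
    log.record("2010-01-09", "P-2002", "Workers' compensation carrier",
               "Hearing test results", "claim review", "authorization")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify() is None)
    print(sample.accounting("P-1001", "2009-06-01"))
```

Two design points: the log stores a patient reference rather than PHI, so the log itself is not a second copy of the record it accounts for, and the chain only proves that the log has not been edited since it was written; protecting the log file from replacement is a matter of file permissions and off-host copies, not of the hash.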


Preparing for HIPAA Compliance
Conduct a Site Survey of Your Own Facility
- Walk through the facility from the patient's point of view. Look for visible or audible PHI, including information on tables & desks, in waste cans, on computer monitors, on fax machines, or overheard on telephones

Preparing for HIPAA Compliance
Site Survey Q's for Your Own Facility
- Are patient records secure?
- Are there individual & unique passwords assigned for computer systems (no shared logins)?
- Are collection calls or calls regarding other PHI made in a private location?

Why should we care about the HIPAA rules?
- CMU is a hybrid entity: some parts of the university must comply fully as a covered entity (e.g. Speech & Hearing Clinics), other portions are not affected at all by HIPAA (e.g. English Dept.), and other parts are indirectly affected (e.g. Accounts Receivable)
- As a single, hybrid entity, if any one part of the university is found to be out of compliance, all other covered parts can be investigated
- HIPAA is designed to empower the patient/consumer
- HIPAA ideally will minimize cost over the long term

Why should we care about the HIPAA rules?
Criminal Penalties
- Failure to comply: fines & possible exclusion from Medicare
- Wrongful disclosure: up to $50,000, imprisonment of up to one year, or both
- Offense under false pretenses: up to $100,000, imprisonment of up to five years, or both
- Offense with intent to sell information: up to $250,000, imprisonment of up to ten years, or both

HIPAA Web Links
