Slide1
HIPAA Training:
Health Insurance Portability and Accountability Act
Slide2
Introduction
This presentation will:
Provide transportation providers with information necessary to ensure that member’s/recipient’s health information is regarded with the highest privacy and security.
Provide transportation providers with information necessary to meet the latest standards for privacy and security set forth by the governing agencies.
Focus on the daily functions of the transportation providers with regard to ensuring member’s/recipient’s privacy and security.
Slide3
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996.
The Department of Health and Human Services (HHS) implemented the final Privacy Rule on April 14, 2003.
The compliance date for the Security Standards was April 20, 2005.
The HITECH Act of 2009 widened the scope of privacy and security protections available under HIPAA.
Slide4
The Privacy Rule
Ensures nationwide uniform procedural protection for all health information.
Imposes restrictions on the use and disclosure of Protected Health Information (PHI).
Gives people greater access to their medical records.
Provides people with more control over their health information.
Slide5
Security Rule
Whereas the Privacy Rule deals with PHI in general, the Security Rule deals with electronic PHI (“ePHI”).
The scope of the Security Rule for electronic PHI was greatly expanded in 2009 under the American Recovery & Reinvestment Act.
Slide6
ARRA 2009
The HITECH Act of the American Recovery & Reinvestment Act of 2009 (ARRA) imposes new obligations on a covered entity (CE) and business associate (BA).
Breach Notification
BA directly responsible for compliance with the Security Rule and directly liable for violations of the Security Rule and breaches.
Slide7
HIPAA Expectations
Use or disclose PHI only for work related purposes.
Limit uses and disclosures to the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request.
Exercise reasonable caution to protect PHI under your control.
Understand and follow MTM privacy policies.
Report any privacy problems to your supervisor and your MTM contact immediately.
Slide8
Protected Health Information (PHI)
Individually identifiable health information…that is
A. Transmitted by electronic media;
B. Maintained in electronic media; or
C. Transmitted or maintained in any other form or medium.
When an MTM member, agency or health provider gives personal health information to MTM, that information becomes PHI.
Slide9
Examples of PHI
Information that might connect personal health information to an individual includes:
Individual’s name or address
Social Security or other identification number
Medicaid or Medicare number
Physician’s or other health care provider’s personal notes
Billing information
Slide10
Use or Disclosure of PHI
HIPAA’s Privacy Rule covers the use and disclosure of PHI; it is designed to minimize careless or unethical disclosure. PHI can’t be used or disclosed unless it is permitted or required by the Privacy Rule.
PHI is used when:
-Shared
-Examined
-Applied
-Analyzed
PHI is disclosed when:
-Released/transferred
-Accessed
in any way by anyone outside the entity holding the information.
Slide11
Use or Disclosure of PHI
PHI may be shared when it’s for “TPO.”
Treatment: management of healthcare and related services that includes coordination among healthcare providers.
Payment: various activities of healthcare providers to obtain payment or be reimbursed for their services.
Healthcare Operations: certain administrative, financial, legal and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of Treatment and Payment.
Slide12
Use or Disclosure of PHI
Transportation Providers are permitted to use or disclose PHI for:
Scheduling trip information
Confirming special needs or adaptive equipment
Incidental use such as talking to a facility or medical provider
Slide13
Minimum Necessary
Use or disclosure of PHI should be limited to the minimum amount of health related information necessary to accomplish the intended purpose of the use or disclosure.
MTM has developed policies and procedures to make sure the least amount of PHI is shared.
If you have no need to review PHI, then stop!
Slide14
Maintaining Privacy
Written
Keep information in a folder during business hours and lock drawers after hours.
Shred documents containing PHI after use.
Keep a minimal amount of information in hard copy format.
Do not leave documents unattended at printer or Xerox machines.
Slide15
Maintaining Privacy
Telephone
Leave the minimal information necessary on voice mail or answering machines regarding confirmation of trips, or ask the member to return the call to confirm.
Slide16
Maintaining Privacy
Faxes
Always include a cover sheet. The cover sheet should:
state that it is a confidential document,
give a contact if the fax is received in error, and
spell out the HIPAA language.
Verify the fax number before sending.
Slide17
Maintaining Privacy
Email
Emails containing PHI must be sent securely.
Follow all directions for secured email.
Do not enter any PHI in the subject line.
Slide18
Maintaining Privacy
Workstation, Common Areas, and Vehicles
Always lock access to computer with a password and use privacy notice.
Remove documents containing PHI from copiers and printers as soon as possible.
Keep PHI in a folder or upside down during working hours.
Remove PHI from desk or vehicle and place in a locked drawer at the end of the work day.
Do not discuss PHI in public areas.
Slide19
Privacy Practices Designed to Protect PHI
Verify the identity and the authority of the requestor before releasing PHI.
Transmit PHI by telephone only when it cannot be overheard.
When leaving messages, limit the information left to the member’s name, a request to return the call, and your name and telephone number.
Slide20
Misuse of PHI
Misuse of PHI can result in civil and criminal sanctions:
Civil penalties: up to $25,000/year for inadvertent violations. Up to $250,000 for “willful neglect”. Up to $1.5 million for repeated or uncorrected violations.
Criminal penalties: up to $250,000 fine and prison sentence up to 10 years for deliberate violations.
Sanctions by the Department of HHS.
Penalties related to not meeting contractual obligations.
Slide21
Examples of Misuse of PHI
A South Dakota medical student took home copies of 125 patients’ psychiatric records in order to work on a research project. When finished, he disposed of the material in the dumpster of a fast food restaurant, where they were found by a newspaper reporter.
In Florida, several hundred hospital workers browsed through the records of a famous patient who had recently come to the facility, even though few of the workers were actually involved in the case.
Slide22
Reporting Misuse of PHI
Report incidents of accidental or intentional disclosure to your immediate supervisor and to MTM.
No adverse action will be taken against anyone who reports, in good faith, any violation or threatened violation of the Privacy Rule, the Security Rule or related policies.
MTM must report to DHSS all uses or disclosures not permitted by the Business Associate provisions of the contract or HIPAA.
Slide23
Breach of Electronic PHI (ePHI)
The HITECH Act imposes data breach notification requirements for unauthorized uses and disclosures of unsecured (unencrypted) PHI.
Breach – the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the information.
Slide24
Examples of Breach of ePHI
Theft of 57 hard drives at an insurance company’s training facility, including images from computer screens containing data that was encoded but not encrypted.
Theft of a laptop containing PHI. The laptop was password protected but not encrypted.
Slide25
Breach Notification
Notice to the individual of a breach of his/her PHI is required under the ARRA HITECH Act.
Breaches involving the PHI of more than 500 persons in one circumstance must be immediately reported to HHS by the covered entity (for posting on the HHS site).
Business Associates must report security breaches to the covered entity.
Slide26
Enforcement of Privacy and Security
The Office of Civil Rights has enforced the Privacy Rule since 2003.
CMS has enforced the Security Rule since 2005.
As of July 27, 2009, HHS has delegated enforcement of both rules to the Office of Civil Rights.
Slide27
Resources
Centers for Medicare & Medicaid Services – HIPAA: www.cms.hhs.gov/SecurityStandard/
Office of Civil Rights: www.hhs.gov/ocr/hippa/
US Department of Health & Human Services: www.hhs.gov
Slide28
Glossary
Business Associate: A person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Protected Health Information: Individually identifiable health information.
Minimum Necessary Information: The current practice is that protected health information (PHI) should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.