HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

Size: px

Start display at page:

Download "HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT"

Juliana Stevenson
6 years ago
Views:

1 HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT COMPLIANCE TRAINING Part 1: Privacy The HIPAA Privacy Rule requires the apprpriate use and disclsure f a patient's persnal health infrmatin and cntains regulatins that all healthcare prviders must fllw fr cmpliance t prtect patient privacy. The intent f the privacy regulatins is nt t restrict access t care r prevent necessary cmmunicatin between healthcare prviders, r agencies that prvide vital services t patients. The patient and a healthcare wrker directly invlved with the care f the patient autmatically have access t prtected patient infrmatin. In general, the Privacy Rule des the fllwing: Terminlgy 1. Impses new restrictins n the use and disclsure f persnal health infrmatin 2. Gives patients mre access t their medical recrds 3. Gives patients mre prtectin f their medical recrds PHI Cvered Entity Use Disclse Ntice f Privacy Practices Acknwledgment f Receipt Authrizatin Prtected Health Infrmatin, referring t any health infrmatin that can be used t identify a specific individual. Refers t any health plan, healthcare clearinghuse r healthcare prvider wh transmits health infrmatin in electrnic frm in cnnectin with a HIPAA transactin, such as billing and claims. Refers t hw PHI is used r shared by a cvered entity r business assciate f a cvered entity. Refers t hw PHI is released, transferred and/r divulged utside the rganizatin, including claims fr payment, discharge summaries, and released hspital recrds. A dcument describing an rganizatin's bligatins, plicies and prcedures and the patient's rights regarding PHI. A dcument signed r initialed by an individual t acknwledge receipt f the Ntice f Privacy Practices. A dcument signed by an individual that authrizes specific uses r disclsure f PHI fr purpses ther than fr treatment, payment r healthcare peratins. Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

2 Key Pints Patients have a right t determine hw their health infrmatin is used and shared. The rule specifically states that treatment may prceed, even if the acknwledgment f receipt f the Ntice f Privacy Practices is nt btained at the time f treatment. HIPAA des nt supersede mre stringent state law. Requests fr access t prtected health infrmatin must be presented in writing. All cvered healthcare facilities will have a prcess t btain written permissin (cnsent) t use r disclse PHI Please review facility specific HIPAA plicies and guidelines. HIPAA privacy relates t all patient recrds and health infrmatin in all media and frmats, including verbal cmmunicatins. What is prtected health infrmatin (PHI)? When a patient gives persnal health infrmatin t a cvered entity, the infrmatin becmes prtected health infrmatin (PHI). PHI includes any infrmatin (such as ral, recrded, written, r sent electrnically) abut a persn s physical r mental health, services rendered r payment fr thse services. This includes any persnal infrmatin cnnecting the patient t the recrds, such as the persn s name, scial security number, physician s persnal ntes, and billing infrmatin. PHI cannt be used r disclsed by anyne unless it is permitted r required by the Privacy Rule. PHI is infrmatin that is prtected under privacy regulatins because it can be used t identify a specific individual. Prtected Health Infrmatin (PHI) pertains t: Present, past r future healthcare. Physical, mental r scial cnditin. Payment infrmatin. Examples f Prtected Health Infrmatin (PHI) use: When a medical assistant enters the date, weight, current medicines and reasn fr an ffice visit in the patient chart. When members f a hspital's quality assurance cmmittee use PHI as part f their wrk. When a physician makes an entry in a patient s ffice r hspital chart. What is a Ntice f Privacy Practices? Adequate ntice f the use r disclsure f PHI must be given t patients. This must be accmplished n the first date f service r as sn as pssible after an emergency. If the privacy practices f a facility change, ntice must be given t patients f the changes. Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

3 The fllwing must be included n the ntice f privacy practices: Patient rights and the cvered entities legal duties The ntice must be in writing The ntice must be displayed at the site f service and psted n a web site, if apprpriate A written acknwledgment f receipt f ntice must be btained frm the patient. If such is nt pssible, the reasns must be dcumented. Cpies f all ntices and acknwledgments must be retained. What are the patient privacy rights under Privacy Rules? Patients have a right t receive the Ntice f Privacy Practices Patients have the right t restrict use and disclsure f their PHI, althugh the facility is nt required t agree Patients have the right t have PHI cmmunicated t them by alternative means and lcatins t prtect cnfidentiality Patients have a right t amend the PHI and btain cpies (with sme exceptins) Patients have a right t request a histry f disclsures fr six years prir t the request, except fr disclsures made fr treatment, payment, healthcare peratins, r with previus authrizatin Patients have a right t a designated cntact persn regarding any privacy cncern r breach f privacy within the cvered entity Wh is respnsible fr privacy cmpliance? Cmpliance is the respnsibility f all emplyees. This dcument ffers guidelines nly. Yu must fllw all client specific plicies and regulatins t ensure the prtectin f private health infrmatin. HIPAA regulatins apply t persnnel, billing, medical recrds, infrmatin systems, husekeeping, administratin -- t everyne. What des ne d with Prtected Health Infrmatin (PHI)? 1. USE describes the emplyment, applicatin, sharing, examinatin r analysis f PHI by a cvered entity r a business assciate f a cvered entity. 2. DISCLOSE refers t the release, transfer, and prvisin f access t r divulging f PHI utside the rganizatin that hlds the infrmatin. Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

4 Examples f Disclsure: When a physician files a claim with a health plan fr payment When a hspital sends a cpy f a patient's discharge summary t a physician in private practice When access t hspital recrds is given t the Jint Cmmissin n Accreditatin f Healthcare Organizatins (JCAHO) Yu are permitted t use r disclse PHI in the fllwing situatins: Fr treatment, payment, and healthcare peratins With authrizatin r agreement frm the patient Fr disclsure t the individual patient Fr incidental uses, such as physician s talking t patients in a semi-private rm When is authrizatin required? A signed authrizatin frm the patient is required if his/her PHI will be used fr purpses ther than treatment, payment, healthcare peratins. As a general rule, authrizatin is needed t use PHI: Fr use r disclsure f psychtherapy ntes Fr research purpses, unless a waiver is btained frm an authrized bdy Fr use and disclsure t third parties fr marketing activities, such as selling lists f patients What is included in an authrizatin frm? Each authrizatin frm cvers nly the use r disclsure described in that particular frm. The frm must cntain the fllwing: A descriptin f the PHI t be used r disclsed in clear language the patient can understand Wh will use r disclse the PHI and fr what reasns Whether r nt it will result in mnetary gain fr the cvered entity The patient s right t revke the authrizatin The date and signature f the patient whse recrds are used r disclsed An expiratin date fr use and disclsure Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

5 When is authrizatin NOT needed? PHI can be used r disclsed withut authrizatin, with patient agreement, fr the fllwing purpses: T maintain a facility patient directry T infrm family members r ther identified persns invlved in the patient s care, r ntify them n patient lcatin, cnditin, r death T infrm apprpriate agencies during disaster relief initiatives Public health activities regarding disease preventin and/r cntrl T reprt abuse, neglect, r dmestic vilence Health versight activities, such as quality assurance audits, legal investigatins, licensure, sme law enfrcement r gvernment functins Crners, medical examiners, r funeral directrs Tissue r rgan dnatins T minimize r aver a serius threat t safety and health What is a Cvered Entity? A Cvered Entity is any health plan, healthcare clearinghuse r healthcare prvider wh transmits any health infrmatin in electrnic frm in cnnectin with a HIPAA transactin. HIPAA transactins are business transactins such as billing and claims that are transmitted electrnically, either directly t the payer, r thrugh a clearinghuse. Examples f Cvered Entities: Hspitals Clinics Private practices Health plans r insurance carriers Healthcare prviders Industrial health clinics Clearinghuses Part 2: Authrizatin The Privacy Rule prvides regulatry permissin t use and disclse prtected health infrmatin (PHI) fr treatment, payment and peratins, as well as public health, safety and law enfrcement purpses. All ther purpses such as research, marketing, disclsure f psychtherapy ntes and substance abuse require specific written permissin prir t use and disclsure, called authrizatin. When a valid authrizatin frm is btained frm a patient r their representative, use r disclsure must be cnsistent with the stated intentins. Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

6 Key Pints Authrizatin frms are used t dcument permissin t use r disclse PHI fr purpses ther than treatment, payment f healthcare peratins. A valid authrizatin must cntain a specified list f elements that may be adapted t suit the purpse f the authrizatin. Authrizatins may be revked at any time in writing. Dcumentatin related t authrizatins must be maintained fr six years frm the date f its creatin r the date when it last was in effect. There are nly a few situatins where a prvider as a cnditin f treatment may require an authrizatin, which includes research and PHI created slely fr the purpse f disclsure t a third party. There are special requirements fr use and disclsure f psychtherapy ntes, research that invlves treatment, and substance abuse. Authrizatin Requirements When yu btain r receive a valid authrizatin fr the use r disclsure f PHI, its use r disclsure must be cnsistent with that stated in the authrizatin. Additinally, a cpy f the authrizatin frm must be prvided t the individual. An authrizatin may be revked at any time, in writing, except t the extent that: 1. Yu have taken actin in reliance upn theren, r 2. The authrizatin was btained as a cnditin f btaining insurance cverage. Is authrizatin required fr treatment? Authrizatin is nt required fr as a cnditin f treatment, payment, and/r enrllment in the health plan, r eligibility fr benefits. Part 3: Use & Disclsure In general, HIPAA regulatins require the "reasnable safeguard" f PHI frm imprper use r disclsure. When disclsing PHI, emplyees must make reasnable effrts t disclse nly the minimum necessary amunt f infrmatin (MAIN). Under the MAIN principle, it is the respnsibility f healthcare facilities t release nly that infrmatin which will satisfy the purpse f the disclsure. HIPAA des nt restrict disclsure when it relates t cnsultatin between prviders in the curse f treatment, because such practice is an integral part f healthcare peratins. PHI may be disclsed if any f the fllwing apply: Disclsure is required by law. The individual agrees. Based n the exercise f prfessinal judgment, the disclsure is necessary t prevent harm t the individual r ther ptential victims. Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

7 If unable t cnsent t disclsure, an apprpriate law enfrcement agent represents that the disclsed infrmatin is nt t be used against the individual and a delay in disclsure t btain cnsent wuld adversely affect an immediate enfrcement activity. Key Pints A cvered entity may use and/r disclse PHI n the basis f regulatry permissin: Fr treatment, payment r healthcare peratins as described in the Ntice f Privacy Practices prepared by client facilities T parents, guardians r persns acting as a representative fr a minr child. A cvered entity must give the individual a meaningful pprtunity t bject t disclsure fr: Purpses f ntifying and infrming thse peple invlved r cncerned with an individual's care. A facility directry. HIPAA regulatins require emplyees and health care rganizatins t reasnably safeguard PHI frm imprper use r disclsure. Withut authrizatin, r prviding an pprtunity fr an individual t bject, a cvered entity may use and/r disclse PHI: T the individual t whm the PHI refers. T reprt breaches f cmpliance, prfessinal ethics, r danger t patients. When the law requires disclsure. As required by Health and Human Services Secretary t mnitr and investigate cmpliance f a cvered entity. A cvered entity is bund by any limitatin t which it agrees, until the individual lifts the restrictin r until the individual is ntified in writing that the restrictin can n lnger be accmmdated. What are the apprpriate methds t reprt an issue cncerning imprper use and disclsure? Emplyees shuld nt talk with cwrkers and friends regarding cncerns. In additin t the HIPAA privacy fficer in client facilities, yu may call the cmplaint htline and / r discuss cncerns with yur wrk site supervisr as per facility prcedures and plicies. Are there penalties fr wrngful use and disclsure f Prtected Health Infrmatin (PHI)? Yes, bth an emplyee and/ r the rganizatin may be fined r sued. If a persn knwingly btains r disclses individually identifiable health infrmatin a fine and/ r imprisnment may ccur. Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

8 What abut minrs (but nt legally emancipated minrs)? In general, parents have the right t access and cntrl the PHI f their minr children, except when state law verrides parental cntrl. Examples include: HIV testing f minrs withut parental permissin, cases f abuse, when parents have agreed t give up cntrl ver their minr children. NOTE: Minrs can legally cnsent t treatment under certain circumstances in sme jurisdictins. Knw yur State law regarding this pint. Oral Cmmunicatins Privacy rules d nt prhibit r require cnsent fr healthcare prviders t cmmunicate t ther healthcare prviders rally regarding patients treatment. Reasnable safeguards must be emplyed t prtect PHI frm inadvertent disclsure by verheard cnversatin, such as: Lwered vices. Mving a cnversatin t mre private areas. Prviding privacy areas fr phne cnversatins r cnversatins with patients r families. Refraining frm discussins invlving PHI in elevatrs r public hallways. Refraining frm discussins invlving PHI which d nt advance the care f an individual r are nt necessary fr billing r legitimate peratins. Part 4: Access The intent f the privacy rule is t maintain a balance between patient rights and the practice f sund medicine by acting in the best interest f the patient. Requests fr PHI must be made in writing. If apprved, patients will be ffered a cnvenient time and place in t inspect r btain a cpy f their recrd in accrdance with facility specific plicies and prcedures. Yur Respnsibilities fr Access The Privacy Rule requires timely access t PHI by indicating a cnvenient time and place fr the individual t btain a cpy f the PHI r by mailing the cpy at the individual's request. Yu must fllw client specific plicies and prcedures fr access. Part 5: Amendment Under HIPAA standards, patients have the right t amend their PHI. Amendment requests must be made in writing by cmpleting facility specific frms. Even if a request fr amendment is denied, the request itself and all subsequent dcumentatin must be included with the individual's recrds and disclsures must include appended material. Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

9 An amendment invlves making a change t a recrd and des nt include deleting, changing r remving medical infrmatin. Amendments may include an: Additin t the recrd. Fr example, "I frgt t tell the dctr " r "The dctr left ut what I tld him abut " Crrectin t the recrd f a perceived inaccuracy. Fr example, "The dctr said I twisted my knee playing ftball when it really happened at wrk. I said I had played ftball the week befre with n prblem." Befre a recrd is changed, a patient must submit a Request fr Amendment t initiate the amendment prcess and that request must be apprved. Fllw facility specific prcedures. Part 6: Administratin The privacy rule allws patients t "manage" Prtected Health Infrmatin r PHI. This includes the right t: See and cpy their PHI Limit disclsure thrugh authrizatin Request further limitatins f disclsure Offer amendments and crrectins t their infrmatin if desired T ensure prtectin f PHI, the privacy rule requires cvered entities t d the fllwing: Appintment f a privacy fficial Designate a cntact persn r ffice respnsible fr receiving cmplaints Publicatin f cntact infrmatin fr patients t exercise privacy rights Develp a Ntice f Privacy Practices dcument Develp plicies and safeguards t prtect PHI and limit incidental use r disclsure Institute emplyee training prgrams Make sure cntracts with business assciates cmply with the Privacy Rule What are safeguards? Safeguards are means f prtecting PHI. Examples f reasnable measures include: Physical safeguards Lcks n drs Segregatin f charts and ther media hlding PHI frm public view Prtectin f cmputers and cmputer screens frm view Signs and ther indicatrs t restrict access t unauthrized areas Visitr sign-in and escrts if apprpriate Terminatin prcedures fr remving emplyee access Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

10 Technical safeguards. Apprpriate passwrds, cntrlled access f cmputer files, and netwrk safeguards. Media access cntrls and accuntability Data strage, backup and dispsal Administrative safeguards Well written plicies and prcedures defining apprpriate behavir and handling f PHI by the wrkfrce Prminently displayed Ntice f Privacy Practices Apprpriate training cmpleted and dcumented Sanctins and Mitigatin All healthcare rganizatins and their emplyees must recgnize that respect fr privacy and cnfidentiality is everyne's jb and demnstrate apprpriate regard fr the rules. Emplyees that d nt fllw cmpliance regulatins are subject t HR disciplinary actins. Enfrcement f Cmpliance The Department f Health and Human Services (DHHS) Office f Civil Rights (OCR) is respnsible fr enfrcement f the privacy rule. Wrngful Disclsure Wrngful disclsure invlves the inapprpriate release f identifiable health infrmatin t anther persn. Penalties can be up t $50,000 and/r imprisnment f nt mre than ne year. If the ffense is cmmitted under false pretenses, the fine is up t $100,000 and /r imprisnment f nt mre than five years. If the ffense is cmmitted with the intent t sell, transfer r use identifiable health infrmatin fr cmmercial advantage, persnal gain, r malicius harm, the fine is up t $250,000 and/r imprisnment f nt mre than ten years. Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

11 HIPAA COMPLIANCE TRAINING ACKNOWLEDGEMENT OF RECEIPT By signing belw, I acknwledge that I have cmpleted the HIPAA Cmpliance Training. I have received basic training n HIPAA requirements, such as hw health infrmatin may be used and disclsed by HIPAA cvered entities, requirements f Ntice f Privacy Practices, what an authrizatin is and what it must cntain, what an amendment is, patient rights under HIPAA, hw t safeguard privacy rule prtected infrmatin, and sanctins fr inapprpriate disclsures. PRINTED NAME: TITLE: SIGNATURE: DATE: Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

12 HIPAA POST-TEST NAME: SIGNATURE: SCORE: DATE: INSTRUCTIONS: Please answer the fllwing questins by indicating whether the statement is r. 1. The HIPAA Privacy Rules prtect patient infrmatin regarding privacy and cnfidentiality. 6. It is acceptable t disclse private health infrmatin (PHI) fr treatment and payment reasns. FALS 2. Under HIPAA, cvered entities include hspitals, health plans, and clearinghuses that transmit health infrmatin electrnically. 3. Prtected Health Infrmatin includes a patient s name and scial security number. 4. It is acceptable t discard a patient s labratry reprt in the trashcan n yur unit. 7. A patient authrizatin can never be revked. 8. If an individual refuses t sign an acknwledgement f receipt, the prvider shuld dcument refusal t sign and prceed with treatment as usual. 9. The Privacy Rule alters hw parents cnsent t treatment fr their minr children. 5. PHI may be used r disclsed withut cnsent r authrizatin fr certain public health activities, including preventin r cntrl f disease, public health surveillance, and reprts f child abuse and neglect. 10. Vilatins f the HIPAA privacy rule can include fines and imprisnment. SCORE: PASSING SCORE: EVALUATOR: Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

13 HIPAA ANSWER KEY 1. A 6. A 2. A 7. B 3. A 8. A 4. B 9. B 5. A 10. A Quality Care + Prfessinal Staff VISIONQWEST HEALTHCARE 500 N Central Suite 740 Glendale, CA Phne: (818) ext. 2 Fax: (818)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) COMPLIANCE TRAINING

1 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) COMPLIANCE TRAINING Part 1: Privacy The HIPAA Privacy Rule requires the apprpriate use and disclsure f a patient's persnal health infrmatin