HIPAA Privacy & Security. Transportation Providers 2017

HIPAA Privacy & Security
As a non-emergency medical transportation provider, you deal directly with Medicare and Medicaid members' healthcare information every time you provide services. Much of this information is protected from disclosure by the Health Insurance Portability and Accountability Act, also known as HIPAA. This educational presentation seeks to explain the privacy and security of healthcare information in compliance with HIPAA. The materials also cover the Texas Medical Privacy law. Thank you for taking the time to review these materials. At the end of this presentation, you can take a quiz that presents hypothetical situations for you to analyze to test your knowledge.

Topics Covered
- What is HIPAA?
- Who is Subject to HIPAA?
- Protected Health Information
- HIPAA Privacy
- Reasonable Safeguards
- HIPAA Security
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Handling PHI
- Security Breaches
- PHI Rights of Individuals
- Enforcement
- Quiz

What is HIPAA?
HIPAA is a far-reaching federal law passed in 1996. HIPAA does many things, but its primary purposes are:
- Privacy and security of healthcare information
- Standardization of healthcare data
- Insurance portability for individuals who lose or change jobs
- Preventing discrimination against applicants or businesses
- Preventing fraud with stiff penalties and tight controls
As a federal law, HIPAA applies in all states. Keep in mind, however, that you must also comply with any more restrictive state laws regarding the privacy and security of healthcare information. If there is a conflict between HIPAA and state law, HIPAA preempts state law unless the state law is more strict. In other words, you must follow whichever law provides greater protection to members.

Who is Subject to HIPAA? Covered Entities
Organizations such as hospitals, insurance companies, self-insured employers, and small physician practices are considered covered entities under HIPAA. There are three categories of covered entities:
- Healthcare plans
- Healthcare providers
- Clearinghouses
Transportation providers and brokers are not covered entities because they do not fall into any of these three categories.

Who is Subject to HIPAA? (continued) Business Associates
Many covered entities use the services of other individuals and businesses to help them carry out their healthcare activities and functions. These business associates include auditors, consultants, lawyers, claims processing firms, pharmacy benefit managers, and the like. Business associates also include entities that provide data transmission services involving personal health information protected by HIPAA. A non-emergency medical transportation broker is a business associate of the health plans and state Medicaid agencies that are its clients.

Who is Subject to HIPAA? (continued) Business Associates
Business associates are subject to HIPAA in several ways:
- They must provide written (contractual) assurance to the covered entity that they will comply with the HIPAA requirements imposed on them, use the information only for proper purposes and safeguard it from misuse, and help the covered entity comply with some of its HIPAA privacy-related duties.
- They must comply with all HIPAA regulations requiring administrative, physical, and technical safeguards for the security of the protected information.
- They must comply with certain HIPAA regulations pertaining to the privacy of the information.

Who is Subject to HIPAA? (continued) The Security Rule
A law passed after HIPAA went into effect, the Health Information Technology for Economic and Clinical Health Act, or HITECH (effective in 2010), made the HIPAA Security Rule directly applicable to business associates. Prior to this, business associates were only contractually liable to covered entities for any security (or privacy) violations. In other words, before HITECH, if a business associate violated HIPAA it would be in breach of contract, not in violation of HIPAA itself. Now, business associates are subject to the same HIPAA penalties as covered entities.

Who is Subject to HIPAA? (continued) The Privacy Rule
Another law, the Omnibus Rule (effective in 2013), made certain portions of the HIPAA Privacy Rule directly applicable to business associates. The applicable portions are the general rules pertaining to uses and disclosures of protected information and organizational requirements.

Who is Subject to HIPAA? (continued) Business Associate Subcontractors
In many instances, a business associate delegates functions, actions and services to subcontractors: individuals and entities outside of the business associate's workforce. HIPAA requires agreements between business associates and their subcontractors providing that the subcontractor is subject to the same HIPAA requirements concerning access to and use of protected health information as the business associate. Subcontractors are also directly subject to HIPAA requirements, separate and apart from their contractual agreements with business associates. For these reasons, the subcontracted transportation providers with which NEMT brokers do business must also comply with HIPAA.

Protected Health Information (PHI)
HIPAA protects information that qualifies as protected health information, or PHI. PHI is essentially any part of an individual's medical record or payment history. In HIPAA terms, PHI is information that concerns:
- Any past, present or future physical or mental health of an individual
- Providing healthcare to an individual
- Payment for healthcare for an individual
This means that when an NEMT broker enters trip information into its reservations system, a billing department clerk processes trip logs and claims for payment, transportation brokers or providers speak with members on the phone or in person, or brokers and providers exchange trip manifests, any identifiable health information becomes PHI under HIPAA. HIPAA has separate but interrelated Privacy and Security Rules. The Privacy Rule covers PHI in all forms, while the Security Rule covers only electronic PHI.

The Privacy Rule
The Privacy Rule addresses the use and disclosure of PHI. In general, transportation providers may use or disclose a member's PHI only under these conditions:
- To communicate directly with the individual about his/her PHI
- With the individual's written authorization or other legal agreement, subject to certain exceptions
- Without the individual's authorization for treatment, payment and operations (TPO), subject to certain exceptions
If allowed by state law, PHI may be disclosed to a child's parent or guardian. When using or disclosing PHI, or when requesting PHI from a covered entity or business associate, you must make reasonable efforts to limit your use or disclosure as much as possible.

Reasonable Safeguards
The Privacy Rule requires that you use reasonable safeguards to protect the confidentiality of PHI. Reasonable safeguards include:
- Speaking softly when discussing PHI in public spaces, such as in waiting rooms or in vehicles that are multi-loaded
- Not using the name of the individual whose PHI is being discussed
- Reminding employees to keep PHI secure at their workstations, at fax machines and copiers, and in other public spaces
- Isolating and locking filing cabinets or anything else that contains PHI
- Equipping computers with password-protected screensavers

The Security Rule
HIPAA's Security Rule addresses the creation, receipt, maintenance and transmission of electronic PHI. This Rule applies equally to covered entities and business associates. The primary goals of the Security Rule are to:
- Maintain the confidentiality of stored and transmitted electronic PHI
- Protect electronic PHI from unauthorized creation, modification and deletion
- Ensure that electronic PHI is available to authorized individuals or entities when needed
The Security Rule sets out three types of security safeguards required for compliance: administrative, physical and technical safeguards.

Administrative Safeguards
The Security Rule includes these administrative safeguards:
- Security Officer: designating a Security Officer to be responsible for the development and implementation of security policies
- Workforce Security: developing a plan for granting employees varying levels of access to PHI
- Contingency Plan: developing a plan for responding to system emergencies and natural disasters
- Business Associate Contracts: having contracts with business associates to protect the confidentiality of PHI
- Termination Procedures: implementing procedures to prevent a terminated employee from having access to confidential information

Physical Safeguards
The Security Rule requires that you protect PHI from fire and environmental hazards, as well as from intrusion. Physical safeguards include:
- Facility Access Controls: developing procedures that allow authorized access to places where PHI is kept but that deter intruders
- Workstation Use: developing procedures to handle PHI that is or may be displayed on computer screens
- Workstation Security: providing secured rooms, curtains, partitions, or user IDs and passwords for workstations on which PHI is processed
- Device and Media Controls: having procedures for the handling of computer hardware and software (such as laptops, cell phones, tablets, and media used with them), including proper disposal and storage

Technical Safeguards
The Security Rule also requires that you implement certain technical safeguards for electronic PHI, including:
- Access Controls: limiting access to PHI on a need-to-know basis, based on roles and context
- Audit Controls: recording and examining system activity to eliminate unnecessary access to PHI
- Person or Entity Authentication: using verification controls such as passwords, PINs, biometrics, or tokens to ensure that those seeking access to PHI actually have authorization
- Transmission Security: protecting PHI during transmission over electronic networks, including encryption and protections such as firewalls, the SSL/TLS protocol and S/MIME support
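The Access Controls and Audit Controls safeguards above are easiest to see in working form. The following is an added example, not code from this training deck or from any broker's reservation system: a small Python model in which each role sees only the trip fields its job needs (the Privacy Rule's minimum-necessary idea), a driver can only open trips assigned to that driver (context), and every attempt, granted or denied, is written to an audit log that a supervisor can review. The trip records, role names, field sets and user IDs are all constructed for illustration.

```python
"""Need-to-know access to trip records with an audit trail.

Added example, not code from the training deck: a minimal model of the
Access Controls and Audit Controls safeguards for an NEMT broker's
reservation system. The trip records, roles and field sets below are
constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed sample trip records (hypothetical members and drivers).
TRIPS = {
    "T-1001": {
        "member_id": "M-555", "member_name": "J. Doe",
        "pickup_address": "12 Elm St", "pickup_time": "2017-04-03T08:30",
        "destination": "Valley Clinic", "reason_for_visit": "dialysis",
        "driver_id": "D-7", "claim_amount": 42.50,
    },
    "T-1002": {
        "member_id": "M-556", "member_name": "R. Roe",
        "pickup_address": "9 Oak Ave", "pickup_time": "2017-04-03T09:15",
        "destination": "Main St Dental", "reason_for_visit": "dental",
        "driver_id": "D-8", "claim_amount": 30.00,
    },
}

# Minimum-necessary field sets per role. A driver needs pickup logistics,
# billing needs identifiers and amounts; neither needs the reason for the
# visit, so it is only visible to compliance staff reviewing a record.
ROLE_FIELDS = {
    "driver": {"member_name", "pickup_address", "pickup_time", "destination"},
    "billing": {"member_id", "pickup_time", "destination", "claim_amount"},
    "compliance": {"member_id", "member_name", "pickup_address", "pickup_time",
                   "destination", "reason_for_visit", "driver_id", "claim_amount"},
}

AUDIT_LOG = []  # append-only list of access events (one dict per attempt)


class AccessDenied(Exception):
    pass


def _record(user_id, role, trip_id, outcome, fields=()):
    """Append one audit event; called for every attempt, not only successes."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "role": role, "trip": trip_id,
        "outcome": outcome, "fields": sorted(fields),
    })


def access_trip(user_id, role, trip_id):
    """Return the minimum-necessary view of a trip for this role, logging the attempt."""
    trip = TRIPS.get(trip_id)
    if trip is None or role not in ROLE_FIELDS:
        _record(user_id, role, trip_id, "denied")
        raise AccessDenied(f"{user_id} ({role}) may not read {trip_id}")
    # Context check: a driver may only see trips assigned to that driver.
    if role == "driver" and trip["driver_id"] != user_id:
        _record(user_id, role, trip_id, "denied")
        raise AccessDenied(f"{user_id} is not the assigned driver for {trip_id}")
    view = {k: v for k, v in trip.items() if k in ROLE_FIELDS[role]}
    _record(user_id, role, trip_id, "granted", view.keys())
    return view


def denied_attempts(log=None):
    """Audit review: count denied attempts per user, for supervisor follow-up."""
    counts = {}
    for event in (AUDIT_LOG if log is None else log):
        if event["outcome"] == "denied":
            counts[event["user"]] = counts.get(event["user"], 0) + 1
    return counts


if __name__ == "__main__":
    print(access_trip("D-7", "driver", "T-1001"))
    try:
        access_trip("D-7", "driver", "T-1002")
    except AccessDenied as exc:
        print("denied:", exc)
    print("denied attempts:", denied_attempts())
```

The point of logging before returning the decision is that the audit review sees denied attempts as well as granted ones; a driver repeatedly opening trips that are not theirs is exactly the "unnecessary access" the Audit Controls safeguard exists to surface. In a real system the log would be written to append-only storage and the role lookup would come from the authentication step, not from a caller-supplied argument.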

Handling PHI
In line with those safeguards, please follow these guidelines when handling member PHI:
- Access PHI only to the extent necessary to perform job-related functions
- Destroy PHI once it is no longer needed, in accordance with established record management policies and procedures
- Take steps to verify the proper receipt of transmitted PHI, whether by fax, phone, or e-mail
- Secure work areas by keeping documents containing PHI in a locked cabinet and maintaining strong passwords on electronic systems
- Take special precautions while working in the field or at home to ensure that PHI is secured in laptop computers and briefcases
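"Verify the proper receipt of transmitted PHI" has a concrete electronic form when a broker sends a trip manifest to a provider. The block below is an added example, not code from this training deck or from any broker's or provider's system: the sender attaches an HMAC-SHA256 tag to the manifest, the receiver verifies the tag before accepting the data and sends back an acknowledgement that echoes it, and the sender checks that acknowledgement. The shared key and the manifest are constructed for illustration, and the key is assumed to have been exchanged between the two parties beforehand by some means outside this code.

```python
"""Verifying the proper receipt of a transmitted trip manifest.

Added example, not code from the training deck. The broker seals a manifest
with an HMAC-SHA256 tag, the provider verifies the tag before accepting the
manifest and returns an acknowledgement echoing the tag, and the broker checks
that acknowledgement. The key and manifest below are constructed; the key is
assumed to have been provisioned out of band.
"""
import hashlib
import hmac
import json

# Constructed shared secret. In practice this is provisioned per provider and
# kept out of source code; it is inline here only so the example runs alone.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample manifest (hypothetical members and trips).
MANIFEST = {
    "manifest_id": "MF-2017-04-03-01",
    "trips": [
        {"trip_id": "T-1001", "member_name": "J. Doe", "pickup_time": "08:30"},
        {"trip_id": "T-1002", "member_name": "R. Roe", "pickup_time": "09:15"},
    ],
}


def canonical_bytes(manifest):
    """Serialise deterministically so sender and receiver hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest, key):
    """Sender side: return (payload, tag) for transmission."""
    payload = canonical_bytes(manifest)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def verify_manifest(payload, tag, key):
    """Receiver side: return the manifest if the tag matches, else None."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(payload)


def acknowledge_receipt(payload, tag, key):
    """Receiver side: verify, then return an acknowledgement for the sender."""
    manifest = verify_manifest(payload, tag, key)
    if manifest is None:
        return {"status": "rejected", "tag": tag}
    return {"status": "received", "tag": tag, "trip_count": len(manifest["trips"])}


def sender_confirms(ack, sent_tag, sent_manifest):
    """Sender side: accept the ack only if it echoes our tag and trip count."""
    return (ack.get("status") == "received"
            and hmac.compare_digest(ack.get("tag", ""), sent_tag)
            and ack.get("trip_count") == len(sent_manifest["trips"]))


if __name__ == "__main__":
    payload, tag = seal_manifest(MANIFEST, SHARED_KEY)
    ack = acknowledge_receipt(payload, tag, SHARED_KEY)
    print("clean transfer confirmed:", sender_confirms(ack, tag, MANIFEST))
    # A manifest altered in transit (here: a pickup time) no longer matches its tag.
    corrupted = payload.replace(b"08:30", b"10:30")
    bad_ack = acknowledge_receipt(corrupted, tag, SHARED_KEY)
    print("corrupted transfer confirmed:", sender_confirms(bad_ack, tag, MANIFEST))
```

The tag tells the receiver that the manifest arrived intact and came from a holder of the key, and the acknowledgement tells the sender that the right document was received; neither hides the contents, so the transmission itself still needs the Transmission Security controls the deck lists (SSL/TLS or S/MIME). The deterministic serialisation matters: if sender and receiver formatted the JSON differently, a genuine manifest would fail verification.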

Security Breach
The Security Rule distinguishes between secured and unsecured PHI. Secured PHI is information that is:
- Protected by a technology or methodology specified by the government (the Health & Human Services Department, or HHS)
- Rendered "unusable, unreadable, or indecipherable" to unauthorized persons
- Shredded/destroyed so that it cannot be read or reconstructed
If there is a security breach involving unsecured PHI, notice must be given to the affected individuals and, if the breach affects 500 or more individuals, to the government and the media. If you become aware of a security breach, please report it to your supervisor immediately. They must then report it to the transportation broker's HIPAA Compliance Officer.

PHI Rights of Individuals
In addition to what has already been discussed, members have these rights over the use and disclosure of their PHI with respect to their health plans, which are covered entities:
- Covered entities must abide by an individual's request not to divulge PHI to his/her health plan for payment or healthcare operations if he/she is paying the full cost of the service to which the PHI relates.
- Individuals are entitled to copies of any records that the covered entity keeps electronically.
- Individuals have the right to request that a covered entity correct any inaccurate PHI.
- Covered entities maintaining electronic health records must provide an accounting of all PHI disclosures made for treatment, payment and healthcare operations during the prior three years, upon the individual's request.

Enforcement
Failure to comply with HIPAA can lead to significant financial and other penalties, such as the following:
- Civil fines range from $100 to $50,000 for each violation, up to $1.5 million per year
- Criminal penalties for a basic offense may include a fine of up to $50,000 and/or imprisonment for up to one year
- Criminal penalties for an offense committed under false pretenses may include a fine of up to $100,000 and/or imprisonment for up to five years
- Criminal penalties for an offense committed with the intent to use PHI for one's commercial advantage may include a fine of up to $250,000 and/or imprisonment for up to ten years

Enforcement (continued) Civil Fines
The civil penalties for HIPAA violations are based on a tiered approach, depending on the type of violation:
- Fines for unintentional violations may be $100 per violation and up to $25,000 per year
- Fines for "reasonable cause" violations may be $1,000 per violation and up to $100,000 per year
- Fines for "willful neglect" (but rectified) violations may be $10,000 per violation and up to $250,000 per year
- Fines for "willful neglect" (and unrectified) violations may be $50,000 per violation and up to $1.5 million per year
Civil penalties are now required for covered entities or business associates who are found to have made a "willful neglect" violation, such as failure to follow HIPAA policies and procedures, or failure to sufficiently train and supervise employees.

Quiz
Which of the following is the best summary of one of HIPAA's primary purposes?
1. Keeping a business associate's information private
2. Keeping people's personal health information private
3. Keeping people safe from identity theft

Quiz
Number 2 is the correct answer. One of HIPAA's primary purposes is safeguarding the privacy and security of personal healthcare information.

Quiz
Which of these is the best reason to be sure you understand how HIPAA affects your day-to-day job responsibilities?
1. Violations of HIPAA can incur substantial penalties, including large fines and imprisonment.
2. Protecting the privacy of personal healthcare information aids the integrity of our healthcare system.
3. Both of the above.

Quiz
Number 3 is the correct answer. Understanding how HIPAA affects your job responsibilities will help keep you and your organization compliant with HIPAA regulations and provides a valuable public service to all participants in our healthcare system.

Quiz
Jane is a Medicare Advantage (Medicare Part C) member of Big Health Plan, a managed care organization. She called Big Health Plan's subcontracted NEMT broker to schedule a trip for her annual physical. The broker referred the trip to its subcontractor, Super Duper Transport, an NEMT provider, which called Jane the day before the trip to confirm. Is Jane's personal health information protected by HIPAA in this situation?
1. No, because the NEMT broker is not subject to HIPAA.
2. No, because Super Duper Transport is not subject to HIPAA.
3. Yes, because both entities are subject to HIPAA.

Quiz
Number 3 is the correct answer. Big Health Plan is a covered entity, and both the NEMT broker and the NEMT provider are subject to HIPAA. The broker is Big Health Plan's business associate, and the transportation provider is the broker's business associate. All parties are covered by HIPAA's Privacy and Security Rules.

Quiz
Bob scheduled trips for appointments with his medical doctor on Monday, his chiropractor on Tuesday, his psychiatrist on Wednesday, a walk-in clinic on Thursday, and his dentist on Friday. On what day(s) was Bob's personal health information unprotected by HIPAA?
1. Tuesday and Friday
2. Thursday
3. Wednesday and Monday
4. It was protected every day.

Quiz
Number 4 is the correct answer. PHI includes information regarding any past, present, or future physical or mental health of an individual, which means that information about all of Bob's trips and doctor visits would be subject to HIPAA protection.

Quiz
A news reporter called the hospital where a local celebrity recently had knee surgery. The reporter told the receptionist that he needed some information for an important article and offered her a small fee for her assistance. What is the appropriate response from the receptionist?
1. No. HIPAA prohibits the release of that information.
2. Certainly. He's a celebrity and therefore a figure the public is entitled to hear about.
3. Perhaps, but I will need approval from the hospital administration.

Quiz
Number 1 is the correct answer. Under HIPAA, the patient, whether a celebrity or not, may see his/her own medical chart, but this information must remain secure from unauthorized release or transmission to others, including reporters. The hospital may only release the information with the patient's written authorization.