What is HIPAA? (1 of 2)


HIPAA

HIPAA
- On August 21, 1996 the federal government passed the Health Insurance Portability and Accountability Act of 1996
- It has been updated throughout, with the newest update (the Final Rule) going into effect on September 23, 2013

What is HIPAA? (1 of 2)
- Sets privacy standards
- Limits the use and release of individually identifiable health information
- Gives patients the right to access their medical records
- Restricts most disclosures of health information to the minimum needed for the intended purpose

What is HIPAA? (2 of 2)
- Improper uses or disclosures under the rule are subject to the criminal and civil sanctions prescribed in HIPAA.

Who is covered?
- It's a federal law and it covers all patients and all health care providers, including administrative and accounting personnel, in all 50 states.
- It pre-empts state law.
- All employees, associates, volunteers, and anyone else who comes in contact with patient records must be trained in HIPAA.

What Does HIPAA Do?
- Holds violators accountable, with civil and criminal penalties for violations
- Enables patients to find out how their information may be used
- Limits release of information to the minimum reasonably needed for the purpose of the disclosure

What does it require?
The law can be summarized as follows:
- Sharing of patient health information is on a need-to-know basis.
- Reasonable precautions must be taken to prevent the casual disclosure of the patient information in your custody.

HIPAA and State Laws
- If State rules are more stringent, the State rules must be followed
- HIPAA sets the minimum standards
- The Texas Medical Records Privacy Act is the Texas law
- TDSHS may enforce this rule against EMS providers and individuals

Updates and Revisions
- Final Omnibus Rule: compliance date of September 23, 2013
- Includes the HITECH (Health Information Technology for Economic and Clinical Health) Act
  - Interim rule adopted in 2009
  - Compliance date of September 23, 2013

Omnibus Rule (1 of 2)
- Creates 4 categories of violations that reflect culpability, with 4 tiers of penalty amounts for each violation
- Sets a maximum penalty amount of $1.5 million for all violations of an identical provision

Omnibus Rule (2 of 2)
- Increased civil monetary penalties ($100-$50K per violation) based on the category of violation (intent)
- Allows enforcement by state Attorneys General
- Requires breach notification by service or business associates to affected patients, HHS, and the media

Increased Federal Civil Penalties (Categories of Culpability)
- Violations after reasonable precautions: minimum of $100, maximum of $25,000
- Violations resulting from reasonable cause: minimum of $1,000, maximum of $100,000
- Willful neglect, corrected within 30 days: minimum of $10,000, maximum of $250,000
- Willful neglect, uncorrected: minimum of $50,000, maximum of $1.5 million

Willful Neglect
- Means conscious, intentional failure or reckless indifference to the obligation to comply with the HIPAA provision violated
- The disclosure does not have to be on purpose; it is enough that an entity shows indifference

Federal Criminal Penalties
- For fraud and abuse (e.g., disclosure for money): $50,000 and 1 year minimum; $250,000 and 10 years maximum
- Average sentence for a first-time offender at the highest level: $87,000 plus 67 months, according to the federal sentencing guide

Texas Medical Records Privacy Act
- Provides for a $3,000 fine (per offense) for a civil violation
- Provides a $250,000 fine for a criminal violation and up to 10 years in prison
- Allows the Attorney General to seek injunctive relief

Breach Notification Under the Final Rule

Current Breach Rules
- Effective as of September 23, 2009
- With a breach, the covered entity must provide notice to all affected individuals and to HHS, and also to the media for breaches involving more than 500 individuals
- Business associates must notify the covered entity

Current Breach Rules
- Under the current breach rules, a breach only occurs if the incident poses a significant risk of financial, reputational, or other harm to the individual
- This is known as the Harm Standard

The New Standard
- An impermissible use or disclosure of PHI is presumed to be a breach unless the entity or business associate demonstrates that there is a low probability that the PHI has been compromised
- The burden of proof is now on the entity

The New Standard
- The federal government has taken a stronger enforcement posture and is investigating more complaints
- All breaches must be reported
- Big breaches are posted online (Violations Posting Page)

Investigation
- HHS will (not "may") investigate any complaint filed when a preliminary review of the facts indicates a possible violation due to willful neglect
- HHS has discretion to proceed directly to fines in all cases

Business Associates: New Definition
- A business associate is a person/entity who, on behalf of a covered entity:
  - Creates PHI
  - Receives PHI
  - Maintains PHI, or
  - Transmits PHI
- Excludes mail, some delivery companies, phone, and internet services

Business Associate Agreement
- If an organization transmits data on your behalf and needs access to PHI, there should be a BAA
  - Billing companies
  - ePCR vendors (Zoll and UMC)
  - Consulting firms
  - Clearinghouses

Business Associate Agreement
- Business associates now include subcontractors
  - Collection agencies
  - Billing company consultants that access PHI
- Subcontractors must enter into a BAA with the business associate, NOT the covered entity

Business Associate Agreement
- Existing BAAs entered into before January 25, 2013 may continue in operation for up to one year beyond the compliance date (September 23, 2014)
- All other BAAs must be updated by September 23, 2013

New Restriction Rule
- Gives patients the right to pay out of pocket for a service and require the entity NOT to submit a claim to their insurance for that service

New Access Rule
- Grants patients the right to get an electronic copy of their PHI in the form and format requested, if it is readily producible in that form and format (Word, Excel, Text, HTML, PDF)
- Requires an entity to transmit PHI to a 3rd party if requested by the patient

Notice of Privacy Practices
- ALL patients MUST be informed of the privacy practices for your entity
- The new rule will require changing the NPP
- Must include a statement that patient authorization is required for:
  - Sale of PHI
  - Disclosure of psychotherapy notes
  - Marketing

Notice of Privacy Practices
- Must also include:
  - The patient's right to pay out of pocket
  - Breach notice: the entity has a duty to inform the patient following a breach of their PHI
  - Fundraising opt-out, if an entity intends to contact individuals to conduct fundraising activities that fall under HIPAA

Notice of Privacy Practices
- All NPPs (HIPAA forms) must be updated by September 23, 2013
- It is even more important now to obtain a signature on the HIPAA form for ALL patients

New Deceased Patient Rule
- PHI is protected for 50 years after the date of death
- An entity may disclose a decedent's information to family members and others who were involved in the patient's care or payment for care prior to the patient's death, unless doing so is inconsistent with the patient's preference

Review

HIPAA Disclosure: OK-to-release examples
- Anyone in the chain of treatment who has a medical need for the sharing of the patient information is permitted to receive the information.
- Ambulance to hospital to nursing home to specialists: all involved in the direct care of the patient may share the information

HIPAA Disclosure: OK-to-release examples
- Billing companies, insurance companies, and anyone the patient directs may receive the patient information (can get cover sheet)
- A parent may have a copy of a minor's medical records (refer to Privacy Officer)
- The nursing home asks for a copy of the transport report for a returning patient you are dropping off: OK to give
- The destination hospital asks for patient vital signs over the radio: OK to give

Disclosures Required by Law
- Infectious diseases
- Child abuse
- Elder abuse
- MVC
- Homicide
- Assault
- Other violent acts

Other Permitted Disclosures
- If the patient is deceased:
  - JPs
  - Coroners
  - Funeral directors
  - Family (unless against the patient's wishes)
- Serious threat to health or safety
- National security and intelligence activities (CIA, Homeland Security, FBI)

Examples (1 of 5)
- A member of the city council asks you what was the matter with his neighbor when the city ambulance responded: Decline comment
- The EMS billing company contacts you and asks specific questions about care you provided: OK to discuss

Examples (2 of 5)
- A fellow EMT who did not respond to a certain call asks about the patient particulars: Decline comment
- The nursing home calls you the day after you transported one of their residents to ask if you gave the patient aspirin: OK to discuss

Examples (3 of 5)
- The local newspaper is doing a story on an accident and requests an interview about the patient treatment: Decline comment
- Another EMT, who did not make the run, calls you at home and asks about the run you just made: Decline comment

Examples (4 of 5)
- Your EMS Director asks you about a call due to concerns with patient treatment: OK to discuss
- A police officer drops by the station (or scene) and asks for a copy of a transport report: Decline

Examples (5 of 5)
- Your partner calls you 2 hours after an EMS call because she is not feeling good about how the call went: OK to discuss
- During a CE class, the instructor asks for a copy of a run to use as an example: Decline, or remove all patient identifiers

Best Policy
- To be safe, do NOT release any information to anyone without contacting the Privacy Officer beforehand!!!

Corrections on Run Reports
- It should be the policy of the EMS service that unless there is a mistake on a medical record, it will not be changed
- This includes only mistakes in patient information such as age, DOB, SS#, etc.
- It should not include mistakes or misdiagnosis relating to medical care, regardless of what you find out later

Privacy Rule
- What you say here, what you see here, what you hear here: when you leave here, let it STAY here

HIPAA: How to Comply
- Appoint a Privacy Officer who oversees training and compliance with the act
- Train all employees, volunteers, and anyone who comes in contact with patient medical records
- Enforce your Policies and Procedures
- Provide patients with a copy of their privacy rights
- Establish Policies and Procedures

Policies Must Cover: (1 of 2)
- Notice of Privacy Practices
- Privacy Policies
- Use of Computer Equipment
- Privacy Training
- Medical Records of Employees

Policies Must Cover: (2 of 2)
- Patient Care Reports: Handling, Access, Security and Disclosure
- Patient Requests for Protected Health Information
- ENFORCEMENT

Training, Testing, etc.
- Every employee or associate, paid or volunteer, must be trained and tested, and attendance certified
- Every new hire/affiliate must be trained and tested within 30 days
- A refresher must be conducted yearly

HIPAA Safeguards (1 of 3)
- Keep voices down when at the ER or other places where there could be inadvertent disclosure of PHI
- Ask the patient's permission to release information to family members present. If the patient is unable to give permission, limit the information given: tell them only where you are transporting to, but get what information you can from them

HIPAA Safeguards (2 of 3)
- Do NOT release ANY information to people who do NOT have a need to know:
  - Police officers (except only as required)
  - Your family members
  - Coffee shop talk
  - Business associates
  - Other EMS personnel not on the call

HIPAA Safeguards (3 of 3)
- Protect documents
  - Place run reports behind locked doors
  - Keep run reports inside the clipboard while in the unit
  - Password-protect or otherwise protect computers
  - Shred unneeded documentation

Summary
- Use common sense
- Reasonableness is used throughout the Standard
- People treating the patient are entitled to the information
- When in doubt in an administrative situation, don't release the information
- When in doubt, keep your mouth shut!