What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.
HIPAA stands for Health Insurance Portability and Accountability Act.
HIPAA is federally mandated legislation. Violations can bring civil as well as criminal penalties.
Congress provided civil and criminal penalties for covered entities that misuse personal health information. Penalties for civil violations: up to $100 per violation, up to $25,000 per year for each requirement or prohibition violated.
Criminal penalties apply for knowingly obtaining protected health information in violation of the law. Criminal penalties can range from up to $50,000 and one year in prison to $250,000 and up to 10 years in prison, depending on the severity of the offense.
The privacy regulations ensure a national floor of privacy protections for patients by limiting the ways that covered entities can use patients' personal medical information.
The Office of Civil Rights (OCR) has the authority for enforcing HIPAA Privacy regulations.
The OCR allows for more stringent state laws, but does not allow states to weaken the law.
- Protect patient rights by giving them access to their health information and control over how it will be used.
- Improve the quality of care by restoring trust in the health care system.
- Improve the efficiency and effectiveness of health care delivery by standardizing systems.
- Protect the security and privacy of all medical records and other health information that is used or shared.
[Diagram: sections of HIPAA. Administrative Simplification (Security; Privacy; Data Standards: Transactions, Code Sets, Identifiers); Portability; Medical Savings Accounts; Group Health Provisions; Revenue Offset Provisions. At Brown County, we are interested in the boxes highlighted in the diagram.]
Administrative Simplification, with particular emphasis on the privacy regulations, is what concerns Brown County.
The Department of Health and Human Services (HHS) has the authority to mandate standards, require code systems and specify measures to guard protected health information.
Covered Entities: The law includes entities that provide, bill or pay for medical care or process health information, or request access to medical information in order to conduct financial and administrative transactions.
- Health Care Providers: any business that furnishes, bills or is paid for health care services.
- Health Plans: an individual or group plan that provides for, or pays the cost of, medical care.
- Health Care Clearinghouses: an entity that receives health information from providers and plans, and helps standardize that information into the required format for claims processing.
Business Associates of the entities above are ALSO considered covered entities.
Educational Institutions are NOT considered covered entities.
Business Associate: A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right. When a vendor signs a business associate agreement with a covered entity, the vendor becomes a covered entity.
Business associates such as vendors must warrant that all of their employees have been trained in HIPAA rules and regulations. Vendor employees and contractors are responsible for compliance with HIPAA standards and regulations when:
- Working with client data
- Setting up client hardware and software
PHI: Protected Health Information. This includes individually identifiable health information transmitted by or maintained in print, spoken or electronic media or in any other form or medium.
Within HIPAA, the Privacy provisions relate to:
- Disclosure: the release, transfer, provision of, access to or divulging of PHI outside of the business's internal operations.
- Use: with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI inside the business's internal operations.
The privacy rule sets limits on how identifiable health information may be used. The rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients.
Confidentiality regulations specify that safeguarding the availability, integrity and confidentiality of protected health information is the responsibility of the covered entity and its business associates.
There are restrictions and limits on the use of protected health information, however. Brown County employees who are exposed to PHI while performing services for a client are NOT in violation of the law, unless they use or disclose the information improperly.
What is considered electronic?
- Computer-entered data
- Electronic Data Interchange (EDI) data
- Data published as intranet files
- E-mails
- Swipe card data
- Scanned data
What is not considered electronic?
- Paper claims
- Paper fax
- Paper copies of memos or notes
- Telephone (voice) inquiries
However, HIPAA regulations apply to BOTH electronic and non-electronic records.
The regulations protect medical records and other individually identifiable health information, whether it is on paper, in computers or communicated orally.
Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes.
Covered health plans, doctors and other health care providers must provide a notice to their patients concerning patients' rights under the HIPAA privacy regulations.
The rule requires covered entities to have written privacy procedures. Covered entities must ensure that business associates agree to the same limitations on the use and disclosure of protected health information.
Covered entities must train their employees in their privacy procedures.
The provisions of the privacy rule generally apply equally to private sector and public sector covered entities. For example, private hospitals and government-run hospitals covered by the rule have to comply with the full range of requirements.
Covered entities must designate an individual who:
- Ensures the procedures are followed
- Makes sure all employees are trained
- Initiates disciplinary action if the procedures are knowingly violated
Brown County's HIPAA Compliance Officer is the Human Resources Director, Warren Kraft.
- Review and monitor to ensure all Business Associate Agreements are in place
- Receive complaints, oversee mitigation efforts and resolve disputes over privacy violations
- Serve as a primary contact/resource for privacy issues/questions
- Collaborate with Corporation Counsel in handling federal or state government investigations
Tina Brunner, Dawn LaPlant, Lt. Heidi Michel and Chua Xiong are the Brown County Privacy Officers.
Guidance and technical assistance materials have been issued to make it as easy as possible for covered entities to comply with HIPAA requirements.
HHS's Summary of the HIPAA Omnibus Rule: HHS summarized the over 500 pages of the Omnibus Rule as follows: "This omnibus final rule is comprised of the following four final rules:
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:
- Make Business Associates of Covered Entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopts changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
4. Final rule modifies the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009."
Guidance and technical materials to explain the privacy rule, including an extensive, searchable collection of frequently asked questions are available at http://www.hhs.gov/ocr/hipaa/assist.html
HIPAA's toll-free information line is (866) 627-7748.
Text of the HIPAA legislation can be found at: http://aspe.hhs.gov/admnsimp/pl104191.htm
Please proceed to the exam for Module 1. The exam is located on the intranet home page under Employee Training.
Please click on the HIPAA Training and Testing link.
Successful completion of the exam is required. A record of your exam is automatically stored.