HIPAA and Privacy Rule Training
description
Transcript of HIPAA and Privacy Rule Training
HIPAA AND PRIVACY RULE
TRAINING
WHAT IS HIPAA? The Health Insurance Portability and
Accountability Act of 1996. Federal Law designed to protect
sensitive information. HIPAA violations are enforced by the
Department of Health and Human Services.
WHAT INFORMATION IS COVERED UNDER HIPAA?
Virtually ALL health information, or protected health information (PHI) in any format, to include:PaperElectronicOral
EXAMPLES OF SENSITIVE INFORMATION. Social Security number Credit Card numbers Driver’s License Research data Computer passwords Individual identifiable health information Personal information
NOTICE OF PRIVACY PRACTICES Health care providers provide them to
patients. They describe how the HIPAA-covered
entity uses and discloses health information.
WHAT IS THE PRIVACY RULE? The Standards for Privacy of Individually
Identifiable Health Information (Privacy Rule) establishes a set of national standards for the protection of certain health information.
The U.S Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Addresses the use and disclosure of individuals
health information called “PHI” (protected health information) by covered entities subject to the Privacy Rule.
WHAT IS A COVERED ENTITY? A covered entity is any person or
organization that furnishes, bills or is paid for health care services in the normal course of the business.
Pursuant to HIPAA, individually identifiable health information collected or created in a covered entity is considered “protected health information” (PHI)
A COVERED ENTITY IS ONE OF THE FOLLOWING… Health Care Provider Health Plan Health Care Clearinghouse
HEALTH CARE PROVIDER This includes providers such as..
DoctorsClinicsPsychologistsDentistsChiropractorsNursing HomesPharmacies ...but only if they transmit any information
in an electronic form in connection with a transaction for which HHS has adopted a standard.
A HEALTH PLAN This includes…
Health insurance companiesHMOsCompany health plansGovernment programs that pay for health
care, such as Medicare, Medicaid, and the military and veterans health care programs
HEALTH CARE CLEARING HOUSE This includes entities that process
nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
PHI DEFINED Protected Health information. Any information that can be used to
identify a patient (whether living or deceased) and which relates to the patient’s past, present, or future physical or mental health or condition, including healthcare services provided and the payment for those services.
IDENTIFIERS UNDER HIPAA Patient name Telephone number Social Security number Fax number Vehicle identification
number Email address Web URL’s Dates Names of relatives Full face photograph or
images
Health care record number
Account number Biometric identifier Device identifier Health plan beneficiary
number Certificate or license
number Any other unique
number, code, or characteristic that can be linked to an individual.
BASIC PRINCIPLE OF PRIVACY RULE To define and limit the circumstances in
which an individual’s PHI may be used or disclosed by covered entities.
A covered entity may not use or disclose protected health information, except either:as the Privacy Rule permits or requires.as the individual who is the subject of the
information (or the individual’s personal representative) authorizes in writing.
ACCESS MUST BE AUTHORIZEDAn employee may only access or disclose a patient’s PHI when this access is part of the employee’s job duties.
UNAUTHORIZED ACCESS It is never acceptable for an employer to
look at PHI “just out of curiosity” even if no harm is intended.
All information is entitled to the same protection whether it may be from a close friend or family and must be kept private.
AUTHORIZATIONS Covered entity may use/disclose PHI to
carry out essential health care functions. TreatmentPaymentHealth care operations
Disclosures for other purposes usually require a specific, written authorization from the individual of the information.
TREATMENT
Treatment means the provision, coordination, or management of health care by one or more health care providers, including:
Consultation between health care providers; or
Patient referrals
PAYMENT
Payment means activities of:Health care providers to obtain payment or
be reimbursed for their services. Health plans to obtain premiums, fulfill
coverage responsibilities, or provide reimbursement for the provision of health care.
HEALTH CARE OPERATIONS Health care operations are administrative,
financial, legal and quality improvement activities
Necessary to run business and to support core functions of treatment and payment
Quality assessment and improvement activities
Training, accreditation, certification, credentialing, licensing, reviewing competence, evaluating performance
Fraud and abuse detection
MINIMUM NECESSARY Only members of the workforce who
need protected health information may have access to it.
You should only have access to the “minimum necessary” amount of PHI to do their job.
VERIFICATION You can disclose PHI to a person
authorized to have the PHI. You may need to verify that the
individual really is who they claim to be.
BREACHES A breach occurs when information that by
law must be protected is:Lost, stolen, or improperly disposed of (i.e.
paper or device upon which the information is recorded cannot be accounted for
Hacked into by people or mechanized programs that are not authorized to have access
Communicated or sent to others who have no official need to receive it (for example, gossip from information learned of a medical record)
WHAT DOES ALL THIS MEAN TO YOU. Do not share PHI of your client with
anybody who does not need to know, such as your family and friends.
Do not save PHI of your client to your laptop, flash drive or other electronic media unless you are required to do so.
Do not leave PHI out for everyone to see. Do not leave PHI in a voicemail message. Do not put PHI in a trash or recycle bin, but make sure it is shredded.
REMEMBER! HIPAA is a Federal Law. HIPAA mistakes can have the same
types of consequences as any mistakes you may make at work.
Purposely disclosing PHI to unauthorized individuals is a criminal offense.
Spot the HIPAA violation (8min)http://www.youtube.com/watch?v=HuEoKsN6RKU
The Omnibus Rule (3min)http://www.youtube.com/watch?v=mX-QL9PoePU
HIPAA Training for Caregivers (23min)http://www.youtube.com/watch?v=VpxkRKH60fk