HIPAA Health Insurance Portability and Accountability Act


Page 1: HIPAA Health Insurance Portability and Accountability Act

HIPAA: Health Insurance Portability and Accountability Act

Presented by the UMMC Office of Integrity and Compliance

Page 2

HIPAA

As stated in the “Compliance” module presentation, the Office of Integrity and Compliance is responsible for enforcing and overseeing the HIPAA privacy regulations for UMMC. While HIPAA privacy enforcement is just one of the many responsibilities of our office, the HIPAA privacy regulations are important to each workforce member at UMMC and thus warrant a separate training module.

Whether you are an office worker, a member of our housekeeping staff, physical facilities, a student, or a clinician, it is YOUR responsibility to ensure patient privacy is protected.

Page 3

Rules and Regulations to Ensure Privacy

• The Health Insurance Portability and Accountability Act (HIPAA) set federally recognized standards to ensure both the privacy and the security of patient health information.

• Both standards are overseen by the Office for Civil Rights.

• Within UMMC, the standards are enforced by:
– Office of Integrity and Compliance (Privacy Officer)
– Information Systems (Security Officer)

Page 4

Policies and Procedures

• UMMC has created policies and procedures to facilitate compliance with all standards.

• These are to be followed by employees who come into contact with patient health information.

• The policies can be found on the UMMC Intranet or by clicking the following link: http://www.umc.edu/compliance/

Page 5

HIPAA Privacy Standards

The Privacy Standards provide for the following:
– Boundaries for the uses and disclosures of protected health information;
– The implementation of administrative, technical and physical safeguards to help ensure health information remains confidential;
– More control of an individual's health information by the individual; and
– Civil and criminal penalties for violators of the standards.

Page 6

What information is protected by the regulations?

The HIPAA Privacy Standards protect “individually identifiable health information”, which is collectively referred to as protected health information (PHI). Basically, PHI is clinical information, such as an individual’s diagnosis, in combination with some type of information that allows you to identify that individual. For instance, a diagnosis on a progress note that bears the patient’s name in the right-hand corner would be considered PHI. PHI can be transmitted or maintained in any form or medium; this includes PHI that is spoken, written on paper, or stored or transmitted electronically.

Page 7

Examples of PHI

Some examples of confidential and protected health information:

• Documentation created by physicians, nurses, and other health care providers and assembled in medical records;

• Conversations about an individual's care or treatment between health care providers;

• Information about patients in UMMC’s computer system; and

• Billing information about an individual’s health care.

Page 8

Information that can be used to identify a patient can include:

• Patient’s name;
• Address or zip code;
• Month and date of service or other relevant date;
• Date of birth;
• Telephone and/or fax number;
• E-mail address;
• Social Security Number;
• Medical record or patient account numbers;
• Vehicle identifiers or serial numbers;
• Health plan beneficiary number;
• Device identifiers or serial numbers;
• Biometric identifiers, including finger & voice prints;
• Full face photographic images or other images;
• Web Locators (URLs) or Internet Protocol (IP) addresses;
• Any other unique identifying number, characteristic, or code.

Page 9

Which Disclosures are Allowed Without Authorization?

Except for psychotherapy notes, the privacy standards allow UMMC to disclose information without an authorization for the following purposes:

• To comply with the law, such as reporting communicable diseases to the Mississippi State Department of Health;
• For the treatment of the individual;
• To obtain payment for services rendered by UMMC; and/or
• To carry out the healthcare operations of UMMC.

Page 10

Disclosures Allowed by Law

There are many disclosures that UMMC makes because they are required by law, and therefore no authorization is required. These include, but are not limited to:
– Disclosures about victims of child abuse
– Disclosures for judicial proceedings, such as responding to a subpoena
– Disclosures for law enforcement purposes

Page 11

What is Considered Treatment Under HIPAA?

• Treatment includes the management of healthcare and related services by one or more healthcare providers, including the coordination with a third party, such as a skilled nursing facility; consultations with other providers; or the referral of a patient from one provider to another. The following are examples of treatment activities:
– Healthcare staff orally coordinating services at the hospital nursing station.
– The teaching physician or dental instructor discussing a patient’s condition during training rounds.

Page 12

Examples of Treatment Continued

– A healthcare provider discussing lab test results with a patient or other provider in a joint treatment area.

– A dentist referring a patient to an orthodontist.

– Nurses or other health care providers discussing a patient’s condition over the phone with the patient, a provider, or a family member.

Page 13

Payment

The billing department uses confidential information to bill patients or their insurance companies for the services they receive.

Page 14

What are Healthcare Operations?

• Healthcare operations are activities that UMMC performs on a day-to-day basis in order to stay in business. Examples of healthcare operations include:
– Utilization review activities;
– Compliance activities;
– Internal auditing activities;
– Teaching of students; and/or
– Performance improvement activities.

Page 15

Disclosures/Releases with Authorizations

Disclosures other than those previously listed can be made by UMMC only if the patient signs an authorization. Authorizations, which are sometimes referred to as consents to release, must contain the necessary core elements and statements before the information can be released. Fulfilling an authorization that does not contain the required core elements and statements is a violation of this federal regulation. Only authorized employees can disclose patient information.

Page 16

What YOU Need to Know About HIPAA Privacy

Page 17

Several Important Concepts: Concept #1

Need to Know - Only access patient information if you have been assigned some form of responsibility for the patient’s care. Share information about patients only with other individuals who have a “need to know”. Part of protecting our patients’ privacy is ensuring that employees access only the information they “need to know” in order to perform their job duties. If an employee does not have a valid reason to know a patient’s information, they should refrain from accessing it.

Page 18

Several Important Concepts: Concept #2

Minimum Necessary - It is UMMC policy that each employee use and disclose only that information which is minimally necessary to fulfill a purpose or duty. Only access or view the minimum amount of patient health information necessary to complete your job duties.

Page 19

Several Important Concepts: Concept #3

Patients’ Rights - Under HIPAA, patients have several rights related to their PHI. Below is a comprehensive list of those rights. The next slide shows how you should respond to a patient if they have questions pertaining to those rights.

• Right to access and obtain a copy of their medical record;
• Right to request an amendment to their health information;
• Right to receive an accounting of disclosures;
• The right to request that restrictions be placed on the use of his/her PHI, even for the purposes of treatment, payment and healthcare operations;
• Right to file a complaint;
• Right to agree or object to being included in the hospital directory;
• Right to request confidential communications; and
• Right to a Notice of Privacy Practices.

Page 20

Patient Right - How to handle the request

Right to access and obtain a copy of their medical record
– Refer requests to Release of Information of the respective area

Right to request an amendment to health information
– Refer requests to the Office of Integrity and Compliance

Right to receive an accounting of disclosures
– Refer requests to Release of Information of the respective area

The right to request that restrictions be placed on the use of his/her PHI, even for the purposes of treatment, payment and healthcare operations
– Refer requests to the Office of Integrity and Compliance

Right to agree or object to being included in the hospital directory
– Refer inquiries to Registration

Right to request confidential communications
– Refer requests to the Office of Integrity and Compliance

Right to a Notice of Privacy Practices
– Refer inquiries to the Office of Integrity and Compliance

Right to file a complaint
– Refer complaints to the Office of Integrity and Compliance

Page 21

Criminal Penalties

• Previously, employees who inappropriately accessed, used, or disclosed a patient’s health information were not subject to criminal penalties. UMMC would “take the blame” and the responsible employee would only receive the sanctions listed within the institution’s sanction policy.

• Now, if you inappropriately access, use, or disclose a patient’s health information, you can be charged with criminal penalties.

Page 22

Did You Know…

• The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a final rule, also known as the Omnibus Rule, on January 17, 2013 to enhance privacy and security of health information under HIPAA and the HITECH Act.

Page 23

Revisions to HIPAA and HITECH Act

• The changes and additions to the privacy laws include:
– Business Associate Accountability
– Authorizations
– Uses/Disclosures of PHI for Marketing and Fundraising
– Protection of Decedent PHI
– Breach Notifications
– Additional Patient Rights
– Restrictions on Uses/Disclosures of PHI
– Enforcement and Security
– Privacy with Genetic Information

Page 24

Business Associate Accountability

• Defined by services such as creating, receiving, maintaining, or transmitting PHI for a Covered Entity.
– Includes Patient Safety Organizations (PSOs), health information organizations (HIOs), and subcontractors.

• Accountable for the following:
– Uses/disclosures of PHI which do not follow its agreement or the Privacy Rule;
– Failure to provide notification of a breach;
– Failure to provide an accounting of disclosures;
– Failure to report PHI to the Secretary;
– Failure to comply with the Security Rule.

• Held to the Minimum Necessary Standard.

Page 25

Authorizations

• Uses/Disclosures for marketing and the sale of PHI require an Authorization.

• Authorizations for research can combine conditioned and unconditioned Authorizations as long as the research elements are identified separately.

• Written Authorization is not required for disclosure of proof of immunization to schools.

• Authorizations for research can include authorization for future research as long as it is stated clearly.

Page 26

Uses/Disclosures of PHI for Marketing and Fundraising

• Marketing
– Limits are placed on communications that would otherwise count as health care operations if the Covered Entity receives financial remuneration (payment) from a third party in exchange for making the communication.
– If financial remuneration is received, the Covered Entity must obtain an Authorization for release of information.
– Exceptions: prescription refill reminders, face-to-face communication, and promotional gifts of minimal value.

• Fundraising
– A Covered Entity must give a recipient of fundraising communications the opportunity, without unnecessary burden, to opt out of receiving them, and must ensure future communications are discontinued if the recipient chooses to opt out.

Page 27

Protection of Decedent PHI

• Identifiable information of a person who has been deceased for more than 50 years is no longer PHI.

• Disclosures of decedent information to family members are allowed, unless doing so is inconsistent with known preferences expressed by the individual.

Page 28

Breach Notifications

• PHI inappropriately released without authorization is presumed to be a breach unless the Covered Entity can demonstrate, through a risk assessment, that there is a low probability the PHI was compromised.
– Risk assessments identify the type of PHI involved, the persons involved, whether the PHI was actually acquired or viewed, and the degree to which the risk to the PHI has been mitigated.

• Breaches involving fewer than 500 individuals must be reported no later than 60 days after the end of the calendar year in which the breach was detected.

• Limited data sets containing dates or zip codes are no longer exempt from breach notification.

Page 29

Additional Patient Rights

– The right to request and receive, at a reasonable cost, their health information in electronic format if the information is maintained as an Electronic Health Record (EHR).

– The right to apply restrictions on disclosures made to Covered Entities for any item or service, for which the patient has paid the full cost out of pocket.

– The right to receive a full accounting of disclosures made by the Covered Entity or Business Associate involving treatment, payment, or health care operations during the previous three years.

Page 30

Restrictions on Uses/Disclosures

• When restrictions on uses/disclosures of PHI to a health plan are enacted, the Covered Entity must use some type of notification in the medical record to identify the restrictions placed.

• Patients are responsible for notifying other entities of requested restrictions on uses/disclosures of PHI to a health plan.

Page 31

Enforcement and Security

• HIPAA rules continue to preempt State law, unless the state law is more stringent.

• OCR will investigate and penalize violations due to willful neglect.
– Willful neglect is defined as a conscious failure.
– Willful neglect is included in civil money penalties.

• Organizations must evaluate and revise security measures to ensure protection of electronic PHI.

Page 32

Privacy with Genetic Information

• The HIPAA Privacy Rule identifies genetic information as PHI, which is in alignment with the Genetic Information Nondiscrimination Act (GINA).

• Most health plans cannot use or disclose genetic information for underwriting purposes.

Page 33

Brief Pointers

• Family and Friends - You should not access the health information of family or friends if you do not have a need to know.

• VIPs - Do not access the health information of individuals who are of public interest unless you have a need to know.

• Passwords - Do not share passwords. We audit, and you will be held responsible. This includes portable devices.

• Disposing of Patient Information - Printed patient information must be disposed of properly; NEVER throw it in the regular garbage without at least shredding it by hand.

• Ongoing Monitoring - We perform ongoing monitoring of access into patient health information, including employee-to-employee access.

• IF WE FIND YOU ARE NOT CONNECTED TO THE PATIENT’S CARE OR DO NOT HAVE THE APPROPRIATE “NEED TO KNOW” TO COMPLETE YOUR JOB DUTIES, YOU WILL BE HELD ACCOUNTABLE.
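The ongoing monitoring described in these pointers comes down to comparing each record access against a documented need to know. The following Python is an added illustration, not UMMC's own tooling: it reviews constructed EHR audit-log lines against assumed care-team, billing-role, employee-patient and VIP reference data and flags every access that has neither a treatment nor a payment justification; the log format, field names and all data sets are assumptions.

```python
"""Need-to-know access review over constructed EHR audit-log lines (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample audit log (not real data): who opened which record, when, and why.
AUDIT_LOG = """\
2024-03-04T09:12:01Z user=rn_jones  mrn=MRN-1001 action=view_chart   reason=treatment
2024-03-04T09:15:40Z user=rn_jones  mrn=MRN-1002 action=view_chart   reason=treatment
2024-03-04T12:03:22Z user=clerk_lee mrn=MRN-1001 action=view_billing reason=payment
2024-03-04T13:47:09Z user=md_patel  mrn=MRN-2001 action=view_chart   reason=treatment
2024-03-04T18:20:55Z user=rn_jones  mrn=MRN-3001 action=view_chart   reason=treatment
"""

# Constructed reference data a monitoring program would pull from scheduling and HR systems.
CARE_TEAM: Dict[str, Set[str]] = {       # assigned clinicians per medical record number
    "MRN-1001": {"rn_jones", "md_patel"},
    "MRN-1002": {"md_patel"},
    "MRN-2001": {"md_patel"},
    "MRN-3001": {"md_smith"},
}
BILLING_STAFF: Set[str] = {"clerk_lee"}  # roles for which "payment" is a permitted purpose
EMPLOYEE_PATIENTS: Set[str] = {"MRN-1002"}  # patients who are also workforce members
VIP_PATIENTS: Set[str] = {"MRN-3001"}    # patients of public interest


@dataclass
class Finding:
    user: str
    mrn: str
    timestamp: str
    issue: str


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value key=value ...' into a dict; tolerant of extra spaces."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["timestamp"] = timestamp
    return record


def review_access(log_text: str) -> List[Finding]:
    """Return one Finding per access that lacks a documented need to know."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, mrn, reason = rec["user"], rec["mrn"], rec["reason"]
        on_care_team = user in CARE_TEAM.get(mrn, set())
        if reason == "treatment" and on_care_team:
            continue                      # assigned to the patient's care: permitted
        if reason == "payment" and user in BILLING_STAFF:
            continue                      # billing role obtaining payment: permitted
        # Everything else is unjustified; classify so the reviewer sees the pattern.
        if mrn in EMPLOYEE_PATIENTS:
            issue = "employee-to-employee access without care-team assignment"
        elif mrn in VIP_PATIENTS:
            issue = "VIP record accessed without care-team assignment"
        else:
            issue = "access without care-team assignment or payment role"
        findings.append(Finding(user, mrn, rec["timestamp"], issue))
    return findings


if __name__ == "__main__":
    for f in review_access(AUDIT_LOG):
        print(f"{f.timestamp} {f.user} -> {f.mrn}: {f.issue}")
```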

Page 34

More Information

• IF YOU HAVE QUESTIONS:
– See Policies and Procedures online on the UMMC Intranet
– Contact the Office of Integrity and Compliance

• IF YOU NEED TO REPORT A VIOLATION:
– Directly to your superior
– Compliance Hotline
– Compliance Report Form
– Contact the Office of Integrity and Compliance

Page 35

Question 1: What does HIPAA stand for?

a. Healthcare Information Policy and Assessment
b. Health Insurance Portability and Accountability Act
c. Health Information Privacy Act and Association


Page 38

Question 2: Lucy’s friend was admitted into the ICU for care. Because Lucy is a UMMC employee, she does not have to follow the visitation policy and can use her badge to go into the ICU to visit her friend at any time.

TRUE / FALSE


Page 41

Question 3: UMMC has created policies and procedures to help facilitate institutional compliance with the HIPAA privacy regulations.

TRUE / FALSE


Page 44

The End of HIPAA Training

Please close out of this presentation and proceed to the next training presentation.