HIPAA OVERVIEW
ETSU
What is HIPAA?
Health Insurance Portability and Accountability Act.
PURPOSE – TITLE II ADMINISTRATIVE SIMPLIFICATION
To increase the efficiency and effectiveness of the entire health care system through:
- The electronic exchange of information
- The standardization of that information
To enhance the security and privacy of Protected Health Information (PHI) throughout the entire health system
PRIVACY RULE: WHAT DOES IT DO?
HIPAA regulates the use or disclosure of Protected Health Information (PHI)
WHAT IS PHI?
Health and demographic information about an individual that is transmitted or maintained in any medium where the information:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future:
  - Physical or mental health condition of an individual, or
  - Provision of health care to an individual, or
  - Payment for the provision of health care to an individual
INDIVIDUAL IDENTIFIERS
1. Name
2. Geographic subdivisions smaller than a State
   – Street Address
   – City
   – County
   – Precinct
   – Zip Code & their equivalent geocodes, except for the initial three digits
3. Dates, except year
   – Birth date
   – Admission date
   – Discharge date
   – Date of death
4. Telephone numbers
5. Fax number
6. E-Mail Address
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
PERMITTED USES & DISCLOSURES
HIPAA permits the use or disclosure only for the following purposes:
- Treatment
- Payment
- Health Care Operations
(These are referred to as “TPO”)
MANDATED USES & DISCLOSURES
HIPAA mandates the disclosure of PHI for certain purposes such as:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Organ donation
All other uses or disclosures require an authorization
HEALTH CARE OPERATIONS
Any of the following activities of a Covered Entity:
- Quality assessment and improvement and population-based activities
- Peer review and credentialing activities
- Underwriting, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance
- Medical review, legal services, and auditing
- Business planning and development
- Business management and general administrative activities
AUTHORIZATION
Authorization must be obtained for ALL uses and disclosures other than TPO or those mandated under law
Authorizations must include:
- A description of the information to be disclosed
- The name of the person or entities to whom the information will be disclosed
- An expiration date
- Information regarding right to revoke
- Date and signature
PRIVACY NOTICE
Privacy Notices Must:
- Be in plain language
- Contain a description and example of TPO
- Contain a description and example of other uses and disclosures not requiring Authorization
- Include statements about an individual’s rights
- Include statements about the Covered Entity’s duties
- Describe the complaint process
- Provide other specific requirements
MINIMUM NECESSARY
A requirement that only “minimum necessary disclosures” may be made to accomplish the intended purpose of the use, disclosure, or request for PHI.
MINIMUM NECESSARY
Internal Requirements:
- Identify workforce who need to access PHI
- For each class, category or person identified, limit access based on need-to-know
External Requirements:
- Limit access to what is needed to accomplish the purpose for which the request was made
- Each request that is non-routine should be reviewed to determine whether it is reasonably necessary
RESEARCH
To use or disclose PHI for research purposes, Covered Entities must obtain either:
- Written authorization from the research subject.
- Permission from the Institutional Review Board (IRB) or Privacy Board to waive the authorization.
IRB WAIVER OF AUTHORIZATION
The following criteria must be met before the IRB can waive the patient authorization requirement for research:
Use of PHI will pose minimal risks to the subject’s welfare and privacy rights.
Research cannot practically be conducted without the waiver or access to PHI.
Covered entity must protect PHI from inappropriate use or disclosure.
Researcher must provide written assurances that PHI will not be reused or disclosed, except as required by law.
INDIVIDUAL RIGHTS
Individuals have the right to:
- Receive written notice of privacy practices
- Request restrictions on uses & disclosures
- Access, inspect & copy their PHI
- Request amendment or correction of their PHI
- Receive an accounting of disclosures of their PHI (except those related to treatment, payment, & operations)
ADMINISTRATIVE REQUIREMENTS
Designate a privacy officer with primary responsibility for ensuring compliance with the regulations
Establish training programs for all members of the workforce
Implement appropriate policies & procedures to prevent intentional and accidental disclosures of PHI
ADMINISTRATIVE REQUIREMENTS
Establish a system for receiving and responding to complaints regarding the Covered Entity’s privacy practices
Implement appropriate sanctions for violations of the privacy guidelines
Make reasonable efforts to limit information to minimum necessary to accomplish a person’s purpose/job
ENFORCEMENT
The Public. The public will be educated about their privacy rights and will not tolerate violations to their privacy! Expect Class Action lawsuits.
Office For Civil Rights (OCR). Designated the enforcement agency concerning privacy regulations. They will provide guidance and monitor compliance.
Department of Justice (DOJ). Involved in criminal privacy violations. Expect fines and penalties to be high.
PENALTIES - FAILURE TO COMPLY
Civil
- $100 per violation per person up to a maximum of $25,000 per person per year per standard violated
Criminal
- Up to $50,000, 1 year in prison, or both, for inappropriate use of PHI
- Up to $100,000, 5 years in prison, or both, for using PHI under false pretenses
- Up to $250,000, 10 years in prison, or both, for the intent to sell or use PHI for commercial advantage, personal gain, or malicious harm
HIPAA/Confidentiality Accountability Form
Click here for the link to the HIPAA/Confidentiality Accountability Form
Print this form, complete it and submit it to Academic Programs and Student Services in Nicks Hall, Room 230.
RESOURCES
ETSU Privacy Officer – Sharron Stevens at [email protected]
http://www.cms.hhs.gov/hipaa/hipaa2 – For frequently asked questions, links to other HIPAA sites, and information on the law, regulations, and enforcement
http://www.hhs.gov/ocr/hipaa/ – U.S. Department of Health and Human Services’ Office for Civil Rights frequently asked questions
http://www.hhs.gov/ocr/moneypenalties.html – Interim final rule: Civil Money Penalties