HIPAA Training Presentationfor New Employees

How did we get here?

HIPAAPolice

1

2

Goals of this sessionTo answer the following question:

• What is HIPAA?• What is HIPAA?

Health Insurance Portability and Accountability Act

(HIPAA) 1996

3

Portable health

insurance

1992

The Origin of HIPAA

+

4

Portability Enable people to easily change from one health insurance plan to another when changing jobs or becoming unemployed

AccountabilityEnable federal government to increase authority for fraud enforcement

Administrative Includes patient privacy, confidentiality and security of health information

H

IP

AA

Health Insurance Portability andAccountability Act 1996

Our Focus:

5

HIPAA Privacy Rule

Privacy Rule

Accountabilit

y

Privacy Rul e

Accountabilit

y

Porta

bilit

y

Our Focus:

6

HIPAA Privacy Rule

Enacted to:¨ increase the privacy protection of health

information identifying individuals who are living or deceased

7

What does HIPAA require?

• Use patient information for Treatment, Payment and routine business Operations (TPO) only

• Limit access to patient information to Minimum Necessary to perform job duties

• Provide patient right to view own medical record, obtain copies and request amendments

8

1) You cannot access or use patients’ identifiable health information without

their knowledge and consent.

Main Principles of HIPAA Privacy Rule

2) If you learn patients’ private health information, you must keep it

confidential.

9

Implications for you

Privacy Rule As a patient

As an employee

10

Goals of this sessionTo answer the following question:

• What is HIPAA?

• How does it affect me as a patient?

11

Your rights as a patient

¨ You have the right to view your own medical record, obtain copies and request amendments

¨ You have the right to receive notification as to how healthcare providers use your information

¨ You have to provide authorization for uses other than Treatment, Payment or routine business Operations

¨ You have the right to rescind that authorization

12

Goals of this sessionTo answer the following questions:

• What is HIPAA?

• How does it affect me as a patient?

• How does it affect me as an employee?

13

Milton S. Hershey Medical Center and College of Medicine are Covered Entities under HIPAA

14

Covered Entity

a health care provider

a health care

clearinghouse

a health plan

15

Your obligations as an employee of a covered entity

Respect the confidentiality of patients, co-workers, and Penn State Milton S. Hershey Medical Center/College of Medicine

Keep confidential information confidential

16

What is meant by “confidential information”?

• Patient healthcare and financial records

• Employee records and information

• Business or system information related to PSMSHMC/COM

17

Obligations of the employee

• All MSHMC/PSCOM employees are expected to follow the terms of the HMC Privacy Notice.

http://www.hmc.psu.edu/visitors/privacynotice.pdf

18

• Failure to follow the terms of the Privacy Notice will result in disciplinary action, including termination, expulsion, and possible pursuit of legal action!

• Signing and adhering to the conditions of the Confidentiality Statement are conditions of employment

• Report violations to Privacy Officer, Jim Bifano, x8059

Obligations of the employee

19

Special considerations for electronic communications

• Follow security policies on Infonet.• Keep your passwords private, hidden.• Do not open email of unknown origin.• Confirm e-mail address prior to sending.• Maintain current anti-virus software.• Report violations or concerns to:

Information Security OfficerMatt Weber x5904

20

How does this affect my work as an employee in Public Health Sciences?

I don't treat

patients!

21

Train future researchers

PHS

Design, conduct, and support research

22

HIPAA and Research

• Privacy Rule not originally enacted to regulate research; Code of Federal Regulations in place

• HIPAA does not apply to health information collected by a basic scientist solely for research purposes.

• Adoption of a common set of standards for patients and clinical research subjects

• Research at CoM treated the same as patient care with regard to privacy and confidentiality

• Oversight by the Human Subjects Protection Office

23

HIPAA Privacy Rule: Definitions

What is protected health information (PHI)?Any information created or received by a healthcare provider related to past, present, or future physical or mental health condition of an individual.Examples: history of cardiovascular

disease, measles, psychiatric illness,...

24

HIPAA Privacy Rule

Enacted to increase the privacy protection of health information of identifiable individuals who are living or deceased

25

Protection of Health Information Identifying Individuals

Health Information +

Identifier

Protected Health Information (PHI)

Subject to Privacy Rule

26

What is meant by “identifier”?

27

Individual Identifiers

1. Names 2. All geographic subdivisions smaller than a State• street address• city• county• precinct• zip code

28

Individual Identifiers (continued)

3. All elements of dates (except year):• birth date• admission date• discharge date• date of death

All elements of datesfor ages over 89

29

Individual Identifiers (continued)

4. Telephone number5. Fax number6. Email address7. Social security #8. Medical Record

Number9. Health plan

beneficiary #

30

Individual Identifiers (continued)

10. Account numbers

11.Certificate/license #s

12.Vehicle identifiers and serial #s, including license plates

13. Device identifiers & serial #s

31

Individual Identifiers (continued)

14. Web Universal Resource Locators (URLs)

15. Internet Protocol (IP) address #s16. Finger & voice prints17. Full face photos18. Any other unique identifying

number, characteristic, or code

32

Breakdowns in Confidentiality

• Accessing PHI not directly related to your job

• Leaving confidential information unattended

• Conversations in public areas• Sending confidential information

unsecured • Co-mingling of confidential and general

information• Improper disposal of confidential

records, both paper and electronic

33

Implications of Privacy Rule For investigators

Does the study involve health information about human subjects?

Does the study involve health information

about human subjects?

34

HIPAA algorithm

35

HIPAA algorithm

Does the study involve health information about human subjects?

No

36

HIPAA algorithm

Does the study involve health information about human subjects?

No

No HIPAA issues

37

HIPAA algorithm

Does the study involve health information about human subjects?

Yes No

No HIPAA issues

38

HIPAA algorithm

Does the study involve health information about human subjects?

Yes No

No HIPAA issuesAre any of the18 identifiers present?

39

HIPAA algorithm

Does the study involve health information about human subjects?

Yes No

No HIPAA issuesAre any of the18 identifiers present?

No

No HIPAA issues

40

HIPAA algorithm

Does the study involve health information about human subjects?

Yes No

No HIPAA issuesAre any of the18 identifiers present?

No

No HIPAA issues

Yes

41

HIPAA algorithm

Does the study involve health information about human subjects?

Yes No

No HIPAA issuesAre any of the18 identifiers present?

No

No HIPAA issues

Yes

HIPAA issues

42

HIPAA algorithm

Does the study involve health information about human subjects?

Yes No

No HIPAA issuesAre any of the18 identifiers present?

No

No HIPAA issues

Yes

HIPAA issues

43

What does this mean to investigators?

Health information + Identifier

44

What does this mean to investigators?

Does the study involve living human subjects?Health information + Identifier

45

What does this mean to investigators?

Does the study involve living human subjects?

Yes

HIPAA issues

Health information + Identifier

46

What does this mean to investigators?

Does the study involve living human subjects?

Yes

HIPAA issuesUse of non-living human subjects?

No

HIPAA issues only

Health information + Identifier

47

What does this mean to investigators?

Does the study involve living human subjects?

Yes

IRB and HIPAA issues

Use of non-living human subjects?

No

HIPAA issues only

Unsure?

Health information + Identifier

48

Is my research subject to the Privacy Rule?

health data+

personal identifiers

health data –

personal identifiers

NOT subject toPrivacy Rule

Subject to Privacy Rule

49

Quick Review

We know:• what HIPAA stands for• that the Privacy Rule of HIPAA is of utmost

concern to Milton S. Hershey Medical Center/Penn State College of Medicine

• what is meant by Confidentiality, Protected Health Information, and Identifiers

• the standards you are held to as an employee of Penn State College of Medicine

• that research at PSCoM is treated the same as patient care with respect to HIPAA regulations

50

When can an investigator use PHI?

When he/she:

1. Seeks authorization from study subject to use subject’s PHI

2. Seeks waiver of authorization from HSPO

because it would be impossible to get authorization from subject

3. Uses a limited data set4. Uses data only as preparation for

research project

51

Implications of Privacy Rule

• For investigators• For staff

52

PHS Employees who work with PHI

Study datasets:

• What PHI is contained?

• What identifiers are contained?

• Who has access to them?

53

Implications of Privacy Rule

• For investigators• For staff• For business associates

54

Business Associates

Person or entity that performs certain functions which involve the use or disclosure of

Protected Health InformationE.g., pulmonary function test quality control

over-reader

In this example, certain personal identifiers are required to determine age-correct values: date of birth, date of

service

Must sign Business Associate Agreement through Purchasing

Department

55

End of Presentation

Thank you. Thank you very much.