Disability Services Agencies Briefing On HIPAA 11/21/2018 2:56:15 PM

Who is this for? This Training is for the entire DSA workforce to provide an overall awareness of “What is HIPAA?” Additional training will be provided to more specifically address how HIPAA impacts the functions that are performed by the following areas: Providers Case Managers/ Counselors Administrative/Support Staff Medical Records Admissions 11/21/2018 2:56:15 PM

History Each time a person sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. Congress recognized the need for national patient record privacy standards, when they approved the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final rule took effect on April 14, 2001. As required by the HIPAA law, most covered entities have two full years – until April 14, 2003 - to comply with the final rule's provisions. The law gives the Department of Health and Human Services (HHS) the authority to make appropriate changes to the rule prior to the compliance date. 11/21/2018 2:56:15 PM

Brief Introduction to HIPAA Health Insurance Portability & Accountability Act of 1996 (HIPAA) Public law 104-191 Portability: Transfer of healthcare when employees change jobs COBRA – A program that ensures continuous health plan coverage Accountability: Fraud/Abuse & Administrative Simplification PRIVACY, SECURITY, TRANACTIONS AND CODE SETS 11/21/2018 2:56:15 PM

HIPAA has four parts Transactions = Billing Rules Unique Health Identifiers and Standard Medical Code Sets Security Standards Privacy 11/21/2018 2:56:15 PM

TODAY WE WILL COVER PRIVACY Privacy in Effect on 4/14/03. HIPAA training will occur annually. Additional training will also be provided for Security and Transactions. 11/21/2018 2:56:15 PM

Who does HIPAA Apply to? Covered Entities – are either Health Care Providers, Health Plans or Clearinghouses. In the DSA only WWRC is a Covered Entity. Business Associates – are all others that may receive, transmit or store Protected Health Information from a covered entity. All other agencies in the DSA may be Business Associates. 11/21/2018 2:56:15 PM

Who does HIPAA Apply to? (cont) Covered Entities must enter into a contract with Business Associates, requiring that Protected Health Information be kept confidential by the Business Associate receiving information from or on behalf of the covered entity. Business Associates are not permitted to use or disclose protected health information in ways that the covered entity can not. 11/21/2018 2:56:15 PM

What does HIPAA apply to? Information relating to an individual’s health, health care treatment, or payment for health care, is called Protected Health Information (PHI) under HIPAA. Protected Health Information (PHI) Relates to a person’s physical or mental health, the provision of health care, or the payment of health care; It identifies, or could be used to identify the person who is the subject of the information i.e. by name, Is created or received by a covered entity; and Is transmitted or maintained in any form or medium. 11/21/2018 2:56:15 PM

What does HIPAA do? Provides Individual’s Rights Right to receive written notice of information practices from health plans and providers Right to access their own health care information Right to request an amendment or correction of protected health information that is inaccurate or incomplete Right to receive accounting of when information had been disclosed for purposes other than treatment, payment and health care operations 11/21/2018 2:56:15 PM

Consent vs. Authorization Consent - is required for all clients, it provides us the authority to share Protected Health Information for the purposes of Treatment, Payment and HealthCare Operations( i.e. business processes necessary to provide services to our clients). Authorization – is needed anytime PHI is shared and it is for reasons other than Treatment, Payment, or HealthCare Operations (TPO). Example – Financial Institution has requested PHI. An authorization will be needed to provide this information. The request for this information would be outside of the scope of TPO. Disclosures without patient authorization Purposes of effecting treatment, payment operations, and health care operations. Certain federal, state, and other oversight activities, public health, emergencies, judicial proceedings, banking and payment processes, and health research. Disclosure of PHI for research must be approved by an Institutional Review Board or Privacy Board. 11/21/2018 2:56:15 PM

What do we have to do? Must generally obtain the patient’s consent prior to using or disclosing PHI to carry out Treatment, Payment, or health care Operations (TPO). Obtain an authorization for any disclosure outside of TPO. Develop mechanism for accounting for all disclosures outside of TPO. Accommodate requests for amendments or corrections. Designate a Privacy Officer responsible for privacy activities. Provide Training to all staff who have access to PHI. Establish administrative, technical, and physical safeguards. Establish Policies and Procedures, and Privacy Notice. Develop and apply sanctions from re-training to reprimand to termination for HIPAA privacy violations. Have available documentation with the regulation requirements. Develop methods to disclose minimum amount of PHI. Develop and use contracts with business associates. 11/21/2018 2:56:15 PM

Penalties and Enforcement The federal penalties are $25,000 - $250,000 fines and/or 1 to 10 years imprisonment, dependant on the type of violation. Employee Sanctions for inappropriate disclosures 11/21/2018 2:56:15 PM

WAYS THAT YOU CAN HELP When disposing of paper copies of patient records, they should be shredded for disposal. Ensure that workstations can’t be viewed by visitors. Avoid discussing client information in public places such as elevators, cafeterias, and waiting rooms. Ensure that all Facsimile copies that are sent contain a cover page with the disclaimer statement. Change your password regularly Don’t use generic passwords and log-on names Secure your workstation when unattended. 11/21/2018 2:56:15 PM

THINGS YOU MAY NOTICE Ongoing privacy training for workforce Privacy notices and new authorization process New Policy and Procedures Privacy Office to answer HIPAA related questions. Consent and Authorization forms revised Email and Fax Disclosure statements 11/21/2018 2:56:15 PM