Health Insurance Portability and Accountability Act (HIPAA) Presented by: APS Healthcare Southwestern PA Health Care Quality Unit (HCQU) December 2010 rb
© 2010 APS Healthcare, Inc. 2 Disclaimer Information or education provided by the HCQU is not intended to replace medical advice from the individual’s personal care physician, existing facility policy or federal, state and local regulations/codes within the agency jurisdiction. The information provided is not all inclusive of the topic presented. Certificates for training hours will only be awarded to those who attend a training in its entirety. Attendees are responsible for submitting paperwork to their respective agencies.
© 2010 APS Healthcare, Inc. 3 Note of Clarification While mental retardation (ID/DD) is still recognized as a clinical diagnosis, in an effort to support the work of self-advocates, the APS SW PA HCQU will be using the terms intellectual and/or developmental disability (ID/DD) to replace mental retardation (ID/DD) when feasible.
© 2010 APS Healthcare, Inc. 4 Objectives The Participant will be able to: –Define Protected Health Information (PHI) –Describe safeguards to protect PHI –List individual rights afforded by HIPAA –Describe how the Privacy Rule affects an individual with intellectual and developmental disabilities ID/DD
© 2010 APS Healthcare, Inc. 5 What Is HIPAA? Health Insurance Portability and Accountability Act of 1996 Four Primary Purposes of this Act –Guarantee health insurance access, portability, and renewal –Reduce healthcare fraud and abuse –Enforce standards for health information –Guarantee security and privacy of health information Privacy Rule –Controls the use and disclosure of protected health information (PHI)
© 2010 APS Healthcare, Inc. 6 HIPAA History August, 1996 – Final HIPAA bill passed by Congress December, 2000 – Privacy Rule was published August, 2002 – Final version with modifications published April 14, 2003 – Deadline for Compliance
© 2010 APS Healthcare, Inc. 7 Why is HIPAA Needed? No uniform laws existed regarding –the privacy of health information –individual rights with regards to their health information Rapid evolution of health information systems –Made health care information available to unauthorized persons
© 2010 APS Healthcare, Inc. 8 Why is HIPAA Needed? Maximize the effectiveness of protections while not compromising availability or quality of medical care Can promote higher quality care by assuring health information will be protected from inappropriate uses and disclosures
© 2010 APS Healthcare, Inc. 9 Who Must Comply? Health Plans Health Care Clearinghouses Health Care Providers
© 2010 APS Healthcare, Inc. 10 Who Must Comply? Business Associates –Contractors or Vendors who perform service for a covered entity –Attorneys –Accountants –Accreding bodies –Billing Companies –Answering Services –Collection Agencies –Laboratories
© 2010 APS Healthcare, Inc. 11 What is PHI? Protected Health Information –Information that the provider receives or creates that relates to the past, present, or future physical or mental health of an individual, and identifies or is likely to identify the individual
© 2010 APS Healthcare, Inc. 12 PHI Includes Paper Records Electronic Records Oral Communication
© 2010 APS Healthcare, Inc. 13 Necessary Safeguards Administrative Safeguards Technical Safeguards Physical Safeguards
© 2010 APS Healthcare, Inc. 14 Disclosure of PHI PHI may be used or disclosed without individual authorization for –Treatment –Payment –Operational Purposes
© 2010 APS Healthcare, Inc. 15 Disclosure of PHI Public health activities Child abuse reporting Response to court order or legal process Coroner pursuant to official duties
© 2010 APS Healthcare, Inc. 16 Valid Authorizations Consents to use or disclose PHI that must include: –A description of the PHI to be disclosed –Name of releasing entity –Name of entity where PHI is to be sent –Description of the purpose for the release
© 2010 APS Healthcare, Inc. 17 Valid Authorizations Expiration date for the authorization Individual must sign and date Individual has the right to revoke authorization Statement regarding redisclosure State that signing authorization will not be a condition of treatment
© 2010 APS Healthcare, Inc. 18 Personal Representatives A person authorized by law to act on behalf of a individual to make healthcare decisions. Health Care Power of Attorney Legal Guardian
© 2010 APS Healthcare, Inc. 19 To receive a copy of the Privacy Notice To make a complaint about privacy violations To request restrictions on use of PHI To make reasonable requests concerning how their PHI is communicated to them To have access to their PHI To request amendments to their PHI To have an accounting of disclosures of their PHI Individual Rights
© 2010 APS Healthcare, Inc. 20 Privacy Notices Individuals –have the right to receive written notice of a covered entity’s privacy notice –should acknowledge that they have received the notice
© 2010 APS Healthcare, Inc. 21 Complaint Process Individuals –Have the right to make complaints regarding privacy violations without fear of intimidation or retaliation –May file a complaint directly with the entity or with the Secretary of Health and Human Services
© 2010 APS Healthcare, Inc. 22 Request Restrictions An individual has the right to request restrictions on the use of PHI
© 2010 APS Healthcare, Inc. 23 Confidential Communications Individuals –Have the right to make reasonable requests concerning how PHI is communicated to them Providers –Must permit individuals to place the request –Must accommodate reasonable requests –May not ask individual to explain reason for request –May ask that request be put in writing –May require payment information and method of contact
© 2010 APS Healthcare, Inc. 24 Access to PHI Individuals have a right to have access to their PHI If written request is required, it must be stated in the Privacy Notice Requests must be acted on within 30 days of receipt of request Extra 30 days granted if individual is informed
© 2010 APS Healthcare, Inc. 25 Denial of Access An individual may be denied access to PHI Denial without review rights may be given if specific circumstances exist –Individual participating in a research study –Information was obtained from someone other than a provider
© 2010 APS Healthcare, Inc. 26 Denial of Access Denial of access with review rights required may occur –Access is likely to be harmful to the individual –Often tied to instances where PHI refers to abuse If individual requests a review of a denial –Provider must designate a reviewing official who is a licensed health care provider –This person must not have participated in decision to deny access
© 2010 APS Healthcare, Inc. 27 Amendment Requests Individuals have the right to request amendments to their PHI Individual must be informed if the provider accepts or denies the amendment
© 2010 APS Healthcare, Inc. 28 Accounting of Disclosures Individuals have a right to an accounting of disclosures made of their PHI Providers do not have to account for disclosures made for treatment, payment, or operations to individuals for their own PHI, or for any disclosures made with a valid authorization
© 2010 APS Healthcare, Inc. 29 Penalties Civil penalties are imposed whenever there is a violation of the Privacy Rule without intent Civil penalties are imposed whenever there is a violation of the Privacy Rule without intent.
© 2010 APS Healthcare, Inc. 30 HIPAA Compliance Records must be retained for a period of 6 years –Due diligence records –On-going documentation
© 2010 APS Healthcare, Inc. 31 What Can You Do? Look at your space and secure it Look at your habits and make necessary changes
© 2010 APS Healthcare, Inc. 32 What Can You Do? Disclose PHI only when authorized Help each other to maintain individual privacy Make certain you are familiar with The Privacy Rule
© 2010 APS Healthcare, Inc. 33 HIPAA and People with ID/DD It gives them new rights regarding the use and disclosure of PHI. It decreases their vulnerability for misuse of their PHI. It adds to the concept of self-determination. It gives them added privacy protection.
© 2010 APS Healthcare, Inc. 34 HIPAA Outcomes Compliance –78% Providers compliant/18% non-compliant –90% Payers compliant/6% non-compliant Privacy Breaches –60% Providers –66% Payers Complaints –10,785 (thru Jan. 31, 2005) –62% resolved
© 2010 APS Healthcare, Inc. 35 HIPAA Outcomes Caused a short term increase in costs to the covered entities Improved consumer privacy More informed employees and individuals
HIPAA DISCUSSION QUESTIONS What Should You Do?
© 2010 APS Healthcare, Inc. 37 Conclusion HIPAA is on-going process –Education / Reeducation –Monitoring –Identification of problems –Changes
© 2010 APS Healthcare, Inc. 38 References Health Information Privacy. Retrieved September 27, 2010 from Annual Report to Congress on the Implementation of the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act. Retrieved September 27, 2010 from
© 2010 APS Healthcare, Inc. 39 To register for future trainings, or for more information on this or any other physical or behavioral health topic, please visit our website at
© 2010 APS Healthcare, Inc. 40
Evaluation Please take a few moments to complete the evaluation form found in the back of your packets. Thank You!
Test Review There will be a test review after all tests have been completed and turned in to the Instructor.