Presented by Capture Billing and Consulting, Inc. Katie Jennings, RN and Michelle Ivanchukov, CPC, CCS-P

10/1/20152 Health Insurance Portability and Accountability Act (HIPAA) HIPAA Refresher 101 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to improve the efficiency and effectiveness of our healthcare system by establishing federal standards and requirements. It is an amendment to the Internal Revenue Service Code of Established federal portability requirements for all group health plans, non-discrimination requirements and restricted preexisting condition exclusion limitations. Designed to prevent inappropriate use and disclosure of individual health information and to require those organizations which use it to protect that information and their systems that store, transmit and process it.

10/1/20153 Health Insurance Portability and Accountability Act (HIPAA) Health care access, portability and renewability (requires employers and health plans to allow a new employee’s medical coverage to remain continuous without regard to pre-existing conditions) Title I: Preventing health care fraud and abuse; administrative simplification, medical liability reform (defines new requirements for privacy and security of individually identifiable patient information) Administrative simplification (reduces the administrative component of health care costs through the implementation of electronic data interchange (EDI) standards) Title II: Tax-related health provisions (standardizes the savings amount per person in a pre-tax medical savings account) Title III: Application and enforcement of group health plan requirements (broadened information on insurance provisions) Title IV: Revenue offsets (regulations on how employers can deduct company-owned life insurance premiums for income tax purposes) Title V: HIPAA Legislative Act HIPAA Public Law is composed of the following:

10/1/20154 Health Insurance Portability and Accountability Act (HIPAA) The provisions of the Administration Simplification required the Department of Health and Human Services (HHS) to adopt the following: Electronic Health Care Transactions and Data Standardization of Medical Code Sets Unique Health Identifiers (Standard Unique Employer Identifiers (EINs) and National Provider Identifiers (NPIs) Security Administrative Simplification

10/1/20155 Health Insurance Portability and Accountability Act (HIPAA) In order to maintain the privacy of health information utilizing electronic transmission, Congress incorporated mandated Federal privacy protections for individually identifiable health information. Privacy Rule: National standards for the protection of individually identifiable health information by covered entities Security Rule: National standards for protecting confidentiality, integrity and availability of electronic protected health information Administrative Simplification These rules are enforced by the Office for Civil Rights (OCR) of the HHS

10/1/20156 Health Insurance Portability and Accountability Act (HIPAA) The HIPAA Privacy and Security Rules provide specific requirements that must be followed by the following covered entities who transmit health information in electronic form: Health Care Providers Doctors, Psychologists, Dentists, Chiropractors (and their billing services) Clinics, Nursing Homes Pharmacies Health Plans Health Insurance Companies HMOs Company Health Plans Government programs (Medicare, Medicaid, Military/Veterans) Health Care Clearinghouses Entities that process and convert information they receive from another entity Business Associates Person or organization that performs certain functions or activities on behalf of a covered entity (including legal, accounting, consulting, data aggregation, accreditation) Covered Entities

According to the HHS “a major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being”. Finalized December 28, 2000 with final modifications published August 14, 2002 Requires appropriate safeguards to protect the privacy of personal health information (protected health information [PHI]) Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization Provides patients rights concerning their health information, including ability to examine, obtain a copy and request corrections 10/1/20157 Health Insurance Portability and Accountability Act (HIPAA) HIPAA Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)

10/1/20158 Health Insurance Portability and Accountability Act (HIPAA) PHI is considered individually identifiable health information held or transmitted by a covered entity or its business associate. Individually identifiable health information is any information including demographic data that relates to: The individual’s past, present or future physical or mental health or condition The provision of health care to the individual The past, present, or future payment for the provision of health care to the individual Protected Health Information (PHI)

10/1/20159 Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the circumstances in which an individual’s PHI may be used or disclosed by covered entities Covered entity may not use or disclose PHI unless Covered entity may not use or disclose PHI unless : As the Privacy Rule permits or requires As the individual or personal representative authorizes use or disclosure in writing To the HHS in the event of a compliance investigation or review or enforcement action Use and Disclosure Limitations

10/1/ Health Insurance Portability and Accountability Act (HIPAA) A Covered Entity is permitted to use and disclose PHI without an individual’s authorization for the following purposes or situations: To the Individual Treatment, Payment and Health Care Operations (provider coordination of care, reimbursement) Opportunity to Agree or Object (directory of patient contact information or location in a facility, family disclosure/coordinat ion of care) Incident to an otherwise permitted use and disclosure (ex. Hospital visitor may overhear a provider discussing information with another provider in order to provide prompt and effective healthcare) Public Interest and Benefit Activities (required by law/court order, FDA, abuse, law enforcement) Limited Data Set for the purposes of research, public health or health care operations (with a data use agreement) Permitted Use and and Disclosure Disclosure

10/1/ Health Insurance Portability and Accountability Act (HIPAA) Notice of Policy Practices Use and disclosure of PHI permitted and used by the covered entity Duties to protect privacy Notice of Privacy Practices and terms to abide by Individual’s rights and grievance process if rights have been violated Point of contact for further information and to receive complaints Must distribute to each individual no later than the first service encounter, by automatic and contemporaneo us electronic response, by prompt mailing Posted on covered entity website Covered Entities must provide a notice of its Privacy Practices to include:

10/1/ Health Insurance Portability and Accountability Act (HIPAA) Guidelines vary depending on the size of the covered entity but should include some of the following solutions: Written Privacy Policies and Procedures (policy manual) Designated Privacy Official or Security Officer to designate and implement policies and procedures Workforce Training and Management Mitigation (disclosure of any harmful effect of violation of privacy policy) Data Safeguards (encryption, shredding) Complaint procedure Retaliation and Waiver Documentation and Record Retention (must maintain for at least six years after creation of record) Administrative Requirements

10/1/ Health Insurance Portability and Accountability Act (HIPAA) De-identification Individually Identifiable Health Information can be de-identified to ensure compliance and reducing risk by removing identifiers such as: Name Geographic identifiers smaller than a state (except for the first 3 digits of the zip code) Telephone or fax numbers, addresses Birth date (except year) Admission or discharge dates Social Security or Medical Record Numbers Account numbers

10/1/ Health Insurance Portability and Accountability Act (HIPAA) Enforcement and Compliance The OCR is responsible for administering and enforcing standards and may conduct complaint investigations and compliance reviews Covered Entities that fail to comply voluntarily may be subject to Civil Money Penalties Violations occurring on or after 2/18/2009:  Penalty Amount $100 to $50,000 or more per violation  Calendar Year Cap of $1,500,000  Penalties may not be imposed in certain circumstances Failure to comply was not due to willful neglect and was corrected during a 30-day period after entity knew or should have known failure to comply occurred Department of Justice has imposed a criminal penalty for failure to comply

10/1/ Health Insurance Portability and Accountability Act (HIPAA) Criminal Prosecution Violations of the Privacy Rule may be subject to criminal prosecution. A person who knowingly obtains or discloses PHI in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year imprisonment. Criminal penalties increase up to $100,000 and up to five years imprisonment if wrongful conduct involves false pretenses Can increase up to $250,000 and up to 10 years imprisonment if wrongful conduct involves the intent to sell, transfer or use identifiable PHI for commercial advantage, personal gain or malicious harm

10/1/ Health Insurance Portability and Accountability Act (HIPAA) HHS Case Examples Hospital staff person left a message on a patient’s home phone answering machine failing to accommodate patient’s request that PHI communication be made via her cell or work phone. Hospital had to retrain an entire Department with Privacy Rule requirements. Complainant both an employee and patient of a hospital filed a complaint that her PHI was disclosed to her supervisor. Further investigation revealed that it was impermissible disclosure and staff was disciplined and retrained. Patient was not given access to her medical records because of an outstanding balance. Practice did not release records. Privacy Rule states that the covered entity must provide an individual access within 30 days of the request.

10/1/ Health Insurance Portability and Accountability Act (HIPAA) HIPAA Violations Found on the web… Nurses Fired Over Cell Phone Photos Of Patient – Case Referred To FBI For Possible HIPAA Violations Team 4 Uncovers HIPAA Records Violations Cignet fined $4M for HIPAA violation  Cignet Health of Prince George’s County has been fined a total of $4.3 million for alleged violations of the Health Insurance Portability and Accountability Act of The Department of Health and Human Services Office of Civil Rights alleges Cignet violated 41 patients’ rights in 2008 and 2009 by not providing them access to their medical records in a reasonable amount of time. Two to plead guilty to fraud, HIPAA violations UCLA Medical Center agrees to settle HIPAA violation charges for $865K Local psychiatrist faces federal charges in HIPAA case

10/1/ References Department of Health and Human Services: Department of Medical Assistance Services: h ttp:// Highmark Blue Cross Blue Shield: Department of Labor: