Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees
Training Objectives n Employees will have a general understanding of the core elements of the HIPAA privacy provisions. n Employees will know who the County’s HIPAA Privacy Officer is and how to contact the Privacy Officer. n Employees will have a general understanding of the County’s HIPAA Privacy Policies and Procedures.
What is HIPAA? n Health Insurance Portability and Accountability Act of n Administrative Simplification: – Transactions and Code Sets – Security – Privacy
Terminology n PHI n Covered Entities n Business Associate n Minimum Necessary n Designated Record Set
HIPAA Privacy Requirements To comply with HIPAA the county must: n Adopt written policies and procedures. n Adopt Notice of County Privacy Practices. n Designate privacy officer. n Designate employees with access to PHI. n Train employees on HIPAA. n Be in compliance with privacy provisions by April 14, 2003.
Penalties for Noncompliance n Criminal penalties – Up to $50,000 and one year in prison for obtaining or disclosing PHI. – Up to $100,000 and up to five years in prison for obtaining PHI under false pretenses – Up to $250,000 and up to ten years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage or personal gain or malicious harm.
Penalties for Noncompliance n Civil Penalties – A county that violates the privacy standards will be subject to civil liability which includes fines of $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.
County Sanctions for Noncompliance n [insert county sanctions for noncompliance]
State Law Preemption HIPAA preempts contrary state law unless the state law provides greater protection.
[insert county name] HIPAA Privacy Officer [insert name] [insert address] [insert phone number] [insert ]
Individual Privacy Rights: Notice of Privacy Practices n Individuals have the right to receive the county’s “Notice of Privacy Practices.” n The Notice of Privacy Practices explains to the individuals how the County routinely manages its confidential data including how PHI is used and disclosed.
Individual Privacy Rights: Access to PHI n Individuals have the right to request access to certain medical records. n Individuals have the right to copy certain medical records. n Individuals have the right to receive a decision within 30 days of the request. n If access denied, the Individual has the right to receive written description of denial.
Individual Privacy Rights: Restriction on Use and Disclosure n Individuals have a right to request restriction on uses and disclosures about treatment, payment or health care operations. n Individuals have the right to request that the county restrict disclosures to family members.
Individual Privacy Rights: Confidential Communications n Individuals have the right to receive communications of PHI by alternate means or at alternate locations. n The county must accommodate reasonable requests for alternate means or alternate locations.
Individual Privacy Rights: Right to Request Amendments n Individuals have the right to request revisions or corrections to any part of the record that the individual believes is incorrect. n Some requests may be denied. n Individuals have the right to receive a decision within 60 days.
Individual Privacy Rights: Accounting of Disclosures n Individuals have the right to an accounting of disclosures, other than treatment, payment or operation, made by the county. n The county is not required to account for disclosures made to the individual or made with a signed authorization. n Individuals have the right to receive a decision within 60 days.
Individual Privacy Rights: Right to File Complaint n Individuals have the right to file a complaint if they believe their rights have been violated.
County Responsibilities: Minimum Necessary n The county must make reasonable efforts to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. n County must identify those employees who need access to carry out their duties. The county must make reasonable efforts to limit the access of each identified employee.