HIPAA BASIC TRAINING Presented by Anderson Health Information Systems, Inc.


WHAT IS HIPAA?
- Protect privacy and security of health information
- Improve continuity of health insurance coverage and transfer of information about the person

WHAT IS HIPAA? -2
- Federal law signed in 1996 authorizing development of regulations that relate to:
  - How we bill for a resident.
  - How we protect the resident’s private health information; more than the medical record, i.e. Social Security #, insurance #, birth-date, etc.

THIS HIPAA TRAINING FOCUSES ON…
- The Privacy Regulation
  - Steps that must be taken to protect individually identifiable health information
  - Sets standards to restrict, limit and account for access to individual health records
  - Compliance deadline of 4/03

THIS HIPAA TRAINING FOCUSES ON -2
- The Privacy Regulation
  - Sets standards to restrict, limit and account for access to individual health records
  - Compliance deadline of 4/03 and still required today

PRIVACY RULE APPLIES TO
- Health Care Providers
  - Your facility is a health care provider
- Health Plans
  - Blue Shield, Kaiser, HMOs and Medi-Cal

CONTINUING CULTURAL CHANGE
- Impact of Privacy Rule Implementation including facility’s changes to:
  - POLICIES
  - PROCEDURES
  - PRACTICES – i.e., conversations; care where medical records or other resident documents are kept

FUNDAMENTAL PURPOSE OF PRIVACY RULE
- Establish standards for Protection of Health Information
  - Relates to past / present / future physical or mental health conditions
  - Identifies the individual OR information that can be used to identify the individual

FACILITIES ARE REQUIRED
- By federal and state law to:
  - Maintain the privacy of health information
  - Provide notice of facility’s privacy practices TO THE RESIDENT, CONSERVATOR, REPRESENTATIVE

PHI - PROTECTED HEALTH INFORMATION
- Includes PHI transmitted/maintained
  - Electronically – computer
  - In any other form or medium – disk, fax, paper, and orally
  - Can you identify other records that might be seen by staff who do not need the information to do their job duties?

PRIVACY PRACTICE

PRIVACY – A WELL ESTABLISHED ‘RIGHT’…
- The HIPAA Privacy Regulation grants six rights to individuals regarding their health information:
  - Confidential Communication
  - Access to and copies of health information
  - May request amendments to their health information

PRIVACY – A WELL… -2
- The HIPAA Privacy Regulation grants six rights to individuals regarding their health information (cont.):
  - Upon request, must be given an accounting of disclosures of their health information to others.
  - Upon request, must be given a paper copy of the Notice of Privacy Practices.
  - May request restrictions on the uses and disclosures of health information

MINIMUM NECESSARY
- The facility shall limit the amount of PHI:
  - Disclosed or requested to documentation/related to protected health information that is reasonably necessary to carry out the job or fulfill the request for information.
  - To employees only to the extent they need the information to carry out their JOB DUTIES [what does this mean to you??]

MINIMUM NECESSARY -3
- Examples
  - As a team member you would need access to the health information to make resident care plan decisions.
  - Certified Nursing Assistant – What information do you need to do your job?

MINIMUM NECESSARY -6
Does NOT apply:
- When sending to another health care provider; however, you only need to give the information that is needed!
- Disclosure to the individual
- Uses and disclosures made pursuant to an authorization
- To Dept. of Public Health L & C, required for compliance, otherwise required by law, i.e., law enforcement, public health, Office of Inspector General

RIGHTS PRACTICE SESSION
- You are working near the nursing station and find resident documents on the floor. What should you do?
- Confidential resident information is destroyed how?

HITECH & HIPAA
(Diagram labels: ACCESS, HITECH, HIPAA, SB 541, BREACHES, Privacy and Security)

HITECH ACT
- Part of the American Recovery and Reinvestment Act of 2009
- Applies the HIPAA privacy and security rules and their penalties to HIPAA business associates
- Creates a new breach reporting requirement for HIPAA CEs and BAs
- Effective Date February 2009

SB 541
- California legislation that enforces reporting requirements for unlawful or unauthorized access, use or disclosure of a patient’s medical information
- Reporting requirement within 5 days of discovery
- Effective Date 2009

HIPAA
- Health Insurance Portability and Accountability Act
- Guidance for Privacy and Security of protected health information
- 45 CFR
- Effective Date 2003

HITECH Vocabulary
- Breach – the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information
- Unsecured PHI – PHI that is not secured through the use of a technology or methodology that renders PHI “unusable, unreadable, or indecipherable to unauthorized individuals.”
- Acceptable methodologies – Encryption as specified in the HIPAA security rule
- Shredding or destroying of non-electronic PHI

No Safe Harbor
- California covered entities are still required to report unlawful or unauthorized access, use or disclosure of a patient’s medical information within 5 days to comply with SB 541, which has been in effect since January 2009

Penalties
- SB-541 – failure to report within 5 days
  - $100 per day for each day that the unlawful or unauthorized access, use or disclosure is not reported up to a maximum of $250,000.

RIGHTS PRACTICE SESSION -2
- You are working and can overhear a conversation about a resident. What should you do?
  - Close the door if possible.
  - Leave the area.
  - Let the staff know you can hear.

RIGHTS PRACTICE SESSION -3
- The nursing staff are discussing a resident’s behavior and medications at an open nursing station where you can overhear the conversation and visitors are in a nearby room.
  1. Is this protection of health information?
  2. What should be done?

PRIVACY OFFICIAL
- Addressed in Administrative Requirements
- A Privacy Official has been designated for each Facility who is: MRD
- A Contact Person/Department

The Privacy Official is responsible for the oversight of resident privacy under HIPAA regulations and other state/federal regulations

PRIVACY NOTICE REVIEW COMPLAINT PROCESS
- May file a complaint with either:
  - Facility
    - Privacy Official
  - Health and Human Services
    - Office of Civil Rights
- Complaint must be in writing and filed within 180 days of identifying the complaint