HIPAA PRACTICAL APPLICATION WORKSHOP Orientation Module 1B Anderson Health Information Systems, Inc.

“HIPAA COMPLIANCE… …is a PROCESS, not a PROJECT

WHO SHOULD ATTEND Nursing Staff Nursing Assistants Staff from other depts. Generalized information for staff

PRESENTED Anderson Health Information Systems, Inc.

OBJECTIVES Will identify requirements for: –Notice of Privacy Practices –Personnel Designations –Minimum Necessary –What needs to be done, when and by who

OBJECTIVES -2 Will leave the workshop with information to protect the residents health information as that is your responsibility as an employee known in HIPAA as a member of the workforce. What Does HIPAA INCLUDE? PRIVACY PRACTICES –Notice of PRIVACY PRACTICES Resident RIGHTS –New Resident RIGHTS –Minimum Necessary –Minimum Necessary Policies and Procedures to use for training your staff –Privacy Official – Medical Record Designee

REFERENCE PRIVACY PRACTICES Notice of PRIVACY PRACTICES Use and Disclosures of Protected Health Information – Minimum Necessary – HIM Manual #7003 Use and Disclosures of Protected Health Information – Minimum Necessary – HIM Manual #7003

HIPAA CALENDAR You were in substantial compliance with the Privacy Rules before April 14, DOES THAT MEAN TO YOUR ORGANIZATION? –What DOES THAT MEAN TO YOUR ORGANIZATION? You now must stay in compliance. You now must stay in compliance. –Are you updating new staff in orientation? Are you holding at least annual update for all staff??? ASK FOR HELP FROM YOUR Consultant!! ASK FOR HELP FROM YOUR Consultant!!

PRIVACY

COMPONENTS OF THE RULE Notice of Privacy Practices Acknowledgment Process Minimum Necessary Authorization for Disclosure of PHI Administrative Requirements Business Associate Agreement MRD – Privacy Official

PRIVACY PRIORITIES Get to know the Rules Awareness –Are you training new staff as part of orientation? –Are you conducting or arranging for in- service for ALL staff with the HIM/Record Consultant at least annually??

PRIVACY PRIORITIES -2 Prepare Notice of Privacy Practices – given to the resident as part of the admission process. This is audited by MRD as part of the admission audit.

NOTICE OF PRIVACY PRACTICES Allows the individual control over how PHI is used and disclosed Describes practices related to use and disclosure of PHI Provide individuals with a privacy notice written in plain language

PRIVACY NOTICE -2 Notice must include: –Information regarding uses and disclosures –Explanation of individual’s privacy rights –Covered entities responsibilities under HIPAA

PRIVACY NOTICE -3 Indicates how the use and disclosure will be used for treatment, payment and operations. –How to file a complaint (Covered entity or Health and Human Services - Office for Civil Rights has been delegated as the responsible office) –Name, title and phone of contact person, privacy official –Effective date of notice

NOTICE - PROCEDURE REQUIREMENTS Post Notice at the facility, on the web Make copies available May use if Resident agrees Attempt to obtain acknowledgment of Notice of Privacy Practice -- at admit Provide notice for current residents

“SIX NEW Resident RIGHTS” Notice of Organizations “PHI” Privacy Practices Request Restrictions on Disclosures to Others of their “PHI” Request alternative means of communicating “PHI”

“SIX NEW Resident RIGHTS” -2 May inspect and get a copy of “PHI” May request Amendments to their “PHI” Must be given an accounting of organization’s disclosures of their “PHI”

ACKNOWLEDGEMENT Make good faith efforts to obtain written acknowledgment of Receipt of Notice of Privacy Practices – at time of ADMIT –“I ACKNOWLEDGE THAT I HAVE BEEN PROVIDED A COPY OF THE NOTICE OF PRIVACY PRACTICES, DATE, SIGN”

MINIMUM NECESSARY The facility shall limit the amount of PHI: –Disclosed or requested to documentation/related to protected health information that is reasonably necessary to carry out the job or fulfill the request for information. JOB DUTIES [what does this mean to you??] –To employees only to the extent they need the information to carry out their JOB DUTIES [what does this mean to you??]

MINIMUM NECESSARY -2 WHAT DOES THIS MEAN TO YOU? WHAT DOES THIS MEAN TO YOU? –Discuss those items that would be needed to know for different jobs, ie., Social Services needs access to all information that would impact the decisions re: advanced decisions for health care, transportation, family involvement health condition, etc., also as a team member she/he needs access too --- specify ….(identify additional info. needed)

MINIMUM NECESSARY -3 Examples –As a team member you would need access to the health information to make resident care plan decisions. –Certified Nursing Assistant – What information do you need to do your job?

MINIMUM NECESSARY -4 The facility shall limit the amount of PHI available to each employee –Employees shall be identified and a grid done as to what information they have available to them and under what circumstances.

MINIMUM NECESSARY -5 The facility shall limit the amount of PHI: –Used or disclosed…and only the entire record will be sent to the requestor only when needed and reasonably necessary to accomplish the request, ie., attorney requests information. –Also, all responses to requests shall consider – release of minimum necessary to carry out the specific reason for the request.

MINIMUM NECESSARY -6 Does NOT apply: –When sending to another health care provider; however, you only need to give the information that is needed! –Disclosure to the individual –Uses and disclosures made pursuant to an authorization –To Dept. of Public Health L & C, required for compliance, otherwise required by law, ie., law enforcement, public health, Office of Inspector General

PERSONNEL REQUIREMENTS

PRIVACY OFFICIAL Addressed in the Administrative Requirements 45 C.F.R –COVERED ENTITY (CE) must designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures of the entity

PRIVACY OFFICIAL -2 Health Information Designee Administrator, alternate DSD – Provides training and orientation with assistance from the ‘MRD’ an the HIM Consultant HIM-CONSULTANT The AHIS HIM-CONSULTANT

PRIVACY COMPLAINTS requires Facility to –Provide a process for individuals to make complaints regarding privacy violations(d) –File complaints without fear of retaliation (g) –Designate a contact person for receiving complaints(a)(1)(ii) –Document complaints received and their disposition

PRIVACY COMPLAINTS -2 Cooperate with Federal Investigations of complaints Sanction Members of the Workforce who violate privacy(e) Mitigate to the extent feasible any harm caused by the violation( f)

PRIVACY COMPLAINTS -3 What are other complaints that are happening in the facility from your residents/family, etc., that may extend to Privacy complaints. How are they handled? Are they discussed at standup? How are complaints reported? Are complaints followed up/resolution doc?

EXERCISES Conduct exercise here…

IMPLEMENTATION STRATEGIES TOGETHER WE PROTECT PHI

IMPLEMENTATION -2 Ongoing training, and specific training to key personnel as it relates to their duties NEW EMPLOYEES

DO YOU COMPLY???