HIPAA BASIC TRAINING MODULE 1C – Overview (For all staff including those who do not generally create Protected Health Information) RHONDA L. ANDERSON,


1 HIPAA BASIC TRAINING MODULE 1C – Overview (For all staff including those who do not generally create Protected Health Information) RHONDA L. ANDERSON, RHIA PRESIDENT, AHIS, INC. 1

2 TRAINING OBJECTIVES Will identify elements of the following: Privacy Rule / Notice of Privacy Practices HIPAA RIGHTS Privacy Official Complaint Process 2

3 WHAT IS HIPAA? Protection of the privacy and security of health information Enforcement and Breach Notification Rules Improvement of continuity of health insurance coverage and transfer of information about a person 3

4 WHAT IS HIPAA? -2 Federal law signed in 1996 authorizing development of regulations that: Relates to how we bill for a resident. How we protect the resident’s private health information; more than the medical record, i.e. Social Security #, insurance #, birth-date, etc. 4

5 THIS HIPAA TRAINING FOCUSES ON… The Privacy Regulation Requires steps that must be taken to protect health information Sets standards for resident’s access to their medical record, whether manual or electronic, and release or disclosure of information based on authorization; to restrict, limit and account for access to individual health records How information can be restricted and when – when paying for full services and products; the Health Maintenance Organization or Health Plan does not have to be notified of the services 5

6 THIS HIPAA TRAINING FOCUSES ON… -2 The Privacy Regulation (cont.) Accounting for disclosures to the protected health information Amendment of record – may be requested but that does not mean the health agency/covered entity has to amend the record The person/resident/patient may present data to be included or even that could be re-evaluated based on the situation Sets standards to restrict, limit and account for access to individual health records 6

7 THIS HIPAA TRAINING FOCUSES ON -3 The Privacy Regulation (cont.) 2013 Expands access to the resident record by indicating they also can have access to the electronic health record in a media of their choice 7

8 OMNIBUS – HIPAA 2013 What is different- electronic focus, the rights to access both manual and electronic 8

9 COMPLIANCE DEADLINES Compliance deadlines started in 4/2003 and still required in 2012 – Still required in 2013 Largest focus is on the Breach (impermissible use of health information), enforcement and fines, increased focus on the resident’s right to access the electronic record 9

10 LET’S SET THE HIPAA STAGE HIPAA in 2003, 2005, 2009, 2010, 2011 and 2013 – Updates minor and major HITECH and Security being the most dramatic which really focused on BREACHES (impermissible use of health information) Business Associate Changes 10

11 LET’S SET THE HIPAA STAGE -2 Finalizes: The Breach Notification Rule Genetic Information Nondiscrimination Act – GINA HITECH Enforcement Rule HITECH ACT Privacy and Security HITECH ACT – Accounting of disclosures/Access Report Rule 11

12 MINIMUM NECESSARY Guidance on Minimum Necessary This means you only should have access to that information you need to carry out your job 12

13 NEW HIPAA RULES Covered Entities (CE) are now permitted to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of a decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual KNOWN TO THE CE!! 13

14 LET’S SET THE HIPAA STAGE Notice of Privacy Practice – revised/redistributed Restriction Health Plan and $$ paid by patient Access to Electronic PHI Form and format of Electronic Copies Timeliness for paper and e-records Fees Breach Notification – assessment Genetics Excludes Long term care plans from underwriting prohibition 14

15 DEATH RECORD – 50 YRS. Death records after 50 yrs. Individually Identifiable data is allowed to be 15

16 NEW HIPAA RULES NEW and not so new Business Associate (BA) was always included, just changed some Marketing had restrictions – now requires an authorization if you plan to use the names and PHI – and there are exceptions And there are other provisions that really do not affect 16

17 NEW HIPAA RULES -2 Notice of Privacy Practice Changes Some Key Changes and maybe more When authorizations required, i.e., research, any marketing PHI after 50 years. (Individually Identifiable Information vs. that had PHI) When pay in full =Health Plan does not have to be notified and you can request restriction Opt out of fundraising letters (this does not have to be included in the NPP) – you can inform otherwise – probably just a good idea to have the information all in one place 17

18 NEW HIPAA RULES -3 Special requirements if have psychotherapy notes – If none, does not have to be in the NPP Uses and disclosures not described in the Notice of Privacy Practice will require an authorization Right to be notified of a breach of unsecured PHI in the event they are affected Fees for Paper and Electronic Copies 18

19 APPLICABILITY HIPAA applies to: All Covered Entities Your Business Associates, i.e., anyone who contracts w/ you who uses Protected Health Information (PHI) and who subcontracts with the BA Vendors who may have access to PHI- you may not “think of” Also the fact they are all under the HIPAA requirements Must Comply with some of the Privacy Rule and provisions of BAA 19

20 PRIVACY RULE APPLIES TO Health Care Providers Your facility is a health care provider Health Plans Blue Shield, Kaiser, HMOs and Medi-Cal 20

21 CONTINUING CULTURAL CHANGE Impact of Privacy Rule Implementation including facility’s changes to: POLICIES PROCEDURES PRACTICES – i.e., conversations; care where medical records or other resident documents are kept 21

22 FUNDAMENTAL PURPOSE OF PRIVACY RULE Establish standards for Protection of Health Information Relates to past / present / future physical or mental health conditions Identifies the individual OR information that can be used to identify the individual 22

23 FACILITIES ARE REQUIRED By federal and state law to : Maintain the privacy of health information Provide notice of facility’s privacy practices TO THE RESIDENT, CONSERVATOR, REPRESENTATIVE 23

24 PHI - PROTECTED HEALTH INFORMATION Includes PHI transmitted/maintained Electronically – computer, e-mail In any other form or medium – disk, fax, paper, and orally Can you identify other records that might be seen by staff who do not need the information to do their job duties? 24

25 PRIVACY PRACTICE 25

26 PRIVACY – A WELL ESTABLISHED ‘RIGHT’… The HIPAA Privacy Regulation grants six rights to individuals regarding their health information: Confidential Communication Access to and copies of health information May request amendments to their health information 26

27 PRIVACY – A WELL… -2 The HIPAA Privacy Regulation grants six rights to individuals regarding their health information (cont.): Upon request, must be given an accounting of disclosures of their health information to others. Upon request, must be given a paper copy of the Notice of Privacy Practices. May request restrictions on the uses and disclosures of health information 27

28 RIGHTS PRACTICE SESSION You are working near the nursing station and find resident documents on the floor. What should you do? Confidential resident information is destroyed how? 28

29 RIGHTS PRACTICE SESSION -2 You are working and can overhear a conversation about a resident. What should you do? Let the staff know that you can hear. Close the door, if possible Leave the area. 29

30 RIGHTS PRACTICE SESSION -3 The nursing staff are discussing a resident’s behavior and medications at an open nursing station where you can overhear the conversation and visitors are in a nearby room and may overhear. 1. Is this protection of health information? 2. What should be done? 30

31 PRACTICE SESSION You see paper in the trash can with names on it and some other writing. What would you do? 31

32 PRACTICE SESSION -2 You overhear the kitchen staff person talking about a resident’s illness and special food requirements. What would you do? Was this o.k.? Why? 32

33 PRIVACY OFFICIAL Addressed in Administrative Requirements A Privacy Official has been designated for each Facility A Contact Person/Department The Privacy Official is responsible for the oversight of resident privacy under HIPAA regulations and other state/federal regulations 33

34 PRIVACY NOTICE REVIEW COMPLAINT PROCESS May file a complaint with either: Facility Privacy Official Health and Human Services Office of Civil Rights Complaint must be in writing and filed within 180 days of identifying the complaint 34

35 HIPAA COMPLIANCE FOR CLINICIAN TEXTING Text or SMS Texting can offer providers numerous advantages for clinical care Fastest and most efficient means of sending information in a given situation Texting to communicate clinical information, whether authorized to do so or not – How to control? Texting between clinician members of the workforce How to ensure safer texting practices 35

36 RISKS OF TEXT MESSAGING – HIPAA BREACH Represents a different set of risks Text messages may reside on a mobile device indefinitely Exposed to unauthorized third parties due to theft, loss, or recycling of the device Can be accessed without any level of authentication Although text messages communicated wirelessly are usually encrypted by the carrier, interception and decryption of such messages is done with inexpensive equipment 36

37 RISKS OF TEXT MESSAGING – HIPAA BREACH -2 HIPAA Privacy Rule Designated record set includes PHI used, in whole or in part For the Covered Entity to make decisions Text messages used to make decisions about resident care Risk of compliance with the privacy rule if the Covered Entity cannot provide residents with access 37

38 TEXTING IN COMPLIANCE PROGRAMS HIPAA security rule text messaging risk analysis and management strategy Identify where electronic PHI, or ePHI, is created, received, maintained, and transmitted Identify and document any reasonable anticipated threats to PHI 38

39 TEXTING IN COMPLIANCE PROGRAMS -2 Security measures already in place (e.g., an existing policy on texting) including threat, potential impact Theft or loss of the mobile device Improper disposal of the device Interception of transmission of ePHI by an unauthorized person Lack of availability of ePHI to persons other than the mobile device user 39

40 TEXTING IN COMPLIANCE PROGRAMS -4 Examples of security controls Annotation of the medical record with any ePHI that is received via text and is used to make a decision about a resident Retention period requiring immediate deletion Use of alternative technology, vendor supplied secure messaging 40

41 COMPLIANT TEXTING Further consideration texts Stored indefinitely on a third party’s server, such as when a text is sent to an email account of a member of the workforce; email account is administered by a third party, associate contract with the third party may be required Address the use and disclosure of ePHI privacy policies and training Consider sanctioning members of the workforce PHI are subject to the HIPAA accounting of disclosures 41

42 TEXTING IN COMPLIANCE PROGRAMS -3 Examples of security controls Administrative policy prohibiting texting of ePHI or limiting the type of information Limiting condition-specific or information identifying the resident Workforce training use of work-related training Password protection and encryption for mobile devices Inventory of all mobile devices used for texting Proper sanitization of mobile devices upon retirement of the device 42

43 THANK YOU!!! Contact Information Rhonda Anderson, RHIA President, AHIS, Inc. 714-558-3887 office@ahis.net 43

