Published on October 23, 2007
HIPAA TRAINING PRIVACY

HIPAA is an acronym which stands for the Health Insurance Portability and Accountability Act. This act was passed by Congress in 1996.

Five titles of HIPAA
- Title I: Health Insurance Access, Portability, and Renewal
- Title II: Preventing Healthcare Fraud and Abuse
- Title III: Tax Related Provisions
- Title IV: Group Health Plan Requirements
- Title V: Revenue Offsets

[Diagram: HIPAA's five titles (as listed above) and Subtitle F: Administrative Simplification, with these components: Electronic Transaction Standards, Standard Code Sets, Unique Health Identifiers, Electronic Signature Standards, Privacy, Security]

What is privacy?
Privacy is an individual’s claim to limit access by others to some aspect of their personal life. Health information privacy is an individual’s claim to control the circumstances in which personal health information is collected, used, stored, and transmitted.

Who must comply with HIPAA?
- Health care plans (including Coordinated Care, Healthy Palm Beaches, Florida Healthy Kids and Trauma)
- Health care providers (District Home and Pharmacy)
- Health care clearinghouses

The Health Care District is both a provider and a plan. It must follow the regulations for both types of organizations.

What information is protected by HIPAA?
- Health information that allows an individual to be identified
- It includes demographic information
- Relates to treatment, payment or health care operations

Uses
Uses are the ways that information is used inside the Health Care District. This includes sharing between departments, utilization, examination, or analysis of information.

An example of a Use
The HCD uses a medical diagnosis to make a determination if a referral to a specialist is appropriate. A member would have a consult denied to see a dermatologist for the diagnosis of acne under the Coordinated Care Program. The reason is this is not a covered benefit.

Disclosures
A disclosure is any release, transfer, or provision of access to information held by the Health Care District to any person, organization or entity outside the Health Care District.

An example of a Disclosure
A resident of the District Home is diagnosed with West Nile Virus. This diagnosis is reported to the Palm Beach County Health Department. This constitutes a disclosure.

Minimum necessary
For any use or disclosure, only the minimum amount of information needed should be used or released. In treatment situations, the entire medical chart is appropriate to release.

An example of minimum necessary
A member is seeking legal action against a former employer because of a carpal tunnel surgery. Claims records are requested by several attorneys. In the system, the member also has had a hysterectomy and has been treated for hypertension. Only the minimum necessary amount of information related to the carpal tunnel surgery claims should be released.

Notice
- All members must be given notice about Health Care District Privacy practices
- The notice is a statement paper that tells how information is used and gives specific examples
- A copy is given or mailed to members on enrollment
- A signature is not required

Consent
- A consent is a general statement that the member agrees to the uses and disclosures of protected health information
- Required for health care providers, optional for plans
- Must be signed and dated
- Members who refuse to sign will not be eligible for services
- Copies kept for six years

Authorization
- An authorization is a specific document
- Allows for a use or disclosure of protected health information that was not addressed by the consent
- Treatment, Payment, and Health Care Operations do not require authorization
- Members are still eligible if they refuse to sign
- Must be signed and dated
- Copies kept for six years

An example of a kind of disclosure that requires an authorization
A member is participating in a research project and needs a list of all the medications that have been prescribed by all their providers in the past year. An authorization is needed to get the information from the pharmacy benefits manager and release it to the research project.

Restrictions
- A restriction puts limits on the protected health information that may be used or disclosed
- Members have the right to request a restriction
- The restriction should be noted in writing
- May be revoked at a future date

An example of a restriction
A resident of the District Home does not want their medical condition discussed with their sister. This restriction would be documented on the record.

Verification
- HCD employees will need to verify identity and authority for access when they disclose protected information to someone other than the member
- This will be overseen by the Privacy Officer

An example of verification
A person who claims to be a member’s power of attorney asks to have a printout of all claims that have been paid for the member’s medical care. This request is forwarded to the Privacy Officer. The Privacy Officer asks the person to come in person and bring the legal documents that verify the power of attorney. The Privacy Officer also asks for a photo ID to verify the person’s identity.

Facility Directories
- Allows for general information to be disclosed while a resident at the District Home
- Can give location, general status, and room number when a person requests this by the resident’s name
- Clergy may be given names by religious affiliation

An example of a facility directory
A person comes to the District Home to visit a friend but doesn’t know the room number. They go to the Switchboard and ask for the resident by name. The room number is given to the person.

Privacy Officer
- The Health Care District will have a person responsible for privacy issues
- This Privacy Officer will make decisions about specific privacy issues

Personnel
- Each job classification contains a statement regarding access to protected health information
- These levels include:
  Level A – no access
  Level B – access to Welligent only
  Level C – access to HCD only
  Level D – access to HCD and HPB
  Level E – access to HCD employee health information
- Employees who breach privacy will be disciplined or sanctioned

Accounting
- An accounting is a list of disclosures
- The Health Care District will keep an accounting of all disclosures made of protected health information
- The Privacy Officer will coordinate this accounting
- Records of disclosures must be kept for six years

An example of an accounting
A member makes a request in writing to obtain an accounting of disclosures from their record. There are three instances in the record of release of payment information to an attorney representing them in a slip and fall, personal injury case at Wal-Mart. Each time this information was released because a subpoena for records was served.

Access
- Access is when a member looks at or reviews their record
- Members have the right to access their record
- Members must be allowed to review and obtain a copy of their records
- Access to records will be coordinated by the Privacy Officer

An example of access
A member requests to review “everything” in their record. The Privacy Officer arranges a time to meet. The information in the record includes claims and payment information. A printout of this information is reviewed with the member who also asks for a copy.

Amendment
- An amendment is a change, deletion or addition to a record
- Members have the right to request an amendment to their record
- The Health Care District does not have to grant this request for amendment
- Amendments will be coordinated by the Privacy Officer

An example of an amendment
The same member who asked to review his claims and payments requests an amendment to his record. The diagnosis given on the claims is Hepatitis B, but the member states he was treated for Hepatitis A. The Privacy Officer reviews the medical records from the provider and indeed finds the claim was miscoded. An amendment is made to the record and a note made on each claim with the incorrect diagnosis that references the amendment.

Complaints and Grievances
- Members have the right to make a complaint or grievance if they feel their privacy has been breached
- Complaints and grievances will be routed through Customer Service
- Complaints can also be filed with the Secretary of HHS

An example of a privacy complaint
A member calls Customer Service with a complaint about an HCD employee. The employee, who is a neighbor of the member, has been telling everyone in the neighborhood that the member has a “bad heart.” The member has never discussed their medical problems with the employee and feels their privacy has been violated. The Privacy Officer investigates and appropriate action is taken by Human Resources.

Effective Date
These regulations have an effective date of April 14, 2003. The Health Care District plan is for compliance by April 14, 2002.

ANSWERS TO HIPAA TRAINING ASSESSMENT

#1. HIPAA stands for Health Information Privacy and Access Act
False. HIPAA stands for Health Insurance Portability and Accountability Act.

#2. The Coordinated Care Program does not need to be compliant with HIPAA because it is a health plan.
False. Health plans must comply with the HIPAA regulations.

#3. The District Home does not need to be compliant with the HIPAA regulations because it is a health provider.
False. Health Providers must be compliant with the HIPAA regulations.

#4. A person’s name is considered protected health information.
True. Demographic information is considered protected health information.

#5. Notice means we tell our members and patients how we will use their protected health information.
True. A notice is a document that tells how protected health information is used and disclosed.

#6. A consent is obtained for a specific use of protected health information that is not mentioned in the notice.
False. Consent is a statement that the member consents to the notice of privacy practices. An authorization is obtained for a specific use of health information not mentioned in the notice.

#7. A member has the right to request incorrect information in their records be corrected. This is called a rectification.
False. An amendment is a change in medical records. A member has the right to request an amendment if they find incorrect information in their records.

#8. A member has no right to see what information is contained in their record.
False. A member may have access to their record. There may be some limitations on this access.

#9. A Privacy Officer is a law enforcement official who will make sure the District follows the privacy regulation.
False. A Privacy Officer is not a law enforcement official; however, s/he does have the responsibility of compliance with the privacy regulations.

#10. Only the employees of the District that act as health care practitioners need to be trained on HIPAA regulations.
False. Any employee who has access to protected health information must be trained on the regulations.