The Health Insurance Portability and Accountability Act


1 The Health Insurance Portability and Accountability Act Review of HIPAA Regulations, Parts 1 & 2 An In-service For Clinical Faculty, Supervisors and Researchers, as well as Administrative Support/Professional Staff (dealing with patient information) and Clinical Students rotating in patient care treatment areas.

2 Jessica J. Gardon Rose, PA, M.Ed. Privacy Officer HIPAA Resources at the CHP Director, Carls Center for Clinical Care & Education Office (989) Carla Wentworth Administrative HIPAA Coordinator, Carls Center Office HPB 1101 Reception Desk (989) Sept

3 What is HIPAA? The Health Insurance Portability & Accountability Act of 1996 is a Federal Regulation dealing with health records. Also known as the PRIVACY RULE, the purpose of the Act is to ensure the privacy and security of Protected Health Information with regard to patient records and research subject data.

4 Why do we need to undergo HIPAA training? Since it is unlawful to share a client's personal health information inappropriately, we need to learn how to optimally ensure: patient privacy & confidentiality; patient information security.

5 Why do we need to undergo HIPAA training? As an academic institution, employer, healthcare service and research center, CMU is committed to protecting its employees, patients and subjects within our community. CMU places trust in you to follow HIPAA policies. This is not an option; it is required. Choosing not to follow these rules could put: you at risk; CMU at risk.

6 So... The right thing to do is to: Protect patient records and data; Protect business data. In order to: Promote patient confidence in CMU services; Reduce the risk of possible litigation; Reduce the risk of any bad public relations. FYI: There are significant penalties for non-compliance, both for organizations and for employees of those organizations. (Will be discussed later.)

7 Training Objectives 1. To help you understand: What the HIPAA privacy rule is; Why it is important to you; Who must comply with HIPAA; How HIPAA affects your work, studies and/or clinical research. 2. To become familiar with CMU policies that provide guidance for complying with the HIPAA rules in regards to information privacy and security, and where to get help. 3. Ensure compliance with federal regulations.

8 This Presentation: Provides a general overview on HIPAA regulations and privacy rulings. Serves as a guide to introduce you to key concepts regarding the law for ensuring optimal patient information privacy. Includes more information on HIPAA policy (including patient information privacy, security and medical records management requirements) which is needed by CMU clinicians, clinical faculty/staff and clinical support staff before they are involved in patient care. Closes with an online quiz to review your understanding of key HIPAA elements presented in this slide show.

9 This Presentation It does not contain all provisions relating to the rules, nor does this presentation serve as legal advice in regards to HIPAA laws. For detailed information on HIPAA compliance, please refer to CMU policies at and recognized websites such as for full guidance.

10 HIPAA Components Covered What is HIPAA? Why Follow HIPAA? Who must be trained? Your Role! Patient Rights FERPA Business Associate Agreements (BAAs) CMU HIPAA Contacts HIPAA Definitions What is PHI? Reporting Violations Release of Information Identity Verification Documenting Disclosures Security Safeguarding Information Reporting Violations

11 Who Needs Training CMU employees and contracted business associates who may come in contact with PHI are Federally required to attend training at the start of employ and thereafter once a year. The months of August and September will be HIPAA review time for the CHP in order for us to be ready for the Fall Semester each year. CHP EMPLOYEES & FACULTY, please note: Regardless of when you started your employ, you will need to repeat your HIPAA review and testing during August of your recruitment year, in order to align training requirements with the once a year schedule.

12 Who Needs Training These slides include BOTH HIPAA training Parts 1 & 2! CMU Clinical Students: Before starting patient observation sessions for coursework, undergraduate clinical students must undergo review of the HIPAA basics (Part 1) presentation, including the coverage of privacy rulings. Before hands-on rendering of patient care services while under the direction of clinical supervisors, students must also undergo a more extensive HIPAA training review (Part 2, as previously discussed) including an overview of privacy and information security rulings. This training needs to be completed on an annual basis! FYI: Clinical internship sites may require additional training coordinated through their offices.

13 Who Needs Training CMU Employees (Faculty and Staff): Level of training will vary according to the individual employee's responsibilities and designated access levels needed, as determined by supervisors &/or departmental heads. Business Associates (Contracted Vendors): An annual review of HIPAA rulings and privacy training basics is also required for vendors who may have direct or indirect access to patient information!

14 HIPAA Definitions HIPAA versus FERPA. FERPA: Protects the rights of students' records; Is unique to university settings. Both HIPAA and FERPA are relevant to CMU's UHS, Sports Injury Clinic and the Carls Center! We service employees, students and members of students' families all as patients. When making determinations as to whether personally identifiable information from student health records maintained by the University may be disclosed, refer to FERPA and its requirements.

15 HIPAA-FERPA Overlap An eligible student is a student who is at least 18 years of age or who attends a post-secondary institution at any age. See 34 CFR 99.3 and 99.5(a). At postsecondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of education records if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. See 34 CFR 99.3 Education records. These records are commonly called treatment records.

16 Daily Dilemmas.1 with FERPA Under FERPA, may an eligible student inspect and review his or her treatment records? Under FERPA, treatment records, by definition, are not available to anyone other than professionals providing treatment to the student, or to physicians or other appropriate professionals of the student's choice. However, this does not prevent an educational institution from allowing a student to inspect and review such records. If the institution chooses to do so, though, such records are no longer excluded from the definition of education records and are subject to all other FERPA requirements.

17 Daily Dilemmas.2 with FERPA Are all student records maintained by a CMU health clinic considered treatment records under FERPA? Not all clinic records on eligible CMU students are treatment records under FERPA, because many such records are not made, maintained, or used only in connection with the treatment of a student. For example, billing records that a university-run health clinic maintains on a student are education records under FERPA, the disclosure of which would require prior written consent from the eligible student unless an exception applies. (See 34 CFR ) In addition, records relating to treatment that are shared with persons other than professionals providing treatment to the student are education records under FERPA. Thus, to the extent a health clinic has shared a student's treatment information with persons and for purposes other than for treatment, such information is an education record, not a treatment record under FERPA.

18 Daily Dilemmas.3 with FERPA Does FERPA permit a student's treatment records to be disclosed to a third-party health care provider for treatment? An eligible student's treatment records may be shared with health care professionals who are providing treatment to the student, including health care professionals who are not part of or not acting on behalf of the educational institution (i.e., third-party health care provider), as long as the information is being disclosed only for the purpose of providing treatment to the student. In addition, an eligible student's treatment records may be disclosed to a third-party health care provider when the student has requested that his or her records be reviewed by a physician or other appropriate professional of the student's choice. See 20 U.S.C. 1232g(a)(4)(B)(iv).

19 Bottom Line, HIPAA Privacy Standards apply to anyone who: Conducts health care support operations (ex. - scheduling, reception, billing, legal, information technology, filing); Observes, discusses, evaluates or treats clinical cases (ex. - UHS, Carls Center, Sports Injury Clinic, off site clinical and academic clinical rotation locations); Provides clinical consultation; Conducts clinical research.

20 And HIPAA Privacy Standards also apply to anyone who: Provides support service in the health care environment (ex. facility maintenance, housekeeping, security); Works through a contracted business associate/vendor, with potential access or exposure to PHI.

21 HIPAA Definition: Business Associates. A Business Associate is a person or entity who, on behalf of a covered entity, performs a function or activity that involves the use or disclosure of Protected Health Information (PHI). A covered entity may disclose PHI to its Business Associates if it obtains a written contract specifying that the Business Associate will appropriately safeguard the information.

22 Note - For Vendors HIPAA is relevant for those entities who may have direct or indirect access to patients and their health information. Examples: clinical service vendor, clinical scheduling system vendor, language interpreter, contracted housekeeping, paper shredding company. The CMU HIPAA Privacy Task Force is responsible for reviewing contracts of vendors interfacing with the Carls Center & other clinical services operating through CMU, in order to ensure that HIPAA training has been implemented.

23 HIPAA Compliance: Working with Business Associates. Other types of BAs: Claims processing or administration; Data analysis & utilization review; Accounting; Benefit Management; Computer/IT services; Auditing; Legal; Actuarial services; Transcriptionists; Accreditation work; Cleaning service; Consulting work; Marketing; Clinical software vendors.

24 What business entities need to comply with HIPAA laws? Health Plans; Health Care Clearinghouses; A health care provider who transmits any health information in electronic form; Business Associates.

25 What business entities need to comply with HIPAA laws? And CMU, since it is a Hybrid Entity. CMU has Covered Functions that are not its primary function. CMU's primary purpose is to educate. CMU also deals with healthcare related procedures.

26 CMU as a Covered Hybrid Entity: Departments Affected. Human Resources (HR) Compensation and Benefits: Self-funded Dental & Prescription Plan. HR is a covered entity because it manages employee health plans. University Health Services: A covered entity because it is a healthcare provider maintaining PHI and bills electronically for care/devices. Carls Center (and any academic, clinical or support services working within its operations): Like UHS, the Carls is a covered entity because it is a provider service maintaining patient information and bills electronically for care/devices.

27 CMU as a Covered Hybrid Entity: And Internal support entities. General Counsel; Internal Audit; Accounts Receivable; Faculty Personnel; Human Resources Employee Relations. These areas deal either with disciplinary regulations, grievances, or healthcare related transactions. It is not advantageous for these areas to receive prior authorization before reviewing a file.

28 CMU operations outside the Hybrid, and therefore not covered: CMU Information Technology (Exception: CHP's IT team); International Student Services, Office of International Education, Student Disability Services & Special Olympics. Why? Since information is not received from or sent to a provider or plan, it is not considered PHI.

29 HIPAA Privacy Rule Facts The rules apply to all oral, written, or electronic records. HIPAA prohibits the use of records for marketing without prior, specific authorization by the patient. PHI that has been de-identified is not subject to the Privacy Rule. Know how to get in touch with your HIPAA Team, which is responsible for implementing the HIPAA compliance plan, including the receipt of complaints and monitoring patient contacts. (See later slides.)

30 So what are we protecting? Protected Health Information (PHI) is any Individually Identifiable Health Information relating to past/present/future conditions created, stored or transmitted in any form/medium, such as: Verbal discussions (i.e. conversations or phone calls), so please: Make sure that phone conversations are held in private areas; Avoid discussions about clients with colleagues, clinical students and family members in the elevators, hallways and stairwells, and move into a private office or examination room to ensure confidentiality.

31 So what are we protecting? Protected Health Information (PHI) is any Individually Identifiable Health Information relating to past/present/future conditions created, stored or transmitted in any form/medium, such as: Written communications (i.e. medical chart entries, encounter/router forms, prescriptions, referral forms, insurance EOBs (explanation of benefits)); Electronic communications (fax, text, , FaceBook, etc.); Photographs or videos; Research databases; Computer applications/systems (i.e. electronic health record (EHR), scheduling/billing practice management system, etc.); Computer hardware/equipment (PCs, laptops, PDAs, mobile multifunctional smart phones, pagers, patient care devices, network servers, etc.).

32 PHI Includes: Items in the record, such as: Encounter/visit documentation; Lab Results; Appointment dates/times; Invoices; Radiology films and reports; History and Physicals (H&Ps), progress notes; Incoming fax reports and referrals, etc.

33 PHI Includes Patient Identifiers PHI includes information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.

34 Individual Identifiers (Courtesy of 1. Name 2. Geographic subdivisions smaller than a State - Street Address - City - County - Precinct - Zip Code & their equivalent geocodes, except for the initial three digits 3. Dates, except year - Birth date - Admission date - Discharge date - Date of death 4. Telephone & Fax numbers 5. Addresses 6. Social Security numbers 7. Medical record numbers 8. Health plan beneficiary numbers 9. Account numbers 10. Certificate/license numbers 11. Vehicle identifiers and serial numbers, including license plate numbers 12. Device identifiers and serial numbers 13. Web universal resource locations (URLs) 14. Internet Protocol (IP) address numbers 15. Biometric identifiers, including finger and voice prints 16. Full face photographic images and any comparable data 17. Any other unique identifying number, characteristic, or code

35 Sources of PHI, example - Ask these questions when reviewing potential PHI

36 More HIPAA Definitions Use: when we review or use PHI internally (audits, training, customer service, quality improvement). Disclose: when we release or provide PHI to someone (ex. an attorney, a patient, faxing records to another provider, etc.).

37 HIPAA Definitions - Minimum Necessary PHI What does releasing the minimum necessary PHI mean? Only use, disclose or release the minimum information needed to accomplish the intended purposes of the use, disclosure, or request. Requests from employees at CMU (ex. accounting, legal, risk management, dean's office, etc.): Identify each workforce member who needs to access PHI. Limit the PHI provided on a need-to-know basis. Requests from individuals not employed at CMU: Check for information release authorization on file. Limit the PHI provided to ONLY what is needed to accomplish the purpose for which the request was made.

38 Minimum Necessary PHI: Examples of Routine Requests & Disclosures

Requester | Purpose | Disclosures
Ambulance company | Obtain demographic and insurance information for billing | Face sheet with patient demographics & insurance information
Attorney | Evaluate individual's medical condition in support of a lawsuit | Specific information requested
Coroner | Investigate a suspicious death | Specific information requested
Disability determination | Evaluate individual's medical condition in support of disability benefits | Specific information requested
Employer | Evaluate utilization | Plan summary information (aggregate info. not individually identifiable)
Employer | Evaluate drug usage for pre-employment screening | Drug test results
Insurance company | Substantiate care provided for payment | Specific information requested in claims attachment request (often anticipated and sent in advance with claim)

Amatayakul, Margret; Brandt, Mary D.; and Dennis, Jill Callahan. "Implementing the Minimum Necessary Standard (AHIMA Practice Brief)." Journal of AHIMA 73, no.9 (2002): 96A-F.

39 Minimum Necessary PHI: Examples of Routine Requests & Disclosures, continued

Requester | Purpose | Disclosures
National security agencies (CIA, FBI, etc.) | Varies | Specific information requested
Police | Investigate accidents or crimes | Specific information requested
Food and Drug | Oversee the conduct of a clinical trial | Information about clinical trial administration
Researcher | Treating a patient in a clinical trial | Full access to the medical record for treatment purposes
School | Evaluate child's medical condition for school activities | Letter from physician or discharge summary
State data commission | Support a statewide registry | File of specific data elements requested
Workers' compensation | Evaluate individual's medical condition for benefits | Discharge summary; other specific information as requested & allowed by state law

Amatayakul, Margret; Brandt, Mary D.; and Dennis, Jill Callahan. "Implementing the Minimum Necessary Standard (AHIMA Practice Brief)." Journal of AHIMA 73, no.9 (2002): 96A-F.

40 Minimum Necessary PHI Examples of Non-Routine Requests & Disclosures

41 HIPAA Definitions - What is TPO? HIPAA allows us to Use and/or Disclose PHI for the purpose of: Treatment: providing care to patients. Payment: the provision of benefits and premium payment. Operations: normal business activities (reporting, quality improvement, training, auditing, customer service and resolution of grievances, data collection and eligibility checks, accreditation, etc.). These terms are collectively referred to as TPO. PHI used outside of TPO is not allowed without a signed authorization. TPO must be within the minimum necessary to perform our jobs.

42 Why Do We Need to Protect PHI? It's the law. To protect our reputation. To avoid potential withholding of federal Medicaid and Medicare funds. To build trust between providers and patients. If patients feel that their PHI will be kept confidential, then they will be more likely to share the information needed for their care & agree to participate in future research studies.

43 How is PHI Protected? By YOU! & By Our policies.

44 Basic HIPAA Principles One has the right to know how his/her information is used (Notice of Privacy Practices). One has the right to control the use and disclosure of his/her information (Authorization). One has the right to access, amend, and/or copy his/her information (Patient Rights under HIPAA). Covered entities and their vendors/business associates bear the risk and responsibility for protecting the uses and disclosures of the information. As mentioned earlier, there are criminal penalties if HIPAA laws are violated.

45 Three parts to HIPAA: 1. Privacy 2. Security 3. Electronic data information (EDI) exchange

46 HIPAA 1. The Privacy Rule Privacy refers to the protection of an individual's health care data. Outlines ways to safeguard Protected Health Information. Defines how patient information is used and disclosed. Sets boundaries on the use and release of health records; in particular, it limits release of information to the minimum necessary. Supports patients' privacy rights, enabling patients to: Find out how their health information may be used (and what disclosures of their information have been made to other parties); Examine and obtain copies of their own health records (and to request corrections).

47 HIPAA 2. The Security (IT) Rule Security means controlling: The confidentiality of electronic protected health information (ePHI). How patient data is electronically stored. How patient data is electronically accessed. Sept. 2010

48 HIPAA 3. EDI Electronic Data Exchange (EDI) defines the standard format of electronic transfers of information between providers and payers to carry out financial or administrative activities relating to health care. Information includes coding, billing and insurance verification data. The goal of using standardized formats is to ultimately make the billing process more efficient and to consistently monitor trends impacting healthcare costs.

49 EDI More about Transaction Standards & Code Sets Standardized code sets for medical data are required for diagnoses (ICD 9), procedures (HCPCS & CPT 10) and drugs Standardized electronic process; ex. - HCFA 1500 form National Provider Identifiers (NPI) for all health & clinical care providers to Guard data integrity, confidentiality, and availability; Reduce risk of fraud; Facilitate accuracy with electronic billing.

50 Privacy Rule Patient Rights: Right to adequate notice of privacy practices; Right to access health information; Right to request amendment of health information; Right to an accounting of disclosures; Right to request restriction of uses and disclosures.

51 Patients have the Right to File Privacy Complaints Direct all requests or complaints regarding these rights to the CHP Privacy Officer at [989] or anyone listed online on the CMU HIPAA Task Force at

52 Patients have the Right to Access (Review & Copy) Their PHI Note - Situations where access may be denied or delayed: Psychotherapy notes. PHI compiled for civil, criminal or administrative action or proceedings. PHI subject to CLIA Act of 1988 when access would be prohibited by law. Access would endanger a person's life or safety based upon a professional judgment. A correctional inmate's request may jeopardize health and safety of the inmate, other inmates or others at the correctional institution. A research study has previously secured agreement from the individual to deny access. Access is protected by the Federal Privacy Act. PHI was obtained under promise of confidentiality and access would reveal the source of the PHI.

53 Patients have the Right to Review and Amend Their PHI Right to Request an Amendment or Correct PHI. Situations where a request may be denied: CMU did not create the information. Information is not part of CMU's core record; example: outside lab results and/or consultants' reports. Record is accurate according to the health care professional that wrote it.

54 Patients have the Right to Alternate Communications Patients may request receiving communications by alternative means or at alternate locations. For example: The patient may request that a bill be sent directly to him instead of his insurance company. The patient may request we contact him/her on his/her cell phone instead of at his/her home telephone number.

55 Patients have the Right to PHI Use Restrictions Right to Request a Restriction on use and disclosure of their PHI (ex. revoke a previous authorization, request to not give to certain providers, request to not provide for research purposes). We are not required to approve the request, but must make reasonable efforts to approve it when possible.

56 Patients have the Right to Receive an Accounting of Disclosures of PHI Disclosures requiring accounting include: Required by law; For public health activities; For education purposes; Victims of abuse, neglect, violence; Health oversight activities; Judicial/Administrative proceedings; Law enforcement purposes; Workers' compensation; Organ/eye/tissue donations; Research purposes; To avert threat to health and safety; For specialized government functions; About decedents; Releases made in error to an incorrect person/entity (i.e. breach).

57 Patients have the Right to Receive an Accounting of Disclosures of PHI What are we required to document? Date of the disclosure; The name of the person the PHI was released to (and address if known); A brief description of the PHI disclosed; The purpose of the release.

58 Patients Have the Right to Receive an Accounting of Disclosures of PHI Disclosures NOT requiring accounting include disclosures made: For Treatment (to persons involved in the individual's care), Payment or Operations. To the individual subjects of the PHI. Incident to an otherwise permitted disclosure. Based on the individual's signed authorization. For national security or intelligence purposes. To correctional facilities or law enforcement on behalf of inmates.

59 More about the Privacy Rule Consent: Notice of Privacy Practices The NPP states that we are required to abide by the terms of our current Privacy Notice. The NPP: Informs patients that we will not release their PHI except as stated in our Notice. Instructs patients how to file a privacy complaint. Indicates how we will send information (mail, fax, electronic ). The NPP reflects our dedication to privacy and must be available for patient review: Copies of the NPP are issued to patients; The NPP is posted at CarlsCenter.cmich.edu; A summary of the NPP is also displayed in our waiting rooms.

60 Notice of Privacy Practices Are we still required to request that patients sign the Notice of Privacy Practices (NPP) acknowledgment prior to their first visit? Yes. Please continue to ask patients to review the policy and sign the acknowledgment before they see providers for their first appointments. Rationale: Patients sign the Acknowledgment of Receipt to confirm that they have been offered and/or received the NPP.

61 HIPAA Dilemma.1 Regarding the NPP, Who Signs What & How Often? Once a patient gets a copy of the NPP and signs the acknowledgment, that signature is good for life. If a patient or legal guardian refuses to take an NPP, this is their right. Do not force them to take one. If a patient or legal guardian refuses to sign the acknowledgment form, then document this on the form and in the system. NOTE: Once a patient turns 18, he/she must sign an acknowledgment form.

62 CMU HIPAA Documents & Forms In order to support HIPAA rules and patients' rights, your supervisor will arrange for you to become familiar with any unique HIPAA forms relating to your service or operation. In the meantime, you must become familiar with CMU documents located at HIPAA Access or Receive a Copy of PHI - Attachment A; HIPAA Request for Accounting of Disclosures of PHI - Attachment B; HIPAA Restriction Requests on the U-Disclosure of PHI - Attachment C; HIPAA Authorization for Release of PHI BLANK - Attachment D; HIPAA Amend PHI - Attachment E; HIPAA Confidential Communication - Attachment F; HIPAA Complaint Form - Attachment G; HIPAA Client Notification of Amendment to PHI - Attachment H; HIPAA Log of Disclosures - Attachment I; HIPAA Log of Release of Disclosure Accounting Information - Attachment J; HIPAA Employee Access Statement Form - Attachment K.

63 Authorization Tracking Covered entities are required to: Document and retain authorizations; Provide individuals with a copy of the signed authorization form.

64 Consent & Authorization Consent: A general document giving health care providers permission to use & disclose all PHI for treatment, payment or health care operations (TPO). It gives permission only to the provider, and not to any other person or business associate. Not required, but optional. Authorization: A customized, more detailed document giving covered entities permission to use specified PHI for specified purposes, or to disclose specified PHI to a third party. Patients need to grant authorization in advance for each type of use or disclosure. It is time sensitive.

65 REMEMBER Privacy Rule - Consent Consent to use and disclose protected health information for treatment, payment, or health care operations (TPO) is not required, and is optional for all covered entities.

66 REMEMBER Privacy Rule - Authorization There are 6 essential elements that apply to any Authorization regardless of the purpose for the use or disclosure: 1. A description of what information will be used; 2. Who will use it; 3. To whom it will be disclosed; 4. For what purpose; 5. An expiration date, and 6. A patient's dated signature. The Authorization must also provide notice of a patient's right to revoke the Authorization.

67 Information Requests - When is an Authorization Required?

68 Information Release, Family and Friends Patient present and alert: patient decides. Patient incapable of making wishes known: inferred permission to discuss current care. Care or payment. Information needed for patient's care. Must clearly be involved in payment for care (involvement is obvious, patient stated so). Notify family or friend(s): When involved in their care. Of patient's general condition. Of patient's location. When patient's ready for discharge. Of patient's death. Note: paper copies may not be released under these examples without appropriate papers on file.

69 HIPAA Dilemma.2 Information Release to Legal Guardians An individual calls to discuss appointment information with you for a patient and states he is the patient's Legal Guardian. May I discuss this with the individual? Yes, after verifying the individual is the patient's Legal Guardian and has access rights to the type of records being requested.

70 HIPAA Dilemma.3 Information Release, Power of Attorneys Can information be released to or discussed with a patient's power of attorney for health care (POA-HC)? No. A POA-HC does not allow the POA-HC to have access to that individual's medical and/or billing information until the patient has been deemed incapacitated (except in rare cases). In addition, before providing access to billing information, review the POA-HC to confirm it specifically allows this access and/or verify a Durable POA document is in place. Basically, POAs don't have any more rights than any other individual to discuss a patient's care, billing, etc. until two physicians deem the patient incapacitated. If the patient has been deemed incapacitated, a document of incapacitation is to be filed.

71 HIPAA Dilemma.4 Individual Needs to Find Patient If an individual would like to find out if a patient is in our facility, but the patient is not in our patient registry: Do not confirm or deny the patient is here, until you obtain the patient's name and requestor's name (& relationship to the patient). Inform the requesting individual that s/he will be informed once you verify the patient is in our system and the patient agrees to the information release.

72 HIPAA Dilemma.5 Voice Mail Messages Can I leave information on a patient's answering machine? Discretion is still the order of the day. While appointment reminders may be left, do not leave test results on an answering machine.

73 HIPAA Dilemma.6 Fax Communications Can I still fax things to other offices? Of course you can, but be sure to use a cover sheet that has a confidentiality statement on it. Also, you should verify your fax numbers. Using auto fax numbers can lead to faxes going to someone other than the intended receiver, so check on these regularly.

74 HIPAA Dilemma.7 Challenges with Hard of Hearing Clients Mrs. JJ is a regular patient who comes in at least every month or so. She is very hard of hearing and we have to shout in order for her to understand. Are we breaching her privacy if other patients overhear something about her condition due to the loud conversational level? No, as long as you are making an effort to have her out of the main public areas when you converse; if overheard it would be considered an unintentional breach of privacy.

75 HIPAA Dilemma.8 What about regular visits by contractors? Are we required to have business associate contracts with bio-medical equipment technicians or contractors such as plumbers, electricians, or office machines repair individuals who provide repair services? No, such repair technicians do not require access to protected health information (PHI) to perform their services for a physician's office, so they do not meet the definition of a business associate. Under the HIPAA Privacy Rule, business associates are contractors or other non-workforce members hired to do work for you that involves the use or disclosure of PHI.

76 HIPAA Dilemma.9 Patient referrals Do I need to get a signed authorization in order to send records to another physician when the Carls Center made a patient referral to him/her? Technically the answer is no. A referral is considered treatment. You are not required to have an authorization to release records for treatment, payment, and health care operations (TPO) and, of course, in an emergency. However, it is critical that only the minimum information necessary is issued out, and it is to be documented what information was sent to that doctor in the interest of continuity of care. (Use LOG of DISCLOSURES form.) It is a best practice to attempt to always get a signed authorization prior to releasing records, but if the opportunity is missed, we are still covered in the interest of the Law.

77 Identity Verification Prior to releasing PHI Ask the requesting individual to provide you with enough information to properly identify the patient, such as: Name; Date of Birth; Address; Other identifiers: Social security #, mother's maiden name. Also attempt to verify who is requesting information on a patient and the nature of the relationship to the patient: Check a physical signature &/or photo ID against a known one on file; Ask for a business card; Do a call-back to a known number. Provide only the minimum necessary to safeguard PHI.

78 Privacy Rule Authorizations for Supporting Research All investigators, including faculty, staff or students, conducting human subject research that wish to access PHI for research purposes must: Undergo review and approval through CMU's Institutional Review Board's IRBNet; Comply with HIPAA regulations; Comply with clinical department and clinical service policies. The regulation applies to clinical trials, behavior and social science studies, medical record reviews, epidemiological studies, as well as basic science research.

79 How May the Privacy Rule Affect Research? It depends on the type of information/data used, collected, received or released. Does this research involve a review of past, present, or future physical or mental health/condition of subjects, provision of health care to subjects, &/or payment for health care provided to subjects? If yes, please refer to CMU's Office of Research & Sponsored Programs ( & Institutional Review Board guidelines (

80 Exceptions for Needing To Obtain Signed Authorizations for Research 1. Data is fully de-identified, in accordance with Limited Data Set [45 CFR 164(e)(1)]; 2. Research on Decedent Information [45 CFR (i)(1)(iii)] 3. IRB waives the requirement for an authorization (and the waiver of authorization is submitted to the covered entity from which the investigator wants to receive the PHI); 4. Preparatory Reviews for Research Development [45 CFR (i)(1)(ii)] - In this case the investigator must assure the covered entity that (a) PHI use is sought solely to review health information as necessary for the research purpose &/or preparation for research protocol(s); (b) no PHI will be removed from the covered entity by the researcher in the course of the review. 80

81 Other HIPAA's Administrative Simplification, 4 components Transaction Standards & Code Sets: To create a uniform method of electronic communication. Security & Electronic Signature Standards: To guard data integrity, confidentiality, and availability. To ensure that Protected Health Information (PHI) is kept confidential. National Provider Identifier. Privacy Rule: The concentration of this presentation.

82 Preparing for HIPAA Compliance Information Security The Security component of HIPAA is aimed at guarding data integrity, confidentiality and availability. Sept

83 Preparing for HIPAA Compliance & Information Security Administrative Procedures: Procedures for selecting & executing information security measures. Technical data security services: Safeguards processes used to protect, control & monitor information access (ex. - assigned passwords for a patient scheduling system). Physical safeguards for data: Protection of actual computer systems, building entry, equipment from theft, fire, intrusion, & other environmental hazards. Technical security mechanisms: Methods used to prevent unauthorized access to data transmitted over a communications network (e.g.: secure network, firewall, encryption, etc.).

84 Examples - Preparing for HIPAA Compliance & Information Security Administrative Procedures: Annual training. Physical safeguards for data: Computer log-ins & passwords; Timed computer lock-outs; Locked offices & treatment areas; Monitor security screens; Secured building (fobs/keys); Fax cover sheets; Shredding PHI. Technical data security services: Assigned access to HIPAA-certified computers; 2nd level log-in processes for accessing authorized clinical & clinical administrative databases. Technical security mechanisms: Secure network (Carls Center clinicians and students are to file anything with PHI in the designated X-drive folders); Firewall, encryption, etc.

85 Examples - Preparing for HIPAA Compliance & Information Security Any time you leave your computer, either lock your office door or secure your computer by hitting the Windows button + L. Sept. 2010

86 Preparing for HIPAA Compliance 1. Vendors & Contractors need to (a) Undergo HIPAA training & (b) Include HIPAA/Business Associate contracting language in business agreements; 2. Written Policies & Procedures need to be reviewed & updated; 3. Optimal compliance with medical record management & documentation procedures 4. Conduct a site survey of your own area!

87 HIPAA Compliance Working with Vendors or Business Associates Covered entities are allowed to share PHI with a BA, providing that a written agreement safeguarding such information from misuse is signed by both the provider and vendor/service. NB - If an entity is subject to HIPAA, a contract may not be needed with another covered entity. 87

88 HIPAA Compliance Medical Record Management Documentation Procedures Maintain record logs. Staff are to log: Information given in response to patient authorization; Information given in response to legal requests for PHI; Any patient requests for amendments or restrictions to PHI. PHI disclosures must be kept a minimum of 6 years (& longer for minors, in accordance with State policy). Limit release of information to the minimum necessary.

89 Preparing for HIPAA Compliance Conduct a Site Survey of Your Work Areas Walk through the facility from the patient's point of view. Look for visible PHI, including information on tables & desks, in waste cans, on computer monitors, on fax machines.

90 Preparing for HIPAA Compliance Ask yourself: Are patient records secure? Are there individual & unique passwords assigned for computer systems? Are you able to overhear conversations in the hallway when colleagues are discussing patients? (Or can you hear conversations during collection calls or calls regarding other PHI?)

91 Audit Trails of What I Access CMU conducts random audits of employee and provider access to determine: Appropriateness of access, and If access is in compliance with CMU's policies. The Security regulations require this. Audit trails show what patients have been accessed, the date and time of the access, what was accessed, etc. If access appears to be inappropriate, the Privacy Officer works with leaders, Human Resources and the employee/provider to determine whether or not it was appropriate.

92 Why should we care about the HIPAA rules? CMU is a hybrid entity: Some parts of the university must comply fully as a covered entity (e.g.: Speech & Hearing Clinics), other portions are not affected at all by HIPAA (e.g.: English Dept.), and other parts are indirectly affected (e.g.: Accounts Receivable). As a single hybrid entity, if any one part of the university is found to be out of compliance, ALL other covered parts can be investigated. HIPAA is designed to empower the patient/ consumer. HIPAA ideally will minimize cost over the long term.

93 Intentional Violations If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect: Disciplinary action, up to and including termination. Civil and/or criminal charges. Examples include: Accessing PHI for purposes other than assigned job responsibilities. Attempting to learn or use another person's access information. If you're not sure about a use or disclosure, check with your Supervisor or the Privacy Officer.

94 It's Important to Report HIPAA Violations So they can be investigated, managed, and documented. So they can be prevented from happening again in the future. So damages can be kept to a minimum. To minimize your personal risk. In some instances, management may have to notify affected parties of lost, stolen, or compromised data. FYI - Incidental disclosures need not be reported, but if you're not sure, report them anyway.

95 Reporting HIPAA Violations If you are aware or suspicious of an accidental or intentional HIPAA violation, it is your responsibility to report it. CMU may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who in good faith reports a violation (whistleblowing). Refer to the [CMU HIPAA web-page] for more examples of what to report. 95

96 Suspect that confidentiality has been breached? It is important to document all conversations with health care providers about your breach of privacy. Also, if you have any paper documentation that relates to the concern, you will want to hold on to those. Contact your state insurance commissioner to report fraud from private insurance organizations or call HHS-TIPS to report fraud and abuse in Medicare and Medicaid programs. Sept

97 Violations & Sanctions Suspected violations and patient complaints regarding HIPAA Privacy & Security policies must be reported to the CMU Compliance Officer and the Privacy Officer. Clients have the option of also reporting complaints to the Secretary of the U.S. Department of Health and Human Services by calling HHS-TIPS; Michigan State Insurance Commissioner at (517) to report suspect fraud and abuse in Medicare and Medicaid programs.

98 Why should we care about the HIPAA rules? Criminal Penalties Failure to comply: $25K fine & possible exclusion from Medicare Wrongful Disclosure: $50,000, imprisonment of up to one year, or both Offense under False Pretenses: $100,000, imprisonment of up to 5 years, or both Offense with intent to sell information: $250,000, imprisonment of up to ten years, or both Sept

99 How May I Report a HIPAA Violation? Go directly to your Clinical or Departmental Director, who in turn reports the concern to the Privacy Officer for follow-up. Contact the Privacy Officer. Go to the online CMU HIPAA contact page to call the appropriate HIPAA officers or a question. 99

100 Our HIPAA Team HIPAA_Contacts.htm HIPAA Chief Privacy Officer Eileen Jennings CMU General Counsel HIPAA Security Officer Roger Rehm VP/Technology/CIO Office of Information Technology, CHP Privacy Officer Jessica Gardon Rose Carls Center Dir. (989) Sept

101 If you have questions, where else can you go? Sept

102 HIPAA Web Links Office for Research & Sponsored Programs - For researchers, see NIH resource, research.nih.gov/clin_research.asp & Office of Civil Rights resource at Regarding code sets and EDI, Whateelectronictransactionsandcodesets-4.pdf 102

103 More HIPAA Web Links www. cms.hhs.gov/hipaa html Sept

104 This concludes your HIPAA Training Please take your test to demonstrate understanding of HIPAA regulations and how to comply with HIPAA policies. For using clinical/patient scheduling software, maintaining patient research and clinical data, &/or using video-streaming technology, additional paperwork processed by Clinical Directors &/or Departmental Chairs is required.


More information

UNIVERSITY OF ILLINOIS HIPAA PRIVACY AND SECURITY DIRECTIVE

UNIVERSITY OF ILLINOIS HIPAA PRIVACY AND SECURITY DIRECTIVE May 19, 2016 UNIVERSITY OF ILLINOIS HIPAA PRIVACY AND SECURITY DIRECTIVE UNIVERSITY OF ILLINOIS HIPAA PRIVACY AND SECURITY DIRECTIVE Table of Contents DIRECTIVE INFORMATION... 4 BACKGROUND... 4 APPLICABILITY...

More information

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training SCHOOL OF PUBLIC HEALTH HIPAA Privacy Training Public Health and HIPAA This presentation will address the HIPAA Privacy regulations as they effect the activities of the School of Public Health. It is imperative

More information

VHA Privacy Policy Training FY VHA Privacy Office

VHA Privacy Policy Training FY VHA Privacy Office VHA Privacy Policy Training Applicable Confidentiality Statutes and Regulations The following legal provisions govern the collection, use, maintenance, and disclosure of information from VHA records. The

More information

FCSRMC 2017 HIPAA PRESENTATION

FCSRMC 2017 HIPAA PRESENTATION FCSRMC 2017 HIPAA PRESENTATION BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES Effective 10-9-2013 This notice of privacy practices describes how Family Chiropractic Health Care manages and protects your personal information. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU

More information

HIPAA. Health Insurance Portability and Accountability Act. Presented by the UMMC Office of Integrity and Compliance

HIPAA. Health Insurance Portability and Accountability Act. Presented by the UMMC Office of Integrity and Compliance HIPAA Health Insurance Portability and Accountability Act Presented by the UMMC Office of Integrity and Compliance Rules and Regulations to ensure Privacy Set Federally recognized standards to ensure both

More information

HIPAA Education Program

HIPAA Education Program HIPAA Education Program 2017-2018 Assurance and Compliance Services HIPAA Training Requirement This HIPAA Training Program is intended for and will satisfy the training requirement for the: Mount Sinai

More information

HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA?

HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA? DIRECTIONS HIPAA Privacy/Security Personal Privacy 1. Read through entire online training presentation 2. Close the presentation and click on Online Trainings on the Intranet home page 3. Click on the

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices Effective September 23, 2013 TCHC.org An equal opportunity employer and provider. CLINICS Baxter Bertha Henning Ottertail Sebeka Verndale Wadena HOSPITAL Wadena 415 Jefferson

More information

MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES

MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES CW CR 618 Exhibit A MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES Effective Date: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

Associates in ear, nose, throat/ Head & Neck surgery, pllc

Associates in ear, nose, throat/ Head & Neck surgery, pllc Associates in ear, nose, throat/ Head & Neck surgery, pllc Notice of Privacy Practices for Protected Health Information Associates in Ear, Nose & Throat (ENT) is providing this Notice to comply with the

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT INSTRUCTIONS Read through this presentation. Submit completed post test to the Portage County MRC Coordinator. Estimated completion time: 1 hour Learning

More information

(PLEASE PRINT) Sex M F Age Birthdate Single Married Widowed Separated Divorced. Business Address Business Phone Cell Phone

(PLEASE PRINT) Sex M F Age Birthdate Single Married Widowed Separated Divorced. Business Address Business Phone Cell Phone (PLEASE PRINT) Emma Warner, MSW, LCSW, ACSW Tulsa, OK 74105 (918) 749-6935 Personal Information Name Address Last Name First Name Initial Home Phone Soc. Sec. # City State Zip Sex M F Age Birthdate Single

More information

Pennsylvania Hospital & Surgery Center ADMINISTRATIVE POLICY MANUAL

Pennsylvania Hospital & Surgery Center ADMINISTRATIVE POLICY MANUAL Page 1 Issued: POLICY: Committee Approval: HIPAA Administrative Policy Review Committee: April 2003 April 2005 April 2006 April 2007 April 2008 Attachment(s): For purposes of this policy, Pennsylvania

More information

NEW BRIGHTON CARE CENTER

NEW BRIGHTON CARE CENTER NEW BRIGHTON CARE CENTER 805 6 th Ave NW, New Brighton, MN 55112 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

HIPAA Notice of Privacy Practices

HIPAA Notice of Privacy Practices HIPAA Notice of Privacy Practices Georgia Mountains Hospice understands that your health information is highly personal and we are committed to safeguarding your privacy. Please read this Notice of Privacy

More information

WELCOME. Payment will be expected at the time of service. Please remember our 24 hour cancellation notice.

WELCOME. Payment will be expected at the time of service. Please remember our 24 hour cancellation notice. WELCOME Those of us at Crossroads Counseling want to thank you for choosing to work with us and we want to make your time with us as productive as possible. In order to expedite the intake process, please

More information

Notice of. Privacy Practices. Dartmouth-Hitchcock Affiliated Covered Entity

Notice of. Privacy Practices. Dartmouth-Hitchcock Affiliated Covered Entity Notice of Privacy Practices Dartmouth-Hitchcock Affiliated Covered Entity This Notice describes how medical information about you may be used and disclosed and how you can get access to this information.

More information

NOTICE OF PRIVACY PRACTICES Mid-Atlantic Women s Care, PLC Effective Date: September 23, 2013 Last Revised: February 15, 2018

NOTICE OF PRIVACY PRACTICES Mid-Atlantic Women s Care, PLC Effective Date: September 23, 2013 Last Revised: February 15, 2018 NOTICE OF PRIVACY PRACTICES Mid-Atlantic Women s Care, PLC Effective Date: September 23, 2013 Last Revised: February 15, 2018 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

Patient Appointment Agreement

Patient Appointment Agreement Patient Appointment Agreement Welcome and thank you for choosing the East Carolina University School of Dental Medicine for your oral health care needs. We are committed to providing you with the best

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES VII-07B Notice of Privacy Practices (p) The MetroHealth System 2500 MetroHealth Drive Cleveland, OH 44109-1998 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW WE MAY USE AND DISCLOSE YOUR PROTECTED

More information

Breach Reporting and Safeguarding PHI Outpatient Services August, UAMS HIPAA Office Anita Westbrook

Breach Reporting and Safeguarding PHI Outpatient Services August, UAMS HIPAA Office Anita Westbrook Breach Reporting and Safeguarding PHI Outpatient Services August, 2012 UAMS HIPAA Office Anita Westbrook Breaches and Breach Reporting Real Life Example An employee of a large hospital accidentally left

More information

Greenwood Connections Notice of Privacy Practice

Greenwood Connections Notice of Privacy Practice Note: This notice describes how healthcare information about you may be used and disclosed and how you can get access to this information. Please read it carefully. This Notice is effective April 1, 2003

More information

Safeguarding PHI Nutrition Services. UAMS HIPAA Office May 2015

Safeguarding PHI Nutrition Services. UAMS HIPAA Office May 2015 Safeguarding PHI Nutrition Services UAMS HIPAA Office May 2015 HIPAA (not HIPPA) What is HIPAA? The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security

More information

BON SECOURS RICHMOND NOTICE OF PRIVACY PRACTICES

BON SECOURS RICHMOND NOTICE OF PRIVACY PRACTICES BON SECOURS RICHMOND NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFEULLY.

More information

Form B - For those enrolled in other insurance

Form B - For those enrolled in other insurance Form B - For those enrolled in other insurance PATIENT REGISTRATION Please print clearly so that we can process your information quickly and efficiently. Thank you! Name (First, M.I., Last) Date of Birth

More information

Compliance Program Code of Conduct

Compliance Program Code of Conduct City and County of San Francisco Department of Public Health Compliance Program Code of Conduct Purpose of our Code of Conduct The Department of Public Health of the City and County of San Francisco is

More information

DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI)

DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI) PRIVACY 8.0 DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI) Scope: Purpose: All workforce members (employees and non-employees), including employed medical staff, management, and others who have

More information

Privacy and Security Compliance: The. Date Presenter Name of Member Organization

Privacy and Security Compliance: The. Date Presenter Name of Member Organization Privacy and Security Compliance: The Basics Date Presenter Name of Member Organization Privacy and Security Compliance: The Context for What We Do Privacy and Security compliance within (your office) is

More information

Study Management PP STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information

Study Management PP STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information PP-501.00 SOP For Safeguarding Protected Health Information Effective date of version: 01 April 2012 Study Management PP 501.00 STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information

More information

East Carolina University 2010 Annual HIPAA Privacy Training

East Carolina University 2010 Annual HIPAA Privacy Training East Carolina University 2010 Annual HIPAA Privacy Training What are the HIPAA Privacy and Security Rules? Federal laws that govern the use and disclosure of health information of our patients and research

More information

OREGON HIPAA NOTICE FORM

OREGON HIPAA NOTICE FORM MARCIA JOHNSTON WOOD, Ph.D. Clinical Psychologist 5441 SW Macadam, #104, Portland, OR 97239 Phone (503) 248-4511/ Fax (503) 248-6385 - Effective Sept.23, 2013 - (This copy for you to keep) OREGON HIPAA

More information

Presented by the UAMS HIPAA Office August 2013 Anita B. Westbrook

Presented by the UAMS HIPAA Office August 2013 Anita B. Westbrook HIPAA and Social Media and other PHI Safeguards Presented by the UAMS HIPAA Office August 2013 Anita B. Westbrook Social Networking Let s Talk Facebook More than 750 million users Average user has 130

More information

HIPAA COMPLIANCE APPLICATION

HIPAA COMPLIANCE APPLICATION 1 HIPAA COMPLIANCE APPLICATION PROJECT TITLE: PRINCIPAL INVESTIGATOR Name (Last, First): Please complete this form if you intend to use/disclose protected health information (PHI) in your research. An

More information

The HIPAA privacy rule and long-term care : a quick guide for researchers

The HIPAA privacy rule and long-term care : a quick guide for researchers Scripps Gerontology Center Scripps Gerontology Center Publications Miami University Year 2005 The HIPAA privacy rule and long-term care : a quick guide for researchers Jane Straker Patricia Faust Miami

More information

SANTA RITA CARE CENTER Notice of Information Practices

SANTA RITA CARE CENTER Notice of Information Practices SANTA RITA CARE CENTER Notice of Information Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. I. What This Is

More information

HIPAA PRIVACY NOTICE

HIPAA PRIVACY NOTICE HIPAA PRIVACY NOTICE PLEASE REVIEW THIS NOTICE CAREFULLY. IT DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU MAY GAIN ACCESS TO THAT INFORMATION. POLICY STATEMENT This Practice

More information

INFORMED CONSENT FOR TREATMENT

INFORMED CONSENT FOR TREATMENT INFORMED CONSENT FOR TREATMENT I (name of patient), agree and consent to participate in behavioral health care services offered and provided at/by Children s Respite Care Center, a behavioral health care

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Who Presents this

More information