Transcription of HIPAA Basic Privacy Training - MedPro
2015 HIPAA Basic Privacy Training

Objectives
By the end of this program, participants should be able to:
- Discuss the background and purpose of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
- Identify the ways in which HIPAA applies to healthcare providers
- Review basic HIPAA definitions
- Apply HIPAA basics in the practice setting

What is HIPAA?
HIPAA is a federal law enacted in original intent of HIPAA was to reduce costs, simplify administrative processes, and improve the privacy and security of individuals' health information in the healthcare has five major s Privacy Rule was enacted to protect the confidentiality of patients' health

(CE) Healthcare providers, health plans, and healthcare clearinghouses who electronically transmit any
(PHI) Information the CE creates or receives that identifies the patient, including demographic information ( , addresses, phone numbers, etc.)
PHI can relate to the past, present, or future physical or mental health or condition of a
(BA) A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a impermissible use or disclosure of PHI that compromises the security or privacy of

Whom Does HIPAA Apply?
HIPAA applies to all staff (including temporary staff, students, and volunteers) and any vendors (business associates) that have access to

responsibilities
All staff members have a duty to:
- Maintain the confidentiality of patients' PHI as required by HIPAA
- Use, view, or discuss patients' PHI only as required by job responsibilities
- Understand HIPAA policies
- Immediately notify the organization's privacy officer of any suspected or actual breach of patients' PHI
- Direct questions or concerns to the organization's privacy officer
NOTE: Never informally discuss or make comments

HIPAA in the Practice Setting
The Notice of Privacy Practices sets forth how an organization will use and disclose patients' PHI (including examples).
All patients are required to have an opportunity to obtain and read a copy of the organization's Notice of Privacy Practices and sign an acknowledgement form on their first visit
of Privacy Practices

Releasing Patients' PHI: Patient Rights
Patients have a right to:
- View and receive a copy of their medical records
- Request amendments or changes to their medical records
- Request restrictions to the use or disclosure of their PHI
- Request an accounting of the disclosures of their PHI

Releasing Patients' PHI: Basic Rules
Patients' information can be released without authorization if the purpose is for treatment, payment, or healthcare of patients' PHI for anything other than treatment, payment, or healthcare operations requires completion of an exceptions exist for public health monitoring activities ( , disease reporting), government oversight, and some law enforcement investigations.
However, staff should always consult with the privacy officer to ensure proper

of PHI to BAs
Authorizations are not required for BAs who perform certain functions for the of BAs include billing companies, transcription services, IT vendors, and authorizations are not necessary for BAs; however, business associate agreements which set out the duties required of the BA to protect patients' PHI are

is the Minimum Necessary Standard?
Whenever patients' PHI is used or disclosed, whether to another CE or BA, only the information necessary to accomplish the intended purpose should be : The practice uses a collection agency that has requested billing information on several patients. The practice sends the billing information, but also includes patients' diagnostic information.
The collection agency does not need the diagnostic information to perform its tasks; thus, the practice has violated the minimum necessary

Notification Examples
NOTE: Staff should immediately notify a supervisor or privacy officer if they suspect or discover a breach has
- at a neighbor's medical record out of curiosity
- Mailing billing information to the wrong patient
- Losing an unencrypted thumb drive
- Talking to a family member about a patient
- Providing records to an attorney without authorization
- Lost or stolen computer that contains PHI

Civil Monetary Penalties
Failure to comply with policies and procedures may result in corrective action. CEs (including individual employees) and BAs are subject to civil monetary penalties (fines) and

| Conduct | Penalty |
| --- | --- |
| Knowingly obtaining or disclosing PHI without authorization | Up to $50,000 fine and 1 year in prison |
| If done under false pretenses | Up to $100,000 fine and 5 years in prison |
| If done with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm | Up to $250,000 fine and 10 years in prison |

42 1320d-5(d)
Criminal Penalties

Frequently Asked Questions
Yes, as long as the patient does I call a patient's name in the waiting room?
You can provide the information only if the patient has listed his/her spouse as a person who may receive their patient's spouse calls to ask about recent test results? Can I provide him/her with this information?

Yes, if the patient designates faxing or mailing as the way he/she wants to receive a copy of the record. The patient should sign an authorization to provide a record of the I fax or mail a copy of a patient's medical record?

Frequently Asked Questions
You should never release the original record, which is the property of the healthcare organization. HIPAA stipulates that patients may receive a copy. You can offer to allow the patient to inspect the original record onsite with patient asks for his/her original I provide the original?

Yes, you are required to comply with the request as long as the patient pays for the services out of patient has requested that we do not provide information to his/her insurance company.
Can we honor that request?

Summary
Be familiar with HIPAA policies in your organization and how they specifically affect your job patients' rights in relation to reviewing, requesting, and releasing rules in relation to the release of PHI to BAs, as well as the concept of minimum necessary standard. Promptly report any suspected t hesitate to ask questions.