Training Guide:
Objective: To provide a complete overview of what HIPAA means for you, your organization, and your patients as well as ensure that you are knowledgeable and comfortable with the regulations and organizational policies that YOU are responsible for in regards to the safeguarding of Protected Health Information (PHI).
This Training Guide is designed to walk you through the pertinent HIPAA regulations you will be responsible for in your day to day operational duties. Our goal is to make you an expert in protecting the privacy information our patients and clients trust us with every day. So, let’s get started! Be on the lookout for this symbol ** , it will assist in pointing out some key points to keep in mind!
Let’s start with the most obvious question. What is HIPAA anyway, and what is the purpose?
**HIPAA is an acronym and stands for the Health Insurance Portability and Accountability Act of 1996. Its purpose is to provide a framework for the establishment of nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for electronic transmission of health information.
HIPAA Awareness should be promoted at the very beginning of the Compliance Process.
The key to HIPAA compliance is Education! Penalties for non-compliance can be Civil and Criminal.
**The following are implications of non-compliance with HIPAA:
**Under HIPAA an Individual has the right to request:
**PHI stands for Protected Health Information, and includes protected health information stored on any form of media which is referred to as ePHI. Some examples of ePHI include:
**An authorization is required to release PHI for any and all Non-routine disclosures. Please refer to our company’s policy guidelines to determine if authorization is required. If you are unsure whether authorization is required, ask. Never guess. It is better to be safe than sorry!
Privacy refers to the protection of an individual’s health care data.
The Privacy Rule was enacted April 14, 2003 and gives patients privacy rights and more control over their own health information as well as defines how patient information is used and disclosed. The Privacy Rule also outlines ways to safeguard PHI.
**Requirements of HIPAA Privacy include:
The Administrative Simplification section of HIPAA consists of standards for the following areas:
What are Business Associates?
**Business Associates are any company or entity that we are contracted with to assist in the performance of a function or activity involving the use or disclosure of PHI or ePHI. You can obtain a Business Associate Agreement by contacting our Privacy Officer. Some examples of a Business Associate are:
If a Business Associate discovers PHI was improperly used or disclosed they are obligated to notify the Covered Entity.
Examples of a Covered Entity:
To ensure HIPAA Compliance, the following is true about Business Associate Contracts:
**The HIPAA Security Rule is a technology neutral, federally mandated “floor” of protection whose primary objective is to protect the confidentiality, integrity, and availability of individually identifiable health information in electronic form when it is stored, maintained, or transmitted.
**The main purpose for Standardized Transactions and Code Sets under HIPAA is to provide a common standard for the transfer of healthcare information.
HITECH/Omnibus/ARRA:
**HITECH stands for Health Information Technology for Economic and Clinical Health.
**The Omnibus Rule:
Objective: To provide a complete overview of what HIPAA means for you, your organization, and your patients as well as ensure that you are knowledgeable and comfortable with the regulations and organizational policies that YOU are responsible for in regards to the safeguarding of Protected Health Information (PHI).
This Training Guide is designed to walk you through the pertinent HIPAA regulations you will be responsible for in your day to day operational duties. Our goal is to make you an expert in protecting the privacy information our patients and clients trust us with every day. So, let’s get started! Be on the lookout for this symbol ** , it will assist in pointing out some key points to keep in mind!
Let’s start with the most obvious question. What is HIPAA anyway, and what is the purpose?
**HIPAA is an acronym and stands for the Health Insurance Portability and Accountability Act of 1996. Its purpose is to provide a framework for the establishment of nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for electronic transmission of health information.
HIPAA Awareness should be promoted at the very beginning of the Compliance Process.
The key to HIPAA compliance is Education! Penalties for non-compliance can be Civil and Criminal.
**The following are implications of non-compliance with HIPAA:
- Financial Penalties
- Public exposure that could lead to loss of Market Share
- Loss of Accreditation (JCAHO, NCQA, etc.)
- Litigation damages
- Imprisonment
**Under HIPAA an Individual has the right to request:
- Access to their PHI
- A copy of their PHI
- A correction to their PHI
- An accounting of where their PHI has been disclosed
**PHI stands for Protected Health Information, and includes protected health information stored on any form of media which is referred to as ePHI. Some examples of ePHI include:
- Electronic Medical Records (EMR)
- Computer Databases with Treatment History
- Electronic Claims
- Digital X-rays
**An authorization is required to release PHI for any and all Non-routine disclosures. Please refer to our company’s policy guidelines to determine if authorization is required. If you are unsure whether authorization is required, ask. Never guess. It is better to be safe than sorry!
Privacy refers to the protection of an individual’s health care data.
The Privacy Rule was enacted April 14, 2003 and gives patients privacy rights and more control over their own health information as well as defines how patient information is used and disclosed. The Privacy Rule also outlines ways to safeguard PHI.
**Requirements of HIPAA Privacy include:
- Designating a Privacy Officer
- Business Associate Contracts
- Policies, Procedures, and Systems
- Ongoing Training for Staff and Agents
- The HIPAA Privacy Standards provide a “Federal Floor” for healthcare privacy and security standards and do NOT override more strict laws which potentially requires providers to support two systems and follow more stringent State Law.
The Administrative Simplification section of HIPAA consists of standards for the following areas:
- Transactions, Code Sets, Identifiers
- Privacy
- Security
What are Business Associates?
**Business Associates are any company or entity that we are contracted with to assist in the performance of a function or activity involving the use or disclosure of PHI or ePHI. You can obtain a Business Associate Agreement by contacting our Privacy Officer. Some examples of a Business Associate are:
- Medical Billing and Collections Company
- Data Storage Company
- IT Consultant
- Companies that Transmit PHI to a Covered Entity
- Medical Transcription Company
- Subcontractors to Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate
If a Business Associate discovers PHI was improperly used or disclosed they are obligated to notify the Covered Entity.
Examples of a Covered Entity:
- Healthcare Provider
- Health Plan
- Healthcare Clearinghouse
- Is required between a Covered Entity and the Business Associate if PHI will be shared between the two.
- It is a written assurance that a Business Associate will appropriately safeguard PHI they use or have disclosed to them from a covered entity
- Defines the obligations of a Business Associate
- Can be either a new contract or an addendum to an existing contract.
To ensure HIPAA Compliance, the following is true about Business Associate Contracts:
- Both Covered Entities and Business Associates are required to ensure that a Business Associate Contract is in place to be in compliance with HIPAA
- Business Associates are required to ensure that Business Associate Contracts are in place with any of the Business Associates’ Subcontractors
- Covered Entities are required to obtain ‘satisfactory assurances’ from Business Associates that PHI will be protected as required by HIPAA
**The HIPAA Security Rule is a technology neutral, federally mandated “floor” of protection whose primary objective is to protect the confidentiality, integrity, and availability of individually identifiable health information in electronic form when it is stored, maintained, or transmitted.
- Only Covered Entities or Business Associates that do not create, receive, maintain or transmit ePHI are exempt from the HIPAA Security Rule
- Any person or organization that stores or transmits individually identifiable health information electronically must comply with the Security Rule
- Name
- Medical Record Number
- Social Security Number (most controversial)
- Telephone Number
- Email address
- Their size, complexity, and capabilities
- Their technical infrastructure, hardware and software security capabilities
- The costs of security measures
- The probability and critical nature of potential risks to ePHI
- Their access to, and use of ePHI
- Protect the integrity, confidentiality, and availability of health information
- Protect against unauthorized uses or disclosures
- Protect against hazards such as floods, fire, etc.
- Ensure members of the workforce and Business Associates comply with such safeguards
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Policies and Procedures
- Training
- Internal Audits
- Door locks
- Screen savers/Locks
- Fireproofed and Locked Record Storage
- Passwords
- Security Logs
- Firewalls
- Data Encryption
- It is NEVER ok to walk away from your computer or work station without locking it and/or logging off.
- YOU are responsible for your username/password when accessing the computer system as well as all information accessed under this login.
- As part of Insurance reform, individuals can transfer jobs and not be denied health insurance because of pre-existing conditions.
**The main purpose for Standardized Transactions and Code Sets under HIPAA is to provide a common standard for the transfer of healthcare information.
- HIPAA Standardized Transactions are standard transactions to streamline the major health insurance processes.
- Code Sets are standards for describing diseases, symptoms, injuries, and actions.
- Decreased administrative costs
- Accurate and timely processing
- Elimination of the inefficiencies of handling paper documents
- Improvement of overall data quality
- Streamlining business to business transactions
HITECH/Omnibus/ARRA:
**HITECH stands for Health Information Technology for Economic and Clinical Health.
- HITECH also provides the establishment of a nationwide framework for the protection of patient confidentiality, security of electronic systems, and the electronic transmission of data.
**The Omnibus Rule:
- The Omnibus Rule is meant to strengthen and modernize HIPAA by incorporating provisions of the HITECH and the Gina Act as well as finalizing, clarifying, and providing detailed guidance on many previous aspects of HIPAA.
- Became effective on March 26, 2013.
- Covered Entities and Business Associates had until September 23, 2013 to comply.
- One of the major purposes of the HITECH Act was to stimulate and greatly expand the use Electronic Health Records (EHR) to improve efficiency and reduce costs in the healthcare system and to provide stimulus to the economy
- It includes incentives related to health information technology and specific incentives for providers to adopt EHR’s
- It expands the scope of privacy and security protections available under HIPAA in anticipation of the massive expansion in the exchange of ePHI
- Increased penalties and enforcement
- Expanded privacy guards for individuals
- Direct enforcement of Business Associates
- Breach Notification of unsecured PHI
- Business Associate contract required
