Health Insurance Portability and Accountability Act (HIPAA)
CCAC
Learning Outcomes
• Define HIPAA
• Describe Privacy Rule/Covered Entities
• Define Protected Health Information (PHI)
• Know When to Use and Disclose PHI
• Define De-identified PHI
• Describe Need to Comply With HIPAA
What is HIPAA?
• Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996
• Department of Health and Human Services (DHHS) administers the Act
HIPAA Primary Objectives
• Improve portability and continuity of health insurance coverage
• Combat waste, fraud and abuse in health care
• Promote the use of medical savings accounts
• Improve access to long-term care services
• Simplify administration of health insurance
Why the Need for HIPAA?
• Advancements in Technology
Allows greater access to protected health information (PHI)
Increased use of electronic transmission of patient data
HIPAA Privacy Rule
• Published in Federal Register December 28, 2000
45 CFR: Part 160: General Administrative Requirements
45 CFR: Part 162: Administrative Requirements
45 CFR: Part 164: Security and Privacy
• http://www.hhs.gov/ocr/hipaa
Covered Entities
• Health Plan
• Health Care Clearinghouse
• Health Care Provider
Covered Entities
• Business Associate
• Hybrid
Protected Health Information (PHI)
• Individually Identifiable Health Information held or transmitted by a covered entity or its business associate
in any form or media
whether electronic, paper or oral
Individually Identifiable Health Information
• Past, present or future physical or mental health condition or payment for provision of health care, or
• Provision of health care identifying the individual by
Name
Address
Birth date
Social Security Number
Protected Health Information (PHI)
• Electronic
Computer Systems
• Oral
Formal and Informal Presentations, Discussions
• Written
Medical Records, Reports, Publications, Letters, Faxes
Permitted Uses and Disclosures
• Without an individual’s authorization:
Treatment, Payment, and Health Care Operations
Opportunity to Agree or Object
Incidental to otherwise permitted use
Public Interest and Benefit Activities
Limited Data Set
Permitted Uses and Disclosures
• May Not use or disclose except either as the:
Privacy Rule permits or requires, or
Individual or personal representative authorizes in writing
• Must disclose in two situations:
To individuals when requested
DHHS in compliance investigation or review or enforcement action
Minimum Necessary
• Covered entity must:
Make reasonable effort to disclose minimum amount of information to meet the purpose
Develop and implement policies and procedures for reasonable limit
Not use, disclose, or request the entire medical record unless it can justify whole record is reasonably needed for the purpose
Individual’s Rights
• Know who may use and/or disclose PHI and to whom PHI is disclosed and for what purpose
• Know the duration of the use/disclosure of PHI
• Revoke the use and/or disclosure of PHI at any time in writing
• Have access to inspect and obtain a copy of own PHI
• Provide Written Authorization for use and/or disclosure of PHI
Limited Data Set
• Certain, specified direct identifiers removed
• Used and disclosed for
Research
Health care operations
Public health purposes
• Recipient promises safeguards
De-Identified Health Information
• No restrictions on use or disclosure
• Neither identifies nor provides a reasonable basis to identify an individual
• Two ways to de-identify
1. Formal determination of qualified person
2. Removal of specified identifiers
HIPAA Exercise #1
• What are specified identifiers?
List on a flipchart
Specified Identifiers
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
Specified Identifiers
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
• ________________
Authorization
• Who provides?
• What is included?
• When is it necessary?
• Who is involved in the process?
Authorization
• Provided by individual in writing
• Written in specific terms
May allow use and disclosure by covered entity or third party
Written in plain language
Authorization
• Contains specific information
Description of information to be used/disclosed in specific and meaningful fashion
Persons disclosing and receiving
Expiration date or “none”
Right to revoke
Individual’s signature and date
Authorization
• Covered Entity and Individual
• Privacy Board
• Institutional Review Board (Research)
• Copy provided to individual
• Examples of required use
Authorization Required
• Psychotherapy Notes
• Marketing with following exceptions:
Face-to-face between covered entity and individual
Covered entity’s provision of promotional gifts of nominal value
• If direct or indirect remuneration from a third party, fact must be revealed
Authorization in Research
• Waiver or Authorization Required
• Review and Approval by a Privacy Board or IRB
Statement identifying Board and Date of Approval
Signed by Chair or designee
Privacy Practices Notice
• Covered entities must provide since April 14, 2003
• Notice to contain certain elements
• Deliver to patients
• Posted at each service delivery site
• Available on request
• On Website
Privacy Practices Notice
• Obtain written acknowledgement from patients of receipt
• Document reason for failure to obtain written acknowledgement
Enforcement of HIPAA
• Office of Civil Rights (OCR) is responsible
• Covered entity investigated after a complaint is received
• Process may include
Investigations and Compliance Reviews
Compliance with HIPAA
• Processes for Filing Complaints
• Covered Entities to provide
records
compliance reports
• Cooperate with and permit access to information
Penalties
• General Penalty: $100 per person per violation up to $25,000/year
• Wrongful Disclosure Penalties
Enforced by Department of Justice
Fined up to $50,000, imprisoned not more than 1 year or both
Penalties
• Wrongful Disclosure Penalties
Fined up to $100,000, imprisoned not more than 5 years or both for obtaining PHI under false pretenses
Fined up to $250,000, imprisoned not more than 10 years for obtaining PHI with intent to sell, transfer, or use for commercial advantage, personal gain or malicious harm
HIPAA Exercise #2
• Handout in binder
• Fill in the blanks with the number preceding the correct answer
• Some numbers may be used more than once
Summary
• HIPAA and the Privacy Rule
• Covered Entities Responsibilities
• Individually Identifiable Health Information
• Use and Disclosure of PHI
• Authorizations
• De-Identified PHI
• Compliance with HIPAA
References
• OCR Privacy Rule Summary Revised 05/03
• HIPAA Privacy Rule
Annotated to Reflect August 14, 2002 Modifications; HIPAA Advisory.com/Courtesy of William MacBain, MacBain & MacBain, LLC
• Public Law 104-191, August 21, 1996, An Act
• http://www.hhs.gov/ocr/hipaa