Reviewed & Revised - April 2014 Hertford County Public Health Authority HIPAA Employee Annual Training Presentation Presented by: Renée Davenport, HCPHA’s Privacy Officer

Upload: courtney-matis

Post on 14-Dec-2015


TRANSCRIPT

Reviewed & Revised - April 2014

Hertford County Public Health Authority

HIPAA Employee Annual Training Presentation

Presented by: Renée Davenport, HCPHA’s Privacy Officer

Acronyms

HIPAA – Health Insurance Portability and Accountability Act of 1996
PHI – Protected Health Information
IIHI – Individually Identifiable Health Information
EIHI – Electronic Identifiable Health Information
EMR/EHR – Electronic Medical Records/Electronic Health Records
NOPP – Notice of Privacy Practices
CE – Covered Entity
BA – Business Associate
BAA – Business Associates Agreement
HITECH – Health Information Technology for Economic and Clinical Health
ARRA – American Recovery and Reinvestment Act of 2009
OMNI – Omnibus Rule
GINA – Genetic Information Nondiscrimination Act of 2008
DHHS – Department of Health and Human Services
OCR – Office of Civil Rights

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed into law by President Clinton in 1996. It was divided into 2 titles:

• Portability – Title I provides consumers with the ability to transfer or continue health coverage for themselves and their families when they change or lose jobs.

• Privacy, Administrative Simplification – Title II of HIPAA details privacy and confidentiality requirements and mandates industry-wide standards for the electronic distribution of health records and billing.

Title II cont’d.

• Title II of HIPAA is the title that specifically applies to healthcare providers and other covered entities, such as insurance companies and third-party billing agencies. The US Department of Health and Human Services (HHS) has mandated 5 rules under Title II with which covered entities must comply:

The Privacy Rule
The Transactions and Code Sets Rule
The Security Rule
The Unique Identifiers Rule
The Enforcement Rule

WHO IS AFFECTED?

The law applies to covered entities. Covered entities are individuals, businesses or agencies that transmit any information in electronic form in connection with a transaction for which HHS has adopted a standard, such as:

health care providers
health care clearinghouses
health plans

The law also applies to certain business associates of covered entities.

WHO HAS TO FOLLOW THE LAW?

Hertford County Public Health Authority (all departments and staff handling PHI)
Hertford-Gates Home Health Agency (billing department and staff handling PHI)
All business associates that handle PHI.

Privacy Rule - provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes. 

Security Rule - specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information. 

Enforcement Rule - contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.

TRANSACTIONS AND CODE SET STANDARDS

TCS Rule - The HIPAA Transactions and Code Set Standards are rules that standardize the electronic exchange of patient-identifiable, health-related information and allow information to be exchanged from computer to computer without human involvement. The Centers for Medicare & Medicaid Services (CMS) is responsible for enforcing the electronic transactions and code set standards.

Unique Identifiers

The Centers for Medicare & Medicaid Services (CMS) introduced four unique identifiers which promise to standardize the identification numbers for providers and employers and to ensure future consistency and ease of use.

The four unique identifiers are:

• The Standard Unique Employer Identifier - the standard employer number found on our W-2 forms.

• The National Provider Identifier (NPI) – the number used to identify health care providers.

• The National Health Plan Identifier (NHI) - a CMS-proposed identifier to identify health plans and payers.

• The National Individual Identifier (NII) - the government has stopped endorsing development of the NII; concern about compromising individual privacy can be seen as the reason it was discarded.

Unique Identifiers Cont’d

• Under HIPAA, if a covered entity conducts one of the adopted transactions electronically, it must use the adopted standard. Covered entities must adhere to the content and format requirements of each transaction.

• Under HIPAA, HHS also adopted specific code sets for diagnoses and procedures to be used in all transactions. The HCPCS (Ancillary Services/Procedures), CPT-4 (Physicians’ Procedures), CDT (Dental Terminology), ICD-9 (Diagnosis and hospital inpatient Procedures), ICD-10 (as of October 1, 2014) and NDC (National Drug Codes) codes, with which providers and health plans are familiar, are the adopted code sets for procedures, diagnoses, and drugs.

Enforcement Rule

The Enforcement Rule covers the investigation of breaches and the resulting penalties.

What is a “Breach”?

A breach is, generally, an unauthorized acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

What information must be protected?

Personal and health information that can be identified to a specific individual must be protected.

HIPAA calls this information PHI. PHI includes all written, spoken and electronic information that relates to the health of an individual, is created, kept, filed, used, or shared by your department, and includes at least one of several personal identifiers.

Examples of PHI (“Protected Health Information”)

• Medical records, diagnosis, test results, clinical notes, prescriptions

• Billing records, claim data, referral authorizations, explanation of benefits

Personal Identifiers are …

– Names
– Geographic subdivisions smaller than a state, including street address, city, county and zip code (except the initial three digits of a zip code, when combining all zip codes with the same initial three digits gives an area of more than 20,000 people)
– Names of relatives and employers
– All elements of dates (except year), including DOB, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
– Telephone numbers
– Fax numbers
– Email addresses
– Social Security Number (SSN)
– Medical Record Numbers
– Health plan beneficiary number
– Account numbers
– Certificate/License Number
– Vehicle identifiers, including license plate numbers
– Device ID and serial number
– Uniform Resource Locators (URLs)
– Internet Protocol (IP) addresses
– Biometric identifiers (finger and voice prints)
– Full face photographic images and comparable images
– Any other unique identifying number, characteristic or code.
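The identifier list above is also the checklist a department uses when it has to strip a record down to something it can share without it remaining PHI. The script below is an added example written for this page, not code from HCPHA or from the training presentation: it applies the two rules with a numeric threshold (the zip-code population rule and the age-over-89 aggregation) to a structured record, reduces dates to the year, and scans free-text notes for a few of the direct identifiers on the list (SSN, e-mail, phone, IP address) before redacting them. The population figures for 3-digit zip prefixes and the sample record are constructed for the demonstration and are not census or patient data; the regular expressions cover only a handful of identifier types and are illustrative, not exhaustive.

```python
"""Safe Harbor-style de-identification helper (added example, not HCPHA's code).

Applies rules from the identifier list to a structured record:
  * zip codes keep their first three digits only, and even those are
    suppressed ("000") when the combined 3-digit area has 20,000 people or fewer;
  * ages over 89 collapse into the single category "90 or older";
  * dates keep only the year.
It also scans free-text notes for a few direct identifiers (SSN, e-mail,
phone, IP address) and redacts them.  Population figures and the sample
record are CONSTRUCTED for the demonstration.
"""
import re
from datetime import date

# Constructed population figures per 3-digit zip prefix (assumption, not census data).
# A real deployment must load the current census table; unknown prefixes are
# treated as small areas so the code fails closed.
ZIP3_POPULATION = {"275": 500_000, "036": 12_000}

# Illustrative patterns for a few of the listed identifiers; they are not exhaustive.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep the initial three digits only when their combined area exceeds 20,000 people."""
    prefix = zip_code.strip()[:3]
    if ZIP3_POPULATION.get(prefix, 0) > 20_000:
        return prefix
    return "000"


def generalize_age(age):
    """Ages over 89 are aggregated into one category."""
    return "90 or older" if age > 89 else str(age)


def year_only(d):
    """All date elements except the year are identifiers, so keep the year alone."""
    return str(d.year)


def age_on(dob, today):
    """Whole years completed between date of birth and the reference date."""
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1)


def scan_free_text(text):
    """Return {identifier_type: [matches]} for the patterns found in the text."""
    hits = {}
    for name, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def redact_free_text(text):
    """Replace every match with a labelled placeholder."""
    for name, pattern in PATTERNS.items():
        text = pattern.sub("[%s REDACTED]" % name.upper(), text)
    return text


def deidentify(record, today):
    """Build a record that carries none of the listed identifiers."""
    # The name is dropped entirely; nothing else from the input is copied through.
    return {
        "zip3": generalize_zip(record["zip"]),
        "age": generalize_age(age_on(record["dob"], today)),
        "admission_year": year_only(record["admission"]),
        "notes": redact_free_text(record["notes"]),
    }


# Constructed sample record (fictitious data) and a fixed reference date.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": date(1920, 1, 1),
    "zip": "27589",
    "admission": date(2014, 3, 10),
    "notes": ("Called pt at 252-555-0100, e-mail nurse@example.org, "
              "chart viewed from 10.0.0.5, SSN 123-45-6789."),
}
REFERENCE_DATE = date(2014, 4, 1)

if __name__ == "__main__":
    print(scan_free_text(SAMPLE_RECORD["notes"]))
    print(deidentify(SAMPLE_RECORD, REFERENCE_DATE))
```

Two design points matter more than the regexes. The zip lookup defaults to a population of zero, so a prefix missing from the table is suppressed rather than passed through. And the output record is built field by field from generalized values instead of copying the input and deleting known-bad keys, so a new identifier column added upstream cannot leak through unnoticed.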

Why is Privacy important?

• As storage and transmission of records move to electronic format, the possibility of unintentional disclosure and intentional misuse increases.

• We all want our privacy protected when we are patients or clients… it’s the ethical thing to do.

• HIPAA and North Carolina laws require us to protect a person’s privacy.

Things to Be Aware Of:

• Sharing “PHI” about clients with staff. Staff should not discuss information about clients with other staff members unless it pertains to their job.

• Having telephone conversations on the speaker phone and relaying “PHI” when others (staff, visitors, etc.) may be in the hallway, the next office, etc. and can hear the information.

• Discussing “PHI” in the hallways or open areas.

• Leaving patient information open on your desk when you are away from it (it needs to be covered).

Safeguard PHI! Secure PHI!

Do not share or give anyone your password.

Do not log onto your computer and allow someone else to use it in your absence.

Log off computers (control, alt, delete) when finished and secure paper records that contain PHI.

Shred documents containing PHI prior to disposal or use shredding containers.

Privacy and Security

• The laws have been updated to combine the Privacy and Security rules and to require covered entities to use electronic medical records.

• This also makes it necessary to ensure that PHI is protected and secured, since electronic records are more readily accessible.

HIPAA Security Guidance

• There have been a number of security incidents related to the use of laptops, other portable and/or mobile devices and external hardware which store, contain or are used to access Electronic Protected Health Information (EPHI).

• All covered entities are required to be in compliance with the HIPAA Security Rule, which includes reviewing and modifying, where necessary, security policies and procedures on a regular basis. This is particularly relevant for organizations that allow remote access to EPHI through portable devices, or on external systems or hardware not owned or managed by the covered entity.

• The devices and tools about which there is growing concern because of their vulnerability include the following examples: laptops; home-based personal computers; PDAs and smart phones; hotel, library or other public workstations and Wireless Access Points (WAPs); USB flash drives and memory cards; floppy disks; CDs; DVDs; backup media; email; smart cards; and remote access devices (including security hardware).

Security Cont’d

• In general, covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. Some examples of appropriate business cases might include:

A home health nurse collecting and accessing patient data using a PDA or laptop during a home health visit;
A physician accessing an e-prescribing application on a PDA, while out of the office, to respond to patient requests for refills;
A health plan employee transporting backup enrollee data on a media storage device to an offsite facility.

• Specifically, with respect to remote access to or use of EPHI, covered entities should place significant emphasis and attention on their:

Risk analysis and risk management strategies;
Policies and procedures for safeguarding EPHI;
Security awareness and training on the policies & procedures for safeguarding EPHI.

ARRA – the American Recovery and Reinvestment Act. The three immediate goals of the Recovery Act are:

Create new jobs and save existing ones
Spur economic activity and invest in long-term growth
Foster unprecedented levels of accountability and transparency in government spending

HITECH Act - Health Information Technology for Economic and Clinical Health

This was enacted as part of the American Recovery and Reinvestment Act to promote the adoption and meaningful use of health information technology.

It addresses the privacy and security concerns associated with the electronic transmission of health information. It also gives enforcement authority to the State Attorney General (SAG) to protect state residents whose HIPAA protections and rights have been violated.

The provisions are specifically designed to work together to provide the assistance and technical support to providers, enable coordination and alignment within and among states, establish connectivity to the public health community in case of emergencies and assure the workforce is properly trained and equipped to be meaningful users of certified Electronic Health Records (EHRs).

The act stipulates that, as of 2011, healthcare providers will be offered financial incentives for demonstrating meaningful use of electronic health records. Incentives will be offered until 2015. After that point, penalties may be charged for failing to demonstrate such use. The act also established grants for training centers for the personnel required to support a health IT infrastructure.

HITECH cont’d:

• HITECH is the first “Federal” breach notification law.

• Basically it means that upon the discovery of a breach of unsecured PHI, covered entities (HCPHA) and business associates must make the required notifications.

• All breaches that are not considered to carry a low probability/risk of harm must be reported to the Office of Civil Rights (OCR). All breaches involving more than 500 people will be reported to the media.

“Breach Exceptions”

There are three exceptions to the definition of “breach.” 

• The first exception applies to the unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a covered entity or business associate.  

• The second exception applies to the inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate.  In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.  

• The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.

Terms to Understand

• Concept of Knowledge – Information/situation involved must be with the knowledge and understanding that a HIPAA violation took place.

• Willful Neglect – Failure or reckless indifference to HIPAA security compliance obligations.

• Malicious Intent – Was it willful, consciously reckless?

• Intent – Unintentional, didn’t mean any harm?

• Reasonable Cause – HIPAA violations that occur under circumstances that would make it unreasonable to have occurred through any other means.

The OCR will investigate all cases of possible willful neglect and will impose penalties on all violations due to willful neglect.

HITECH Enforcement Tiers

Violation Category                 Each Violation        All Identical Violations per Calendar Year
Did Not Know                       $100 – $50,000        $1,500,000
Reasonable Cause                   $1,000 – $50,000      $1,500,000
Willful Neglect – Corrected        $10,000 – $50,000     $1,500,000
Willful Neglect – Not Corrected    $50,000               $1,500,000

What does this all mean? New Patient Rights

• Medical practices must provide patients with an updated copy of the Notice of Privacy Practices showing the new patient rights.

• Patients can order healthcare providers not to tell their health insurer about services they elect to pay for out of pocket.

• Providers cannot sell a patient’s protected health information (PHI) without his or her explicit authorization (fundraisers, marketing, etc.).

• If a patient’s PHI accidentally goes public, the provider must notify the patient of the breach.

• Patients can request a copy of their entire medical records, except psychotherapy notes.

The U.S. Department of Health and Human Services released the HIPAA omnibus final rule on January 17, 2013. The final rule took effect on March 26, 2013, and covered entities and business associates are required to comply with the applicable requirements of the final rule by September 23, 2013.

The “Omnibus Rule” modifies the HIPAA Privacy, Security, and Enforcement regulations in the following ways:

• Makes business associates and subcontractors of business associates of covered entities directly liable for compliance with the HIPAA Privacy & Security rules.

• Strengthens the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization

• Expands an individual’s rights to receive electronic copies of his or her health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out-of-pocket in full

• Requires modifications to a covered entity’s Notice of Privacy Practices

• Adopts the Enforcement Rule, particularly regarding privacy breaches and penalties.

• Creates an increased and tiered civil money penalty structure for security breaches.

• Modifies and clarifies the definition of what constitutes a reportable privacy breach and the factors covered entities and business associates must consider when determining whether a reportable breach has occurred.

What Is a “Business Associate”?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate.

Business associate functions and activities include:

Claims processing or administration
Data analysis, processing or administration
Utilization review
Quality assurance
Billing
Benefit management
Practice management
Repricing

Business associate services are:

Legal
Actuarial
Accounting
Consulting
Data aggregation
Management
Administrative
Accreditation
Financial

Examples of Business Associates

• A third party administrator that assists a health plan with claims processing.

• A CPA firm whose accounting services to a health care provider involve access to protected health information.

• An attorney whose legal services to a health plan involve access to protected health information.

• A consultant that performs utilization reviews for a hospital.

• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

• An independent medical transcriptionist that provides transcription services to a physician.

• A pharmacy benefits manager that manages a health plan’s pharmacist network.

Under the new laws, Business Associates and their sub-contractors will be held accountable for breaches and must notify the Covered Entity even if a Business Associate contract is not in place.

How HIPAA affects HCPHA

• HIPAA requires Hertford County Public Health Authority to…

– Give each person seeking services from a provider department a Notice of Privacy Practices that describes:
• How the Agency can use and share PHI
• The individual’s privacy rights and rights of access

– Ask each new (& annually visited) person to sign a written acknowledgment that they have received the Notice of Privacy Practices.

What’s Been Added So Far at HCPHA?

• New NOPP – located on the HCPHA intranet for Staff to print, copy and give to client.

• Staff are now required to sign a HIPAA Violations Sanctions Policy Acknowledgment, along with the HCPHA Technology Appropriate Use Policy.

• New Business Associates Contract – located on the intranet for Staff. A guide sheet defining a Business Associate is located on the intranet. (Department Heads need to review the definition of Business Associates and make a list of facilities, businesses, and individuals that will need to sign the contract.) The Privacy Officer will follow up on this.

HCPHA – HIPAA Training

Employees are required to comply with all updates to privacy and security rules as they develop. New HIPAA Privacy/Security policies and procedures will be added to the intranet as they are approved by HCPHA administration and the BOH.

The revised training quiz is located on our intranet website at:

Please complete and return it to your Privacy Officer.

This is to ensure that we are in compliance with HIPAA in keeping information confidential (HR Policies): HIPAA Workforce Sanctions Policy (New)

This ensures that we are in compliance with HIPAA in using our office equipment as well (HR Policies): Technology Usage Policy