TRANSCRIPT
CCHAP Practice Manager’s Meeting HIPAA Guidelines and Updates for Primary Care Practices
Thursday October 24th 2013 Noon – 1:00PM
Instructions to join the meeting remotely:
1. Open a web browser and enter URL: www.readytalk.com
Enter participant access code: 2093166
2. Phone in for the audio portion of the conference:
1-866-740-1260 - then enter the access code: 2093166
MEETING HANDOUTS: www.cchap.org/pmmeeting
HIPAA GUIDELINES AND UPDATES
Kara Kohn, RN, [email protected]
HIPAA
2013 Omnibus Rules and Updates
What is HIPAA?
Health Insurance Portability and Accountability Act was enacted in 1996
Protects health insurance coverage when there is a change or loss of jobs for workers and their families
What is HIPAA?
Required national standards for electronic health care transactions
Gave rights to individuals 12-18 for their own privacy (including from parents)
Enacted privacy standards for PHI (Protected Health Information)
Key Terms and Definitions
Privacy: Patient’s right over the use and disclosure of their own protected health information
Security: Specific measures a Covered Entity (your practice) must take to secure protected health information from unauthorized breaches of privacy
Protected Health Information (PHI): Any identifiable information which relates to an individual’s past, present or future physical health or condition, and for which there is reasonable cause to believe it can be used to identify that individual
Protected Health Information (PHI)
Name
Zip Code
Birth Date
Telephone Number
Fax Number
Account Number
Email Address
Social Security Number
Medical Record Number
Health Plan Numbers
Certificate/license number
Vehicle Identifiers and Serial Numbers
Device Identifiers and Serial Numbers
IP and URL address numbers
Biometric Identifiers (finger or voice prints)
Full-face photos or images
Any other unique identifying number, characteristic or code
What is New?
Requests for electronic medical charts
Request to not share information with health plans
Immunization information allowed to be shared
Restrictions for marketing, fundraising and sale of PHI
Genetic information and insurance
Business associates compliance
New notices of Privacy Practices
Chart Requests
Patients can ask for copies of their medical information in electronic format
Patients can still ask for medical information via paper format
30 days to produce this information
No more 30 day extensions
Request by Patients
If all services are paid in full, in person, during a visit, a request can be made to not share information with their health plans
This includes the treatments that were received during that specific visit
Immunization Records
If a parent or guardian gives written permission, your office can provide immunization information to a school
This is for schools that are required by law to have it
This process is more streamlined, making it easier for both parents and practices
Marketing, Fundraising and Genetic Information
Increased restrictions on how patients’ information is used and disclosed to third parties for marketing and fundraising
Patients cannot have their personal information sold to outside parties without their written consent to do so
Insurance companies cannot use genetic information for coverage and cost determinations
Business Associate
All Business Associates must now adhere to all HIPAA rules and regulations when in possession of PHI
A Business Associate is anyone that works in association with your practice and has access to patient information
Does not include doctor-to-doctor business, healthcare providers, insurance companies or pharmacies
Who is a Business Associate
Health Information Organizations
E-prescribing Gateways
Data Transmission Services (personal health record vendors)
Labs
Confirmation Services
Collection Agencies
Software Companies
IT Techs
Consultants
Sales Reps
After Hours Services
Business Associates cont.
Any new Business Associates to your practice should have a signed agreement by September 23, 2013
Existing Business Associates have until September 23, 2014 to sign the new agreement
You are not required to train your Business Associates
If they have a subcontractor assisting them, the Business Associates will need to have their own contract in place with their subcontractor
Increased Privacy Protection
Any disclosure of PHI is now considered a breach (examples follow)
This can include inadvertent release of PHI
Any suspected or known breach must be reported
Risk assessment must be completed and documented any time that a breach is reported
Fines of $50,000 for each violation, up to a limit of $1.5 million annually
Examples of a Breach
Any posting of pictures or patient identification onto social websites (Facebook, Twitter, Instagram, etc.)
Conversations in the waiting room disclosing PHI
Loss of office laptop containing patient information
Paperwork given to the wrong patient
Verbal communication via phone to someone who is not the patient or their parent/guardian
Examples of a Breach cont.
Permission is asked to share patient information with parents/guardians in room (age dependent)
Faxing patient information to the wrong number
Email communication sent to the wrong address or email group
Computer screen with patient information that can be viewed by other patients/families
Placing of PHI in a regular trash container
What Needs to Be Done in the Event of a Breach?
No longer report only a “Significant Risk”. All presumed risks are considered a breach.
Complete Breach Assessment Form
Report via HHS Website http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Potentially contact patients with knowledge of suspected or confirmed breach
How to Prevent
Any and all paperwork changing hands is verified so that each and every page belongs to the patient it is handed to
All patients are asked their permission to proceed speaking when there are visitors in the room that are not a parent/guardian/POA
All conversations are held at a reasonable tone and appropriate venues in the patient care area. Do not discuss patient care in hallways, waiting rooms, or exam rooms with doors open
How to Prevent
All fax numbers are verified before hitting send, and a fax cover sheet with a confidentiality statement is used at all times
All charts are maintained securely away from public view
All printouts with patient information are placed facedown when you step away from the desk
Computer screens are locked when you step away, even momentarily
Patient information is not thrown into a general trash can
Questions?
Thank you