Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees

Upload: dylan-lindsey

Post on 03-Jan-2016


Training Objectives

Employees will have a general understanding of the core elements of the HIPAA privacy provisions.

Employees will know who the County’s HIPAA Privacy Officer is and how to contact the Privacy Officer.

Employees will have a general understanding of the County’s HIPAA Privacy Policies and Procedures.

What is HIPAA?

Health Insurance Portability and Accountability Act of 1996.

Administrative Simplification:
– Transactions and Code Sets
– Security
– Privacy

Terminology

PHI

Covered Entities

Business Associate

Minimum Necessary

Designated Record Set

HIPAA Privacy Requirements

To comply with HIPAA the county must:
– Adopt written policies and procedures.
– Adopt Notice of County Privacy Practices.
– Designate privacy officer.
– Designate employees with access to PHI.
– Train employees on HIPAA.
– Be in compliance with privacy provisions by April 14, 2003.

Penalties for Noncompliance

Criminal penalties
– Up to $50,000 and one year in prison for obtaining or disclosing PHI.
– Up to $100,000 and up to five years in prison for obtaining PHI under false pretenses.
– Up to $250,000 and up to ten years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage or personal gain or malicious harm.

Penalties for Noncompliance

Civil Penalties
– A county that violates the privacy standards will be subject to civil liability which includes fines of $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.

County Sanctions for Noncompliance

[insert county sanctions for noncompliance]

State Law Preemption

HIPAA preempts contrary state law unless the state law provides greater protection.

[insert county name] HIPAA Privacy Officer

[insert name]

[insert address]

[insert phone number]

[insert email]

Individual Privacy Rights: Notice of Privacy Practices

Individuals have the right to receive the county’s “Notice of Privacy Practices.”

The Notice of Privacy Practices explains to individuals how the county routinely manages its confidential data, including how PHI is used and disclosed.

Individual Privacy Rights: Access to PHI

Individuals have the right to request access to certain medical records.

Individuals have the right to copy certain medical records.

Individuals have the right to receive a decision within 30 days of the request.

If access is denied, the individual has the right to receive a written description of the denial.

Individual Privacy Rights: Restriction on Use and Disclosure

Individuals have a right to request restriction on uses and disclosures about treatment, payment or health care operations.

Individuals have the right to request that the county restrict disclosures to family members.

Individual Privacy Rights: Confidential Communications

Individuals have the right to receive communications of PHI by alternate means or at alternate locations.

The county must accommodate reasonable requests for alternate means or alternate locations.

Individual Privacy Rights: Right to Request Amendments

Individuals have the right to request revisions or corrections to any part of the record that the individual believes is incorrect.

Some requests may be denied.

Individuals have the right to receive a decision within 60 days.

Individual Privacy Rights: Accounting of Disclosures

Individuals have the right to an accounting of disclosures, other than treatment, payment or operation, made by the county.

The county is not required to account for disclosures made to the individual or made with a signed authorization.

Individuals have the right to receive a decision within 60 days.

Individual Privacy Rights: Right to File Complaint

Individuals have the right to file a complaint if they believe their rights have been violated.

County Responsibilities: Minimum Necessary

The county must make reasonable efforts to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.

The county must identify those employees who need access to carry out their duties.

The county must make reasonable efforts to limit the access of each identified employee.