2. M
ANDAT
ORY
Completion of training is mandatory
under
H AA for the entire workforce of the
IP
M RB
H
Including volunteers, like yourselves.
3. What is HIPPA?
In 1996 President Clinton signed the Health Insurance
Portability and Accountability Act (HIPAA). This new
law was enacted as part of a broad congressional attempt at
incremental healthcare reform.
HIPAA has two primary purposes. One is to provide
continuous insurance coverage for workers who change
jobs, and the other is to “ reduce the costs and
administrative burdens of health care by making possible
the standardized, electronic transmission of many
administrative and financial transactions that are currently
carried out manually on paper” .
4. H AA W
IP
orkforce T
raining
HIPAA requires that the
MHRB create HIPAA policies
and procedures that may
affect your work as a Board
member.
5. T H AA T
his IP
raining
P
rogram will answer…
What does HIPAA do?
Who has to follow the HIPAA law?
What is Protected Health Information?
When do we start?
How does HIPAA affect you?
Why is HIPAA important?
6. W
hat does H P do?
IP A
H AA is the H
IP
ealth Insurance
P
ortability and Accountability Act of
1996. It is a federal law that…
– Protects the privacy of a client’ s personal and
health information
– Provides for electronic and physical security of
personal and health information
– Simplifies billing and other transactions
7. An Overview of the L
aw
H IP A A
H e a lt h I n s u r a n c e a n d P o r t a b ilit y A c t o f 1 9 9 6
T it le I
P o r t a b ilit y
T it le I I
A d m in is t r a t iv e
S im p lific a t io n
T it le I I I
M e d ic a l S a v in g s
A c c o u n ts
P R IV A C Y
EDI
S E C U R IT Y
U s e a n d D is c lo s u r e
of PHI
T r a n s a c tio n s
A d m in is tr a tiv e
P ro c e d u re s
In d iv d u a l
R ig h ts
Code
S e ts
P h y s ic a l
S a fe g u a rd s
A d m in is tr a tiv e
R e q u ir e m e n ts
Id e n tifie r s
T e c h n ic a l
S e c u rity
S e r v ic e s
T e c h n ic a l
S e c u rity
M e c h a n is m s
T it le I V
G r o u p H e a lt h P la n
P r o v is io n s
T it le V
R e v e n u e O ffs e t
P r o v is io n
8. HIPAA is the FLOOR
HIPAA regulations are the minimum
starting point for protecting health
information and do not supersede any rules,
regulations, or standards that are more
stringent. For example, if ODMH rules are
more stringent than HIPAA rules, we must
follow the ODMH rule.
9. Organizational and
Administrative Requirements
A Privacy Officer must be appointed to
implement and develop privacy policies and
procedures for the agency.
Must train all employees (current and new) on
privacy policies and procedures.
Must amend all business associate contracts
to establish the permitted and required uses
and disclosures of PHI.
Must verify the identity and authority of
person requesting PHI.
10. Organizational and
Administrative Requirements
Must disseminate a notice of our
privacy practices to existing clients and
all new clients and within 60 days of any
material revision.
Must notify clients every 3 years of the
availability of the notice.
A covered entity with a website must
post their notice on the web.
11. Organizational and
Administrative Requirements
Must document compliance with notice
requirements and keep copies of
notices issued.
Must document who is responsible for
receiving and processing client inquiries
regarding his/her PHI.
14. W Is Impacted?
ho
Health care providers – A provider of medical, psychiatric,
or other health services, and any other person or entity
furnishing health care services or supplies.
Health plans – an individual or group health plan that
provides or pays the cost of medical care.
Clearinghouses – A public or private entity that processes
or facilitates the processing of non-standard data elements
of health information into standard data elements and who
transmits any health information in electronic form in
connection with a transaction covered in the legislation.
Business Associates and Trading Partners
15. Business Associate
A person or entity to whom a covered entity
discloses protected health information, to
perform a function on behalf of or to
provide services to a covered entity.
Includes lawyers, accountants, consultants,
and accrediting agencies.
Must have a contract obligating them to
safeguard protected health information.
16. B
usiness Associate Contracts
Must establish the permitted and required uses and
disclosures of protected health information by the
business associate and may not authorize further
disclosure in violation of the regulations
If the covered entity knows of a practice or pattern
of activity that constitutes a material breach of the
business associate’ s obligations under the contract,
the covered entity must take reasonable steps to
ensure cure of the breach or terminate the contract
or report the problem to the Secretary of Health
and Human Services.
17. B
usiness Associate
Obligations
Must not use or disclose protected health information in
violation of the law or contract.
Implement safeguards against improper use or disclosure.
Ensure that any agents or subcontractors agree to fulfill
contractual and legal obligations.
Afford individual access to records; make available
records for amendment by the individual; account to the
individual for use or disclosure other than for payment,
treatment, or operations.
At termination of the contract, return or destroy protected
health information.
18. W
hat Is Impacted?
T
RANSACT
IONS
A transaction is the exchange of information
between two parties to carry out financial and
administrative activities related to health care. It
includes:
– H
ealth claims or encounter information,
– H
ealth care payment and E
xplanation of B
enefits
(E ),
OB
19. W
hat Is Impacted?
T
ransactions Continued
Coordination of benefits,
Enrollment/disenrollment in a health plan,
Eligibility for a health plan,
Health plan premium payments,
Referral certification and authorization,
First report of injury, and
Health claims attachments.
20. W
hat Is Impacted?
P
ROT CT D H AL H INF
E E E T
ORM ION
AT
Protected Health Information is defined as any information,
whether oral or recorded, in any form or medium, that(A) Is created or received by a provider, health plan, public
health authority, employer, life insurer, school, or
clearinghouse; and
(B) Relates to the past, present or future physical or mental
health or condition of an individual, the provision of health
care to an individual, or the past, present, or future
payment for the provision of health care to an individual.
21. What is considered
Protected Health Information?
A person’ s name, address, birth
date, age, phone and fax numbers, email address
Medical records, diagnosis, x-rays,
photos, prescriptions, lab work, test
results
Billing records, claim data, referral
authorizations, explanation of
benefits
Research records
22. The Board may create, use
and share a person’ s PHI for:
Treatment
Billing and Payment
Agency Business
Management and
Operations
Disclosures Required by
Law
Public Health and Other
Governmental Reporting
23. PHI Consent
Some uses and disclosures of PHI do not
require consent.
The use and disclosure of protected health
information relating to treatment, payment,
or health care operations does not require
prior written consent.
24. Minimum Necessary Rule
When using or disclosing Protected Health
Information (PHI) or when requesting PHI
from another covered entity, The Board
must make reasonable efforts to limit PHI
to the minimum necessary to accomplish
the intended purpose of the use, disclosure,
or request, unless an exception applies.
25. Minimum Necessary Rule
Exceptions
The minimum necessary requirement does not apply in the following
instances:
Disclosures to or requests by a health care entity for purposes of
treatment.
Uses or disclosures made to the individual who is the subject of the
PHI.
Uses or disclosures made pursuant to a valid authorization initiated by
the individual.
Disclosures to the secretary of the Department of Health and Human
Services
(HHS).
Uses or disclosures that are required by law.
Uses or disclosures required for compliance under HIPAA, including
compliance with the implementation specifications for
conducting standard data transactions.
26. Requests for Disclosure
The Board may rely on a request for disclosure as the minimum necessary
for the stated purpose when:
Making permitted disclosures to public officials, if the public official
represents that the information is the minimum necessary for the stated
purpose(s).
The information is requested by another covered entity.
The information is requested by a professional who is a member of
The Board’ s workforce or is a business associate of Board for the
purpose of providing professional services to The Board if the
professional represents that the information requested is the minimum
necessary for the stated purpose(s).
The information is requested for research purposes and the person
requesting the information has provided documentation or
representations to The Board verifying such intended purpose.
27. Using and Disclosing PHI
Without Consent
When a disclosure is required
by federal, state, or local law,
judicial or administrative
proceedings, or law
enforcement.
Disclosure without your
consent can occur in certain
emergency treatment situations.
To avoid harm.
For specific government
functions.
For workers'
compensation purposes.
Appointment reminders
and health-related benefits
or services.
For fundraising activities,
public health activities,
organ donations, and for
research purposes.
28. Verification
In certain instances, as permitted or required by law, The
Board can or must disclose an individual’s PHI, even
where there is no specific consent or authorization from
the individual to do so.
No PHI will be disclosed without precautions being made
to assure that the identity of the person requesting PHI
information is verified and that they have the authority to
have access to the information requested.
29. Verification of Identity
When the identity of the person seeking disclosure of an individual’s PHI is not known
to The Board, verification of the person’s identity is as follows:
If the request is made in person, presentation of an agency identification badge,
other official credentials, or other proof of government status.
If the request is in writing, the request is on the appropriate government
letterhead
or other accepted proof of identity is documented.
If the disclosure is to a person acting on behalf of a public official, a written
statement on appropriate government letterhead that the person is acting under
the governments’ authority or other evidence or documentation of agency, such
as a contract for services, memorandum of understanding, or purchase order,
that establishes that the person is acting on behalf of the public official.
30. Verification of Authority
To verify the authority of a public official, The Board may rely on any of the
following:
A written statement of the legal authority under which the information is
requested or,
2. if a written statement is impracticable, an oral statement of such legal
authority,
3. If a request is made pursuant to legal process, a warrant, subpoena, order,
or other legal process issued by a grand jury or a judicial or administrative
tribunal will be presumed to constitute legal authority.
31. Privacy Notice
Every client is provided with a Notice of Privacy
Practices upon enrollment at a contract agency
The Notice describes”
– How the MHRB can use and share protected health
information, and
– Every client’ s privacy rights
The privacy notice is also published on the
MHRB’ s web page.
Copies of the Notice of Privacy are available from
the Privacy Officer or Secretary.
32. Clients’ PHI Rights
One of the purposes of the new H AA rule is
IP
to give clients more control over their P I.
H
Such as:
The right to request limits on uses and disclosures
of their PHI.
The right to choose how the agency sends PHI to
them.
The right to view and obtain copies of their PHI.
The right to correct or update their PHI.
33. How do clients
exercise these rights?
Special forms to request changes,
corrections, copies, etc. are available from
the Privacy Officer.
34. What client information
must be protected?
We must protect a client’ s personal and
health information that:
– Is created, kept, filed, used or shared
– Is written, spoken, electronic or digital
As already stated HIPAA defines client
personal and health information as
Protected Health Information or “ PHI” for
short.
36. How will HIPAA
affect your duties?
If you currently see, use, share and/
or
create a person’s protected health
information as part of your job or
duties, H AA will change the way you
IP
work.
You must protect the privacy of the
client and M RB workforce protected
H ’s
health information.
37. When can you use PHI?
ONLY to do your job or duties!
At all other times, protect a client’ s
information as if it were your own
information!
38. H can you use P I?
ow
H
You may look at a person’ s
PHI only if you need it to do
your job or duties.
You may use a person’ s PHI
only if you need it to do your job or duties.
You may give a person’ s PHI to
others when it is necessary for them to do their jobs.
You may talk to others about a person’ s PHI only if it is
necessary to do your job or duties.
39. Why is HIPAA important?
P
rotecting privacy is important!
W all want our P I to be
e
H
private
Our clients want their P I to
H
be private
It’s the right thing to do
It’s the law
40. What can happen if we
don’ t follow HIPAA?
Someone who does not
protect a person’ s personal
and/or health care privacy
could:
– Lose his/her job
– Pay fines
– Go to jail
45. H AA Stories
IP
Please read the following two
HIPAA stories carefully as
you will be asked to discuss
them
on the quiz.
46. H AA Story #1: Annie
IP
After serving on the client’s rights appeal committee, I
ran into the customer Annie, who filed the appeal at the
grocery store. She came up to me and started talking
about her appeal, the medications she was placed on
and how she was not feeling any better. I told her I
could not discuss her appeal that it was confidential,
and that it takes time for some medications to work.
Did I do the right thing?
47. H AA Story #2: B
IP
arry
I happened to be using the copier in the MHRB office
when a fax arrived. I did not read any of the details
but recognized the client name on the incident report.
I did not do anything with the information and kept it
to myself.
Did I do the right thing?
48. W
here to F Out
ind
M
ore About H AA
IP
The Privacy Notice is on the agency’ s
Internet Website: www.whmhrb.org
Contact Kim Tapie, Compliance and
Privacy Officer with questions and/or
concerns
Review HIPAA materials in the Board’ s
Operations Manual