Health Insurance Portability and Accountability Act (HIPAA)
Compliance in the University Setting
Speech & Hearing Sciences
HIPAA
• The Health Insurance Portability and Accountability Act of 1996
• Federal law mandates compliance with patient privacy rules designed to maintain confidentiality of medical information
• No federal rules to protect privacy of health information existed until Standards for Privacy were published 12/28/2000.
Purposes for HIPAA
1. Make health care more portable for people changing employment
2. Transmit electronic health data more efficiently (standardize formats)
3. Create a framework to guard the privacy of health information.
Who Must Comply with HIPAA Privacy?
• Healthcare Providers who transmit any health information in electronic form.
• “Covered entities” include health care providers who conduct certain financial and administrative transactions such as billing electronically.
• Lamar University is a covered entity.
Protected Health Information (PHI)
PHI means health information, in any form, collected or created as health care is provided. If that information includes any identifying factors (birth date, SSN, etc.) it is considered PHI.
PHI
• Social Security Number
• Health plan beneficiary numbers and other identifying information
• Account numbers
• Certificate of license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Full face photographic images and other comparable images
• Name
• Medical record numbers and clinic file #s
• Geographic subdivision smaller than a state, including street address, city, county, precinct, zip code
• Any and all dates (except the year), including birth date, encounter date, and date of death
• Telephone numbers
• Fax numbers
• E-mail addresses
• Any other unique identifying number, characteristic or code
• Biometric identifiers, including fingerprints and voice prints
De-Identified Information is…
… not “protected health information” as defined in the HIPAA Privacy Regulation. Information is considered de-identified if all of the PHI is removed.
Safeguards
Must reasonably safeguard Protected Health Information (PHI) from an intentional or unintentional use or disclosure that is in violation of patient privacy policies and applicable federal and state law.
Client/Patient Files
• Clients will receive a copy of the Lamar Notice of Privacy Practices (NPP)
• Client will sign the Acknowledgement that they have been given a copy of the Lamar Notice of Privacy Practices (NPP)
• You must make a reasonable effort to have the client sign the form. However, the client is not required to sign the Acknowledgment form.
Oral communications regarding PHI
• Do not disclose PHI when discussing a client with a caregiver in the waiting room
• Do not discuss clients outside of the clinic
• Do not discuss a client with anyone other than supervisors, unless specified on the Authorization form
• Do not allow telephone calls discussing a client to be overheard by others
• De-identify clients for class discussions.
More information regarding PHI
• Telephone messages
– May leave telephone messages and appointment reminders on the client’s answering machine if there is no link to medical information
– May identify clinic name and appointment time
– Exception: if the client requested an alternate means of communication
• Sign-in Sheets - First Name only
• Cancellation board - Date, Time, Clinician, Supervisor, and Client Initials only
Sign-In Sheets
May SLP clinics and/or Physician offices use patient sign-in sheets or call out the names of their patients in their waiting rooms? - YES -
• You may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.
• The sign-in sheet may not display medical information (the type of speech or hearing problem the patient is going to see the SLP for).
Client Records - Paper
• Do not remove client record from building
• Store record in locked file cabinet in secure area
• Lock record overnight
• Turn record face down when using on desk/table
• De-identify working files
• Secure test protocols in file immediately after evaluation session
Video/Audio Recordings
• Mark with client initials and date of service only
• View or listen only in presence of treatment team
• Erase tapes or return to clinical facility
E-mails
1. If you need to communicate with a patient and wish to use e-mail, you can send an e-mail asking the individual to contact you by phone at a particular time
2. Your e-mail should be general and not include confidential, diagnostic, or treatment related information
3. Do NOT ever use SSN, diagnostic, treatment or any other protected health information in any e-mails.
4. Do NOT ever e-mail test results to a patient
5. It is OK to e-mail appointment reminders; however, the e-mail should be general and should NOT include the patient’s name.
– Example: “This e-mail is to remind you of your appointment at the Speech & Language Clinic on September 5, 2009 at 10:00 am. If you cannot keep the appointment, please call 880-8171.”
6. You can also direct a patient to pick up an item ordered with the following e-mail: “The item that was ordered for you has been received and is available for you to pick up at the Speech & Hearing building between 8:00 - 5:00. Please call 880-8171 if you have any questions.”
7. If a patient sends you an e-mail, it is preferred that you call them back. If you need to e-mail a reply, delete the patient’s original message and respond with general information ONLY.
8. It is also recommended that you include a confidentiality statement at the end of your e-mails.
Fax
• Use a cover sheet with confidentiality statement
– Do not state any PHI on the cover sheet (e.g., client name, DOB, medical record number, etc.)
• Sending faxes
– Ensure correct fax number before transmission
– Call and verify any number in question before sending
– Verify correct fax number has been dialed
– Re-file faxed information with fax cover sheet in client’s record
– Document transmission in client record
• Receiving faxes
– Remove transmission from tray immediately upon completion of transmittal
– Count pages to ensure all have been received
– Place documents containing PHI in a sealed envelope in the appropriate person’s mailbox.
Paperwork & Mail
• PHI destruction
– Paper PHI: shred all paper documents with PHI
– Electronic PHI: overwrite or reformat disk
• De-identify all information
– When writing reports, the client’s name should be referred to as La. Kri. (Lata Krishnan)
• Mail - Campus & US
– Place in sealed envelopes (no open envelopes to mail room)
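As an added example that is not part of this training deck or Lamar University's own tooling, the following Python applies the two de-identification rules the deck states: the report-naming convention (La. Kri. for Lata Krishnan, which the code generalizes as the first two letters of the first name plus the first three of the last name, an assumption drawn from that single example) and the rule that information is de-identified only once every PHI identifier is removed. It scans working text for the identifier categories from the PHI list that have a recognizable shape (SSN, phone and fax numbers, e-mail addresses, dates other than a bare year, ZIP codes, IP addresses, URLs) and masks them. The sample record, client name aside, is constructed. Names, street addresses, cities and record numbers have no reliable pattern, so the scan is a backstop for the reviewer, not a substitute.

```python
import re
from typing import Dict, List

# Patterns for the PHI categories that can be recognised mechanically.
# They are deliberately simple; free-text identifiers (names, addresses,
# cities, clinic file numbers) still need a human reviewer.
IDENTIFIER_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # phone and fax numbers: optional area code, then NNN-NNNN
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])?\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # full dates are PHI; a bare year (e.g. 2009) is allowed by the list,
    # so only month/day/year and "Month D, YYYY" forms are matched
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}, \d{4})\b"
    ),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return each identifier category found in text with its matching strings."""
    found: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def is_deidentified(text: str) -> bool:
    """True when none of the pattern-detectable identifier categories remain."""
    return not find_identifiers(text)


def report_alias(full_name: str) -> str:
    """Abbreviate a client name the way the deck does for reports:
    'Lata Krishnan' -> 'La. Kri.'. Generalised here (an assumption from that one
    example) as the first two letters of the first name and the first three of
    the last name."""
    parts = full_name.split()
    if not parts:
        raise ValueError("empty name")
    first, last = parts[0], parts[-1]
    return f"{first[:2]}. {last[:3]}."


def sanitize_report(text: str, client_name: str) -> str:
    """Replace the client's name with the report alias, then mask every
    pattern-detectable identifier with a bracketed category label."""
    text = re.sub(re.escape(client_name), report_alias(client_name), text,
                  flags=re.IGNORECASE)
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed working-file text (fictional numbers; 555-01xx is a reserved
# fictional exchange) of the kind the deck says must be de-identified.
SAMPLE_DRAFT = (
    "Client Lata Krishnan (SSN 123-45-6789, DOB 03/14/1975) was seen on "
    "09/05/2009 for an articulation evaluation. Contact: lata.k@example.com, "
    "(409) 555-0123, 123 Main St, Beaumont TX 77710."
)

if __name__ == "__main__":
    for category, hits in find_identifiers(SAMPLE_DRAFT).items():
        print(f"{category:6s} {hits}")
    print(sanitize_report(SAMPLE_DRAFT, "Lata Krishnan"))
```

Running the block lists the identifiers found in the sample and prints the masked text; note that the street address and city survive the scan, which is why the deck's instruction to de-identify working files still rests on the person writing the report.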
Passwords
• Include a combination of letters and numbers
• Do not reveal to anyone
• Do not post on or near workstations
• Change regularly according to security procedures
Visitors
• Visitors and clients
– Must be accompanied by members of the workforce when in areas with PHI
• Parent, guardian, legal representative, or family member
– May observe a session relating only to the parent’s child or family member who is receiving services.
Simultaneous sessions
• During simultaneous sessions in observation rooms that allow viewing into more than one treatment area:
1. These individuals may not observe unless accompanied by students, clinic supervisors, or members of the treatment or diagnostic team; and
2. Only one client may be observed during a treatment or diagnostic session.
Authorization Form
The client, parent, guardian, or legal representative must sign the Authorization for Use and Disclosure of Health Information form to allow observations by individuals who are not university students, clinic supervisors, or members of the treatment or diagnostic team (i.e., teachers, case managers, etc.)
Observations
• Students must have received HIPAA training
– May observe clinic sessions for clinical training purposes - must be trained in HIPAA
– Must follow procedures as stated in Clinic Observation Policies
– Must keep observation information confidential
• Information may not be discussed with others who are not part of the client’s treatment or diagnostic team.
HIPAA Enforcement
• Civil penalties: Up to $100 per violation, up to $25,000 per person, per year for identical violations
• Federal criminal penalties: up to $50,000 and one year in prison for obtaining or disclosing PHI, up to $100,000 and up to 5 years in prison for obtaining health information under false pretenses
• Up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.
Compliance and Enforcement
• Since the compliance date in April 2003 there have been 27,070 HIPAA Privacy Complaints.
• 3/4 of the complaints have been resolved
National Provider Identifier
• Unique health identifier for healthcare providers
• Designed to improve the efficiency and effectiveness of the healthcare system and is part of the HIPAA legislation
• Compliance date: May 23, 2007
Who can have an NPI?
• Any healthcare provider
• Healthcare providers are individuals and organizations
• Numbers will be assigned for life
Do you feel ready to take the quiz?
You must make a 90 to be successful on the quiz.
That means you must retake the quiz if you make below 90.
Speech & Hearing Sciences
______________________________________
Has successfully completed training in the Health Insurance Portability and Accountability Act (HIPAA).
___________________ _________________
SLP Graduate Student Signature Date
___________________ _________________
LU Clinical Supervisor Date
Information about our patients is strictly confidential and should not be discussed in public places.
Thank you for respecting our patients’ privacy!