1

How to Boost your Value:Aligning your Operations with HIPAA/HITECH Act

Sharon R Williams,

Williams Jaxon Consulting, LLC

2

Welcome

3

Everything you always wanted to know about HIPAA Privacy but were afraid to ask…

Learning Objectives:

Overview of the Privacy Rule: HIPAA & HITECH Act

Implications for affected healthcare organizations

Covered Entities & Business Associates

Key components of Privacy compliance for your organization

4

HIPAA Privacy

Title II of the Health Insurance Portability and Accountability Act of 1996 (Administrative Simplification)

Privacy Rule finalized in 2000 and amended in 2002; compliance required by April 2003

Augmented in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH)

5

HIPAA Privacy Objectives

Three key provisions of the Title II (Administrative Simplification) amendments:

Privacy: Protect individual rights regarding use and disclosure of, and access to, healthcare data

Transactions: Improve the efficiency and effectiveness of the US healthcare system by standardizing the electronic exchange of administrative and financial data

Security: Establish safeguards for the protection of individual healthcare data

6

Key Provisions of the Privacy Rule

• Strong federal protections for privacy rights

• Establishes the baseline definition of Individually Identifiable Health Information (Protected Health Information, PHI)

• Identifies the roles and responsibilities of Covered Entities and Business Associates

• Addresses allowable disclosures for treatment, payment and health care operations (TPO)

• Establishes penalties for violations under the authority of the HHS Office for Civil Rights

7

Privacy Rule Protection of PHI

PHI is individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.

A critical point of the Privacy Rule is that it applies only to individually identifiable health information held or maintained by a covered entity or its business associate acting for the covered entity. Individually identifiable health information that is held by anyone other than a covered entity...is not protected by the Privacy Rule and may be used or disclosed without regard to the Privacy Rule.

There may, however, be other Federal and State protections covering the information held by these entities that limit its use or disclosure.*

*National Institutes of Health

8

Protected Health Information:

Any individually identifiable health information, including identifiers such as:

• Name

• Address, city/county, ZIP code

• Dates of birth, death, discharge

• SSN

• Driver's license number

• Medical record number

• Email address / URL

• Photographs

• Biometric identifiers, including voice and fingerprints

9

Disclosures of PHI

Allowable disclosures of PHI:

• As de-identified data, for public health and research purposes

• As required for law enforcement, etc.

• Shared between healthcare entities for treatment, payment and healthcare operations (TPO)
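As an added example (not part of the presentation or of Williams Jaxon Consulting's material), the following Python script shows what the "de-identified" disclosure above requires in practice for the identifiers listed on the Protected Health Information slide: it applies the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)) to a constructed patient record, dropping direct identifiers, keeping only the year of dates, reducing the ZIP code to its first three digits (or 000 for sparsely populated areas) and aggregating ages over 89 into a single 90+ bucket. The record layout, field names, reference date and sample data are assumptions made for the example.

```python
"""Safe Harbor-style de-identification of a patient record.

Added example, not code from the slides or from Williams Jaxon Consulting.
It drops or generalizes the identifier categories listed on the PHI slide
in the way the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)) prescribes.
The record layout and field names are assumptions made for this example.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Fields that may survive de-identification (default deny: any field not
# listed here, in DATE_FIELDS, or named "zip" is dropped, so a newly added
# identifier column cannot leak by accident). Assumed field names.
RETAINED_FIELDS = {"diagnosis", "procedure", "sex"}

# Dates directly related to the individual: keep the year only.
DATE_FIELDS = {"dob", "date_of_death", "admission_date", "discharge_date"}

# Three-digit ZIP areas with 20,000 or fewer residents per the HHS Safe Harbor
# guidance (2000 Census); refresh from current Census data before relying on it.
SPARSE_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

AS_OF = date(2024, 1, 1)  # reference date for age computation (assumed)


def generalize_zip(zip_code: str, sparse: frozenset[str] = SPARSE_ZIP3) -> str:
    """Keep the first three ZIP digits, or '000' for a sparse or malformed ZIP."""
    digits = re.sub(r"\D", "", zip_code)
    prefix = digits[:3]
    if len(prefix) < 3 or prefix in sparse:
        return "000"
    return prefix


def age_in_years(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record: dict[str, Any], as_of: date = AS_OF) -> dict[str, Any]:
    """Return a Safe Harbor de-identified copy of record."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif key in DATE_FIELDS:
            d = value if isinstance(value, date) else date.fromisoformat(str(value))
            if key == "dob":
                age = age_in_years(d, as_of)
                if age > 89:
                    # Ages over 89 are aggregated into "90+", and the birth
                    # year is withheld because it would reveal the age.
                    out["age"] = "90+"
                    continue
                out["age"] = str(age)
            out[f"{key}_year"] = d.year
        elif key in RETAINED_FIELDS:
            out[key] = value
        # every other field (name, SSN, MRN, email, biometrics, ...) is dropped
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "dob": "1930-03-15",
    "zip": "48201",
    "email": "jane@example.com",
    "medical_record_number": "MRN-0001",
    "discharge_date": "2023-08-02",
    "diagnosis": "E11.9",
    "sex": "F",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Run it directly to print the de-identified sample record. The allowlist design is deliberate: any field not explicitly retained is dropped, so an identifier column added upstream cannot slip through, and because a 90+ patient's birth year would reveal the age, it is withheld along with the age bucket. Safe Harbor is one of the two de-identification methods the Privacy Rule recognizes; the other is a documented expert determination that the re-identification risk is very small.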

10

More HIPAA Alphabet Soup

1. TPO: Treatment, Payment & Health Care Operations

2. CE (Covered Entity): Health plans, health care clearinghouses, and health care providers that furnish, bill, or are paid for health care and transmit health information electronically, directly or through a Business Associate: hospitals, providers, health plans and other health care organizations

3. BA (Business Associate): Person or entity that performs a service or function on behalf of a CE using PHI

4. BAA (Business Associate Agreement): Agreement between a CE and a BA covering the required use and protection of PHI

5. OCR: HHS Office for Civil Rights, which has authority to oversee, audit and sanction for HIPAA compliance and violations

6. NPP (Notice of Privacy Practices): Covered Entities must provide it to the individuals they serve

7. MND (Minimum Necessary Disclosure): Provision that requires sharing only the data necessary to conduct business

11

HITECH Act

Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA)

Strengthens Privacy Rule protections, especially the reporting of unintentional disclosures (breach notification)

Highlights the use of electronic health information, including Electronic Health Records (EHR); establishes standards and incentives for Meaningful Use

Meaningful Use: use of certified EHR technology to improve quality, safety and efficiency, reduce health disparities, maintain the privacy and security of PHI, increase transparency, etc.

12

Implications of HITECH on the Privacy Rule

Makes the HIPAA Security Rule standards directly applicable to BAs as well as CEs. These entities must:

Comply with the administrative, physical, and technical safeguard requirements of HIPAA

Implement appropriate policies and procedures

Document their security activities.

13

Implications of HITECH on the Privacy Rule

Establishes new breach notification requirements.

Requires a CE that discovers a breach of unsecured PHI to notify each individual whose health information has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of the breach; HHS must also be notified, and the media as well when a breach affects more than 500 residents of a state or jurisdiction.

Business Associates must give notice of data breaches to the CE.

Entitles individuals to electronic copies of their health information.

Prohibits CEs/BAs from receiving payment for an individual's protected health information without authorization from the individual.

14

Privacy Rule Amendments

Regarding breaches, CE/BA privacy policies and procedures must include provisions for:

• Identification and reporting of breaches

• Workforce retraining

• Corrective action

• Sanctions for violations by individuals/BAs, up to and including termination

15

Components of Privacy Compliance

Implement compliant privacy/security policies/procedures

Use/disclose/store & destroy PHI per federal/state standards

Update computer access controls consistent with the Rule

Provide comprehensive and routine staff training

Establish ongoing monitoring and auditing controls

Report and remediate breaches

Conduct security walk-throughs

Enter into BAAs

Designate a Privacy Official

16

Privacy & Security compliance are integral to your business plan

As a BA, you are responsible for compliance with the HIPAA/HITECH standards

To mitigate risk (sanctions) you must establish a strong Privacy/Security infrastructure

Ensure that your network (subcontractors) is prepared for compliance

The strength of your compliance program is valuable to your relationships with healthcare organizations: risk mitigation!

Use of EHR supports data integration/sharing/reporting

17

Bibliography

US Department of Health and Human Services, Office for Civil Rights: www.dhhs.gov/ocr

Health IT: www.healthit.gov

US DHHS, National Institutes of Health: https://privacyruleandresearch.nih.gov

Public Law 104-191, HIPAA, Title II, Administrative Simplification

Public Law 111-5, American Recovery and Reinvestment Act, 2009

18

THANK YOU!!!

Sharon R. Williams

Chief Executive Officer

Williams Jaxon Consulting, LLC

[email protected]

313-516-3326
