Health Insurance Portability and Accountability Act HIPAA PROGRESSIVE CORPORATE SERVICES 101-102, Sheraton House, Ambavadi, Ahmedabad, Gujarat, India - 380015

HIPAA Compliance

HIPAA

It is a Federal law passed in 1996.

It specifies what is required to protect the privacy of personally identifiable health care information.

Time Lines for HIPAA Compliance

Three separate and independent timelines are required for HIPAA compliance.

Privacy Rule compliance required by April 14, 2003

Transaction Code Set Rules (TCS) compliance required by October 16, 2002 or October 16, 2003 if you filed for an extension

Security Rule compliance deadline: April 21, 2005

Covered Entities

To be considered a covered entity, the organization must be either a health care provider, a health plan, or a health care clearinghouse.

Covered entities provide services directly to the patient.

An ambulance service is considered to be a health care provider.

To be considered a covered entity, you must engage in electronic transactions. This includes billing.

Protected Health Information (PHI)

When PHI enters an organization, whether it is from a patient, a bystander, a friend, a family member or a dispatch agency, all privacy and security rules apply.

What is PHI?

Individually identifiable information

Information regarding past, present, or future physical or mental health

Information regarding provision or payment of care to an individual.

Includes any material that is written, verbal, electronic, scanned, photographic, etc.

Examples of PHI

Patient care reports (PCRs)

Dispatch records

Billing information

Incident reports with patient information

Physician Certifications

Three Allowed Uses of PHI

Treatment

Payment

Health Care Operations

These are allowed without prior patient authorization.

Treatment

You may share PHI with other health care providers involved in treating the patient.

First Responders may share patient information while on the scene.

You may share information with emergency department personnel without the patient’s permission.

Facilities may share information with providers for treatment purposes.

Payment

Providers may use PHI to send invoices and file claims.

Emergency Departments may supply “face sheet” information to services for billing purposes.

Operations

QA/CQI, Internal Audits

Patient names and addresses must be omitted if using PHI for research or education.

Business Associates

A business associate is a person or an entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.

Covered entities must have formal “business associate” agreements in place with business associates to meet compliance guidelines under HIPAA.

Examples of business associates are:

Collection Agencies

Billing Companies

Computer Software Companies that may have access to PHI

Legal Counsel, etc.

In other words, business associates are those entities that do not perform services directly to the patient but instead provide services to covered entities.

Privacy Rule-What Is Required?

• Designation of a privacy officer

• Securing of patient records and limiting access so that they are not available to those personnel who do not have a “need to know”

Examples of Security Safeguards

Include a confidentiality statement on all e-mails, fax cover sheets and web pages.

Web page notices must be printable.

Keep patient care reports restricted.

Keep fax machines which receive PHI in a secure location and limit access. Obtain reasonable assurances that those who receive your faxes do the same.

What is the Transaction Code Set Rule? (TCS)

Requires providers to submit electronic claims in an approved format.

Requires payers to accept transactions that are submitted in the standard formats.

The Steps to HIPAA Compliance

Conduct a “gap analysis”.

Identify existing privacy related policies and procedures and review them for accuracy and compliance.

Adopt a formal privacy practice. You may use samples from any source, but make sure you have all policies, forms, and agreements reviewed by your attorney.

Develop and provide a notice to each patient concerning your privacy practices and make a good-faith effort to obtain a signed acknowledgement from the patient that he or she has received it.

Develop a policy that protects PHI and distribute only the necessary parts of the PHI to entities that have a “need to know”.

Identify all members of your organization who need to access Protected Health Information (PHI) by their job descriptions and identify what parts of PHI they need to access. Develop a policy that contains this specific information.

Develop a policy that allows patients or their designated representatives access to their PHI.

Develop a Designated Record Set which will determine what information is released when it is requested.

Develop a policy that identifies the method by which a patient or designee may amend their PHI.

Identify business associates.

Develop and execute business associate agreements.

Coordinate with vendors.

Appoint a privacy officer. This person may have other duties within the organization.

Ensure that all required HIPAA policies, procedures and agreements have been developed.

Provide HIPAA training to all members of the organization by April 14, 2003. These members may include, but are not limited to: crew members, office personnel, board of directors, administrative personnel, etc.

Continued Compliance

Monitor and revise policies as needed.

Very Important

You must not only safeguard written PHI, but also verbal PHI!

There must be a written policy banning all inappropriate banter about specific patients. Penalties for such behavior must be included in the policy.

What You Must Have!

You MUST Have

- Notice of Privacy Practices

- Business Associate Agreements

- Accounting Log

- “Minimum Necessary” Policies - Who needs access to what?

- Designated Record Set Policy

- Policy regarding uses and disclosures

- Training documents

- Amendment forms

- Written designation of privacy officials

- Documents regarding any penalties given for privacy violations

What Would It Be Nice to Have?

You Should Have

- Privacy Officer Job Description

- Request for Access form

- Request for Amendment form

- Request for Restriction form

- Complaint Policy

- Password Authorization form

- Record Release Policy

- Confidentiality Policy

If you choose to use sample forms, agreements or policies from any source, review each of them with your attorney.
