
FCSRMC HIPAA PRIVACY & SECURITY PRESENTATION (BDO USA, LLP)



1. FCSRMC – HIPAA PRIVACY & SECURITY PRESENTATION
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. Page 1

2. What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. It is a federal law enacted in August 1996, with the following milestones:
• April 2001: Privacy Rule
• April 2005: Security Rule
• February 2010: HITECH Act
• March 2013: HIPAA Omnibus (Final) Rule

3. HIPAA Privacy Rule
HIPAA's Privacy Rule:
• Addresses the use and disclosure of an individual's health information regardless of how it is communicated (electronically, verbally, or written).
• Establishes standards for an individual to understand and control how their health information is used.
• Assures that health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being.

4. Covered Entity (CE)
A Covered Entity includes a health plan or payor, a healthcare clearinghouse, and all healthcare providers who transmit any healthcare information in electronic form (including telephones, fax machines and computers). Examples:
• Physician Practices
• Dentists
• Hospitals
• Diagnostic Services (lab, radiology)
• Nursing Homes
• Pharmacies
• Home Health Agencies
• Health Plans

5. Covered Entity (CE)
FCSRMC is considered a Covered Entity (Group Health Plan) and its member colleges act as the plan sponsor. A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA. This may include:
• hospital and medical benefit plans
• dental plans
• vision plans
• health flexible spending accounts
• employee assistance plans

6. Business Associate
A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity. Examples include vendors, contractors and subcontractors such as:
• Billing Company
• Attorney
• Transcription Service
• Accountant
• Practice Management System
• Consultant
• Document Storage Company
• EMR/EHR System
• Collection Agency
• I.T. Vendor
Business Associates are accountable for protecting the privacy/security of PHI and are directly liable for criminal and civil penalties for violations.

7. Protected Health Information (PHI)
Protected Health Information (PHI) is:
• individually identifiable health information that has been transmitted or maintained in any medium (paper, verbal, electronic).
• created or received by the organization, relates to the health of an individual or payment for health services, and identifies the individual.
Identifiers include:
• Employee Name
• Medical Record Number
• Complete Address
• Certificate/License Number
• All Elements of Dates
• Vehicle Identifiers (License Plate Number)
• Telephone Numbers
• IP Address
• Fax Numbers
• Biometric Identifiers (voice and fingerprint)
• E-Mail Address
• Full Face Photographic Images
• Social Security Number
• Any Other Unique Identifying Number/Code
• Health Plan Beneficiary Number
• Account Numbers

8. De-Identified Health Information
De-identified health information refers to information that cannot be used to identify an individual. Examples include information that has been redacted from documents containing health information, or reports that do not identify a specific individual. Uses:
• Research (market analysis)
• Financial Reports
• Statistical Reports
• Demographic Studies
• Reports for Public Health Purposes
• Quality Improvement Activities
• Health Care Operations

9. Notice of Privacy Practices
The Covered Entity must provide a Notice of Privacy Practices to each individual. It is brief, written in plain language, and includes:
• a description of the types of uses and disclosures that the Covered Entity is permitted to make for treatment, payment and healthcare operations.
• a description of other purposes for which the Covered Entity is permitted or required to disclose PHI without the individual's written authorization.
• a description of the types of uses and disclosures that require an authorization.
• a statement outlining the Covered Entity's duties to maintain the privacy of PHI.
• a statement that individuals may complain to the covered entity if they believe their privacy rights have been violated.
The Privacy Notice is provided by the Group's Health Plan TPA (Florida Blue) to the Group Health Plan participants (FCSRMC).

10. Notice of Privacy Practices
FCSRMC and its member colleges have adopted a HIPAA Privacy Policy Statement. The Privacy Policy should be reviewed with new staff at the time of new hire orientation. Employees should sign the acknowledgement form indicating they have received and have had an opportunity to read the HIPAA Privacy Policy.

11. Consent and Authorization
Covered Entities cannot share PHI without the individual's awareness of their privacy rights. To use and disclose PHI for purposes other than treatment, payment and health operation purposes, Covered Entities must obtain a standard consent or authorization, with a few exceptions. Consent can be revoked by an employee/individual (patient) in writing. It is the policy of FCSRMC and its member colleges that individuals have a right to request that no disclosure be made of PHI. FCSRMC or its member colleges are not obligated to grant the request.

12. When Consent and Authorization is NOT Required
Permitted PHI disclosures without an authorization:
• Treatment: disclosures between Covered Entities (such as other healthcare providers) involved in the patient's care, information to/from a pharmacy or diagnostic center
• Payment: disclosure regarding balance to patient, all information needed by the health plan, information to collection agencies
• Health Operations: fraud/abuse detection, compliance programs, government inspections, training new employees, competency assessments, business management activities, quality improvement activities
Other permitted disclosures:
• Public health activities
• Victims of abuse, neglect or domestic violence
• Law enforcement purposes
• To comply with Workers' Compensation
• To avoid serious threat to health or safety

13. When Consent and Authorization IS Required
An authorization is required for:
• Use and disclosure of PHI for purposes other than treatment, payment and health operation purposes
• Releasing psychotherapy notes
• Marketing, research, sale of PHI, and fundraising
• Releasing PHI to the patient's employer
An authorization must include:
• Description of the information to be disclosed
• Names of persons to whom the information is to be given
• Purpose of the disclosure
• An expiration date for the use of the information

14. Individual's Rights
• Right to Restrict Disclosures
• Right of Access
• Right to Amendment
• Right to Accounting of Disclosures
Requests for the above should be directed to, and processed by, the Group's Health Plan TPA.

15. Individual's Rights
Staff can file a written complaint if they believe their privacy has been violated. Complaints should be directed to the college's privacy contact, and any intimidating or retaliatory acts are prohibited. It is important for staff to know that their PHI is safeguarded to protect PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.

16. "Minimum Necessary"
"Minimum Necessary" is limiting the amount of PHI that is used (within the facility) or disclosed (outside of the facility) to the least amount of information possible to accomplish the intended purpose.
• Your facility should evaluate who should be accessing PHI (documented in job descriptions).
• Only staff who need access to PHI to perform their job duties should be granted access to these areas (a unique sign-on and password, access to paper files, etc.).
Minimum Necessary does not apply to requests/disclosures to the staff or another healthcare provider for treatment purposes.
