introduction phi rights protecting phi investigating & reporting hipaa training shelly vrsek...

Introduction PHI Rights Protecting

PHIInvestigating & Reporting

HIPAA TrainingShelly VrsekDirector of Quality

Privacy Officer



Today you will learn about the Health Insurance Portability and Accountability Act (HIPAA) and how to implement our HIPAA policies in your work



What HIPAA is

Why it is important to you

How persons served control their personal health information, and the related rights, exceptions, and disclosures

The education and protection of the rights of persons served

How we investigate and report breaches of confidentiality



Because you are

a covered function

Why are you

attending this HIPAA training?

HIPAA is a set of standards

for the protection of certain

health information



3. Elected Covered Entity

A program we have voluntarily elected as a covered entity, for the

purposes of information sharing in our

continuum of care

Examples at LSSM include:

The Terraces and HCA

2. Business Associate

We may sign a Business Associate Agreement with another covered entity if either party is doing work

that includes health information of shared clients

Examples at LSSM include: TRS as well as any program

doing business with Community Mental Health

1. Covered Entity

You are a program that directly bills medical

insurance for services that you provide

Examples at LSSM include: Home Health,

Skilled Nursing, Occupational Therapy,

and Outpatient Therapy

Covered functions must follow HIPAA

policies

Let’s learn the 3 ways at LSSM that you

can be considered a covered function



The rights of those we serve, to view and

change their records

How we communicate those

rights

How we investigate and report

unauthorized disclosures

Covered

functions have

expectations related to



Now that we know about covered functions, let’s define some new terms that will be helpful as we learn about how HIPAA impacts those we serve

1. Protected Health Information (PHI)

2. Authorization

3. Uses and Disclosures

4. Minimum Necessary



1. Protected Health Information (PHI)

Individually identifiable health information relating to:

• The past, present, or future physical health condition of a person served,

• Provision of health care to a person served, or

• Payment for the provision of health care to a person served.



PHI is considered identifiable if it contains any of the following:

Names Addresses Dates Telephone Numbers

Fax Numbers

Email Addresses

Social Security Numbers

Medical Record Numbers

Health Plan Beneficiary Numbers

Account Numbers

Certificate / License Numbers

Vehicle Identifiers & Serial Numbers

Device Identifiers & Serial Numbers

Web Universal Resource Locators

Internet Protocol Address Numbers

Biometric Identifiers

Full Face Photographic Images

Any Other Unique Identifying Number, Characteristic, or Code



2. AuthorizationsPermission to release PHI.

3. Uses and DisclosuresInstances where we release PHI with or without authorization.

3. Minimum NecessaryEmployees must only access, request and disclose what they need to know or what is absolutely necessary to carry out their duties. This does not apply when a person served is requesting his/her own information.



Now let’s learn about how persons served may control their PHI and the related rights, exceptions, and disclosures



Inspect and obtain copies of their PHI

Request to change their PHI

Request an accounting of certain disclosures of their PHI

Request to restrict the use or disclosure of their PHI

Receive PHI communications confidentially

File complaints concerning the use or disclosure of their PHI

1.

3.

2.

5.

4.

6.

Persons Served by a Covered Program Have the Right to:

The 6 rights of persons served,

regarding their PHI



The chart includes genetic

information

The chart identifies

individuals who have reported

abuse, per the law

The chart includes PHI of others,

including family members

The chart includes the identity of any records related to foster care or adoption, per applicable

laws

The request includes psychotherapy notes that are kept separately from the chart by the therapist

In some cases, persons served do not have the right to review information in their records, and information cannot be released to others for the following reasons:The 5 exceptions to the rights of persons served, regarding their PHI



A director, administrator or the Privacy

Officer will make decisions about many of these requests

Notify your supervisor right away

What should you do if a person served

makes a request or

complaint regarding

their PHI?



Now let’s learn the ways that we may

disclose PHI

With authorization

Written

Verbal

Without authorization



In most situations, we

must have written

authorization from persons

served to disclose or use their

PHI

They provide written authorization by signing an Authorization to Disclose

Health and Service Information

form

Disclosing PHI with Written Authorization



In some situations,

persons served can verbally

authorize, object to, or restrict

the disclosure of their PHI

These situations could include

• For inclusion in a facility directory

• When third parties are present (PHI can be shared with family and friends)

Disclosing PHI with Verbal Authorization



To other covered functions for the

purpose of treatment

For payment of healthcare operations

To report abuse, neglect or

domestic violence

To report a crime For disaster planning

For public health activities

When the person served cannot agree

(and a representative is not

available)

In other unusual situations, per the

approval of our Privacy Officer

Disclosing without written or verbal authorization is allowable in the following situations:



It is our responsibility to protect the PHI of persons served and to educate them about their rights

Let’s learn how we do this



LSSM protects the PHI of

persons served and educates

persons served about their PHI

rights by

Ensuring that staff understand HIPAA and the rights of persons

served

Utilizing the Notice of Privacy Practices

Utilizing Business Associate Agreements

Assessing and mitigating risk



Ensuring that staff understand HIPAA and the rights of persons served

1. We require staff to complete this HIPAA training and review and adhere to our HIPAA policy

2. We require staff to complete our Confidentiality training and review and adhere to our Confidentiality and Information Technology (IT) policies



Utilizing the Notice of Privacy Practices (NOPP)

1. This document outlines all of the rights of persons served under HIPAA, and how they can access assistance

2. We must make a good faith effort to have the person served or a personal representative sign the NOPP at the start of service

3. If we cannot obtain a signature, we must make a note on the NOPP to explain the circumstances, and send it to the next of kin

4. We cannot deny treatment if the person served or personal representative decline to sign the NOPP



Utilizing Business Associate Agreements 1. When we use a contractor for services, it may be

necessary for them to use or disclose the PHI of those we serve • Examples: software for medications or charting,

food service providers, or landlords

2. Each contractor with access to PHI must sign a Business Associate Agreement with us. This ensures that they know to comply with HIPAA.



Assessing and Mitigating Risk1. The Risk Management Team reviews

incident reports, training, and situations 2. The IT team monitors security, and limits

access to our data3. Breach assessment investigations are

conducted each time staff report a situation (verbally or through our Incident Reporting system)



We are at financial and reputation risk for breaches

The government can fine our organization as well as our individual employees

Fines are mostly assessed for intentional breaches for personal gain, or in situations where the PHI of many

persons is releasedIn ever case, LSSM must notify anyone affected, which

could result in legal consequences

In cases where more than 500 individuals are affected, we must also notify the media

The risks for persons served could involve

compromised dignity, loss of work, identity theft

or other personal situations

Breaches of Confidentiality



1. Immediately report it to your supervisor, then to the Privacy Officer

2. Enter the information into the Incident Reporting System

What should you do if you

suspect a breach of

confidentiality?



Privacy Officer

The Privacy Officer will work with you

and your supervisor to investigate the

breach



Reports the breach to the proper authorities

Works with you to notify the

persons served who may be affected

Works with you and your team to prevent

this type of breach from happening again

Privacy Officer



We’ve learned about:Types of covered

functions6 PHI rights5 PHI exceptions3 PHI disclosures4 ways we protect and

educate about PHIReporting and

investigating breaches



To Do:1. Review the HIPAA

policies2. Complete the

Confidentiality training3. Review the

Confidentiality policies4. Review the IT policies

introduction phi rights protecting phi investigating & reporting hipaa training shelly vrsek...

Documents