Annual HIPAA Compliance Training

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act was enacted in 1996. It is enforced by the Office of Civil Rights of the United States Government. It is a set of federal guidelines created to allow employees to take their medical insurance with them if they leave an employer, to allow people access to medical insurance despite pre-existing conditions (under some conditions), and to establish privacy standards for a patient's health information.

  • The HIPAA Privacy Rule protects the privacy of individually identifiable health information.
  • The HIPAA Security Rule sets national standards for the security of electronic health information.

It is required by law to provide HIPAA education and training to individuals working in the healthcare industry to ensure accountability for the privacy and security of protected health information. Covered entities must train all members of the workforce on HIPAA policies and procedures.

HIPAA Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) was designed to specifically address the protection of an individual's personal health information. It is important for the vitality of your medical office to maintain HIPAA compliance.

Who Is Covered by the Privacy Rule?

  • Health Plans
  • Health Care Providers
  • Health Care Clearinghouses

A covered entity, as defined in HIPAA, is a health insurance plan, a health care clearinghouse, or a health care provider that transmits protected health information electronically. Covered entities can be organizations, institutions, or persons.

Physicians and other healthcare professionals that work with patients and their confidential medical records must adhere to the policies, procedures, and laws designed to protect patient privacy and confidentiality. All healthcare providers have a responsibility to keep their staff trained and informed regarding HIPAA compliance. Whether intentional or accidental, unauthorized disclosure of PHI is considered a violation of HIPAA.

  • Business Associates

A business associate, as defined by HIPAA, is any person or entity that conducts business involving the use or disclosure of protected health information on behalf of a covered entity and is not an employee of the covered entity. 

What Information Is Protected?

PHI or Protected Health Information refers to any individually identifying information included in a patient's medical record that is transmitted or maintained in any form. 

Uses and Disclosures

A covered entity may use or disclose protected health information (PHI) without authorization under certain conditions:

  1. To the Individual
  2. Treatment, Payment, and Healthcare Operations
  3. Uses and Disclosures with Opportunity to Agree or Object
  4. Incidental Use and Disclosure
  5. Public Interest and Benefit Activities
  6. Limited Data Set for the purposes of research, public health or health care operations

Privacy Practices Notice

Health care providers have an obligation to provide their patients with a Notice of Privacy Practices. This notice, as required by the HIPAA Privacy Rule, gives patients the right to be informed about their privacy rights as it relates to their protected health information (PHI).

The notice should describe certain information in easy-to-understand terms:

  • How the provider will use and disclose their PHI
  • The rights patients have regarding their own PHI
  • A statement informing the patient of laws requiring the provider to maintain the privacy of their PHI
  • Who patients can contact for further information regarding the provider's privacy policies

Enforcement and Penalties for Noncompliance

Civil Money Penalties

  • $100 per failure to comply
  • $25,000 maximum per year for multiple violations of the same requirement

Criminal Penalties (for knowingly obtaining or disclosing PHI in violation of HIPAA)

  • $50,000 fine and up to one-year imprisonment
  • $100,000 fine and up to five years imprisonment (if violation involves false pretenses)
  • $250,000 fine and up to ten years imprisonment (if violation involves intent to sell, transfer, or use PHI)

HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule)

HIPAA security refers to establishing safeguards for PHI in any electronic format. This includes any information used, stored, or transmitted electronically. Any facility defined by HIPAA as a covered entity has the responsibility to ensure the privacy and security of its patients' information as well as to maintain the confidentiality of their PHI.

Who Is Covered by the Security Rule?

  • Health Plans
  • Health Care Providers
  • Health Care Clearinghouses

A covered entity, as defined in HIPAA, is a health insurance plan, a health care clearinghouse, or a health care provider that transmits protected health information electronically. Covered entities can be organizations, institutions, or persons.

  • Business Associates

A business associate, as defined by HIPAA, is any person or entity that conducts business involving the use or disclosure of protected health information on behalf of a covered entity and is not an employee of the covered entity.

What Information Is Protected?

Electronic PHI (ePHI) refers to any individually identifying information included in a patient's medical record that is transmitted or maintained in electronic form. The Security Rule excludes PHI transmitted orally or in writing.

Administrative Simplification

The administrative simplification provisions of HIPAA establish national standards for the security of electronic protected health information. This includes the rules and standards for transactions and code sets and the identifiers for employers and providers.

Transactions and Code Set Standards

Standard transactions for the Electronic Data Interchange (EDI) of health care data include claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits, and premium payment.

Standard code sets for diagnosis, procedure, and drug codes include the HCPCS (Ancillary Services/Procedures), CPT-4 (Physicians Procedures), CDT (Dental Terminology), ICD-9 (Diagnosis and hospital inpatient Procedures), ICD-10 (As of October 1, 2015) and NDC (National Drug Codes) codes.

Identifier Standards for Employers and Providers

Standard identifiers include the Employer Identification Number (EIN) and the National Provider Identifier (NPI). The EIN is used to identify employers on the standard transactions. The NPI is a 10-digit, unique identification number that takes the place of earlier provider identifiers, such as the Unique Provider Identification Number (UPIN), in HIPAA standard transactions. Health care providers are required under HIPAA regulations to obtain an NPI.

The rules for maintaining HIPAA security include safeguards for three key areas.

Administrative Safeguards

  1. Develop a formal security management process including the development of policies and procedures, internal audits, contingency plan and other safeguards to ensure compliance by medical office staff.
  2. Assign responsibility of security to a designated person to manage and supervise the use of security measures and the conduct of the staff.
  3. Implement features that ensure the staff has proper training and proper authorization to access PHI.
  4. Define levels of access for all staff and how access is granted.
  5. Require that all medical office staff including management undergo security training and have periodic reminders and user education.

Physical Safeguards

  1. File PHI in a secure location and workspace for employees (this includes the use of locks, keys, and badges that unlock doors) that restricts access by unauthorized persons and intruders.
  2. Develop policies for verifying access authorizations, equipment control, and handling visitors. Develop and provide documentation including instructions on how your medical office can help to protect PHI (for example, logging off the computer before leaving it unattended).
  3. Provide protection against fire and other hazards.

Technical Safeguards

  1. Establish unique user identification, including passwords and PINs.
  2. Adopt an automatic logoff control.
  3. Record and examine system activity for auditing purposes.
  4. Utilize encryption controls to protect data transmitted over a network.

Enforcement and Penalties for Noncompliance

Civil Money Penalties

  • $100 per failure to comply
  • $25,000 maximum per year for multiple violations of the same requirement

Criminal Penalties (for knowingly obtaining or disclosing PHI in violation of HIPAA)

  • $50,000 fine and up to one year imprisonment
  • $100,000 fine and up to five years imprisonment (if violation involves false pretenses)
  • $250,000 fine and up to ten years imprisonment (if violation involves intent to sell, transfer, or use PHI)

Tips to Avoid Violating HIPAA

  1. Take the necessary steps to keep from disclosing information through routine conversation. The main risk areas are disclosure through routine conversation, discussion of patient information in waiting areas, hallways or elevators, improper disposal of PHI, and access to information by staff whose jobs do not require it; access should be strictly limited to employees whose jobs require that information. Basic information can seem so insignificant that it is easily mentioned in routine conversation, but it should only be shared on a need-to-know basis.
  2. Avoid discussing patient information in waiting areas, hallways or elevators. Sensitive information can be overheard by visitors or other patients. Also be sure to keep patient records out of areas that are accessible to the public. Since check-in desks and nurses' stations are out in the open, go the extra mile to ensure computers are secured at all times. Chart holders should be mounted and the front panel covered according to HIPAA standards.
  3. PHI should never be disposed of in the trash can. Any document thrown in the trash is open to the public and therefore constitutes a breach of information. There are many ways to dispose of PHI. Proper disposal of paper PHI includes burning or shredding. Electronic PHI can be disposed of by erasing, deleting, reformatting, incinerating, melting, or shredding.
  4. There are a number of available technologies designed to secure patient data. Be selective in choosing devices and software that secure data over a wireless connection, including firewalls, anti-virus, anti-spyware, and intrusion detection technology. Use extreme caution when accessing data over a remote connection. IT specialists suggest using a two-factor authentication system with security tokens and passwords.