The Health Insurance Portability and Accountability Act
What is it? & How will it affect us?
Who Needs Training and Why
- Employees who come in contact with Protected Health Information are federally required to attend training
  - Departments listed later
- This presentation is designed to
  - Familiarize you with
    - HIPAA regulations
    - Our policies and procedures regarding protected health information (PHI)
  - Ensure federal compliance
- Our policies will be listed at www.hipaa.cmich.edu
Summary of the Law
- To improve portability and continuity of health insurance coverage in the group and individual markets.
- To combat waste, fraud, and abuse in health insurance and health care delivery.
- To simplify the administration of health insurance, and for other purposes.
What Exactly is HIPAA?
- Public Law 104-191 (1996)
- Overseen by: Centers for Medicare and Medicaid Services (CMS)
- A federal law designed to:
  - Give patients control over all Protected Health Information (PHI) that might be shared between health care providers & other covered entities
  - Ensure confidentiality of PHI
Protected Health Information
- Protected Health Information (PHI)
  - Any Individually Identifiable Health Information (IIHI)
    - Created or received by a health care provider, health plan, employer or health care clearinghouse
    - Relating to the past, present or future physical or mental health or condition of an individual
    - Transmitted in any form or medium
- Examples
  - Medical charts
  - Problem logs
  - Photographs
  - Communications between professionals
  - Health insurance policy number
Individual Identifiers
Courtesy of www.hipaacow.com
1. Name
2. Geographic subdivisions smaller than a State
   - Street Address
   - City
   - County
   - Precinct
   - Zip Code & their equivalent geocodes, except for the initial three digits
3. Dates, except year
   - Birth date
   - Admission date
   - Discharge date
   - Date of death
4. Telephone numbers
5. Fax number
6. E-Mail Address
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locations (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable data
18. Any other unique identifying number, characteristic, or code
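As an added illustration that is not part of the original slides, the Python routine below applies the identifier list above to a constructed patient record: fields holding the listed identifiers are dropped, the zip code is cut to its initial three digits, dates are reduced to the year, and free-text fields are scanned for e-mail addresses, phone numbers, SSNs, IP addresses and URLs that leaked into notes. The field names, patterns and sample record are assumptions made for this example; the regulation's Safe Harbor method carries further conditions that the slide does not list.

```python
import re

# Field names are assumed for a constructed record; they map to the slide's
# identifier list (name, address parts, phone, fax, e-mail, SSN, MRN, ...).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "telephone", "fax",
    "email", "ssn", "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
# Conservative patterns for identifiers that tend to leak into free-text notes.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def de_identify(record):
    """Return (redacted copy, findings) for one patient record given as a dict."""
    redacted, findings = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"removed {key}")            # identifier dropped outright
        elif key == "zip_code":
            redacted[key] = str(value)[:3]               # initial three digits only
            findings.append("zip_code truncated to 3 digits")
        elif key in DATE_FIELDS:
            redacted[key] = str(value)[:4]               # year only (assumes YYYY-MM-DD)
            findings.append(f"{key} reduced to year")
        elif isinstance(value, str):                     # scan free text for leaks
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{label} found in free-text field {key}")
                    value = pattern.sub(f"[{label} removed]", value)
            redacted[key] = value
        else:
            redacted[key] = value
    return redacted, findings


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "zip_code": "12345",
    "birth_date": "1980-03-15",
    "diagnosis": "seasonal allergies",
    "notes": "Prefers e-mail at jane@example.org over calls to 555-555-0100.",
}
```

The findings list doubles as a review log: a record that produces free-text findings is a sign that identifiers are being typed into notes fields the site survey later in this deck would not catch.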
What entities are covered?
- Health Plans
- Health Care Clearinghouses
- A health care provider who transmits any health information in electronic form
CMU as a Covered “Hybrid” Entity
- Hybrid Entity
  - A single legal entity that is a Covered Entity and whose Covered Functions are not its primary functions.
- CMU’s primary purpose is to educate
- We also deal with healthcare related procedures
- This “theory” allows us to apply HIPAA to specific areas
CMU as a Covered “Hybrid” Entity
- Departments Affected
  - HR Comp and Benefits: Self-funded Dental and Prescription Plan
    - A covered entity because it is a health plan
  - University Health Services
    - A covered entity because it is a provider who bills electronically for care and devices
  - Communication Disorders: Speech Pathology and Audiology
    - A covered entity because it is a provider who bills electronically for care and devices
HIPAA Inside the “Hybrid”
- Internal support entities
  - General Counsel
  - Internal Audit
  - Accounts Receivable
  - Faculty Personnel
  - Human Resources - Employee Relations
- These areas deal either with disciplinary regulations, grievances, or healthcare related transactions
- It is not advantageous for these areas to receive prior authorization before reviewing a file
HIPAA Inside the “Hybrid”
- Possible future covered entities:
  1. Physician Assistant Program
  2. Psychology clinic
  3. Physical Therapy Program
- As of now they are not billing electronically, and therefore are not covered entities
HIPAA outside the “Hybrid”
Therefore not covered
- Information Technology
- Special Olympics
- International Student Services
- Office of International Education
- Student Disability Services
- Where does the information come from and/or go to?
  - If it is not received from or sent to a provider or plan, then it is not considered PHI
HIPAA vs. FERPA
- FERPA – The Family Educational Rights and Privacy Act
  - Protects students’ rights regarding their records
  - Unique to universities
  - Especially relevant to CMU’s UHS and CDO
- We service employees, students, and members of students’ families – all as patients
HIPAA vs. FERPA
- Disclosures are not consistent between the two
- Must treat student records and all other records differently
- This is extremely difficult, but do-able
- The necessary Directors will have a “Flow Chart” regarding proper procedures for the two
Four Components of HIPAA’s Administrative Simplification
- Transaction Standards & Code Sets
  - To create a uniform method of electronic communication
- Security & Electronic Signature Standards
  - To guard data integrity, confidentiality, and availability
  - To ensure that Protected Health Information (PHI) is kept confidential
- National Provider Identifier
- Privacy Rule
  - The concentration of this presentation
Privacy Rule
- All covered entities must be in compliance by 4/14/03
- There are no exclusions or extensions available and no paperwork to submit to prove compliance
Privacy Rule
- Establishes safeguards to protect the confidentiality of medical information
- Gives patients more control over their health information
- Limits release of information to the minimum necessary
- Sets boundaries on the use and release of health records
Privacy Rule
- Enables patients to find out how their information may be used and what disclosures of their information have been made to any business associates or other parties
- Gives patients the right to examine and obtain copies of their own health records, and to request corrections
Privacy Rule - Consent
- The Privacy Rule was most recently amended on 8/14/02.
- Consent to use and disclose protected health information for treatment, payment, or health care operations (TPO) is not required, and is optional for all covered entities.
Privacy Rule - Consent
- A covered entity must make a “good faith effort” to obtain a written acknowledgment of receipt (from the patient) of a facility’s Notice of Privacy Practices (NPP) at the earliest possible encounter. If the patient refuses to sign, the provider needs to show that every effort was made to obtain a signature.
- The NPP can be a summary statement of the provider’s comprehensive NPP with reference to the entire NPP being available to the patient for examination.
- The NPP must be visibly posted at all times.
Privacy Rule - Consent
- Covered entities are not prohibited from obtaining consent and have complete discretion in designing their individual consent process.
- State law requirements may be more stringent and therefore supersede the federal requirements.
Notice of Privacy Practices
- The NPP reflects your dedication to privacy and must be available for patient review
- Copies of the NPP must be on display in each waiting room
- Written copies of the NPP must be available on request
- A copy of the NPP needs to be posted on the web site
- The NPP informs patients that you will not release their PHI except as stated in your Notice
Notice of Privacy Practices
- The NPP states you are required to abide by the terms of your current Privacy Notice
- The NPP instructs patients how to file a privacy complaint
- The NPP indicates how you will send information (mail, fax, electronic, etc.)
- You must make a “good faith effort” to obtain a patient’s written acknowledgment of receipt of the notice.
Consent & Authorization
Consent
- A general document giving health care providers permission to use & disclose all PHI for treatment, payment or health care operations (TPO)
- It gives permission only to the provider, and not to any other person or business associate
- Not required, but optional
Authorization
- A customized document giving covered entities permission to use specified PHI for specified purposes, or to disclose specified PHI to a third party. It is more specific & detailed than consent, and it is usually time sensitive.
Authorization
- Authorization is required for uses and disclosures of PHI for purposes that are not otherwise permitted or required under the Privacy Rule.
- Examples
  3. Sale of patient mailing lists
  4. Disclosing information to employers for employment decisions
  5. Disclosing information for life or disability insurance
Authorization
- Covered entities are required to document & retain authorizations and to provide individuals with a copy of the signed authorization form.
- Patients will need to grant authorization in advance for each type of use or disclosure.
HIPAA Privacy Rule Facts
- The rules apply to all oral, written, or electronic records of covered entities.
- HIPAA prohibits the use of records for marketing without prior, specific authorization by the patient.
- PHI that has been de-identified is not subject to the Privacy Rule.
- A HIPAA team must be appointed by each covered entity
- The facility’s Notice of Privacy Practices (NPP) should be posted in public (on web site & in waiting rooms), with copies available on request.
HIPAA Team
- Must assign a Privacy Officer
- Should assign an Electronic Transaction Officer
- Must assign a Security Officer
HIPAA Privacy Officer
- Must have authority and independence
- Is responsible for developing and implementing the HIPAA compliance plan
- Is responsible for enforcement & sanctions
- Designates contact persons responsible for receiving complaints and monitoring patient contacts
Campus Wide Planning
- Knowledge
- Initial Training of Workforce
- Policy revision and drafting: the list is endless
- Firewall and software development, implementation and testing
- Ongoing analysis and refinement
Preparing for HIPAA Compliance
1. Enter into new contracts with Business Associates (BA)
2. Develop Written Policies & Procedures
3. Documentation Procedures
4. Conduct a site survey of your own facility
5. Site Survey Q’s for your own facility
Preparing for HIPAA Compliance
Enter into new contracts with Business Associates (BA)
- BA’s are persons who perform a function or activity involving the use or disclosure of IIHI.
- Covered entities will be allowed to share PHI with a BA, providing that a written agreement safeguarding such information from misuse is signed by both the provider and BA.
- If an entity is subject to HIPAA, a contract is not needed with another covered entity.
Preparing for HIPAA Compliance
Enter into new contracts with Business Associates (BA)
Types of Business Associates
- Claims processing or administration
- Data analysis
- Processing or administration
- Utilization Review
- Billing
- Benefit Management
- Computer work
- Legal work
- Actuarial work
- Accounting work
- Transcriptionists
- Accreditation work
- Cleaning service
- Consulting work
- Marketing
Preparing for HIPAA Compliance
Develop Written Policies & Procedures
- Decide who is responsible for determining “minimum necessary” data
- Develop a records management plan
  - Determine who will keep records
  - Determine how records will be kept
- Teach proper documentation
Preparing for HIPAA Compliance
Documentation Procedures
- Create record logs
  - Log information given in response to patient authorization
  - Log information given in response to legal requests for PHI
  - Log patient requests for amendments or restrictions to your Privacy Policy
- Records of PHI disclosures must be kept a minimum of 6 years
Preparing for HIPAA Compliance
Conduct a Site Survey of Your Own Facility
- Walk through the facility from the patient’s point of view. Look for visible or audible PHI, including information on tables & desks, in waste cans, on computer monitors, on fax machines, or overheard on telephones.
Preparing for HIPAA Compliance
Site Survey Q’s for Your Own Facility
- Are patient records secure?
- Are there individual & unique passwords assigned for computer systems?
- Are collection calls or calls regarding other PHI made in a private location?
Why should we care about the HIPAA rules?
- CMU is a hybrid entity: Some parts of the university must comply fully as a covered entity (e.g.: Speech & Hearing Clinics), other portions are not affected at all by HIPAA (e.g.: English Dept.), and other parts are indirectly affected (e.g.: Accounts Receivable).
- As a single, hybrid entity, if any one part of the university is found to be out of compliance, all other covered parts can be investigated.
- HIPAA is designed to empower the patient/consumer.
- HIPAA ideally will minimize cost over the long term.
Why should we care about the HIPAA rules?
Criminal Penalties
- Failure to comply: Fine & possible exclusion from Medicare
- Wrongful Disclosure: $50,000, imprisonment of up to one year, or both
- Offense under False Pretenses: $100,000, imprisonment of up to five years, or both
- Offense with intent to sell information: $250,000, imprisonment of up to ten years, or both
HIPAA Web Links
- www.hipaadvisory.com
- www.hipaacow.com
- www.cms.hhs.gov/hipaa
- www.hhs.gov/ocr/hipaa
- www.hcfa.gov/medlearn
