1
HIPAA Learning Module
  • The following is an educational PowerPoint presentation on the HIPAA rules and regulations.
  • If you are associated with UMHS (University of Michigan Health System), and did NOT access this course through MLearning, you will not get credit unless you log in to MLearning, and take the course there. Log in to MLearning, search for “HIPAA” and enroll for the appropriate course.
  • If you DID access this through MLearning or are NOT associated with UMHS, continue with this module. To navigate, use the arrows or click “Slide Show” at bottom right, or click on the titles in the table of contents on the left.
2
THE HIPAA PRIVACY RULE …
THE BASICS
3
OUR COMMITMENT TO PRIVACY
  • The University of Michigan is committed to protecting the privacy and integrity of our patients’ health information.  The HIPAA Privacy Rule recognizes the importance and value of this commitment.
  • Protecting Patient Health Information is the responsibility of all of us.
4
BACKGROUND
Regulations
  • The Privacy Rule was adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • The date for compliance is April 14, 2003.
5
OVERVIEW
6
OVERVIEW
Patient Rights
  • The Privacy Rule gives patients the right to:
    • have their PHI protected;
    • inspect and copy their records;
    • request that PHI in their records be corrected or changed;
    • ask for limits on how their PHI is used or shared;
    • ask that they be contacted at a certain place, such as at work and not at home;
    • get a list of disclosures made of their PHI.
7
GENERAL RULES
Notice of Privacy Practices
  • Health care providers and health plans will give out a Notice of Privacy Practices (NPP) that describes how we use and share PHI, the patients’ rights, their responsibilities regarding PHI, and who to contact for more information.
  • You can access our NPP by going to our HIPAA web site www.med.umich.edu/u/hipaa.
  • It is important that you know our patients’ rights and our responsibilities.
8
KEY TERMS
  What is Protected Health Information (PHI)?
9
KEY TERMS
Protected Health Information, Use and Disclosure
  • Protected Health Information (PHI) includes information:
    • sent or stored in any form;
    • that identifies the patient or can be used to identify the patient;
    • that is created or received by a covered entity;
    • that generally is about a patient’s past, present and/or future treatment and payment of services.
  • Use:  generally refers to how PHI is handled by us.
  • Disclosure:  generally refers to how PHI is shared externally.


10
KEY TERMS
Covered Entities
  • “Covered entities” is a term under the regulations that includes:
    • Health plans like M-Care;
    • Health care providers at UMHS, including doctors, nurses, therapists, and people who transmit information electronically, and the places where they work, such as hospitals and clinics;
    • Health care clearinghouses like Blue Cross/Blue Shield’s DENIS system, WebMD and Envoy.


11
KEY TERMS
Treatment, Payment and Health Care Operations (TPO)
  • Treatment:  various activities related to patient care.
  • Payment:  various activities related to paying for or getting paid for health care services.
  • Health Care Operations:  generally refers to day-to-day activities of a covered entity, such as planning, management, training, improving quality, providing services, and education.
  • NOTE:  Research is not considered TPO.  See the education program on research for more information.


12
TREATMENT
Written Permission IS NOT Needed
  • There are many myths about when patient permission is needed. Written permission is not needed:
    • to use or share PHI to treat a patient, get paid for treatment or to evaluate the person who provided treatment (TPO);
    • to share PHI with that patient;
    • for public health purposes, such as to report births and deaths;
    • for disclosure to our vendors for TPO under a written contract.

13
GENERAL RULES
14
GENERAL RULES
 When Written Permission IS Needed
    • Patient permission or “authorization” is needed to use or share PHI for certain marketing and fund-raising activities.


    • For example: A doctor cannot give a diaper company the names of pregnant patients without an authorization.


    • NOTE: See the education program on marketing and fundraising for more information.

15
GENERAL RULES
 When Written Permission IS Needed - cont’d.
    • Patient permission or “authorization” is needed to use or share PHI for research.


    • For example: A researcher cannot enroll a patient in a study without an authorization that includes what the PHI will be used for, who can use it and for how long.


    • NOTE: See the education program on research for more information.

16
GENERAL RULES
 When the Patient Needs the Option to Decide
  • Patients are allowed to decide (written permission is not needed) if they want some or all of their PHI to be used or shared, such as:


    • for patient directories; and
    • to friends and family members involved in patient care or payment.

17
GENERAL RULES
Minimum Necessary
    • Generally, the amount of PHI used, shared, accessed or requested must be limited to only what is needed.


    • For example: When a billing company bills for a blood test, it does not need the patient’s complete medical record.


    • In some cases, this rule does not apply, such as when PHI is shared among health care providers for treatment.
18
GENERAL RULES
Minimum Necessary
  • Workers should have only such PHI as their job responsibilities require.


  • For example: Someone who delivers food trays to patients may need PHI about the patient’s diet, but does not need to know why the patient is in the hospital.


19
GENERAL RULES
Incidental Disclosures
    • Take steps or reasonable safeguards to secure and protect PHI.


    • For example:
    • Speak in soft tones when discussing PHI;
    • Do not discuss PHI in public hallways or in elevators;
    • Use (but do not share) computer passwords; and
    • Lock cabinets that store PHI.
20
GENERAL RULES
Incidental Disclosures
  • Incidental Disclosure: generally refers to a sharing of PHI that occurs in connection with an allowable disclosure of PHI.

    An “incidental disclosure” is allowed if steps are taken to limit it.
  • For example, visitors may hear a patient’s name as it’s called out in a waiting room or overhear a clinical discussion as they are walking down a hallway on the unit.


21
GENERAL RULES
What About Other Laws?
  • We already follow many other laws, rules and guidelines to protect privacy.
  • Generally, the Privacy Rule supersedes contrary state law, but there are times when Michigan law controls.  In many cases, both must be followed.
  • In cases where Michigan law provides more protection, Michigan law should be followed.  For example, for AIDS/HIV or mental health records, Michigan law should be followed.
  • If you have questions about a particular law please contact hipaaquestions@umich.edu.
22
GENERAL RULES
Business Associates
  • Any non-employed vendor providing a service for us where they need to have access to PHI must sign an agreement called a business associate agreement promising to keep PHI confidential.
  • For example: a company developing order entry software must see actual PHI, so they would need a written agreement.
  • Employees, volunteers, trainees and others whose work we control are not considered business associates, and therefore, no business associate agreement with them is needed.
  • NOTE: See the education program on business associates for more information.
23
GENERAL RULES
Penalties for Violating the Privacy Rule
  • The privacy regulations’ penalties include:
    • Civil penalties of $100 per person for each violation, with a $25,000 limit per calendar year;
    • Criminal penalties up to $250,000 and 10 years in jail.
  • UMHS policies include disciplinary action up to and including discharge.
24
QUESTIONS?
  • Please visit http://www.med.umich.edu/u/hipaa/contact.htm if you have any questions about the Privacy Rule.
  • For more information about the Privacy Rule, please visit these websites: www.med.umich.edu/u/hipaa, www.hhs.gov/ocr/hipaa and www.cms.hhs.gov/hipaa.
25
Continue to next section
  • You must complete the next section, “Frequently Asked Questions.”
  • To continue to the FAQ section, click HERE.

    Non-UMHS people: be sure to click on the last slide when finished, to get a certificate and credit.