HIPAA Privacy Policies & Procedures

Transcription

HIPAA PRIVACY POLICIES & PROCEDURES
Department of Behavioral Health and Developmental Services (DBHDS)
GENERAL AWARENESS TRAINING
March 2012

HIPAA Humor (North Dakota Dept of Health)

- HIPAA-Ectomy – the removal of individually identifiable health information from records
- HIPAA-Glycemia – a low level of understanding of the HIPAA regulations
- HIPAA-Phobia – a morbid fear of HIPAA regulations
- HIPAA-Thermia – the unexplained chill that is running down the back of anyone associated with HIPAA

Please Note

This summary/overview is not intended to be comprehensive. You must:
- Review our complete policies & procedures referenced later within this presentation
- Consult with the agency’s privacy officer for guidance/clarification on specific HIPAA-related issues

When in doubt – ASK!

Federal Health Information Privacy & Security Provisions Include

Privacy Rules – effective since April 14, 2003, to:
- Keep protected health information (PHI) confidential, and
- Discipline individuals who fail to keep patient information confidential

Security Rules – effective since April 21, 2005, to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information, and
- Ensure compliance by the workforce

Privacy & Virginia Laws

In addition to federal laws, the Code of Virginia also addresses health privacy. Many provisions are found in sections 32.1-127.1:03 and 32.1-127.1:04. There are also other Code sections that may impact health information privacy in specific circumstances. The Virginia Human Rights regulations also include privacy protections for individual health information. The Office of the Attorney General works with the Privacy Officer to clarify when federal preemption may apply, and when state laws provide more stringent privacy protections.

Goals of HIPAA

- Strike a balance between government interest in health information and individual rights to maintain control
- Allow individuals more control over their personal health information
- Impose accountability for breaches of confidentiality or security
- Set boundaries for providers regarding patients’ privacy and confidentiality
- Require safeguards to protect against reasonably anticipated unauthorized uses or disclosures of health information
- Encourage use of electronic record-keeping systems for health data, while protecting against reasonably anticipated threats or hazards to the security or integrity of the information

Privacy & Security Rules Are Necessary Because...

Look at some recent headlines:
- “Identity Theft is America’s fastest growing crime”
- “Hospital fires employees for leaking VIP info to media”
- “Hackers steal tens of thousands of ID numbers from popular websites”
- “Contract employees accused of stealing PHI”
- “Personal info being collected and sold (using telephone numbers)”
- “Internet connects sperm donors with offspring.”

Privacy & Security Officials

Denise A. Dunn – Chief Privacy Officer, Central Office Room 1134, 804-371-2181
John Willinger – Department Acting Security Officer, Central Office Room 511, 804-786-4143

All Staff Must Review the DBHDS Privacy Provisions

Our Privacy Policies & Procedures for the Use and Disclosure of Protected Health Information consist of ten subject-specific chapters with more detailed requirements for workforce compliance with HIPAA and related confidentiality rules & regulations.
- Go to CODIE, click on Instructions and Policies
- Scroll to and click on DI 1001 (PHI)03

Safeguarding Private Information Is Everyone’s Responsibility at DBHDS

If you have access to any patient or personal information in any format, you are responsible for keeping it safe and confidential. There are consequences for individuals who violate privacy or security regulations. Consequences may include disciplinary actions as well as civil and criminal penalties.

Bottom Line – Privacy Is Just Good Customer Service

Keeping each individual’s best interests first, while striving to preserve their privacy rights.

And then it’s good record management: keeping records accessible, but safe and secure at the same time, while preserving the integrity of each record.

How Do Individuals Know What Their Privacy Rights Are?

The DBHDS Notice of Privacy Practices must be given to each individual upon admission into our system. It is posted on our website, and tells them how:
- PHI may be used or disclosed by the care provider
- To access their personal medical records
- To request to correct their records if they appear incorrect
- To request alternative communications of their medical information that are more confidential
- To request restrictions on release of personal health information
- To request an accounting of certain disclosures of personal health information
- To object to certain disclosures of personal health information

Let’s Think About It

Mrs. Brown calls her husband’s physician and asks for his lab test results. She says that Mr. Brown is at work and asked her to call. The test results are positive for a sexually transmitted disease. The physician declines to give the results to Mrs. Brown and asks her to get her husband to call personally for the lab results. Mrs. Brown is irate and states “HIPAA laws say you can share health information with a family member.”

Who is right in this case?
- Mrs. Brown
- The Physician

Answer: The Physician

So What Is PHI?

PHI (Protected Health Information) is any health information that links an identifiable person with his or her health condition. Some identifiers include:
- Names
- Dates
- Numbers
- Addresses
- Graphics

Every identifier listed in the HIPAA regulations is outlined in DI 1001 (PHI)03.

PHI Comes In All Kinds of Formats

- Paper or “hard-copy”: records, labels, correspondence
- Electronic: computerized, digitized, video, audio
- Communications: verbal, sign language, etc.

If all the identifiers are removed, the information is no longer PHI. It is de-identified.

General Rule Regarding PHI

PHI may not be used or disclosed except as permitted or required by law.

Required PHI Disclosures

- To the individual who is the subject of the PHI – when requested
- When required by the Secretary of Health and Human Services

Permitted PHI Disclosures

- To the individual who is the subject of the PHI
- For treatment, payment and healthcare operations (TPO) as defined by the HIPAA regulations
- As otherwise permitted or agreed (in keeping with HIPAA regulations)
- As AUTHORIZED by the individual or their legal representative

Treatment Defined (45 CFR 164.506)

The provision, coordination, or management of health care and related services among health care providers or by a health care provider and a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

Payment Defined (45 CFR 164.501)

The various activities of health care providers to obtain payment or be reimbursed for their services.

Health Care Operations Defined (45 CFR 164.501)

Certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

PHI Uses & Disclosures – When No Authorization Is Required

- Uses & disclosures required by law
- Uses & disclosures for public health activities
- Disclosures about victims of abuse, neglect, or domestic violence to law enforcement and other appropriate authorities & officials
- Uses & disclosures for legally authorized health oversight activities

PHI Uses & Disclosures – When No Authorization Is Required (cont’d)

- Disclosures for judicial and administrative proceedings: court orders, subpoenas
- Disclosures for law enforcement purposes

PHI Uses & Disclosures – When No Authorization Is Required (cont’d)

- Uses & disclosures about decedents: coroners, medical examiners, funeral directors
- Uses & disclosures for organ donation purposes
- Uses & disclosures for certain research purposes

PHI Uses & Disclosures – When No Authorization Is Required (cont’d)

- Uses & disclosures to avert a serious threat to health or safety
- Uses & disclosures for specialized government functions (i.e. coordination of agency benefits for same or similar populations)
- Disclosures for workers’ compensation purposes

Uses & Disclosures When Authorization IS REQUIRED

For all uses and disclosures not expressly permitted, or not expressly identified as requiring no authorization.

Minimum Necessary Rule

When using, disclosing or requesting PHI, we must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

When the Minimum Necessary Rule Does NOT Apply

- Disclosures to or requests by providers for treatment
- Uses or disclosures made to the individual
- Uses or disclosures made pursuant to an authorization

When the Minimum Necessary Rule Does NOT Apply (cont’d)

- Disclosures to the Secretary of Health and Human Services
- Uses or disclosures required by law
- Uses or disclosures required for compliance with HIPAA

Business Associate Agreements

Who Is A Business Associate? A person who, on behalf of DBHDS, performs or assists in a function or activity involving the use or disclosure of PHI. This includes claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or

Who Is A Business Associate? (cont’d)

any other function or activity regulated by HIPAA provisions; or a person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for DBHDS where the provision of the service involves the disclosure of PHI.

Business Associates (cont’d)

We may disclose PHI to a business associate if we first receive satisfactory assurances that the business associate will appropriately safeguard the information. Satisfactory assurances require:
- Business Associate Contract, or
- Memorandum of Understanding

Business Associates (cont’d)

HITECH Act (Health Information Technology for Economic and Clinical Health Act) changes regarding business associates: for the first time, business associates must comply directly with many of HIPAA’s Security Rules, which require:

Business Associates (cont’d)

- Appointing a security officer,
- Developing written policies and procedures,
- Training the workforce on how to protect electronic protected health information (“EPHI”)

Business Associates (cont’d)

Business associates also will need to follow HIPAA’s Security Rules relating to:
- Physical safeguards
- Technical safeguards
- Adoption of written policies and procedures

Failure to do so will subject a business associate to civil monetary penalties and criminal penalties.

Privacy Violations: Consequences

- HIPAA Privacy Rules are enforced by the Office for Civil Rights (OCR)
- Violations can result in personal liability, either civil or criminal sanctions, including fines, jail time or both
- DBHDS sanctions may include disciplinary actions or termination

Let’s Review

Individual health information is considered de-identified if data such as names and social security numbers are removed, but other information such as dates of service and zip codes do not have to be removed.
- True
- False

Answer: False
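As an added example tied to the “So What Is PHI?” slide and the quiz above (not DBHDS code or DI 1001 text), a Python check that reports which identifier categories remain in a record; the field names and sample records are constructed, and the date, ZIP code and age rules are the Safe Harbor rules from 45 CFR 164.514(b) that the slides summarize.

```python
"""Safe Harbor-style de-identification check (added illustration, not DBHDS or
DI 1001 code). Field names and the sample records below are constructed; the
rules on dates, ZIP codes and ages follow 45 CFR 164.514(b)."""
import re

# Fields that are direct identifiers whenever non-empty, mapped to the slide's categories.
DIRECT_IDENTIFIER_FIELDS = {"name": "names", "ssn": "numbers", "mrn": "numbers",
                            "phone": "numbers", "street": "addresses", "email": "addresses"}
FULL_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # a bare year would be allowed
ZIP5 = re.compile(r"^\d{5}(-\d{4})?$")           # full ZIP; a 3-digit prefix is allowed


def find_identifiers(record):
    """Return the sorted identifier categories still present in a record dict."""
    found = set()
    for field, category in DIRECT_IDENTIFIER_FIELDS.items():
        if record.get(field):
            found.add(category)
    # Any date more precise than a year (admission, discharge, service, birth) identifies.
    for value in record.values():
        if isinstance(value, str) and FULL_DATE.match(value):
            found.add("dates")
    # A full ZIP code is an address element. Safe Harbor also requires that a retained
    # 3-digit prefix cover more than 20,000 people; that population lookup is not done here.
    if ZIP5.match(str(record.get("zip", ""))):
        found.add("addresses")
    # Ages over 89 must be collapsed into a single "90 or older" bucket.
    age = record.get("age")
    if isinstance(age, int) and age > 89:
        found.add("dates")
    return sorted(found)


def is_deidentified(record):
    """True only when no identifier category remains."""
    return not find_identifiers(record)


# Constructed sample matching the quiz: name and SSN removed, date of service and ZIP kept.
PARTIAL = {"name": "", "ssn": "", "diagnosis": "F41.1",
           "date_of_service": "2012-03-14", "zip": "23219", "age": 42}
# Same record with the date reduced to its year and the ZIP to its 3-digit prefix.
SAFE = {"name": "", "ssn": "", "diagnosis": "F41.1",
        "service_year": "2012", "zip": "232", "age": 42}

if __name__ == "__main__":
    print(find_identifiers(PARTIAL))  # ['addresses', 'dates']
    print(is_deidentified(SAFE))      # True
```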

Let’s Think About It

A drug company wants to send information about a new drug to individuals with a certain diagnosis. They ask one of our facilities or Central Office units for a list of names and addresses of these persons. We do not need to get authorization to release this information.
- True
- False

Answer: False

Speaking of Confidentiality

How Much Is Enough? How Much Is Too Much?

Three types of problem disclosures:
- Incidental
- Accidental
- Intentional

Incidental Disclosures

If you are taking reasonable precautions to safeguard an individual’s health information, and someone happens to hear or see PHI that you are using, you are not necessarily responsible for that type of disclosure.

Reasonable Precautions to Avoid Incidental Disclosures

- Speak in as low a voice as possible
- Move to as private an area as possible within the circumstances at hand
- Ask individuals if they are comfortable with the setting (and offer alternatives if possible)
- Cover documents and shield computer screens in public areas to make them as secure as possible

Examples of Incidental Disclosures

A visitor or someone else sees or hears while you are:
- Reviewing records & orally coordinating services at an assessment station or appointment desk
- Viewing and discussing lab results, satisfaction survey results, or a personal complaint with an individual or other provider in a shared working space
- Discussing an individual’s condition or treatment with him or her, or with family, in a semi-private room
- Discussing an individual’s condition with students or other trainees during rounds in an academic institution or other training setting

Each of these situations still requires you to take reasonable precautions!

Accidental Disclosures

Mistakes happen. If you disclose private data in error to an unauthorized person:
- Acknowledge the mistake; notify your supervisor or Privacy Officer immediately
- Learn from the error – change procedures or practices as needed
- Assist in correcting or recovering from the error ONLY if instructed to do so – don’t try to cover it up or “make it right” on your own

Immediately report accidental disclosures to the Privacy Officer!

Intentional Disclosures

If you ignore the rules and carelessly or deliberately use or disclose protected health information inappropriately, you can expect the possibility of:
- Disciplinary action
- Civil liability
- Criminal charges

Intentional Violations: Examples

Improper use of passwords can become intentional violations:
- Sharing, posting or distributing personal password or account access information
- Allowing co-workers to use your login
- Knowledge of unauthorized use of passwords by co-workers, and failure to report
- Attempting to acquire or use another person’s access information or authorization

Intentional Violations: More Examples

Improper use of computers can become intentional security violations:
- Failing to secure your workstation which contains PHI
- Emailing PHI outside of the DBHDS network system
- Posting PHI on the Internet without authorization, or with inadequate security measures

Intentional Violations: Even More Examples

- Accessing PHI outside of your “professional need to know” capacity – either from personal curiosity or as a favor for someone else
- Accessing PHI at home and leaving it visible to other relatives, friends, roommates, etc.
- Selling or inappropriately releasing PHI to the media
- Discussing PHI in public hallways, elevators, etc. without taking reasonable precautions

When To Report Violations

All accidental and intentional violations, known and suspected, must be reported immediately:
- So they can be investigated and managed
- So they can be prevented from happening again
- So damages can be kept to a minimum
- To minimize your personal risk

Incidental disclosures do not need to be reported to the Privacy Office – but if you’re not sure, report anyway!

Let’s Review

You’re walking in the hallway behind a staff member who is talking on his cell phone. You can clearly hear his conversation, which includes references to several individuals receiving treatment in our system: names, locations, and conditions. At one point he says, “you won’t believe who was referred here for treatment.”

Are you required to report this as a privacy breach?
- Yes
- No

Answer: Yes

Administrative Safeguards Available to You

- Policies & Procedures – about using & disclosing electronic data, and assigning responsibilities for securing e-data, including PHI, during disasters
- Privacy & Security Officers – to consult for policy interpretations and to manage complaints & incidents
- Education & Training – to inform all workforce members of the privacy and security rules
- Internal Audit Tools – to determine routine compliance with privacy & security rules and regulations

Physical Safeguards

Identification
- All staff, visitors, volunteers, etc. should display approved ID badges in all areas where PHI documents are accessible

Locks, Doors and Other Barriers
- Lock offices, workspaces, treatment areas, labs, conference rooms, storage rooms, etc. where there are PHI documents

Document Covers
- Protect all paper documents containing PHI in folders, binders, etc.
- Transport documents with PHI in a manner to avoid inappropriate disclosures

PHI in E-Mails

Individual to Care Provider: If an individual who is receiving, has received, or is seeking services within our system wishes to exchange email messages with you:
- Inform him or her of the risks for accidental and unauthorized disclosures when using email
- You can receive emails from these individuals, but never use PHI in emails to them without written authorization

Provider/Staff to Provider/Staff:
- Use emails only within the DBHDS network system

PHI Disposal

Disposing of documents or other formats containing PHI:
- Preferred Method: Shred, deface, etc. or destroy immediately
- Next Best: Place in a secure container in a secure place

Follow DBHDS policies for destruction of records. All records must be retained or destroyed in accordance with HIPAA regulations and Library of Virginia guidelines.

Think Fast

Your coworker has forgotten his password and needs to enter some critical data in the system before going home, so you let him use your log-on and password. While in the system, he looks up some personal identification information about another co-worker. Later, that co-worker complains that she suspects someone has accessed her PHI. If an audit is performed, who will be responsible for the unauthorized access?
- My friend
- I will
- Both of us
- No one, it was work-related

Answer: I will

HIP HIPAA HOORAY!!!

You have successfully completed the HIPAA Privacy Awareness Training!

There may be lots more information you need to know based on your job responsibilities:
- Review your EWP with your supervisor for further guidance and be certain to understand the PHI Access Level assigned to you.
- Consult with the privacy officer as you proceed on projects impacted by HIPAA.

Again, if in doubt, ASK!!!!

University of Florida HIPAA Privacy Awareness Training

Some portions of this presentation were adapted from the University of Florida HIPAA Privacy Awareness Training y/instructions.shtml
