HIPAA PRIVACY TRAINING FOR ASSOCIATES - Hays Medical Center

HIPAA PRIVACY TRAINING FOR ASSOCIATES
HAYS MEDICAL CENTER
CHRISTY STAHL, CPC
COMPLIANCE MANAGER & PRIVACY OFFICER

HIPAA
HaysMed’s Privacy Officer is Christy Stahl. She is responsible for the oversight of HaysMed’s compliance with the HIPAA privacy regulations. She also investigates any alleged privacy violations.

Associates
You will notice the term “Associates” is used throughout this training. “Associates” is a broad term that represents all the following individuals who are associated with HaysMed:
- Employees
- Volunteers
- Students
- Other trainees
- Members of the Board of Directors
- Locum Tenens
- Contract Staff
- Independent Contractors
- Other persons whose conduct is under the direct control of HaysMed (whether or not they are compensated by HaysMed for such services)

LESSON ONE
Welcome to the introductory lesson on the HIPAA Privacy and Security Rules

COURSE RATIONALE
In this course, you will learn about:
- Federal regulations concerning patient confidentiality and computer security
- How those regulations impact your job duties/training at HaysMed

COURSE GOALS
After completing this course, you should:
- Know the rules regarding the use and disclosure of protected health information
- Understand safeguards to protect patient privacy
- Appreciate the importance of computer security

COURSE OUTLINE
Lesson 1 – this introductory lesson gives you the course rationale, goals, and outline
Lesson 2 – provides an overview of the HIPAA Privacy and Security Rules
Lesson 3 – explains the rules regarding use and disclosure of patient information
Lesson 4 – addresses patients’ rights concerning their health information
Lesson 5 – talks about safeguards to protect patient privacy and security

LESSON 2
Overview of the HIPAA Privacy and Security Rules

Welcome to Lesson 2 for an overview of the HIPAA Privacy and Security Rules
After completing this lesson, you should:
– Understand where the rules came from
– Appreciate why we have these rules
– Know the consequences of violating the rules

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996
HIPAA is a federal law that was enacted by Congress and signed by the President in 1996

As part of the HIPAA law, Congress directed the U.S. Department of Health and Human Services (DHHS) to develop regulations that would:
- protect patient privacy
- protect the security of health information stored and transmitted electronically

The final HIPAA Privacy Rule became effective in April 2003
The final HIPAA Security Rule became effective in April 2005
These rules regulate the way covered entities handle protected health information

The HIPAA Privacy and Security Rules only apply to covered entities
We refer to covered entities as CEs
There are three types of CEs:
- Health Care Providers (e.g., hospitals, physicians, nursing homes, pharmacies)
- Health Plans (e.g., health insurance companies, employer-sponsored health plans)
- Healthcare Clearinghouses (organizations that process insurance claims)
HaysMed is a CE, so the hospital, its physician clinics, and Associates must comply with the HIPAA Privacy and Security Rules

The HIPAA Privacy and Security Rules regulate how we safeguard, use, and disclose Protected Health Information or PHI.
PHI includes all individually identifiable health information
PHI is not limited to paper documents. It includes electronic data and oral communications

Health information includes:
- Past, present, or future physical or mental health or condition of an individual
- Provision of health care to an individual; or
- Past, present, or future payment for the provision of health care to an individual.
Information is protected regardless of how sensitive it may be

Health information is individually identifiable if it:
- identifies an individual
- provides some basis from which someone could identify an individual if they really wanted to

Examples of information that is considered “identifying”:
- name, address, telephone number, fax number, email address
- birth date, admission date, discharge date
- social security number, medical record number, account number
- information about relatives, employers, etc.
- vehicle ID number, URL address

Examples of PHI
All of the following constitute PHI:
- A lab test report that lists only the patient’s medical record number
- A conversation between two nurses about the patient in Room 202
- A message on an answering machine asking John Doe to call his doctor’s office
- A receipt for payment of an office visit co-payment

Examples of PHI
- Patient Photos
- Status boards in the Electronic Medical Record
- Emails containing patient information
- Patient Discharge Instructions

Consequences of violating the HIPAA Privacy and Security Rules
- Significant government fines and penalties against HaysMed
- Up to $50,000 per violation
- Criminal penalties against the individuals involved in the violation
- Expensive civil lawsuits brought by individuals against HaysMed and its Associates
- Damage to HaysMed’s reputation in the community
- For licensed individuals (e.g., nurses, therapists), disciplinary action by their licensing board

Consequences of violating HaysMed’s HIPAA policies:
- For HaysMed employees, disciplinary action by HaysMed, up to and including termination
- For students, termination of their training at HaysMed
- For contracted individuals, termination of their contract with HaysMed
- Understand that HaysMed is obligated to report licensed Associates to their licensing agencies when the Associate violates HIPAA

You have completed Lesson 2 on the purpose of the HIPAA Privacy and Security Rules

Remember:
- The HIPAA Privacy and Security Rules regulate the way covered entities safeguard, use, and disclose protected health information
- PHI is any information relating to a person’s health, healthcare, or payment for healthcare services that contains something that could be used to identify the person
- PHI is not limited to paper documents. It includes electronic data and oral communications
- The consequences of violating these rules can be severe for HaysMed and its Associates

Lesson 3
Uses and Disclosures of PHI

Welcome to Lesson 3 on uses and disclosures of PHI
After completing this lesson, you should be able to:
- List uses and disclosures of PHI allowed under the HIPAA Privacy Rule
- Recognize what must be included in written permission for uses and disclosures
- Define “minimum necessary” use or disclosure

Competing Interests
The HIPAA Privacy Rule tries to balance two competing interests:
- No. 1: protect patient privacy
- No. 2: allow the flow of PHI when needed to ensure high quality healthcare and protect public health

A CE cannot use or disclose PHI without the patient’s authorization unless an exception applies
Exceptions are based on the purpose of the use or disclosure, as opposed to the type of PHI involved
Let’s look at some of those exceptions

Treatment, Payment, Health Care Operations
Use and disclosure of PHI is permitted without patient authorization if the purpose of the use or disclosure is:
- treatment
- payment
- health care operations

Treatment
HaysMed may use and disclose PHI to treat its patients
HaysMed may disclose PHI to other healthcare providers for them to treat their patients

Payment
HaysMed may use and disclose PHI to obtain payment for services it provides.
HaysMed may disclose PHI to another CE as necessary for that CE’s payment purposes

Health Care Operations
HaysMed may use and disclose PHI for health care operations, which include:
- management functions necessary to support treatment or payment
- quality assurance activities
- utilization review activities
- audits
- credentialing
Research activities and marketing do not qualify as health care operations
HaysMed may disclose PHI to another CE for that CE’s health care operations only if that CE has a pre-existing treatment relationship with the patient

Opportunity to Opt Out
HaysMed may use or disclose PHI in the following ways without a written authorization if the individual has the opportunity to agree to or prohibit or restrict the use or disclosure:
- HaysMed may use a patient’s name, location in the facility, religious affiliation, and condition described in general terms to maintain a facility directory. HaysMed may disclose this information to clergy or, with the exception of religious affiliation, to other persons who ask for the person by name

Business Associates (BAs)
- Third parties that access or create PHI on behalf of HaysMed for purposes other than treatment
- Must have a written Business Associate Agreement (“BAA”) with HaysMed regarding use of PHI
- BAs are subject to certain provisions of the HIPAA Privacy and Security Rules
- HaysMed is liable for a BA if the BA acts as HaysMed’s agent

- HaysMed may disclose to a patient’s family member, close personal friend, or other person identified by the patient PHI directly relevant to such person’s involvement with the patient’s care or payment for services
- HaysMed may use or disclose PHI to notify a family member, a personal representative of the individual, or other person responsible for the individual’s care

Other Permitted Uses and Disclosures Without Written Authorization
The HIPAA Privacy Rule includes several other exceptions that permit use and disclosure of PHI without written authorization:
- as specifically required by law
- for public health activities (e.g., reporting disease or injury)
- to report victims of abuse, neglect, or domestic violence
- for health oversight activities by the government
- in judicial and administrative proceedings

Continued:
- for law enforcement purposes
- to disclose information to coroners, including medical examiners, or for the purpose of cadaveric organ, eye and tissue donations
- to avert a serious threat to health and safety
- to a funeral director as necessary to carry out duties with respect to a decedent
- for specialized governmental functions
- for workers compensation claims

Special Rules for Certain Types of Disclosures
Use and disclosure of PHI for the following purposes without an authorization is permitted only in limited circumstances:
- marketing
- fundraising
- research

Special Rules for Certain Types of PHI
Certain types of PHI are subject to special protections under state and federal law:
- HIV/AIDS information
- records of treatment in a federally-assisted drug and alcohol treatment program
- information relating to patients of community mental health centers, community service providers, psychiatric hospitals, or state institutions for the mentally retarded
Even if a particular use or disclosure is permitted without an authorization under the HIPAA Privacy Rule, such use or disclosure may be prohibited under these rules

Authorizations
If no exception applies, HaysMed must obtain a written authorization from the patient (or personal representative) before using or disclosing the patient’s PHI

Authorization Required Elements
To be effective, a written authorization must include:
- Description of PHI to be used or disclosed
- Description of the purpose of the use or disclosure
- Description of the persons or class of persons that may use PHI or to whom the PHI may be disclosed
- Revocation and re-disclosure instructions
- Notice that HaysMed must treat the patient regardless of whether authorization is given
- Expiration date or triggering event
- Individual’s signature or personal representative’s signature and authority
HaysMed has a standard Authorization Form it uses to release PHI.

Role-Based Restrictions
- You may access or discuss PHI only to the extent necessary to perform job duties
- Electronic audit trails track each time you access a record (including status boards)
- If you access or discuss any patient’s PHI without a legitimate job-related reason for doing so, you will be disciplined, including possible termination
  – Regardless of location (at work, at home, in a social setting)
  – Includes friends and family members

Breach Notification
– If a patient’s PHI is breached, HaysMed must provide specific written notice of such breach to that patient within 60 days of discovery
– Must submit annual reports to the government
– Breach: an improper use or disclosure with potential for harm to the individual
– HaysMed must review every improper use or disclosure to determine if it constitutes a breach
– Failure to document such review is itself a HIPAA violation
Associates must report all improper uses or disclosures of PHI to HaysMed’s Privacy Officer

Enhanced Enforcement
- Department of Health and Human Services must investigate any complaint which may involve willful neglect
- State Attorneys General may bring action to enjoin violations or obtain damages
- Penalties reinvested in enforcement activity
- Individual harmed by violation eligible for portion of any penalty

Five Factors For Breach Evaluation
1. Nature and extent of violation
2. Nature and extent of harm resulting from violation
3. History of prior compliance and violations
4. Financial condition of violator
5. Such other matters as justice may require

Civil Monetary Penalties
Tier 1 – Violation not known or reasonably known: at least $100 per violation, $25,000 max for identical violations in a calendar year
Tier 2 – Violation due to reasonable cause, but not willful neglect: at least $1,000 per violation, $100,000 max for identical violations in a calendar year
Tier 3 – Violation due to willful neglect, if corrected: at least $10,000 per violation, $250,000 max for identical violations in a calendar year
Tier 4 – Violation due to willful neglect, if not corrected: at least $50,000 per violation, $1.5 million max for identical violations in a calendar year

Criminal Penalties
Employees and other agents may be held criminally liable for HIPAA violations

Lessons Learned
- No laptops at meetings if viewing patient information
- Do not view/work on medical records where others can see the patient’s information
- Lock down computer monitors
- Be cautious in selecting a patient’s name when printing documents from Access E-Forms
- Obtain assistance before communicating with law enforcement
- Remove patient history information before handing the clipboard to the next patient
- Double check fax numbers before faxing

Minimum Necessary Rule
Any use or disclosure must be limited to the minimum amount of information necessary to accomplish the specific purpose of the use or disclosure.

The minimum necessary rule does not apply to:
- uses and disclosures for treatment purposes
- uses and disclosures made pursuant to an authorization
- disclosures to the person who is the subject of the information
- disclosures required by law

Associate Access to PHI
An Associate may access or discuss any patient’s PHI only to the extent necessary to perform his/her job duties
An Associate who accesses or discusses any patient’s PHI (including family members) without a legitimate job-related reason for doing so will be subject to discipline up to and including termination

What To Do If You Have Questions
The rules concerning use and disclosure of PHI can be confusing
If you have a question concerning these rules, contact HaysMed’s Privacy Officer, Christy Stahl
- 785-623-2188 work #
- 785-623-1821 cell #
- Christy.stahl@haysmed.com

You have completed Lesson 3 on uses and disclosures of PHI

Remember:
- you cannot use or disclose PHI without written authorization unless an exception applies
- uses and disclosures for treatment, payment, and health care operations are permitted
- there are several other exceptions that apply in specific circumstances
- a written authorization must contain specific information to be valid
- all improper uses or disclosures of PHI must be reported to the Privacy Officer to determine if breach notification is required
- an associate who uses or discloses a patient’s PHI without a job-related reason for doing so will be disciplined
- seek guidance from your supervisor or the Privacy Officer before disclosing any protected healthcare information to a police officer
- if you have questions concerning uses and disclosures of PHI, contact HaysMed’s Privacy Officer

Lesson 4
Patients’ Rights Concerning Their PHI

Welcome to Lesson 4 on patients’ rights concerning their PHI
After completing this lesson, you should be able to:
- identify patients’ rights concerning their PHI
- assist a patient who wants to exercise one of those rights

Right to Access PHI
HaysMed must give a patient access to inspect and copy his or her PHI maintained in a designated record set
A patient wanting access must submit a written request to the Medical Records Department

Right to an Accounting
A patient may request an accounting of HaysMed’s uses and disclosures of the patient’s PHI made within the last 6 years
Such an accounting does not include uses or disclosures for treatment, payment, or health care operations or uses and disclosures authorized by the patient
A patient wanting an accounting must submit a written request to the Privacy Officer

Right to Request Amendments
A patient can request that PHI be amended if he or she believes it is not accurate
HaysMed can deny such a request if the information is accurate and complete or was not created by HaysMed
A patient seeking an amendment must submit a written request to the Privacy Officer or to the Medical Records Department

Right to Request Restrictions
A patient may request that HaysMed restrict those uses or disclosures permitted without authorization
Such a request must be made in writing to the Privacy Officer or to the Medical Records Department
HaysMed is not required to agree to such a request

Right to Receive Confidential Communications
A patient may request that HaysMed communicate with him or her by alternative means or at alternative locations (e.g., only contact the patient at a certain telephone number)
HaysMed must abide by all reasonable requests
If a patient makes such a request to you, make sure the request is communicated to the appropriate people and documented appropriately

You have completed Lesson 4 on patients’ rights concerning their PHI

Remember:
A patient has the right to:
- access his/her PHI
- obtain an accounting of HaysMed’s disclosures of his/her PHI
- request an amendment to his/her PHI
- request restrictions on uses and disclosures permitted without an authorization
- receive confidential communications

Lesson 5
Administrative Requirements

Welcome to Lesson 5 on administrative requirements
When you complete this lesson, you should be able to:
- identify the administrative requirements the HIPAA Privacy Rule imposes on HaysMed
- understand the importance of following safeguards to prevent improper disclosures of PHI

Notice of Privacy Practices
- HaysMed must give all of its patients a written Notice of Privacy Practices
- Patients are requested to sign an acknowledgement of receipt
- A copy of the Notice is available on HaysMed’s website, www.haysmed.com

Safeguards
All Associates must follow safeguards to prevent improper uses and disclosures of PHI
As part of your work, you will have conversations with patients, family members, and co-workers involving PHI. You must take care to avoid others overhearing those conversations
Never leave documents containing PHI unattended where they could be accessed by unauthorized persons

Safeguards
Never share your computer password with anyone else
Never allow anyone else to use your computer password
If you have reason to believe the security of your password has been compromised, notify the Privacy Officer immediately

Safeguards
Always wear name badges to prevent unauthorized individuals from having access to PHI
Confirm the identity of the person with whom you are speaking and follow procedures when leaving messages
Keep all PHI within HaysMed’s facility unless job duties specifically require otherwise (this is the rule, not the exception)

Safeguards
Always lock doors
Be cautious when stuffing envelopes with patient information
Double check the fax number before sending PHI and always use a fax cover sheet

Everyday Safeguards
- Lock down your computer before leaving it
  – Alt Q
  – Ctrl Alt Delete
- Do not get caught in a phishing attack
- Beware of social engineering
- Do not plug an unknown USB into your computer

Phishing Attack
Email has become a vital tool for communication in today’s healthcare delivery environment. This tool, however, does not come without risks.

First off, it is extremely easy to send Protected Health Information in near real time. This is very valuable when done correctly. We are trying to remind associates, when it is necessary to send any sensitive data to a non-HaysMed email account, be sure to send it securely. This is accomplished by using the word “secure” in square brackets anywhere in the “Subject:” line of the email (e.g. [secure]). This will allow the recipient to retrieve the email through a secure website.

Secondly, this note is a caution to users that email is a favored mechanism of “bad-actors” with malicious intent who are continually trying to compromise HaysMed’s network resources. Associates need to always remain vigilant with messages they receive. Exercise extreme care when clicking website links received via email; as a general rule, you should never click an unsolicited link and you should never give your login information if prompted after clicking these types of links (see example malicious email message below).

Dear Account Owner,
We want to upgrade all Microsoft Exchange email account scheduled for today as part of our duty to strengthen security of your mailbox. CLICK HERE to upgrade your account to Outlook Web Apps 2015. If your settings is not updated today, your account will be inactive and cannot send or receive message any longer.
Sincerely,
-IT Department
Microsoft Corporation. All rights reserved

Security of the HaysMed network is everyone’s responsibility and we look to you to help to keep our data secure.
Scott Rohleder
Hays Medical .com

Safeguarding Electronic PHI (e-PHI)
Computer Security Measures:
- Passwords and access codes
- Audit logs
- Physical location of equipment
- Firewalls, virus detection
- Password-protected screensavers
- Removal and destruction
- User profiles
- Encryption
- Data back-up

Your duties and responsibilities
- Do not disclose your password or access code to any person (except authorized IT staff)
- Do not ask anyone to disclose his/her password or access code
- Do not store PHI on any hard drive (both work and personal devices)
- Do not transmit any PHI (e.g., e-mail) unless properly encrypted (Contact the IT Department for directions on encrypting messages)

Mobile devices (CDs, flash drives, memory cards, cell/smart phones)
- Restrict use of mobile devices for storage or transmission of e-PHI
- To the extent possible, password protect mobile devices
- Return mobile devices to the IT Department for proper destruction

Social Media
- Includes Facebook, Twitter, LinkedIn, school blogs, etc.
- You are personally and legally responsible for content you post on any social networking site
- Even when using privacy settings, you should treat all postings as public information

Social Media
An Associate shall adhere to all provisions of the Confidentiality Agreement when posting on any social networking site. An Associate shall not post to any social networking site during work hours, unless an Associate’s job description requires such posts to be made as part of maintaining a Hays Medical Center sponsored social networking page.

Social Media – Three Rules
1. Do not post any information about a HaysMed patient, even if you do not identify the patient by name or otherwise
   Friends and family members – only if your knowledge of such person’s condition is based solely on personal experience
2. Do not blog or post comments, messages, or other content anonymously when commenting about HaysMed or any HaysMed physician or employee
3. When blogging or posting comments, messages, or other content regarding HaysMed, you must affirmatively state that your views are not those of HaysMed

Other Administrative Requirements
To comply with the HIPAA Privacy Rule, HaysMed must:
- discipline Associates, Vendors, and Agents that violate the HIPAA Privacy Rule
- maintain a complaint/grievance process for complaints about HIPAA Privacy Rule violations
- take action to mitigate any bad effect of inappropriate disclosure or use of PHI to the extent possible

Reporting Concerns
If you believe there has been a violation of the HIPAA Privacy Rule, report that information to the Privacy Officer as soon as possible

Immediately report any of the following to Christy Stahl, HaysMed Privacy Officer:
- Any lost or stolen device (laptop, cell phone, memory card, etc.)
- Any lost or stolen paper records
- Any potentially compromised password
- Any suspected unauthorized access to PHI
- Any postings of PHI to any website
- Any unauthorized disclosure of PHI (no authorization form, no applicable exception)

Prohibition on Waiver and Retaliation
HaysMed will not require any person to waive his or her rights under the HIPAA Privacy Rule as a condition of treatment or payment of benefits
HaysMed strictly prohibits any sort of retaliation, intimidation, or discrimination against persons exercising their rights under the HIPAA Privacy Rule

You have completed Lesson 5 on the HIPAA Privacy Rule’s administrative requirements

Remember:
- you must act to protect patient confidentiality
- you will be disciplined if you do not follow proper safeguards
- you must report suspected violations of the Privacy Rule to HaysMed’s Privacy Officer

Your Responsibilities
- Comply with the HIPAA Privacy Rules
- Follow the Confidentiality Agreement
- Do not take any PHI out of the facility
- Do not access your medical record or the medical record of your family members on your own – make a request at the Medical Records Department (Health Information Management)
- Do not access any medical records unless your job/training requires you to access a patient’s medical record
- Do not have an Associate, Physician, or any other person access a record for you
- Never use PHI in an educational presentation unless the patient has signed an Authorization

Your Responsibilities
- Do not view patient status boards for other departments
- Never text any information about a patient
- Do not discuss patients with persons outside HaysMed
- Do not discuss your training experience at HaysMed on Facebook, MySpace or Twitter, even if you do not mention patient names
- Associates that are students must de-identify all information used, unless your HaysMed supervisor gives you approval to obtain an authorization from the patient
- Never take a picture of a patient or a patient’s information with your cell phone
- Never give any documents to a patient until you verify the identity of the patient and verify the documents
