Privacy Training: Privileges, CMIA, HIPAA Windstone Training 2015


Upload: gavin-logan

Post on 28-Dec-2015



Privacy Training: Privileges, CMIA, HIPAA

Windstone Training

2015


What You’ll Do in This Session

Learn about areas covered by Code of Conduct

Overview of healthcare privacy;

Learn about physician/patient confidentiality rules;

Learn about Federal law: HIPAA (Health Insurance Portability and Accountability Act); and

Learn about California state law: CMIA (Confidentiality of Medical Information Act).


Areas Covered by Code of Conduct

Gift giving and receiving

Harassment and discrimination

Environmental standards

Health and safety

Personal use of company resources

Relationships with contractors, vendors, etc.

Substance abuse

Fair dealing

Workplace violence


Areas Covered by Code of Conduct

Gift Giving and Receiving

Windstone employees are prohibited from accepting or asking for bribes, kickbacks, gratuities or other forms of payment.

Employees or other business affiliates may not offer anything to influence business or to gain special treatment as a representative of Windstone.

Harassment and Discrimination

Windstone is committed to providing a work environment free of discrimination and harassment.

The company will not tolerate any form of harassment at any level of the organization.


Areas Covered by Code of Conduct

Environmental Standards

Health care facilities produce wastes of various types. We are committed to safe and responsible disposal of waste products and to compliance with all applicable environmental laws and regulations.

Health and Safety

We maintain an Injury and Illness Prevention Program (IIPP) to assist in providing a safe and healthy work environment.

Each employee is expected to obey safety rules and to exercise caution in all work-related activities.


Areas Covered by Code of Conduct

Personal Use of Company Resources

Company resources must be maintained and utilized according to the rules and regulations.

We reserve the right to inspect all property to ensure compliance.

Relationships with contractors, vendors, etc.

We strive to employ the highest ethical standards in all business practices and maintain integrity and excellent rapport with all business relations.

Selection criteria will be objectively based upon quality, service, price, technical excellence and the overall ability to meet our business needs and will not be determined by personal relationships and friendships.


Areas Covered by Code of Conduct

Substance Abuse

We are committed to providing a drug and alcohol-free work environment to protect the interests of all individuals involved.

The use of alcohol, illegal drugs, or controlled substances, whether on or off the job, can adversely affect an employee’s work performance, efficiency, safety and health.

Fair Dealing

We are dedicated to providing quality healthcare services to our community by maintaining the utmost ethical, legal and business standards.

Employees are expected to conduct business honestly and fairly without misrepresentation of material facts.


Areas Covered by Code of Conduct

Work Environment Violence

It is our intent to assure a safe work environment and a comfortable, secure atmosphere for our customers and members.

We have zero tolerance for violent acts or threats of violence.


Disciplinary Action

Failure to comply with this Code or Compliance plan may result in disciplinary action or termination.

Disciplinary decisions can vary depending on the severity and the frequency of the misconduct.


Preventing Misconduct

In an effort to prevent misconduct, Windstone requires all employees and practitioners to:

Know and comply with our policies and procedures

Participate in annual Code of Conduct and all required compliance trainings

Report incidents experienced directly or witnessed

Cooperate with investigations


Physician/Patient Confidentiality

Long-time legal rule called a “privilege”: a special entitlement or immunity

Communication between physician/patient is CONFIDENTIAL

Modern rule: also applies to psychotherapists, defined to include MDs, NPs, psychologists, licensed social workers, and MFTs

Applies to agents (people who work for the clinicians)


Physician/Patient Confidentiality

WHAT DOES THIS MEAN FOR YOU?

Be aware of legally-required privacy considerations in all communications, written and verbal, regarding a member.

Refer to the Provider Manual for specific policies and procedures


The Health Insurance Portability and Accountability Act (HIPAA)

Federal legislation that was originally enacted on 8/21/1996 to make it easier for people to move from one health insurance plan to another

Balances concerns over the need to access health information with the patient’s desire for privacy

Prevents misuse and abuse of confidential medical information


Who must comply?--Covered Entities

Any organization that is required to comply with HIPAA:

Health care providers: i.e. WBH and our clinicians as well as WBH contracted medical groups

Health plans: i.e. the entities with which WBH contracts under


Who Must Comply? --Business Associates

Businesses that contract with WBH and have access to PHI must maintain the confidentiality of medical records.

Practitioners, Photocopy service, janitorial service, accountants, attorneys, and others.


California Law--CMIA

Confidentiality of Medical Information Act

California was one of the first states to enact laws to protect the privacy of all medical information and to give patients rights to access and protect their medical record.

Provides that all medical information is private and that patients have rights such as obtaining copies of their medical record.


California Law--CMIA

Can disclose information for certain purposes:

1. To clinicians for purposes of diagnosis and treatment

2. To billing companies

3. To quality committees/peer review

4. To insurance plans


California Law-CMIA

Special rules for psychotherapy

Usually requires authorization by patient that

1) sets forth the specific information to be released,

2) the length of time that the information will be kept before being destroyed, and

3) a statement that information will not be used for any other purpose

Can always be used for diagnosis and treatment


What does this mean for you?

● Speak with a lowered voice so others cannot overhear—NEVER use a speaker phone or accept calls during sessions.

● Be very careful when leaving messages that can be replayed or overheard by others.

● Document authorization to release records/progress notes in the member’s medical record


What is covered?--Protected Health Information (PHI)

PHI means PROTECTED HEALTH INFORMATION

PHI is private and protected.

PHI is information that:

• concerns the health status of an individual, and/or

• identifies the individual (18 identifiers including name, DOB, health condition, address, telephone number, e-mail, SSN etc.)


Examples of Protected Health Information (PHI)

Names

All geographic subdivisions smaller than a state

All elements of dates (except year)

Telephone, fax numbers

Email addresses

Social Security numbers

Medical Record numbers

Health plan beneficiary numbers

Account numbers

Certificate/License numbers

Vehicle IDs including plates and serial numbers

URLs, IP addresses

Biometric IDs incl. finger and voice prints

Full face photographs

Any other unique identifying number or characteristic


What actions are covered? --Use and Disclosure

Use (internal)

Sharing, employing, applying, utilizing, examining, or analyzing information

Disclosure (external)

Release, transfer, allowing access to, or divulging information outside the organization


Use and Disclosure for TPO

Covered Entities can use and disclose PHI without patient authorization for TPO purposes:

Treatment: providing, coordinating, and managing health care, including consultation and referrals

Payment: paying or being paid for health care services

Operations: administrative, legal, quality, training, planning, contracting, and other necessary business functions


Use and Disclosure for TPO (cont.)

Section 3.26 C Medical and Administrative Records.

Please refer to your Windstone contract for medical record audit requests. Professional will adhere to all current CMS coding and documentation requirements for Medicare beneficiaries. Professional agrees to participate in medical record audits by state agencies, plans, medical groups and WBH to assure CMS standards are met.


Minimum Necessary Standard

Health care employees should use and disclose only the minimum necessary PHI required to perform their jobs.


How WBH Ensures Minimum Necessary Use and Disclosure

Make the minimum number of printouts/copies

Inform others on a need-to-know basis—provide only selected portions of medical record

What is the minimum others need to know to do their jobs?

There is no “minimum necessary” requirement for treatment


Use of Power of Attorney (POA)

Remember, confidentiality requirements apply to family members

DO NOT disclose to member’s spouse or children without a POA or, in limited situations, the express documented permission of the member


Use of Power of Attorney (POA)

At WBH, the wife of a member called asking to speak to the clinician regarding an issue with her husband’s medication. WBH immediately called the clinician to give them the wife’s cell phone number.

Outcome: The clinician refused to speak with the wife, stating that the husband had expressly told the clinician that he didn’t want his wife involved in his treatment.

At a small-town hospital, a woman’s pregnancy test was positive. A lab tech saw the woman’s sister that night at a local restaurant and congratulated her. The woman wasn’t married and wasn’t going to disclose the pregnancy to her family.

Outcome: The woman sued and won a judgment against the lab tech and the hospital.


Incidental Use and Disclosure

Some uses/disclosures are “incidental”:

Made in the course of routine operations (talking about a member to another office clinician and someone else overhears)

Limited in nature (it occurred as the other person waited to talk to clinician)

Could not be reasonably prevented

Allowed IF:

The “minimum necessary standard” is followed

Reasonable safeguards are in place (Clinician stopped and asked person if they could help them)


Incidental/Accidental Use and Disclosure

DO NOT DESTROY ANY DOCUMENTS, E-MAIL MESSAGES, VOICE-MAIL MESSAGES OR ANYTHING ELSE RELATING TO THE DISCLOSURE

A violation of PHI is considered a breach as soon as it occurs.


HIPAA Gives Members the Right to:

ACCESS their PHI including inspecting and obtaining a copy of PHI unless clinician deems that this would be harmful to the member

AMEND incorrect records—a member can request an amendment

An ACCOUNTING of disclosures—a member can request an accounting

AUTHORIZE, or refuse to authorize, the use or sharing of PHI

Designate someone to ACT on the patient’s behalf regarding PHI

ALTERNATIVE means—member can request receipt of PHI by alternative means and at alternative locations, where routine communications could endanger the individual

File a complaint about a possible breach of privacy


Safeguarding Member Privacy: Administrative, Physical and Electronic Procedures

Three types of safeguards:

1. Administrative

2. Physical

3. Electronic


Administrative Safeguards

Disclosures should include a confidentiality agreement

Maintain Confidentiality/HIPAA protocols per WBH Provider Manual and Centers for Medicare and Medicaid guidelines


Physical Safeguards

Pick up printouts and copies promptly from printers, fax machines, and copiers.

Every day at close of business, ensure all medical records and PHI are maintained in a secured and confidential manner.

Lock file cabinets and drawers at close of business.

Use fax software to send/receive PHI. Never include PHI in emails.


Electronic Safeguards

Protect the confidentiality of transmitted electronic confidential information, including but not limited to electronic Protected Health Information (ePHI), by using a secure fax or a secured file portal

Never share or open attached files from an unknown source


PHI

E-mail

PHI should NEVER be emailed outside of your organization’s firewall. If you are a solo clinician, never email PHI to another individual.

PHI is allowed to be faxed and the coversheet should include a disclaimer to protect the PHI (disclaimer information-next)


Fax Confidentiality Warning

This facsimile transmission, including any attachments, contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited.  If you have received this facsimile transmission in error, please notify the sender immediately and destroy all copies of the communication, including attachments.


Responsibilities for PHI

Follow the privacy rules discussed previously

Abide by WBH Confidentiality policies and procedures found in the provider manual

Do NOT send e-mails containing PHI

Always ask, “Do I need this PHI to complete my work?”

Use professional judgment: err on the side of caution

Refer complaints and concerns regarding PHI related to a WBH member to WBH’s Compliance Officer Lisa Casey, RN or Security Officer John Wright


HIPAA Violations in the News

Rite Aid--$1 million fine for disposing of prescriptions and pill bottles in regular trash containers.

UCLA--$865,500 fine due to employees improperly accessing celebrity patients’ medical records.

In Alabama, a leader of a counterfeit prescription fraud scheme was sentenced to six years in prison for HIPAA violations and identity theft.

Cignet Health Center, a group of clinics in Maryland, was fined $4.3 million for failing to release medical records to patients requesting them.


Penalties for HIPAA Violations

HIPAA civil penalties include:

$100 / person / violation

$25,000 / year for multiple violations


Penalties for HIPAA Violations

HIPAA criminal penalties include:

$50K and/or 1 year imprisonment: for knowingly or wrongfully disclosing or receiving PHI

$100K and/or 5 years imprisonment: for committing the offense under false pretenses

$250K and/or 10 years imprisonment: for intent to sell PHI or client lists for personal gain or malicious harm


HIPAA Complaints

You are always free to speak with the Security Officer or the Compliance/Privacy Officer—your complaint will be kept confidential

You may contact the Office of Civil Rights of the Department of Health and Human Services or the Office of the Inspector General

HIPAA prohibits retaliation of any kind for filing a complaint


Privacy Officer

Person within WBH who is responsible for monitoring patient privacy and enforcing the HIPAA Privacy Rule.

Lisa Casey, RN

800.577.4701 ext. 212


Security Officer

Person within WBH who is responsible for monitoring the storage and transmission of electronic PHI.

John Wright; 800.577.4701, ext. 283