
Post on 15-Dec-2015


HIPAA Training Presentation for Management Workforce

HIPAA

For General Workforce

What you need to know

The Catholic Health Initiatives Mission

Catholic Health Initiatives continues the journey begun by our foundresses. Like these women religious, we continue the healing ministry of Jesus Christ through the provision of health care in our many communities. Our core values of reverence, integrity, compassion and excellence guide us on this journey. We build relationships based upon these core values. These relationships enable us to assume the challenging role of caring for those most in need, those least able to care for themselves.

Our core values and standards of conduct are the principles that guide us in navigating the complexity of providing health care. At a minimum, we are expected to follow all laws related to our responsibilities. However, following the law is not enough. Our values call us to live by an ethical standard that is greater than the law. We are responsible for ensuring the privacy of an individual’s health information and are entrusted with that information in order to provide the necessary care and services. We have a duty to prevent the inappropriate use or disclosure of an individual’s health information.

Course Objectives/Navigation

The objectives of this course are:

– To foster and maintain a culture of integrity.

– To develop individual and team character and virtue in the workplace.

– To foster compliance with applicable federal and state laws and regulations.

– To understand the policies and procedures in order to protect health information.

Navigating this course: Each course contains Cases to Consider, which are designed to help improve your understanding of the course material. At the end of each course you will take a Section Test. The Section Test is designed to measure your understanding of the course material and is scored. You will be required to successfully pass the Section Test.

You can use the arrows at the top and bottom of your screen to move forward and backward through the course. For most people, this course should take approximately 1 hour.

Education Objectives

Understand the Health Insurance Portability and Accountability Act (HIPAA) rules and regulations

Understand the penalties for not complying

Understand patients’ rights and health care workers’ role in protecting them

Understand your responsibilities under HIPAA-related policies and procedures

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is a federal law imposed on all health care organizations, including:

Hospitals, physician offices, home health agencies, nursing homes, and other health care providers

Clearinghouses

HMOs, private health plans, and public payers such as Medicare and Medicaid

The above organizations are considered Covered Entities under HIPAA.

HIPAA

• HIPAA consists of five main sections, or “titles.” The most important title for health providers is Title II, Administrative Simplification.

• The three main components of Title II include the following standards:

– Privacy

– Security

– Electronic Data Interchange

• The Privacy and Security standards will be reviewed in this module.

HIPAA Privacy Rule

HIPAA Privacy Rule

Compliance date of April 14, 2003

Gives patients federal rights to gain access to their medical records and restrict who sees their health information

Requires organizations to take measures to safeguard patient health information

Requires organizations to train members of the workforce on patients’ rights to privacy and control over their health information

Punishes individuals and organizations that fail to keep patient health information confidential

The Privacy Official

A Privacy Official has been appointed by each covered entity to:

Manage the development of the organization’s privacy standards, policies, and procedures

Oversee training and education of workforce

Enforce the rules and investigate violations

Myths about HIPAA

Patients cannot be paged

Organizations must get rid of all their semi-private rooms and put up sound barriers

Organizations cannot put patient names outside their doors or use white boards

HIPAA does not require the above measures and these myths are not true.

Quiz Question

What type of rule is HIPAA?

a. a state law imposed only on hospitals

b. a federal law imposed on all health care organizations

c. a guideline set forth by the American Medical Association

d. an accreditation requirement

b. HIPAA is the first federal regulation that gives patients rights to gain access to their medical records and restrict who sees their health information.

Safeguarding Health Information

What is Confidential?

Any information about a patient written on paper, saved on a computer, or spoken, is protected health information (PHI), including:

Name

Address

Age

Social Security number

Phone number

E-mail address

Diagnosis

Medical history

Medications

Observations of health

Medical record number

And more...

Protect Patient Privacy “Do’s”

Log off the computer when you’re finished

Dispose of health information only by shredding or storing in locked containers for destruction

Notify Security if you see an unescorted visitor in a private area

Protect Patient Privacy “Don’ts”

Don’t leave patient records lying around

Don’t discuss a patient in public areas such as elevators, hallways, and cafeterias

Don’t look at information about a patient unless you need it to do your job

Rules for Computers “Do’s”

Keep your password a secret

Turn computer screens away from public view

Change your password every 180 days or as required by internal policy

Do not log into the system using someone else’s password

Do not remove equipment, disks, or software without permission

Quiz Question

When are you free to repeat a patient’s private health information that you hear on the job?

a. after you no longer work at the organization

b. after a patient dies

c. if you know the patient would not mind

d. when your job requires it

Quiz Question

Which of the following is protected health information under HIPAA?

a. the patient’s address

b. the patient’s allergies

c. the patient’s medical record number

d. all of the above

Quiz Question

Which of the following types of information does HIPAA’s privacy rule protect?

a. patient information in electronic form

b. patient information communicated orally

c. patient information in paper form

d. all of the above

Do You Need to Know?

The Minimum Necessary Standard

Do You Need To Know?

HIPAA requires health care workers to use the minimum amount of health information they need to do their jobs efficiently and effectively.

Ask yourself:

Do I need this information to do my job and provide good service?

What is the least amount of information I need to do my job?

Do You Need to Know?

Coders and billers need to look at certain portions of records to code and bill correctly

Professional health care workforce members such as doctors, nurses, and therapists need to look at their patients’ records to care for them

Housekeeping staff do not need to look at patient records to perform their job

Quiz Question

What question should you ask yourself before looking at health information?

a. Would the patient mind if I looked at this?

b. Do I need to know this to do my job?

c. Can anyone see what I’m doing?

d. Am I curious?

Quiz Question

Your sister’s friend just had triple bypass surgery at your organization. She asks you to find out his prognosis. What should you do?

a. ask a nurse on the floor how the patient is doing and pass the information along to your sister

b. log in to the computerized record system and read the patient’s record to find information for your sister

c. explain that it is a violation of the patient’s privacy for you to ask around or look at his record, and suggest that she call one of her friend’s family members

d. none of the above

Authorization

Authorization

Organizations must obtain authorization from a patient before using or sharing protected health information (PHI) for reasons other than treatment, payment, or health care operations.

Reasons other than treatment, payment or health care operations include:

– Marketing

– Fundraising

– Research

– Employment determinations

• A patient may revoke an authorization at any time by making a written request.

Examples of Treatment, Payment and Health Care Operations

Treatment: doctors and nurses caring for patients; technicians performing tests

Payment: billers sending out claims; coders applying codes to procedures

Health care operations: quality assurance staff performing reviews; transcriptionists typing reports

Authorization Exceptions

An authorization is not necessary for uses or disclosures mandated by law such as:

Reporting births, deaths, and communicable diseases to state agencies

Giving certain information to the police for investigations, searches for missing people

Responding to a court order, subpoena, or other lawful process

Workers’ compensation

Specialized government functions

External health oversight agencies

Public health activities

Quiz Question

When is the patient’s authorization to release information required?

a. in most cases in which information is going to be shared with anyone for reasons other than treatment, payment, or health care operations

b. upon admission

c. when information is to be shared among two or more clinicians

d. when information is used for billing a private insurer

Marketing and Fundraising

Marketing

In most cases, we may not use or disclose protected health information (PHI) to market a product or service without obtaining a valid authorization.

Defining Marketing

The following are not considered marketing under HIPAA and do not require an authorization:

Descriptions of the organization and whether products or services are provided or covered

Explanations of treatment alternatives

Case management or care coordination

Recommendations of alternative treatments, therapies, providers, or settings

Reminders and disease management and wellness programs

Fundraising

We can use only the following information for fundraising purposes without patient authorization:

Demographic information

Dates of service

Opting Out

A patient has the right to revoke his/her authorization and opt out of receiving future fundraising or marketing communications

The Facility Directory

The Facility Directory

Unless a patient has asked not to be included in the directory, you may disclose the following information to visitors and callers who ask for a patient listed in the directory by name:

Location (room number)

General condition (e.g. stable, critical)

Directory Disclosures to Clergy

Clergy who have signed the Clergy Confidentiality Agreement do not have to ask for a patient by name and may receive:

Names of patients listed in the directory with the same religious affiliation of the clergy making the request

Locations

General conditions

Quiz Question

What information about a patient who is listed in the directory can be disclosed to someone who asks for the patient by name?

A. room number and name of doctor

B. room number and general condition

C. general condition and prognosis

D. nothing

Individual Rights

Individual Rights

Patients have the following rights under HIPAA:

To know who has access to their health information and how it is used (Notice of Privacy Practices)

To access and request an amendment to their health records in the designated record set (Access and Amendment)

To request a list of people and organizations who have received his/her health information (Accounting of Disclosures)

To request that we communicate with them by alternative means (Confidential Communications)

To request restrictions for the use and disclosure of their health information (Request Restrictions)

To complain to a covered entity, to the Secretary of HHS, or to the Office for Civil Rights (OCR)

Notice of Privacy Practices

Provides individual notice of the ways the organization uses and shares an individual’s health information

Explains an individual’s rights to confidentiality and access to his/her health information

Is posted prominently in the organization

Right to Access

A patient has the right to inspect and obtain a copy of his/her designated record set, which includes protected health information (PHI) used in whole or in part to make decisions about the patient.

Designated Record Set

A designated record set is a group of records that may include:

Health care provider medical and billing records

Health plan enrollment, payment, claims adjudication and case or medical management records

Right to Request Amendments

A patient has the right to request amendments to his/her designated record set. However, organizations are not required to automatically make whatever changes the patient requests.

Personal Representatives

Persons who have the authority (under federal and state laws) to act on behalf of a patient in making health care decisions may have access to the patient’s health information as his/her personal representative.

Personal Representatives for Minors

Parents, guardians, and others who have authority (under federal and state laws) to act on behalf of a minor in making health care decisions may have access to the minor’s health information as his/her personal representative

Accounting of Disclosures

A patient has the right to request a list of people and organizations who have received his/her health information.

The list does not have to include disclosures:

For treatment, payment, and health care operations

Authorized by the patient

To the facility directory

For national security

Of “limited data set” information

Confidential Communications

A patient may ask to receive correspondence at an alternate location or by an alternate means.

Organizations must honor all reasonable requests such as:

Sending mail to a P.O. Box or alternative location

Calling the patient at work instead of home

Using sealed envelopes instead of postcards

Complaints and Grievances

The Notice of Privacy Practices includes information on filing complaints:

The name of the designated representative or department for handling grievances

The representative’s phone number

The steps for filing a formal complaint

The Formal Grievance Process

If a patient or personal representative complains about a breach of confidentiality or a violation of a HIPAA rule, notify your supervisor and contact the representative listed on the Notice of Privacy Practices.

Quiz Question

What should members of the workforce do if a patient complains that her privacy was violated during her stay?

a. Notify their supervisor and the person or department responsible for handling complaints listed on the Notice of Privacy Practices

b. Ask the patient to provide proof

c. Nothing—it’s not their job to handle complaints

d. None of the above

Quiz Question

Which of the following does the complaints section of the Notice of Privacy Practices include?

a. the name of the designated representative or department for handling grievances

b. the representative’s phone number

c. the steps for filing a formal complaint

d. all of the above

Confidentiality Agreement

and Penalties

Confidentiality Agreement

By signing you agree to:

Dispose of health information properly

Follow the organization’s policies and procedures

Use computers and information systems only for performing job duties

Use confidential information only in performing job duties

Share confidential information only with those who need the information to do their jobs

Handle health records carefully to preserve individual privacy

Penalties for Breaking the Privacy Rules

Criminal penalties under HIPAA: Maximum of 10 years in jail and a $250,000 fine for serious offenses

Civil penalties under HIPAA: Maximum fine of $25,000 per violation

Organization actions: Employee disciplinary actions including suspension and/or termination for serious violations of the organization’s policies and procedures

HIPAA Security Rule

HIPAA Security Rule

Compliance date of April 20, 2005

Applies to the same covered entities described in the Privacy Rule section.

Applies to protected health information (PHI) that is electronically sent from one location to another or stored by the facility.

Identifies steps to take to secure electronic PHI.

Information Security

A Security Official has been appointed with responsibility to:

Make sure the covered entity complies with the security standards, and

Provide training to all system users at the facility.

Information Security

The Security Rule has three key areas that work together to protect PHI. These include:

Physical safeguards

Technical safeguards

Administrative safeguards

Physical Safeguards

The purpose of physical safeguards is to help protect the physical computer systems and related buildings and equipment from unauthorized access, fire, and other natural and environmental hazards.

Some physical safeguards were discussed in the privacy section of this course. These included access to computer systems, workstations, and the use of passwords.

Technical Safeguards

Technical safeguards focus on the steps and procedures that must be in place to:

Protect the integrity of electronic PHI

Control access

Record and examine system activity

Validate the identity and authorization of users

Protect electronic PHI transmitted over a communications network

Technical Safeguard Examples

– Unique user IDs

– Reliable user authentication – typically passwords

– Authorization to access information

– Automatic computer logoff (inactivity timeout)

– Firewalls

– Log capture and monitoring

Password usage:

• Generic User IDs are not permitted except in special circumstances.

• User ID access must be changed immediately upon a User’s transfer to a different role in the organization.

• All User ID passwords must change at least once every 180 days or as required by policy. Systems should be set to automatically force password changes.

• When changing passwords, a User must not create passwords that are identical to his or her previous eight passwords.

Passwords, the First Layer of Protection

Password Syntax Rules

• Passwords must be at least six characters in length and

– have a minimum of four alphabetic characters.

– have a minimum of two numeric characters (0 through 9).

• Passwords may include no more than two consecutively repeated characters.

• NOTE: The use of control characters and other non-printing characters is not permitted because they may cause network or system problems.

Passwords, the First Layer of Protection

Examples of passwords:

• Good / strong passwords:

– 15djOth (15 dogs jumped over the house)

– Cft6vgy& (keyboard pattern)

• Poor / weak passwords:

– Orange

– Skipper

– BobH

Password Selection Rules

• Choose passwords that are difficult to guess.

• Passwords must not be related to the user’s job or personal life.

For example, do not use names of family members or pets as a password.

• Personal information that is easily obtainable, including date of birth, license plate number, telephone number, Social Security number, make of automobile or home address must not be used as a password.

• The first, middle or last name of the user should not be used to construct a password.

• User IDs must not be used as a password in any form.
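As an added example (not code from this page or from Catholic Health Initiatives), the checker below applies the Password Syntax Rules and the mechanically checkable Password Selection Rules listed above to candidate passwords, including the page's own good and poor examples. The numeric thresholds are the page's; the Account record, the "jdoe" sample user, the substring matching used for "user ID in any form", and the salted-hash password history are this example's own assumptions.

```python
# Added example (not CHI's own tooling): a checker that applies the password
# syntax and selection rules listed on this page to candidate passwords.
# The Account class, the "jdoe" sample account and the history handling are
# constructed assumptions for illustration; the thresholds come from the page.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 6      # "at least six characters in length"
MIN_ALPHA = 4       # "a minimum of four alphabetic characters"
MIN_DIGITS = 2      # "a minimum of two numeric characters (0 through 9)"
MAX_REPEAT = 2      # "no more than two consecutively repeated characters"
HISTORY_DEPTH = 8   # "not ... identical to his or her previous eight passwords"


@dataclass
class Account:
    """Constructed stand-in for a user record; a real system keeps this in the
    identity store. History holds salted PBKDF2 hashes, never plaintext."""
    user_id: str
    name_parts: tuple                       # (first, middle, last)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)


def _hash(password, salt):
    """Salted, iterated hash so stored history does not reveal old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def _max_repeat_run(s):
    """Length of the longest run of identical consecutive characters."""
    longest = run = 0
    prev = None
    for c in s:
        run = run + 1 if c == prev else 1
        longest = max(longest, run)
        prev = c
    return longest


def syntax_violations(password):
    """Apply the page's Password Syntax Rules; returns a list of failures."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isalpha() for c in password) < MIN_ALPHA:
        problems.append(f"fewer than {MIN_ALPHA} alphabetic characters")
    if sum(c in "0123456789" for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} numeric characters")
    if _max_repeat_run(password) > MAX_REPEAT:
        problems.append(f"more than {MAX_REPEAT} consecutively repeated characters")
    if any(not c.isprintable() for c in password):
        problems.append("contains control or non-printing characters")
    return problems


def selection_violations(password, account):
    """Apply the Password Selection Rules that can be checked mechanically:
    no user ID in any form and no part of the user's name. Case-insensitive
    substring matching on name parts of three or more letters is this
    example's own approximation of "in any form"."""
    low = password.lower()
    problems = []
    if account.user_id.lower() in low:
        problems.append("contains the user ID")
    for part in account.name_parts:
        if len(part) >= 3 and part.lower() in low:
            problems.append(f"contains part of the user's name ({part})")
    return problems


def reused(password, account):
    """True if the candidate matches any of the last HISTORY_DEPTH passwords."""
    candidate = _hash(password, account.salt)
    return any(hmac.compare_digest(candidate, old)
               for old in account.history[-HISTORY_DEPTH:])


def check_password(password, account):
    """All policy failures for a candidate; an empty list means acceptable."""
    problems = syntax_violations(password) + selection_violations(password, account)
    if reused(password, account):
        problems.append(f"identical to one of the previous {HISTORY_DEPTH} passwords")
    return problems


def record_password(password, account):
    """Store the accepted password's hash and keep only the last HISTORY_DEPTH."""
    account.history.append(_hash(password, account.salt))
    del account.history[:-HISTORY_DEPTH]


if __name__ == "__main__":
    acct = Account("jdoe", ("Jane", "", "Smith"))        # constructed sample account
    for pw in ["15djOth", "Cft6vgy&", "Orange", "Skipper", "BobH",
               "AlSm!th", "Terry", "12345678", "jdoe2024ab"]:
        result = check_password(pw, acct)
        print(f"{pw:12} {'OK' if not result else '; '.join(result)}")
```

Running it shows that, of the passwords the page lists, only 15djOth satisfies every syntax rule; Cft6vgy& contains a single digit, so the two-digit rule as written rejects it, which is worth checking whenever a policy slide and the rule a system actually enforces are maintained separately. The history check compares salted hashes rather than plaintext, so the previous eight passwords cannot be read out of the identity store.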

Administrative Safeguards

Under the Security Rule, policies and procedures must be in place that define the steps to address:

Adding, changing or deleting user access based on job responsibilities or if user terminates employment

Use and assignment of individual user IDs and passwords

How to access the computer system and/or electronic PHI in the event of an emergency

Quiz Question

Which of the following is NOT a key area of the HIPAA Security Rule?

a. Physical safeguards

b. Technical safeguards

c. Documentation safeguards

d. Administrative safeguards

Quiz Question

When is it acceptable to share your password?

a. when your co-worker forgets his password

b. when it saves time

c. when you know you can trust the person to use it appropriately

d. never

Quiz Question

Which of the following choice of passwords is best to use?

a. AlSm!th

b. 15djOth

c. Terry

d. 12345678

What Should You Do?

Case #1

You are called to work in a patient’s room to perform a routine job. You knock on the door and are invited in. You see that a nurse is in the room discussing the patient’s condition or medication. What should you do?

Case #1 Answer

If you must do the job immediately ask whether you can interrupt. If the job can wait, explain that you are there to perform a routine job and will return in 15 or 20 minutes. This protects the patient’s privacy by allowing him/her to openly discuss his/her condition without being overheard.

Some patients may say that it is acceptable for you to stay in the room

during the conversation. But remember that patients may not feel comfortable sharing everything about their symptoms or medical history while you are in the room. They also might not feel comfortable asking you to leave.

Case #2

A visitor tells you she is at the organization to work on the computers and wants you to point the way to the system. How do you respond?

Case #2 Answer

The best response is to ask the repairwoman who at the organization contacted her. Find that person. He or she can take the repairwoman to the appropriate work area.

Case #3

You are walking by a trash can and notice a pile of photocopied health records has been laid on top of the trash can. How should you handle this?

Case #3 Answer

Gather the records and take them to your supervisor. He or she will report it to the organization’s Privacy Official to determine why the records were not destroyed.

Case #4

You are working on a nursing unit and see the name of a friend on a white board. Should you stop by her room?

Case #4 Answer

If you learned of your friend’s stay only by looking at the white board, you should not go to her room unless your job responsibilities take you there.

If you find out from the patient or her family member that she is a patient at the facility, feel free to visit her. Be sure to follow the visitor policies.

Case #5

A co-worker is having trouble logging in to the organization’s system. She asks for your login name and password so she can use them. Should you share them with her?

Case #5 Answer

No. The HIPAA security standards require the use of individual passwords for each workforce member with access to health information stored in the computer system. The organization keeps track of the records you gain access to based on the login name and password you use to enter the system. If you let others use your name and password, you are breaking HIPAA’s rules and the organization’s policy, and you may be held responsible if the co-worker gains access to patient information inappropriately.

Case #6

You have a hard time remembering your password for the computerized record system. Should you jot it down on a piece of paper and stick it in your desk drawer?

Case #6 Answer

No. Even if your desk drawer remains locked, it is not appropriate to keep it in your desk.

If you have a hard time remembering your password, select a password that meets your organization’s criteria, but is easy for you to remember.

Test Your Understanding

Question #1

A man comes into the organization and tells you he is supposed to work on the computers and wants you to open a door for him or point the way to a workstation. How should you respond to this request?

a. provide him with the information or access he needs

b. ask him who at the organization hired him and find that person for assistance

c. call the police

d. none of the above

Question #2

Your sister’s friend just had triple bypass surgery at your organization. She asks you to find out his prognosis. What should you do?

a. ask a nurse on the floor how the patient is doing and pass the information along to your sister

b. log in to the computerized record system and read the patient’s record to find information for your sister

c. explain that it is a violation of the patient’s privacy for you to ask around or look at his record, and suggest that she call one of her friend’s family members

d. none of the above 

Question #3

When are you free to repeat a patient’s private health information that you hear on the job?

a. after you no longer work at the organization

b. after a patient dies

c. if you know the patient would not mind

d. when your job requires it

Question #4

You see an open recycling bin full of paper. You can see names, addresses, and diagnoses on the paper. What should you do?

a. nothing

b. bring it to your supervisor or the Privacy Official so he or she can dispose of it properly and determine why it was put there

c. read the report and try to figure out what workforce member disposed of it improperly

d. none of the above

Question #5

What question should you ask yourself before looking at patient information?

a. Would the patient mind if I looked at this?

b. Do I need to know this to do my job?

c. Can anyone see what I’m doing?

d. Am I curious?

Question #6

When is the patient’s authorization to release information required?

a. in most cases in which information is going to be shared with anyone for reasons other than treatment, payment, or health care operations

b. upon admission

c. when information is to be shared among two or more clinicians

d. when information is used for billing a private insurer

Question #7

When is it acceptable to share your password?

a. when your co-worker forgets his password

b. when it saves time

c. when you know you can trust the person to use it appropriately

d. never

Question #8

Which of the following is protected health information under HIPAA?

a. the patient’s address

b. the patient’s allergies

c. the patient’s medical record number

d. all of the above

Question #9

Which of the following types of information does HIPAA’s privacy rule protect?

a. patient information in electronic form

b. patient information communicated orally

c. patient information in paper form

d. all of the above

Question #10

What should members of the workforce do if a patient complains that her privacy was violated during her stay?

a. Notify their supervisor and the person or department responsible for handling complaints listed on the Notice of Privacy Practices

b. Ask the patient to provide proof

c. Nothing—it’s not their job to handle complaints

d. None of the above

Question #11

Which of the following does the complaints section of the Notice of Privacy Practices include?

a. the name of the designated representative or department for handling grievances

b. the representative’s phone number

c. the steps for filing a formal complaint

d. all of the above

Question #12

Which of the following choice of passwords is best to use?

a. AlSm!th

b. 15djOth

c. Terry

d. 12345678

Course Summary

This course linked your everyday job functions with their effect on the organization’s privacy and security practices and compliance with the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA requirements discussed throughout this course included:

– Understanding the purpose of HIPAA regulations.

– Safeguarding written, oral and electronic information.

– Knowing the steps to protect privacy.

– Understanding the role of the Privacy and Security Officials in your organization.

The intent of this course was to educate staff members and make them more aware of how their everyday activities affect their organization’s HIPAA compliance. Through this course, you were empowered to protect the privacy of those we serve and prevent violations of confidentiality.

Our purpose for asking you to take this course was not only to help you become familiar with some of the current laws and regulations associated with HIPAA, but also to reinforce the mission of Catholic Health Initiatives (CHI). CHI is built upon a foundation of integrity. All of the women and men who have gone before us tried to ensure that, regardless of the challenges they faced, CHI would truly minister to and be worthy of trust by their communities. It is our ethical duty to continue this mission at CHI. Knowledge from this course is one tool that assists us in fulfilling that mission.

Thank you for taking this course. Please click here to take the Final Test.