hcc_hipaa hitech training_basic

HIPAA / HITECH PRIVACY AND SECURITY TRAINING, Health Compliance Consultants. © 2013 Copyright Health Compliance Consultants, LLC. All rights reserved.

Upload: ejazmazhar

Post on 01-Jun-2015

Category: Healthcare

DESCRIPTION

HIPAA Privacy and Security Training

TRANSCRIPT

Page 1: Hcc_hipaa hitech training_Basic

© 2013 Copyright Health Compliance Consultants, LLC. All rights reserved.

HIPAA / HITECH PRIVACY AND SECURITY TRAINING

Health Compliance Consultants

Page 2: Hcc_hipaa hitech training_Basic

LEGAL STATEMENT

No Part of this presentation may be copied or reproduced, modified or adapted, without the prior written consent of Health Compliance Consultants, LLC.

Commercial use and distribution of the contents of this presentation is not permitted without the express and prior written consent of Health Compliance Consultants, LLC.

Page 3: Hcc_hipaa hitech training_Basic

HIPAA OVERVIEW

Health Insurance Portability and Accountability Act (HIPAA) - 1996

• Administrative Simplification
  - Transactions / Code Sets / Identifiers (10/16/02 - 10/16/03)
  - Privacy (4/14/2003)
  - Security (4/20/2005)
• Insurance Reform
• Fraud and Abuse

HITECH (2009): Health Information Technology for Economic and Clinical Health

Page 4: Hcc_hipaa hitech training_Basic

DO I NEED HIPAA TRAINING?

• All Staff working at [Practice Name] should receive HIPAA (Privacy and Security training) at the time of hiring, and at least once every year thereafter.

• HIPAA Training is not job specific and is mandatory for all Staff.

• All staff have to complete the training, attain a passing grade in the training quiz and submit a completion certificate to Human Resources for record.

• Staff may be required to get additional training if a significant change in company infrastructure, administrative or operational environment takes place during the year.

Page 5: Hcc_hipaa hitech training_Basic

WHAT ARE THE PRIVACY AND SECURITY CONCERNS?

• Theft of Patient Data
  - Identity theft
  - Stolen laptop
• Loss of Patient Data
  - Incorrect disposal
  - USB drives
• Misuse of Patient Data
  - Privacy breach

Page 6: Hcc_hipaa hitech training_Basic

SHOULD I BE WORRIED? (SOME REAL LIFE EXAMPLES)

• THEFT: An employee from the Admissions Department at a prestigious NYC hospital has been accused of stealing and selling information of nearly 50,000 patients.

• LOSS: CVS Caremark Corp. paid $2.25 million to settle allegations that it dumped credit-card data, Social Security numbers and customer medical records into garbage containers outside a number of its stores.

• MISUSE: 27 employees were disciplined for a privacy breach related to the Octomom. Two were fired, nine were disciplined, and 16 resigned. The LA hospital was also fined $250,000.

Page 7: Hcc_hipaa hitech training_Basic

SOME BASIC HIPAA GUIDELINES

• Provide patients with the Notice of Privacy Practices

• Shred protected health information (PHI)

• Fax patient information utilizing a cover sheet

• Telephone Guidance – leaving messages and caller requests for info

• Verify patient at the time of new registration

• Avoid unintentional disclosure (telephone /privacy screens/ email / mail)

• Report Privacy Breaches & Complaints

Page 8: Hcc_hipaa hitech training_Basic

DEALING WITH PATIENTS

• The Notice of Privacy Practices (NOPP) must be offered to the patient at the time of their first visit.
  - On the first visit only, not every visit.
  - Again whenever the NOPP is revised / updated.

• The NOPP tells patients their specific rights regarding their health information.

• A signed acknowledgement must be placed in the patient’s medical record; this can be recorded electronically and inserted directly into the EMR.

Page 9: Hcc_hipaa hitech training_Basic

WHAT’S IN THE NOPP?

• Patients have the right to:
  - Request restrictions on release of their PHI
  - Receive confidential communications
  - Inspect and copy medical records (access)
  - Request amendment to medical records
  - Make a complaint
  - Receive an accounting of any external releases
  - Obtain a paper copy of the Notice of Privacy Practices on request

Page 10: Hcc_hipaa hitech training_Basic

USING OR DISCLOSING PHI

• Written Authorization required to release medical information

• A physician may share information with a referring physician (“patient in common”) without an authorization.

• Emergency requests for medical information should be documented in the medical record.

• All access to or sharing of PHI must be documented / recorded in the patient’s medical records.

Page 11: Hcc_hipaa hitech training_Basic

EMR AND PHI CONSIDERATIONS

• Information Security

• Access, Use and Disclosure

• Release & Disclosure

• Printing Medical Information

• Loss or theft

• Research

• Copies

Page 12: Hcc_hipaa hitech training_Basic

MEDICAL RECORDS PRIVACY ISSUES

• Medical Record sent to wrong person

• Medical Record mailed to wrong address

• Medical Record given to wrong person

• Information sent is not consistent with the authorization signed by patient.

Page 13: Hcc_hipaa hitech training_Basic

5 IMPORTANT CONSIDERATIONS REGARDING HIPAA SECURITY

1. Never share your password

2. Make sure you sign out of the EMR after use, and lock your computer screen before leaving your station.

3. Secure (encrypt) portable electronic devices, if authorized, that hold patient, financial or research information.

4. Promptly report loss or theft of electronic devices containing protected health information, and inform the Privacy Officer of any improper use / privacy breach.

5. Social Security numbers (SS#) should not be used when not required.

Page 14: Hcc_hipaa hitech training_Basic

PASSWORD SECURITY

Passwords are like underwear:

• Change them often
• Don’t share with friends
• Be mysterious
• Longer is better
• Don’t leave yours lying around

Page 15: Hcc_hipaa hitech training_Basic

USE OF PORTABLE STORAGE (HIPAA SECURITY)

• Examples: USB thumb drives, external hard drives, SD cards, CDs/DVDs.

• Use only if authorized.

• All PHI stored on these devices should be encrypted.

• Report immediately if a portable device containing PHI is misplaced or lost.

• Wipe PHI from the device before discarding or loaning it.

Page 16: Hcc_hipaa hitech training_Basic

ACCESSING EMRS (HIPAA PRIVACY)

• Your access to the EMR is recorded and subject to audit.

• Periodic audits are done and access is monitored.

• If you access medical information without a legitimate business purpose you will be disciplined.

• Do not access the medical records of friends, family members, coworkers or anyone else.

Page 17: Hcc_hipaa hitech training_Basic

SECURING DOCUMENTS CONTAINING PHI

• If you are using Microsoft Office programs and include any PHI in a document, then make sure you encrypt the file:

Page 18: Hcc_hipaa hitech training_Basic

EMAIL USAGE (HIPAA SECURITY)

E-mail is like a “postcard.” It may pass through several post offices and is readable at each of them.

• Use the secure, encrypted e-mail software officially provided to you.

• If you send an attachment with PHI: encrypt the file, or do not send the attachment via e-mail!

• Do not use individual names, medical record numbers or account numbers in unencrypted e-mails.

• Forwarding or consolidating e-mail with PHI on 3rd party sites such as Google, Yahoo, or Hotmail is explicitly prohibited.

Page 19: Hcc_hipaa hitech training_Basic

USE OF 3RD PARTY CALENDARS FOR SCHEDULING

• Use of 3rd party online calendars, such as Google Calendars, leads to the risk of PHI disclosure.

• Do not use these calendar systems for official purposes.

• Instead, use the internal calendar / scheduling system built into our EMR application.

Page 20: Hcc_hipaa hitech training_Basic

WHAT IS PHI?

• With a couple of exceptions, protected health information (PHI) includes all individually identifiable health information that is transmitted or maintained in any form or medium. This includes demographic information that ties the identity of the individual to his or her health record. Examples are names, addresses, geographic codes smaller than a state, all date elements (except year) related to the person, telephone numbers, fax numbers, license numbers, social security numbers, etc. The information is protected if it can possibly identify the person.

• One notable exception involves disclosures of patient information that are required by law. For example, we are required by law to report communicable diseases to the appropriate authorities.

Page 21: Hcc_hipaa hitech training_Basic

PHI SECURITY - REVISITED

Reminder:

• Only share PHI in accordance with company policies.

• Do not share PHI through unauthenticated websites.

• Do not email PHI unencrypted.

• Do not send PHI through unencrypted channels:
  - Examples include FTP, Telnet and HTTP
  - Use secure alternatives, such as SFTP, SSH and HTTPS

• Do not store PHI on online storage sites:
  - Examples include Dropbox, OneDrive, iCloud, Google Drive, etc.
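As an added illustration that is not part of the training deck: a pre-send check an e-mail gateway or EMR export tool could run, combining the identifier list from the "WHAT IS PHI?" slide with the channel rules above. The regexes and the "MRN#" record-number format are constructed approximations, not a complete de-identification standard.

```python
import re

# Constructed example: a pre-send check for outbound e-mail, built from the
# identifier list on the "WHAT IS PHI?" slide and the channel rules on the
# "PHI SECURITY - REVISITED" slide. Regexes are illustrative approximations.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # phone/fax in (NNN) NNN-NNNN or NNN-NNN-NNNN form
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    # a full date is PHI; a bare year on its own is not, so month/day are required
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    # ZIP code: geography smaller than a state
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # medical record number in a hypothetical "MRN# 1234567" house format
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
}
# Cleartext transports the deck forbids for PHI; links to them are flagged.
INSECURE_LINK = re.compile(r"\b(?:ftp|http|telnet)://\S+", re.IGNORECASE)


def scan_message(text):
    """Return (kind, matched_text) for every PHI identifier or cleartext link found."""
    findings = [(kind, m.group()) for kind, pat in PHI_PATTERNS.items()
                for m in pat.finditer(text)]
    findings += [("insecure_link", m.group()) for m in INSECURE_LINK.finditer(text)]
    return findings


def pre_send_decision(text, encrypted):
    """Deck rules: PHI only over an encrypted channel, and never via a cleartext link."""
    findings = scan_message(text)
    has_phi = any(kind != "insecure_link" for kind, _ in findings)
    has_link = any(kind == "insecure_link" for kind, _ in findings)
    if has_link or (has_phi and not encrypted):
        return "BLOCK", findings
    return "ALLOW", findings


def redact(text):
    """Mask each identifier so a notice can go out without the PHI itself."""
    for kind, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[{kind.upper()} REDACTED]", text)
    return text


if __name__ == "__main__":
    # Constructed sample draft; every value is fictitious.
    draft = ("Patient John Doe, DOB 03/14/1962, SSN 123-45-6789, MRN# 0047812, "
             "ZIP 10001. Call (212) 555-0199. Results: ftp://labs.example/results")
    print(pre_send_decision(draft, encrypted=False))
    print(redact(draft))
```

A bare year such as "2013" passes because only month/day/year combinations are treated as date elements, matching the slide's "all dates (except year)" rule.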

Page 22: Hcc_hipaa hitech training_Basic

NOW YOU KNOW HIPAA, BUT WHAT IS HITECH?

HITECH Act (ARRA): Health Information Technology for Economic and Clinical Health

• New Federal Breach Notification Law – effective Sept 2009
• Applies to all electronic PHI (ePHI)
• Requires immediate notification to the Federal Government if more than 500 individuals are affected
• Annual notification if fewer than 500 individuals are affected
• Requires notification to a major media outlet
• Breach will be listed on a public website
• Requires individual notification to patients
• Criminal penalties apply to an individual or employee of a covered entity
• Increased enforcement and fines for breaches

Page 23: Hcc_hipaa hitech training_Basic

INFORMATION SECURITY REVISITED

• Password protect all data and computer workstations

• Dispose of PHI properly

• Keep work area properly secured, no unauthorized person permitted

• Only use officially authorized messaging/email system for communicating patient information

• Only use officially authorized scheduling/calendar system

• Be wary of visiting unauthorized websites that may introduce viruses, spyware and other malware to your system

• Do not copy PHI onto portable storage media without proper authorization and without encryption

• Do not share your password with anyone. It is used to audit your activities.

Page 24: Hcc_hipaa hitech training_Basic

AND THEN THERE IS THE OMNIBUS RULE

EFFECTIVE 3/26/2013

• Main highlights:

• Business Associates are now Covered Entities, and Business Associate Agreements require updating.

• Breach Notification standards revised: each breach is evaluated for:
  - What information was breached
  - To whom the information was exposed
  - Whether the information was actually accessed, used or disclosed
  - Any mitigation steps required and taken

• Patients’ right to access PHI revised:
  - If a patient requests that their PHI be transmitted in an unsecured way, they should be warned; if they still insist, the PHI is transmitted as requested. This applies only to the individual whose PHI is being transmitted.

Page 25: Hcc_hipaa hitech training_Basic

NEED MORE INFORMATION?

• Contact the Company Privacy / Security Officer:
  - Name:
  - Phone:
  - Email:
  - Mailing Address: