HIPAA
Health Insurance Portability
and
Accountability Act
1996
What is HIPAA?
HIPAA is a federal law that gives a member rights over
their health information and sets rules and limits on
who can look at and receive protected health
information. These laws affect:
• Doctors
• Nurses
• Pharmacists
• Other Medical Providers
• Insurance Personnel
• HMO Staff Members
• Public Health and Welfare Activities
• Your Family
• You!
Examples of PHI: Information created and received by UCP
relating to our members’ care
Policy: Use and Disclosure of Protected Health Information
What is PHI?
Protected Health Information (PHI) is individually
identifiable health information created or received by UCP.
When a person’s identity and the individual’s health
information are linked together, it has the potential to
become PHI.
What information is considered PHI?
Name
Address
Zip Code
Age
Gender
Blood Pressure
Drug Name
Doctor’s Name
Doctor’s Specialty
Diagnosis codes: Diagnosis codes are
codes used by medical providers to
identify a sign, symptom or condition.
Procedure codes: Procedure codes
indicate the actions the medical
provider is taking in reference to a
medical condition.
Prescription codes: Prescription codes
or National Drug Codes (NDC) are
alphanumeric codes used by pharmacies
to indicate the type of drugs that are
being dispensed.
How we may be exposed to PHI in our daily work:
Medical or health records
Computer screens
Paper documents, memos, faxes, files
Case files or reports
Telephone conversations
Case management meetings
Conversations with co-workers and members
Assessments
Casual conversations in the hallway or break room
Some ways PHI can be compromised:
• Sending unencrypted emails
• Leaving information on desks
• Sending faxes without cover pages
• Leaving faxes and items on the printer
• Leaving files out in the open
• Sharing passwords with others
• Allowing access to your work area
• Positioning computer monitors so that others
can see the screen in public areas.
Who are Covered Entities?
HIPAA standards apply only to:
• Health care providers including doctors, clinics,
hospitals, dentists, nursing homes and pharmacies.
• Health plans
• Health care clearinghouses, which translate data
between health plans and providers.
• Anyone contracted with the State of Arizona to provide
services through the Division of Developmental
Disabilities
What is a Business Associate?
• Business Associate (BA) is a person or entity
that performs certain functions or activities that
involve the use or disclosure of PHI on behalf of,
or provides services to, UCP.
• A member of UCP’s workforce is not a business associate.
Use and Disclosure of PHI Related to Health Care
The following may share PHI with one another without
patient authorization to conduct business on behalf of UCP:
• Care providers may share medical information with the
individual and other people the individual would like to
be involved in his/her care (e.g., family members, friends).
If possible, care providers should obtain the
individual’s permission.
• UCP may disclose a decedent’s PHI to family members
and others involved in the care of the individual.
• UCP may disclose PHI for the treatment activities of a
health care provider.
• UCP may disclose PHI to another covered entity or a
health care provider for the payment activities of the
entity that receives the information.
You Decide
Mary, a UCP employee, is having some lunch in the
common area lunch room. Another UCP staff member
comes in and Mary asks “how did Johnny’s treatment go
today?” Johnny’s therapist goes into great detail on the
tremendous progress he’s made and the new techniques
she is using. Upon hearing this exciting news, Mary is
thrilled! There are several other people in the lunch room at this time, including parents and visitors.
Is this a violation of HIPAA?
Why is Confidentiality So Important to UCP?
Our members need to trust us before they will feel
comfortable enough to share any personal
information with us. In order for us to provide
quality care, we must have this information. They
must know that whatever they tell us will be kept
private and limited to those who need the
information for treatment, payment and health care
options.
Minimum Necessary
When using, disclosing or requesting PHI, staff
shall make reasonable efforts to limit PHI to
the minimum necessary to accomplish
the intended purposes of the use,
disclosure or request.
What is Minimum Necessary?
In order to comply with HIPAA, we need to think about just
what specific information is required to meet a request.
Additionally, the Minimum Necessary principle requires that
an organization designate the category of personnel who
must access health information to perform their job, the
extent of the information that will be accessed, and any
other conditions that pertain to the use or disclosure of
health information by that category of personnel.
Minimum Necessary Exceptions
HIPAA allows us to access or disclose information if it is:
• Used for treatment purposes
• Required by law
• Made to the individual
• Made to the secretary of HHS (Health and Human
Services) for enforcement purposes
• Made for compliance with applicable federal regulations
The 18 Identifiers of PHI
• Member names
• Geographic subdivisions (smaller than state)
• Telephone numbers
• Fax numbers
• Social Security numbers
• Vehicle identifiers
• E-mail addresses
• Web URLs & IP addresses
• Dates (except year)
• Names of relatives
• Full face photographs or images
• Healthcare record numbers
• Account numbers
• Biometric identifiers (fingerprints or voiceprints)
• Device identifiers
• Health plan beneficiary numbers
• Certificate/license numbers
• Any other unique number, code, or characteristic that can be
linked to an individual.
De-Identification of PHI
De-identifying PHI means removal of certain
identifiers so that the individual’s PHI may no
longer be identified. This is done by:
• Application of a statistical method, or
• Stripping of listed identifiers such as:
Names
Geographic subdivisions smaller than state
Social Security numbers
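The Minimum Necessary slide (designating which category of personnel may access which information) and the De-Identification slide above both describe data-minimization controls that can be enforced in code rather than left to habit. The following Python script is an added example written for this transcript; it is not UCP’s code, and UCP’s actual personnel categories, record fields and systems are not described on these slides, so the role names, field names and the sample record are constructed assumptions. It applies a role-based field filter for minimum necessary, then de-identifies a record by stripping the listed identifiers the slides name (names, geographic subdivisions smaller than state, Social Security numbers and the other entries of the 18-identifier list), keeping only the year of any date, scrubbing identifier patterns out of free-text notes, and finishing with a residual check. The regulation’s finer refinements (three-digit zip prefixes, ages over 89) are not on these slides and are not modelled here.

```python
import re
from datetime import date

# Constructed sample record for this example (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": "123 Example St",
    "city": "Phoenix",
    "state": "AZ",
    "zip_code": "85001",
    "ssn": "123-45-6789",
    "phone": "602-555-0100",
    "email": "jane.sample@example.org",
    "date_of_birth": "1980-04-12",
    "service_date": date(2023, 11, 3),
    "record_number": "MRN-000123",
    "account_number": "ACCT-4455",
    "gender": "F",
    "blood_pressure": "120/80",
    "diagnosis_code": "G80.1",
    "drug_name": "baclofen",
    "notes": "Seen 11/03/2023. Mother can be reached at 602-555-0199 "
             "or mom@example.org. Synced from tablet at 10.0.0.5.",
}

# --- Minimum necessary: each category of personnel sees only the fields its job needs.
# Role names and field sets are assumptions for this example, not UCP's actual categories.
ROLE_FIELDS = {
    "therapist": {"name", "date_of_birth", "service_date", "diagnosis_code",
                  "drug_name", "blood_pressure", "notes"},
    "billing": {"name", "account_number", "record_number", "service_date",
                "diagnosis_code"},
    "front_desk": {"name", "phone", "service_date"},
}

def minimum_necessary(record, role):
    """Return only the fields the given role is designated to access.
    Unknown roles get nothing (fail closed)."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}

# --- De-identification by stripping listed identifiers (the slide's second method).
# Fields whose values are listed identifiers: dropped outright (city and zip are
# geographic subdivisions smaller than state; state itself is kept).
DROP_FIELDS = {"name", "address", "city", "zip_code", "ssn", "phone", "fax",
               "email", "record_number", "account_number"}
# Dates: only the year survives.
DATE_FIELDS = {"date_of_birth", "service_date"}
# Free text may contain identifiers, so it is scrubbed rather than dropped.
TEXT_FIELDS = {"notes"}
# Clinical values and state-level geography stay.
KEEP_FIELDS = {"state", "gender", "blood_pressure", "diagnosis_code", "drug_name"}

# Patterns for identifiers that hide in free text (illustrative, not exhaustive).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
FULL_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")

def year_only(value):
    """Keep the year of a date (date object or ISO string), discard month and day."""
    if isinstance(value, date):
        return str(value.year)
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return m.group(1) if m else None

def scrub_text(text):
    """Replace identifier patterns in free text with labelled placeholders."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label.upper()}]", text)
    return FULL_DATE.sub(lambda m: m.group(3), text)

def deidentify(record):
    """Strip listed identifiers; any field not explicitly classified is dropped."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key in TEXT_FIELDS:
            out[key] = scrub_text(value)
        elif key in KEEP_FIELDS:
            out[key] = value
        # unclassified fields fall through and are omitted (fail closed)
    return out

def residual_identifiers(record):
    """Post-check: names of identifier patterns still present in any string value."""
    found = set()
    for value in record.values():
        if isinstance(value, str):
            for label, pattern in PATTERNS.items():
                if pattern.search(value):
                    found.add(label)
            if FULL_DATE.search(value):
                found.add("date")
    return sorted(found)

if __name__ == "__main__":
    print(minimum_necessary(SAMPLE_RECORD, "front_desk"))
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual:", residual_identifiers(clean))
```

Running the script prints the front-desk view, the de-identified record and an empty residual list. Any field the classification sets do not name is dropped rather than passed through, which is the safe default when a new field is added to a record, and the residual check catches identifiers that a free-text field smuggled past the field-level rules.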
PHI Exclusions
• Protected health information (PHI) excludes individually
identifiable health information of a person who has been
deceased for more than fifty (50) years.
• Protected Health Information (PHI) excludes education
records covered by the Family Educational Rights and
Privacy Act (FERPA) and employment records held by
UCP in its role as employer.
Policy: Accounting of Disclosures of PHI
UCP, upon written request, shall provide members with a
list of individuals/organizations to which their PHI has been
disclosed for the six (6) years preceding the request for an
accounting or, with respect to certain disclosures of PHI
made through UCP’s electronic health record (EHR) for the
three (3) years preceding the request for an accounting.
Policy: Patient’s Rights to Access PHI
It is the policy of UCP that individuals have the right to
request access to inspect and/or obtain a copy of their PHI,
for as long as the PHI is maintained by UCP.
UCP will act on requests for access within 30 days of
receipt, or within 60 days if there is an unavoidable delay
and if, within 30 days of receipt, the requester is given
written notice of the reasons for the delay and the date on
which UCP will complete action on the request.
Policy: Amendment of PHI
A patient has the right to request that UCP amend
his/her PHI maintained in the Designated Record
Set for as long as the PHI is maintained. UCP shall
respond to a request for amendment of PHI in
accordance with the HIPAA Privacy Rule.
Policy: Transporting Protected Health Information
All PHI in paper or electronic form must be
transported or stored in a secure manner to
safeguard it against improper disclosure
and/or loss.
Policy: Facsimile Transmissions of PHI
• UCP shall use facsimile (fax) transmissions in a manner
that will safeguard private and confidential information to
the extent possible.
• Department administration shall determine what
information entrusted to their department is private
and/or confidential and shall communicate methods of
protecting that information.
Policy: Vendors
• Vendors/sales reps play an important role as providers of
information and services to UCP.
• Departments shall not provide vendors access to any
confidential information, including PHI and proprietary
info, unless the info is necessary to perform services on
behalf of UCP.
Policy: Breach Notification Compliance Plan
A breach is the unauthorized acquisition, access or use of PHI in a
manner not permitted under the HIPAA Privacy Rule and that
compromises the security or privacy of the PHI.
All UCP workforce members and agents are responsible for
reporting an actual or suspected breach of PHI to the Privacy Officer
as soon as possible.
Business Associates of UCP are also required to report breaches of
PHI to UCP in accordance with the timeframe specified in the
applicable Business Associate Agreement.
The Privacy Officer will receive, document and investigate all actual
or reasonably suspected breaches of PHI in a timely manner, in
accordance with this policy.
Policy: Mitigation of Improper Disclosures
UCP will mitigate, to the extent practicable,
any harmful effect that becomes known to it
as a result of use or disclosure of PHI in
violation of UCP’s policies and procedures or applicable law.
Policy: Training of Workforce Members on Privacy Policies and Procedures
It is UCP’s policy to implement certain human resource
requirements to protect against the wrongful use or
disclosure of PHI. UCP will accomplish this by:
• Training all members of its workforce
• Applying sanctions against members of its workforce
Policy: Review and Resolution of Complaints
It is UCP’s policy to comply with applicable rules requiring it to
effectively receive, investigate and resolve complaints regarding UCP’s
privacy practices.
Complaints to UCP: UCP shall provide the individual with an
Information Privacy Complaint Form, which will be given immediately to
the Privacy Officer.
Complaint Investigation: UCP shall cooperate with an investigation of
UCP’s privacy practices by the United States Department of Health and
Human Services. The Privacy Officer shall coordinate UCP’s response
to such an investigation.
Contractual obligations vary by department. Check with your
supervisor for specific guidelines.
Things to Think About
How are you currently sharing PHI?
Who has access to your information?
With whom do you share info?
HIPAA & IT
Health Insurance Portability and Accountability Act and How
it Applies to UCP’s Technology
Accessing PHI
Do not look up patient information if it is not
needed for medical reasons - even if it’s for
birthdays, sending flowers, etc.
PHI should only be accessed in the name of
administering therapy and business needs.
Protecting PHI
• Do not download PHI onto UCP machines
unless absolutely necessary.
• Do not download new programs without
IT’s permission.
• Do not open suspicious email
attachments.
Mobile Devices
• Make sure these devices are secure outside of
UCP - this is your responsibility.
• If accessing PHI outside of UCP, make sure
other people are not looking at your screen.
Passwords and Logins
• Log in with your username and password.
• Do not log in with someone else’s username and
password.
• Do not enter data under someone else’s name.
• Do not share your password. Your profile is
meant to be accessed by you only.
• Change your password every 90 days.
In The Field and Office
Keep your monitor hidden from the public.
Do not print and forget. If you print PHI, go get the
information immediately.
Viruses!
• Report all errors from virus scanning programs.
• Do not open attachments which end in:
.exe
.zip
.bat
Unauthorized Users
• Promptly report the loss or theft of hardware. All UCP
workforce members are responsible for reporting an
actual or suspected breach of PHI to the UCP HIPAA
Privacy Officer as soon as possible.
• If a non-UCP employee needs to access the system,
contact IT.
Kitchen Sink
• Always lock your system after leaving your desk.
There is a way to make it automatically lock after
10 minutes. This is recommended.
• The UCP website does not contain PHI.
In Short…
PHI rules for technology can be simple to follow and must be enforced to protect our clients and therapists!
Let’s Review
1. HIPAA is a federal law that gives members rights over their health
information and sets rules and limits on who can look at and
receive this health information.
2. Protected Health Information is individually identifiable health
information created or received by UCP.
3. A Covered Entity is a health care provider, health plan, health care
clearinghouse or anyone contracted with the State of Arizona to
provide services through DDD.
4. A Business Associate is a person or entity that performs certain
functions or activities that involve the use or disclosure of PHI on
behalf of, or provides services to, UCP.
Let’s Review
5. UCP may disclose PHI for the treatment activities of a health care
provider, or to another covered entity or health care provider for
payment activities.
6. UCP shall enter into a Business Associate Agreement with outside
entities performing services on its behalf that require PHI to
perform the services.
7. Minimum necessary means staff must make reasonable efforts to
limit the use or disclosure of, and requests for, PHI to the minimum
amount necessary to accomplish the intended purpose.
8. De-Identification of PHI means removal of certain identifiers so that
the individual’s PHI may no longer be identified.
Let’s Review
9. Departments shall not provide vendors access to any confidential
information, including PHI and proprietary info, unless the
information is necessary to perform services on behalf of UCP.
10. It is the policy of UCP that individuals have the right to request
access to inspect and/or obtain a copy of their PHI, for as long as
the PHI is maintained by UCP.
11. UCP implements certain human resource requirements to protect
against the wrongful use or disclosure of PHI. UCP will accomplish
this by training all members of its workforce and applying sanctions,
including termination of employment.
Quiz Time
Please refer to the HIPAA Privacy & Security Quiz on the intranet under Training Opportunities and take the quiz. Print out the quiz, complete it and return to Melinda Campbell-Weber or Daniela Serrano by fax, email or mail.
Thank you!
Questions?
Carlos and Stephen can provide support for any and all IT questions. Thank you!
General Questions?
Please feel free to contact us with any questions or concern you may have.
E-mail: [email protected] or [email protected]
Phone: 602-682-1871 or 602-682-1807
This training material has been created for the exclusive use of UNITED CEREBRAL PALSY OF CENTRAL ARIZONA and may not be used for
any other purpose without the express written consent of UNITED CEREBRAL PALSY.