hipaa privacy & security training module 1. what we want to accomplish understand hipaa privacy...
TRANSCRIPT
What we want to accomplish
Understand HIPAA Privacy Rule Understand who it applies to Discuss PHI
Define PHI Identify how and when it is used and disclosed Identify the right amount of PHI to use or disclose
Talk about patient rights under HIPAA Understand a breach Review responsibilities and safeguards
2
What is HIPAA?
3
Health Insurance Portability and Accountability Act of 1996 Federal law Comprised of Five Sections
Administrative Simplification Electronic Transactions and
Code Sets Rule Privacy Rule Security Rule
Privacy Rule v. Security Rule
Privacy Rule identifies what information is to be protected and outlines the individual’s rights to control access to their health information
Security Rule defines how to protect protected health information in electronic form, called ePHI
4
Education
5
The education that you are receiving today will focus on learning what responsibilities you have in order to ensure Elmcroft complies with HIPAA Privacy and HIPAA Security Regulations. The following topics will be covered:
Electronic Protected Health Information Electronic Protected Health Information
User IdentityUser Identity
Password ManagementPassword Management
Appropriate Use of Computing Devices Appropriate Use of Computing Devices
Security PoliciesSecurity Policies
Security Officer Security Officer
Reporting Security Concerns Reporting Security Concerns
Protected Health Information Protected Health Information
Minimum NecessaryMinimum Necessary
Patient RightsPatient Rights
Notice of Privacy Practices Notice of Privacy Practices
Privacy PoliciesPrivacy Policies
Privacy Officer Privacy Officer
Reporting Privacy Concerns Reporting Privacy Concerns
HIPAA PRIVACY HIPAA SECURITY
HIPPA Privacy Officer
Maintains appropriate measures to guard against unauthorized access to PHI.
Ensures compliance through adequate training programs and periodic audits.
Maintains HIPAA policies and procedures.
Other important rules
HITECH Act of 2009 – Health Information Technology for Economic and Clinical Health Act Breach Notification Rule
HIPAA Omnibus Rule Changed the Breach Notification Rule
Don’t forget about state law!
8
What is the Privacy Rule?
Personal health information must be safeguarded by organizations and the individuals who work there
Patients have rights to gain access to their medical records and restrict who sees their health information
Organizations must train their workforce on the privacy requirements
Organizations must appoint an individual to be responsible for seeing that privacy procedures are adopted and followed
Punishes individuals and organizations that fail to keep patient information confidential
9
Who is Covered?
Health Plans
Healthcare Clearinghouses
Healthcare Providers that conduct standard transactions in electronic form that involve PHIKnown as “Covered Entities”
10
Business Associates (BA)
11
Individual or Organization that performs duties or business functions on behalf of the Covered Entity using Protected Health Information (PHI) Law firm Pharmacist consultant Medical Director Record Storage Company
Prior to disclosing PHI to the BA, the Covered Entity is required to have a written agreement with the BA that specifies the safeguards on the PHI used or disclosed by the BA
What is Protected Health Information (PHI)?
Individually identifiable health information
That relates to an individual’s past, present or future health care, or
That relates to health care services provided to the patient, or
That relates to payment for care
Created or received by a Covered Entity or Business Associate
In any form: paper, electronic or oral
12
Individual Identifiers of PHI
13
Name Address Telephone No. Finger or voice prints Social security number Vehicle/device serial no. Health plan number Certificate/license No. Account Number
Names of relatives Names of employers Fax number Birth date/admission &
discharge dates Photographic images/X-
rays Medical record number Account Number Email, IP address, web URL
Notice of Privacy Practices (NPP)
Notice of Privacy Practice (NPP) describes how PHI may be used and disclosed by a Covered Entity.
NPP explains how an individual can get access to information and how to make a complaint to the Covered Entity.
NPP for health care providers must be: Distributed at the first instance of
service, Posted at the service site, Posted on the website if one exists.
All employees should be aware of the NPP. 14
When does HIPAA allow use or disclosure of PHI?
Permitted by law Treatment Payment Health Care Operations Public interest and public
benefit Permission by the
resident/patient Authorization
15
Incidental Uses and Disclosures
Incidental use or disclosure Occurs as a by-product of a permissible
use or disclosure using reasonable safeguards
Cannot be reasonably prevented Must use reasonable safeguards
Example: A visitor catches a glimpse of the information on a nursing station whiteboard as a nurse is adding information to it
16
Accidental Uses and Disclosures
Accidental use or disclosure Potential breach Attempt to retrieve it, or limit
exposure or risk to the information Report the incident immediately
Example: A nursing assistant is faxing lab results to a resident’s doctor but uses the wrong fax number and sends it to a garage
17
Minimum Necessary
Uses, disclosures, and requests of PHI limited to the “minimum necessary to accomplish the intended purpose.” Example: An insurance company requests a
patient’s medical record for billing purposes. Only the information pertaining to a specific bill should be sent.
Minimum necessary does not apply when PHI is used or disclosed: For treatment purposes, To the individual, When you obtained an authorization, When required by law.
18
Need to know
Determine the information you need to know to do your job
Access information only if you have a need to know it
Example: a nurse needs to know PHI to provide care for the patients on his/her unit, but not for the patients that are on another unit.
19
Patient Rights
Receive a Notice of Privacy Practices
Right to Access Right to an Accounting of
Disclosures Restriction of Use of PHI Confidential
Communications Request Amendment File Complaint (Covered
Entity and Office of Civil Rights)
20
What would you do?
A co-worker gets called away from the med cart. He makes sure the drawers are locked, but walks away leaving the MAR sheet uncovered and able to be viewed by the general public.
A professionally dressed visitor walks into the nurses station and states that she is the daughter of Mr. Taylor, a resident in room 16, and that she wants to review his medical record.
You notice a list of names and current medications in the trash can.
21
Disclosure that must be tracked
Patients have the right to receive an Accounting of Disclosures of PHI made by a Covered Entity for the six (6) years prior to the request.
The following disclosures need to be tracked: Required by law (i.e. reports of abuse to a public health
authority) Required for public health activities (i.e. reporting of
disease) For health oversight activities (i.e. audits by an oversight
agency) Reports of abuse (i.e. to the police, medical staff) For law enforcement purposes (i.e. to identify the
perpetrator of a crime) To the coroner (i.e. for identifying a deceased person) To avert a threat of serious injury (i.e. disclosure to a
person who can prevent the threat or to law enforcement) Unlawful or unauthorized disclosure (i.e. inadvertent
disclosures) 22
What is a breach?
An impermissible use or disclosure that compromises the security or privacy of the PHI.
A breach is presumed unless the Covered Entity or Business Associate can demonstrate there is a low probability the PHI was compromised based on a risk assessment.
24
Examples of Possible Breaches
Throwing PHI in the trash or dumpster (without being shredded);
Sharing PHI with those who do not have a need to know;
Posting another person’s PHI on your Facebook page;
Faxing a document containing PHI to the wrong fax number;
PHI that has been lost or stolen.
25
What if a breach occurred?
Report incidents to your supervisor as soon as they occur or are discovered
LPO investigates to determine if the incident is a breach
26
Breach Notification
A breach requires notification within a required time from the date the breach was discovered or should have been discovered: Individual, within 60 days HHS – OCR, within 60 days if > 500
individuals involved HHS – OCR, annually within 60 days of the
end of the calendar year if < 500 individuals Media, within 60 days if more than 500
individuals involved
27
OCR Audits / Investigations
Permanent audits in planning stage
Complaints can trigger an investigation
A breach can trigger an investigation
28
Penalties for Non-Compliance
Individual can be responsible, not just the Covered Entity or Business Associate Civil Money Penalties
Violation but you did not know or could not have known $100 per violation with annual maximum of
$25,000 for repeat violations Violation due to reasonable cause and
not due to willful neglect $1,000 per violation with an annual
maximum of $100,000 for repeat violations Violation due to willful neglect but
corrected within required time period $10,000 per violation with annual maximum
of $250,000 for repeat violations Violation due to willful neglect and not
corrected $50,000 per violation with annual maximum
of $1.5 million 29
Penalties, cont.
Criminal Penalties Knowingly committed the offence
Up to $50,000.00 Up to one year in prison
Committed under false pretenses $100,000 Up to five years in prison
Committed for financial gain or malicious harm $250,000 Up to ten years in prison
30
Headlines, Reported Breaches
Southwest General Health Center Notified 480 patients that a binder containing
their personal and health information had gone missing
Phoenix Cardiac Surgery Appointments were available to the public
on internet-based calendar Paid $100,000 to settle claims of lack of
HIPAA safeguards and agreed to take corrective action to implement policies and procedures to safeguard PHI of its patients
Nursing Assistant in Florida sentenced for HIPAA crime Former nursing assistant of assisted living
facility in sentenced to 3 years in prison for stealing and selling patient information
Ordered to pay $12,000 in penalties
UCLA School of Medicine Researcher terminated and in retaliation
accessed the medical records of his superior and his co-workers and the patient records of celebrities, a total of 323 times
Sentenced to 4 years in prison
31
General Safeguards
Protect the privacy and security of our residents’ highly confidential information: medical, financial or other data When you talk about it When you fax it When you store it When you use it When you disclose it When you dispose of it
Remember minimum necessary and access only the amount of PHI necessary to do your job and only when you have a need to know
32
General Safeguards, cont.
Confidential verbal conversations should be conducted away from others who do not have a need to know.
Never use or disclose confidential information for any personal purpose or out of curiosity, or allow others to do so.
Documents containing PHI should not be left in open areas or on desks where it can easily be seen or stolen by passerby.
33
General Safeguards, cont.
Dispose of resident information by shredding or storing in lock containers for destruction. Do not throw in the trash!
Keep information you hear about a resident to yourself. Share only with those who have a need to know.
Use reasonable safeguards to keep resident information from being accessible by others who do not have a need to know.
34
General Safeguards, cont.
Notify security if you see an unescorted visitor in a private area. Computer screens where PHI is viewed
should be turned away from the view of visitors.
Any fraudulent attempts by an unauthorized person to obtain PHI must be reported to the supervisor and the LPO.
35
36
HIPAA Security Rule Security Rule defines how to
protect protected health information in electronic form, called ePHI
HIPAA: Security Rule Four Requirements of Security:
Ensures confidentiality, integrity, and availability of electronic PHI.
Protects against possible threats and hazards to the information. Hackers, viruses, natural disasters or system failures.
Protects against unauthorized uses or disclosures. Ensures compliance by the workforce through security regulations and policies/procedures.
Three Components of Security: Administrative Safeguards Physical Safeguards Technical Safeguards
HIPAA: Security RuleAdministrative Safeguards:
Documentation kept for 6 years. Internal system audits minimize security violations.
Logins, file accesses, and or security incidents. Information access management:
Access to PHI based on what is needed to preform the job. Once computer access is requested, it will take 48-72
hours to implement due to complexity of security system. Security awareness and training:
Security updates, incident reporting, log-in, and password management.
Security incidents will be reported if suspected or if there is an actual breach.
HIPAA: Security Rule
Physical Safeguards:
Safeguard the facility and equipment, from unauthorized physical access, tampering, and theft. Workstations positioned so monitor screens/ keyboards are
not directly visible to unauthorized persons. Use of privacy screens when applicable. Physical access to the server room limited to key personnel.
Workstation use and security. Log on as themselves. Log off prior to leaving the workstation, Inspect the last logon information, report any discrepancies. Comply with all applicable password policies and procedures. Close files not in use.
HIPAA: Security Rule
Technical Safeguards: Access controls:
User password setup is for one-time use initially. Allowing the individual to choose their own unique password for future access.
User passwords reset every 180 days. All passwords must consist of at least eight (8) alphanumeric characters
(numbers and letters). Passwords cannot be reused until after three (3) different generations
have been used. Six (6) failed logon attempts will cause the user account to be locked out.
The account is locked out for (30) minutes and then reset. Computer Desktops automatically lock after 17 minutes of inactivity. Citrix sessions automatically close after 30 minutes of inactivity. CareVoyant sessions automatically close at different intervals depending
on place within the program. CareTracker sessions automatically close at different intervals depending
on place within the program
HIPPA Security Officer
* Maintains appropriate security measures to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards.
* Oversees and/or performs on-going security monitoring of organization information systems.
* Ensures compliance through adequate training programs and periodic security audits.
* Ensures security standards comply with statutory and regulatory requirements.
* Maintains HIPAA security policies and procedures.
Who is responsible for HIPAA?
EVERYONE at Elmcroft:
* Support Center Staff:* IT Staff:
* Implement safeguards for the computer systems.
* Local Privacy Officer:* Clinical Staff and Physicians:
* Create and access the majority of resident information.
* Managers and Supervisors: * Develop and implement policies and procedures that relate to security and
ensure their staff are trained properly.
* Clerical Staff: * Create and access resident information.
* Volunteers:* Have access to resident information in various settings
* Vendors and Contractors* May have access to resident information
Tips for HIPAA Security Compliance
Log on and off the network appropriately. Never let others use your ID or work under your ID. Do NOT disable anti-virus software or install
unapproved software. Never introduce new hardware or media.
E-mail may be, but is not always, a secure form of data transmission. Do NOT e-mail PHI unless using encrypted means.
Use caution in opening e-mail files from unknown sources.
Do NOT access non-permitted information or give non-permitted information to unauthorized employees.
Be aware of, and report, security threats to the Security Officer.
Tips for HIPAA Security Compliance
Passwords must be treated as sensitive and confidential information.
Never share your password with anyone for any reason.
Passwords should not be written down, stored electronically, or published.
Be sure to change initial passwords, password resets and default passwords first time you log in.
Use different passwords for your different accounts.
Create passwords that are not common, avoid common keyboard sequences, do not contain personal information, such as
pets, birthdays or kid’s names.
Tips for HIPAA Security Compliance
Tips for HIPAA Security Compliance
Protect sensitive information on lists and reports with social security numbers (SSNs).
Limit access to lists and reports with SSNs to those who specifically need SSNs for official business.
Never store SSNs or use lists with SSNs on laptops or home computers.
Save and store sensitive information only on Elmcroft servers managed by IT staff.
Tips for HIPAA Security Compliance
Never copy sensitive data to CDs, disks, or portable storage devices.
Do not store lists with sensitive information on the Web (Dropbox, Google+, Etc.).
Lock printed materials with sensitive data in drawers or cabinets when you leave at night.
When done with printed sensitive material, shred them.
Tips for HIPAA Security Compliance
Remove sensitive materials from printer right away.
If problem with printer, turn off printer to remove sensitive material from printer’s memory.
Personally deliver sensitive materials to recipient or distribute information electronically using the email system.
Arrange for shared electronic files that requires user ID and password.
What do we do?
Complete initial and annual HIPAA training
Read the Notice of Privacy Practices (NPP)
Understand how HIPAA regulations impact your job function and responsibility
Check with your supervisor if you are uncertain
Ask for additional training if required
It is our responsibility to ensure confidentiality of our
residents’ health information.
50
Resources
Susan Dawson, Privacy OfficerElmcroft Senior Living
9510 Ormsby Station Road, Suite 101Louisville, KY 40223
Office: 502.753.6000E-Mail: [email protected]
53
Your Local Privacy/Security Officer (Administrator/Executive Director)
Bob Dooley, VP Information Systems
Elmcroft Senior Living9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office: 502.714.7435
E-Mail: [email protected]
Bob Dooley, VP Information SystemsElmcroft Senior Living
9510 Ormsby Station Road, Suite 101Louisville, KY 40223
Office: 502.714.7435E-Mail: [email protected]