hipaa training presentation for management workforce 1 hipaa for general workforce what you need to...
TRANSCRIPT
HIPAA Training Presentation for Management Workforce
1
HIPAA
For General Workforce
What you need to know
The Catholic Health Initiatives Mission
Catholic Health Initiatives continues the journey begun by our foundresses. Like these women religious, we continue the healing ministry of Jesus Christ through the provision of health care in our many communities. Our core values of reverence, integrity, compassion and excellence guide us on this journey. We build relationships based upon these core values. These relationships enable us to assume the challenging role of caring for those most in need, those least able to care for themselves.
Our core values and standards of conduct are the principles that guide us in navigating the complexity of providing health care. At a minimum, we are expected to follow all laws related to our responsibilities. However, following the law is not enough. Our values call us to live by an ethical standard that is greater than the law. We are responsible for ensuring the privacy of an individual’s health information and are entrusted with that information in order to provide the necessary care and services. We have a duty to prevent the inappropriate use or disclosure of an individual’s health information.
Course Objectives/Navigation
The objectives of this course are:– To foster and maintain a culture of integrity. – To develop individual and team character and virtue in the workplace. – To foster compliance with applicable federal and state laws and
regulations. – To understand the policies and procedures in order to protect health
information.
Navigating this course:Each course contains Cases to Consider, which are designed to help
improve your understanding of the course material. At the end of each course you will take a Section Test. The Section Test is designed to measure your understanding of the course material and is scored. You will be required to successfully pass the Section Test.
You can use the arrows at the top and bottom of your screen to move forward and backward through the course. For most people, this course should take approximately 1 hour.
Education Objectives
Understand the Health Insurance Portability and Accountability Act (HIPAA) rules and regulations
Understand the penalties for not complying
Understand patients’ rights and health care workers’ role in protecting them
Understand your responsibilities under HIPAA-related policies and procedures
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is a federal law imposed on all health care organizations, including:
Hospitals, physician offices, home health agencies, nursing homes, and other health care providers
Clearinghouses
HMOs, private health plans, and public payers such as Medicare and Medicaid
The above organizations are considered Covered Entities under HIPAA.
HIPAA
• HIPAA consists of five main sections, or “titles.” The most important title for health providers is Title II, Administrative Simplification.
• The three main components of Title II include the following standards: Privacy Security Electronic Data Interchange
• The Privacy and Security standards will be reviewed in this module.
HIPAA Training Presentation for Management Workforce
7
HIPAA Privacy Rule
HIPAA Privacy Rule
Compliance date of April 14, 2003
Gives patients federal rights to gain access to their medical records and restrict who sees their health information
Requires organizations to take measures to safeguard patient health information
Requires organizations to train members of the workforce on patients’ rights to privacy and control over their health information
Punishes individuals and organizations that fail to keep patient health information confidential
The Privacy Official
A Privacy Official has been appointed by each covered entity to:
Manage the development of the organization’s privacy standards, policies, and procedures
Oversee training and education of workforce
Enforce the rules and investigate violations
Myths about HIPAA
Patients cannot be paged
Organizations must get rid of all their semi-private rooms and put up sound barriers
Organizations cannot put patient names outside their doors or use white boards
HIPAA does not require the above measures and these myths are not true.
Quiz Question
What type of rule is HIPAA?
a. a state law imposed only on hospitals b. a federal law imposed on all health care organizations c. a guideline set forth by the American Medical Associationd. an accreditation requirement
b. HIPAA is the first federal regulation that gives patients rights to gain access to their medical records and restrict who sees their health information.
Safeguarding Health Information
What is Confidential?
Name Address Age Social Security number Phone number E-mail address
Diagnosis Medical history Medications Observations of health Medical record number And more...
Any information about a patient written on paper, saved on a computer, or spoken, is protected health information (PHI), including:
Protect Patient Privacy “Do’s”
Log off the computer when you’re finished
Dispose of health information only by shredding or storing in locked containers for destruction
Notify Security if you see an unescorted visitor in a private area
Protect Patient Privacy “Don’ts”
Don’t leave patient records lying around
Don’t discuss a patient in public areas such as elevators, hallways, and cafeterias
Don’t look at information about a patient unless you need it to do your job
Rules for Computers “Do’s”
Keep your password a secret Turn computer screens away from
public view Change your password every 180
days or as required by internal policy
Do not log into the system using someone else’s password
Do not remove equipment, disks, or software without permission
Quiz Question
When are you free to repeat a patient’s private health information that you hear on the job?
a. after you no longer work at the organization
b. after a patient dies
c. if you know the patient would not mind
d. when your job requires it
Quiz Question
Which of the following is protected health information under HIPAA?
a. the patient’s address
b. the patient’s allergies
c. the patient’s medical record number
d. all of the above
Quiz Question
Which of the following types of information does HIPAA’s privacy rule protect?
a. patient information in electronic form
b. patient information communicated orally
c. patient information in paper form
d. all of the above
Do You Need to Know?
The Minimum Necessary Standard
Do You Need To Know?
HIPAA requires health care workers to use the minimum amount of health information they need to do their jobs efficiently and effectively.
Ask yourself:
Do I need this information to do my job and provide good service?
What is the least amount of information I need to do my job?
Do You Need to Know?
Coders and billers need to look at certain portions of records to code and bill correctly
Professional health care workforce members such as doctors, nurses, and therapists need to look at their patients’ records to care for them
Housekeeping staff do not need to look at patient records to perform their job
Quiz Question
What question should you ask yourself before looking at health information?
a. Would the patient mind if I looked at this?
b. Do I need to know this to do my job?
c. Can anyone see what I’m doing?
d. Am I curious?
Quiz Question
Your sister’s friend just had triple bypass surgery at your organization. She asks you to find out his prognosis. What should you do?
a. ask a nurse on the floor how the patient is doing and pass the information along to your sister
b. log in to the computerized record system and read the patient’s record to find information for your sister
c. explain that it is a violation of the patient’s privacy for you to ask around or look at his record, and suggest that she call one of her friend’s family members
d. none of the above
Authorization
Authorization
Organizations must obtain authorization from a patient before using or sharing protected health information (PHI) for reasons other than treatment, payment, or health care operations.
Reasons other than treatment, payment or health care operations include:
– Marketing – Fundraising – Research – Employment determinations
•A patient may revoke an authorization at any time by making a written request.
Examples of Treatment, Payment and Health Care Operations
Treatment: doctors and nurses caring for patients; technicians performing tests
Payment: billers sending out claims; coders applying codes to procedures
Health care operations: quality assurance staff performing reviews; transcriptionists typing reports
Authorization Exceptions
An authorization is not necessary for uses or disclosures mandated by law such as:
Reporting births, deaths, and communicable diseases to state agencies
Giving certain information to the police for investigations, searches for missing people
Responding to a court order, subpoena, or other lawful process
Workers’ compensation
Specialized government functions
External health oversight agencies
Public health activities
Quiz Question
When is the patient’s authorization to release information required?
a. in most cases in which information is going to be shared with anyone for reasons other than treatment, payment, or health care operations
b. upon admission
c. when information is to be shared among two or more clinicians
d. when information is used for billing a private insurer
Marketing and Fundraising
Marketing
In most cases, we may not use or disclose protected health information (PHI) to market a product or service without obtaining a valid authorization.
Defining Marketing
The following are not considered marketing under HIPAA and do not require an authorization:
Descriptions of the organization and whether products or services are provided or covered
Explanations of treatment alternatives
Case management or care coordination
Recommendations of alternative treatments, therapies, providers, or settings
Reminders and disease management and wellness programs
Fundraising
We can use only the following information for fundraising purposes without patient authorization:
Demographic information
Dates of service
Opting Out
A patient has the right to revoke his/her authorization and opt out of receiving future fundraising or marketing communications
The Facility Directory
The Facility Directory
Unless a patient has asked not to be included in the directory, you may disclose the following information to visitors and callers who ask for a patient listed in the directory by name:
Location (room number)
General condition (e.g. stable, critical)
Directory Disclosures to Clergy
Clergy who have signed the Clergy Confidentiality Agreement do not have to ask for a patient by name and may receive:
Names of patients listed in the directory with the same religious affiliation of the clergy making the request
Locations
General conditions
Quiz Question
What information about a patient who is listed in the directory can be disclosed to someone who asks for the patient by name?
A. room number and name of doctorB. room number and general condition C. general condition and prognosisC. D. nothing
Individual Rights
Individual Rights
Patients have the following rights under HIPAA: To know who has access to their health information and how it is used (Notice of
Privacy of Practices)
To access and request an amendment to their health records in the designated record set (Access and Amendment)
To request a list of people and organizations who have received his/her health information (Accounting of Disclosures)
To request that we communicate with them by alternative means (Confidential Communications)
To request restrictions for the use and disclosure of their health information (Request Restrictions)
To complain to a covered entity, to the Secretary of HHS, or to the Office for Civil Rights (OCR)
Notice of Privacy Practices
Provides individual notice of the ways the organization uses and shares an individual’s health information
Explains an individual’s rights to confidentiality and access to his/her health information
Is posted prominently in the organization
Right to Access
A patient has the right to inspect and obtain a copy of his/her designated record set, which includes protected health information (PHI) used in whole or in part to make decisions about the patient.
Designated Record Set
A designated record set is a group of records that may include:
Health care provider medical and billing records Health plan enrollment, payment, claims adjudication and
case or medical management records
Right to Request Amendments
A patient has the right to request amendments to his/her designated record set. However, organizations are not required to automatically make whatever changes the patient requests.
Personal Representatives
Persons who have the authority (under federal and state laws) to act on behalf of a patient in making health care decisions may have access to the patient’s health information as his/her personal representative.
Personal Representatives for Minors
Parents, guardians, and others who have authority (under federal and state laws) to act on behalf of a minor in making health care decisions may have access to the minor’s health information as his/her personal representative
Accounting of Disclosures
A patient has the right to request a list of people and organizations who have received his/her health information.
The list does not have to include disclosures:
For treatment, payment, and health care operations
Authorized by the patient
To the facility directory
For national security
Of “limited data set” information
Confidential Communications
A patient may ask to receive correspondence at an alternate location or by an alternate means.
Organizations must honor all reasonable requests such as:
Sending mail to a P.O. Box or alternative location
Calling the patient at work instead of home
Using sealed envelopes instead of postcards
Complaints and Grievances
The Notice of Privacy Practices includes information on filing complaints:
The name of the designated representative or department for handling grievances
The representative’s phone number
The steps for filing a formal complaint
The Formal Grievance Process
If a patient or personal representative complains about a breach of confidentiality or a violation of a HIPAA rule, notify your supervisor and contact the representative listed on the Notice of Privacy Practices.
Quiz Question
What should members of the workforce do if a patient complains that her privacy was violated during her stay?
a. Notify their supervisor and the person or department responsible for handling complaints listed on the Notice of Privacy Practices
b. Ask the patient to provide proof
c. Nothing—it’s not their job to handle complaints
d. None of the above
Quiz Question
Which of the following does the complaints section of the Notice of Privacy Practices include?
a. the name of the designated representative or department for handling grievances
b. the representative’s phone number
c. the steps for filing a formal complaint
d. all of the above
Confidentiality Agreement
and Penalties
Confidentiality Agreement
By signing you agree to:
Dispose of health information properly Follow the organization’s policies and procedures Use computers and information systems only for
performing job duties Use confidential information only in performing job duties Share confidential information only with those who need
the information to do their jobs Handle health records carefully to preserve individual
privacy
Penalties for Breaking the Privacy Rules
Criminal penalties under HIPAA: Maximum of 10 years in jail and a $250,000 fine for serious offenses
Civil penalties under HIPAA: Maximum fine of $25,000 per violation
Organization actions: Employee disciplinary actions including suspension and/or termination for serious violations of the organization’s policies and procedures
HIPAA Security Rule
HIPAA Security Rule
Compliance date of April 20, 2005 Applies to the same covered entities described in
the Privacy Rule section. Applies to protected health information (PHI) that is
electronically sent from one location to another or stored by the facility.
Identifies steps to take to secure electronic PHI.
Information Security
A Security Official has been appointed with responsibility to: Make sure the covered entity complies with the
security standards, and Provide training to all system users at the facility.
Information Security
The Security Rule has three key areas that work together to protect PHI. These include: Physical safeguards Technical safeguards Administrative safeguards
Physical Safeguards
The purpose of physical safeguards is to help protect the physical computer systems and related buildings and equipment from unauthorized access, fire, and other natural and environmental hazards.
Some physical safeguards were discussed in the privacy section of this course. These included access to computer systems, workstations, and the use of passwords.
Technical Safeguards
Technical safeguards focus on the steps and procedures that must be in place to:
Protect the integrity of electronic PHI Control access Record and examine system activity Validate the identity and authorization of users Protect electronic PHI transmitted over a communications
network
Technical Safeguard Examples
– Unique user IDs– Reliable user authentication – typically passwords– Authorization to access information– Automatic computer logoff (inactivity timeout)– Firewalls– Log capture and monitoring
Password usage:• Generic User IDs are not permitted except in special
circumstances.
• User ID access must be changed immediately upon a User’s transfer to a different role in the organization.
• All User ID passwords must change at least once every 180 days or as required by policy. Systems should be set to automatically force password changes.
• When changing passwords, a User must not create passwords that are identical to his or her previous eight passwords.
Passwords, the First Layer of Protection
Password Syntax Rules • Passwords must be at least six characters in length
and– have a minimum of four alphabetic characters. – have a minimum of two numeric characters (0 through
9).• Passwords may include no more than two
consecutively repeated characters.
• NOTE: The use of control characters and other non-printing characters is not permitted because they may cause network or system problems.
Passwords, the first layer of protection
Passwords, the First Layer of Protection
Examples of passwords:
• Good / strong passwords:– 15djOth (15 dogs jumped over the house)– Cft6vgy& (keyboard pattern)
• Poor / weak passwords:– Orange– Skipper– BobH
Password Selection Rules• Choose passwords that are difficult to guess. • Passwords must not be related to the user’s job or personal life.
For example, do not use names of family members or pets as a password.
• Personal information that is easily obtainable, including date of birth, license plate number, telephone number, Social Security number, make of automobile or home address must not be used as a password.
• The first, middle or last name of the user should not be used to construct a password.
• User IDs must not be used as a password in any form.
Passwords, the First Layer of Protection
Administrative Safeguards
Under the Security Rule, policies and procedures must be in place that define the steps to address:
Adding, changing or deleting user access based on job responsibilities or if user terminates employment
Use and assignment of individual user IDs and passwords How to access the computer system and/or electronic PHI in
the event of an emergency
Quiz Question
Which of the following is NOT a key area of the HIPAA Security Rule?
a. Physical safeguards
b. Technical safeguards
c. Documentation safeguards
d. Administrative safeguards
Quiz Question
When is it acceptable to share your password?
a. when your co-worker forgets his password
b. when it saves time
c. when you know you can trust the person to use it appropriately
d. never
Quiz Question
Which of the following choice of passwords is best to use?
a. AlSm!th
b. 15djOth
c. Terry
d. 12345678
What Should You Do?
Case #1
You are called to work in a patient’s room to perform a routine job. You knock on the door and are invited in. You see that a nurse is in the room discussing the patient’s condition or medication. What should you do?
Case #1 Answer
If you must do the job immediately ask whether you can interrupt. If the job can wait, explain that you are there to perform a routine job and will return in 15 or 20 minutes. This protects the patient’s privacy by allowing him/her to openly discuss his/her condition without being overheard.
Some patients may say that it is acceptable for you to stay in the room
during the conversation. But remember that patients may not feel comfortable sharing everything about their symptoms or medical history while you are in the room. They also might not feel comfortable asking you to leave.
Case #2
A visitor tells you she is at the organization to work on the computers and wants you to point the way to the system. How do you respond?
Case #2 Answer
The best response is to ask the repairwoman who at the organization contacted her. Find that person. He or she can take the repairwoman to the appropriate work area.
Case #3
You are walking by a trash can and notice a pile of photocopied health records has been laid on top of the trash can. How should you handle this?
Case #3 Answer
Gather the records and take them to your supervisor. He or she will report it to the organization’s Privacy Official to determine why the records were not destroyed.
Case #4
You are working on a nursing unit and see the name of a friend on a white board. Should you stop by her room?
Case #4 Answer
If you learned of your friend’s stay only by looking at the white board, you should not go to her room unless your job responsibilities take you there.
If you find out from the patient or her family member that she is a patient at the facility, feel free to visit her. Be sure to follow the visitor policies.
Case #5
A co-worker is having trouble logging in to the organization’s system. She asks for your login name and password so she can use them. Should you share them with her?
Case #5 Answer
No. The HIPAA security standards require the use of individual passwords for each workforce member with access to health information stored in the computer system. The organization keeps track of the records you gain access to based on the login name and password you use to enter the system. If you let others use your name and password, you are breaking HIPAA’s rules and the organization’s policy, and you may be held responsible if the co-worker gains access to patient information inappropriately.
Case #6
You have a hard time remembering your password for the computerized record system. Should you jot it down on a piece of paper and stick it in your desk drawer?
Case #6 Answer
No. Even if your desk drawer remains locked, it is not appropriate to keep it in your desk.
If you have a hard time remembering your password, select a password that meets your organization’s criteria, but is easy for you to remember.
Test Your Understanding
Question #1
A man comes into the organization and tells you he is supposed to work on the computers and wants you to open a door for him or point the way to a workstation. How should you respond to this request?
a. provide him with the information or access he needs
b. ask him who at the organization hired him and find that person for assistance
c. call the police
d. none of the above
Question #2
Your sister’s friend just had triple bypass surgery at your organization. She asks you to find out his prognosis. What should you do?
a. ask a nurse on the floor how the patient is doing and pass the information along to your sister
b. log in to the computerized record system and read the patient’s record to find information for your sister
c. explain that it is a violation of the patient’s privacy for you to ask around or look at his record, and suggest that she call one of her friend’s family members
d. none of the above
Question #3
When are you free to repeat a patient’s private health information that you hear on the job?
a. after you no longer work at the organization
b. after a patient dies
c. if you know the patient would not mind
d. when your job requires it
Question #4
You see an open recycling bin full of paper. You can see names, addresses, and diagnoses on the paper. What should you do?
a. nothing
b. bring it to your supervisor or the Privacy Official so he or she can dispose of it properly and determine why it was put there
c. read the report and try to figure out what workforce member disposed of it improperly
d. none of the above
Question #5
What question should you ask yourself before looking at patient information?
a. Would the patient mind if I looked at this?
b. Do I need to know this to do my job?
c. Can anyone see what I’m doing?
d. Am I curious?
Question #6
When is the patient’s authorization to release information required?
a. in most cases in which information is going to be shared with anyone for reasons other than treatment, payment, or health care operations
b. upon admission
c. when information is to be shared among two or more clinicians
d. when information is used for billing a private insurer
Question #7
When is it acceptable to share your password?
a. when your co-worker forgets his password
b. when it saves time
c. when you know you can trust the person to use it appropriately
d. never
Question #8
Which of the following is protected health information under HIPAA?
a. the patient’s address
b. the patient’s allergies
c. the patient’s medical record number
d. all of the above
Question #9
Which of the following types of information does HIPAA’s privacy rule protect?
a. patient information in electronic form
b. patient information communicated orally
c. patient information in paper form
d. all of the above
Question #10
What should members of the workforce do if a patient complains that her privacy was violated during her stay?
a. Notify their supervisor and the person or department responsible for handling complaints listed on the Notice of Privacy Practices
b. Ask the patient to provide proofc. Nothing—it’s not their job to handle complaintsd. None of the above
Question 11
Which of the following does the complaints section of the Notice of Privacy Practices include?
a. the name of the designated representative or department for handling grievances
b. the representative’s phone numberc. the steps for filing a formal complaintd. all of the above
Question #12
Which of the following choice of passwords is best to use?
a. AlSm!th
b. 15djOth
c. Terry
d. 12345678
Course Summary
This course linked your everyday job functions with their effect on the organization’s privacy and security practices and compliance with the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA requirements discussed throughout this course included:
– Understanding the purpose of HIPAA regulations. – Safeguarding written, oral and electronic information. – Knowing the steps to protect privacy. – Understanding the role of the Privacy and Security Officials in your organization.
The intent of this course was to educate staff members and make them more aware of how their everyday activities affect their organization’s HIPAA compliance. Through this course, you were empowered to protect the privacy of those we serve and prevent violations of confidentiality.
Our purpose for asking you to take this course was not only to help you become familiar with some of the current laws and regulations associated with HIPAA, but also to reinforce the mission of Catholic Health Initiatives (CHI). CHI is built upon a foundation of integrity. All of the women and men who have gone before us tried to ensure that, regardless of the challenges they faced, CHI would truly minister to and be worthy of trust by their communities. It is our ethical duty to continue this mission at CHI. Knowledge from this course is one tool that assists us in fulfilling that mission.
Thank you for taking this course. Please click here to take the Final Test.