Data Security & Privacy Practices - Student/Resident Training
Providing Care With Respect and Dignity Through Data Security & Privacy Practices - HIPAA Student/Resident Training
Published in: Technology, Business
Transcript

  • 1. Providing Care With Respect and Dignity Through Data Security & Privacy Practices. Springfield Clinic Student/Resident HIPAA Review, 9/23/13. Presented by: The Privacy Office
  • 2. Core Elements of this Review
    1. Accessing PHI (Protected Health Information) beyond the scope of your duties is a violation of HIPAA’s “Minimum Necessary” Rule.
    2. It also violates Clinic Policy, and can lead to immediate termination of your rotation here.
    3. HIPAA requires you to report privacy/security incidents or suspected violations. Contact the Privacy Office at ext. 14216.
    4. You are not allowed to copy, transmit or print patient information for your own use or for your school. Any documentation that you feel you need to send externally for completion of your duties should be de-identified by the ROI Services Manager in Health Information Management (ext. 43742).
    5. Sharing passwords or user IDs is strictly prohibited.
    6. Please keep all patient-related conversations out of patient areas. Our patients perceive a lack of privacy when this happens – even if names are not used.
  • 3. The Overview
    HIPAA is a Federal Law named “The Health Insurance Portability and Accountability Act”.
    • HIPAA was enacted in 1996 to standardize electronic health insurance transactions. Its primary purpose was to reduce the gap in health insurance coverage occurring with change of employment, thereby reducing America’s personal bankruptcy rates, as most of these were related to lack of medical insurance.
    • HIPAA targets the uses and disclosures of Protected Health Information. PHI is any patient-identifiable health and/or billing information.
    • Investigations and fines are handled by the Office for Civil Rights (OCR).
    • Cases are referred to the Dept. of Justice for prosecution (500+ cases to date).
  • 4. Health Insurance Portability & Accountability Act
    HIPAA Privacy Rule: gave patients 6 new civil rights. Requires delivery of a Notice of Privacy Practices before the first service, contractual agreements for privacy between Organizations, and mandatory internal and government reporting with mitigation of violations.
    HIPAA Security Rule: focuses on the Confidentiality, Integrity, and Availability of patient-identifiable electronic health and billing information. There are Organizational requirements, and safeguards include administrative, physical and technical safeguards.
    HITECH: expands penalties, requirements, and enforcement capacity. Expands the definition and responsibilities of a Business Associate (BA) to the same level as a CE (Covered Entity). Requires HHS proactive auditing of CEs. Adds the patient right to Cash Restrictions. Requires patient notification within 60 days of a PHI breach with potential harm. Requires that any breach over 500 patients is reported to HHS, media outlets, and patients. It also provides Meaningful Use incentives for Providers to use electronic records.
    OMNIBUS: The “Final Rule” expands requirements for BAs and their subcontractors, increases penalties, expands HHS audit numbers, and expands audit scope where evidence of willful negligence is found. Huge increases in fines. It requires the CE to audit compliance of its Business Associates. BAs are directly liable for their breaches. It changes the definition of Business Associate and “breach notification”. Lack of a BA contract does not prevent the BA designation. State Attorneys General are given a “private right to action” to prosecute on a patient’s behalf (the state gets a percentage). Genetic information is now PHI. Decedent info is no longer PHI 50 years after death. Documented Risk Analysis is now required for incidents not reported to HHS due to low probability that PHI was “compromised”. Patients can ask for records in electronic format and we must accommodate if reasonable. Entities that create, receive, maintain or transmit ePHI for CEs are now BAs. BAs must provide an accounting of disclosures if requested. Business associates will be subject to audits, compliance reviews, and enforcement actions by HHS. It’s been updated several times!
  • 5. 10 Transactions that Define a “Covered Entity”
    1. Health care claims or equivalent encounter information
    2. Health care payment and remittance advice
    3. Coordination of benefits
    4. Health care claim status
    5. Enrollment and disenrollment in a health plan
    6. Eligibility for a health plan
    7. Health plan premium payments
    8. Referral certification and authorization
    9. First report of injury
    10. Health claims attachments
    Note: HHS generally considers all providers, sites, and services within an Organization or System to be one CE.
  • 6. Who Is A HIPAA Covered Entity?
    • A Covered Entity (CE) is someone with a direct (face-to-face) patient care relationship. No authorization is required for PHI release for purposes of treatment, payment and CE operations.
    • Everyone at Springfield Clinic is considered part of the same covered entity. Internally releasing patient information without patient consent is allowed.
  • 7. Who Is A Covered Entity Outside the Clinic?
    • Any Provider with either a face-to-face patient relationship or who processes transactions using electronic patient information
    • Any Health Care Plan paying for patient services
    • Any Clearinghouse providing healthcare billing services
    • Interpreters; Dentists; NPs, PAs, Counselors, Therapists
    • Medical Benefits Coordinator for ANY residential facility including:
      – Prisons
      – Law enforcement officials holding a prisoner in custody
      – Residential, Group & Nursing homes
    • Pharmacists
    • School Nurses (only when evaluating students or administering medications)
  • 8. HIPAA Protects Patient-identifiable Health and/or Billing Information, So What Constitutes Identifiers?
    De-identifying PHI is the only legal way to transmit in an unsecured transmission. Consult with I.T. before using ePHI on personal devices. To de-identify information, call the ROI Services Manager in HIM Correspondence.
    1. Name
    2. Street address
    3. SSN
    4. DOB
    5. All dates (admit/discharge, DOS, date of death)
    6. First 3 digits of zip only (if population > 20,000)
    7. Any geographic divisions smaller than state
    8. Age (if 90 or more, report age as “90+”)
    9. Telephone, cell, or other personal number
    10. Fax number
    11. URL and IP addresses (e-mail/internet)
    12. VIN and serial numbers (vehicle)
    13. Full face photos
    14. Tattoos and any unique physical anomalies
    15. Medical Record Number
    16. Account Number
    17. Insurance plan numbers
    18. Device identifiers and serial numbers
    19. Biometrics including fingerprint, voice, iris
    20. Certificate/License Numbers
    De-identifying PHI is considered a “safe harbor” for transport or storage. However, there must be a procedure in place to de-identify and re-identify accurately. Encryption is more commonly used.
  • 9. Fines/Violations
    Monetary penalty system is as follows. Each row gives the degree of culpability (“state of mind”), the potential penalty per violation, and the maximum annual cap for all violations of an identical HIPAA provision:
    • Violation was not known and could not have been discovered with reasonable diligence: $100 - $50,000 per violation; $1,500,000 annual cap
    • Reasonable cause for violation, not due to willful neglect: $1,000 - $50,000 per violation; $1,500,000 annual cap
    • Violation due to willful neglect, but corrected in 30 days: $10,000 - $50,000 per violation; $1,500,000 annual cap
    • Violation due to willful neglect, not corrected in 30 days: $50,000 per violation; $1,500,000 annual cap
    • Violations are counted up “based on the nature of the … obligation to act or not to act.” New factors: number of persons affected by the violation, and potential harm to those persons’ reputations and finances.
    • Generally, monetary penalties will be tallied on a per person and per day basis. A violation should be corrected promptly within 30 days. Delaying beyond the timeframe will foreclose certain defenses that could decrease monetary penalty amounts.
    • The maximum annual cap of $1.5 million is applied on a “per provision” basis.
  • 10. HIPAA Rule: Provide Minimum Necessary Information Per Business Transaction
    • It is the individual’s responsibility to provide no more than the “minimum necessary” patient information to satisfy a request or to complete a transaction.
    • The only exception to minimum necessary is releasing health and/or billing information to another Provider.
  • 11. Patient Rights Under HIPAA
    • If we accept terms or conditions requested by the patient, they must be accepted Clinic-wide.
    • Please contact the Privacy Office when patients assert the civil rights reviewed on the following slides.
  • 12. The Right To Review Their Health and/or Billing Information
    • Patients may ask to sit with us and review their medical and billing records, which is a Health Information Review.
      – (Call the Privacy Office Staff)
    • They may ask for paper or electronic copies in any preferred format and we generally must provide this (Behavioral Health Records may be an exception – Provider’s choice).
      – (Call Health Information Mgmt. - Correspondence)
  • 13. The Right To Request Amendment of Their Health Or Billing Information
    • When the patient disagrees with statements in the record, it is their right to ask the author to change the item.
      – (Refer them to the Privacy Office)
    • The provider may refuse the amendment if he/she feels that the content is “complete and accurate” as it is, or if the information came from another source (transferred record).
    • The Privacy Office assists the patient in adding a rebuttal letter to the disputed content if the amendment is denied.
  • 14. The Right To Request Confidential Communications
    • When a patient asks us to change our normal method of communicating with him or her.
    • HIPAA states that where we can, we should. Remember that this type of request applies to all Clinic computer systems and offices. Let the Privacy Office handle it.
  • 15. The Right To Request Privacy Restrictions
    When a patient asks us to change the way we internally flow their PHI through our transaction processes.
      – (It is critical to call the Privacy Office)
      – Examples:
        • Don’t give my records to the Workers’ Comp carrier
        • Don’t let the receptionist at my doctor’s office see my information (she’s my ex sister-in-law)
        • Don’t send information to my other doctors
  • 16. The Right To An Accounting Of Disclosures
    • When a patient asks “Where have you sent my information without my authorization?”
      – (Call the Privacy Office)
    • We must supply a listing of 6 years of past transactions.
    • With an EHR, we must include all electronic transactions as of 1/1/14.
  • 17. The Right to a Paper Copy of the Notice of Privacy Practices
    • HIPAA requires that patients receive the Notice of Privacy Practices (NPP) before their first service with a covered entity.
    • The purpose is to:
      – Assist the patient in choosing a provider based on our uses and disclosures of their PHI
      – Inform them of their privacy rights under the law
      – Provide a contact to complain to when they feel their rights have been violated.
    • If anyone asks for a privacy notice, please take them to the nearest reception desk for an NPP (Notice of Privacy Practices) booklet.
  • 18. Purpose Of The NPP
    • Intent of a public notice
    • To help patients choose between covered entities
    • To explain rights given to individuals
    • To inform a patient where to complain if rights are violated
  • 19. The Right to Receive Their PHI Electronically in Their Preferred Format
    • Patients now have the right to ask for their PHI in their preferred electronic format. We must accommodate if reasonable to produce.
    • We must provide a reason why if we decline, and ask for another preference.
  • 20. The Right to Request a HITECH Cash Restriction
    • Any patient may request that today’s services not be submitted to insurance, and if he/she meets the conditions, we must allow it.
    • In order to allow this cash restriction, the patient must request it before the visit is completed, and pay up front the total charges for today.
    • When those conditions are met, we must never release this information to the insurer (even in the future).
  • 21. HIPAA Says: No Snooping!
    Five medical workers have been fired over patient data breaches at Cedars-Sinai Medical Center. The audit was triggered by Kim Kardashian’s delivery of daughter North West on June 15, 2013. Kim’s family suspected a leak of information at Cedars-Sinai after media reports included undisclosed details of the stay. Four of the workers logged onto the hospital’s information system to access patient records, as employees of local physicians with staff privileges at the hospital. The others included a Medical Assistant, a Foundation employee, and a volunteer student research assistant.
    After “Octomom” was discharged, Kaiser Permanente fired 15 employees and disciplined 8 more for inappropriate access. After Fashion Designer Gianni Versace passed away, 5 employees were fired for inappropriate access. UCLA paid $865,500 for breach of celebrity privacy. The audit covered 2005-2009, where breaches had been reported on dozens of celebrities, including Britney Spears, Farrah Fawcett, and Maria Shriver.
    • Extra sensitivity for well-known patients is required. Access audits are likely on VIPs, such as celebrities, politicians, or recent news stories.
    • Even mentioning that the VIP was treated at the Clinic is a HIPAA violation.
  • 22. Interpreter Services
    • Clinic Policy states that all health and health-related services and programs provided by the Clinic are available and accessible equally to patients who are hearing impaired, and to those with limited English proficiency (“LEP”).
    • Interpreters shall receive payment for services performed only upon submitting a Clinic form invoice, which is verified or endorsed by a Clinic Manager.
  • 23. May I discuss treatment information with a visitor present in the exam room?
    • The patient has given implied consent to discuss treatment-related information by allowing them in the treatment room.
    • Include the visitor by name and relationship in your dictation.
    • Best practice is always to ask the visitor to step out at some point and ask the patient if there is anything they wish to discuss privately at this time. Also inquire as to social history and any potential abuse issues.
  • 24. Good to Know!
    • A visitor brought to the exam room is only allowed to be privy to the discussion during the exam. For an adult patient, even a parent’s presence does not provide access to any additional information later, regarding that visit (or any other encounter), without a signed patient authorization.
  • 25. Authorized Patient Representatives
    May I release information to a patient’s healthcare power of attorney?
      – Watch this! Typically a POA for healthcare may only access a patient’s information after the patient is deemed incapacitated. However, some forms state they are effective on the date signed.
      – You must read the form to see if it is activated.
      – This is different from a non-healthcare POA.
      – Protect yourself and do not act on a POA unless the document is in the patient’s record!
  • 26. Business Associate
    • A Business Associate is defined as a business or person who is hired to assist with daily operations, and whose job requires them to have access to PHI.
    • HIPAA requires written contracts with legally specific language which requires that BA to handle all PHI according to HIPAA rules, even when subcontracting.
  • 27. Is It Okay to E-mail Patient Information to Another Provider?
    • Students are not allowed to do this at Springfield Clinic.
    • Please discuss any need to disclose PHI with the ROI Services Manager in Health Information Management.
  • 28. How Can I Reach the Privacy Office?
    The phone directory lists us under Privacy Office.
    • Information Privacy Officer – Linda Meadows, ext. 14540
    • Privacy Operations Manager – Nancy Cardinale-Lower, ext. 14216
    • Privacy Operations Analysts:
      – Dawn Kane, ext. 14245
      – Farrah Reagon, ext. 14217
      – Danielle Dellaquila, ext. 14278
    • Privacy Support Specialist – Safron Squires, ext. 14198
  • 29. Let’s Test Your Skills
    • Answer each of the following questions. Click here to access the quiz.
    • Be sure to click on SUBMIT THE QUIZ in order to meet your training requirement.
    • Thank you!
  • 30. Thank You for completing this HIPAA primer! Helping to educate our students about privacy and security rules is part of the Clinic’s ongoing mission to provide the highest quality of healthcare to the people of Central Illinois!
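Slide 8 lists the safe-harbor identifiers and the two generalization rules (3-digit ZIP only where the area population exceeds 20,000; ages of 90 or more reported as "90+"). The following is an added example, not code from the Springfield Clinic deck, showing how a de-identification step can apply those rules to a constructed record before it is sent externally; the ZIP population table, field names, sample record and the SSN/phone regexes are assumptions made for the example, and it goes slightly beyond the slide by also scanning free-text fields for identifier-shaped values.

```python
"""Safe-harbor de-identification of a constructed patient record.

Added example, not code from the Springfield Clinic deck. It applies slide 8's
rules: direct identifiers are dropped, ZIP codes keep 3 digits only where that
area has more than 20,000 people, ages of 90 or more become "90+", dates are
reduced to the year (permitted by safe harbor), and free text is scanned
for SSN- or phone-shaped values so a leaked identifier is caught, not passed on.
"""
import re
from datetime import date

# Constructed 3-digit ZIP prefix populations for this example only (real code would use Census figures).
ZIP3_POPULATION = {"627": 250_000, "036": 12_000}

# Keys this example treats as the direct identifiers named on slide 8.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "ssn", "phone", "fax", "email", "ip_address",
    "vin", "mrn", "account_number", "insurance_plan", "device_serial",
    "biometric", "license_number", "photo",
}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")

def generalize_zip(zip_code: str) -> str:
    """Keep the first 3 digits only if that prefix covers > 20,000 people."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def generalize_age(age: int) -> str:
    """Ages of 90 or more are reported as '90+'."""
    return "90+" if age >= 90 else str(age)

def has_identifier_pattern(text: str) -> bool:
    """True if free text contains an SSN- or phone-shaped value."""
    return bool(SSN_RE.search(text) or PHONE_RE.search(text))

def deidentify(record: dict) -> dict:
    """Return a safe-harbor copy of record; raise if free text leaks an identifier."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # drop outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, date):
            out[key] = str(value.year)  # year only
        elif isinstance(value, str) and has_identifier_pattern(value):
            raise ValueError(f"field {key!r} still contains an identifier")
        else:
            out[key] = value
    return out

# Constructed sample record (not a real patient).
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "dob": date(1930, 4, 2), "age": 93, "zip": "62704",
    "date_of_service": date(2013, 9, 23), "diagnosis": "hypertension",
}
```

Running `deidentify(SAMPLE)` leaves only the generalized ZIP, "90+", the two years and the diagnosis; a note field containing a phone number raises instead of being forwarded.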
