Final gygax training module_ attempt 2

  • Welcome to St. Francis Hospital’s basic training on HIPAA. We will discuss how all employees can do their part to ensure HIPAA compliance. It is our goal to provide a professional, quality, and secure environment for all interactions involving patients, employees, and business associates.
  • Slide 2
    We acknowledge that there are a variety of backgrounds and exposures to HIPAA at our facility. Our goal is to bring awareness and educate employees on sound processes to ensure we act and handle patient information appropriately. Some of you may not deal with patient information on a day-to-day basis, but it is important for everyone to know what HIPAA is, how to deal with PHI, and most importantly where to go if you have any questions or need additional information.

    First we will go over basic HIPAA information, terms and definitions related to this topic.

    Then we will apply what we’ve learned in part 1 and examine some scenarios to get a sense of how to identify a violation, and how to avoid violations by following HIPAA-compliant processes.
  • Slide 3
    To start with, we should discuss a little bit about HIPAA. HIPAA was established in 1996 and implemented as the Health Insurance Portability and Accountability Act. The goal of HIPAA is to provide standards for covered entities to protect patient health information. (3)

    There are 2 rules under HIPAA, the Privacy Rule and the Security Rule. The Privacy Rule provides national standards for safeguarding protected health information, while the Security Rule provides a set of standards for electronic health information storage, management, and transactions. (3)

    Today’s training module will focus on the Privacy Rule.
  • Slide 4: WHO MUST COMPLY W/HIPAA
    All covered entities must comply with HIPAA. This includes insurance companies, health care providers, and health care clearinghouses. (3) Therefore it is necessary for all healthcare employees at St. Francis Hospital to comply with HIPAA, to ensure that protected health information is properly safeguarded while maintaining best-quality care practices and services, and taking public well-being into consideration as required. (3)
  • Slide 5
    Now that we know what HIPAA is, let’s discuss what information we are guarding.

    Protected health information consists of 3 basic components: the individual can be identified, the information pertains to a health condition or related information (such as legal proceedings), and the information is collected and held by a covered entity.
  • To comply with HIPAA it is important to remember the basic principle as defined by the US Dept of Health and Human Services. This states, “the purpose is to define and limit the circumstances in which an individual’s [PHI] is used or disclosed to CEs”.

    There are 6 permitted uses when a written authorization is not required:
    - If the individual (or representative) is present and verbally agrees to the opportunity
    - If it is related to treatment purposes
    - If it pertains to one of the 12 public interest and benefit situations
    - If information is going to the individual patient
    - Incidental disclosures, when minimum necessary information is provided for business operations (e.g. calling out a patient’s name in the waiting room) (Brodnik, p. 175)
    - Finally, when used in a limited data set. Direct identifiers are removed, and the data can only be used for public health, healthcare operations or research (p. 175).

    Provided is a link to the Department of Health and Human Services, which includes additional information on uses and disclosures.

    Again, always reference St. Francis Hospital’s policies and procedures for additional information or contact the Privacy Officer.
  • The Minimum Necessary Requirement is part of the Privacy Rule. The essential idea is that information should only be shared with those who need it to perform their job functions, and only the minimum amount of information will be shared to complete the task at hand.

    Access controls are enabled by individual, role, and group based access to enforce minimum necessary standards. Access privileges are based on work role, and what information is needed for the individual to do their job. Parameters have been set to grant viewing rights at different levels depending on what data is necessary.

    Please check with your department’s specific policies and procedures for complete information that pertains to your role.
  • Slide 8
    Before examining a couple of scenarios, let’s talk about release of PHI and the guidelines that should be followed.

    Before releasing information, the following obligatory steps must be taken.
    1) Confirm the person requesting information is authorized to receive it.
       a. Verify their identity.
       b. Check the record to make sure there aren’t any restrictions, revocations, or anything else that would keep you from disclosing information.
    2) Make sure you are enforcing the minimum necessary standard. Only give what has been requested, when permissible.
    3) Verify that the date of the request is valid.
    4) When completing a request, make sure you are following the rules for the situation. If authorization is required, make sure you have collected the correct form (in most cases it will be written authorization, though there are some exceptions; please check the policies and procedures manual).
    5) Finally, make sure you have documented the request.

    And always use your professional judgment to make sure the request is valid, appropriate, and secure.
  • Now let’s discuss 4 scenarios. These scenarios have been extracted from a recent audit done at St. Francis that reviewed the organization’s processes and checked for HIPAA compliance. This section will act as a review and an educational tool to discuss modification of PHI-related processes.
  • Slide 10
    The situation: You have an electronic health record. When an error is made in the record, it is the policy of the facility to allow the person who made the error to totally delete it from the system.

    The problem: this violates the Security Rule.

    Let’s review: as Brodnik states, the goal of the Security Rule is to “protect ePHI from unauthorized access, alteration, deletion, and transmission.”

    In this case the electronic health record is being altered. This affects the integrity, authenticity and non-repudiation of the record.
  • Slide 11
    How can we rectify this situation? By ensuring we follow electronic health record standard procedures.
    In general, a record should never be deleted. If there is an error, or something needs to be modified, follow these steps:
    - Identify the incorrect data
    - Flag it
    - Provide a link to it

    In the rare instance that a deletion is called for, please discuss this with your supervisor or contact the Privacy Officer.
  • Slide 12: Scenario 1 solution part II
    Finally, just be aware that access controls have been reviewed and modified to ensure only appropriate workforce roles have access to the information needed to accomplish their duties.

    If you are trying to perform a task and are unable to, please contact your supervisor or HIM Manager.
  • Slide 13: Scenario 2
    The situation: Patients are allowed to amend the health record directly in the electronic health record with no supervision by staff.

    The problem: Patients have the ability to alter their health record, affecting the integrity, authenticity and non-repudiation of the record. This is similar to the first scenario, but in this example it is the patient who is able to alter the record. This is a violation of the Security Rule.
  • Slide 14: Scenario 2 solution
    Under HIPAA regulation, patients have the right to request amendments to their records. We are discontinuing the previous policy and in its place requiring that a written request be completed, including the reason for the amendment. This will then be processed by the HIM department in a timely fashion. They will contact the individual once a decision has been made.

    Please contact the HIM Department with any further questions or concerns.
  • Slide 15: Scenario 3
    The situation: When a visitor is at a nurses’ station, the computer screens are visible and readable by the visitor, leaving patient PHI totally available to the public.

    The problem: Adequate measures are not being taken to enforce the Privacy Rule and protect patient health information.
  • Slide 16: SOLUTION
    We have assessed the situation and have updated the workstation use and security policies to be in accordance with HIPAA standards. The following requirements have been implemented:
    - Workstations are located in monitored areas
    - Workstation screens have been adjusted away from public view
    - Use of applicable screen devices, such as protectors to block peripheral views, is recommended
    - Auto time-outs have been enabled on all workstations
    - Password re-entry is required
    - Security training and awareness program completion is required for all employees who use workstations
  • Slide 17: Scenario 4
    The situation: When on the elevator, physicians, nurses, a custodian, and a patient registrar discussed patients by name, health care problem, and in one case, an ongoing litigation case about a malpractice suit.

    The problem: the American Health Information Management Association (AHIMA) identifies this situation as “breaches to the organization and individual”.

    Employees are discussing PHI outside of normal business operations. In this situation it is evident that not all roles need this information to complete routine duties. Though we don’t know the extent of why this information was being discussed, professionals should use best judgment and discretion when relaying PHI.
  • Slide 18: SOLUTION
    Let’s review employee awareness key points:
    - Understanding confidentiality and role responsibilities (1)
    - Respecting patient privacy and taking active measures to protect confidentiality (1)
    - Following guidelines that support HIPAA requirements and recommendations, such as the minimum necessary and Privacy Rule standards

    Additional employee awareness training has been implemented and is now an annual requirement. An email notification will be sent with more details.
  • It is important to note that there are penalties for noncompliance with HIPAA regulations. These include both civil and criminal penalties.
  • I would like to end today’s basic HIPAA training with a couple of reminders. We all hold valuable roles in healthcare, and we need to know and understand our responsibilities to protect patient health information, inform patients of their rights, act ethically, and abide by legal standards. This will benefit patient care and services, and create a more sound professional environment.
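The never-delete, flag-and-link correction rule from Scenario 1 and the HIM-reviewed amendment request from Scenario 2, shown as a small record store. This is an added illustration, not code from the training module or the hospital's EHR; the roles in ROLE_PERMISSIONS, the entry fields and the audit trail are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Assumed role-based access control list (illustrative, not the hospital's):
# only the HIM manager reviews amendments, and patients never write directly.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write", "correct"},
    "him_manager": {"read", "write", "correct", "review_amendment"},
    "patient": set(),
}

@dataclass
class Entry:
    entry_id: int
    author_role: str
    text: str
    flagged_as_error: bool = False
    corrected_by: Optional[int] = None  # link to the entry that supersedes this one
    corrects: Optional[int] = None      # link back to the entry this one corrects

@dataclass
class Record:
    entries: List[Entry] = field(default_factory=list)
    pending_amendments: List[dict] = field(default_factory=list)
    audit: List[tuple] = field(default_factory=list)  # every allowed/denied action

    def _authorize(self, role, action):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit.append(("allowed" if allowed else "denied", role, action))
        if not allowed:
            raise PermissionError(f"{role} is not authorized to {action}")

    def add(self, role, text):
        self._authorize(role, "write")
        self.entries.append(Entry(len(self.entries) + 1, role, text))
        return self.entries[-1].entry_id

    def correct(self, role, bad_id, new_text):
        # Identify the wrong entry, flag it, and link a correction to it. Nothing
        # is deleted, so the record stays complete and the correction is attributable.
        self._authorize(role, "correct")
        bad = self.entries[bad_id - 1]
        if bad.flagged_as_error:
            raise ValueError("entry already corrected; correct its successor instead")
        new_id = self.add(role, new_text)
        self.entries[new_id - 1].corrects = bad_id
        bad.flagged_as_error, bad.corrected_by = True, new_id
        return new_id

    def request_amendment(self, entry_id, reason):
        # Scenario 2: the patient's written request is queued for HIM review.
        self.pending_amendments.append({"entry_id": entry_id, "reason": reason})
        return len(self.pending_amendments)

    def review_amendment(self, role, request_no, approved_text=None):
        self._authorize(role, "review_amendment")
        req = self.pending_amendments.pop(request_no - 1)
        if approved_text is None:
            return None  # request denied; HIM notifies the patient
        return self.correct(role, req["entry_id"], approved_text)
```

Flagged entries stay readable in the record, so the audit trail shows who corrected what and when, which a deletion would destroy.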

Presentation Transcript

  • HIPAA COMPLIANCE: How you can do your part
  • LECTURE OVERVIEW
    Basic HIPAA information: Slides 3-7
    Training Scenarios: Slides 8-18
    Conclusion: Slides 19-20
    References: Slide 21
  • WHAT IS HIPAA
    Health Insurance Portability and Accountability Act, established in 1996. 2 main parts: Privacy and Security.
    Privacy basics: standards developed to “address the use and disclosure of individual’s health information or Protected Health Information (PHI)” (3)
  • WHO MUST COMPLY WITH HIPAA
    All employees of the organization must follow HIPAA Privacy Rules (Figure 1)
  • WHAT TO SAFEGUARD: PROTECTED HEALTH INFORMATION
    Basic definition: identifiable health-related information about an individual.
    3 elements of PHI (1):
    - Individual is identified
    - Health conditions or related information (e.g. legal proceedings)
    - Information is held by a Covered Entity (CE)
  • HOW TO COMPLY WITH HIPAA
    US Dept of Health and Human Services states the Privacy Rule’s “Basic Principle” (3): “...purpose is to define and limit the circumstances in which an individual’s [PHI] is used or disclosed by [CEs]…”
    2 ways use and disclosure can be done:
    - Permitted Uses
      - To the individual
      - Treatment, Payment, Operations (TPO)
      - 12 public interest and benefit situations
      - Individual agreement/objection of additional uses and disclosures
      - Incidental uses or disclosures
      - Limited data set
    - Authorized Uses
    Please visit the website for additional information: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
    Contact the Privacy Officer with any questions or concerns.
  • MINIMUM NECESSARY
    Definition: a Privacy Rule requirement that restricts access to PHI to those who need the information to complete the task it was meant for (1).
    - Information obtained is limited to the minimum necessary to complete the task.
    - Be familiar with your specific department’s policies and procedures as well as the organization’s.
  • RELEASE OF PHI GUIDELINES
    Ensure information:
    - is being released to an authorized person
    - fits the minimum necessary standard to complete the task
    - has a valid date
    - is available to be released: written authorization, oral authorization, or qualifies under authorized exceptions
    - request has been documented
    Use professional judgment: make sure the information being requested will not cause:
    - individual harm
    - relationship damage between individual and organization
  • PART II: TRAINING SCENARIOS
    We will now discuss 4 different scenarios: identify the problem, discussion, implement the solution.
  • SCENARIO 1
    Situation: You have an electronic health record. When an error is made in the record, it is the policy of the facility to allow the person who has made the error to totally delete it from the system.
    The Problem: This breaks 3 elements:
    - Integrity: record is accurate and complete
    - Authenticity: record is authentic
    - Non-repudiation: record is undeniable
    Brodnik states the goal of the Security Rule is to “...protect ePHI from unauthorized access, alteration, deletion and transmission.” (1)
  • SCENARIO 1 SOLUTION
    General rules when dealing with an electronic health record:
    - Records should never be deleted
    - When revision is required, the individual making the correction needs to identify the incorrect data, flag it, and provide a link
    - Refer to our organization’s procedures and policies in the rare instance a deletion would need to be made, or contact the Privacy Officer
  • SCENARIO 1 SOLUTION
    An access control list has been established. Access controls categorize which roles have the authorization to delete records. Parameters have been put in place by categories organized by roles and groups. Access rights have been implemented to identify the user and certify that the user has the rights to complete the request. If you do not have sufficient authorization rights for the task at hand, please discuss how to proceed with your supervisor or the HIM manager.
  • SCENARIO 2
    Situation: Patients are allowed to amend the health record directly in the electronic health record with no supervision by staff.
    The Problem: Patients have the ability to change their health records, affecting:
    - Integrity
    - Authenticity
    - Non-repudiation
  • SCENARIO 2 SOLUTION
    In compliance with HIPAA regulations, individuals must have the right to request amendments to their records.
    Patient Amendment Process:
    - Patient must complete an official request (written form, reason for amendment)
    - HIM department will process the request and contact the patient
  • SCENARIO 3
    Situation: When a visitor is at a nurses’ station, the computer screens are visible and readable by the visitor, leaving patient PHI totally available to the public.
    The Problem: Adequate measures are not being taken to secure patient records’ privacy.
  • SCENARIO 3 SOLUTION
    Workstation use and security policies have been updated to include the following requirements:
    - Workstation locations must be in monitored areas
    - Workstation screens need to be adjusted away from public view
    - Use of applicable screen devices such as protectors to block peripheral views is recommended
    - Auto time-outs have been enabled on all workstations
    - Password re-entry is required
    - Security training and awareness program completion is required for all employees who use workstations
  • SCENARIO 4
    Situation: When on the elevator, physicians, nurses, a custodian, and a patient registrar discussed patients by name, health care problem, and in one case, an ongoing litigation case about a malpractice suit.
    The Problem: Breaches have occurred at the organizational and individual level.
    - Employees have failed to protect the privacy of PHI
    - The minimum necessary standard has been violated
  • SCENARIO 4 SOLUTION
    Employee Awareness Standards: employees abide by the Minimum Necessary Rule and the HIPAA Privacy Rule.
  • PENALTIES FOR NONCOMPLIANCE
    It is important to note that there are penalties for noncompliance:
    - Civil penalties: range from $100 per violation to $25,000 max per calendar year
    - Criminal penalties: range from a $50,000 fine and 1 year imprisonment to a $250,000 fine and 10 years imprisonment
  • THINGS TO REMEMBER
    Closing thoughts:
    - We must uphold the responsibility of ensuring patient information (PHI) is protected and that patients know their rights.
    - We must respect individuals, workforce members and the organization, act respectfully, and act in accordance with standards.
  • REFERENCES
    1) Brodnik, MS, McCain, MC, Rinehart-Thompson, LA, Reynolds, RB. Fundamentals of Law for Health Informatics and Information Management. Chicago: AHIMA Press, 2008. p. 134, 140, 159, 176, 179, 182, 214-5, 217, 222.
    2) Hughes, G. Laws and regulations governing the disclosure of health information (updated). AHIMA 2002 Nov [cited 2012 May 21]. Available from: URL: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_016464.hcsp?dDocName=bok1_016464
    3) The HIPAA privacy rule’s right of access and health information technology. Available from: URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/.../eaccess.pdf
    4) The five Ws of HIPAA. Available from: URL: som.ucsd.edu/webfm_send/4665
    5) Health and Human Services Website. Available from: URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
    6) Wiedemann LA, Hjort B. HIPAA Privacy and Security Training (Updated). AHIMA 2010 Nov [cited 2012 May 20]; [1 screen]. Available from: URL: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048509.hcsp?dDocName=bok1_048509
    Figure 1: University of Southern Alabama [Online Image]. Available at: http://www.southalabama.edu/healthprofessions/