MHS HIPAA
AFMOA HIPAA Information

AFMOA HIPAA Information

Published in: Business, Technology
Transcript

  • 1. Air Force Medical Operations Agency: HIPAA Privacy and Security. Excellent Healthcare, Clinical Currency
  • 2. What HSA Students Need to Know about HIPAA
    - Purpose: to provide an introductory overview of HIPAA and how it affects you as a TOPA or future Systems Flight Commander
    - INTERNAL: this presentation focuses on how the HIPAA Privacy and Security Rules affect the Privacy Officer in TOPA, the Security Officer in Systems Flight, and you as a medical member of the Covered Entity
    - EXTERNAL: how HIPAA affects your interaction with Wing "Line" commanders
    - It is not intended to give you a comprehensive understanding of the entire Privacy and Security Rule, nor to address all the requirements your Medical Group must observe in order to be in compliance with the rule
  • 3. General Overview of HIPAA
    - Public Law 104-191
      o Also known as the Health Insurance Portability and Accountability Act (HIPAA)
      o Primary AF guidance for HIPAA Privacy: AFI 41-210 and DoD 6025.18-R
      o Primary AF guidance for HIPAA Security: AFI 41-217
    - The overarching purposes of HIPAA are to:
      o Improve the portability and continuity of health insurance coverage
      o Combat waste, fraud, and abuse in health insurance and health care delivery
      o Simplify the administration of health insurance
      o Standardize all electronic transaction code sets (EDI)
    - HIPAA is much more than just privacy and security: several functions within the healthcare industry had to be overhauled or standardized to meet its mandates
      o Transaction and Code Set Standards (ICD-9, CPT)
      o National Identifier Standards (National Provider Identifier, NPI)
      o Security Standards
  • 4. Medical Group: Improve and Sustain the HIPAA Program
    - Complete the MDG medical mission and comply with HIPAA requirements
    - Make HIPAA IMPROVE the combat operations capability of AFB "Line" units
    - Secure PHI
    - Get needed Protected Health Information (PHI) to the Wing
  • 5. Military Command Authority (MCA)
    - The Military Command Authority (MCA) exemption permits disclosure of PHI to a member's commander in order to determine fitness for duty to conduct the mission
    - This exemption applies only to the PHI of Active Duty ARMED FORCES MEMBERS
  • 6. A Unit Commander wants to know their airman's condition
    - The member's authorization is NOT required; AND
    - Only the "Minimum Necessary" information will be disclosed (similar to OPSEC rules)
    - ALL DISCLOSURES MUST BE DOCUMENTED BY THE MTF
  • 7. Military Command Authority (MCA)
    - A member's PHI may be used or disclosed to appropriate military command authorities:
      o to determine the member's fitness for duty
      o to determine the member's fitness to perform any particular mission, assignment, order, or duty, including compliance with any actions required as a precondition to performance of such mission, assignment, order, or duty
      o to carry out activities under the authority of DoD Directive 6490.2, "Joint Medical Surveillance," August 30, 1997
      o to carry out any other activity necessary to the proper execution of the mission of the Armed Forces
    - Appropriate military command authorities are all commanders who exercise authority over an individual who is a member of the Armed Forces
    - The use may be by the Commander or his/her designee
  • 8. MCA Impact
    - "Line" commanders perceive HIPAA as a barrier to obtaining medical information on the airmen under their command
    - The MDG must maintain and update an MCA roster of commanders and their designees. This roster must include Medical Commanders and their designees
    - "Line" commanders must educate their staff that only the commander and his/her designee may obtain Protected Health Information (PHI) from the MDG
    - Many of the Health and Human Services (HHS) complaints against the AF have resulted from the MDG disclosing PHI to a "Line" member who is not on the MDG MCA list
  • 9. Military Command Authority (MCA)
    - Common examples of health information flows from the MDG:
      o Readiness Reports (PIMR)
      o Quarters notices to the Line
      o Physical Profiles and Duty Limiting Condition Reports
      o Appointment scheduling and reminders
      o Direct communications from healthcare providers
      o Family Advocacy and support programs
      o Required communications from Mental Health providers
      o MEB/PEB processing
      o PRP determinations
      o CITA reports
      o PHAs
      o Requests to access an individual's health records for a specific purpose
      o Requests to meet with a provider to receive clarification of duty limitations, etc.
      o Commander Directed Mental Health Evaluation
  • 10. Military Command Authority (MCA)
    - Air Force actions resulting from the Ft Hood incident:
      o Memorandum for ALMAJCOM/CV, from HQ USAF/SG, Subject: Sharing Protected Health Information with Appropriate Command Authorities, 14 May 2010
      o Memorandum for All MTF/CC, from AFMOA/CC, Subject: Disclosure of Protected Health Information to Appropriate Command Authorities, 24 May 2010
    - Briefing that should be given to all "Line" commanders: PowerPoint Awareness Campaign Presentation
      o Suggest the presentation be viewed in "notes" mode
  • 11. The Privacy Rule: Disclosing Information
    - What is a disclosure?
      o The release, transfer, provision of access to, or divulging of information in any manner outside the covered entity holding the information
      o Any time the Medical Group provides health information on an individual under your command, it is making a disclosure and must document it
    - There are three types of disclosures:
      o Patient's authorization is not required
      o Patient's authorization is required
      o Patient must be given the opportunity to either agree with, or object to, the disclosure; such notice is provided by the Notice of Privacy Practices
    - Disclosures the Privacy Rule permits without a written authorization include: As Required by Law; Judicial and Administrative Proceedings; Medical Facility Patient Directory (the patient must be given the opportunity to object); Research Involving Minimal Risk; Inmates in Correctional Institutions or in Custody; Law Enforcement Purposes; Cadaveric Organ, Eye or Tissue Donation Purposes; Workers' Compensation; Public Health Activities; Specialized Government Functions (MCA); About Decedents; Avert a Serious Threat to Health or Safety; Health Oversight Activities; About Victims of Abuse, Neglect, or Domestic Violence
  • 12. Six Year Retention Requirement
    - Documentation associated with the HIPAA Privacy/Security Program must be maintained for six years from the date of implementation or last use
      o Privacy Implementation Date: 14 Apr 03
      o Security Implementation Date: 21 Apr 05
    - Common documents to be retained:
      o Privacy Officer/Security Officer appointment letters
      o Commander Designee letters
      o Medical Group Instructions or Operating Instructions
      o Local training plans/sign-in sheets
      o Security Risk Assessment (OCTAVE)
      o Privacy Gap Analysis (HIPAA Basics)/MEDFACTS Compliance Assessments
      o Disclosure accountings; complaints; requests for restriction, amendments, or confidential communications
    - Items should be maintained in a file system, not a continuity binder
  • 13. The Privacy Rule in a Nutshell
    - What it does:
      o Sets boundaries on the use and release of health records
      o Establishes safeguards that must be met to protect the privacy of health information
      o Holds violators accountable, with civil and criminal penalties that can be imposed if a patient's privacy rights are violated
    - What the Medical Group must do to comply:
      o Develop local policies and procedures to ensure compliance with privacy requirements
      o Enforce workforce compliance with policies and procedures, including sanctions when required
      o Ensure the workforce is trained on HIPAA requirements
      o Make the MHS Notice of Privacy Practices available to beneficiaries
  • 14. The Privacy Rule: Key Terms
    - Disclosure: allowing healthcare information to be accessed, released, or otherwise conveyed in any manner outside the entity holding the information
    - Protected Health Information (PHI): individually identifiable health information in any form that
      o is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
      o relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual
    - Minimum Necessary: the minimum amount of protected health information necessary to accomplish a permitted use or disclosure
      o The HIPAA Privacy Rule requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information
      o Even within the Medical Group, staff members may only share or gain access to PHI on a role-based basis
  • 15. Notice and Authorizations
    - We are required to give our patients a Notice of Privacy Practices when we make our first contact with them
    - This notice tells them how we will use or disclose their health information under the HIPAA law
    - It also tells our patients about their rights to access their own health information and to receive confidential communications
    - We ask our patients to sign an acknowledgement of the Notice of Privacy Practices to confirm that they have received and understood it. The acknowledgement sticker is placed on the back of medical and dental records
  • 16. HIPAA Patient Privacy Rights (NoPP)
    - To inspect and copy
    - To request restrictions
    - To request confidential communications
    - To request amendment
    - To an accounting of disclosures
    - To obtain a copy of this Notice
    - To file a complaint
  • 17. HIPAA and How It Affects You
    - Transmission of PHI from the Medical Group to you:
      o The Medical Group must observe Privacy Act and AF communications guidelines to ensure e-mail containing PHI is properly safeguarded during transmission
      o This includes use of PKI encryption and digital signature as outlined in AFI 33-119
      o The message must be marked For Official Use Only (FOUO) as outlined in AFI 33-332
      o Information is not transmitted to distribution lists unless each recipient is a Commander's Designee and has a need to receive the information being transmitted
      o The Medical Group will not transmit an e-mail message containing PHI if it cannot be properly encrypted
    - Verification of identity:
      o Medical Group personnel must verify the identity of commanders and designees prior to disclosing health information
      o The Privacy Officer should have a good process in place for members of the MDG to know who the Commanders and Commander's Designees are in each unit
    - Where HIPAA ends and the Privacy Act begins:
      o PHI is a subset of Personally Identifiable Information (PII) as defined in DoD 5400.11-R
      o Within the Medical Group, PHI is governed by both the Privacy Act (PA) and HIPAA
      o Once properly released by the Medical Group, the information ceases to be protected by HIPAA, but remains subject to the Privacy Act
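As an added example (not part of the AFMOA briefing), the following Python puts the MCA disclosure checks from slides 5 through 8 and the identity-verification and documentation requirements from slides 6 and 17 into one gate that runs before any PHI leaves the Medical Group. The roster, patient records, purpose keywords and field names are constructed assumptions for illustration; a real MTF would build the roster from the commander designee letters and write the accounting entry into its disclosure-tracking system.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Purposes for which the MCA exemption permits disclosure (slide 7). The short
# keywords are an assumption for this example.
MCA_PURPOSES = {
    "fitness for duty",
    "fitness for mission",
    "joint medical surveillance",
    "mission execution",
}

# Constructed MCA roster (slide 8): unit -> {person: role}. Only the commander
# and the named designees may receive PHI from the MDG.
MCA_ROSTER = {
    "23 FS": {"Lt Col Ortiz": "commander", "MSgt Greene": "designee"},
    "45 MXS": {"Col Haddad": "commander"},
}

# Constructed patient records. "profile" is the duty-limiting summary; the rest
# of the record is not the minimum necessary for a command inquiry.
PATIENTS = {
    "SrA Doe": {
        "unit": "23 FS", "status": "Active Duty",
        "profile": "DLC: no deployment, no PT until 15 Jan",
        "diagnosis": "(full clinical detail, never released to command)",
    },
    "Mrs Doe": {
        "unit": "23 FS", "status": "Dependent",
        "profile": "n/a",
        "diagnosis": "(not releasable under MCA)",
    },
}


@dataclass(frozen=True)
class DisclosureRequest:
    requester: str
    patient: str
    purpose: str
    identity_verified: bool  # confirmed in person or via PKI-signed e-mail (slide 17)


def evaluate_mca_request(req, roster=MCA_ROSTER, patients=PATIENTS, accounting=None):
    """Apply the MCA checks in order and return (decision, detail).

    decision is "DISCLOSE" or "DENY". On DISCLOSE, detail is the minimum-necessary
    payload; on DENY it is the reason. Every DISCLOSE is appended to `accounting`,
    which is the record the six-year retention rule and the patient's right to an
    accounting of disclosures depend on.
    """
    record = patients.get(req.patient)
    if record is None:
        return "DENY", "no such patient"
    # 1. MCA applies only to PHI of Active Duty Armed Forces members (slide 5).
    if record["status"] != "Active Duty":
        return "DENY", "MCA exemption applies only to Active Duty members"
    # 2. Identity must be verified before anything is released (slide 17).
    if not req.identity_verified:
        return "DENY", "requester identity not verified"
    # 3. Requester must be the commander or a designee for this member's unit,
    #    not merely a commander somewhere on the roster (slide 8).
    role = roster.get(record["unit"], {}).get(req.requester)
    if role is None:
        return "DENY", f"{req.requester} is not on the MCA roster for {record['unit']}"
    # 4. Purpose must be one the exemption covers (slide 7).
    if req.purpose not in MCA_PURPOSES:
        return "DENY", f"purpose '{req.purpose}' not covered by MCA"
    # 5. Minimum necessary (slide 6): release the duty-limiting summary only.
    payload = {"member": req.patient, "profile": record["profile"]}
    # 6. Document the disclosure (slide 6: ALL DISCLOSURES MUST BE DOCUMENTED).
    if accounting is not None:
        accounting.append({
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "patient": req.patient,
            "recipient": f"{req.requester} ({role}, {record['unit']})",
            "purpose": req.purpose,
            "released": sorted(payload),
        })
    return "DISCLOSE", payload


if __name__ == "__main__":
    log = []
    for req in (
        DisclosureRequest("Lt Col Ortiz", "SrA Doe", "fitness for duty", True),
        DisclosureRequest("Col Haddad", "SrA Doe", "fitness for duty", True),
        DisclosureRequest("Lt Col Ortiz", "Mrs Doe", "fitness for duty", True),
    ):
        print(req.requester, "->", req.patient, evaluate_mca_request(req, accounting=log))
    print("accounting entries:", len(log))
```

The order of the checks matters: the Active Duty test comes first so that a dependent's record is never even matched against a roster, and the roster lookup is keyed on the patient's unit so that a commander from another unit (the Army Colonel in the slide 30 hypothetical is the same situation) is refused with a reason the Privacy Officer can quote back. Denials are not written to the accounting list because they are not disclosures, but a production system would log them separately for complaint investigations.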
  • 18. HIPAA and How It Affects You as a Privacy Officer
    - HIPAA Privacy Officer roles and responsibilities:
      o Be the MTF's initial point of contact for all HIPAA Privacy issues and concerns
      o Monitor compliance with HIPAA training requirements
      o Ensure adherence to Federal law, MHS, and AF/SG policies and procedures at the MTF level
      o Investigate patient privacy complaints
      o Develop MTF-specific policies and procedures
      o Implement methods to track disclosures of PHI
      o Chair HIPAA Compliance teams
      o Complete the HIPAA Privacy risk assessment
  • 19. HIPAA and How It Affects You as a Security Officer
    - HIPAA Security Officer roles and responsibilities:
      o Oversee compliance with the HIPAA Security Rule
      o Establish policies and procedures to manage electronic PHI/PII
      o Monitor compliance with HIPAA training requirements
      o Chair the Medical Information Security Readiness Team (MISRT)
      o Develop MTF-specific HIPAA Security policies and procedures
      o Ensure sanction policies are consistently applied for failure to comply with ePHI security and for breaches
      o Complete the OCTAVE HIPAA security risk assessment
  • 20. Important Contacts
    - Effective management requires establishing good working relationships with:
      o Wing SJA/Medical Legal Advisor
      o Regional Medical Legal Consultant
      o AFMOA Regional Health Information Compliance Rep
      o Base Comm Sq IT staff
      o Local hospital Privacy Officers where frequent admissions occur
      o MDG Patient Advocate
      o Base Privacy Act Officer
      o Base Freedom of Information Act (FOIA) Officer
  • 21. Trends
    - HITECH breaches: the AFMS has experienced 3 in total that affected the PHI of 500 or more individuals
    - Improper disposal: PHI accidentally recycled, or employees removing medical forms/PHI
    - Inappropriate AHLTA and CHCS access ("AHLTA snooping")
    - Errant e-mails containing PHI/PII: sent unencrypted, sent to the wrong address or unintended recipients, or sent to an MDG-wide mail group
    - Violation of the "Minimum Necessary" principle when the MDG discloses too much health information
    - MTF mails the wrong medical records to a requestor
    - Lost electronic equipment: laptop, media storage, CD, thumb drive
    - US Postal Service or FedEx: medical records packages opened during shipment to other MTFs or AFPC
    - Test results given to the wrong patient
    - Pharmacy dispenses to the wrong patient
    - Verbal breaches of PHI to neighbors about neighbors
  • 22. HIPAA and Privacy Act Incidents
    - An incident, as defined per HIPAA, is the KNOWN or PERCEIVED unauthorized access, use, disclosure, modification, or destruction of Protected Health Information (PHI)
    - An incident, as defined per the Privacy Act, is the KNOWN or PERCEIVED unauthorized access, use, disclosure, modification, or destruction of Personally Identifiable Information (PII)
  • 23. HIPAA Incidents
    - AFMS personnel must report potential and actual compromises of PII to the United States Computer Emergency Readiness Team (US-CERT) within one hour of the breach occurring or becoming known
    - A Defense Privacy and Civil Liberties Office (DPCLO) Breach Report is then accomplished
    - AFMS organizations experiencing a breach of PHI must provide a copy of the DPCLO Breach Report to AFMOA/SGAT as soon as possible, but not later than 24 hours after the breach occurred or became known
    - AFMOA/SGAT forwards the report to AFMSA/SG3SA, where it is reviewed for content and clarity before being forwarded to the TMA Privacy Office. AFMSA/SG3SA maintains copies of all correspondence and reports associated with breach reporting for tracking and trending incidents within the AFMS, and for documenting HHS reporting requirements
  • 24. US-CERT Notification Procedures (11/14/13)
  • 25. Affected Individual Notification Procedures
    - A "risk of harm" assessment will be accomplished after the incident. If the assessment results in a "high risk of harm", the affected individuals will be notified as soon as possible, but not later than 10 working days after the loss, theft, or compromise is discovered and the identities of the individuals ascertained. The notification should be in writing and should be concise, conspicuous, and in plain language
    - NOTE: the 10-day period is a requirement under DoD 5400.11-R and AFI 33-332 and begins after the Component is able to determine the identities of the individuals whose records were lost. If the Component is able to identify only some of the affected individuals, notification shall be given to those who can be identified, with follow-up notifications made to those subsequently identified
  • 26. Most Common Privacy Issues
    - Health and Human Services reports the following as the most common types of issues investigated (in order of frequency):
      o Impermissible uses and disclosures of PHI
      o Lack of safeguards for PHI
      o Lack of patient access to PHI (CLIA)
      o Uses or disclosures of more than the "Minimum Necessary" PHI
      o Lack of, or invalid, authorizations for uses and disclosures
  • 27. How to Avoid Breaches
    - Do not leave PII unattended
    - Lock records in cabinets/offices
    - Do not remove PII from the office workspace
      o Limit the extraction of PII from protected information systems (e.g. export to Microsoft Access, Excel, printed format, etc.)
    - Be deliberate before posting in shared environments (shared drives)
    - Give access only as needed to perform duties
      o Limit disclosure/access to the absolute minimum needed
      o Have checks and balances in place to prevent misuse
    - Properly destroy records when the retention period is met: you can't lose what you don't have!
  • 28. HIPAA Compliance
    - MEDFACTS: we have added HIPAA elements into MEDFACTS
    - These are regulatory elements to ensure your program is in compliance with the HIPAA rule
    - If your Privacy and Security Officers do not have a MEDFACTS account, suggest they get with the MDG QA folks to obtain one
  • 29. Summary
    - HIPAA hasn't changed your ability to access the health information you need to effectively execute the military mission
    - The Specialized Government Functions provision allows the Medical Group to disclose information to appropriate military command authorities or their designated representatives
    - The Medical Group must observe the "Minimum Necessary" principle when it discloses health information to you
    - HIPAA protects health information, but the Privacy Act remains in force
    - Leadership role: overseeing the HIPAA Privacy and Security functions to keep the MTF compliant
    - Always feel free to consult your AFMOA HIPAA Reps on any case you are dealing with
  • 30. "HIPAA-theticals" for discussion
    - While in the Public Health area, a MSgt who works in PH says to a friend who is not a member of the MDG, "I know your girlfriend has an STD." The PH officer hears about it and calls you to ask what should be done
      o What should you do, and how should you follow up this potential breach of PHI? What guidance and direction would you give your HIPAA Privacy Officer (HPO), who is a lower rank than the MSgt?
    - The Specialized Government Functions provision in the HIPAA rules, outlined in DoD 6025.18-R, allows the Medical Group to disclose information to appropriate military command authorities or their designated representative(s). Your HPO comes and tells you that an Army Colonel on the base for an exercise is a Senior Aide to the 4-star Admiral commanding the Joint Exercise. He says he needs a daily list of the exercise members who come to the MDG so he can brief the Admiral on the health status of the unit. You do not have an MCA list from the Admiral. When the HPO first told the Colonel he could not get the list, the Colonel became visibly angry and demanded to speak with the CO of the MTF
      o What actions would you take to keep the HPO from being intimidated by the Colonel, and how would you provide top cover in this situation?
  • 31. "HIPAA-theticals" for discussion
    - An airman in the Patient Administration section reports to you that one of the other technicians has been accessing AHLTA/CHCS and reviewing the medical status of other MTF staff
      o Do you consider this a privacy breach? Should you involve your HIPAA Security Officer along with your HIPAA Privacy Officer? What rule did this airman break, if any? What resources do you have available to investigate this issue?
    - A member of your MTF contacts an AD patient's unit and speaks to the member's direct supervisor. The MTF staff member discusses the patient's medical condition with the supervisor
      o Do you consider this a privacy violation? What rule did the MTF staff member break, if any? Whom should the MTF staff member have contacted, if not the direct supervisor?
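Slide 21 lists "AHLTA snooping" as a breach trend, and the first hypothetical on slide 31 asks what resources are available to investigate it. The resource that answers the question is the system's record-access audit log, reviewed against who had a legitimate treatment or administrative relationship with each patient. The Python below is an added example, not from the briefing and not AHLTA/CHCS code: the audit-log layout, the encounter table and the list of staff patient IDs are all constructed for illustration, and real audit exports will differ.

```python
import csv
import io
from collections import defaultdict

# Constructed audit-log export (assumed CSV layout, not the real AHLTA/CHCS format).
AUDIT_LOG = """\
timestamp,user,patient_id,action
2013-11-04T08:01,tsgt.king,P1001,view
2013-11-04T08:05,tsgt.king,P1002,view
2013-11-04T08:07,tsgt.king,P2001,view
2013-11-04T08:09,tsgt.king,P2002,view
2013-11-04T08:10,tsgt.king,P2003,view
2013-11-04T09:30,capt.lee,P1001,view
2013-11-04T09:45,capt.lee,P3001,view
"""

# Constructed treatment/administrative relationships for the review window:
# (user, patient_id) pairs backed by an appointment, encounter or work-queue item.
ENCOUNTERS = {
    ("tsgt.king", "P1001"),
    ("tsgt.king", "P1002"),
    ("capt.lee", "P1001"),
}

# Constructed: patient IDs that belong to MTF staff members (the slide 31 case).
STAFF_PATIENT_IDS = {"P2001", "P2002", "P2003"}


def find_snooping(log_text, encounters, staff_ids, threshold=3):
    """Flag users who opened records with no relationship on file.

    A user is reported when the count of such accesses reaches `threshold`,
    or when any of them is a staff member's record (a single such access is
    enough to warrant a look). Returns
    {user: {"no_relationship": [patient_ids], "staff_records": [patient_ids]}}.
    """
    unexplained = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row["user"], row["patient_id"]) not in encounters:
            unexplained[row["user"]].append(row["patient_id"])

    findings = {}
    for user, pids in unexplained.items():
        staff_hits = [p for p in pids if p in staff_ids]
        if len(pids) >= threshold or staff_hits:
            findings[user] = {"no_relationship": pids, "staff_records": staff_hits}
    return findings


if __name__ == "__main__":
    for user, detail in find_snooping(AUDIT_LOG, ENCOUNTERS, STAFF_PATIENT_IDS).items():
        print(f"{user}: {len(detail['no_relationship'])} accesses without an encounter, "
              f"{len(detail['staff_records'])} staff records; refer to the HPO and Security Officer")
```

In the constructed data tsgt.king is reported (three staff records with no encounter) while capt.lee's single unexplained access is not, which is the point of the threshold: one stray access is usually a misclick or a coverage shift and is better handled by spot-check than by a referral. The hard part in practice is the encounter table, not the log; the review is only as good as the system's ability to say who was legitimately assigned to a patient on a given day.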
  • 32. AFMOA Health Info Compliance POCs
    - Chief, Health Benefits Support Branch: 210-395-9944
    - Support Branch: 210-395-9926 (DSN: 969)
    - North: 210-395-9953
    - South: 210-395-9814
    - West: 210-395-9921
    - OCONUS: 210-395-9948
    - Org e-mail box: afmoahipaatraining@us.af.mil
  • 33. Resources
    - DoD 6025.18-R
    - AFI 41-210
    - AFI 41-217
    - Military Health System: http://www.tricare.mil/tmaprivacy/Hipaa.cfm
    - Department of Health and Human Services: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
    - AF HIPAA Guide: https://kx.afms.mil/kxweb/dotmil/kj.do?functionalArea=HIPAA
    - HIPAA Briefing for Commanders: https://kx.afms.mil/kxweb/dotmil/kjFolderList.do?folder=Toolkits&functionalArea=AFMOAHealthBenefits
  • 34. Questions?
