HIPAA PRIVACY TRAINING FOR ASSOCIATES
HAYS MEDICAL CENTER
CHRISTY STAHL, CPC, COMPLIANCE MANAGER & PRIVACY OFFICER
2010

HMC's Privacy Officer is Christy Stahl. She is responsible for oversight of HMC's compliance with the HIPAA privacy regulations, and she investigates any alleged privacy violations.

Associates
You will notice the term "Associates" is used throughout this training. "Associates" is a broad term covering all of the following individuals associated with HMC:
• Employees
• Volunteers
• Students
• Other trainees
• Members of the Board of Directors
• Locum tenens
• Contract staff
• Independent contractors
• Other persons whose conduct is under the direct control of HMC (whether or not HMC compensates them for such services)

LESSON ONE
Welcome to the introductory lesson on the HIPAA Privacy and Security Rules.

Course Rationale
In this course, you will learn about:
• Federal regulations concerning patient confidentiality and computer security
• How those regulations affect your job duties or training at HMC

Course Goals
After completing this course, you should:
• Know the rules regarding the use and disclosure of protected health information
• Understand safeguards to protect patient privacy
• Appreciate the importance of computer security

Course Outline
Lesson 1 – this introductory lesson gives you the course rationale, goals, and outline
Lesson 2 – provides an overview of the HIPAA Privacy and Security Rules
Lesson 3 – explains the rules regarding use and disclosure of patient information
Lesson 4 – addresses patients' rights concerning their health information
Lesson 5 – covers safeguards to protect patient privacy
Lesson 6 – focuses on HIPAA Security Rule requirements

LESSON 2
Overview of the HIPAA Privacy and Security Rules

Welcome to Lesson 2, an overview of the HIPAA Privacy and Security Rules. After completing this lesson, you should:
– Understand where the rules came from
– Appreciate why we have these rules
– Know the consequences of violating the rules

• HIPAA stands for the Health Insurance Portability and Accountability Act of 1996
• HIPAA is a federal law enacted by Congress and signed by the President in 1996

As part of the HIPAA law, Congress directed the U.S. Department of Health and Human Services (DHHS) to develop regulations that would:
• protect patient privacy
• protect the security of health information stored and transmitted electronically

Compliance with the final HIPAA Privacy Rule has been required since April 2003.
Compliance with the final HIPAA Security Rule has been required since April 2005.
These rules regulate the way covered entities handle protected health information.

Covered Entities
The HIPAA Privacy and Security Rules apply only to covered entities (CEs). There are three types of CEs:
• Health care providers (e.g., hospitals, physicians, nursing homes, pharmacies)
• Health plans (e.g., health insurance companies, employer-sponsored health plans)
• Health care clearinghouses (organizations that process insurance claims)
HMC is a CE, so the hospital, its physician clinics, and its Associates must comply with the HIPAA Privacy and Security Rules.

Protected Health Information
The HIPAA Privacy and Security Rules regulate how we safeguard, use, and disclose Protected Health Information (PHI). PHI includes all individually identifiable health information. PHI is not limited to paper documents: it includes electronic data and oral communications.

Health information includes:
- Past, present, or future physical or mental health or condition of an individual
- Provision of health care to an individual; or
- Past, present, or future payment for the provision of health care to an individual.
Health information is individually identifiable if it:
- identifies an individual, or
- provides some basis from which someone could identify the individual if they wanted to

Examples of information that is considered "identifying":
- name, address, telephone number, fax number, email address
- birth date, admission date, discharge date
- Social Security number, medical record number, account number
- information about relatives, employers, etc.
- vehicle identification number, URL

Examples of PHI
All of the following constitute PHI:
- A lab test report that lists only the patient's medical record number
- A conversation between two nurses about the patient in Room 202
- A message on an answering machine asking John Doe to call his doctor's office
- A receipt for payment of an office visit co-payment

Consequences of violating the HIPAA Privacy and Security Rules
- Significant government fines and penalties against HMC, up to $50,000 per violation
- Criminal penalties against the individuals involved in the violation
- Expensive civil lawsuits brought by individuals against HMC and its Associates
- Damage to HMC's reputation in the community
- For licensed individuals (e.g., nurses, therapists), disciplinary action by their licensing board

Consequences of violating HMC's HIPAA policies
- For HMC employees, disciplinary action by HMC, up to and including termination
- For students, termination of their training at HMC
- For contracted individuals, termination of their contract with HMC

You have completed Lesson 2 on the purpose of the HIPAA Privacy and Security Rules.

Remember:
• The HIPAA Privacy and Security Rules regulate the way covered entities safeguard, use, and disclose protected health information
• PHI is any information relating to a person's health, health care, or payment for health care services that contains something that could be used to identify the person
• PHI is not limited to paper documents.
It includes electronic data and oral communications
• The consequences of violating these rules can be severe for HMC and its Associates

LESSON 3
Uses and Disclosures of PHI

Welcome to Lesson 3 on uses and disclosures of PHI. After completing this lesson, you should be able to:
- List uses and disclosures of PHI allowed under the HIPAA Privacy Rule
- Recognize what must be included in written permission for uses and disclosures
- Define "minimum necessary" use or disclosure

Competing Interests
The HIPAA Privacy Rule tries to balance two competing interests:
- No. 1: protect patient privacy
- No. 2: allow the flow of PHI when needed to ensure high-quality health care and protect public health

A CE cannot use or disclose PHI without the patient's authorization unless an exception applies. Exceptions are based on the purpose of the use or disclosure, not on the type of PHI involved. Let's look at some of those exceptions.

Treatment, Payment, Health Care Operations
Use and disclosure of PHI is permitted without patient authorization if the purpose of the use or disclosure is:
- treatment
- payment
- health care operations

Treatment
HMC may use and disclose PHI to treat its patients. HMC may disclose PHI to other health care providers for them to treat their patients.

Payment
HMC may use and disclose PHI to obtain payment for services it provides.
HMC may disclose PHI to another CE as necessary for that CE's payment purposes.

Health Care Operations
HMC may use and disclose PHI for health care operations, which include:
- management functions necessary to support treatment or payment
- quality assurance activities
- utilization review activities
- audits
- credentialing
Research activities and marketing do not qualify as health care operations.
HMC may disclose PHI to another CE for that CE's health care operations only if that CE has or has had a treatment relationship with the patient and the PHI pertains to that relationship.

Opportunity to Opt Out
HMC may use or disclose PHI in the following ways without a written authorization if the individual has the opportunity to agree to, prohibit, or restrict the use or disclosure:
- HMC may use a patient's name, location in the facility, religious affiliation, and condition described in general terms to maintain a facility directory. HMC may disclose this information to clergy or, with the exception of religious affiliation, to other persons who ask for the patient by name
- HMC may disclose to a patient's family member, close personal friend, or other person identified by the patient the PHI directly relevant to that person's involvement in the patient's care or payment for services
- HMC may use or disclose PHI to notify a family member, a personal representative of the individual, or another person responsible for the individual's care of the patient's location, general condition, or death

Other Permitted Uses and Disclosures Without Written Authorization
The HIPAA Privacy Rule includes several other exceptions that permit use and disclosure of PHI without written authorization:
- as specifically required by law
- for public health activities (e.g., reporting disease or injury)
- to report victims of abuse, neglect, or domestic violence
- for health oversight activities by the government
- in judicial and administrative proceedings
- for law enforcement purposes
- to coroners and medical examiners, or for the purpose of cadaveric organ, eye, and tissue donation
- to avert a serious threat to health and safety
- to a funeral director as necessary to carry out duties with respect to the decedent
- for specialized governmental functions
- for workers' compensation claims

Special Rules for Certain Types of Disclosures
Use and disclosure of PHI without an authorization for the following purposes is permitted only in limited circumstances:
- marketing
- fundraising
- research

Special Rules for Certain Types of PHI
Certain types of PHI are subject to special protections under state and federal law:
- HIV/AIDS information
- records of treatment in a federally assisted drug and alcohol treatment program
- information relating to patients of community mental health centers, community service providers, psychiatric hospitals, or state institutions for persons with intellectual disabilities
Even if a particular use or disclosure is permitted without an authorization under the HIPAA Privacy Rule, it may be prohibited under these other rules.

Authorizations
If no exception applies, HMC must obtain a written authorization from the patient (or personal representative) before using or disclosing the patient's PHI.

Authorization – Required Elements
To be effective, a written authorization must include:
- Description of the PHI to be used or disclosed
- Description of the purpose of the use or disclosure
- Description of the persons or class of persons that may use the PHI or to whom the PHI may be disclosed
- Revocation and re-disclosure instructions
- A statement that HMC will treat the patient regardless of whether the authorization is signed
- Expiration date or triggering event
- Signature of the individual (or of the personal representative, with a description of his or her authority)
HMC has a standard Authorization Form it uses to release PHI.
Breach Notification
– If a patient's PHI is breached, HMC must provide specific written notice of the breach to that patient within 60 days of discovery
– HMC must also report breaches to the government (annually for breaches affecting fewer than 500 individuals)
– Breach = improper use or disclosure + potential for harm to the individual
– HMC must review every improper use or disclosure to determine whether it constitutes a breach
– Failure to document such a review is itself a HIPAA violation
• Associates must report all improper uses or disclosures of PHI to HMC's Privacy Officer

Minimum Necessary Rule
Any use or disclosure must be limited to the minimum amount of information necessary to accomplish the specific purpose of the use or disclosure.

The minimum necessary rule does not apply to:
- uses and disclosures for treatment purposes
- uses and disclosures made pursuant to an authorization
- disclosures to the person who is the subject of the information
- disclosures required by law

Associate Access to PHI
An Associate may access or discuss any patient's PHI only to the extent necessary to perform his or her job duties. An Associate who accesses or discusses any patient's PHI (including that of family members) without a legitimate job-related reason for doing so will be subject to discipline up to and including termination.

What To Do If You Have Questions
The rules concerning use and disclosure of PHI can be confusing. If you have a question concerning these rules, contact HMC's Privacy Officer, Christy Stahl:
- 785-623-2188 (work)
- 785-623-1821 (cell)
- [email protected]

You have completed Lesson 3 on uses and disclosures of PHI.

Remember:
- you cannot use or disclose PHI without written authorization unless an exception applies
- uses and disclosures for treatment, payment, and health care operations are permitted
- several other exceptions apply in specific circumstances
- a written authorization must contain specific information to be valid
- all improper uses or disclosures of PHI must be reported to the Privacy Officer to determine whether breach notification is required
- an Associate who uses or discloses a patient's PHI without a job-related reason for doing so will be disciplined
- seek guidance from your supervisor or the Privacy Officer before disclosing any PHI to a police officer
- if you have questions concerning uses and disclosures of PHI, contact HMC's Privacy Officer

LESSON 4
Patients' Rights Concerning Their PHI

Welcome to Lesson 4 on patients' rights concerning their PHI. After completing this lesson, you should be able to:
- identify patients' rights concerning their PHI
- assist a patient who wants to exercise one of those rights

Right to Access PHI
HMC must give a patient access to inspect and copy his or her PHI maintained in a designated record set. A patient wanting access must submit a written request to the Medical Records Department.

Right to an Accounting
A patient may request an accounting of HMC's disclosures of the patient's PHI made within the last 6 years. Such an accounting does not include disclosures for treatment, payment, or health care operations, or disclosures authorized by the patient. A patient wanting an accounting must submit a written request to the Privacy Officer.

Right to Request Amendments
A patient can request that PHI be amended if he or she believes it is not accurate. HMC can deny such a request if the information is accurate and complete or was not created by HMC. A patient seeking an amendment must submit a written request to the Privacy Officer or to the Medical Records Department.

Right to Request Restrictions
A patient may request that HMC restrict uses or disclosures that are permitted without authorization. Such a request must be made in writing to the Privacy Officer or to the Medical Records Department. HMC is not required to agree to such a request.

Right to Receive Confidential Communications
A patient may request that HMC communicate with him or her by alternative means or at alternative locations (e.g., only contact the patient at a certain telephone number). HMC must abide by all reasonable requests. If a patient makes such a request to you, make sure it is communicated to the appropriate people and documented appropriately.

You have completed Lesson 4 on patients' rights concerning their PHI.

Remember: a patient has the right to
- access his/her PHI
- obtain an accounting of HMC's disclosures of his/her PHI
- request an amendment to his/her PHI
- request restrictions on uses and disclosures permitted without an authorization
- receive confidential communications

LESSON 5
Administrative Requirements

Welcome to Lesson 5 on administrative requirements. When you complete this lesson, you should be able to:
- identify the administrative requirements the HIPAA Privacy Rule imposes on HMC
- understand the importance of following safeguards to prevent improper disclosures of PHI

Notice of Privacy Practices
• HMC must give all of its patients a written Notice of Privacy Practices
• Patients are asked to sign an acknowledgement of receipt
• A copy of the Notice is available on HMC's website, www.haysmed.com

Safeguards
All Associates must follow safeguards to prevent improper uses and disclosures of PHI. As part of your work, you will have conversations with patients, family members, and co-workers involving PHI; take care that others cannot overhear those conversations. Never leave documents containing PHI unattended where unauthorized persons could access them.

Safeguards (Cont.)
Never share your computer password with anyone else. Never allow anyone else to use your computer password. If you have reason to believe your password has been compromised, notify the Privacy Officer immediately.

Safeguards (Cont.)
Always wear your name badge; badges let Associates recognize unauthorized individuals and keep them away from PHI. Confirm the identity of the person you are speaking with, and follow procedures when leaving messages. Keep all PHI within an HMC facility unless your job duties specifically require otherwise (this is the rule, not the exception).

Safeguarding Electronic PHI (e-PHI)
Computer security measures:
▪ Passwords and access codes
▪ Audit logs
▪ Physical location of equipment
▪ Firewalls, virus detection
▪ Password-protected screensavers
▪ Removal and destruction
▪ User profiles
▪ Encryption
▪ Data back-up

Other Administrative Requirements
To comply with the HIPAA Privacy Rule, HMC must:
- discipline Associates, vendors, and agents that violate the HIPAA Privacy Rule
- maintain a complaint/grievance process for complaints about HIPAA Privacy Rule violations
- take action, to the extent possible, to mitigate any harmful effect of an inappropriate use or disclosure of PHI

Reporting Concerns
If you believe there has been a violation of the HIPAA Privacy Rule, report that information to the Privacy Officer as soon as possible.

Prohibition on Waiver and Retaliation
HMC will not require any person to waive his or her rights under the HIPAA Privacy Rule as a condition of treatment or payment of benefits. HMC strictly prohibits any retaliation, intimidation, or discrimination against persons exercising their rights under the HIPAA Privacy Rule.

You have completed Lesson 5 on the HIPAA Privacy Rule's administrative requirements.

Remember:
- you must act to protect patient confidentiality
- you will be disciplined if you do not follow proper safeguards
- you must report suspected violations of the Privacy Rule to HMC's Privacy Officer

Your responsibilities:
• Comply with the HIPAA Privacy Rules
• Follow the Confidentiality Agreement
• Do not take any PHI out of the facility
• Do not access your own medical record or the medical record of a family member on your own; make a request at the Medical Records Department (Health Information Management)
• Do not access any medical record unless your job or training requires you to access that patient's record
• Do not have an Associate, physician, or any other person access a record for you

Your responsibilities (Cont.):
• Do not view patient status boards for other departments
• Never text any information about a patient
• Do not discuss patients with persons outside HMC
• Do not discuss your training experience at HMC on Facebook, MySpace, or Twitter, even if you do not mention patient names
• Associates who are students must de-identify all information they use, unless their HMC supervisor gives approval to obtain an authorization from the patient
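The following is an added example, not part of HMC's training or any HMC system. It applies the "individually identifiable" test from Lesson 2 and the de-identification that students are told to perform above, using only the identifier categories the training lists. The field names, the regular expressions, and the sample lab report are constructed assumptions. It demonstrates the page's own point that a lab report with no name but a medical record number is still PHI, and that free-text notes leak identifiers a field-level scrub would miss.

```python
import re

# Field names that carry the identifiers the training lists (constructed names;
# a real record schema will differ). The training's list is a subset of the
# HIPAA Safe Harbor identifiers in 45 CFR 164.514(b).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "address", "telephone", "fax", "email",
    "birth_date", "admission_date", "discharge_date",
    "ssn", "medical_record_number", "account_number",
    "relatives", "employer", "vehicle_id", "url",
})

# Identifiers that also hide inside free text (notes, transcribed conversations).
# Order matters: the broad URL pattern runs before the narrower date pattern so
# a date embedded in a URL is redacted as part of the URL. The patterns err
# toward over-redaction; names cannot be matched this way and need a human read.
FREE_TEXT_PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("url",   re.compile(r"https?://\S+")),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("mrn",   re.compile(r"\bMRN[:#]?\s*\d+\b", re.IGNORECASE)),
]


def is_identifiable(record: dict) -> list[str]:
    """Return the reasons a record still counts as individually identifiable PHI.

    An empty list means none of the listed identifiers was found. Identifier
    fields are reported as "field:<name>"; identifiers found inside other
    string values are reported as "<field>:<kind>".
    """
    reasons = [f"field:{f}" for f in sorted(record) if f in DIRECT_IDENTIFIER_FIELDS]
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or not isinstance(value, str):
            continue
        for kind, pattern in FREE_TEXT_PATTERNS:
            if pattern.search(value):
                reasons.append(f"{field}:{kind}")
    return reasons


def deidentify(record: dict) -> dict:
    """Drop identifier fields and redact identifier patterns inside free text."""
    clean = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # the whole field is an identifier: drop it
        if isinstance(value, str):
            for kind, pattern in FREE_TEXT_PATTERNS:
                value = pattern.sub(f"[{kind.upper()}]", value)
        clean[field] = value
    return clean


# Constructed sample: a lab report that names no one. It is still PHI because
# the MRN identifies the patient, and the note leaks a phone number, a date,
# and a portal URL.
SAMPLE_LAB_REPORT = {
    "medical_record_number": "4471209",
    "test": "HbA1c",
    "result": "7.2 %",
    "note": "Result discussed by phone at 785-555-0142 on 03/04/2010; "
            "follow-up via https://portal.example/4471209",
}

if __name__ == "__main__":
    print(is_identifiable(SAMPLE_LAB_REPORT))
    scrubbed = deidentify(SAMPLE_LAB_REPORT)
    print(scrubbed)
    print(is_identifiable(scrubbed))
```

Pattern scrubbing is a first pass, not a guarantee. Names, street addresses, and the Safe Harbor identifiers the training does not list (ZIP codes, ages over 89, device serial numbers, biometric identifiers, and similar) are not caught by this code, so material a student has de-identified still needs a human review against the full list in 45 CFR 164.514(b) before it is used.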