Uploaded by Ben Market

TriStar 2021 Job Specific HIPAA and HITECH Privacy Training

HIPAA/HITECH
Privacy
Education for all hospital staff based on role
Information Protection & Security
CONFIDENTIAL – Contains proprietary information.
Not intended for external distribution.
Click on the link below to choose your specialty.
*If you are not certain, check with your supervisor.
• Administrative Staff
• Clergy
• Clinical Non-Patient Care Areas (Pharmacy, Dietary, Quality Management, Social Services)
• Health Information Management
• Nursing Staff and Therapists
• Patient Care Areas (Radiology, Laboratory, OR staff, Pre-Admit Testing, Case Management)
• Volunteers and all Non-Clinical Staff
HIPAA/HITECH
Privacy
Education for Administrative Staff
HIPAA and Its Purpose
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996
• Title II – Administrative Simplification
• It’s a federal law.
• HIPAA is mandatory, penalties for failure to comply.
Purpose:
• Protect health insurance coverage, improve access to healthcare
• Reduce fraud and abuse
• Improve quality of healthcare in general
• Reduce healthcare administrative costs (electronic transactions)
HITECH and Its Purpose
What is HITECH?
• Health Information Technology for Economic and Clinical Health Act
• Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
• It’s a federal law
Purpose:
• Makes massive changes to privacy and security laws
• Applies to covered entities and business associates
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations
Key HITECH Changes
• Breach Notification requirements
• OCR Privacy Audits
• AOD for treatment, payment, and healthcare operations in electronic health record (EHR) environment
• Copy charges for providing copies from EHR
• Business Associate Agreements
• HIPAA preemption applies to new provisions
• Restrictions
• Private cause of action
• Right to access
• Sharing of civil monetary penalties with harmed individuals
• Criminal provisions
• Penalties
Civil Penalties for Non-compliance
As of May 2019
Violation Categories | Minimum penalty/violation | Maximum penalty/violation | Annual limit
No Knowledge | $100 | $50,000 | $25,000
Reasonable Cause | $1,000 | $50,000 | $100,000
Willful Neglect (Corrected) | $10,000 | $50,000 | $250,000
Willful Neglect (Not Corrected) | $50,000 | $50,000 | $1,500,000
Facility Privacy Official (FPO)
Your contact for patient privacy questions!
Responsible for:
• Privacy Program
• Privacy Rights of patients
• Requests for Privacy Restrictions
• Facilitate training and education of staff
Review the Course Attachment for the name of your Facility Privacy Official (FPO)
HIPAA Terminology
• BAA
o Business Associate Agreement
• HIPAA
o Health Insurance Portability and Accountability Act
• HITECH
o Health Information Technology for Economic and Clinical Health Act
• PHI
o Protected Health Information
• CE
o Covered Entity (Hospital)
• ACE
o Affiliated Covered Entity (Common ownership)
• DRS
o Designated Record Set (medical record and billing record)
• AOD
o Accounting of Disclosures (patient’s right to receive)
• OHCA
o Organized Health Care Arrangement
o The hospital and medical staff will be considered an Organized Health Care Arrangement.
• Directory
o Hospital census list used by volunteers and operators with name and room
How does HIPAA affect you?
• Patient information must only be accessed if there is a legitimate need to know
o Example
▪ The information is required for the treatment of a patient.
▪ To carry out health care operations
▪ For payment purposes
o Only the minimum necessary amount of information may be accessed, used or disclosed.
• All workforce members must have privacy job specific training.
How does HIPAA affect you?
• Reasonable safeguards must be in place to protect the privacy of all patients
• Patients are provided with their privacy rights at the time of admission/registration via a Notice
of Privacy Practices
• Written patient authorization is required for most disclosures that are not related to treatment,
payment, or health care operations
Protected Health Information
What is protected by HIPAA (PHI)?
• Name
• Medical record number
• Address including street, city, county, zip code and equivalent geocodes
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Names of relatives
• Name of employers
• All elements of dates except year
o (i.e., DOB, Admission, Discharge, Expiration)
• Telephone numbers
• Fax Numbers
• Finger or voice prints
• Electronic e-mail addresses
• Photographic images
• Social Security Number
• Any other unique identifying number, characteristic, code
Notice of Privacy Practices (NOPP)
• Must be given to each patient that has a face-to-face contact with hospital staff
• Patients must acknowledge receipt of the NOPP
• Must be posted on website and in each of the registration areas of the facility
Confidential Communications
• Patients can request the use of an alternate address or phone number
• If there is a failure to respond by the patient, then the facility may revert to permanent address
or phone number to collect payment
• Request must be communicated with facility FPO to work with the SSC FPO
Contracts
• Must be identified for all departments.
• An HCA HITECH-compliant Business Associate Agreement (BAA) must be executed if PHI will
be:
o Created
o Received
o Maintained
o Transmitted
• Facility must maintain a listing of BAAs.
Patient Privacy Complaints
• A complaint log must be maintained in accordance with the complaint process and facility
policy
• Complaints must be investigated and documented with corrective action, if applicable
• There may be no retaliation due to a complaint being made
• Disposition of complaint must be consistent with the facility’s Sanctions for Privacy and
Security Violations policy
Right to Privacy Restrictions
• Requests for such restrictions must be made in writing to your FPO
• No other facility workforce member may process such a request unless specifically authorized by the FPO
o Example: “I don’t want my information shared with anyone outside the hospital.”
▪ This would not be appropriate because information is required for state reporting and accreditation purposes (e.g., JCAHO)
Accounting of Disclosures (AOD)
Includes all releases of the DRS EXCEPT those:
• Authorized by the patient
• Used for treatment, payment or health care
operations
• Released to individuals themselves
• Used for law enforcement agencies that have
custody of an inmate
• Disclosed as part of a limited data set
• Releases that occurred before April 14, 2003
• Used for national security or intelligence
purposes
Patient’s Right to Access
• Patient has a right to inspect or obtain copies of their medical and billing records.
• Facility will provide a readable electronic or paper copy of portions of record requested.
• Must provide access within 30 days.
Patient’s Right to Amend
• Right to request an amendment of information within the DRS.
• Request must be in writing.
• Facility may deny the requested amendment.
• Patient will be notified via letter from the FPO.
Breach Notification
• HITECH provisions require the following notifications when breaches
(as defined in IP.PRI.011) occur:
o To the patient
o To the Department of Health and Human Services
o To the media when the breach involves more than 500 individuals in the same state or jurisdiction
Security Compliance
• Ensure users log off terminals when not in use.
• Computers should have screen savers whenever possible.
• Computer monitors should be positioned so PHI is not readable by the public or other
unauthorized viewers.
• Printers should be positioned in secure locations so that printed information is not accessible or
viewable by an unauthorized person.
• PHI must be securely disposed of (e.g., shred bins).
Impacts on Patient Care Areas/Ancillaries
• Passcode for family members and friends.
• Patient rights may be requested at any time during hospitalization.
• Verification of requestors.
• Required accounting of disclosures.
• Photography policy.
Examples of Privacy/Security Issues
• Multiple nurses using same password or physician’s staff using physician’s password to get
patient information.
• Inappropriate control or use of documents containing PHI – paper or electronic.
• Lack of knowledge regarding permitted uses of patient information.
Examples of Privacy/Security Issues
• Sharing PHI without an authorization when one is required.
• Failure to act proactively to prevent, detect, or correct privacy or security breaches.
• PHI in the trashcan.
• Not using appropriate safeguards when emailing or faxing.
• Discussing patient information on social networking sites (e.g., Facebook, Twitter).
Sanctions
Two categories of privacy and security violations
• Negligent
o Accidental/inadvertent and/or due to lack of proper education or an
unacceptable number of previous violations.
• Gross Negligence
o Purposeful or deliberate violation of privacy or information security
policies or an unacceptable number of previous violations.
FPO to review sanctions policy
Test your knowledge!
Do you know?
• Who is your FPO?
• Who would you refer a patient privacy issue to?
• What is PHI?
• What is a Notice of Privacy Practices?
• Can you give out information on a “confidential patient”?
HIPAA/HITECH
Privacy
Education for Clergy
Last Updated 6/20/2019
HIPAA and Its Purpose
• It gives patients more control over their health information.
• It establishes appropriate safeguards to protect the privacy of health information.
• Only workforce members with a legitimate “need to know” may access, use or disclose
patient information.
• It holds violators accountable if they violate patients’ privacy rights.
Facility Privacy Official (FPO)
Your contact for patient privacy questions!
Responsible for:
• Privacy Program
• Privacy Rights of patients
• Requests for Privacy Restrictions
• Facilitate training and education of staff
Review the Course Attachment for the name of your Facility Privacy Official (FPO)
HIPAA Privacy and the Clergy
• Hospital Staff Chaplains
o Are considered part of the hospital’s workforce, specifically the healthcare treatment team.
o Staff chaplains are allowed access to the minimum necessary patient health information (PHI) to fulfill their job responsibilities.
o As part of the workforce the hospital must provide job specific HIPAA training.
• Community Clergy
o Facilities are permitted to disclose the facility directory; including the individual’s name, individual’s location, condition in general terms and religious affiliation (if captured), to members of the clergy.
o Providing directory information to community clergy is completely voluntary.
Community Clergy
• The names of patients that have “opted out” of the facility directory must not be included in the
listing given to the community clergy. Best practice is for the directory to be divided by religious
affiliation and only the portion of the directory related to that community clergy’s religious
affiliation be given.
What are three ways that patient confidentiality is
most often violated?
• Discussions of patient information in a public place or with inappropriate, unauthorized
individuals.
• Documents containing patient information that are left exposed where visitors or unauthorized individuals can view them.
• Records that are accessed without the need to know in order to perform job duties.
Minimum Necessary
• Staff chaplains are considered part of the hospital’s workforce, specifically the healthcare
treatment team. Thus, staff chaplains are allowed access to the minimum necessary PHI to
fulfill their job responsibilities
• Several factors must be considered when determining minimum necessary. For example,
which patients’ PHI, and specifically what PHI, a staff chaplain may access in the course of
their job responsibilities.
Minimum Necessary continued…
• Most facilities incorporate a “spiritual assessment” in the initial nursing assessment and ask a
question similar to the following:
o “Would you object to receiving a visit from the Chaplain?”
• If this type of question is asked by nursing, the staff chaplain’s work list may only contain the names of patients who have not objected to a visit. The staff chaplain cannot receive a census list that includes all patient names.
Minimum Necessary continued…
• If the staff chaplain needs additional information beyond the patient’s name and location to plan out or execute their job responsibilities, the list of patients may contain other data elements, such as diagnoses, procedures or length of stay (LOS).
• These elements should only be available to the staff chaplain if they are required in the performance of their job responsibilities. For example, a staff chaplain may use a diagnosis and projected LOS to triage which patients to visit first.
Patient Privacy Complaints
• The FPO must maintain a complaint log in accordance with the complaint process.
• Privacy complaints must be routed to the FPO.
• Responses cannot be accompanied by retaliatory actions by the hospital.
• The disposition of a complaint must be consistent with the facility’s Sanctions for Privacy and
Information Security Violations.
Sanctions
• Two categories of privacy and security violations:
o Negligent
▪ Accidental/inadvertent and/or due to lack of proper education or an unacceptable number of previous violations
o Gross Negligence
▪ Purposeful or deliberate violation of privacy or information security policies or an unacceptable number of previous violations
Questions
• Your Facility Privacy Official (FPO)
• Email the Information Protection & Security mailbox at IPS@HCAHealthcare.com
HIPAA/HITECH
Privacy
Education for Clinical Non-Patient Care Areas
(Pharmacy, Dietary, Quality Management, Social Services)
HIPAA and Its Purpose
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996
• Title II – Administrative Simplification
• It’s a federal law.
• HIPAA is mandatory.
o There are penalties for failure to comply.
Purpose:
• Protect health insurance coverage, improve access to healthcare
• Reduce fraud and abuse
• Improve quality of healthcare in general
• Reduce healthcare administrative costs (electronic transactions)
HITECH and Its Purpose
What is HITECH?
• Health Information Technology for Economic and Clinical Health Act
• Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
• It’s a federal law.
Purpose:
• Makes massive changes to privacy and security laws
• Applies to covered entities and business associates
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations
Facility Privacy Official (FPO)
Your contact for patient privacy questions!
Responsible for:
• Privacy Program
• Privacy Rights of patients
• Requests for Privacy Restrictions
• Facilitate training and education of staff
Review the Course Attachment for the name of your Facility Privacy Official (FPO)
Key HITECH Changes
• Breach Notification requirements
• OCR Privacy Audits
• AOD for treatment, payment, and healthcare operations in electronic health record (EHR) environment
• Copy charges for providing copies from EHR
• Business Associate Agreements
• HIPAA preemption applies to new provisions
• Restrictions
• Private cause of action
• Right to access
• Sharing of civil monetary penalties with harmed individuals
• Criminal provisions
• Penalties
Civil Penalties for Non-compliance
As of May 2019
Violation Categories | Minimum penalty/violation | Maximum penalty/violation | Annual limit
No Knowledge | $100 | $50,000 | $25,000
Reasonable Cause | $1,000 | $50,000 | $100,000
Willful Neglect (Corrected) | $10,000 | $50,000 | $250,000
Willful Neglect (Not Corrected) | $50,000 | $50,000 | $1,500,000
HIPAA Terminology
• BAA
o Business Associate Agreement
• HIPAA
o Health Insurance Portability and Accountability Act
• HITECH
o Health Information Technology for Economic and Clinical Health Act
• PHI
o Protected Health Information
• CE
o Covered Entity (Hospital)
• ACE
o Affiliated Covered Entity (Common ownership)
• DRS
o Designated Record Set (medical record and billing record)
• AOD
o Accounting of Disclosures (patient’s right to receive)
• OHCA
o Organized Health Care Arrangement
o The hospital and medical staff will be considered an Organized Health Care Arrangement.
• Directory
o Hospital census list used by volunteers and operators with name and room
How does HIPAA affect you?
• Coversheets with confidential statement need to be used on all faxes.
• Screens will need to be placed out of public view and screensavers in use.
• Patients will identify who their information can be discussed with, including family.
• All PHI (e.g., dietary slips) will need to be placed in shred containers (e.g., Shred-It bins).
• Patient information must only be accessed if there is a need to know and only the minimum necessary may be used.
Protected Health Information
What is protected by HIPAA (PHI)?
• Name
• Medical record number
• Address including street, city, county, zip code and equivalent geocodes
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Names of relatives
• Name of employers
• All elements of dates except year
o (i.e., DOB, Admission, Discharge, Expiration)
• Telephone numbers
• Fax Numbers
• Finger or voice prints
• Electronic e-mail addresses
• Photographic images
• Social Security Number
• Any other unique identifying number, characteristic, code
Notice of Privacy Practices
• Patients will receive notice upon each registration.
• Patients must acknowledge receipt of the NOPP.
• Must be posted on website and in each registration area.
• Outlines patient rights
o Breach Notification
o Right to Access
o Right to Amend
o Confidential Communication
o Fundraising and the Right to Opt Out
o Right to Privacy Restriction
o Right to Opt Out of Directory
• Review Notice of Privacy Practices in detail.
Confidential Communications
• Patients can request use of alternate address or phone number.
• If there is a failure to respond by the patient, then we may revert to permanent address or
phone number.
Right to Privacy Restrictions
• Patients have the right to request a privacy restriction of
their PHI.
• NEVER agree to a restriction that a patient may request.
• All requests must be made in writing and given to the
FPO to make a decision on.
• NO request is so small that it should not be routed to the
FPO.
Patient Privacy Complaints
• FPO must maintain complaint log in accordance with the
complaint process.
• Privacy Complaints must be routed to the FPO.
• Responses cannot be accompanied by retaliatory actions
by the hospital.
• Disposition of complaint must be consistent with the
facility’s Sanctions for Privacy and Information Security
Violations.
Accounting of Disclosures (AOD)
Includes all releases of the DRS EXCEPT those:
• Used for treatment, payment or health care operations
• Used for law enforcement agencies that have custody of an inmate
• Released to individuals themselves
• Disclosed as part of a limited data set
• Used for national security or intelligence purposes
• Releases that occurred before April 14, 2003
• Authorized by the patient
Additional requirements forthcoming as a result of HITECH regulations
Breach Notification
• HITECH provisions require the following notifications when breaches (as defined in the
regulations) occur:
o To the patient
o To the Department of Health and Human Services
o To the media when the breach involves more than 500 individuals in the same state or jurisdiction
Examples of Exposure
• Sharing of passwords.
• Inappropriate control or use of patient lists with PHI.
• Lack of knowledge regarding permitted uses of patient
information.
• Using business agents without contracts and appropriate
Business Associate Agreements.
• Discussing patient information on social networking sites
(e.g., Facebook, Twitter).
Examples of Exposure
• Sharing PHI without an authorization when one is
required.
• Failure to act proactively to prevent, detect, or correct
privacy or security breaches.
• PHI in the trashcan.
• Discussing PHI with someone who does not have a
need to know.
Sanctions
• Two categories of privacy and security violations
o Negligent
▪ Accidental/inadvertent and/or due to lack of proper education or an unacceptable number of previous violations
o Gross Negligence
▪ Purposeful or deliberate violation of privacy or information security policies or an unacceptable number of previous violations
• FPO to review sanctions policy
Test your Knowledge!
• Who is your FPO?
• Who would you refer a patient privacy issue to?
• What is PHI?
• What is a Notice of Privacy Practices?
• Would you ever agree to a patient privacy restriction?
HIPAA/HITECH
Privacy
Education for Health Information Management
(HIM)
HIPAA and Its Purpose
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996
• Title II – Administrative Simplification
• It’s a federal law.
• HIPAA is mandatory.
o There are penalties for failure to comply.
Purpose:
• Protect health insurance coverage, improve access to healthcare
• Reduce fraud and abuse
• Improve quality of healthcare in general
• Reduce healthcare administrative costs (electronic transactions)
HITECH and Its Purpose
What is HITECH?
• Health Information Technology for Economic and Clinical Health Act
• Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
• It’s a federal law.
Purpose:
• Makes massive changes to privacy and security laws
• Applies to covered entities and business associates
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations
Key HITECH Changes
• Breach Notification requirements
• OCR Privacy Audits
• Business Associate Agreements
• Restrictions
• Right to access
• Criminal provisions
• Penalties
• Copy charges for providing copies from EHR
• HIPAA preemption applies to new provisions
• Private cause of action
• Sharing of civil monetary penalties with harmed individuals
Civil Penalties for Non-compliance
As of May 2019
Violation Categories | Minimum penalty/violation | Maximum penalty/violation | Annual limit
No Knowledge | $100 | $50,000 | $25,000
Reasonable Cause | $1,000 | $50,000 | $100,000
Willful Neglect (Corrected) | $10,000 | $50,000 | $250,000
Willful Neglect (Not Corrected) | $50,000 | $50,000 | $1,500,000
Facility Privacy Official (FPO)
Your contact for patient privacy questions!
Responsible for:
• Privacy Program
• Privacy Rights of patients
• Requests for Privacy Restrictions
• Facilitate training and education of staff
Review the Course Attachment for the name of your Facility Privacy Official (FPO)
HIPAA Terminology
• BAA
o Business Associate Agreement
• HIPAA
o Health Insurance Portability and Accountability Act
• HITECH
o Health Information Technology for Economic and Clinical Health Act
• PHI
o Protected Health Information
• CE
o Covered Entity (Hospital)
• ACE
o Affiliated Covered Entity (Common ownership)
• DRS
o Designated Record Set (medical record and billing record)
• AOD
o Accounting of Disclosures (patient’s right to receive)
• OHCA
o Organized Health Care Arrangement
o The hospital and medical staff will be considered an Organized Health Care Arrangement.
• Directory
o Hospital census list used by volunteers and operators with name and room
How does HIPAA affect you?
• Defines when PHI may be disclosed with and without an authorization or consent
• All PHI (e.g., dietary slips) will need to be placed in shred containers (e.g., Shred-It bins)
• Patient information must only be accessed if there is a need to know and only the minimum necessary may be used.
• Allows PHI to be given to insurance companies, health plans and other covered entities that are requesting information for payment purposes
66
Information Protection & Security
CONFIDENTIAL – Contains proprietary information.
Not intended for external distribution.
What is a Covered Entity?
Health plans, Healthcare clearinghouses, and Healthcare providers that transmit electronically for billing
Examples
• Hospitals
• Physician Practices
• Insurance companies
• Ambulance Transportation Services
• Hospice
• Home Health
What does that mean to me?
• You can share information without patient authorization as it relates to treatment,
payment, and health care operations (TPO).
• Covered entities will request only the minimum necessary to perform their job.
• You may request information from them for reasons of TPO without patient authorization.
• May need to verify the requestor according to policy.
Protected Health Information
What is protected by HIPAA (PHI)?
• Name
• Medical record number
• Address including street, city, county, zip code and equivalent geocodes
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Names of relatives
• Name of employers
• All elements of dates except year
o (i.e., DOB, Admission, Discharge, Expiration)
• Telephone numbers
• Fax Numbers
• Finger or voice prints
• Electronic e-mail addresses
• Photographic images
• Social Security Number
• Any other unique identifying number, characteristic, code
Notice of Privacy Practices
• Patients will receive notice upon each registration.
• Outlines patient rights
o Breach Notification
o Right to Access
o Right to Amend
o Confidential Communication
o Fundraising and the Right to Opt Out
o Right to Privacy Restriction
o Right to Opt Out of Directory
Contracts
• Must be identified for all departments.
• An HCA HITECH-compliant Business Associate Agreement (BAA) must be executed if PHI will
be created, received, maintained, or transmitted.
• Facility must maintain a listing of BAAs.
Patient’s Right to Access
• Must be able to provide access and/or electronic or paper copy of record, including billing record if requested.
• May be presented in written form unless it is for billing records.
o Verbal requests must be logged with paper log or online documentation.
• A summary may be provided if the patient agrees to format and associated fees.
• Must act on request within 30 days.
• If record cannot be produced within 30 days, FPO must be notified.
HIPAA Authorization Requirements
• Patient name
• Requestor
• Date of birth
• Expiration date
• Patient Address
• Revocation statement
• Telephone Number
• Signature of patient or requestor
• Type of Request
• Purpose of request
• Date of request
• Condition statement
• Re-disclosure statement
Verification of Requestors
• Requestors must provide ONE of the following:
o Valid state or federal issued I.D.
o Three of the following:
▪ Patient SS#, DOB and one of the following:
– Account number, street address, MR#, birth certificate, insurance card or policy number
o Positive match of signature on file
Third Party Requestors
• Provide request on letterhead or from email address of the entity they are representing
• Present Identification:
o Business Card
o Badge (If Law enforcement)
o Photo Identification
o Other Official Credentials
o Fax coversheet with company logo
Unacceptable Forms of Identification
• Employment IDs
• Student IDs
• Membership Cards
• Generic Billing Statements
• SSI Cards
• Credit Cards (photo or non-photo)
Releases NOT Requiring Patient Authorization*
Examples of Exposure
• Physician offices
• Emergency Departments
• Insurance companies
• Other Hospitals or care providers
• Peer review
• JCAHO
• Home Health agencies
• State Reporting
• Ambulance transportation companies
• Court Orders
• Cancer Registry Follow-ups
• Quality Assessments
* Provided the applicable regulations in the HIPAA Privacy Rule are met
External Faxing Guidelines
• Limit when possible
• Verify fax number
• Utilize preset numbers when applicable
• Locate fax machine in secure location
• ALWAYS use cover sheet with confidentiality statement for transmittals
• Highly sensitive information should NEVER be faxed (i.e., HIV status, abuse records)
Patient’s Right to Amend
• Right of patient to provide amendment to records
• Request must be made in writing
• Cannot change or omit documentation already in the medical record
• Amendment must be included in all future releases
• Denial Process:
o Amendment may be denied by the FPO
o Patient has right to provide a written statement of disagreement of the denial
o FPO may respond with response statement to the patient’s disagreement
Patient’s Right to Opt out of Directory
• Cannot acknowledge that patient is in hospital or condition of patient except for purposes of
TPO or as otherwise permitted by the HIPAA Privacy Rule.
• Confidential flag will be set in Meditech.
Right to Privacy Restrictions
• All requests must be made in writing and given to the FPO.
• Workforce members must never agree to a patient’s restriction request.
o The FPO must make the determination after reviewing the request.
• As of 2/17/2010, requests may be denied except when a patient pays out of pocket, in full and
requests a restriction to the health plan.
Patient Privacy Complaints
• FPO must maintain complaint log in accordance with the complaint process.
• Complaints must be routed to the FPO.
• Responses cannot be accompanied by retaliatory actions by the hospital.
• Disposition of complaint must be consistent with the facility’s Sanctions for Privacy and Information Security Violations.
Designated Record Set (DRS)
• What is included
o Any information that was used to make a decision about the patient
▪ Medical record
▪ Billing record
▪ Collection notes
▪ Case management notes
▪ UB-04
▪ Itemized bill
o FPO to review DRS policy
Accounting of Disclosures (AOD)
Includes all releases of the DRS EXCEPT those:
• Authorized by the patient
• Used for treatment, payment or health care operations
• Released to individuals themselves
• Used for Law enforcement agencies that have custody of an inmate
• Used for national security or intelligence purposes
• Disclosed as part of a limited data set
• Releases that occurred before April 14, 2003
Additional requirements forthcoming as a result of HITECH regulations
Releases for Research Purposes
• Releases needed to complete a research project or study.
• Must have patient authorization or waiver of authorization from the Institutional Review Board
(IRB).
o Examples of Research
▪ University study of effects of certain drugs.
▪ Study on alternative treatments for patients.
Law Enforcement/Public Good Disclosures
• Subpoenas
• If patient is suspected of a crime
• Health care oversight
• In relation to inmates
• Decedents
• If release is necessary to prevent threat to harm to person(s) or public
• Worker’s compensation
• Research purposes
• Judicial or administrative proceedings
• Victims of abuse, neglect or domestic violence
• As required by law
Breach Notification
HITECH provisions require the following notifications when breaches (as defined in the regulations) occur:
• To the patient
• To the Department of Health and Human Services
• To the media when the breach involves more than 500 individuals in the same state or jurisdiction
Ensuring Security Compliance
• Ensure users log off terminals when not in use.
• Computers should have screen savers whenever possible.
• Computer screens should be positioned so information (PHI) is not readable by the public or
other unauthorized viewers
• Printers should be positioned in protected locations so that printed information is not accessible
or viewable by an unauthorized person.
• PHI must be properly disposed of in shred bins.
Examples
Examples of Exposure
• Multiple people using same password or physician’s staff using physician’s password to get patient information
• Inappropriate control or use of patient lists with PHI
• Lack of knowledge regarding permitted uses of patient information
• Using business agents without contracts and appropriate Business Associate Agreements
Examples
Examples of Exposure
• Sharing PHI without an authorization when one is required
• Failure to act proactively to prevent, detect, or correct privacy or security breaches
• PHI in the trashcan
• Discussing patient information on social networking sites (e.g., Facebook, Twitter)
Sanctions
• Two categories of privacy and security violations
o Negligent
▪ Accidental/inadvertent and/or due to lack of proper education or an unacceptable number of previous violations
o Gross Negligence
▪ Purposeful or deliberate violation of privacy or information security policies or an unacceptable number of previous violations
• FPO to review sanctions policy
Test your Knowledge!
• Do you know who your FPO is?
• Does the patient have the right to access or obtain a copy of their medical record?
• Can a patient amend their record?
• Do you know who to refer patient privacy questions or complaints to?
• What is an Accounting of Disclosures?
HIPAA/HITECH
Privacy
Education for Nursing Staff & Therapists
HIPAA and Its Purpose
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996
• Title II – Administrative Simplification
• It’s a federal law.
• HIPAA is mandatory.
o There are penalties for failure to comply.
Purpose:
• Protect health insurance coverage, improve access to healthcare
• Reduce fraud and abuse
• Improve quality of healthcare in general
• Reduce healthcare administrative costs (electronic transactions)
HITECH and Its Purpose
What is HITECH?
• Health Information Technology for Economic and Clinical Health Act
• Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
• It’s a federal law.
Purpose:
• Makes massive changes to privacy and security laws
• Applies to covered entities and business associates
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations
Key HITECH Changes
• Breach Notification requirements
• OCR Privacy Audits
• Business Associate Agreements
• Copy charges for providing copies from EHR
• Restrictions
• Right to access
• Criminal provisions
• Penalties
• HIPAA preemption applies to new provisions
• Private cause of action
• Sharing of civil monetary penalties with harmed individuals
As of May 2019
Civil Penalties for Non-compliance
Violation Categories
• No Knowledge: minimum penalty/violation $100, maximum penalty/violation $50,000, annual limit $25,000
• Reasonable Cause: minimum penalty/violation $1,000, maximum penalty/violation $50,000, annual limit $100,000
• Willful Neglect, Corrected: minimum penalty/violation $10,000, maximum penalty/violation $50,000, annual limit $250,000
• Willful Neglect, Not Corrected: minimum penalty/violation $50,000, maximum penalty/violation $50,000, annual limit $1,500,000
Facility Privacy Official (FPO)
Your contact for patient privacy questions!
Responsible for:
• Privacy Program
• Privacy Rights of patients
• Requests for Privacy Restrictions
• Facilitate training and education of staff
Review the Course Attachment for the name of your Facility Privacy Official (FPO)
HIPAA Terminology
• BAA
o Business Associate Agreement
• HIPAA
o Health Insurance Portability and Accountability Act
• HITECH
o Health Information Technology for Economic and Clinical Health Act
• PHI
o Protected Health Information
• CE
o Covered Entity (Hospital)
• ACE
o Affiliated Covered Entity (Common ownership)
• DRS
o Designated Record Set (medical record and billing record)
• AOD
o Accounting of Disclosures (patient’s right to receive)
• OHCA
o Organized Health Care Arrangement
o The hospital and medical staff will be considered an Organized Health Care Arrangement.
• Directory
o Hospital census list used by volunteers and operators with name and room
How does HIPAA affect you?
• Coversheets with confidential statement need to be used on all external faxes.
• Screens will need to be placed out of public view when possible
• Patient charts will need to be placed in secure area
• Patient family members will give a passcode for other than directory releases
• All PHI (e.g., dietary slips) will need to be placed in shred containers (e.g., Shred-It bins)
• Patient information must only be accessed if there is a need to know and only the minimum necessary may be used.
How does HIPAA affect you?
• Registration will be giving out a Notice of Privacy Practices brochure to every patient concerning our patient privacy protection policy.
• Patients will be given the option to “opt out” of our directory.
• Patients have a right to a copy of their medical record.
• Authorizations need to be obtained from patient to release information for reasons other than for treatment, payment or healthcare operations (TPO) or as otherwise permitted by the HIPAA Privacy Rule.
Protected Health Information
What is protected by HIPAA (PHI)?
• Name
• Medical record number
• Address including street, city, county, zip code and equivalent geocodes
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Names of relatives
• Name of employers
• All elements of dates except year
o (i.e., DOB, Admission, Discharge, Expiration)
• Telephone numbers
• Fax Numbers
• Finger or voice prints
• Electronic e-mail addresses
• Photographic images
• Social Security Number
• Any other unique identifying number, characteristic, code
What is a Covered Entity?
Health plans, Healthcare clearinghouses, and Healthcare providers that transmit electronically for billing.
Examples
• Hospitals
• Physician Practices
• Insurance companies
• Ambulance Transportation Services
• Hospice
• Home Health
What does that mean to me?
• You can share information without patient authorization as it relates to TPO.
• Other covered entities will request only minimum necessary to perform their job.
• You may request the minimal information necessary from them for reasons of TPO
without patient authorization.
• May need to verify the requestor according to policy.
Disclosing PHI to Family Members and Friends Who Call the Unit
• Patient will be assigned a four-digit passcode.
• Distribution of passcode will be the responsibility of the patient.
• Passcode may be changed during treatment.
o Revocation and password change form must be routed to FPO.
Verification of Requestors
Requestors via phone will need:
• Patient SS#, DOB and one of the following:
o Account number
o Street address
o Medical record number
o Birth certificate
o Insurance card
o Policy number
• Scenarios
o Unknown physician calling from cell phone
o Family member or friend calling without passcode
External Faxing Guidelines
• Limit when possible
• Verify fax number
• Utilize preset numbers when applicable
• Fax machine located in secure location
• ALWAYS use cover sheet with confidentiality statement for transmittals
• Highly sensitive information should NEVER be faxed
o Examples:
▪ HIV status
▪ Abuse records
Patient’s Right to Access
• Forward to HIM for processing.
• Must be able to provide access and/or electronic or paper copy of record.
• If patient is in-house, HIM will manage access process.
Patient’s Right to Amend
• Forward request to HIM for processing.
• Right of patient to request amendment to records.
o Request must be in writing.
• Cannot change or omit documentation already in the medical record.
• If patient is in-house, HIM will manage amendment process.
Patient’s Right to Opt out of Directory
• Patient can opt out of directory at any time, but this will probably happen during admission process.
• You may not acknowledge the patient is in the facility or give information about the patient to
friends, family or others who may inquire.
• Can still release information to family and friends with 4-digit passcode as defined in the
Directory policy.
• Forward any request for opt out to Registration for processing.
Right to Privacy Restrictions
• Patients have the right to request a privacy restriction of their PHI
• NEVER agree to a restriction that a patient may request
• All requests must be made in writing and given to the FPO to make a decision on
• NO request is so small that it should not be routed to the FPO
Patient Privacy Complaints
• FPO must maintain complaint log in accordance with the complaint process.
• ALL privacy complaints must be routed to the FPO.
• Responses cannot be accompanied by retaliatory actions by the hospital.
• Disposition of complaint must be consistent with the facility’s Sanctions for Privacy and Information Security Violations.
Accounting of Disclosures (AOD)
Includes all releases of the DRS EXCEPT those:
• Authorized by the patient
• Used for treatment, payment or health care operations
• Released to individuals themselves
• Used for Law enforcement agencies that have custody of an inmate
• Used for national security or intelligence purposes
• Disclosed as part of a limited data set
• Releases that occurred before April 14, 2003
Additional requirements forthcoming as a result of HITECH regulations
Notice of Privacy Practices (NOPP)
Sharing Information with Other Treatment Providers
TPO
• We can share information for TPO with:
o Physicians and office staff
o Hospitals
o Other treatment facilities for mutual patients
Verify Requestor
• Need to verify the requestor according to policy.
PHI
• Patient information (PHI) can be released for reasons of:
o Treatment
o Payment
o Healthcare operations
Confidential Communications
• Request for use of alternate address or phone number for future contact.
• Route any request for Confidential Communications to Admissions.
• Should communicate only with alternate address given.
Breach Notification
HITECH provisions require the following notification when breaches (as defined in the regulations) occur:
• To the patient.
• To the Department of Health and Human Services.
• To the media when the breach involves more than 500 individuals in the same state or jurisdiction.
Ensuring Security Compliance
• Ensure users log off terminals when not in use.
• Computers should have screen savers whenever possible.
• Computer screens should be positioned so information (PHI) is not readable by the public or
other unauthorized viewers
• Printers should be positioned in protected locations so that printed information is not accessible
or viewable by an unauthorized person.
• PHI must be properly disposed of in shred bins.
Common Exposures on Nursing Units
• Discussions of patient information in
public places such as:
o Elevators
o Hallways
o Cafeterias
• Printed or electronic information left in
public view
• PHI in regular trash
• Records that are accessed without need
to know in order to perform job duties
• Unauthorized individuals hearing patient
sensitive information:
o Diagnosis
o Treatment
o Charts left on counters
• Discussing patient information on social
networking sites
o Facebook
o Twitter
Sanctions
• Two categories of privacy and security violations
o Negligent
▪ Accidental/inadvertent and/or due to lack of proper education or an unacceptable number of previous violations
o Gross Negligence
▪ Purposeful or deliberate violation of privacy or information security policies or an unacceptable number of previous violations
• FPO to review sanctions policy
Test your Knowledge!
• Do you know who your FPO is?
• Does the patient have the right to access or obtain a copy of their medical record?
• Can a patient amend their record?
• Do you know who to refer patient privacy questions or complaints to?
• What is an Accounting of Disclosures?
• Where do you dispose of patient information?
HIPAA/HITECH
Privacy
Patient Care Areas
(Radiology, Laboratory, OR staff, Pre-Admit Testing, Case Management)
HIPAA and Its Purpose
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996
• Title II – Administrative Simplification
• It’s a federal law.
• HIPAA is mandatory.
o There are penalties for failure to comply.
Purpose:
• Protect health insurance coverage, improve access to healthcare
• Reduce fraud and abuse
• Improve quality of healthcare in general
• Reduce healthcare administrative costs (electronic transactions)
HITECH and Its Purpose
What is HITECH?
• Health Information Technology for Economic and Clinical Health Act
• Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
• It’s a federal law.
Purpose:
• Makes massive changes to privacy and security laws
• Applies to covered entities and business associates
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations
Key HITECH Changes
• Breach Notification requirements
• OCR Privacy Audits
• Business Associate Agreements
• Copy charges for providing copies
from EHR
• Restrictions
• Right to access
• Criminal provisions
• Penalties
• HIPAA preemption applies to new
provisions
• Private cause of action
• Sharing of civil monetary penalties
with harmed individuals
As of May 2019
Civil Penalties for Non-compliance
Violation Categories
• No Knowledge: minimum penalty/violation $100, maximum penalty/violation $50,000, annual limit $25,000
• Reasonable Cause: minimum penalty/violation $1,000, maximum penalty/violation $50,000, annual limit $100,000
• Willful Neglect, Corrected: minimum penalty/violation $10,000, maximum penalty/violation $50,000, annual limit $250,000
• Willful Neglect, Not Corrected: minimum penalty/violation $50,000, maximum penalty/violation $50,000, annual limit $1,500,000
Facility Privacy Official (FPO)
Your contact for patient privacy questions!
Responsible for:
• Privacy Program
• Privacy Rights of patients
• Requests for Privacy Restrictions
• Facilitate training and education of staff
Review the Course Attachment for the name of your Facility Privacy Official (FPO)
HIPAA Terminology
• BAA
o Business Associate Agreement
• HIPAA
o Health Insurance Portability and Accountability Act
• HITECH
o Health Information Technology for Economic and Clinical Health Act
• PHI
o Protected Health Information
• CE
o Covered Entity (Hospital)
• ACE
o Affiliated Covered Entity (Common ownership)
• DRS
o Designated Record Set (medical record and billing record)
• AOD
o Accounting of Disclosures (patient’s right to receive)
• OHCA
o Organized Health Care Arrangement
o The hospital and medical staff will be considered an Organized Health Care Arrangement.
• Directory
o Hospital census list used by volunteers and operators with name and room
How does HIPAA affect you?
• Coversheets with confidential statement need to be used on all faxes.
• Screens will need to be placed out of public view and screensavers in use.
• Patients will identify who their information can be discussed with, including family.
• All PHI (e.g., dietary slips) will need to be placed in shred containers (e.g., Shred-It bins).
• Patient information must only be accessed if there is a need to know and only the minimum necessary may be used.
How does HIPAA affect you?
• Registration areas will need to distribute a Notice of Privacy Practices brochure to every patient concerning our patient privacy protection policy.
• Patients will need to be given the option to “opt out” of our directory.
• Patients will have a right to inspect a copy of their medical record.
• Authorizations need to be obtained from patient to release information for reasons other than for treatment, payment or healthcare operations (TPO).
Protected Health Information
What is protected by HIPAA (PHI)?
• Name
• Medical record number
• Address including street, city, county, zip code and equivalent geocodes
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Names of relatives
• Name of employers
• All elements of dates except year
o (i.e., DOB, Admission, Discharge, Expiration)
• Telephone numbers
• Fax Numbers
• Finger or voice prints
• Electronic e-mail addresses
• Photographic images
• Social Security Number
• Any other unique identifying number, characteristic, code
What is a Covered Entity?
Health plans, health care clearinghouses, and
health care providers that transmit claims
electronically for billing.
Examples
• Hospitals
• Physician practices
• Insurance companies
• Ambulance transportation services
• Hospice
• Home health
What does that mean to me?
• You can share information without patient authorization as it relates to treatment,
payment or health care operations (TPO).
• Other covered entities will request only minimum necessary to perform their job.
• You may request the minimal information necessary from them for reasons of TPO
without patient authorization.
• May need to verify the requestor according to policy.
Disclosing PHI to Family Members and Friends
• Patient will be assigned a four-digit passcode that will be needed to get non-directory
information.
• Distribution of passcode will be responsibility of patient.
• May be changed during treatment.
o Revocation and password change form must be routed to FPO.
Verification of Requestors
Requestors via phone will need:
• Three of the following
• Patient SS#, DOB and one of the following:
• Account number
• Street address
• Medical record number
• Birth certificate
• Insurance card or policy number
• Scenarios
• Unknown physician calling from cell phone
• Family member or friend calling without passcode
Notice of Privacy Practices
• Patients will receive notice upon each registration.
• Outlines patient rights
o Breach Notification
o Right to Access
o Right to Amend
o Confidential Communication
o Fundraising and the Right to Opt Out
o Right to Privacy Restriction
o Right to Opt Out of Directory
Patient’s Right to Access
• Patient may request a copy or inspection of their medical
record
• May be presented verbally or in written form
o Verbal requests must be logged with paper log or online
documentation
• Patient request will need to be routed to FPO for
compliance
Patient’s Right to Amend
• Right of patient to request amendment to records.
o Request must be in writing.
• CANNOT change or omit documentation already in the
medical record.
• Amendment must be included in all future releases.
• Requests should be routed to HIM Department or FPO.
Confidential Communications
• Request for use of alternate address or phone number for
future contact
• Need to review form for completeness
• Provide copy to patient
• Document in CPCS upon Registration
• Registrar may not ask for explanation
Right to Privacy Restrictions
• Patients have the right to request a privacy restriction of
their PHI
• NEVER agree to a restriction that a patient may request
• All requests must be made in writing and given to the
FPO to make a decision on
• NO request is so small that it should not be routed to the
FPO
Right to Opt Out of the Directory
• Right to request that general condition and status not be released to those who call.
• Confidential flag will be set in CPCS.
• Even if patient is asked for by name, no information is to
be given.
Patient Privacy Complaints
• FPO must maintain complaint log in accordance with the complaint process.
• Privacy Complaints must be routed to the FPO.
• Responses cannot be accompanied by retaliatory actions by the hospital.
• Disposition of complaint must be consistent with the facility’s Sanctions for Privacy and
Information Security Violations.
Faxing Guidelines
• Limit to urgent or emergency situations
• Verify fax number
• ALWAYS use cover sheet with confidentiality statement for transmittals
• Utilize preset numbers when applicable
• Highly sensitive information should NEVER be faxed
o HIV status
o Abuse records
• Fax machine located in secure location
Accounting of Disclosures (AOD)
Includes all releases of the DRS EXCEPT those:
• Used for treatment,
payment or health care
operations
• Used for law
enforcement agencies
that have custody of an
inmate
• Released to individuals
themselves
• Disclosed as part of a
limited data set
• Used for national
security or intelligence
purposes
• Releases that occurred
before April 14, 2003
• Authorized by the patient
Additional requirements forthcoming as a result of HITECH regulations
Law Enforcement/Public Good Disclosures
• Subpoenas
• As required by law
• If patient is suspected of a crime
• Victims of abuse, neglect or
domestic violence
• In relation to inmates
• If release is necessary to prevent threat of harm to person(s) or public
• Healthcare oversight
• Decedents
• Worker’s compensation
• Research purposes
• Judicial or administrative
proceedings
How will AOD affect me?
• You must enter information into the AOD for:
o State mandated reporting
▪ Suspected abuse victims
▪ Certain disease reporting such as STDs
▪ Brain injury
• Organ and tissue donations
• Health oversight activities
o The Joint Commission
Breach Notification
• HITECH provisions require the following notifications when breaches (as defined in the
regulations) occur:
o To the patient
o To the Department of Health and Human Services
o To the media when the breach involves more than 500 individuals in the same state or jurisdiction
Ensuring Security Compliance
• Computer screens should be
positioned so information (PHI) is
not readable by the public or other
unauthorized viewers.
• PHI must be properly disposed of.
• Sign-in sheets are used properly.
• White boards with limited or no
PHI.
Common Exposures in Patient Care Areas
• Radiology films in public
areas
• Lab/X-ray results left on
counters
• Schedules in public view
• PHI in trash
• White boards with full patient
name
• Poor use of sign-in sheets
• Charts left in public view
Sanctions
• Two categories of privacy and security violations
o Negligent
▪ Accidental/inadvertent and/or due to lack of proper education or an unacceptable number of previous violations
o Gross Negligence
▪ Purposeful or deliberate violation of privacy or information security policies or an unacceptable number of previous violations
• FPO to review sanctions policy
Test your Knowledge!
• Who is your FPO?
• Who do you refer patient privacy complaints to?
• What would you do if you had a patient request
a restriction?
• Can a patient access their medical record?
• Can a patient provide an amendment to their
medical record?
• What is an Accounting of Disclosures?
• Where do you dispose of patient protected health information?
HIPAA/HITECH
Privacy
Education for Volunteers
HIPAA and Its Purpose
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996
• Title II – Administrative Simplification
• It’s a federal law.
• HIPAA is mandatory.
o There are penalties for failure to comply.
Purpose:
• Protect health insurance coverage, improve access to healthcare
• Reduce fraud and abuse
• Improve quality of healthcare in general
• Reduce healthcare administrative costs (electronic transactions)
HITECH and Its Purpose
What is HITECH?
• Health Information Technology for Economic and Clinical Health Act
• Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
• It’s a federal law
Purpose:
• Makes massive changes to privacy and security laws
• Applies to covered entities and business associates
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations
As of May 2019
Civil Penalties for Non-compliance
Violation Categories | Minimum penalty/violation | Maximum penalty/violation | Annual limit
No Knowledge | $100 | $50,000 | $25,000
Reasonable Cause | $1,000 | $50,000 | $100,000
Willful Neglect, Corrected | $10,000 | $50,000 | $250,000
Willful Neglect, Not Corrected | $50,000 | $50,000 | $1,500,000
Facility Privacy Official (FPO)
Your contact for patient privacy questions!
Responsible for:
• Privacy Program
• Privacy Rights of patients
• Requests for Privacy Restrictions
• Facilitate training and education of staff
Review the Course Attachment for the name of your Facility Privacy Official (FPO)
HIPAA Terminology
• BAA
o Business Associate Agreement
• HIPAA
o Health Insurance Portability and Accountability Act
• HITECH
o Health Information Technology for Economic and Clinical Health Act
• PHI
o Protected Health Information
• CE
o Covered Entity (Hospital)
• ACE
o Affiliated Covered Entity (Common ownership)
• DRS
o Designated Record Set (medical record and billing record)
• AOD
o Accounting of Disclosures (patient’s right to receive)
• OHCA
o Organized Health Care Arrangement
o The hospital and medical staff will be considered an Organized Health Care Arrangement.
• Directory
o Hospital census list used by volunteers and operators with name and room
How does HIPAA affect you?
• Coversheets with confidential statement need to be used on all faxes.
• Screens will need to be placed out of public view and screensavers in use
• Patients will identify who their information can be discussed with, including family.
• All PHI (e.g., dietary slips) will need to be placed in shred containers
o Shred-It bins
• Patient information must only be accessed if there is a need to know and only the
minimum necessary may be used.
• Individuals, except medical staff physicians, with access to electronic records systems may not access their own record in any system. Such individuals must request access through their Medical Records/HIM Department.
Protected Health Information
What is protected by HIPAA (PHI)?
• Name
• Health plan beneficiary number
• Address including street, city, county, zip code and equivalent geocodes
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Names of relatives
• Name of employers
• All elements of dates except year (i.e. DOB, Admission, Discharge, Expiration)
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Telephone numbers
• Finger or voice prints
• Fax Numbers
• Photographic images
• Electronic e-mail addresses
• Social Security Number
• Any other unique identifying number, characteristic, code
• Medical record number
Notice of Privacy Practices
NOPP
• Patient will receive Notice upon each registration
• Outlines patient rights
• Breach Notification
• Right to Access
• Right to Amend
• Fundraising and the Right to Opt Out
• Confidential Communication
• Right to Privacy Restriction
• Right to Opt Out of Directory
Right to Privacy Restrictions
• Patients have the right to request a privacy restriction of their PHI
• NEVER agree to a restriction that a patient may request
• All requests must be made in writing and given to the FPO to make a
decision on
• NO request is so small that it should not be routed to the FPO
Patient Privacy Complaints
• FPO must maintain complaint log in accordance with the complaint
process
• Privacy Complaints must be routed to the FPO
• Responses cannot be accompanied by retaliatory actions by the hospital
• Disposition of complaint must be consistent with the facility’s Sanctions
for Privacy and Information Security Violations
Facility Directory
• Directory
• Lists
• Volunteers
• PBX operator
• Others use to see which patients are at the facility
• Patients may opt out of being listed in a
facility directory
• Including lists to clergy
• Patients must invoke the right to opt out and
sign the “Status Change Request” form.
Facility Directory FAQs
Confidential Patients
I am not comfortable stating a patient is not here when in fact they are a patient. Would it be acceptable to transfer the call to my supervisor or admitting?
• No – by doing so you are letting the caller know the patient is here.
• Part of healthcare is to protect the rights of the patient.
• The Patient Bill of Rights guarantees the patient confidentiality.
• HIPAA, a federal law, requires us to follow this policy.
Facility Directory FAQs
Confidential Patients
What harm could come from delivering flowers to the patient? After all it is delivered by the florist and it would brighten the patient’s day.
• Domestic Violence Issues
• Media
• Family Issues
• Not honoring the patient’s request
Facility Directory FAQs
Confidential Patients
Would it be okay to say I am not allowed to give out that information?
• No.
• By doing this, you are alerting the individual that the person is in the facility.
Facility Directory FAQs
Non-Confidential Patients
What information may be released if the patient is non-confidential?
• Confirm patient’s name
• Give patient’s location (e.g., room number)
• Give patient’s condition in general terms (e.g., stable, critical)
What are four ways that patient confidentiality is most
often violated?
• Discussions of patient information in a public place or with inappropriate, unauthorized
individuals.
• Print or electronic patient information that is left exposed where visitors or unauthorized individuals can view it.
• Records that are accessed without the need to know in order to perform job duties.
• Unauthorized persons hearing patient-sensitive information.
Breach Notification
HITECH Provisions
Require the following notifications when breaches (as defined in the regulations) occur:
• To the patient
• To the Department of Health and Human Services
• To the media when the breach involves more than 500 individuals in the same state or jurisdiction
Ensuring Security Compliance
• Users should log off terminals when not in use.
• Computers should have screen savers whenever possible.
• Computer screens should be positioned so information (PHI) is not
readable by the public or other unauthorized viewers.
• Printers should be positioned in protected locations so that printed
information is not accessible or viewable by an unauthorized person.
• Need to address disposal of PHI.
Sanctions
Two categories of privacy and security violations
• Negligent
o Accidental/inadvertent and/or due to lack of proper education
or an unacceptable number of previous violations.
• Gross Negligence
o Purposeful or deliberate violation of privacy or information
security policies or an unacceptable number of previous
violations.
FPO to review sanctions policy
Test your knowledge!
Do you know?
• Who is your FPO?
• Who would you refer a patient privacy issue to?
• What is PHI?
• What is a Notice of Privacy Practices?
• Would you ever agree to a patient privacy restriction?
• Can you give out information on a “confidential
patient”?
Facility Privacy Official (FPO)
Your contact for patient privacy questions!
Responsible for:
• Privacy Program
• Privacy Rights of patients
• Requests for Privacy Restrictions
• Facilitate training and education of staff
Updated February 2021
Your Facility FPO:
Ashland City Medical Center: Kendall Swint
Cartersville Medical Center: Brandy Burchett
Centennial Medical Center: Kendall Swint
Eastside Medical Center: Shawn White
Greenview Medical Center: Jennifer Scofield
Hendersonville Medical Center: Clint Johnson
Horizon Medical Center: Christian Caldwell
Skyline Madison: Irene Arnold
Parkridge Medical Center: Jessica Harber
Parkridge East Medical Center: Dawn Gatlin
Parkridge Valley Medical Center: Jessica Harber
Parkridge West Medical Center: Dawn Gatlin
Pinewood Springs: Melissa Gannon
Redmond Regional Medical Center: Mana Harris
Skyline Medical Center: Irene Arnold
Southern Hills Medical Center: Christian Caldwell
StoneCrest Medical Center: Melissa Gannon
Summit Medical Center: Pamela Samuels
Thank you for participating!
If you have any questions,
please reach out to your
Facility Privacy Official