Slide 1

Health Insurance Portability and Accountability Act (HIPAA) of 1996
Presented by Carol Crews, CMPE

Congress called for the Department of Health & Human Services to develop standards and requirements for the electronic transmission of health information.

Title II, the Administrative Simplification provision, provides the legislation around privacy, security and electronic data.

In a constantly changing environment, FCSRMC is committed to educating employees about healthcare information and HIPAA.

Slide 2

Administrative Simplification covers:
• Standardization of Electronic Transactions & Code Sets
• Privacy
• Security
• National Provider Identifiers
• Electronic Signatures
• Electronic Medical Records

Slide 3

• A covered entity is a health plan or payor (including government payors), a healthcare clearinghouse such as a billing service, or a healthcare provider such as a physician, hospital or pharmacy. (Life, Workers' Compensation, Disability and Property and Casualty plans are not health plans under HIPAA.)
• A healthcare provider that transmits any health information in electronic form in connection with a HIPAA standard transaction (claims, eligibility, payment and the like) is a covered entity. Note that "electronic form" means the information existed electronically before transmission: a computer-generated fax counts, while a voice telephone call or a paper-to-paper fax does not, although the information in them is still PHI once the provider is covered.
• FCSRMC, acting as the covered entity, and its member colleges, acting as plan sponsors, have undertaken fiduciary duties to the plan.
• A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA. This may include hospital and medical benefit plans, dental plans, vision plans, health flexible spending accounts and employee assistance plans.

Slide 4

Covered Entities (CEs) must have contracts (Business Associate Agreements) with any third party or business associate that may have access to PHI while carrying out functions or activities on behalf of the college or covered entity. Business Associates include vendors, contractors and subcontractors of CEs. Business Associates are accountable for protecting the privacy and security of PHI and are directly liable for civil and criminal penalties for violations.
Business Associates must notify the CE when they discover a breach of unsecured PHI, and the notification must include the identity of each affected individual and any other information the CE is required to include in its breach notice to individuals.

Slide 5

Protected Health Information (PHI) is:
• Anything that connects a patient or employee/individual to his or her health information
• Medical records and health data containing individually identifiable health information
• Names, identification numbers (Social Security number, address, phone number), medical records, physicians' personal notes and billing information

Slide 6

Any health information that is collected from the patient/individual, or created or received by a Covered Entity, that could identify the individual and relates to:
• the past, present or future physical or mental health or condition of the individual
• the provision of healthcare to the individual
• the past, present or future payment for the provision of healthcare by your college

Slide 7

Identifiers that make health information individually identifiable:
• Names
• Geographic subdivisions smaller than a state (city, street address, county, precinct, ZIP code)
• All elements of dates (birth date, admission date, discharge date, date of death)
  Exception: the year alone may be kept
• Telephone and fax numbers
• E-mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers

Slide 8

Other examples:
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• URLs (Uniform Resource Locators)
• IP addresses
• Biometric identifiers, including voice and fingerprints
• Full-face photographic images
• Any other unique identifying number, characteristic or code

Slide 9

HIPAA's Privacy Rule covers the use and disclosure of PHI, including:
• Individually Identifiable Health Information (IIHI) held or disclosed by a health plan, regardless of how it is communicated (electronically, verbally or in writing)
• Information shared, examined, applied or analyzed by a covered entity that receives or maintains it (a "use")
• Information released, transferred, made accessible or divulged outside the entity (a "disclosure")
• Patient or employee/individual rights over their health information

Slide 10

HIPAA's Privacy Rule is everyone's business, from the CEO to the maintenance staff. It protects our fundamental right to privacy and the confidentiality of our medical information. Basically, the HIPAA Privacy Rule:
• Imposes restrictions on the use and disclosure of personal health information
• Created new rights for individuals concerning their health information

Slide 11

Covered entities cannot share PHI without first making the individual aware of their privacy rights. To use or disclose PHI for purposes other than treatment, payment and health care operations, Covered Entities must obtain a standard consent or authorization, with a few exceptions. Consent can be revoked by the employee/individual (patient) in writing. It is the policy of FCSRMC and its member colleges that individuals have a right to request that no disclosure be made of their PHI; FCSRMC and its member colleges are not obligated to grant the request.
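The identifier categories on slides 7 and 8 are the ones HIPAA's Safe Harbor de-identification method requires removing before health information stops being PHI. The Python below is an added illustration for this training, not part of the FCSRMC deck and not official HHS tooling: it scrubs the identifiers that have a recognisable shape (SSNs, phone numbers, e-mail addresses, URLs, IP addresses, medical record numbers, ZIP codes) from a constructed sample record, reduces dates to the year as slide 7 permits, and reports what it found so the check can be evidenced. Names, street addresses and free-text notes have no fixed shape and need a structured-field allow-list or a clinical NLP tagger; pattern matching is a first pass, never a substitute for the full review. The regexes, the sample record and every value in it are constructed for the example.

```python
from __future__ import annotations

import re

# Identifier categories from slides 7-8 that have a recognisable shape.
# These regexes are constructed for this example; they are deliberately simple
# and are NOT an official or complete Safe Harbor implementation.
_RULES = [
    # (label, pattern, replacement), applied in this order so that an earlier
    # match (e.g. an SSN) cannot be re-matched as a different category.
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),               "[SSN]"),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),   "[PHONE]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),      "[EMAIL]"),
    ("url",   re.compile(r"\bhttps?://\S+"),                        "[URL]"),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),           "[IP]"),
    ("mrn",   re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE),     "[MRN]"),
    ("zip",   re.compile(r"\b\d{5}(?:-\d{4})?\b"),                  "[ZIP]"),
]

# Slide 7: every element of a date is an identifier except the year, so dates
# are reduced to the year rather than removed. Group 1 is the year in both.
_DATES = [
    re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),   # 03/14/1962
    re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),       # 2023-05-01
]


def deidentify(text: str) -> tuple[str, dict[str, int]]:
    """Return (scrubbed_text, counts).

    counts maps each identifier category to the number of hits, which doubles
    as evidence that the record was checked before it left the covered entity.
    """
    counts: dict[str, int] = {}
    for pattern in _DATES:
        text, n = pattern.subn(lambda m: m.group(1), text)
        counts["date"] = counts.get("date", 0) + n
    if counts["date"] == 0:
        del counts["date"]
    for label, pattern, repl in _RULES:
        text, n = pattern.subn(repl, text)
        if n:
            counts[label] = n
    return text, counts


def has_pattern_identifiers(text: str) -> bool:
    """True when at least one pattern-detectable identifier is present.

    A False result does NOT mean the text is de-identified: names and
    addresses are not detectable this way (see the sample below).
    """
    return bool(deidentify(text)[1])


# Constructed sample record with fictitious values, for demonstration only.
SAMPLE = (
    "Patient Jane Doe, DOB 03/14/1962, MRN 0048213, admitted 2023-05-01. "
    "SSN 123-45-6789, phone (555) 867-5309, e-mail jane.doe@example.org, "
    "ZIP 32301-1234. Portal https://portal.example.org/r/77 from 10.0.0.12."
)

if __name__ == "__main__":
    scrubbed, found = deidentify(SAMPLE)
    print(scrubbed)
    print(found)
    # "Jane Doe" survives: names need a different control than regexes.
    print("pattern identifiers remain:", has_pattern_identifiers(scrubbed))
```

Running the block prints the scrubbed record with the dates reduced to 1962 and 2023, every shaped identifier replaced by a bracketed tag, and the per-category counts; the patient's name is still there, which is exactly why the count report should be read as "what the scanner caught", not as a de-identification certificate.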
Slide 12

A summary of the Privacy Notice that is brief and written in plain language will be provided to the employee/individual. It will outline:
• How PHI will be used and disclosed
• The patient/employee's privacy rights, the date, and the patient's or patient representative's signature
• A referral to the organization's full Notice of Privacy Practices
This should be provided by the Group Health Plan's TPA (third party administrator) to the Group Health Plan participants.

Slide 13

Authorization:
• Can be requested for specific purposes
• Is used for use/disclosure of PHI outside the health care facility for the continuum of care
• Generally applies to reasons other than treatment, payment and health care operations
• Only covers the use/disclosure described in the form
• Must have an expiration date
Authorization forms must contain:
• A description of the PHI to be used/disclosed
• The name of the Covered Entity authorized to use/disclose it
• The party to whom the PHI will be released
• Date, signature and expiration date

Slide 14

PHI may be used or disclosed when the individual who is the subject of the information:
• has authorized the use or disclosure;
• has received the Notice of Privacy Practices developed and distributed by your third party administrator (TPA), and the use or disclosure is for treatment, payment or health care operations;
• agrees to the disclosure via the authorization form or a signed copy of this Privacy Policy, and the disclosure is to persons involved in processing or assisting with health care claims;
• or the disclosure is for compliance-related purposes.

Slide 15

PHI may also be used or disclosed when:
• The use or disclosure is for one of the HIPAA "public purposes" (e.g. it is required by law).
• The information is disclosed for a judicial or administrative proceeding, only when accompanied by appropriate documentation and directed to the TPA.
Patient health information will never be used to make employment decisions (hiring, termination, promotion).

Slide 16

The Privacy Rule gives employees/individuals the right to:
• Review the Notice of Privacy Practices
• Review past access and request amendments
• Limit access to PHI: access is limited to people who need it for their specific job function, and only to the minimum necessary to accomplish that function

Slide 17

The following requests should be directed to and processed by the Group Health Plan's TPA:
• Request a review and/or amendment of the health record
• Restrict disclosures
• Access his/her own PHI
• Receive an accounting of disclosures that have occurred outside the TPO (treatment, payment and health care operations) relationships

Slide 18

• File a written complaint if privacy is violated.
  ◦ Complaints should be directed to the college's privacy contact, and any intimidating or retaliatory act against the complainant is prohibited.
• Know that their PHI is safeguarded against any intentional or unintentional use or disclosure that would violate the HIPAA Privacy Rule, through:
  ◦ Physical protection of premises and PHI
  ◦ Technical protection of PHI maintained electronically
  ◦ Administrative protection

Slide 19

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has been assigned the authority to enforce the Privacy Rule. OCR has several responsibilities:
• Investigating complaints it receives from individuals who believe that a Covered Entity is not complying with HIPAA privacy requirements
• Providing Covered Entities with assistance in achieving compliance
• Making determinations regarding exceptions to state law preemption
Any person or organization can file a complaint with OCR, but complaints generally must be filed within 180 days of when the complainant knew (or should have known) that the violation occurred; OCR may extend this for good cause.

Slide 20

Security encompasses the measures organizations must take to protect information in their possession from internal and external threats.
The Security Rule:
• Focuses on requirements for safeguarding PHI in electronic form (ePHI) through policies, procedures and technology, in order to preserve the confidentiality, integrity and availability of ePHI.
• Mandates confidentiality: ePHI is concealed from people who do not have the right to see it.
• Mandates integrity: information is not improperly changed or deleted.
• Mandates availability: ePHI remains accessible to authorized users when they need it.

Slide 21

• Establish an "accounting" procedure to track uses and releases of PHI.
• Limit access to only those employees who require it ("minimum necessary").
• The "minimum necessary" standard requires identifying the persons or classes of persons who need access to PHI to carry out their duties.
• It also requires identifying the categories of PHI each person or class needs (job descriptions are one of the most common places to record this).

Slide 22

Threats to PHI:
• Current and former employees (malicious intent, curiosity, carelessness)
• Visitors
• Business Associates
• Hackers, criminals, terrorists
• Improper use or disposal of PHI

Slide 23

• Ensure that security plans, policies, procedures, training and contractual agreements exist.
• Establish an employee termination policy so that physical and system access is revoked promptly.
• Maintain a security incident reporting system (report, respond, repair).
• Document procedures that address staff responsibilities for protecting data.
• Implement security safeguards that protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as from intrusion.
• Locks, keys and administrative measures used to control access to computer systems and facilities are also included.

Slide 24

Maintain the following documentation for six years from its creation or from the date it was last in effect, whichever is later, unless a longer period applies:
• All necessary policies and procedures. Changes to policies and procedures must not be implemented until they are documented and the appropriate persons have been notified.
• Business Associate Agreements
• Patient acknowledgement of privacy policies

Slide 25

• Authorization forms
• Notices and amended notices
• Training of employees
• Patient/employee complaints and their disposition (documented on the complaint form and forwarded to FCSRMC)
Your organization must cooperate with an OCR investigation or compliance review should one occur.

Slide 26

In accordance with Section 112.0455, Florida Statutes (Drug-Free Workplace Act), drug screen results are confidential and exempt from disclosure under the public records law. In addition, the Americans with Disabilities Act (ADA) and HIPAA require that medical documents be filed separately from personnel records. Medical information should be kept confidential and apart from personnel records even if the organization does not fall under ADA or HIPAA regulations. Medical paperwork that should be filed separately includes:
• Reports from pre-employment physicals
• Drug and alcohol testing results
• Workers' compensation paperwork
• Medical leave of absence forms
• Disability paperwork
• Insurance applications that reveal pre-existing conditions
• Anything that identifies a medical issue

Slide 27

A breach is an impermissible use or disclosure of PHI that compromises its security or privacy. Earlier guidance defined it as a use or disclosure posing a significant risk of financial, reputational or other harm; since the 2013 Omnibus Rule, an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. A Covered Entity (CE) that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured PHI (PHI that has not been rendered unusable, unreadable or indecipherable by encryption or destruction meeting HHS guidance) must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed as a result of a breach. It is not a breach if the CE has a good-faith belief that the unauthorized person who received the PHI would not reasonably have been able to retain it. It is also not a breach when a workforce member unintentionally acquired, accessed or used PHI in good faith and within the scope of his or her authority, as long as it was not further used or disclosed impermissibly.
Slide 28

Improper use or disclosure of PHI can result in the following civil money penalties, as set forth under HIPAA (amounts as stated in this training; HHS adjusts them for inflation):
• If the offender did not know, and by exercising reasonable diligence would not have known, that he/she violated the law: $100 - $50,000 per violation.
• If the violation was due to reasonable cause and not willful neglect: $1,000 - $50,000 per violation.
• If the violation was due to willful neglect but was corrected within 30 days: $10,000 - $50,000 per violation.
• If the violation was due to willful neglect and was not corrected: $50,000 per violation.
• Maximum for all violations of an identical provision in a calendar year: $1,500,000.
Imprisonment comes from HIPAA's separate criminal provisions for knowingly obtaining or disclosing PHI: up to 1 year; up to 5 years if done under false pretenses; and up to 10 years if done with intent to sell the information or for commercial advantage, personal gain or malicious harm.

Slide 29

If records are placed in the wrong hands, it can negatively impact a person's safety, job security or relationships.
• Do not share personal health information without prior consent or authorization.
• Always ensure that the information is being sent to the correct person; never release information without referring to the consent or authorization.
• Use and disclose only the minimum necessary to protect patient privacy.
Remember, privacy is everyone's business. HIPAA is a federal law that all must abide by.

Slide 30

• Identify the systems and areas that hold covered data (paper and electronic).
• Secure your PHI (paper and electronic).
• Ensure your HIPAA policies and procedures are up to date and that all applicable staff know where to find them.
• Assign internal roles and responsibilities (e.g. a privacy officer and a security officer).
• Encrypt data at rest and in transit. PHI encrypted in line with HHS guidance is not "unsecured PHI", so losing an encrypted device generally does not trigger breach notification.

Slide 31

• Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.
• Maintain a separate employee health file.
• Keep all protected information in a limited-access area and under lock and key.
Slide 32

• Manage your password: do not write it down anywhere and do not share it with anyone.
• Use workstations properly.
• Know FCSRMC's sanction policies.
• Learn and follow the college's policies and procedures.
• Don't leave information open and unattended.
• Lock your computer, desk and file cabinets when you leave.
• Use the shredder when destroying information.