HIPAA: Health Insurance Portability and Accountability Act

HIPAA is FEDERAL LAW!
- Keep our patients’ healthcare information SECURE
- Keep our patients’ healthcare information PRIVATE
- TELL our patients what their RIGHTS to their healthcare information ARE
- KNOW our HIPAA RESPONSIBILITIES

What “is” patient information?
Any information that lets someone know about that person’s health: PAST, PRESENT or FUTURE. It is “PROTECTED INFORMATION”.

HIPAA says we have to:
- Tell patients about their information rights IN WRITING
- Tell patients about our information privacy and security duties IN WRITING: the “NOTICE OF PRIVACY PRACTICES”
- Keep a record of who received an “NPP”

HIPAA says it is OK to:
- Share healthcare information for Treatment, Payment and Operations (TPO)
- Minimum Necessary: share only the information needed for payment and operations
- Work with our Medical Staff physicians, because we are all now part of an Organized Health Care Arrangement (OHCA)

HIPAA says patients have rights to:
- An accounting of disclosures not done under TPO. Accounting disclosures go back 6 YEARS!
- Request restrictions on ALL disclosures
- Request amendments to their medical records (same as California law)
- Get a copy of their medical record, with some restrictions (same as California law)
- File privacy violation complaints with Community Hospital’s PRIVACY OFFICER

HIPAA says we have to:
Appoint a Privacy Officer that patients can contact. Our “PO” is RON GAASCH. Patients can contact him at 625-4582 or at Community Hospital, Privacy Officer, Compliance and Internal Audit, PO Box HH, Monterey, CA 93942. If patients want to complain to the Department of Health & Human Services, the PO can help them.

HIPAA REQUIRES THAT WE:
- Train all EMPLOYEES and VOLUNTEERS about HIPAA
- Have special contracts with VENDORS that use patient information: HIPAA Business Agreements
- DOCUMENT all our HIPAA privacy work!
- Impose DISCIPLINE on employees who VIOLATE HIPAA

HIPAA VIOLATION PENALTIES -- IT COULD HAPPEN TO YOU!
- $100 fine/day for each violation (up to $25,000 per person, per year)
- $50,000 fine and one year in prison (for improper disclosure of health information)
- $100,000 fine and five years in prison (for getting health information under false pretenses)
- $250,000 fine and 10 years in prison (for using health information for personal gain)

Privacy Officer tips:
- Don’t “look away” from unauthorized uses and disclosures of patient information. REPORT THEM!
- Computer users! Be sure to keep passwords private!
- Know your responsibilities!
- Work with your co-workers to keep our patients’ PHI safe and secure!
- Help our patients’ healthcare information stay PRIVATE and SAFE!

Keeping electronic patient healthcare information secure is not only good practice; it is also required by the federal regulation called HIPAA. Everyone who works at, volunteers at or visits Community Hospital and has access to electronic patient healthcare information is responsible for safeguarding and securing that information. This includes not only employees and volunteers, but also vendors and medical staff. Even if in my job I don’t use anything containing patient information, I still share in the responsibility for seeing that patients’ healthcare information is safe and secure. This means that papers containing patient names and patient information must be disposed of so that the information is no longer readable.

Be careful with your computer password. Never share it, and never write it down where others can see it. If you suspect someone knows your password, report it to your supervisor right away and get a new password. Do not use words found in dictionaries, and don’t use proper names. It is best to build a password by combining numbers, letters, symbols and/or special characters. Try using a combination of upper and lower case letters.

Practice safe computer use! When patient information shows on your screen, you must:
- Position the display screen so no one from the public can read what is displayed on it.
- Log out when you are through working.
- Put a privacy screen on the front so that it is hard for anybody else to see patient information.

When you fax patient healthcare information, double-check the number every time and check it for accuracy before you hit the send key. Remember, if you fax, fax carefully!

All electronic storage media (diskettes, CDs, personal digital assistants, etc.) must always be kept out of sight when not in use, and stored and locked away when no one is there.

CHOMP accepts responsibility to protect patient information security and privacy, and is required by law to audit its information systems to verify that they are being used ONLY for valid work-related reasons. CHOMP is also required by law to take disciplinary action against members of its workforce who intentionally violate its security and privacy policies and procedures.