HIPAA FOR THE WORKPLACE 2012

COURSE GOAL
The goal of this training is to help ensure that all Optima employees are prepared to protect the privacy and security of our members’ health information.

LEARNING OBJECTIVES
After reviewing this training and successfully passing the quiz, you will be able to:
• Discuss the 3 different Acts that comprise the Administrative Simplification regulation;
• Demonstrate comprehensive understanding of privacy and security measures for our members; and
• Understand how to prevent, identify and report violations or breaches.

HIPAA OVERVIEW
• The Privacy Rule governs who has access to protected health information (PHI).
• The Security Rule specifies a series of administrative, technical and physical security procedures to assure the confidentiality, integrity and availability of ePHI.
• The goal of the American Recovery and Reinvestment Act (ARRA) is to establish secure electronic health records for all Americans by 2014.
• The Health Information Technology for Economic and Clinical Health Act (HITECH)
• ARRA/HITECH brings changes to the HIPAA regulations in 3 categories:
  – Breach notification
  – Business Associate responsibilities
  – Penalties

HITECH and ARRA RULES
HITECH is designed to encourage health care providers to adopt health information technology in a standardized manner and to protect private health information.
ARRA is the direct result of modifications in the HIPAA Privacy, Security and Enforcement Rules and strengthens health information privacy and security protections.
ARRA specifically addresses:
– Breaches
– Electronic Health Records (EHR)
– Personal Health Records (PHR)

THE PRIVACY RULE
The Privacy Rule is designed to protect individuals’ health information (PHI) and allows individuals to:
• get a copy of their medical records
• ask for changes to their medical records
• find out and limit how their PHI may be used
• know who has received their PHI
• have communications sent to an alternate location or by an alternate means
• file complaints and participate in investigations

GUIDELINES FOR USING & DISCLOSING PHI
You may disclose information, without a member’s authorization, to the appropriate authorities:
• if required by law, court order, etc.
• to public health officials, FDA, etc.
• for abuse or domestic violence
• to help law enforcement officials
• to notify of suspicious death
• to provide information for workers’ compensation
• to assist government actions
• to help in disaster relief efforts
• to avert a serious threat to health or safety
• for health oversight activities

YOUR RESPONSIBILITIES
You are required to:
• disclose PHI – limit the information you share with a person to what he or she needs to know (“minimum necessary” guidelines)
• use PHI according to HIPAA-approved guidelines for access, accounting, amendment, and restriction of PHI
• only access the PHI necessary to complete your job duties
• maintain confidentiality & security of member information at all times

ALTERNATE ADDRESS
Members and Personal Representatives have the right to request alternate confidential means of receiving communications that include PHI.
Send the completed request to the Director of Compliance. The request:
• Must be in writing
• Must indicate the alternate address or specifications for the alternative means of communication
• Must be signed
• If the requestor is a Personal Representative, must include legal proof of their authority to represent the Member

VERIFICATION FOR RELEASE OF PHI
• Prior to making any verbal disclosures of PHI, you must verify the requestor’s identity by asking several identifying questions, e.g., address, birth date, member number, etc.
• You may discuss billing questions, benefit information, etc. without having an Authorization form signed.
• Protected health information may be given to custodial parents, adults acting in loco parentis, emancipated minors, Designated Representatives and Designated Agents as long as an authorization and/or legal documents are on file.

MENTAL HEALTH and SUBSTANCE ABUSE
• Federal law protects all information about a member with a current or past diagnosis of substance abuse and/or mental disorder.
• These laws override the HIPAA laws.
• Protected health information cannot be disclosed without a signed authorization.
• Limited mental health information can be discussed with a minor’s custodial parent.

MINORS
• Federal and State laws protect minors’ (under the age of 18) health care rights.
• Staff may discuss a minor’s health information with custodial parents except for:
  – Pregnancy and family planning
  – Sexually transmitted diseases
  – Substance abuse
  – Mental health, if treatment consent was given by the minor only
• All discussions should be limited to the minimal amount of information necessary to resolve the question.
• If unsure about procedures for releasing information, seek advice from your supervisor or the Compliance Department.

EMAILS
In your daily job responsibilities, email is used to communicate with staff, members, providers and vendors.
Remember:
• Emails about members should only be shared with those who have a need to know this information in connection with their specific job function(s).
• Emails sent externally should be encrypted.
• The email system cannot be used by employees to express discriminatory views, threaten or harass employees, or to advertise information that brings personal or financial gain.

ENCRYPTED EMAIL
ENCRYPTED EMAIL PROCESS for messages to an external email user (non-Sentara):
• The sender needs to insert [secure] in the subject line.
• The recipient(s) needs to register for an IRONPORT (POSTX) mailbox to receive/view the message.
• The message never leaves Sentara’s network in an email format; therefore it is only viewed as a web page over https.

FAXES
• Avoid faxing confidential information. If you send a fax to an incorrect number, report the incident immediately to your Supervisor or Manager.
• Verify fax numbers prior to transmission to ensure the fax will be going to the correct person.
• Use the Optima Health Fax Cover Sheet located on Wavenet.
• The Fax Cover Sheet should contain a confidentiality notice requesting notification if the fax went to the wrong person.

PRIVACY/SECURITY BUSINESS ASSOCIATES (BAs)
• Business Associates perform services to/for Optima Health that involve the use or disclosure of member PHI.
• The Optima Health Business Associate Agreement (BAA) requires specified written safeguards for PHI.
• ARRA requires BAs to comply with all the same regulations as Optima Health.
• Optima’s Business Associates face the same penalties for violations as Optima.
• A Business Associate Agreement (BAA) must be included with the contract.

THE SECURITY RULE
The Security Rule is designed to keep secure the transfer and storage of electronic health information (ePHI) by enforcing:
• Administrative Procedures: These measures manage the selection, development, implementation and maintenance of security measures and include workforce security, security training, policies & procedures.
• Technical Safeguards: The technology that protects ePHI and controls access and transmission security.
• Physical Safeguards: Physical measures to protect the electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

PROTECTING ePHI
Every organization has its own rules for internal and external storing and transferring of information, also known as EDI (electronic data interchange).
You are required to:
- use passwords
- log off computer systems when you leave your desk
- turn monitors so that they are not visible to others
- dispose of disks and CDs properly (contact the IT Dept for disposal assistance)
- always save PHI to a shared directory – not personal drives

WHAT IS A BREACH?
A breach is defined as the acquisition, access, use or disclosure of unsecured PHI which is not permitted by the HIPAA Privacy Rules and which compromises the security or privacy of the PHI.
– Unsecured PHI is any member health information that is not secured through encryption or an approved destruction process that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals.
– PHI can be in any form or medium, including electronic, paper or oral.

HITECH BREACH CHANGES
When a breach is identified, Optima Health is to notify each individual whose unsecured PHI has been, or is believed to have been, accessed, acquired or disclosed.
Business Associates must notify Optima as well as the individual whose PHI was disclosed.
The day the breach is discovered, or the day there is reason to suspect that a breach has occurred, is counted as day one.
Required notifications must occur without unreasonable delay (no more than 60 calendar days after discovery).

REPORTING HIPAA VIOLATIONS OR BREACHES
• If a HIPAA violation, breach or possible breach occurs, complete the Member Disclosure Tracking Form and the HIPAA Breach Form.
• Give it to your supervisor, who will send it to the Director of Compliance.
• Reports may be made without fear of intimidation, coercion, threats, retaliation, or discrimination.
• If you have questions about the Privacy Rule and how it affects your job, talk to your supervisor, compliance personnel or call the Sentara Integrity Hotline at 1-800-981-6667.
• Be sure to notify your supervisor and/or the Director of Compliance even if you are not sure the error is a breach.

OPTIMA BREACH HISTORY

Breaches/violations                                      2010   2011
Sent to wrong provider/group/Business Associate             4      8
Sent to wrong member                                        5      6
Email violation                                             2      6
Fax violation                                               1      8
Encryption violation                                        4      2
Physical security/equipment violation                       5      2
TOTAL BREACHES/VIOLATIONS                                  21     32

Remedial action                                          2010   2011
PHI returned/destroyed                                      7     20
Staff training                                             10      9
Computer/physical security enhanced                         2      4
Staff disciplinary action                                   0      0

This is the end of the 1st Module of the 2012 Optima Health Compliance Course. Please begin Quiz #1. Thank you!