HIPAA For General Workforce: What you need to know
HIPAA Training Presentation for Management Workforce

The Catholic Health Initiatives Mission

Catholic Health Initiatives continues the journey begun by our foundresses. Like these women religious, we continue the healing ministry of Jesus Christ through the provision of health care in our many communities. Our core values of reverence, integrity, compassion and excellence guide us on this journey. We build relationships based upon these core values. These relationships enable us to assume the challenging role of caring for those most in need, those least able to care for themselves.

Our core values and standards of conduct are the principles that guide us in navigating the complexity of providing health care. At a minimum, we are expected to follow all laws related to our responsibilities. However, following the law is not enough. Our values call us to live by an ethical standard that is greater than the law.

We are responsible for ensuring the privacy of an individual’s health information and are entrusted with that information in order to provide the necessary care and services. We have a duty to prevent the inappropriate use or disclosure of an individual’s health information.

Course Objectives/Navigation

The objectives of this course are:
– To foster and maintain a culture of integrity.
– To develop individual and team character and virtue in the workplace.
– To foster compliance with applicable federal and state laws and regulations.
– To understand the policies and procedures in order to protect health information.

Navigating this course: Each course contains Cases to Consider, which are designed to help improve your understanding of the course material. At the end of each course you will take a Section Test. The Section Test is designed to measure your understanding of the course material and is scored. You will be required to successfully pass the Section Test.
You can use the arrows at the top and bottom of your screen to move forward and backward through the course. For most people, this course should take approximately 1 hour.

Education Objectives
• Understand the Health Insurance Portability and Accountability Act (HIPAA) rules and regulations
• Understand the penalties for not complying
• Understand patients’ rights and health care workers’ role in protecting them
• Understand your responsibilities under HIPAA-related policies and procedures

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is a federal law imposed on all health care organizations, including:
• Hospitals, physician offices, home health agencies, nursing homes, and other health care providers
• Clearinghouses
• HMOs, private health plans, and public payers such as Medicare and Medicaid
The above organizations are considered Covered Entities under HIPAA.

HIPAA
• HIPAA consists of five main sections, or “titles.” The most important title for health providers is Title II, Administrative Simplification.
• The three main components of Title II include the following standards:
  – Privacy
  – Security
  – Electronic Data Interchange
• The Privacy and Security standards will be reviewed in this module.
HIPAA Privacy Rule
• Compliance date of April 14, 2003
• Gives patients federal rights to gain access to their medical records and restrict who sees their health information
• Requires organizations to take measures to safeguard patient health information
• Requires organizations to train members of the workforce on patients’ rights to privacy and control over their health information
• Punishes individuals and organizations that fail to keep patient health information confidential

The Privacy Official
A Privacy Official has been appointed by each covered entity to:
• Manage the development of the organization’s privacy standards, policies, and procedures
• Oversee training and education of workforce
• Enforce the rules and investigate violations

Myths about HIPAA
• Patients cannot be paged
• Organizations must get rid of all their semi-private rooms and put up sound barriers
• Organizations cannot put patient names outside their doors or use white boards
HIPAA does not require the above measures and these myths are not true.

Quiz Question
What type of rule is HIPAA?
a. a state law imposed only on hospitals
b. a federal law imposed on all health care organizations
c. a guideline set forth by the American Medical Association
d. an accreditation requirement
Answer: b. HIPAA is the first federal regulation that gives patients rights to gain access to their medical records and restrict who sees their health information.

Safeguarding Health Information

What is Confidential?
Any information about a patient written on paper, saved on a computer, or spoken, is protected health information (PHI), including:
• Name
• Address
• Age
• Social Security number
• Phone number
• E-mail address
• Diagnosis
• Medical history
• Medications
• Observations of health
• Medical record number
• And more...
Protect Patient Privacy “Do’s”
• Log off the computer when you’re finished
• Dispose of health information only by shredding or storing in locked containers for destruction
• Notify Security if you see an unescorted visitor in a private area

Protect Patient Privacy “Don’ts”
• Don’t leave patient records lying around
• Don’t discuss a patient in public areas such as elevators, hallways, and cafeterias
• Don’t look at information about a patient unless you need it to do your job

Rules for Computers “Do’s”
• Keep your password a secret
• Turn computer screens away from public view
• Change your password every 180 days or as required by internal policy
• Do not log into the system using someone else’s password
• Do not remove equipment, disks, or software without permission

Quiz Question
When are you free to repeat a patient’s private health information that you hear on the job?
a. after you no longer work at the organization
b. after a patient dies
c. if you know the patient would not mind
d. when your job requires it

Quiz Question
Which of the following is protected health information under HIPAA?
a. the patient’s address
b. the patient’s allergies
c. the patient’s medical record number
d. all of the above

Quiz Question
Which of the following types of information does HIPAA’s privacy rule protect?
a. patient information in electronic form
b. patient information communicated orally
c. patient information in paper form
d. all of the above

Do You Need to Know? The Minimum Necessary Standard

Do You Need To Know?
HIPAA requires health care workers to use the minimum amount of health information they need to do their jobs efficiently and effectively. Ask yourself:
• Do I need this information to do my job and provide good service?
• What is the least amount of information I need to do my job?

Do You Need to Know?
• Coders and billers need to look at certain portions of records to code and bill correctly
• Professional health care workforce members such as doctors, nurses, and therapists need to look at their patients’ records to care for them
• Housekeeping staff do not need to look at patient records to perform their job

Quiz Question
What question should you ask yourself before looking at health information?
a. Would the patient mind if I looked at this?
b. Do I need to know this to do my job?
c. Can anyone see what I’m doing?
d. Am I curious?

Quiz Question
Your sister’s friend just had triple bypass surgery at your organization. She asks you to find out his prognosis. What should you do?
a. ask a nurse on the floor how the patient is doing and pass the information along to your sister
b. log in to the computerized record system and read the patient’s record to find information for your sister
c. explain that it is a violation of the patient’s privacy for you to ask around or look at his record, and suggest that she call one of her friend’s family members
d. none of the above

Authorization

Authorization
Organizations must obtain authorization from a patient before using or sharing protected health information (PHI) for reasons other than treatment, payment, or health care operations. Reasons other than treatment, payment or health care operations include:
– Marketing
– Fundraising
– Research
– Employment determinations
• A patient may revoke an authorization at any time by making a written request.
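The Minimum Necessary standard and the “Do You Need to Know?” role examples above describe who needs which parts of a record; the organization also keeps an audit trail of which records each login opens. The following is an added example, not code from this training deck or from Catholic Health Initiatives: a small review script that turns those role descriptions into an access policy and scans constructed audit records for accesses outside a role’s job need, including a clinician opening the record of a patient who is not under their care. The record-section names, roles, user and patient IDs, care-team assignments and the log line format are all assumptions made for this example.

```python
"""Minimum-necessary access review over a constructed audit log.

Added example; it is not code from the training deck or from Catholic
Health Initiatives. It turns the deck's role descriptions into a small
access policy and flags audit records that fall outside a role's job need.
The record-section names, the roles, the user and patient IDs, the
care-team assignments and the log format are all constructed for this demo.
"""
from dataclasses import dataclass

# Which record sections each role needs for its job. The deck says coders and
# billers need "certain portions" of the record, clinicians need their own
# patients' records, and housekeeping needs none; the exact sections below
# are an assumption for the example.
ROLE_POLICY = {
    "physician": {"history", "diagnosis", "medications", "lab_results", "procedures"},
    "nurse": {"history", "diagnosis", "medications", "lab_results"},
    "therapist": {"history", "diagnosis", "procedures"},
    "coder": {"diagnosis", "procedures"},
    "biller": {"procedures", "billing"},
    "housekeeping": set(),
}
# Roles whose access is additionally limited to the patients they are treating.
CLINICAL_ROLES = {"physician", "nurse", "therapist"}
# Care-team assignments (constructed): clinician user ID -> patients under their care.
ASSIGNMENTS = {
    "dr_lee": {"P1001", "P1002"},
    "rn_ortiz": {"P1001"},
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    section: str


def parse_log(text):
    """Parse 'timestamp|user_id|role|patient_id|section' lines (constructed format)."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"malformed audit line: {line!r}")
        events.append(AccessEvent(*fields))
    return events


def review(events):
    """Return (event, reason) pairs for accesses that exceed the minimum necessary."""
    findings = []
    for ev in events:
        allowed = ROLE_POLICY.get(ev.role)
        if allowed is None:
            findings.append((ev, f"unknown role '{ev.role}'"))
        elif ev.section not in allowed:
            findings.append((ev, f"role '{ev.role}' has no job need for section '{ev.section}'"))
        elif ev.role in CLINICAL_ROLES and ev.patient_id not in ASSIGNMENTS.get(ev.user_id, set()):
            findings.append((ev, f"{ev.user_id} is not on the care team for {ev.patient_id}"))
    return findings


# Constructed sample audit trail; no real users or patients are represented.
SAMPLE_LOG = """
# timestamp|user_id|role|patient_id|section
2024-05-01T08:02:11|dr_lee|physician|P1001|medications
2024-05-01T08:05:40|rn_ortiz|nurse|P1001|history
2024-05-01T09:12:03|coder_kim|coder|P1002|diagnosis
2024-05-01T09:14:27|coder_kim|coder|P1002|history
2024-05-01T10:30:55|hk_patel|housekeeping|P1003|diagnosis
2024-05-01T11:47:19|rn_ortiz|nurse|P1002|medications
"""


def flagged_users(log_text=SAMPLE_LOG):
    """Convenience wrapper: user IDs of every flagged access, in log order."""
    return [ev.user_id for ev, _ in review(parse_log(log_text))]


if __name__ == "__main__":
    for ev, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{ev.timestamp} {ev.user_id:10s} {ev.patient_id} {ev.section:12s} -> {reason}")
```

Run as a script it lists three findings from the sample log: a coder reading a history section that coding does not need, a housekeeping login opening a diagnosis, and a nurse opening the chart of a patient who is not on her assignment list. The first two are policy violations a system could block outright; the third is the kind of event that only becomes visible because each workforce member uses an individual user ID, which is why the deck insists that passwords are never shared.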
Examples of Treatment, Payment and Health Care Operations
• Treatment: doctors and nurses caring for patients; technicians performing tests
• Payment: billers sending out claims; coders applying codes to procedures
• Health care operations: quality assurance staff performing reviews; transcriptionists typing reports

Authorization Exceptions
An authorization is not necessary for uses or disclosures mandated by law such as:
• Reporting births, deaths, and communicable diseases to state agencies
• Giving certain information to the police for investigations, searches for missing people
• Responding to a court order, subpoena, or other lawful process
• Workers’ compensation
• Specialized government functions
• External health oversight agencies
• Public health activities

Quiz Question
When is the patient’s authorization to release information required?
a. in most cases in which information is going to be shared with anyone for reasons other than treatment, payment, or health care operations
b. upon admission
c. when information is to be shared among two or more clinicians
d. when information is used for billing a private insurer

Marketing and Fundraising

Marketing
In most cases, we may not use or disclose protected health information (PHI) to market a product or service without obtaining a valid authorization.
Defining Marketing
The following are not considered marketing under HIPAA and do not require an authorization:
• Descriptions of the organization and whether products or services are provided or covered
• Explanations of treatment alternatives
• Case management or care coordination
• Recommendations of alternative treatments, therapies, providers, or settings
• Reminders and disease management and wellness programs

Fundraising
We can use only the following information for fundraising purposes without patient authorization:
• Demographic information
• Dates of service

Opting Out
A patient has the right to revoke his/her authorization and opt out of receiving future fundraising or marketing communications.

The Facility Directory

The Facility Directory
Unless a patient has asked not to be included in the directory, you may disclose the following information to visitors and callers who ask for a patient listed in the directory by name:
• Location (room number)
• General condition (e.g. stable, critical)

Directory Disclosures to Clergy
Clergy who have signed the Clergy Confidentiality Agreement do not have to ask for a patient by name and may receive:
• Names of patients listed in the directory with the same religious affiliation as the clergy making the request
• Locations
• General conditions

Quiz Question
What information about a patient who is listed in the directory can be disclosed to someone who asks for the patient by name?
A. room number and name of doctor
B. room number and general condition
C. general condition and prognosis
D. nothing

Individual Rights

Individual Rights
Patients have the following rights under HIPAA:
• To know who has access to their health information and how it is used (Notice of Privacy Practices)
• To access and request an amendment to their health records in the designated record set (Access and Amendment)
• To request a list of people and organizations who have received his/her health information (Accounting of Disclosures)
• To request that we communicate with them by alternative means (Confidential Communications)
• To request restrictions for the use and disclosure of their health information (Request Restrictions)
• To complain to a covered entity, to the Secretary of HHS, or to the Office for Civil Rights (OCR)

Notice of Privacy Practices
• Provides individual notice of the ways the organization uses and shares an individual’s health information
• Explains an individual’s rights to confidentiality and access to his/her health information
• Is posted prominently in the organization

Right to Access
A patient has the right to inspect and obtain a copy of his/her designated record set, which includes protected health information (PHI) used in whole or in part to make decisions about the patient.

Designated Record Set
A designated record set is a group of records that may include:
• Health care provider medical and billing records
• Health plan enrollment, payment, claims adjudication and case or medical management records

Right to Request Amendments
A patient has the right to request amendments to his/her designated record set. However, organizations are not required to automatically make whatever changes the patient requests.

Personal Representatives
Persons who have the authority (under federal and state laws) to act on behalf of a patient in making health care decisions may have access to the patient’s health information as his/her personal representative.
Personal Representatives for Minors
Parents, guardians, and others who have authority (under federal and state laws) to act on behalf of a minor in making health care decisions may have access to the minor’s health information as his/her personal representative.

Accounting of Disclosures
A patient has the right to request a list of people and organizations who have received his/her health information. The list does not have to include disclosures:
• For treatment, payment, and health care operations
• Authorized by the patient
• To the facility directory
• For national security
• Of “limited data set” information

Confidential Communications
A patient may ask to receive correspondence at an alternate location or by an alternate means. Organizations must honor all reasonable requests such as:
• Sending mail to a P.O. Box or alternative location
• Calling the patient at work instead of home
• Using sealed envelopes instead of postcards

Complaints and Grievances
The Notice of Privacy Practices includes information on filing complaints:
• The name of the designated representative or department for handling grievances
• The representative’s phone number
• The steps for filing a formal complaint

The Formal Grievance Process
If a patient or personal representative complains about a breach of confidentiality or a violation of a HIPAA rule, notify your supervisor and contact the representative listed on the Notice of Privacy Practices.

Quiz Question
What should members of the workforce do if a patient complains that her privacy was violated during her stay?
a. Notify their supervisor and the person or department responsible for handling complaints listed on the Notice of Privacy Practices
b. Ask the patient to provide proof
c. Nothing—it’s not their job to handle complaints
d. None of the above

Quiz Question
Which of the following does the complaints section of the Notice of Privacy Practices include?
a. the name of the designated representative or department for handling grievances
b. the representative’s phone number
c. the steps for filing a formal complaint
d. all of the above

Confidentiality Agreement and Penalties

Confidentiality Agreement
By signing you agree to:
• Dispose of health information properly
• Follow the organization’s policies and procedures
• Use computers and information systems only for performing job duties
• Use confidential information only in performing job duties
• Share confidential information only with those who need the information to do their jobs
• Handle health records carefully to preserve individual privacy

Penalties for Breaking the Privacy Rules
• Criminal penalties under HIPAA: Maximum of 10 years in jail and a $250,000 fine for serious offenses
• Civil penalties under HIPAA: Maximum fine of $25,000 per violation
• Organization actions: Employee disciplinary actions including suspension and/or termination for serious violations of the organization’s policies and procedures

HIPAA Security Rule

HIPAA Security Rule
• Compliance date of April 20, 2005
• Applies to the same covered entities described in the Privacy Rule section.
• Applies to protected health information (PHI) that is electronically sent from one location to another or stored by the facility.
• Identifies steps to take to secure electronic PHI.

Information Security
A Security Official has been appointed with responsibility to:
• Make sure the covered entity complies with the security standards, and
• Provide training to all system users at the facility.

Information Security
The Security Rule has three key areas that work together to protect PHI. These include:
• Physical safeguards
• Technical safeguards
• Administrative safeguards

Physical Safeguards
The purpose of physical safeguards is to help protect the physical computer systems and related buildings and equipment from unauthorized access, fire, and other natural and environmental hazards. Some physical safeguards were discussed in the privacy section of this course.
These included access to computer systems, workstations, and the use of passwords.

Technical Safeguards
Technical safeguards focus on the steps and procedures that must be in place to:
• Protect the integrity of electronic PHI
• Control access
• Record and examine system activity
• Validate the identity and authorization of users
• Protect electronic PHI transmitted over a communications network

Technical Safeguard Examples
– Unique user IDs
– Reliable user authentication (typically passwords)
– Authorization to access information
– Automatic computer logoff (inactivity timeout)
– Firewalls
– Log capture and monitoring

Passwords, the First Layer of Protection
Password usage:
• Generic User IDs are not permitted except in special circumstances.
• User ID access must be changed immediately upon a User’s transfer to a different role in the organization.
• All User ID passwords must change at least once every 180 days or as required by policy. Systems should be set to automatically force password changes.
• When changing passwords, a User must not create passwords that are identical to his or her previous eight passwords.

Passwords, the First Layer of Protection
Password Syntax Rules
• Passwords must be at least six characters in length and
  – have a minimum of four alphabetic characters.
  – have a minimum of two numeric characters (0 through 9).
• Passwords may include no more than two consecutively repeated characters.
• NOTE: The use of control characters and other non-printing characters is not permitted because they may cause network or system problems.

Passwords, the First Layer of Protection
Examples of passwords:
• Good / strong passwords:
  – 15djOth (15 dogs jumped over the house)
  – Cft6vgy& (keyboard pattern)
• Poor / weak passwords:
  – Orange
  – Skipper
  – BobH

Passwords, the First Layer of Protection
Password Selection Rules
• Choose passwords that are difficult to guess.
• Passwords must not be related to the user’s job or personal life.
For example, do not use names of family members or pets as a password.
• Personal information that is easily obtainable, including date of birth, license plate number, telephone number, Social Security number, make of automobile or home address, must not be used as a password.
• The first, middle or last name of the user should not be used to construct a password.
• User IDs must not be used as a password in any form.

Administrative Safeguards
Under the Security Rule, policies and procedures must be in place that define the steps to address:
• Adding, changing or deleting user access based on job responsibilities or if a user terminates employment
• Use and assignment of individual user IDs and passwords
• How to access the computer system and/or electronic PHI in the event of an emergency

Quiz Question
Which of the following is NOT a key area of the HIPAA Security Rule?
a. Physical safeguards
b. Technical safeguards
c. Documentation safeguards
d. Administrative safeguards

Quiz Question
When is it acceptable to share your password?
a. when your co-worker forgets his password
b. when it saves time
c. when you know you can trust the person to use it appropriately
d. never

Quiz Question
Which of the following choices of password is best to use?
a. AlSm!th
b. 15djOth
c. Terry
d. 12345678

What Should You Do?

Case #1
You are called to work in a patient’s room to perform a routine job. You knock on the door and are invited in. You see that a nurse is in the room discussing the patient’s condition or medication. What should you do?

Case #1 Answer
If you must do the job immediately, ask whether you can interrupt. If the job can wait, explain that you are there to perform a routine job and will return in 15 or 20 minutes. This protects the patient’s privacy by allowing him/her to openly discuss his/her condition without being overheard. Some patients may say that it is acceptable for you to stay in the room during the conversation.
But remember that patients may not feel comfortable sharing everything about their symptoms or medical history while you are in the room. They also might not feel comfortable asking you to leave.

Case #2
A visitor tells you she is at the organization to work on the computers and wants you to point the way to the system. How do you respond?

Case #2 Answer
The best response is to ask the repairwoman who at the organization contacted her. Find that person. He or she can take the repairwoman to the appropriate work area.

Case #3
You are walking by a trash can and notice a pile of photocopied health records has been laid on top of the trash can. How should you handle this?

Case #3 Answer
Gather the records and take them to your supervisor. He or she will report it to the organization’s Privacy Official to determine why the records were not destroyed.

Case #4
You are working on a nursing unit and see the name of a friend on a white board. Should you stop by her room?

Case #4 Answer
If you learned of your friend’s stay only by looking at the white board, you should not go to her room unless your job responsibilities take you there. If you find out from the patient or her family member that she is a patient at the facility, feel free to visit her. Be sure to follow the visitor policies.

Case #5
A co-worker is having trouble logging in to the organization’s system. She asks for your login name and password so she can use them. Should you share them with her?

Case #5 Answer
No. The HIPAA security standards require the use of individual passwords for each workforce member with access to health information stored in the computer system. The organization keeps track of the records you gain access to based on the login name and password you use to enter the system. If you let others use your name and password, you are breaking HIPAA’s rules and the organization’s policy, and you may be held responsible if the co-worker gains access to patient information inappropriately.
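The “Passwords, the First Layer of Protection” slides earlier in this course state the password syntax rules, the selection rules and the eight-password history requirement as prose, and Case #5 shows why each workforce member must hold an individual credential. The following is an added example, not code from this training deck or from any Catholic Health Initiatives system: a checker that encodes those rules and runs the deck’s own sample passwords and quiz options through them. The UserProfile structure, the constructed sample user, the four-character “fragment” heuristic for matching personal data and the three-letter minimum for name matching are assumptions made for this example.

```python
"""Password policy checker for the syntax and selection rules in the deck.

Added example (not code from the training deck or from any CHI system).
It encodes the slide rules: at least 6 characters, at least 4 letters,
at least 2 digits, no character repeated more than twice in a row, no
control or other non-printing characters, not identical to the previous
eight passwords, and not built from the user ID, the user's names or
easily obtainable personal data. UserProfile, the sample user, the
fragment heuristic and the name-length cutoff are assumptions.
"""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 6
MIN_ALPHA = 4
MIN_DIGITS = 2
MAX_RUN = 2          # "no more than two consecutively repeated characters"
HISTORY_DEPTH = 8    # "previous eight passwords"
FRAGMENT_LEN = 4     # assumed: how much of a personal datum counts as reuse


@dataclass
class UserProfile:
    user_id: str
    names: list                  # first, middle, last
    personal_data: list          # DOB, phone, plate, SSN ... as strings
    previous_passwords: list = field(default_factory=list)  # most recent first


def syntax_violations(pw):
    """Check the Password Syntax Rules slide; returns the failed rules."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isalpha() for c in pw) < MIN_ALPHA:
        problems.append(f"fewer than {MIN_ALPHA} alphabetic characters")
    if sum(c in "0123456789" for c in pw) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} numeric characters")
    if re.search(r"(.)\1{%d,}" % MAX_RUN, pw):   # 3+ identical chars in a row
        problems.append(f"a character repeated more than {MAX_RUN} times in a row")
    if not pw.isprintable():
        problems.append("contains control or other non-printing characters")
    return problems


def _normalize(s):
    """Lower-case and keep only letters and digits so '555-0101' matches '5550101'."""
    return "".join(c for c in s.lower() if c.isalnum())


def selection_violations(pw, profile):
    """Check the Password Selection Rules slide and the eight-password history."""
    problems = []
    norm = _normalize(pw)
    uid = _normalize(profile.user_id)
    # "User IDs must not be used as a password in any form": forwards or reversed.
    if uid and (uid in norm or uid[::-1] in norm):
        problems.append("contains the user ID")
    for name in profile.names:
        n = _normalize(name)
        if len(n) >= 3 and n in norm:        # assumed: ignore 1-2 letter fragments
            problems.append(f"contains the user's name '{name}'")
    for datum in profile.personal_data:
        d = _normalize(datum)
        # Assumed heuristic: any FRAGMENT_LEN-character run of the datum counts.
        if any(d[i:i + FRAGMENT_LEN] in norm for i in range(len(d) - FRAGMENT_LEN + 1)):
            problems.append(f"contains part of personal data '{datum}'")
    # Plaintext comparison for illustration only; a real system compares
    # against salted hashes produced by a password-hashing function.
    if pw in profile.previous_passwords[:HISTORY_DEPTH]:
        problems.append("identical to one of the previous eight passwords")
    return problems


def check_password(pw, profile):
    """All violations of the deck's rules for this password and user."""
    return syntax_violations(pw) + selection_violations(pw, profile)


def compliant_candidates(candidates, profile):
    """Candidates that satisfy every rule (used to grade the quiz options)."""
    return [c for c in candidates if not check_password(c, profile)]


# Constructed sample user; no real person or CHI account is represented.
SAMPLE_USER = UserProfile(
    user_id="tsmith1",
    names=["Terry", "Smith"],
    personal_data=["1975-03-14", "555-0101", "ABC1234"],
    previous_passwords=["Wx9k2pQ", "rT4m8zL"],
)
QUIZ_OPTIONS = ["AlSm!th", "15djOth", "Terry", "12345678"]

if __name__ == "__main__":
    for pw in QUIZ_OPTIONS + ["Cft6vgy&", "Orange", "Skipper", "BobH"]:
        problems = check_password(pw, SAMPLE_USER)
        print(f"{pw:10s} {'OK' if not problems else '; '.join(problems)}")
```

Against the constructed user, only 15djOth survives the quiz options, matching the deck’s answer: AlSm!th and Terry have no digits (Terry is also too short and is the user’s own name), and 12345678 has no letters and contains a run from the sample license plate. One thing the checker makes visible is that Cft6vgy&, which the slides list as a strong password, contains a single digit and so fails the two-digit syntax rule exactly as written; a deployment would want the policy text and the enforcement code to agree.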
Case #6
You have a hard time remembering your password for the computerized record system. Should you jot it down on a piece of paper and stick it in your desk drawer?

Case #6 Answer
No. Even if your desk drawer remains locked, it is not appropriate to keep your password in your desk. If you have a hard time remembering your password, select a password that meets your organization’s criteria but is easy for you to remember.

Test Your Understanding

Question #1
A man comes into the organization and tells you he is supposed to work on the computers and wants you to open a door for him or point the way to a workstation. How should you respond to this request?
a. provide him with the information or access he needs
b. ask him who at the organization hired him and find that person for assistance
c. call the police
d. none of the above

Question #2
Your sister’s friend just had triple bypass surgery at your organization. She asks you to find out his prognosis. What should you do?
a. ask a nurse on the floor how the patient is doing and pass the information along to your sister
b. log in to the computerized record system and read the patient’s record to find information for your sister
c. explain that it is a violation of the patient’s privacy for you to ask around or look at his record, and suggest that she call one of her friend’s family members
d. none of the above

Question #3
When are you free to repeat a patient’s private health information that you hear on the job?
a. after you no longer work at the organization
b. after a patient dies
c. if you know the patient would not mind
d. when your job requires it

Question #4
You see an open recycling bin full of paper. You can see names, addresses, and diagnoses on the paper. What should you do?
a. nothing
b. bring it to your supervisor or the Privacy Official so he or she can dispose of it properly and determine why it was put there
c. read the report and try to figure out what workforce member disposed of it improperly
d. none of the above

Question #5
What question should you ask yourself before looking at patient information?
a. Would the patient mind if I looked at this?
b. Do I need to know this to do my job?
c. Can anyone see what I’m doing?
d. Am I curious?

Question #6
When is the patient’s authorization to release information required?
a. in most cases in which information is going to be shared with anyone for reasons other than treatment, payment, or health care operations
b. upon admission
c. when information is to be shared among two or more clinicians
d. when information is used for billing a private insurer

Question #7
When is it acceptable to share your password?
a. when your co-worker forgets his password
b. when it saves time
c. when you know you can trust the person to use it appropriately
d. never

Question #8
Which of the following is protected health information under HIPAA?
a. the patient’s address
b. the patient’s allergies
c. the patient’s medical record number
d. all of the above

Question #9
Which of the following types of information does HIPAA’s privacy rule protect?
a. patient information in electronic form
b. patient information communicated orally
c. patient information in paper form
d. all of the above

Question #10
What should members of the workforce do if a patient complains that her privacy was violated during her stay?
a. Notify their supervisor and the person or department responsible for handling complaints listed on the Notice of Privacy Practices
b. Ask the patient to provide proof
c. Nothing—it’s not their job to handle complaints
d. None of the above

Question #11
Which of the following does the complaints section of the Notice of Privacy Practices include?
a. the name of the designated representative or department for handling grievances
b. the representative’s phone number
c. the steps for filing a formal complaint
d. all of the above

Question #12
Which of the following choices of password is best to use?
a. AlSm!th
b. 15djOth
c. Terry
d. 12345678

Course Summary
This course linked your everyday job functions with their effect on the organization’s privacy and security practices and compliance with the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA requirements discussed throughout this course included:
– Understanding the purpose of HIPAA regulations.
– Safeguarding written, oral and electronic information.
– Knowing the steps to protect privacy.
– Understanding the role of the Privacy and Security Officials in your organization.

The intent of this course was to educate staff members and make them more aware of how their everyday activities affect their organization’s HIPAA compliance. Through this course, you were empowered to protect the privacy of those we serve and prevent violations of confidentiality.

Our purpose for asking you to take this course was not only to help you become familiar with some of the current laws and regulations associated with HIPAA, but also to reinforce the mission of Catholic Health Initiatives (CHI). CHI is built upon a foundation of integrity. All of the women and men who have gone before us tried to ensure that, regardless of the challenges they faced, CHI would truly minister to and be worthy of trust by their communities. It is our ethical duty to continue this mission at CHI. Knowledge from this course is one tool that assists us in fulfilling that mission.

Thank you for taking this course.