Welcome to the Privacy and Security Training Session! Draft v. 11, 03-31-09. © Copyright 2009 HIPAA COW


1 Welcome to the Privacy and Security Training Session! (Draft v. 11, 03-31-09)

2 Disclaimers
This HIPAA Privacy & Security Training Session is Copyright 2009 by the HIPAA Collaborative of Wisconsin (HIPAA COW). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This HIPAA Privacy & Security Training Session is provided as is, without any express or implied warranty. It is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this HIPAA Privacy & Security Training Session. Therefore, this document may need to be modified in order to comply with Wisconsin law.

3 Disclaimers continued…
This is an example training session containing only some of the Privacy & Security topics on which organizations are required to train. It is not legal advice and is not intended to cover all privacy & security law training requirements. It may contain items not required by your organization and/or that need to be tailored to your organization's P&Ps. It may also be too lengthy to provide in just one session. Slides are provided for informational purposes only.

4 HIPAA Topics Covered
- HIPAA Privacy & Security Contacts
- What is HIPAA?
- Why Follow HIPAA?
- HIPAA Definitions
- Who protects PHI?
- Patient Rights
- Security
- Audit Trails
- Violations
- Release of Information
- Identity Verification
- Documenting Disclosures
- Safeguarding Information
- BAAs & Other Agreements
- Your Role
- Reporting Violations

5 Privacy and Security and/or Compliance Committee Members
Name, title, extension and e-mail address:
- Jackie Maurer, Billing Office Supervisor, ext.
- Jeff Raschke, Director IT & Security Officer, ext. 125
Privacy Officer: Jackie Maurer
Security Officer: Jeff Raschke

6 What is HIPAA?
- HIPAA is an acronym for the Health Insurance Portability & Accountability Act of 1996 (45 C.F.R. parts 160 & 164).
- It provides a framework for the establishment of nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for electronic transmission of health information.

7 What is HIPAA?
- HIPAA consists of three separate parts: 1) Privacy, 2) Security, and 3) Electronic Data Exchange.
- Each part has separate regulations to comply with.
- HIPAA mandates accountability.

8 Parts of HIPAA: 1. The Privacy Rule
- The Privacy Regulations went into effect April 14,
- Privacy refers to the protection of an individual's health care data.
- Defines how patient information is used and disclosed.
- Gives patients privacy rights and greater control over their own health information.
- Outlines ways to safeguard Protected Health Information (PHI).
- We also need to keep in mind Wisconsin privacy laws, such as WI Chapters 51, 146, 252 and DHS 92, which in some situations continue to protect patients' rights more than the HIPAA Regulations.

9 Parts of HIPAA: 2. The Security Rule
- Security (IT) regulations went into effect April 21,
- Security means controlling:
  – The confidentiality of electronic protected health information (ePHI).
  – How patient data is electronically stored.
  – How patient data is electronically accessed.

10 Parts of HIPAA: 3. EDI
- Electronic Data Exchange (EDI) defines the format of electronic transfers of information between providers and payers to carry out financial or administrative activities related to health care.
- Information includes coding, billing and insurance verification.
- The goal of using the same formats is to ultimately make the billing process more efficient.

11 Why Should Our Organization Comply with HIPAA?
- We must be committed to protecting our patients' privacy.
- Northwest Counseling and Guidance Clinic is placing trust in you to follow the policies. This is not an option; it is required.
- Choosing not to follow these rules:
  – Could put you at risk.
  – Could put Northwest Counseling and Guidance Clinic at risk.

12 Why Should Our Organization Comply with HIPAA?
- The right thing to do is to:
  – Protect patient records.
  – Protect business data.
  – Protect patient data and reduce the risk of litigation to organizations.
- There are significant penalties associated with non-compliance, both for organizations and for employees of those organizations.

13 HIPAA Regulations
- The HIPAA Regulations require that we protect our patients' PHI in all media including, but not limited to, PHI created, stored, or transmitted in/on the following media:
  – Verbal discussions (e.g. in person, on the phone, etc.).
  – Written on paper (e.g. chart, progress note, encounter form, prescription, x-ray order, referral form, explanation of benefits (EOBs), scratch paper, etc.).
  – In all of our computer applications/systems (e.g. electronic health record (EHR), Practice Management, Lab, X-ray, Microsoft, etc.).
  – In all of our computer hardware/equipment (PCs, laptops, PDAs, pagers, fax machines/servers, cell/multifunctional phones, patient care devices, servers, etc.).

14 This training session provides reminders of Northwest Counseling & Guidance Clinic's policies and of how you, an employee or provider, are required to protect PHI.

15 Why is Privacy and Security Training Important?
- It outlines ways to prevent accidental and intentional misuse of PHI.
- To make PHI secure with minimal impact to staff and business processes.
- It's not just about HIPAA; it's about doing the right thing.
- "We should treat personal electronic data with the same care and respect as weapons-grade plutonium -- it is dangerous, long-lasting and once it has leaked, there's no getting it back." -- Cory Doctorow

16 This training is designed to educate you on the importance of Privacy and Security
- It is everyone's responsibility to take the confidentiality of patient information seriously.
- Anytime you come in contact with patient information or any PHI that is written, spoken or electronically stored, YOU become involved with some facet of the privacy and security regulations.
- The law requires us to train you.

17 HIPAA Definitions
What is Protected Health Information (PHI)?
PHI is Individually Identifiable Health Information (IIHI) relating to:
- The health/condition of an individual.
- Payment for health care of an individual.
- Information that reasonably identifies the individual (patient identifiers/demographics).

18 HIPAA Definitions
PHI includes items in the record, such as:
  – Encounter/visit documentation
  – Lab results
  – Appointment dates/times
  – Invoices
  – Radiology films and reports
  – History and Physicals (H&Ps), etc.

19 HIPAA Definitions
PHI Includes: Patient Identifiers
- PHI includes information by which the identity of a patient can be determined with reasonable accuracy and speed, either directly or by reference to other publicly available information.

20 HIPAA Definitions
PHI Includes: Patient Identifiers. Examples include:
- Names
- Medical record numbers
- Social Security numbers
- Account numbers
- License/certification numbers
- Vehicle identifiers/serial numbers/license plate numbers
- Internet protocol addresses
- Health plan numbers
- Full face photographic images and any comparable images
- Web universal resource locators (URLs)
- Any dates related to any individual (date of birth)
- Telephone numbers
- Fax numbers
- E-mail addresses
- Biometric identifiers, including finger and voice prints
- Any other unique identifying number, characteristic or code

21 HIPAA Definitions
- Use: when we review or use PHI internally (audits, training, customer service, quality improvement).
- Disclose: when we release or provide PHI to someone (e.g. an attorney, a patient, faxing records to another provider, etc.).

22 HIPAA Definitions
- What does releasing the minimum necessary PHI mean?
  – To use or disclose/release only the minimum necessary to accomplish the intended purposes of the use, disclosure, or request.
  – Requests from employees at NWCGC: identify each workforce member who needs to access PHI, and limit the PHI provided on a need-to-know basis.
  – Requests from individuals not employed at NWCGC: limit the PHI provided to what is needed to accomplish the purpose for which the request was made.

23 HIPAA Definitions: What is TPO?
- HIPAA allows us to use and/or disclose PHI for the purpose of:
  – Treatment: providing care to patients.
  – Payment: the provision of benefits and premium payment.
  – Operations: normal business activities (reporting, quality improvement, training, auditing, customer service and resolution of grievances, data collection and eligibility checks, accreditation, etc.).
- These terms are collectively referred to as TPO.
- PHI used outside of TPO is not allowed without a signed authorization.
- TPO must be within the minimum necessary to perform your job!

24 Why Do We Need to Protect PHI?
- It's the law.
- To protect our reputation.
- To avoid potential withholding of federal Medicaid and Medicare funds.
- To build trust between providers and patients.
  – If patients feel that their PHI will be kept confidential, they will be more likely to share the information needed for their care.

25 Who or What Protects PHI?
- The Federal Government, through the laws of HIPAA.
  – Civil penalties up to $25,000 for failure to comply.
  – Criminal penalties:
    - $50,000 fine and 1 year prison for knowingly obtaining and wrongfully sharing information.
    - $100,000 fine and 5 years prison for obtaining and disclosing through false pretenses.
    - $250,000 fine and 10 years prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.
- Our organization, through the Notice of Privacy Practices (NOPP).
- You, by following our policies and procedures.

26 Enforcement
- The Public. The public will be educated about their privacy rights and will not tolerate violations of their privacy! They will take action.
- Office for Civil Rights (OCR). This is the agency that enforces the privacy regulations. They will provide guidance and monitor compliance.
- Department of Justice (DOJ). This agency is involved in criminal privacy violations. It provides fines, penalties and imprisonment to offenders.

27 HIPAA Regulations
- Brought individual privacy rights to patients.
- Require that we provide these rights to them.
  – The following slides explain patient rights…

28 Patient Rights: Access
- Right to inspect and copy their PHI.
- Situations where access may be denied or delayed:
  – Psychotherapy notes.
  – PHI compiled for civil, criminal or administrative action or proceedings.
  – PHI subject to the CLIA Act of 1988 when access would be prohibited by law.
  – Access would endanger a person's life or safety based upon a professional judgment.
  – A correctional inmate's request may jeopardize the health and safety of the inmate, other inmates or others at the correctional institution.
  – A research study has previously secured agreement from the individual to deny access.
  – Access is protected by the Federal Privacy Act.
  – PHI was obtained under promise of confidentiality and access would reveal the source of the PHI.

29 Patient Rights: Alternative Communications
- Right to request to receive communication by alternative means or location. Examples:
  – The patient may request a bill be sent directly to him instead of to his insurance company.
  – The patient may request we contact her on her cell phone instead of at her home telephone number.

30 Patient Rights: Special PHI Requests (Alternative communication requests)
- What should I do if a patient requests we always call a family member instead of her?
  – Request that patients with permanent and special/unique calling and/or mailing instructions go to their primary mental health provider or onsite administrator to complete and sign a release of information.

31 Patient Rights: Amendment Requests
- Right to request an amendment or correction of PHI.
  – Situations where a request may be denied:
    - Northwest Counseling & Guidance Clinic did not create the information.
    - The record is accurate according to the health care professional who wrote it.
    - The information is not part of the Northwest Counseling & Guidance Clinic record.
- A patient states there is an error in his electronic record and wants it corrected. What should I do?
  – Request that the patient contact the onsite administrator to request to have the record amended.

32 Patient Rights: Restrictions and AOD
- Right to request a restriction on use and disclosure of their PHI (e.g. revoke a previous authorization, request to not give to certain providers, request to not provide for research purposes).
  – We are not required to approve the request, but must make reasonable efforts to approve it, when possible.
- Right to an Accounting of Disclosures (AOD).
  – Must give information on disclosures of information released, except those that were given to:
    - The individual.
    - TPO.
    - Law enforcement officials, correctional institutions or national security.

33 Patient Rights: Right to Receive an Accounting of Disclosures of PHI
A. An individual may request an accounting for disclosures as far back as six years before the time of the request, but to start no earlier than April 14,
B. A covered entity must suspend accounting of disclosures to a patient if an agency or law enforcement indicates the accounting is likely to impede the agency's activity.

34 Patient Rights: Right to Receive an Accounting of Disclosures of PHI
C. Disclosures NOT requiring accounting include disclosures made:
  – For Treatment (to persons involved in the individual's care), Payment or Operations.
  – To the individual subjects of the PHI.
  – Incident to an otherwise permitted disclosure.
  – Based on the individual's signed authorization.
  – For a facility directory.
  – For national security or intelligence purposes.
  – To correctional facilities or law enforcement on behalf of inmates.
  – As part of a limited data set (see ).
  – That occurred prior to the compliance date of April 14, 2003.

35 Patient Rights: Right to Receive an Accounting of Disclosures of PHI
D. Disclosures requiring accounting include:
  – Required by law
  – For public health activities
  – Victims of abuse, neglect, violence
  – Health oversight activities
  – Judicial/administrative proceedings
  – Law enforcement purposes
  – Organ/eye/tissue donations
  – Research purposes
  – To avert threat to health and safety
  – For specialized government functions
  – About decedents
  – Workers' compensation
  – Releases made in error to an incorrect person/entity (i.e. breach)

36 Patient Rights: NOPP
- Are we still required to request patients sign the Notice of Privacy Practices (NOPP) acknowledgment prior to their first visit?
  – Yes. Please continue to request they sign the acknowledgment before they see a provider for their first appointment at Northwest Counseling & Guidance Clinic (except in the case of emergency services, where staff will attempt to provide notification based on the needs of the client).
  – The patient signs the Acknowledgment of Receipt to confirm that they have been offered and/or received the Notice.
- What is the purpose of the NOPP?
  – Summarizes how Northwest Counseling & Guidance Clinic uses and discloses patients' PHI.
  – Details patients' rights in respect to their PHI.

37 Patient Rights: NOPP Reminders
- If a patient or legal guardian refuses to take a NOPP, this is their right; do not force them to take one.
- If a patient or legal guardian refuses to sign the acknowledgment form, document this on the form and in the system.
- Once the patient turns 18, he/she must sign an acknowledgment form.
- Host parents of a foreign exchange student may act on behalf of the student's biological parent(s) and sign the NOPP acknowledgment form.

38 Patient Rights: Privacy Complaints
- Right to file a privacy complaint.
  – Direct all requests or complaints regarding these rights to the Privacy Officer at , extension 126.

39 Security
- One key element of protecting our patients' PHI lies in maintaining the security of our systems, which house and transmit ePHI (electronic protected health information).
- The HIPAA Security Rule outlines how we are to do this.
- How do we protect our computer systems and our patients' information in them? Read on to explore this…

40 Applying the Security Rule
- Administrative Safeguards
  – Policies and procedures of the organization are REQUIRED and must be followed by the employees to maintain security (e.g. disaster recovery of computer systems, use of the internet, use of e-mail, faxing, use of voicemail, computer hardware and software standards).
- Technical Safeguards
  – Many technical devices are needed to maintain security. Examples include different levels of computer passwords, screen savers and devices to scan ID badges, data backups, disposal of media, encryption, and audit trails. Computer and system processes are set up to protect, control and monitor information access.

41 Applying the Security Rule
- Physical Safeguards. Many physical barriers and devices are needed to maintain security. Examples include installing locks on doors, securing buildings and rooms, identifying visitors, and locking file cabinets to protect the organization's property and the health information.
- Personnel Security. Organizational policies and procedures manage the assignment of access authority to employees and other workforce members. Procedures should address employee transfers, role changes and terminations. Effective security and privacy training must be conducted.

42 Access to ePHI: UNs and PWs
- How do we control access to electronic protected health information (ePHI) in our computer systems?
  – By requiring all users to utilize individually unique Usernames (UNs) and Passwords (PWs), we control access to the information in each of our computer systems and applications.
  – UNs and PWs control what users are able to access and help us identify what information users accessed in our applications.

43 Access to ePHI: UNs and PWs Cont.
- For these reasons, you may not share your UNs and PWs with anyone else (the only exception to this is to share a UN and PW with IS, if necessary, for troubleshooting a computer problem).
- When leaving a computer, ALWAYS:
  – Log off, OR
  – Lock the computer screen (Ctrl-Alt-Del and select Lock). This prevents other users from using your applications.

44 Access to ePHI: UNs and PWs Cont.
- Creating strong passwords:
  – Use at least 6-8 characters.
  – Use a minimum of 2 letters and 1 number, and both capital and lower case letters.
  – Do not use PWs that may be easily guessed, such as names (spouse's, pet's, child's, etc.), significant dates, words, favorite team names, etc.
- Note: UN and PW controls are required by law.
- TIP: Use a pass-phrase to help you remember your password, such as: MbcFi2yo (My brown cat, Fluffy, is two years old).
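The password rules on this slide, and the pass-phrase TIP, as an added Python example that is not part of the HIPAA COW deck or the clinic's own tooling: the checker reports every rule a candidate password breaks (so the help desk can explain a rejection), and the mnemonic builder turns a pass-phrase into a password the way the TIP does. The blocklist of easily guessed terms and the choice of 8 as the minimum length (the slide says 6-8) are assumptions.

```python
import re

# Rules from the slide: at least 6-8 characters (the stricter end, 8, is assumed
# here), a minimum of 2 letters and 1 number, both capital and lower case
# letters, and nothing easily guessed (names, significant dates, plain words,
# favorite team names).
MIN_LENGTH = 8

# Constructed stand-in for the "easily guessed" categories on the slide. In a
# real deployment this would be built per user from their profile (assumption).
GUESSABLE_TERMS = frozenset({"fluffy", "packers", "badgers", "password", "welcome", "jackie"})

# A four-digit year or a six/eight-digit run is a strong hint that a significant
# date (birthday, anniversary) was used.
DATE_PATTERN = re.compile(r"(19|20)\d{2}|\d{6}(?:\d{2})?")

NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def passphrase_to_password(phrase):
    """Turn a pass-phrase into a password the way the slide's TIP does: keep the
    first letter of every word (case preserved) and replace number words with
    digits, so "My brown cat, Fluffy, is two years old" becomes "MbcFi2yo"."""
    parts = []
    for word in re.findall(r"[A-Za-z0-9']+", phrase):
        parts.append(NUMBER_WORDS.get(word.lower(), word[0]))
    return "".join(parts)


def password_problems(pw, guessable=GUESSABLE_TERMS):
    """Return the list of slide rules the candidate breaks (empty list means it
    passes); every failure is listed rather than stopping at the first one."""
    problems = []
    letters = [c for c in pw if c.isalpha()]
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(letters) < 2:
        problems.append("fewer than 2 letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not (any(c.isupper() for c in letters) and any(c.islower() for c in letters)):
        problems.append("needs both capital and lower case letters")
    hits = sorted(term for term in guessable if term in pw.lower())
    if hits:
        problems.append("contains easily guessed term(s): " + ", ".join(hits))
    if DATE_PATTERN.search(pw):
        problems.append("appears to contain a date")
    return problems


def is_acceptable(pw, guessable=GUESSABLE_TERMS):
    return not password_problems(pw, guessable)


if __name__ == "__main__":
    for candidate in (passphrase_to_password("My brown cat, Fluffy, is two years old"),
                      "Fluffy2008", "abc123"):
        print(candidate, "->", password_problems(candidate) or "OK")
```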

45 Protect Your UNs and PWs
- Memorize your PW. Don't post UNs and PWs on your computer, notebook, tablet, under your keyboard, etc.
  – Lock up your UNs and PWs so they may not be accessed by anyone else.
- If you believe one of your PWs has been compromised, request the IT Department to change it.
  – If you think PHI may have been inappropriately accessed, discuss it with the Privacy Officer.

46 Help Protect Our Systems/Equipment
- It is your responsibility to protect Northwest Counseling & Guidance Clinic's systems/equipment/computers at all times.
- Do not disable anti-virus software, malware protection, or any other security items unless directed by the IS Department.
- If you have access from offsite (remote Citrix, Outlook web access, VPN, SSL, URL, etc.) and/or a PC, pager, phone, or PDA, this is for your use only.
  – Family and friends may not utilize it.

47 Security
- It is against Northwest Counseling & Guidance Clinic policy to forward joke e-mails.
  – Joke e-mails frequently have viruses attached to them and they take up a lot of space on our servers.
- Refer to the Release of Information slides for the requirements on e-mailing ePHI.
- Please report it to IT if you receive a suspicious and/or threatening e-mail.

48 Audit Trails of What I Access
- Northwest Counseling & Guidance Clinic conducts random audits of employee and provider access to determine:
  – Appropriateness of access, and
  – If access is in compliance with Northwest Counseling & Guidance Clinic policies.
- Audit trails show what patients have been accessed, the date and time of the access, what was accessed, etc.
  – If access appears to be inappropriate, the Privacy Officer works with leaders, Human Resources and the employee/provider to determine whether or not it was appropriate. The Security regulations require this.

49 Audit Trails and HIPAA Violations
What are some common types of HIPAA privacy and security violations found in these audit trails and/or reported? Following are a few examples from which to learn…

50 © Copyright 2009 HIPAA COW50 Audit Trails: Access to Own ePHI An employee viewed his own appointment list. Another employee accessed her own lab results from her own workstation (using her own password). Is this against Northwest Counseling & Guidance Clinic policies? An employee viewed his own appointment list. Another employee accessed her own lab results from her own workstation (using her own password). Is this against Northwest Counseling & Guidance Clinic policies?

51 © Copyright 2009 HIPAA COW51 Audit Trails: Access to Own ePHI Yes, it is Northwest Counseling & Guidance Clinic policy that you may not directly access your own medical record, using your own password in any system/application. Yes, it is Northwest Counseling & Guidance Clinic policy that you may not directly access your own medical record, using your own password in any system/application. PHI in the electronic medical record, scheduling/billing system, etc. are considered a part of your medical record. In fact, PHI in all Northwest Counseling & Guidance Clinic systems make up your medical record. PHI in the electronic medical record, scheduling/billing system, etc. are considered a part of your medical record. In fact, PHI in all Northwest Counseling & Guidance Clinic systems make up your medical record. –To view your medical record, contact the NWCGC Privacy Officer at –To view your appointment list, contact a receptionist in the department in which you schedule appointments. –To view your billing information, contact the billing office at

52 © Copyright 2009 HIPAA COW52 Audit Trails: Access to a Family Members PHI and Unassigned Tasks A receptionist scheduled an appointment for her child in a different department/site than she works. Is this against Northwest Counseling & Guidance Clinic policies? A receptionist scheduled an appointment for her child in a different department/site than she works. Is this against Northwest Counseling & Guidance Clinic policies?

53 © Copyright 2009 HIPAA COW53 Audit Trails: Access to a Family Members PHI and Unassigned Tasks Yes. Only schedule appointments as assigned in the departments in which you work. If you dont work in that department, call the receptionist in that department and request him/her to schedule the appointment. Yes. Only schedule appointments as assigned in the departments in which you work. If you dont work in that department, call the receptionist in that department and request him/her to schedule the appointment. Note: while scheduling this appointment, the employee may have viewed appointment information which she did not have the right to see. Note: while scheduling this appointment, the employee may have viewed appointment information which she did not have the right to see. Dont schedule appointments for or otherwise view, access, edit, etc. family members PHI, unless it is a part of your assigned duties, it is an urgent matter, AND nobody else is available to do the job at that time. Dont schedule appointments for or otherwise view, access, edit, etc. family members PHI, unless it is a part of your assigned duties, it is an urgent matter, AND nobody else is available to do the job at that time.

54 © Copyright 2009 HIPAA COW54 Audit Trails: Access to PHI by a Coworker An employee requested a coworker to view his/her appointment list to find the last time the employee had a physical in Internal Medicine. Her coworker does not work in the Internal Medicine department. Is this against Northwest Counseling & Guidance Clinic policies? An employee requested a coworker to view his/her appointment list to find the last time the employee had a physical in Internal Medicine. Her coworker does not work in the Internal Medicine department. Is this against Northwest Counseling & Guidance Clinic policies?

55 © Copyright 2009 HIPAA COW55 Audit Trails: Access to PHI by a Coworker Yes. It is inappropriate to ask your coworkers to do this if it is not part of their regular assigned job responsibilities. Yes. It is inappropriate to ask your coworkers to do this if it is not part of their regular assigned job responsibilities. If you need to know when you had your last physical, call the department in which you had this appointment (or will be scheduling your next appointment). If you need to know when you had your last physical, call the department in which you had this appointment (or will be scheduling your next appointment).

56 © Copyright 2009 HIPAA COW 56 Audit Trails: Securing Systems When leaving his/her computer, an employee didnt log off the electronic medical record; another employee then utilized it to look up her own and her family members transcriptions, appointment lists, medications, etc. When leaving his/her computer, an employee didnt log off the electronic medical record; another employee then utilized it to look up her own and her family members transcriptions, appointment lists, medications, etc. –Important Note: in this situation, both employees did not follow Northwest Counseling & Guidance Clinic P&Ps which require: Logging off/securing all applications when unattended. Logging off/securing all applications when unattended. Using the password protected screensaver when leaving it unattended. Using the password protected screensaver when leaving it unattended. Not using another persons login, unless they are training you and directly observing what you do. Not using another persons login, unless they are training you and directly observing what you do.

57 © Copyright 2009 HIPAA COW57 Audit Trails: Accessing More Than the Minimum Necessary A clinical staff employee is assigned to routinely view and update medications, blood pressure, pulse, and weight for each patient being seen by the provider with whom she works. She was curious and concerned about a particular patients health, and therefore viewed several other records, such as lab results, and specialist transcriptions. A clinical staff employee is assigned to routinely view and update medications, blood pressure, pulse, and weight for each patient being seen by the provider with whom she works. She was curious and concerned about a particular patients health, and therefore viewed several other records, such as lab results, and specialist transcriptions. –Note: It was determined this was a breach of confidentiality as she was not requested by her provider and/or supervisor to access this patients additional records.

58 © Copyright 2009 HIPAA COW58 Audit Trails: Accessing More Than the Minimum Necessary We may only access the minimum necessary to complete our assigned job responsibilities. This means we may not access information out of curiosity and/or concern about a patients health. We may only access the minimum necessary to complete our assigned job responsibilities. This means we may not access information out of curiosity and/or concern about a patients health.
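The audit-trail review described on slides 48 through 58 (an employee opening their own record, scheduling outside their assigned department, and viewing record types beyond the minimum necessary for their duties) can be given an automated first pass before the Privacy Officer's manual review. The Python below is an added example and is not code from HIPAA COW or Northwest Counseling & Guidance Clinic; the pipe-delimited log format, the user and patient IDs, the department names and the role table are all constructed assumptions standing in for the EHR audit log and the HR/identity system.

```python
"""Automated first-pass review of an EHR access audit trail.

Added example (not HIPAA COW or clinic code). The pipe-delimited log format,
the role table and the employee/patient mapping below are constructed
assumptions; a real deployment would pull them from the EHR audit log and
the HR/identity system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed role table: the department each user works in and the record
# types their assigned duties require (the "minimum necessary" for the role).
ASSIGNMENTS: Dict[str, dict] = {
    "u100": {"department": "internal_medicine",
             "record_types": {"vitals", "medications"}},   # clinical staff
    "u200": {"department": "pediatrics",
             "record_types": {"appointments"}},            # receptionist
    "u300": {"department": "billing",
             "record_types": {"billing"}},                 # billing office
}

# Constructed mapping of employees who are also patients (user id -> patient
# id), so that a user opening their own record can be detected.
EMPLOYEE_PATIENT_IDS: Dict[str, str] = {"u100": "p100", "u200": "p200"}


@dataclass
class AccessEvent:
    timestamp: str
    user_id: str
    patient_id: str
    patient_department: str   # department that owns the accessed record
    record_type: str


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line: ts|user|patient|department|record_type."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed audit line: {line!r}")
    return AccessEvent(*fields)


def review_event(ev: AccessEvent) -> List[str]:
    """Return the policy findings for one access event (empty list = clean)."""
    findings: List[str] = []
    # Slides 50-51: employees may not open their own record with their own login.
    if EMPLOYEE_PATIENT_IDS.get(ev.user_id) == ev.patient_id:
        findings.append("self-access")
    role = ASSIGNMENTS.get(ev.user_id)
    if role is None:
        # A login that is not in the role table is itself worth a look
        # (terminated account, shared or borrowed login, etc.).
        findings.append("unknown-user")
        return findings
    # Slides 52-53: only work in the departments you are assigned to.
    if ev.patient_department != role["department"]:
        findings.append("outside-assigned-department")
    # Slides 57-58: only the record types your duties require.
    if ev.record_type not in role["record_types"]:
        findings.append("beyond-minimum-necessary")
    return findings


def review_log(lines: List[str]) -> List[Tuple[AccessEvent, List[str]]]:
    """Run the checks over every line and keep only the flagged events."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        findings = review_event(ev)
        if findings:
            flagged.append((ev, findings))
    return flagged


# Constructed sample audit trail covering the scenarios in the slides.
SAMPLE_LOG = [
    "2009-03-31T08:00|u100|p555|internal_medicine|vitals",        # routine, clean
    "2009-03-31T08:05|u100|p100|internal_medicine|lab_results",   # own lab results
    "2009-03-31T09:00|u200|p777|internal_medicine|appointments",  # other department
    "2009-03-31T09:30|u100|p555|internal_medicine|lab_results",   # curiosity
    "2009-03-31T10:00|u999|p555|internal_medicine|vitals",        # unknown login
]


if __name__ == "__main__":
    for ev, findings in review_log(SAMPLE_LOG):
        print(f"{ev.timestamp} user={ev.user_id} patient={ev.patient_id} "
              f"{ev.record_type}: {', '.join(findings)}")
```

The flagged events are the starting point for the review on slide 48, not a verdict: the slides themselves note that urgent, assigned work can legitimately cross department lines, so each finding still goes to the Privacy Officer, leaders and Human Resources for a decision. In practice the hard part is keeping the role table current with HR changes; a stale table produces both missed findings and false alarms.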

59 The following slides provide examples of Privacy and Security violations to help you better understand how they occur so that you may help prevent them.

60 Security Violations: Downloading Onto PCs
Users have downloaded software onto a Northwest Counseling & Guidance Clinic computer/laptop/tablet. Is this ok?

61 Security Violations: Downloading Onto PCs
No. We may not download anything onto our computers, laptops, notebooks, PDAs, etc. without permission from the IT Administrator or Security Officer.
– This includes not downloading from the Internet, CD, flash drive, DVD, disc, software, etc.
– Why not? The IT Department or Security Officer verifies we have appropriate licenses and virus protection in place.
Did you know that downloading may slow down our systems?
Some downloads have interfered with the appropriate functioning of web based EHRs!

62 Security Violations: Downloading From PCs
If it is absolutely necessary to copy or save files onto removable media, obtain approval from your Supervisor and encrypt the file so that it may only be accessed by utilizing the password (ask the IT Department how to encrypt a file).
– This includes downloading anything off our computers onto media such as a flash drive, USB, disc, CD, etc.
– Safeguard this removable media, and the password to access the information, at all times so that the information may not be inappropriately accessed.
– Immediately contact the IT Department and Security Officer if a device is lost or stolen.

63 Other Types of Security Issues and Incidents
Theft (or loss) of a computer, laptop, PDA.
Inappropriate usage of Northwest Counseling & Guidance Clinic computers.
A technology-related situation which results in a significant adverse effect on people, process, technology, facilities, etc., such as:
– A system glitch which results in ePHI being accessed and/or sent to an inappropriate recipient.
– A virus that prevents users from being able to access PHI.

64 What is Misuse of PHI?
Unauthorized:
– Access to…
– Using…
– Taking…
– Possession of…
– Release of…
– Edit of…
– Destruction of…
Patient PHI Without Authorization.

65 Privacy Violations: How Do They Happen?
What are some common ways breaches of confidentiality occur?
– Many incident reports happen due to common human errors, such as the following:

66 Privacy Violations: How Do They Happen?
Faxing to the wrong individual/location.
When searching for a patient's address, her name is typed, her date of birth is not validated, and a patient with the same name is selected instead.
These can be prevented by double checking you have the right patient's records prior to releasing PHI.

67 Privacy Violations: Incorrect Patient on a Form
Jane Doe's name, medical record number, and date of birth were placed on a prescription and handed to Molly Sue. Is this considered a breach of confidentiality?
– Yes. If Molly Sue reads Jane Doe's name on this form, or any other document, it is a breach of confidentiality.
Request Molly Sue to return the incorrect prescription and contact the Privacy Officer to walk through the reporting process.

68 Privacy Violations: Incorrect Records Released
A patient requested we send her 2006 mental health diagnosis to her non-Northwest Counseling & Guidance Clinic provider. In addition to the 2006 mental health diagnosis, we also released the 2004 and 2005 mental health diagnoses. Is this a breach of confidentiality?

69 Privacy Violations: Incorrect Records Released
Yes. This is a breach of confidentiality as more information than was requested by the patient was released (the 2004 and 2005 test results).
Always keep in mind we may only release the minimum necessary PHI to accomplish the purpose of the request, even when releasing to another treating provider, insurance company, etc.
– Request the provider to return the 2004 and 2005 test results, and contact the Privacy Officer.

70 Privacy Violations: Incorrect Patient's Results Mailed
The treatment plan of one patient was mailed to a different patient. Is this a breach of confidentiality?
– Yes. It is a breach of confidentiality if the treatment plan includes a different patient's name.
Request the patient to return the incorrect treatment plan, document the disclosure, and contact the Privacy Officer.

71 Privacy Violations: Patient's Records Sent to Wrong Company
Patient records were sent to the wrong insurance company. Is this a breach of confidentiality?
– Yes. Because this insurance company does not provide coverage for this patient, they did not have a need to know anything about him/her.
Request the company return the incorrect records, document the disclosure, and contact the Privacy Officer.

72 Release of Information (ROI)
What PHI may I release?
– What WI Laws and Federal Regulations apply?
What information can be released without an authorization?
What are the steps in releasing information?
When is an authorization required?
How do I verify the authority and identity of the requestor?
Are there any restrictions which do not allow this release?
Do I need to document the release?
Why do I need to be doing all this?
What are some practical release of information examples?
Please proceed to learn more about how to correctly release PHI.

73 ROI: Applying the Steps
I received a request to release a patient's PHI. What now?
Whether releasing verbally or in writing, determine the following:
– Is the requestor legally authorized to receive the PHI? Important Note: when uncertain, ask the onsite administrator or Privacy Officer, or obtain a signed authorization from the patient.
– Is a signed Authorization required? If yes, determine if the Authorization is HIPAA and WI compliant (refer to next slide).

74 ROI: Valid Authorizations
Elements of a valid authorization:
1. Client/Patient name and date of birth.
2. Name of the individual or agency authorized to make the requested disclosure.
3. Name of the person or organization to whom the disclosure is to be made.
4. Purpose of the disclosure.
5. Specific description of the type and amount of information to be released.
   A. If the release includes mental health, alcohol or drug abuse or test results, or developmental disability records, these must be specified.
   B. If the release includes HIV test result, AIDS, or AIDS related disease, the statement "HIV test results" is required.
6. Statement on the possibility of re-disclosure by the recipient and that the information is no longer protected by Northwest Counseling & Guidance Clinic.
7. Right to inspect a copy of the records released (required only for WI DHS 92 records).

75 ROI: Valid Authorizations
Elements of a valid authorization (cont.):
8. Statement of the ability or inability to condition treatment, payment, enrollment or eligibility for benefits.
9. If the release involves marketing and direct or indirect remuneration to Northwest Counseling & Guidance Clinic by a third party, include a statement reflecting this.
10. A statement of the right to revoke the authorization in writing, exceptions to the right to revoke, and how to request a revocation.
11. Expiration date or event.
12. Time period during which the authorization is effective.
13. Signature of client/patient or legal personal representative and date signed.
    A. If signed by a legal personal representative, a description of his/her authority to sign.
14. A copy of the form is required to be given to the client/patient.
Refer to the HIPAA COW Authorization Form located at

76 ROI: Authorization Not Required
There are times when an authorization is not needed. Read on to find out when authorizations are not required…

77 ROI: Permitted Uses and Disclosures of PHI Without an Authorization
Uses and disclosures of PHI for (TPO):
– Treatment
– Payment
– Health Care Operations
Mandatory disclosures by law.
If use of the information does not fall under one of these categories you must have the patient's signed authorization (written permission) before sharing that information with anyone.

78 ROI: When is an Authorization Required?

79 ROI: General Wisconsin Confidentiality Laws
WI laws may require authorizations, even though HIPAA doesn't require them. The next few slides summarize a few of the more commonly utilized WI laws…

80 ROI: General Wisconsin Confidentiality Laws
Statute | Summary
, Wis. Stat. | Covers general medical health care PHI and authorization requirements.
, Wis. Stat. | Covers PHI relating to mental health, AODA, and developmentally disabled treatment, authorization requirements, and penalties.
DHS 92, Adm. Code | Further covers confidentiality of mental health treatment records (with 51.30).
DHS 144, Adm. Code | Covers release of immunizations between vaccine providers, and to schools specifically for minors.

81 ROI: General Wisconsin Confidentiality Laws
Statute | Summary
& Wis. Stat. | Covers records reasonably related to a workers' compensation claim and release to the employee (patient), employer, workers' compensation insurer, or Department with a written request.
Wis. Stat. | Covers disclosure of personal medical information by insurers.
, Wis. Stat. | Covers health care information relating to HIV testing and authorization requirements.

82 ROI: Other Regulations to Consider
Statute | Summary
42 CFR, Part 2 | Federal Alcohol and Drug Regulations which cover use and release of a patient's drug and alcohol abuse records in a federally assisted program.

83 ROI: Identity Verification
Prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as:
– Name
– Date of Birth
– Address
– Other identifiers: Social security number, mother's maiden name
Identify someone other than the patient by requesting he provide you with all the above information, as well as his relationship to the patient.
– Check a physical signature against a known one on file
– Make a call-back to a known number
– Ask for a photo ID
– Ask for a business card
Provide only the minimum necessary to safeguard PHI.
Refer to the HIPAA COW Identity Verification Policy located at

84 © Copyright 2009 HIPAA COW84 ROI: Authority Verification Who are you? Once you know who the requestor is, be sure he or she has the right to access this information. Routine requests from employees you know in our organization who have a need to know information for business reasons, are ok. Unusual requests from individuals you dont know can be risky, so before sharing PHI: –Ask your supervisor. –And/or check your procedure.

85 © Copyright 2009 HIPAA COW85 ROI: Individual Needs to Find Patient In Any Setting If an individual would like to find out if a patient is in our facility. If an individual would like to find out if a patient is in our facility. –Do not confirm or deny the patient is here, and politely end the phone call. –After ending the call, notify the client and/ or parent/guardian in the case of a minor client that the individual inquired about them and ask them how they would like to proceed for future contacts with this person.

86 © Copyright 2009 HIPAA COW86 ROI: Minimum Necessary Release only the requested PHI, and only include sensitive PHI (mental health, HIV/AIDS, STDs, etc.) if specifically authorized. Release only the requested PHI, and only include sensitive PHI (mental health, HIV/AIDS, STDs, etc.) if specifically authorized. Release the minimum necessary (note, this may be less than what was requested). Release the minimum necessary (note, this may be less than what was requested). –Limit access to what is needed to accomplish the purpose for which the request was made (or that which was authorized). –May not disclose an entire medical record unless it is specifically justified as the amount of PHI that is reasonably needed to accomplish the purpose for the use or disclosure.

87 © Copyright 2009 HIPAA COW87 ROI: Documentation Document the release, when required by law, and our organizations policies. See Accounting of disclosures policy in the HIPAA policy manual. Document the release, when required by law, and our organizations policies. See Accounting of disclosures policy in the HIPAA policy manual. Effective April 1, 2008, Wisconsin Statute 146 no longer requires documentation of disclosures for purposes relating to treatment (providing and coordinating care); payment (billing for services rendered); and health care operation (internal business). Effective April 1, 2008, Wisconsin Statute 146 no longer requires documentation of disclosures for purposes relating to treatment (providing and coordinating care); payment (billing for services rendered); and health care operation (internal business).

88 © Copyright 2009 HIPAA COW88 ROI: Documentation (Continued) Document the release, per WI Statute, HIPAA and our organization policies. See Accounting of disclosures policy in the HIPAA policy manual. Document the release, per WI Statute, HIPAA and our organization policies. See Accounting of disclosures policy in the HIPAA policy manual. For example, HIPAA requires documentation of breaches, public health reporting, etc.) This documentation would be made directly into the clients file. For example, HIPAA requires documentation of breaches, public health reporting, etc.) This documentation would be made directly into the clients file.

89 © Copyright 2009 HIPAA COW89 ROI: Documentation (Continued) What are we required to document? What are we required to document? – –Date of the disclosure – –The name of the person the PHI was released to (and address if known) – –A brief description of the PHI disclosed – –The purpose of the release Other suggested items but not required: –Received date –Who released the information –How the information was disclosed * * Also required if information is from a treatment record.

90 © Copyright 2009 HIPAA COW90 ROI: Documentation Why do we have to document when we release PHI (when required by law)? Why do we have to document when we release PHI (when required by law)? –Patients have the right to request from us a record of what PHI was released and to whom (Accounting of Disclosures).

91 © Copyright 2009 HIPAA COW91 ROI: Wow! Thats a lot to know! Were you aware you can ask the onsite administrator/and or the Privacy Officer if you have questions or concerns related to the release of information. Wow! Thats a lot to know! Were you aware you can ask the onsite administrator/and or the Privacy Officer if you have questions or concerns related to the release of information. Thats right! If you arent absolutely 100% certain on whether or not you can (or how to) release information, STOP and ask for help by calling , extension 126. Thats right! If you arent absolutely 100% certain on whether or not you can (or how to) release information, STOP and ask for help by calling , extension 126. Following are some examples of release situations … Following are some examples of release situations … Note: those steps must be followed each time you release information verbally and in writing.

92 © Copyright 2009 HIPAA COW92 ROI: Family and Friends Patient present and alert – patient decides. Patient present and alert – patient decides. Patient incapable to make wishes known – inferred permission to discuss current care. Patient incapable to make wishes known – inferred permission to discuss current care. Care or payment. Care or payment. –Information needed for patients care. –Must clearly be involved in payment for care (involvement is obvious, patient stated so). Notify family or friend(s): Notify family or friend(s): –When involved in their care. –Of patients general condition. –Of patients location. –When patients ready for discharge. –Of patients death. Note: paper copies may not be released under these examples

93 © Copyright 2009 HIPAA COW93 ROI: Divorced Parents A parent calls to get information on their child. Can you release it? A parent calls to get information on their child. Can you release it? –If the parents are divorced, either parent may get access to the records with a proper release. Assume that they can get records unless told otherwise. –In the case where parental rights of one parent have been terminated, the parent with sole right is responsible to provide the information. –When in doubt, call the parent who has physical placement to ask if the other parent is allowed to obtain records. If they say no, then they would be required to present the corresponding court documents. If they say yes, obtain permission and document what was provided.

94 © Copyright 2009 HIPAA COW 94 ROI: Legal Guardians An individual calls to discuss appointment information with you for a patient and states he is the patients Legal Guardian, may I discuss this with the individual? An individual calls to discuss appointment information with you for a patient and states he is the patients Legal Guardian, may I discuss this with the individual? –Yes, after verifying the individual is the patients Legal Guardian and has access rights to the type of records being requested. Heres how to verify: Prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as: Prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as: –Name –Date of Birth –Address –Other identifiers: Ask them to verify other identifying information that we would have in the client file. S.S.# etc..

95 © Copyright 2009 HIPAA COW95 ROI: Step-Parents A step-parent calls to discuss her stepchilds care. May you discuss this with her? A step-parent calls to discuss her stepchilds care. May you discuss this with her? –No, unless the step-parent is a legal guardian and we have the guardianship papers on file, or a legal guardian has provided authorization. –Step-parents may call to schedule appointments, but do not have access to their step-childrens PHI, without authorization by a legal guardian.

96 © Copyright 2009 HIPAA COW96 ROI: Foster Parents Can foster parents get information on the child they are caring for? – –Yes, if they have guardianship, other court papers, or an authorization from the birth parent, allowing them the right of access. – –If they dont have any legal papers and a health care provider is in need of the information, you may release directly to the care provider.

97 © Copyright 2009 HIPAA COW97 ROI: Workers Compensation PHI to an Employer When releasing workers compensation records to an employer and/or work comp carrier, may I release the rest of the patients medical history (not related to the work comp claim with that employer)? When releasing workers compensation records to an employer and/or work comp carrier, may I release the rest of the patients medical history (not related to the work comp claim with that employer)? –No. The patients employer and work comp insurance carrier have the right to only those records reasonably related to the workers compensation claim/condition without an authorization. –Request the patient to sign an authorization form to release additional types of records.

98 © Copyright 2009 HIPAA COW98 ROI: Leaving Messages A spouse answers the phone, or the voice mail picks up. What information may I provide? Unless client has requested we not call their home or leave them messages: A spouse answers the phone, or the voice mail picks up. What information may I provide? Unless client has requested we not call their home or leave them messages: –State your first name and that you are calling from Northwest. –Ask the patient to return your call, and provide your direct phone number. –Do not provide detailed information, other than an appointment reminder. –Example: This is Sally from Northwest calling for Johnny Doe. Please call me back at your earliest convenience at (the phone number where you can be reached). Thank you. –Double check you ended the call.

99 © Copyright 2009 HIPAA COW99 ROI: Faxing PHI May we Fax PHI? May we Fax PHI? –Yes, we may fax PHI, but only when in the best interest of patient care or payment of claims. –We may not fax sensitive PHI (HIV, mental health, AODA, STDs, etc.), unless approval is given on the ROI. –It is best practice to test a fax number prior to faxing PHI to it. If this is not done, then complete the following: Restate the fax number to the individual providing it to you. Restate the fax number to the individual providing it to you. Obtain a telephone number to contact the recipient with any questions. Obtain a telephone number to contact the recipient with any questions. Do not include PHI on the cover sheet. Do not include PHI on the cover sheet. Verify you are including only the correct patients information (i.e. check the top and bottom pages). Verify you are including only the correct patients information (i.e. check the top and bottom pages). Double check the fax number prior to sending it. Double check the fax number prior to sending it.

100 ROI: E-mail
When sending ePHI to anyone for treatment, payment or healthcare operations, encrypt the e-mail and verify that the organization's confidentiality disclaimer is included on the e-mail.

101 And now, for some general safeguarding tips…
How else can I protect our patients' PHI?

102 Safeguarding: Discussing PHI
You never know who may overhear you discussing a patient. Another patient or a coworker could be the patient's neighbor, best friend, cousin, etc.
–Remember to talk quietly.
–When possible, discuss PHI privately, such as behind a closed door.
–Avoid having discussions in patient waiting rooms, elevators, the cafeteria, etc.

103 Safeguarding PHI: Approaching a Co-worker
You need to talk with a co-worker, but she is talking with a different patient to schedule his appointment. What should you do?
–Give your co-worker the privacy to finish working with that patient and approach her when she is done.

104 Safeguarding: Seeing a Patient Outside [Organization]
You're walking through the grocery store one day and see a Northwest Counseling & Guidance Clinic patient. What should you do?
–It's ok to say hello, but don't ask the patient how she's doing or questions about her health. It's ok to listen if she offers to update you on her health.
–Let the patient approach you first, but don't make it seem like you are trying to avoid her.

105 Safeguarding: Talking with Friends About Work
You had a negative encounter with a patient and really need to vent to a friend after work. What can you discuss?
–Working in health care isn't easy, and patient confidentiality MUST be maintained at all times: at work, during non-work hours, and after your employment ends with the organization. Here are some helpful tips…

106 Safeguarding: Talking with Friends About Work
Do not share with family, friends, or anyone else a patient's name or any other information that may identify him/her. For instance:
–It would not be a good idea to tell your friend that a patient came in to be seen after a severe domestic dispute incident. Why? Your friend may hear about the domestic dispute on the news and know the person involved.
Do not inform anyone that you know a famous person, or their family members, were seen at this organization.

107 Safeguarding PHI: Media
If I am contacted by the media, may I release PHI to them? If I am contacted by an individual offering to pay me for PHI, may I release it to them?
–No! You may not release PHI under either of these circumstances. Both are grounds for disciplinary action.
–Refer the requestor to the Privacy Officer.

108 Safeguarding PHI: Delivery
I need to transport paper records/PHI to another department. Is it ok for me to do this?
–Yes, you may transport documents to another department.
–Secure them so you don't drop them:
  Carry them close to your person.
  Carry them in a facility-designated bag, box, or container.
  Ensure no names are visible.
  Ensure that no records are left unattended.

109 Safeguarding PHI: Transporting Offsite
When it is necessary to transport PHI externally:
–Place it in a locked briefcase, closed container, or sealed self-addressed interoffice envelope;
–Place PHI in the trunk of your vehicle, if available, or on the floor behind the front seat;
–Lock vehicles when PHI is left unattended.
You may not transport patient charts between departments or offsite unless authorized by the onsite administrator.

110 Safeguarding PHI: Interoffice Mail
Send all PHI in sealed interoffice envelopes.
–Verify that all PHI from the envelope's previous use was removed before stuffing it.
–Address them to the correct individual and department.
–Mark the envelope "confidential".
–Confirm you are sending the correct PHI.

111 Safeguarding PHI: Paper
Turn over/cover PHI when you leave your desk/cubicle so others cannot read it.
–If you have an office, you have the option of closing your door instead.
Turn over/cover PHI when a coworker approaches you to discuss something other than that PHI.

112 Safeguarding PHI: Paper Continued
Don't leave documents containing PHI unattended in fax machines, printers, or copiers.
Check your fax machine frequently so documents are not left on the machine.

113 Safeguarding PHI: Disposal
How should I dispose of confidential paper?
–Shred it, or place all confidential paper in the designated confidential paper bins.
Does this include Post-it notes, scratch paper, envelopes, and old non-confidential documents we no longer need?
–No. Please put these in the recycling paper bins!
Does this include tissue, paper plates, cardboard, and pizza boxes?
–No. Please put these items in the regular trash or other appropriate recycling container!
How should I dispose of electronic media (floppy disk, CD, USB drive, etc.)?
–Provide electronic media to the IT Department to dispose of it.

114 Facility Security
How can I help protect our facilities?
–Wear your ID badge at all times, if provided (it helps identify you as a Northwest Counseling & Guidance Clinic employee/provider).
–Only let employees enter through employee entrances with you.
–Keep hallway doors that lead to patient care areas closed.
–Request that vendors and contracted individuals sign in.

115 What are Restricted Areas?
Restricted areas are those areas within our facilities where PHI and/or organizationally sensitive information is stored or utilized.
–Receptionist stations
–Business office windows
–Records Department
–Patient care hallways/treatment areas
–Offices
–Storage closets and cabinets
–Accounting, Human Resources, Administration Offices, IT Department, etc.
–Employee meeting rooms/kitchens in the departments
–Areas containing potential safety hazards (e.g. medical imaging, lab, nuclear medicine, etc.)

116 Facility Security Continued…
–If you see someone in a restricted area and you do not recognize them, kindly ask "May I help you?"
–Escort the individual out of the restricted area and to the individual/area he/she is visiting.

117 Business Associate Agreements
If you initiate negotiations to contract with a company to perform, or assist in the performance of, a function or activity involving the use or disclosure of PHI, please contact the Northwest Counseling & Guidance Clinic Privacy Officer to obtain a Business Associate Agreement (BAA). Examples of when to obtain a BAA with a company include:
–Claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; and
–Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

118 Other Confidentiality Agreements
When initiating a contract with a company to perform work for Northwest Counseling & Guidance Clinic that will not have direct access to PHI, request that they sign a Confidentiality Agreement.

119 HIPAA and Your Role
Remember, it is your responsibility, as a Northwest Counseling & Guidance Clinic employee or provider, to comply with all privacy and security laws, regulations, and Northwest Counseling & Guidance Clinic policies pertaining to them.
Employees and providers suspected of violating a privacy or security law, regulation, or Northwest Counseling & Guidance Clinic policy are provided reasonable opportunity to explain their actions.
Violations of any law, regulation, and/or Northwest Counseling & Guidance Clinic policy will result in disciplinary action, up to and including termination.

120 HIPAA Violations: How Much is Enough? How Much is too Much?
There are three types of violations:
–Incidental
–Accidental
–Intentional

121 Incidental Violations
If reasonable steps are taken to safeguard a patient's information and a visitor happens to overhear or see PHI that you are using, you will not be liable for that disclosure.
Incidental disclosures are going to happen…even in the best of circumstances.
An incidental disclosure is not a privacy incident. This type of disclosure is not required to be documented.

122 Accidental Violations
Mistakes happen. If you mistakenly disclose PHI or provide confidential information to an unauthorized person, or if you breach the security of confidential data:
–Acknowledge the mistake and notify your supervisor and the Privacy Officer immediately.
–Learn from the error and help revise procedures (when necessary) to prevent it from happening again.
–Assist in correcting the error only as requested by your leader or the Privacy Officer. Don't cover up or try to make it right by yourself.
Accidental disclosures are Privacy Incidents and must be reported to your Privacy Officer immediately! This disclosure must be documented.

123 Intentional Violations
If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect:
–Disciplinary action, up to and including termination.
–Civil and/or criminal charges.
Examples include:
–Accessing PHI for purposes other than assigned job responsibilities.
–Attempting to learn or use another person's access information.
If you're not sure about a use or disclosure, check with your Supervisor or the Privacy Officer.

124 Reporting HIPAA Violations
If you are aware or suspicious of an accidental or intentional HIPAA violation, it is your responsibility to report it.
–Northwest Counseling & Guidance Clinic may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who in good faith reports a violation (whistle-blowing).
–Refer to the Office for Civil Rights web page for more examples of what and how to report.

125 It's Important to Report HIPAA Violations…
So they can be investigated, managed, and documented.
So they can be prevented from happening again in the future.
So damages can be kept to a minimum.
To minimize your personal risk.
In some instances, management may have to notify affected parties of lost, stolen, or compromised data.
Incidental disclosures need not be reported, but if you're not sure, report them anyway.

126 Patient Complaints
Report all patient complaints.
We are required by law to respond to privacy and security complaints.

127 How May I Report a HIPAA Privacy Violation?
Directly to your Supervisor, who in turn reports it to the Privacy Officer.
Call or e-mail the Privacy Officer.

128 How May I Report a HIPAA Security Violation?
If it involves a breach of patient confidentiality, report it through the same methods listed for Privacy Violations.
If it does not involve a breach of confidentiality, report it through one of the following methods:
–The same methods listed for Privacy Violations
–Call or e-mail the Security Officer.

129 Questions, Comments, Concerns…
Not sure which way to go?
Please contact your Privacy Officer at Extension 126.
Please contact your Security Officer at Extension 126.

130 Remember to complete your training documentation and turn it in to your supervisor.

131 Thank you, from… The Privacy and Security Committees
Hand In-hand Protecting All Accounts!
Refer to the HIPAA COW website for privacy, security, and EDI reference materials.

132 HIPAA COW Authors
Primary author: Holly Schlenvogt, MSH, ProHealth Care Medical Associates, Privacy Officer
Contributing authors:
–Cami Beaulieu, Red Cedar Medical Center, ROI Supervisor and Privacy Assistant
–Jane Duerst Reid, RHIA, Clear Medical Solutions, HIM Consultant
–Linda Huenink, MS, RHIA, Wk Co. Dept. of Health & Human Services, Records Supervisor
–Carla Jones, Senior Staff Attorney/Privacy Officer, Marshfield Clinic Legal Service
–Kathy Johnson, Privacy & Compliance Officer, Wisconsin Dept. of Health Services
–Melissa Meier, ProHealth Care Medical Associates, Corporate Compliance Coordinator
–Kim Pemble, Executive Director, WI Health Information Exchange (WHIE)
–LaVonne Smith, Information Services Director, Tomah Memorial Hospital
Reviewed by: HIPAA COW Privacy & Security Networking Groups
