4/28/2015 DAVID LAWRENCE CENTER 1 Introduction to Client Confidentiality: Privacy & Security (HIPAA/Release of Information)
Slide 2: Introduction
You will learn about:
PRIVACY
- Authorization to Release Information
SECURITY
- Password protection
- Encryption
STANDARDIZATION OF TRANSACTION CODE SETS
- Standardization of HIPAA transaction standards (5010)
- Modification of Medical Data Code Sets (ICD-10-CM)
Slide 3: HIPAA – Health Insurance Portability and Accountability Act
Privacy – The Privacy Rule protects all forms of Protected Health Information (PHI), including ePHI (electronic, paper, or oral).
Protected Health Information includes:
- Names
- Relatives' names
- SSN
- Addresses
- DOB
- Employers
- Telephone and fax numbers
PHI – Protected Health Information: any information that identifies a client, or that, if disclosed, would identify a client and/or their treatment.
ePHI – Electronic Protected Health Information: any PHI that is stored, held or transmitted, either permanently or temporarily, in any electronic format.
- Examples: e-mail; documents (Word, Excel, PowerPoint or plain text); electronic reports saved for printing at a later date; PDAs; the Electronic Health Record; enterprise systems; network shares.
Portability – ensures that individuals moving from one health plan to another will have continuation of coverage and will not be denied coverage under pre-existing-condition clauses.
Accountability – significantly increases the federal government's fraud enforcement authority for privacy and security.
Administrative Simplification – August 2000; standardizes electronic transmissions of health care data.
Slide 4: Client Rights to Privacy
- Right to have access to their information
- Request amendments to their information (DLC has the right to approve or deny the request)
- Request revocation of their previously signed authorizations at any time; any information previously released will not be impacted by the revocation.
- Request an accounting of disclosures
  1. Paper records – Access to Records Log
  2. Electronic records – access is monitored by IT through the Profiler Reporting System.
Slide 5: Accessing and Requesting Protected Health Information
Authorization to Release Information – must be completed and on file in order to disclose information.
- The Clinical Records Department processes requests on paper or in electronic format.
- Fees: $1.00/page (no charge for healthcare providers, Prison Health Services, the Medical Examiner, and the Department of Children and Families).
- Required to respond within 7 business days.
- Who can complete the Authorization to Release Information?
  – Client
  – Biological parent/guardian
  – Proxy
  – Guardian ad litem, with appropriate court documentation
Basic information is disclosed by signing the Authorization; if additional information is requested, the client must initial the items and specify if "Other".
Authorization is not required for treatment, payment and operations.
Slide 6: Accessing and Requesting Protected Health Information (continued)
Access to information may be temporarily denied to the client. Authorization from the treatment provider to release information to the client will be required in the instances identified below:
– DCF involvement for abuse and neglect
– Baker Act admission for suicide attempts, if requested within 30 days of discharge
– Custody cases
Why is this required? If a client is requesting information that the provider feels could be harmful to that client, we have the right to temporarily deny the request. If the request is denied, the Health Information Record Denial Request must be sent to the client.
Slide 7: DLC's responsibilities to protect clients' rights are:
- Control who can access information – "Do I need to know this to do my job?"
- Acknowledge/notify clients of their rights
  – HIPAA Acknowledgement Form – the client only needs to sign once, unless major changes are made to the document
- Provide training to all staff
- Sanction Policy
- Policies and Procedures – available on the Center's intranet, from your program supervisor or office manager, and from Quality Assurance.
- Documentation – ensure errors in the electronic clinical record are appropriately corrected using the void function. Ensure entries in clinical records are not deleted.
Slide 8: DLC's HIPAA Compliance Officers
- Privacy Officer – Sharie Boscaglia
- Security Officer – Faron Richards
- Facility Security – Gary Boivin
Slide 9: Who Can See What?
- DLC is considered a "Covered Entity", which requires us to comply with HIPAA privacy and security regulations. ("Covered entity" includes most providers, clearinghouses and health plans.)
- Any organization receiving PHI from DLC is mandated to have a Business Associate Agreement, which requires them to comply with HIPAA regulations. (Exceptions are those who routinely receive PHI as part of treatment, payment or operations; otherwise a specific authorization is required.)
- Only authorized personnel can see the physical chart or any electronic version or representation thereof. Authorized personnel are defined as those individuals directly involved in treatment, billing, records or auditing of the information. These individuals are allowed access only in direct correlation with their job responsibilities.
- Clinical personnel not assigned to the treatment team are prohibited from reviewing the chart, unless for peer review, auditing purposes or referral to a program.
- Administrative personnel should have limited access to the client's record unless it directly relates to their job (Medical Records, auditing, reporting, scheduling).
Slide 10: SECURITY
Security – covers specifically electronic PHI (ePHI) which is being held, stored or transmitted.
Slide 11: Security
The Security Rule requires us to establish Administrative, Physical and Technical safeguards to control access to electronic protected health information, in order to ensure:
– Confidentiality – no accidental or intentional disclosure to unauthorized recipients.
– Integrity – data has not been altered or destroyed in an unauthorized manner. In no instance should information be deleted from a record.
– Availability – accessible and usable upon demand by an authorized entity.
Slide 12: Security
Technology has allowed us to compile a large amount of protected data in our Information Systems. Loss of any of these systems, and subsequently the loss of the data contained therein, would have a devastating impact on the agency.
Technology Security – passwords, encryption, etc.
- Keep your passwords secret, known only to you. Never share them with anyone. You are responsible for anything done on the system under your login ID. You are never permitted to share login and password information; this is considered a serious offense and corrective action may be taken.
- Commit your password to memory and change it often.
- If you forget your password or suspect it has been compromised in any way, contact the IT Helpdesk to have it reset for you.
- Select passwords that are not easily guessed. Always include at least one number and/or a special character such as $ # ! &.
- Never leave your system while you are logged on; always use Ctrl-Alt-Del and lock the computer.
- Do not write your password down and leave it in a conspicuous place such as on your monitor or under the keyboard.
- Contingency/Disaster Plan – DLC has Security Procedures in place; they can be located on the intranet.
- Use common sense: never leave PHI on a fax or printer for others to see. Security is not just a computer issue. Faxing information to an incorrect fax number is considered a breach of confidentiality.
- The use of memory sticks and key fobs is against Center policy.
- Electronic access is managed by security level in Profiler, which is based on provider type, tree view and treatment team participants.
Slide 13: Security
- Three ways to enter buildings: key, key fob, electronic key pad.
- Discard all documents with PHI in the proper locked container or use a crosscut shredder.
- Loading personal computer programs on DLC computer equipment is NOT permissible.
- The integrity of data on any Information System is the responsibility of every employee. Each person should verify the data they enter into the system by spot checking or data sampling to ensure it is in the proper location and is correct.
- Any PHI that is going to be sent via e-mail outside the Center must be put into an MS-Office document and encrypted, then sent as an attachment. PHI should never be included in the "subject" line or the content of the e-mail. If you are required to e-mail PHI as part of your job duties, please contact IT to ensure you are following adequate password and policy procedures.
Slide 14: Why Is Security Important?
- Public trust
- Morally and ethically the right thing to do
- Good business practice
- Protection against liability claims and lawsuits
- Avoids financial penalties and possible imprisonment
Slide 15: REPORTING BREACHES
Employees are required to notify the Privacy or Security Officer when they breach a HIPAA standard, or witness or discover any other individual breaching a standard. We are required to follow our policy on violations, and it must be enforced.
Effective November 30, 2009, HIPAA standards allow for penalties up to $250,000 per violation and up to 10 years imprisonment for breaches.
- Civil penalties of $25,000 for failure to comply
- Criminal penalties such as:
  – $50,000 fine and 1 year in prison for knowingly obtaining and wrongfully sharing information;
  – $100,000 fine and 5 years in prison for obtaining and disclosing through false pretenses;
  – $250,000 fine and 10 years in prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.
Slide 16: TRANSACTION CODE SETS
Transaction Code Sets – a set of codes standardized by HIPAA used for billing purposes.
- Improved the efficiency and effectiveness of the health care system by leading to cost reductions and improvements in benefits from electronic health care transactions.
- Has enhanced security of protected health information.
Slide 17: WHY COMPLY?
- It's a federal law! There are civil and criminal penalties.
- Enforced by the Office of Civil Rights
- DLC requires it
- It's a good business practice
Slide 18: PLEASE COMPLETE QUIZ
THE END