1. NC DMH Privacy Training1 HIPAA Privacy: HOW IT AFFECTS YOU !!!

2. NC DMH Privacy Training2 Goals of Training To increase your knowledge & understanding of what protected health information (PHI) is in this facility, and what threats may exist to its privacy and its security To enhance your awareness of your role in helping this facility follow HIPAA rules To provide information about to whom you can go with questions about privacy, and about security To inform you about your reporting responsibilities when HIPAA violations occur To alert you to the possible penalties for violation of HIPAA law for both you and this facility To protect the confidentiality of our consumer's Protected Health Information (PHI) in support of one of our values -- dignity, self-worth and individual rights. It's the right thing to do! To Understand that this same law also protects you as a consumer of health care.

3. NC DMH Privacy Training3 Privacy Regulations IMPLEMENTATION DATE Security Regulations (To Be Announced) April 2003

4. NC DMH Privacy Training4 What is HIPAA? Health Insurance Portability and Accountability Act of 1996 – a Federal Law Portability Administrative Simplification Data Standardization Security Privacy

5. NC DMH Privacy Training5 What is HIPAA? Portability: Protects and guarantees health insurance coverage when an employee changes job Accountability: Protects health data integrity, confidentiality and availability Reduces Fraud and Abuse Makes fraud prosecution easier (Medicare/Medicaid) Reduces Paperwork

6. NC DMH Privacy Training6 What is HIPAA? Data Standardization Establishes National Standards for Electronic Data Transmission Portability –Transactions (Enrollment, Eligibility, Claims, Payment and others), Codesets and Identifiers. Establishes Standards for Protection of Health Information –Privacy (Operational, Consumer Control, Administration) –Security (Administrative, Physical, Technical, Network)

7. NC DMH Privacy Training7 WHY COMPLY WITH HIPAA ? Avoid denied and or delayed reimbursements –DHHS agencies process claims bringing in more than $ 550 million in receipts annually. –Annual Medicaid disbursements totaling more than $4.6 billion. May risk Accreditation. (e.g. Joint Commission on Accreditation on HealthCare Organizations: Public relations and business risk issues Benefit from long term healthcare cost reductions Impose severe penalties for non-compliance

8. NC DMH Privacy Training8 DEFINITION: PRIVACY Privacy is the right of an individual to keep his/her individual health information from being disclosed.

9. NC DMH Privacy Training9 HIPAA KEY TERMS as they relate to privacy of Protected Health Information (PHI) Privacy Use Disclose Authorization PHI Minimum Necessary

10. NC DMH Privacy Training10 HIPAA KEY TERMS Defined Use - means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. (Also see Part II, 45 CFR 164.50) Disclose - Release or divulgence of information by an entity to persons or organizations outside of that entity. (Also see Part II, 45 CFR 164.501) Authorization - The mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment or health care operations. For example, Protected Health Information (PHI) released for special Olympics activity. PHI (Protected Health Information) - All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc…) Minimum Necessary - When using any PHI, a covered entity must generally make reasonable efforts to limit itself to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request”.

11. NC DMH Privacy Training11 Privacy Why the concern?

12. NC DMH Privacy Training12 HIPAA Enforcement CIVIL PENALTIES for failure to comply –$100 fine per person per violation –$25,000 fine per year for multiple violations –$25,000 fine cap per year per requirement. –You can be personally liable!

13. NC DMH Privacy Training13 HIPAA Enforcement CRIMINAL PENALTIES for failure to comply –Knowingly or wrongfully disclosing or receiving PHI: $50,000 fine and/or one year prison time –Commit offense under false pretenses: $100,000 fine and/or five years prison time –Intent to sell PHI or client lists for personal gain or malicious harm: $250,000 fine and/or ten years prison time. –Again, you can be personally liable!

14. NC DMH Privacy Training14 HIPAA Enforcement Continued These penalties apply to oral, paper and electronic Protected Health Information (PHI).

15. NC DMH Privacy Training15 HIPAA Requires DMH to….. Establish or Appoint –Policies and procedures to safeguard PHI –Privacy Officer –Security Officer –Privacy Officer and the Security Officer work with each facility’s HIPAA core team –Disciplinary actions policy Provide HIPAA training to the workforce -As necessary and appropriate on Privacy Policies and Procedures

16. NC DMH Privacy Training16 What is PHI ? Protected Health Information - All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc…)

17. NC DMH Privacy Training17 Where do we find PHI? 1. 2. 3. 4. 5. 6. 7.

18. NC DMH Privacy Training18 Where do we find PHI? Medical records and billing records Insurance/Benefit Enrollment and Payment Claims adjudication Case or medical management records (Note---it exists both on paper and electronically)

19. NC DMH Privacy Training19 Examples of PHI 1. Name 2. 3. 4. 5. 6 7 8 9

20. NC DMH Privacy Training20 Names All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code………. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death…….. Telephone numbers Fax numbers Electronic mail addresses Social Security Numbers Medical record numbers Health plan beneficiary numbers Examples of PHI Account numbers Certificate/license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbers Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images….. Any other unique identifying number, characteristic….. +

21. NC DMH Privacy Training21 HIPAA Requires DMH to….. Identify PHI Uses and Disclosures –WHO: People who routinely use or disclose (or receive requests to) PHI in our Institutions/Facilities –WHAT: Individually identifiable health information –HOW: Written, oral, electronic communication –HOW MUCH: Minimum necessary to accomplish purpose

22. NC DMH Privacy Training22 PHI Does Not Include….. –Education records –Workman’s comp Records –Health information in your personnel record –Psychotherapy notes: (Treatment/Counseling by mental health professionals) Kept separate from the medical record, usually in a clinician’s own file and not made part of the individual’s medical record.

23. NC DMH Privacy Training23 Psychotherapy Notes ARE NOT The following are not considered psychotherapy notes and therefore are PHI: –Medication prescription and monitoring –Counseling session start and stop times, the modalities and frequencies of treatment furnished –Clinical test results –Any summary of the following items: diagnosis functional status, the treatment plan, symptoms prognosis, and progress to date

24. NC DMH Privacy Training24 WHO IS AFFECTED? Employees who handle/use/know individuals’ Protected Health Information (PHI) Health Care Providers (Health departments, hospitals, doctors’ offices, any agency that transmits PHI electronically) Health Plans that provide or pay the cost of medical care (e.g., Medicaid, Medicare, Champus, BC/BS, HMOs) Trading Partners - Electronically Exchange Protected Health Information Business Associates - Perform services “on your behalf” HIPAA also applies to you as a consumer of healthcare!

25. NC DMH Privacy Training25 Case Scenario Presentations How would we handle the following situations?

26. NC DMH Privacy Training26 Challenge for DMH whatwhereIf you do NOT know what or where PHI is, whoand who uses or asks for it, You will be hard pressed to protect it.

27. NC DMH Privacy Training27 How Do Individual Staff Protect PHI? (Your List) 1. 2. 3. 4. 5. 6. 7.

28. NC DMH Privacy Training28 How Individual Staff Protect PHI Close doors or draw privacy curtains/screens Conduct discussions so that others may not overhear them Don’t leave medical records where others can see them or access them Keep medical test results private PHI info should NOT be shared or viewable in public areas Don’t leave copies of PHI at copy machines, printers, or fax machines. Don’t leave PHI exposed in mail boxes or conference rooms. Don’t share computer passwords or leave them visible Don’t leave computer files open when leaving unlocked or shared work area Secure PHI when no one is in the area, lock file cabinets and office doors Safeguard PHI when records are in your possession Return medical records to appropriate location Dispose of paper containing PHI properly Fax only if according to Center policy

29. NC DMH Privacy Training29 How Individual Staff Protect PHI ……….Email with individuals’ identifiable information (1st name, last initial ok) ……….Leave PHI in any public wall file trays unless enclosed in an interoffice envelope ……….Discuss an individual in front of other individuals or visitors ……….Leave diskette boxes containing PHI in unlocked areas ……….Leave PHI for shredding in unlocked/undesignated area ……….Place individuals’ full names on desk blotters ……….Leave Rolodex files containing PHI accessible ……….Leave individual/employee PHI lists publicly posted ……….Leave records opened and unattended ……….Bring personal computers for use at a Health Center ……….Leave Center keys unattended ……….Leave Rolodex files containing PHI accessible WHETHER A HEALTH or FINANCIAL INTERVIEW, WHETHER A HEALTH or FINANCIAL INTERVIEW, OBSERVE THESE GUIDELINES !!! OBSERVE THESE GUIDELINES !!!

30. NC DMH Privacy Training30 “Need to Know” Principles Necessary for your job How much do you need to know? How much do other people need to know?

31. NC DMH Privacy Training31 HIPAA’s Minimum Necessary rules : –Must provide only PHI in the minimum necessary amount to accomplish the purpose for which use or disclosure is sought –Minimum necessary does not apply when patient provides a valid, signed authorization for release of PHI –De-identified Information: De-identified information is PHI with all HIPAA identifiers removed. Exceptions: –Disclosure to a health care provider for treatment –permissible uses or disclosures made by the patient. –Uses or disclosures made based on patient’s signed authorization. –Uses or disclosures required for HIPAA compliance –Use for legal proceedings, law enforcement, et. How Does “Need to Know” Translate into HIPAA?

32. NC DMH Privacy Training32 HIPAA Requires… Notice of Privacy Practices –Purpose: to provide consumer with adequate notice of uses or disclosures of PHI –Must be written in plain language –Must be provided at the time of first service or assessment for eligibility –Has to provide Privacy Officer contact information

33. NC DMH Privacy Training33 HIPAA Consumer Protections Amendment –Consumers may request to amend PHI in medical records –That request may be referred to the facility Privacy Official DMH facility may either grant OR deny the request

34. NC DMH Privacy Training34 HIPAA Consumer Protections Restrictions –Consumers may request that the facility restrict how it uses/discloses their PHI –Facility is NOT required to accept the request –If restriction is accepted, then follow it Don’t deviate or depart from that restriction!

35. NC DMH Privacy Training35 HIPAA Consumer Protections Access –Consumers can access PHI Inspect Copy –Request for access MUST be in writing –Facility Must - Respond to request within 60 days; May recover cost-based fee for copy, explanation, or summary of records –If access is denied, reason for that denial will determine if the consumer can appeal –Consumer must appeal to facility Privacy Official

36. NC DMH Privacy Training36 HIPAA Consumer Protections Accounting of Disclosures –Consumers have a right for an accounting of disclosures Time frame: 6-year period Clock starts: April 14, 2003 –Applies to both written and oral disclosure –Specific to times, places, beneficiaries and content disclosures

37. NC DMH Privacy Training37 HIPAA Consumer Protections Verification –Facility must verify that Person or agency requesting the PHI Is who they say they are –Facility must document the verification.

38. NC DMH Privacy Training38 HIPAA Consumer Protections Complaint Procedure –HIPAA requirement –Allows a consumer to file a complaint if they believe we have improperly used or disclosed their PHI

39. NC DMH Privacy Training39 HIPAA PHI Protections Staff Access to PHI –Purpose: to guide staff in keeping PHI confidential –Inappropriate access/use/disclosure of consumer PHI results in disciplinary action, possible other penalties.

40. NC DMH Privacy Training40 HIPAA Disclosure Protections Authorization –Required to disclose PHI to person or agency outside the facility –Must be specific: What PHI is to be shared With whom For what purpose –May be revoked

41. NC DMH Privacy Training41 When No Authorization Is Needed… Key examples: –Child abuse/neglect reports –Judicial/administrative proceeding –Law enforcement –To avert serious threat to health or safety –Audits Management and Financial –When required by US DHHS –Program monitoring and evaluation –Certification of facilities and individuals

42. NC DMH Privacy Training42 PRIVACY REGULATIONS RELATING TO RESEARCH, MARKETING, FUND RAISING For Research, Marketing and Fund Raising purposes, all PHI must be De-identified Information. (De-identified information is PHI with all HIPAA identifiers removed.) HIPAA still allows research to be conducted Proper authorizations must be in place WHAT ELSE DOES HIPAA REQUIRE?

43. NC DMH Privacy Training43 What Else Does HIPAA Require? Preemption of state law –Privacy Rule overrides any other state law unless that state law provides more protection for the consumer

44. NC DMH Privacy Training44 WAIVER OF RIGHTS Waiver: Covered entities may not require individuals to waive their rights as a condition of: –Treatment –Payment –Enrollment –Eligibility

45. NC DMH Privacy Training45 REFRAIN FROM INTIMIDATING OR RETALITORY ACTS Protection for individuals exercising their rights or whistleblowers: Covered entities may not –Intimidate –Threaten –Coerce –Discriminate against –Take any other retaliatory action

46. NC DMH Privacy Training46 QUESTIONS? If you are ever in doubt, always ask your Privacy Officer or their designee! Remember, that person is your first line of response to privacy questions. Privacy

47. NC DMH Privacy Training47 Key Things to Remember about Privacy We must safeguard consumer records Share only information necessary to do the work Consumers have the right to ask about use and disclosure of PHI DMH has Policies on HIPAA and you need to know them and follow them

48. NC DMH Privacy Training48 PRIVACY Vs. SECURITY Privacy is the right of an individual to keep his/her individual health information from being disclosed. Security is how we protect PHI from accidental or intentional disclosure, alteration, destruction or loss.

49. NC DMH Privacy Training49 SAFEGUARDS NCSCC must have appropriate safeguards in place: –Administrative –Technical –Physical Exceptions for preemption of state laws as agreed to by the US DHHS Secretary –More stringent –Public health investigation/intervention –Audits; management & financial –Program monitoring and evaluation –Certification of facilities and individuals

50. NC DMH Privacy Training50 Required Training Topics Security Issues that Impact Privacy –General Security Awareness –System Access –Password Management

51. NC DMH Privacy Training51 Purpose of Security To protect the system and information from unauthorized access To protect the system and information from unauthorized use

52. NC DMH Privacy Training52 General Security Awareness Security (protecting the system and the information it contains) includes protecting against unauthorized access from outside and misuse from within –hardware and software (Physical Computer Systems) –personnel policies –information practice policies –develop disaster/intrusion/response and recovery plans –designate security responsibilities –develop protocols regarding activities and security at personnel and work station level –Safeguards from fire, natural and environmental hazards and intrusions

53. NC DMH Privacy Training53 General Security Awareness Two Types of Security in HIPAA –Building\Physical Security –Computer\Electronic Security

54. NC DMH Privacy Training54 General Security Awareness Building\Physical Security –Building\Work Area Access –Locks and Keys –Badges\ID –Security Officer –Printers\Copy\Fax Machines

55. NC DMH Privacy Training55 General Security Awareness Building\Work Area Access –Sign into building –Show ID\Visitors Badge –Patient\Client Area Entry

56. NC DMH Privacy Training56 General Security Awareness Computer\Electronic Security –Computers –Location of PCs –Passwords\Log On –E-mail –Faxes

57. NC DMH Privacy Training57 Things to Know about System Access Don’t share the session Report Discrepancies Be aware that disciplinary action may result Termination of Access

58. NC DMH Privacy Training58 PC and System Protection Be aware of potential harm Follow the e-mail policy Don’t download non-DMH approved programs Report unknown or suspicious e-mail, attachments

59. NC DMH Privacy Training59 What is Password Security? –Don’t tell anyone your password. –Don’t write your password down anywhere –Change password if others know it –Enter your password in private Password Management

60. NC DMH Privacy Training60 Password Management Guidelines for good passwords –Don’t Choose password with more than 8 characters Choose password that can be found in a dictionary Choose password that uses public information such as SSN, Credit Card or ATM #, Birthday, date, etc. Reuse old passwords or any variation Use user id or any variation

61. NC DMH Privacy Training61 Guidelines for good passwords –Do No clear link to you personally Six to 8 characters Minimum of 2 alpha and 1 numeric Use upper and lower case characters Change to a completely new password Memorize your password Password Management

62. NC DMH Privacy Training62 Application Role in Security Role will dictate access –Only access to what you need in order to do the job

63. NC DMH Privacy Training63 Key Things to Remember about Security Security impacts privacy Both building and computer security are important Fundamentals of good password management

64. NC DMH Privacy Training64 TOP 10 PRIVACY & SECURITY PRACTICES 1. When in doubt, don’t give information out 2. Log off before you walk off from your computer 3. Double check fax numbers before sending 4. Do not send e-mails or use the internet unless the connection is secure and approved. 5. Identity of the caller before releasing confidential information. 6. Never share your password with anyone. 7. Maintain the security of all patient information in all its medium like paper, electronic and oral. 8. Discuss patient information in private locations 9. Access information on a need to know basis, only to do your job. 10. Dispose of confidential information according to proper procedures (ie. Locked Shred Bins)

65. NC DMH Privacy Training65 SUMMARY -1 HIPAA - A Health Care Paradigm Affects clearinghouses, patients. Requires changes to business processes and applications, staffing plans, facilities and Information systems applications Provides patients with rights Shifts power in provider/consumer relationships Introduces new legal liabilities Conveys severe civil and criminal penalties payers, providers, employers, medical manufacturers, Pharmaceutical companies, employees

66. NC DMH Privacy Training66 SUMMARY -2 HIPAA - is not going away Healthcare industry wants standardization Consumers want health information to be protected HIPAA is not an option HIPAA is doing business in the “New Millennium” Implementation cost is short term Operational benefit is long term

67. NC DMH Privacy Training67 Where To Go For More Information US Department of Health and Human Services - www.aspe.os.shhs.gov Center for Medicare and Medical Aid Services - www.cms/gov Workgroup for Electronic Data Interchange (WEDI) - www.wedi.org Washington Publishing Company - www.wpc-edi.com North Carolina Division of Medical Assistance - www.dhhs.state.nc.us/dms/ NC DHHS HIPAA Web Site -http://dirm.state.nc.us/hipaa/

68. NC DMH Privacy Training68 Any Questions?

69. NC DMH Privacy Training69 IMPLEMENTATION DATE April 2003