SullyMed Informatics 2003 1 HIPAA Privacy Training Staff.

1 SullyMed Informatics HIPAA Privacy Training Staff

2 SullyMed Informatics HIPAA What?

3 SullyMed Informatics What is HIPAA Health Insurance Portability and Accountability Act

4 SullyMed Informatics What is HIPAA
A Federal Law intended to
- Improve portability and continuity of health insurance coverage
- Combat waste, fraud and abuse in health insurance and health care delivery
- Promote use of medical savings accounts
- Improve access to long term care services
- Simplify administration

5 SullyMed Informatics HIPAA
TITLE I -- HEALTH CARE ACCESS, PORTABILITY, AND RENEWABILITY
TITLE II -- PREVENTING HEALTH CARE FRAUD AND ABUSE; ADMINISTRATIVE SIMPLIFICATION; MEDICAL LIABILITY REFORM
TITLE III -- TAX-RELATED HEALTH PROVISIONS
TITLE IV -- APPLICATION AND ENFORCEMENT OF GROUP HEALTH PLAN REQUIREMENTS
TITLE V -- REVENUE OFFSETS

6 SullyMed Informatics HIPAA
TITLE I -- HEALTH CARE ACCESS, PORTABILITY, AND RENEWABILITY
TITLE II -- PREVENTING HEALTH CARE FRAUD AND ABUSE; ADMINISTRATIVE SIMPLIFICATION; MEDICAL LIABILITY REFORM
TITLE III -- TAX-RELATED HEALTH PROVISIONS
TITLE IV -- APPLICATION AND ENFORCEMENT OF GROUP HEALTH PLAN REQUIREMENTS
TITLE V -- REVENUE OFFSETS

7 SullyMed Informatics Immediate Impact
Transaction and Code Sets
Security Rule
Privacy Rule

8 SullyMed Informatics Focus Today
Transaction and Code Sets
Security Rule
Privacy Rule

9 SullyMed Informatics Scene 1
Monday morning 10 A.M.
- Waiting room full, phones ringing, conversations going on all over
- Receptionist sitting at window
  - Phone on shoulder on hold
  - Monitor in view of patient
- “Good morning Mrs. Jones, you are here for your colonoscopy, did you bring the oncologist’s records?”

10 SullyMed Informatics Scene 2
MA comes to get Mrs. Jones
Says hello to another patient she knows
- Inquires about her daughter
- How did husband’s lab test come back
  - Patient surprised he had any test
Brings Mrs. Jones back to exam room

11 SullyMed Informatics Scene 3
Records room and clerks all working and talking
Filing labs and asks coworker if they saw the results on Mr. Smith
Notices duplicate copies of results and throws one in trash can

12 SullyMed Informatics Scene 4
Billing rep on phone
- Mrs. Jones we cannot send bill to a work address
- You want to change the diagnosis in your chart? We cannot do that!

13 SullyMed Informatics Scene 5
End of day
- Charts all over countertops, desks etc.
- Wastebaskets full of duplicate copies of reports, letters etc.
- Filing cabinets open
- Computer screens remain on, open to practice management system

14 SullyMed Informatics Do We Need a Privacy Regulation
No Federal law or national standard
State laws inadequate and inconsistent
False sense of privacy with paper charts
Now the sharing of health information with millions is only a mouse click away

15 SullyMed Informatics Harm from Inappropriate Disclosure of PHI
Mental anguish
Personal Discrimination
Economic harm
Non-disclosure of important medical info is important to physicians
- Core of health care today
- Harms patient – physician relationship
- Harms quality of care

16 SullyMed Informatics Who does it apply to?
Health Plans
Health Care Clearinghouses
Health Care Providers
- No distinction between small office and large tertiary care hospital
- Same rules apply, only implementation differs

17 SullyMed Informatics Definitions

18 SullyMed Informatics Health Information
Any information in any form which
- Is created or received by the practice
- Relates to past, present, future physical or mental health or condition of an individual
- Relates to past, present, future payment for providing health care
- Includes oral, written, electronic information

19 SullyMed Informatics IIHI
Individually Identifiable Health Information
Information that is a subset of health information collected from an individual and that
- Is created or received by a provider
- Relates to past, present, future physical or mental health of individual, payment for providing the health care or providing the health care
- AND
  - Identifies the individual OR
  - There is a reasonable basis to believe it can be used to identify the individual

20 SullyMed Informatics Protected Health Information PHI
Individually Identifiable Health Information that is transmitted or maintained in any form
Excludes IIHI in
- Educational records
  - Family Educational Rights and Privacy Act 20 U.S.C. 1232g
- Employment records held by the office in its role as employer

21 SullyMed Informatics TPO
Treatment
Payment
Operations
- Health Care Operations

22 SullyMed Informatics Use and Disclosure
Use
- Sharing, analysis, utilization or examination of IIHI within the office
Disclosure
- Release, transfer, providing access to or divulging IIHI outside the office holding the information

23 SullyMed Informatics Confidentiality
Carried out or revealed in the expectation that anything done or revealed will be kept private
Entrusted with somebody’s personal or private matters

24 SullyMed Informatics Privacy
Freedom from observation, intrusion or attention of others
The state of being kept secret
About controlling access to information

25 SullyMed Informatics So far…
What HIPAA is
Who it applies to
Some important definitions

26 SullyMed Informatics Now…
How does it apply to us
What we can and cannot do
Office’s privacy practices
Patient Rights
When do we have to do all this
What are the penalties if we don’t do this

27 SullyMed Informatics Privacy Rule Intent
To protect IIHI from being wrongfully used or disclosed
To protect IIHI from being used or disclosed without an individual’s knowledge

28 SullyMed Informatics Uses and Disclosures
Required
Permitted
Minimum Necessary
Special Circumstances

29 SullyMed Informatics Required Disclosures
To the individual when they request access to their information or they request an accounting of disclosures
When requested by the Secretary to investigate compliance with the Privacy Rule

30 SullyMed Informatics Permitted Uses-Disclosures
To the individual
For TPO
Incident to another permitted use-disclosure
Pursuant to a valid authorization
As permitted under special circumstances

31 SullyMed Informatics Minimum Necessary Standard

32 SullyMed Informatics Minimum Necessary
Must make reasonable effort to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure

33 SullyMed Informatics Minimum Necessary
Must use, disclose and request only the smallest amount of PHI needed to accomplish the purpose
- Access only needed information
- Follow office policies and procedures for disclosures
- Be careful about disclosing entire medical records

34 SullyMed Informatics When Minimum Necessary Does not apply
Treatment → Provider requests PHI for treatment purposes
Individual → Disclosures made to the individual
Authorization → Pursuant to a valid authorization
Secretary → When requests
Law → When required
Compliance → When required for compliance with these requirements

35 SullyMed Informatics Special Circumstances
Need to take additional steps

36 SullyMed Informatics Special Circumstances Use and Disclosure PHI
Personal representatives
Deceased individuals
Whistleblowers
Victims of a crime

37 SullyMed Informatics Personal Representatives
Must treat a personal representative as the individual except
- Unemancipated minor
- Abuse or neglect

38 SullyMed Informatics Adults and Emancipated Minor
If a person has authority to act on behalf of adult or emancipated minor in making decisions related to health care, must treat that person as the individual with respect to PHI
- Durable Power of Attorney
- Adult with Dementia

39 SullyMed Informatics Unemancipated Minors
If parent or guardian has authority to act on behalf of unemancipated minor in making decisions about health care, must treat that person as the individual

40 SullyMed Informatics Unemancipated Minors
May be able to act as individual when:
- Consents to health care and no law requires other consent and has not requested the person to act as a personal rep
- The personal rep agrees to confidentiality between minor and provider
- Minor may lawfully obtain health care services and consents e.g. birth control, STD

41 SullyMed Informatics Deceased Individuals
Must comply with all requirements regarding PHI of a deceased individual
Same rules apply to uses and disclosures
Personal Representatives become important

42 SullyMed Informatics Deceased Individuals
If an executor, administrator, or person has the authority to act on behalf of a deceased individual, must treat that person as the personal representative of the deceased individual.

43 SullyMed Informatics Abuse – Neglect – Endangerment
May elect not to treat a person as a personal representative if you believe
- Individual is or may be subject to domestic violence, abuse or neglect by the person OR
- Treating the person as a personal rep would endanger the individual
AND
Exercising professional judgment, decide it is not in the best interest of the individual to treat the person as the personal rep

44 SullyMed Informatics Whistleblowers
The organization is not in violation if a member of its workforce or discloses PHI provided that:
- The person or believes the organization is in violation of the rule AND
- Disclosure is to either
  - Health oversight agency or public health authority OR
  - An attorney

45 SullyMed Informatics Victims of a Crime
Organization is not in violation if a member of its workforce who is the victim of a crime discloses PHI to a law enforcement official provided that:
- PHI is about the suspected perpetrator AND
- PHI disclosed is limited to
  - Name, address, DOB, SSN, blood type
  - Date and time of treatment or death
  - Description of identifying characteristics → Ht, wt, gender, race, color eyes/hair, scars, tattoos

46 SullyMed Informatics Authorizations

47 SullyMed Informatics Authorization
Must obtain from the individual for any use/disclosure of PHI other than the following:
- TPO
- When required by law
- As listed in the Privacy Notice

48 SullyMed Informatics Valid Authorization
Must include specific elements
- Core elements
- Required statements
Use the office Authorization Form
- Previously used authorization forms will not be valid under new rules as they lack the necessary specific elements

49 SullyMed Informatics Authorizations
Have right to revoke at any time
- In writing using office revocation form
Must document and retain signed authorization forms
Must give copy of signed authorization form to individual

50 SullyMed Informatics Allowed uses and disclosures outside of TPO
Without authorization

51 SullyMed Informatics Use-Disclosures Allowed outside of TPO
Required by Law
Public Health Activities
Victims Abuse-Neglect, Domestic Violence
Health Oversight Activities
Administrative Proceedings
Law Enforcement
Funeral Homes and Coroners
Organ Donations
Specialized Govt Functions

52 SullyMed Informatics Prior to ANY Disclosure
What you must do

53 SullyMed Informatics Prior to any disclosure must
Verify identity of person receiving PHI and authority to do so
- Ask for verification when on phone e.g. if lab calling for info ask them for your tax id #
Obtain any document, statement or representation from the person requesting the info when such a statement is a condition of the disclosure
- Subpoena

54 SullyMed Informatics Privacy Practices
Notice of Privacy Practices

55 SullyMed Informatics Notice of Privacy Practices
Every employee must read the office’s Notice of Privacy Practices
Must make a good faith effort to give Notice once to every patient and document that effort
Must be prominently displayed in the office

56 SullyMed Informatics Good Faith Effort
Must make good faith effort to give Notice to every patient
- Get written receipt of individual getting the Notice
  - Retain that receipt
- If individual refuses, simply document your efforts and why they failed
  - E.g. ‘patient refused to take the Notice’

57 SullyMed Informatics Patient Rights

58 SullyMed Informatics Six Patient Rights
To request restrictions
To receive confidential communication
To inspect and copy PHI
To amend PHI
To receive accounting of disclosures
To obtain a paper copy of notice

59 SullyMed Informatics Patient Rights
Must know them all
Must know how to implement them
Each has a specific office policy and a procedure on how to implement
If ever in doubt, ask your Privacy Officer

60 SullyMed Informatics Right to Request Restriction

61 SullyMed Informatics Right to Request Restriction
Must allow individual to request a restriction on
- Uses and disclosures for TPO
- Uses and disclosures for involvement in the individual’s care and notification purposes
- Other uses and disclosures in Privacy Notice
Not required to agree to the restriction request
Must document agreed upon restrictions

62 SullyMed Informatics Right to Request Restriction
If agree to restriction must abide by it
- May use or disclose PHI during emergency treatment when necessary but
- Must request provider receiving the info not use or disclose the information any further
An agreed upon restriction not effective to prevent uses and disclosures permitted or required without authorization

63 SullyMed Informatics Terminating a Restriction
May terminate agreement to a restriction if
- Individual agrees or requests the termination in writing
- Individual orally agrees and this is documented
- Inform individual you are terminating the restriction effective after the notification

64 SullyMed Informatics How to Request a Restriction
Follow policies and procedures
Must be done in writing using the form provided by the office
Staff cannot agree to or deny the request, only the Privacy Officer can do so.

65 SullyMed Informatics Right to Confidential Communications

66 SullyMed Informatics Confidential Communications
Must permit individuals to request receiving PHI by alternative means or at alternative locations
- Must accommodate if reasonable
Follow office policy and procedures
- Use proper form to obtain the request in writing
Only the Privacy Officer can determine if the request will be approved or rejected

67 SullyMed Informatics Right to Access

68 SullyMed Informatics Right to Access PHI
Right to inspect and/or obtain a copy of PHI

69 SullyMed Informatics Requests for Access
Follow office policy and procedure
- Must be made in writing
Staff members may not approve or reject the request
- Only Privacy Officer can do so

70 SullyMed Informatics Fees for Providing Copy of PHI
If individual requests copy or agrees to a summary of the PHI can charge reasonable, cost-based fees
This is described in the form individual completes to request access

71 SullyMed Informatics Denial of Access
To the extent possible, must give access to PHI other than PHI to which there is a ground for denial
Must provide written denial in plain language
- Basis for denial
- Statement of right to review if applicable
- Description of how to complain

72 SullyMed Informatics Right to Amend PHI

73 SullyMed Informatics Right to Amend
Follow office policy and procedure
- Use proper form
May deny the request if the PHI
- Was not created by the organization
- Is not part of a designated record set
- Is excluded from the right to access the PHI
- Is accurate and complete

74 SullyMed Informatics Accounting of Disclosures Right to Request

75 SullyMed Informatics Right to Accounting of Disclosures
Individual has right to receive accounting of disclosures made in the 6 years prior to date on which accounting requested
- Can be for a shorter time period if requested

76 SullyMed Informatics Concept of Disclosure Accounting
That every patient should be aware of disclosures of their PHI
If they are already aware of the disclosure then you need not keep track of it
- Authorizations
If they are not aware of the disclosure then you need to keep track of it so can tell them if they ever ask
- subpoenas

77 SullyMed Informatics Accounting of Disclosures
Must keep track of disclosures as they are done
Follow office policy and procedures
- Use proper form to document the disclosures as they occur

78 SullyMed Informatics Complaints

79 SullyMed Informatics Complaints
Must provide a way patients can file a complaint
- Concerning policy and procedures
- Concerning compliance
Must document all complaints
Follow office policy and procedures

80 SullyMed Informatics Safeguards
Physical
Technical
Administrative

81 SullyMed Informatics Physical Safeguards
Shred all documents with PHI prior to disposal
Non-employees are not allowed in the medical records area unless escorted
Non-employees are not allowed in the patient care areas unless escorted
All printers and fax machines will be located in non-public areas of the office

82 SullyMed Informatics Technical Safeguards
Password based log in procedure to computer system
Limiting PHI access to the minimum necessary to perform job functions
- Role Based Access Control
Automatic logoff after inactivity

83 SullyMed Informatics Administrative Safeguards
Remind employees to protect patient confidentiality
Enforce use of strong passwords to access computer system
No sharing of passwords
Limit information left on answering machines or with family members

84 SullyMed Informatics Administrative Safeguards
Have sender of a fax verify the number is correct for the intended recipient before sending the fax
Sanctions have been developed for employees violating the office’s privacy policy and procedures

85 SullyMed Informatics Sanctions

86 SullyMed Informatics Sanctions
Sanctions have been developed for employees who fail to comply with the office’s Privacy Policies and Procedures
All sanctions applied will be documented and retained for 6 years

87 SullyMed Informatics Violations
Level 1
- Inadvertent or accidental unauthorized use or disclosure of PHI
Level 2
- Purposeful or intentional unauthorized use or disclosure of PHI
- More than two Level 1 violations
Level 3
- Malicious unauthorized use or disclosure of PHI
- More than two Level 2 violations

88 SullyMed Informatics Sanctions
Level 1 violation → Verbal warning
Level 2 violation → Written warning in employee file
Level 3 violation → Employee termination immediately

89 SullyMed Informatics Sanctions
Will not apply
- To whistleblowers
- For filing a complaint
- For participating in an investigation

90 SullyMed Informatics No Retaliatory Acts

91 SullyMed Informatics Refraining from Intimidating or Retaliatory Acts
May not intimidate, threaten, coerce, discriminate against or take retaliatory action against
- Individual for filing a complaint
- Testifying, assisting or participating in investigation, compliance review or hearing
- Opposing any practice that individual believes is unlawful and does not involve PHI disclosure

92 SullyMed Informatics Penalties

93 SullyMed Informatics Civil Penalties
Up to $100 per person per violation
Up to $25,000 per person per violation of a single standard for a calendar year

94 SullyMed Informatics Criminal Penalties
Up to $50,000 and/or imprisonment for 1 year
If offense is under false pretenses, up to $100,000 and/or 5 years in prison
If offense is with intent to sell, transfer or use info for commercial advantage, personal gain or harm, then up to $250,000 and 10 years in prison

95 SullyMed Informatics Compliance

96 SullyMed Informatics Compliance Date for Initial Implementation of Privacy Rule
Health Care Providers → April 14, 2003
Health Plans → April 14, 2003
- Small Health Plans – April 14, 2003
Health Care Clearinghouses → April 14, 2003

97 SullyMed Informatics Revisit Scenarios
Put your HIPAA hat on

98 SullyMed Informatics HIPAA Scene 1
Monday morning 10 A.M.
- Waiting room full, phones ringing, conversations going on all over
- Receptionist sitting at window
  - Phone on shoulder on hold (put patient on hold)
  - Monitor in view of patient (monitor should be facing in direction so only employee can see it)
- “Good morning Mrs. Jones, you are here for your colonoscopy, did you bring the oncologist’s records?” (can ask if she brought records but not be specific)

99 SullyMed Informatics HIPAA Scene 2
MA comes to get Mrs. Jones
Says hello to another patient she knows
- Inquires about her daughter (OK if done so in general terms)
- How did husband’s lab test come back (cannot share PHI unless have authorization from husband; if she inquired about results simply say cannot share that information without written permission from him)
Brings Mrs. Jones back to exam room

100 SullyMed Informatics HIPAA Scene 4
Records room and clerks all working and talking
Filing labs and asks coworker if they saw the results on Mr. Jones (should not be looking at PHI unless necessary to do job)
Notices duplicate copies of results and throws one in trash can (must shred all documents with PHI before disposing)

101 SullyMed Informatics HIPAA Scene 5
Billing rep on phone
- Mrs. Jones we cannot send bill to a work address (must have first identified who you are talking to is the correct person; if patient requesting then should accommodate but get request in writing from patient)
- You want to change the diagnosis in your chart? We cannot do that! (you are right, you cannot change the info but you need to inform patient of their right to request an amendment to their PHI)

102 SullyMed Informatics HIPAA Scene 6
End of day
- Charts all over countertops, desks etc. (charts need to be filed properly)
- Wastebaskets full of duplicate copies of reports, letters etc. (these should have all been shredded)
- Filing cabinets open (if possible, they should all be closed)
- Computer screens remain on, open to practice management system (computers should all be logged off from the system)
