T.A.S. Communications, Inc. HIPAA – Privacy & Security (Part 1 & Part 2) HITECH (Part 3) Revised 03/16/2010
Two parts of HIPAA are covered in this presentation:
– HIPAA Privacy – protection for the privacy of Protected Health Information (PHI), effective April 14, 2003 (including standardization of electronic data interchange in health care transactions, effective October 2003)
– HIPAA Security – protection for the security of electronic Protected Health Information (e-PHI), effective April 20, 2005
What is the difference between Privacy and Security?
– The Privacy Rule sets the standards for how covered entities and business associates are to maintain the privacy of Protected Health Information (PHI).
– The Security Rule defines the standards that require covered entities to implement basic safeguards to protect electronic Protected Health Information (e-PHI).
Part 1: HIPAA Privacy Training Revised 03/16/2010
The Health Insurance Portability and Accountability Act (HIPAA) requires that T.A.S. Communications, Inc., as a business associate (BA), train all workforce members on the HIPAA policies and on those specific HIPAA-required procedures that may affect the work you do for the call center.
The HIPAA Training Program will help you to understand:
– What is HIPAA?
– Who has to follow the HIPAA law?
– When is the HIPAA implementation date?
– How does HIPAA affect you and your job?
– Why is HIPAA important?
– Where can you get answers to your questions about HIPAA?
What is HIPAA?
– HIPAA is the Health Insurance Portability and Accountability Act of 1996.
– HIPAA is a Federal Law.
– HIPAA is a response, by Congress, to healthcare reform.
– HIPAA affects the health care industry.
– HIPAA is mandatory.
HIPAA…
– Protects the privacy and security of a patient’s health information.
– Provides for electronic and physical security of a patient’s health information.
– Prevents health care fraud and abuse.
– Simplifies billing and other transactions, reducing health care administrative costs.
Who must follow the HIPAA Law? At T.A.S. Communications, Inc., all employees must follow the HIPAA Law.
A Business Associate is… a person or entity that performs certain functions, activities, or services for or to a covered entity involving the use and/or disclosure of PHI, but which is not part of the covered entity or its workforce. (Examples: transcription services, temporary staffing services, off-site call center, etc.)
T.A.S. Communications, Inc. is required to have agreements with covered entities stating that we will protect a patient’s PHI.
Examples of Covered Entities
– Providers
– Health Plans
– Clearinghouses for Electronic Billing
– Business Associates (through contracts)
Covered Transactions consist of:
– Enrollment and dis-enrollment
– Premium payments
– Eligibility
– Referral certification and authorization
– Health claims
– Health care payment and remittance advice
What Patient Information Must We Protect? Protected Health Information (PHI):
– Relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or payment for care provided to an individual.
– Is transmitted or maintained in any form (electronic, paper, or oral representation).
– Identifies, or can be used to identify, the individual.
Examples of PHI (PHI = Health Information with Identifiers)
– Name
– Address (including street, city, county, zip code, etc.)
– Name of employer
– Any date (birth date, date of appointment)
– Telephone and fax numbers
– Electronic (email) addresses
– Social Security Number
Other Examples of PHI
– Health plan beneficiary number
– Account number, billing records, claims data, referral authorizations, EOBs
– Certificate/license number
– Any vehicle (or other device) serial number
– URL (web universal resource locator)
– Internet address
More Examples of PHI
– Fingerprints or voice prints
– Photographic images
– Research records
– ANY other unique identifying number, characteristic, or code
And More Examples of PHI… Medical records:
– Medical record number
– X-rays
– Lab results
– Test results
– Prescriptions
– Charts
T.A.S. Communications, as a Business Associate, may not use or disclose an individual’s protected health information except as otherwise permitted, or required, by law.
But… T.A.S. Communications MAY use and share a patient’s PHI for:
– Treatment of the patient, including appointment reminders
– Business and management operations
– Disclosures required by law
“Treatment” includes…
– Direct patient care
– Coordination of care
– Consultations
– Referrals to other health care providers
T.A.S. Communications, Inc. must use or share only the minimum amount of PHI necessary, except for:
– requests made by the patient, or disclosures to others requested by the patient
– requests by the Secretary of the Department of Health & Human Services (DHHS)
– disclosures required by law
When Does T.A.S. Communications, Inc. Have to Protect PHI? NOW! NOW! NOW! Privacy Compliance went into effect on February 17th, 2010.
At all times, protect a patient’s information as if it were your own.
– Look at a patient’s PHI only if you need it to perform your job.
– Use a patient’s PHI only if you need it to perform your job.
– Give a patient’s PHI to others only when it’s necessary for them to perform their jobs.
– Talk to others about a patient’s PHI only if it is necessary to perform your job, and do it discreetly.
For Example… A man calls to confirm an appointment time for his wife. What can you do?
– A. You can look up her appointment time and give the information to her husband.
– B. You can ask your supervisor to look into her records for you.
– C. You can tell the man that you can only look at his wife’s medical records if she allows you to do so. Suggest that he have his wife call us to check on her appointment herself, or ask to speak with his wife so she can give authorization for him to receive the information.
Answer: C. Under HIPAA, you are only allowed to use information required to do your job. Since the husband is not the recipient of the service, it is against the law to access the patient record or ask someone to access it on your behalf, even though you may want to be helpful. Keep in mind that people may want to keep their appointments private, even from family members.
Why is protecting privacy and security important?
– We all want our privacy protected when we are patients – it’s the right thing to do.
– Don’t be careless or negligent with PHI in any form.
– HIPAA and Wisconsin law require us to protect a patient’s privacy.
What if there is a breach of confidentiality? Breaches of the policies and procedures or of a patient’s confidentiality must be reported to a supervisor right away. Send an email to Debbie with the following information:
– Date/time of the call
– Account number and name
– The name of the person whose PHI you accidentally disclosed
– What information was disclosed and to whom
…and if a breach is reported, the incident will be thoroughly investigated. T.A.S. Communications is required to report any breach of PHI to the client affected.
Disciplinary Actions
– Internal Disciplinary Actions: individuals who breach the policies will be subject to appropriate discipline.
– Civil Penalties: Business Associates and individuals who violate these standards will be subject to civil liability.
An employee who does not protect a patient’s privacy could lose his or her job!
Penalties are:
– $100 per violation
– $25,000 for an identical violation within one year
– $50,000 for wrongful disclosure
– $100,000 and/or 5 years in prison for wrongful violation for obtaining PHI under false pretenses
– $250,000 and/or 10 years in prison if committed with intent to sell or transfer for commercial advantage, personal gain, or malicious harm (includes obtaining or disclosing)
Protecting Patient Privacy Requires Us to Secure Patient Information
Downloading/Copying/Removing: Employees should not download, copy, or remove from the office any PHI, except when necessary to perform their job.
– For example, printing out a copy of a message ticket containing PHI to send to a client.
Public Viewing/Hearing: PHI should not be left in areas where the information may be accessible to the public. Do not take papers with PHI outside of the office (for example, if you print something out and there is PHI on the reverse side, DO NOT take it with you!).
Treat a patient’s information as if it were your own… T.A.S. Communications, Inc. needs your help in protecting patients’ privacy.
In Review…
– T.A.S. Communications, Inc. is a Business Associate under HIPAA.
– T.A.S. has specific policies relating to HIPAA.
Part 2: HIPAA Security Training Revised 03/16/2010
So, what IS “e-PHI”? e-PHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted by T.A.S. using any type of electronic information resource. Examples: information in an electronic medical record, digital images and print-outs, recordings of calls from patients, and information while it is being sent electronically by T.A.S. to a client.
How do we protect e-PHI?
– Ensure the confidentiality, integrity, and availability of information through safeguards (Information Security).
– Ensure that the information will not be disclosed to unauthorized individuals or processes (Confidentiality).
– Ensure that the information has not been altered or destroyed in an unauthorized manner, and that data is accurately transferred from one system to another (Integrity).
– Ensure that information is accessible and usable upon demand by an authorized person (Availability).
Safeguard #1: Access Controls (Unique User Identification)
– Users are assigned a unique “User ID” for log-in purposes, which limits access to the minimum information needed to do your job.
– Never use anyone else’s log-on, or a computer someone else is logged on to.
– Use of information systems is audited for inappropriate access or use.
– Access is cancelled for terminated employees.
Safeguard #2: Password Protection. T.A.S. Communications requires that:
– All passwords be changed immediately if a breach of a password is suspected.
– Passwords not be inserted into email messages or other forms of electronic communication.
If someone knows your password, he has stolen your identity!
What if I think someone knows my password?
– Notify Barrett and change your password IMMEDIATELY (ask Barrett or a supervisor for assistance).
– Remember: you are responsible for everything that occurs under your T.A.S. login.
Workstation Security Access Controls: Log off or lock your workstation before leaving it unattended. This will prevent other individuals from accessing PHI under your User ID, and limit access by unauthorized users.
Malware – a few bad examples. Viruses…
– are programs that attempt to spread throughout your system and the entire network
– can be prevented by not opening suspicious emails or any attachments on your station here at T.A.S.
Worms… spread without any user action. They take advantage of security holes in the operating system or software package.
Spyware…
– is a class of programs that monitors your computer usage habits and reports them for storage in a marketing database
– is installed without your knowledge while you install another program or browse the Internet
– can open advertising windows
– can be prevented by installing and running an updated spyware scanner
Keystroke Loggers… can be software (programs that log every keystroke typed) or hardware (devices installed between your keyboard and computer).
Remote Access Trojans… allow remote users to connect to your computer without your permission, letting them
– take screenshots of your desktop
– take control of your mouse and keyboard
– access your programs at will
Suspicious Email includes…
– any email you receive with an attachment
– any email from someone whose name you don’t recognize
– phishing
Indications of a tampered account…
– your account is locked when you try to open it
– your password isn’t accepted
– you’re missing data
– your computer settings have mysteriously changed
If you suspect someone has tampered with your account, report it to Barrett.
Signs of Malware are…
– Reduced performance (your computer slows or “freezes”)
– Windows opening by themselves
– Missing data
– Slow network performance
– Unusual toolbars added to your web browser
Contact Barrett if you suspect that your computer has malware installed.
Acceptable Use of Computers
– End users (read “YOU ALL”) are responsible for any violations associated with their User ID.
– Use of the computer system must be consistent with T.A.S.’s goals.
– All computer equipment and electronic data created by it belong to the company.
End users must comply…
– with all Federal and State laws
– with organizational rules and policies
– with terms of computing contracts
– with software licensing rules
And must take reasonable precautions to avoid introducing computer viruses into the network, and must participate and cooperate in the protection of the IT infrastructure.
And thou shall not…
– Engage in any activity that jeopardizes the availability, performance, integrity, or security of the computer system
– Use computing resources wastefully
– Use IT resources for personal gain or commercial activities not related to your job
– Install, copy, or use any software in violation of licensing agreements, copyrights, or contracts
Or…
– Try to access the files or email of others unless authorized by the owner
– Harass, intimidate, or threaten others through e-messages
– Construct a false communication that appears to be from someone else
– Send or forward unsolicited email to lists of people you don’t know
– Send, forward, or reply to email chain letters
– Send out “Reply to all” mass emailings
Or…
– Create or transmit offensive, obscene, or indecent images, data, or other material
– Re-transmit virus hoaxes
Because… Engaging in these activities could result in disciplinary action up to, and including, loss of network access, termination of employment, and civil or criminal liability.
Security Incidents and e-PHI (HIPAA’s Final Security Rule): A “Security Incident” is “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” [45 CFR 164.304]
Reporting Security Incidents / Breaches: You are required to respond to security incidents and security breaches, and report them to:
– Debbie
Security Reminders!
– Password-protect your computers and devices.
– Log out or lock your workstation when you are away from your desk.
– Keep offices secured.
Security Reminders! Good security standards follow the “90 / 10” Rule:
– 10% of security safeguards are technical.
– 90% of security safeguards rely on the computer user (“YOU”) adhering to good computing practices.
Example: The lock on the door is the 10%. Your responsibility is the 90%: remembering to lock it, checking to see that it is closed, ensuring others do not prop the door open, and keeping control of keys. The 10% of security is worthless without YOU!
Part 3: Health Information Technology for Economic and Clinical Health Act (HITECH) Revised 03/16/2010
HITECH – Overview
– HITECH is a part of the American Recovery and Reinvestment Act (ARRA) of 2009.
– It is a federal law that affects the healthcare industry.
– ARRA allocated ~$20 billion to health information technology projects, expanded the reach of HIPAA by extending certain obligations to business associates, and imposed a nationwide security breach notification law.
HITECH – Breach Notification Provisions. One of the biggest changes in HITECH is the inclusion of a federal breach notification law for health information.
– Many states, including WI, have data breach laws that require entities to notify individuals.
– State laws typically only pertain to personal information (which does not necessarily include medical information).
HITECH – Breach Notification Provisions. All employees of T.A.S. Communications, Inc. must be trained to ensure they are aware of the importance of timely reporting of privacy and security incidents and of the consequences of failing to do so. If you suspect a breach, you MUST report it immediately to Debbie.
HITECH – Breach Notification Provisions. The law applies to breaches of “unsecured protected health information”. Protected Health Information (PHI):
– Relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or payment for care provided to an individual.
– Is transmitted or maintained in any form (electronic, paper, or oral representation).
– Identifies, or can be used to identify, the individual.
Examples of PHI include:
– Health information with identifiers, such as name, address, name of employer, telephone number, or SSN
– Medical records, including medical record number, x-rays, lab or test results, prescriptions or charts
HITECH – What Constitutes a Breach. Definition of “Breach”:
1. Was there an impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule? Examples include:
– A computer containing PHI is stolen.
– A person who is not authorized to access PHI looks through client messages in order to learn of a patient’s treatment.
– An agent gives appointment information to someone other than the patient.
– An agent tells a family member that a patient called in to the call center to speak with their therapist.
– An agent allows a person who is not an employee into the board room, and this person overhears an employee discussing PHI with a client.
HITECH – What Constitutes a Breach.
2. Did the impermissible use or disclosure under the HIPAA Privacy Rule compromise the security or privacy of the PHI? Is there a significant risk of financial, reputational or other harm to the individual whose PHI was used or disclosed?
– If the nature of the PHI does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach. For example, if a business associate improperly discloses PHI that merely included the name of an individual and the fact that he received services from a hospital, this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program), or if the PHI includes information that increases the risk of identity theft (such as a social security number, account number, or mother’s maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information.
T.A.S. is responsible for conducting the risk assessment, which should be fact specific.
HITECH – Breach Notification Obligations. If a breach has occurred, T.A.S. will be responsible for providing notice to:
– The affected client(s), without unreasonable delay and in no event later than 60 days from the date of discovery. A breach is considered discovered when the incident becomes known, not when the covered entity or Business Associate concludes the analysis of whether the facts constitute a Breach.
HITECH – Reporting Breaches. Breaches of unsecured PHI (which can include information in any form or medium, including electronic, paper, or oral form) or of any of T.A.S.’s HIPAA policies and procedures must be reported to a supervisor immediately. If a breach is reported, the incident will be thoroughly investigated. T.A.S. Communications, Inc., as a Business Associate, is required to provide notification to the Covered Entity if a breach has occurred.
Disciplinary Actions
– Internal Disciplinary Actions: individuals who breach the policies will be subject to appropriate discipline.
– Civil Penalties: Business Associates and individuals who violate these standards may be subject to civil liability.
Tiered Civil Penalties (per violation, with the annual cap for violating the same requirement in parentheses)
– Entity did not know (even with reasonable diligence): minimum $100 per violation ($25,000 per year for violating the same requirement); maximum $50,000 per violation ($1.5 million annually)
– Reasonable cause, not willful neglect: minimum $1,000 ($100,000); maximum $50,000 ($1.5 million)
– Willful neglect, but corrected within 30 days: minimum $10,000 ($250,000); maximum $50,000 ($1.5 million)
– Willful neglect, not corrected: minimum $50,000 ($1.5 million); maximum: none
Disciplinary Actions An employee who does not report a breach in accordance with the policies and procedures could lose his or her job.
Employee Obligations
– Do not disclose PHI without patient authorization.
– If you have questions about whether a disclosure is permitted, ask your supervisor.
– If you think there has been an unauthorized disclosure of PHI, let a supervisor know immediately.
– Never remove PHI from the premises.
Quiz Time! Ask a supervisor for the multiple choice quiz!