1 TRAINING MODULE: The Health Insurance Portability and Accountability Act: Privacy and Security Rules

2 The Purpose of this Training Module
As employees involved in Human Resources, it is imperative that we understand and apply the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA). These rules require that employees who may have access to Protected Health Information (PHI) be trained on the HIPAA Privacy and Security policies and procedures. The ACWA/JPIA has made this module available to meet the training needs of employers and employees.

3 Course Objectives
As an employee who has been identified as having access to PHI, at completion of this Training Module you will be able to:
- Describe the basic HIPAA rules regarding the use, transmission, security and privacy of health care data;
- Recognize what information HIPAA protects and know how to manage it in accordance with the HIPAA regulations; and
- Manage and limit the risk associated with the improper disclosure of PHI.

4 Quiz Instructions
To complete this module, proceed as follows:
- This training module contains five Lessons. Read the information provided in each Lesson, clicking the arrow at the bottom right of the slide to move forward.
- At the end of each Lesson there is a quiz. Click the answer you believe is correct to move forward.
- At the end of this module is a printable Certificate of Completion. Print, sign and return this Certificate to Human Resources.

5 LESSON ONE: What is Protected Health Information and How Do You Recognize It?

6 Definition of Key Terms
Protected Health Information (PHI): Individually identifiable health information (past, present or future), including payment or treatment history, created or received by a Health Plan, Health Care Provider or Clearinghouse. PHI includes information held or transmitted on paper, orally, or by electronic media.
Covered Entities (in our world: the Group Health Plan): Health Plans, Health Care Providers and Health Care Clearinghouses.
Summary Health Information: Claims or utilization data aggregated with the identifiers removed (e.g. 3,100 hospital days used in March). A plan may give it to the plan sponsor for limited purposes such as obtaining premium bids or modifying the plan.
De-identified Information: Health information from which the identifying data elements have been removed, such as name, address, phone/fax numbers, email address, SSN, medical record number, etc. Note that HIPAA's safe-harbor method requires removal of all 18 listed identifier types (including full dates and most of the ZIP code), not just the obvious ones; information that can still reasonably be linked back to a person is still PHI.

7 Definition of Key Terms (cont'd)
Health Plans: Medical, dental, vision plans, etc., whether insured or self-insured.
Health Care Providers: Doctors, hospitals, etc.
Health Care Clearinghouse: An entity that processes health information between non-standard and standard formats, such as a billing service or repricing company. Note that a third-party administrator (TPA) that simply administers the plan's claims is normally a Business Associate of the plan rather than a clearinghouse (see the next slide).
Treatment, Payment and Health Care Operations (TPO), the three purposes for which a Covered Entity may use PHI without authorization:
- Treatment (by Providers);
- Payment (claims processing, e.g. by TPAs); and
- Health Care Operations (administration, quality assessment, audits, etc.).

8 Definition of Key Terms (cont'd)
Business Associates: Brokers, benefits consultants, TPAs, actuaries, attorneys, CPAs, etc. who create, receive, maintain or transmit PHI on behalf of the plan.
Employer/Plan Sponsor: NEITHER a Covered Entity NOR a Business Associate. (Employees who administer the group health plan, such as HR staff, handle PHI on the plan's behalf, which is why this training applies to them.)
Electronic Media:
- Storage media: hard drives, tapes, discs, flash drives and other removable media; and
- Transmission media: Internet, intranet, extranet, leased lines, dial-up lines, LANs, private networks;
- BUT NOT: paper-to-paper faxes or voice telephone calls and voicemail, because the information did not exist in electronic form before it was transmitted. (Such information is still PHI; it is just not electronic PHI under the Security Rule.)

9 Examples of PHI
- Claims experience reports with names, social security numbers, diagnoses, etc.;
- Explanations of Benefits (EOBs);
- Physician/hospital bills for services rendered to a Plan Participant;
- Verbal or written information on an individual's claim or treatment; and
- Medical, dental, vision or mental health files and records.
A word about census data: if it is by name or otherwise individualized, it is technically PHI. However, the Privacy Rule does not apply if the data is held and used by the employer for employment-related activities.

10 What Information is NOT PHI
Not everything with medical information is protected by HIPAA's Rules. Here are some examples of what is NOT protected:
- Information required for Workers' Compensation, Fit for Duty, Return to Work, HSAs, or any information related to employment (employment records held by the employer are excluded from PHI; note, however, that a health FSA is itself a group health plan, so claim information inside it is PHI of that plan);
- Rules on eligibility for benefits coverage (waiting periods, benefits offered to different classes of employees, contribution information);
- Plan design questions; and
- Summary health information (de-identified data, aggregated claims experience, etc.).
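The distinction drawn on slides 6 and 10 (PHI versus de-identified and summary health information) is easier to see in code. The following Go program is an added example, not part of the ACWA/JPIA module: it takes constructed claims rows, strips the identifier fields the slide names, aggregates hospital days per month into the kind of summary health information a plan sponsor may receive, and flags months with too few claims to release safely. The record layout, field names and the small-cell threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// ClaimRecord is a constructed, simplified claims-experience row of the kind a
// TPA might send the plan. Field names are assumptions made for this example.
type ClaimRecord struct {
	Name         string
	SSN          string
	Email        string
	Phone        string
	Address      string
	MedRecordNo  string
	DOB          string // full date of birth is an identifier and is dropped
	ZIP5         string // 5-digit ZIP may be retained in summary health information
	ServiceMonth string // "2023-03"
	HospitalDays int
	Diagnosis    string
	PaidAmount   float64
}

// DeidentifiedRecord holds what is left once every field that points at a person
// has been removed. The type has no identifier fields, so a record of this type
// cannot carry a name or SSN by accident.
type DeidentifiedRecord struct {
	ServiceMonth string
	HospitalDays int
	Diagnosis    string
	PaidAmount   float64
	ZIP5         string
}

// Deidentify copies only the non-identifying fields. It drops the identifiers the
// slide lists (name, address, phone/fax, email, SSN, medical record number) plus
// the full birth date. Caveat: HIPAA's safe-harbor method requires all 18
// identifier categories to be removed; this mirrors the slide's shorter list.
func Deidentify(recs []ClaimRecord) []DeidentifiedRecord {
	out := make([]DeidentifiedRecord, 0, len(recs))
	for _, r := range recs {
		out = append(out, DeidentifiedRecord{
			ServiceMonth: r.ServiceMonth,
			HospitalDays: r.HospitalDays,
			Diagnosis:    r.Diagnosis,
			PaidAmount:   r.PaidAmount,
			ZIP5:         r.ZIP5,
		})
	}
	return out
}

// SummarizeHospitalDays aggregates utilization per month: the "3,100 hospital
// days used in March" style of summary health information a plan sponsor may see.
func SummarizeHospitalDays(recs []DeidentifiedRecord) map[string]int {
	totals := map[string]int{}
	for _, r := range recs {
		totals[r.ServiceMonth] += r.HospitalDays
	}
	return totals
}

// SmallCells returns months whose record count is below minClaims. An aggregate
// built from one or two people can still single them out, so a practitioner
// suppresses such cells before releasing the summary. The threshold is an assumption.
func SmallCells(recs []DeidentifiedRecord, minClaims int) []string {
	counts := map[string]int{}
	for _, r := range recs {
		counts[r.ServiceMonth]++
	}
	var small []string
	for month, n := range counts {
		if n < minClaims {
			small = append(small, month)
		}
	}
	sort.Strings(small)
	return small
}

// SampleClaims is constructed sample input; the people and values are invented.
func SampleClaims() []ClaimRecord {
	return []ClaimRecord{
		{Name: "Maria Example", SSN: "123-45-6789", Email: "maria@example.org", Phone: "555-0100",
			Address: "1 Main St", MedRecordNo: "MRN-001", DOB: "1980-02-14", ZIP5: "95814",
			ServiceMonth: "2023-03", HospitalDays: 4, Diagnosis: "J18.9", PaidAmount: 12000},
		{Name: "John Example", SSN: "987-65-4321", Email: "john@example.org", Phone: "555-0101",
			Address: "2 Main St", MedRecordNo: "MRN-002", DOB: "1975-07-01", ZIP5: "95814",
			ServiceMonth: "2023-03", HospitalDays: 5, Diagnosis: "S72.0", PaidAmount: 30000},
		{Name: "Edna Example", SSN: "111-22-3333", Email: "edna@example.org", Phone: "555-0102",
			Address: "3 Main St", MedRecordNo: "MRN-003", DOB: "1990-12-30", ZIP5: "95816",
			ServiceMonth: "2023-04", HospitalDays: 2, Diagnosis: "K35.8", PaidAmount: 8000},
	}
}

func main() {
	deid := Deidentify(SampleClaims())
	for month, days := range SummarizeHospitalDays(deid) {
		fmt.Printf("%s: %d hospital days\n", month, days)
	}
	fmt.Println("months too small to release:", SmallCells(deid, 2))
}
```

The output struct has no identifier fields, so the compiler rather than a reviewer guarantees that nothing personal survives the copy. The small-cell check is the part the slide does not mention: a monthly total built from a single claim is "aggregated" in form but still points at one participant, so it should be suppressed before the summary leaves the plan.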

11 Lesson One Quiz. Which one of these is PHI?
1. A birthday card to individual staff members from Human Resources.
2. Human Resources notifies HR staff that Edna is sick and would love some home-cooked meals.
3. A Kaiser nurse tells a friend that Brad Pitt is her patient.
4. Human Resources tells an employee that the plan covers in vitro fertilization.

12 Answer Explanation, Lesson One
Answer 3 is PHI: Kaiser is a Covered Entity (a health care provider and a health plan), and the fact that Brad is receiving treatment there is PHI.
Answers 1, 2 and 4 are not PHI:
1. The birth date is information the employer uses for employment reasons; it did not come from the group health plan.
2. With Edna, you can presume she authorized the request for home-cooked meals, and HR did not disclose the illness. Not a good practice, though.
4. Plan design information is not PHI.

13 LESSON TWO: The Patient's Right to Privacy

14 Patients' Rights
1. Right to access their PHI;
2. Right to request restrictions on PHI disclosures (e.g. to family members);
3. Right to request that PHI be communicated in a confidential manner (e.g. to an alternate address or by secure email);
4. Right to inspect and copy their PHI (psychotherapy notes are excepted);
5. Right to request an amendment (e.g. add an explanation, correct an error); and
6. Right to an accounting of disclosures of their PHI (disclosures made for treatment, payment and health care operations are excluded from the accounting).

15 The Patient's Right to Privacy
The patient's right to privacy of health information is absolute: ALMOST. The health care industry would come to a grinding halt unless there were exceptions to this right. The usual rule is that the patient's or plan participant's written authorization is required to use or release this information to third parties. Users must have written authorization unless the use or release of the information falls under one of the exceptions specified in the HIPAA Rules.

16 The Patient's Right to Privacy (cont'd)
The HIPAA Rules allow the release or use of PHI without authorization under the following circumstances:
Covered Entities (e.g. the Group Health Plan): Covered Entities do not need authorization as long as the PHI is used for treatment, payment or health care operations.
When required or otherwise permitted by law, for example:
- A Public Health Authority investigating disease, injury or death;
- Reports concerning victims of abuse, neglect or domestic violence;
- The Food and Drug Administration investigating adverse events and drug interactions; or
- Law enforcement, judicial and administrative proceedings (subject to the specific conditions in the Rules, e.g. a court order, subpoena or other lawful process).

17 When Used By Business Associates
Business Associates of Covered Entities include auditors, lawyers, consultants, data collection organizations and billing firms, or others with whom the Covered Entity has agreements involving the use of PHI. PHI may be disclosed to Business Associates for purposes of:
- Processing claims, billing, or analyzing data;
- Performing benefit management services; and
- Providing legal, actuarial or accounting services.
HIPAA requires a Business Associate Agreement between the Plan (as Covered Entity) and each Business Associate before PHI is shared. The agreement must limit the Business Associate to the permitted uses, require it to safeguard the PHI, and require it to report any impermissible use, disclosure or breach back to the Plan.

18 Plans Must Disclose How They Intend to Use PHI: Notice of Privacy Practices (NOPP)
A Covered Entity must give plan participants a NOPP before using or disclosing their PHI. A health plan provides the notice at enrollment, within 60 days of any material revision, and reminds participants at least every three years that the notice is available. (The good-faith effort to obtain a written acknowledgment of receipt applies to health care providers with a direct treatment relationship, not to health plans.) The NOPP must inform the plan participants of:
- The uses and disclosures of PHI that the Covered Entity may make;
- The individual's rights, including the right to access and amend their medical information; and
- The Covered Entity's responsibilities with respect to PHI.

19 Lesson Two Quiz, Q-1. A visitor comes to Human Resources and identifies herself as Charlie's lawyer, Ima Shyster. You received a call from Charlie (you think) telling you that "Ima" will be coming by and asking whether you can release Charlie's PHI to Ima. Do you release Charlie's PHI?
1. NO, do not release the PHI to Ms. Shyster.
2. YES, release the PHI.

20 Answer Explanation, Lesson Two Q-1
No. You cannot give Charlie's PHI to Ms. Shyster until Charlie gives you a signed written authorization. When releasing information to third parties, the Plan must have written authorization. A phone call is not good enough, even if you think you recognize Charlie's voice: a caller's identity cannot be verified that way, and a confident caller followed by a visitor is a standard way of talking HR staff out of records.

21 Lesson Two Quiz, Q-2. You are having lunch with a co-worker who tells you that John, another employee, fell in the office yesterday. She asks you if he was injured. What can you say to her?
1. This would be a Workers' Comp claim if he was hurt.
2. An ambulance took him to the hospital.
3. This is the second time John has fallen at work.
4. All of the above.
5. None of the above.

22 Answer Explanation, Lesson Two Q-2
Answer 4: statements 1, 2 and 3 are all permitted.
1. OK, since the HIPAA Privacy Rule does not apply to Workers' Comp claims (they are employment related).
2. OK, since an ambulance arriving at the office is something observed at the workplace, not information created or received by the group health plan, and it discloses no treatment.
3. OK, since the first fall was also a Workers' Comp matter (no disclosure of injury or treatment).
Even so, discussing a co-worker's health at lunch is poor practice; HIPAA is not the only reason to be discreet.

23 Lesson Two Quiz, Q-3. An adult patient was transferred from a hospital to a skilled nursing facility for long-term care. Prior to transfer, the hospital social worker called Adult Protective Services (APS) with a concern that family members were neglecting the patient and using the patient's money for their own benefit. APS then came to our facility asking to review the patient's medical record. Do we need written permission to release the medical records?
1. NO, let APS review the patient's medical record.
2. YES, get written permission.

24 Answer Explanation, Lesson Two Q-3
No. APS and Child Protective Services have authority under state law to obtain the information they need to investigate cases under their jurisdiction, and HIPAA permits disclosures about victims of abuse or neglect to such agencies. Because APS has an open investigation in this case, the caseworker has legal authority to review the patient's medical record or obtain copies without authorization from the patient or the patient's legal representative. Before releasing anything, verify the caseworker's identity and agency credentials, and record the disclosure so that it appears in the patient's accounting of disclosures.

25 LESSON THREE: As Someone Who May Handle or Even Create PHI, What Must You Do to Make the Information Secure?

26 Physical Safeguards Implementation
The Security Rule requires a number of physical measures to ensure that PHI contained on computers is protected from fire and environmental hazards, as well as from intrusion. Work areas that hold PHI (such as cubicles or examination rooms) must be treated as secure areas:
- Lock file cabinets;
- Protect data (such as records on laptops) while traveling;
- Maintain records of what data is stored and where; and
- Dispose of PHI, when permitted, in a way that makes it unreadable (shredding paper, wiping or destroying media).

27 Electronic (Technical) Safeguards Implementation
The Security Rule also requires the following technical safeguards for electronic PHI:
- Require password protection, with a unique user ID for each person so that activity can be traced;
- Limit login capabilities (access only to what the role needs, automatic logoff on idle workstations);
- Lock media up when not in use;
- Protect data against malicious software; and
- Implement a data backup plan.
Encrypting PHI at rest and in transit is an addressable standard under the Security Rule; it is also what makes lost media "secured" under HITECH (see Lesson Four).

28 Administrative Safeguards Implementation
Administrative Safeguards include the development, implementation and monitoring of policies and procedures designed to prevent, detect, contain and correct security violations:
- Conduct a risk analysis, then security awareness and training;
- Conduct audits on the use and storage of media;
- Assure minimum necessary disclosures; and
- Test procedures and revise as needed, including with subcontractors.

29 Lesson Three Quiz, Q-1. You are working late. You notice a janitor cleaning the next office. He's been there a while and a file drawer is open. What should you do?
1. Go to the room, determine if the drawer may contain PHI, and if so, secure the file drawer.
2. Dismiss it as no big deal.
3. Tell the Privacy/Security Officer the next time you see him or her.
4. Call the Privacy/Security Officer at your first opportunity if a breach is suspected.
5. Both Answers 1 and 4.

30 Answer Explanation, Lesson Three Q-1
5 is correct. Inspect the area for a possible breach of PHI and secure the drawer if needed, then call the Privacy/Security Officer at your first opportunity if a breach is suspected. Answers 1 to 4 are incomplete or wrong on their own:
1. Make a preliminary identification of the drawer's contents (a drawer full of coffee mugs doesn't need to be reported as a possible breach), but don't stop there.
2. You cannot just dismiss the incident. Some investigation is necessary.
3. You can't wait until you run into the Privacy Officer at lunch. There is urgency, and you have a duty to mitigate a possible breach.
4. Reporting is necessary but not sufficient; common sense dictates that you also investigate the open drawer and secure it.

31 Lesson Three Quiz, Q-2. You are assisting a plan participant, Maria, to resolve a claims problem. You have taken notes, received copies of medical records, and it's time for lunch. Should you:
1. Take Maria's records with you to lunch.
2. Destroy the records.
3. Turn the documents upside down and go to lunch.
4. Leave the records in the back seat of your car.
5. Lock the records in your desk.

32 Answer Explanation, Lesson Three Q-2
5 is OK. By putting the records in your locked desk, you have protected the PHI. Answers 1 to 4 are incorrect:
1. Bringing the PHI into a public place is not a good idea. You must protect and secure the PHI.
2. There is no need to destroy the records. You may not be done with the matter.
3. Leaving PHI available on a desktop, even upside down, could leave the information vulnerable to a breach.
4. A parked car is not a secure location; records left in a vehicle are exposed to theft, and a stolen paper file is unsecured PHI.

33 Lesson Three Quiz, Q-3. You have saved the notes and documents regarding Maria's claim problem on a flash drive. Is the PHI secure if you:
1. Lock it up with other PHI at the office.
2. Keep the flash drive in your purse or briefcase.
3. Store the flash drive in your unlocked desk drawer with other office supplies.
4. Keep it at home on your desk where no other employees can access it.

34 Answer Explanation, Lesson Three Q-3
Answer 1 is correct. As this PHI is unencrypted and not in current use, it should be kept locked up at the office with other PHI. (Had the drive been encrypted with a key kept elsewhere, its loss would not expose unsecured PHI, which is why encrypting portable media is the better practice.) The Security Officer should periodically purge PHI that is no longer needed. Answers 2, 3 and 4 are incorrect:
2. A purse or briefcase is not necessarily a secure location. Purses and unlocked briefcases may be stolen or easily accessed.
3. A flash drive sitting in an unlocked drawer, even though not in an openly recognizable format, is very easily accessed.
4. Storing PHI at home is never a good idea, especially when it is not locked up. This is unsecured PHI.

35 Lesson Three Quiz, Q-4. The General Manager asks you about Maria's problem. What should you do?
1. Stonewall the GM.
2. Respond by saying you are helping her with a health claim and, as such, you can't go into detail without violating your HIPAA obligations.
3. Disclose the minimum necessary PHI.
4. Disclose just enough to make the GM go away.

36 Answer Explanation, Lesson Three Q-4
Answer 2 is correct. It's OK to provide non-PHI such as "I am helping her get a medical claim adjudicated properly." Answers 1, 3 and 4 are incorrect:
1. Stonewalling is probably not a good idea. You might create a performance problem for yourself.
3. The "minimum necessary" standard only limits how much PHI may be shared in a disclosure that is otherwise permitted. The GM has no role in treatment, payment or plan operations, so no disclosure to the GM is permitted at all, not even a little bit.
4. Same as Answer 3: you cannot disclose even a little bit of PHI.

37 LESSON FOUR: Procedures in the Event of a PHI Breach

38 Procedures in the Event of a PHI Breach
The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted by Congress in 2009 as part of the American Recovery and Reinvestment Act, sets the federal standards for what one must do in the event of a breach that exposes PHI:
- Comply with all the Rules promulgated for breach notification;
- Encrypt or destroy PHI so that there is no "unsecured PHI" to lose; and
- Cooperate with the HHS Office for Civil Rights (OCR) in any investigation.

39 HITECH Definitions
Secured PHI: PHI that is rendered unusable, unreadable, or indecipherable to unauthorized persons, in practice by encryption (for electronic PHI) or by destruction (shredding paper, wiping or destroying media) consistent with the HHS guidance.
Unsecured PHI: PHI in any form (on paper, in use, transferred internally, or even redacted or aggregated but not fully de-identified) that has not been secured as above.
Breach: An impermissible use or disclosure of unsecured PHI that compromises its security or privacy. As originally written, the test was whether the information was (1) not encrypted or fully destroyed, (2) used or disclosed in an unauthorized manner, and (3) posed a risk of financial, reputational or other harm to the individual. Since the 2013 Omnibus Rule, any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised.

40 Breach Exceptions
HITECH includes three exceptions to the definition of "breach": situations where a violation of the Privacy Rule has occurred, but the violation is not considered a breach. These exceptions are:
1. An unintentional acquisition, access or use of PHI by a workforce member or Business Associate, made in good faith and within the scope of authority, that does not result in further impermissible use or disclosure;
2. An inadvertent disclosure between two persons who are both authorized to access PHI at the same Covered Entity or Business Associate, that does not result in further impermissible use or disclosure; or
3. A disclosure where the Covered Entity has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.
Whether an exception applies should be determined by the Privacy Officer or HITECH Security Officer when a possible breach is reported, and the determination must be documented.

41 Notice Requirements for Covered Entities after a Breach Occurs
The HITECH Breach Notification Rule requires Covered Entities to provide:
- Notice to all affected individuals without unreasonable delay and in no case later than 60 calendar days from the date the breach is discovered (the clock starts when the breach is, or reasonably should have been, known, not when the investigation ends);
- Written notice by first-class mail to the individual (or by email if the individual has agreed to electronic notice); and
- If the individual is deceased, notice to the next of kin or personal representative, if their address is known.
If the breach involves 500 or more individuals:
- Notify prominent media outlets serving the State or jurisdiction when more than 500 of its residents are affected; and
- Notify the Department of Health and Human Services (HHS) at the same time as the individuals.
Breaches involving fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.

42 Lesson Four Quiz, Q-1. You work from home. You bring paper files home following proper office safeguards. The dog ate them! Actually, you hope the dog ate them, because you can't find them anywhere. What is your first obligation?
1. Follow the dog closely when he goes outside.
2. Find a new job.
3. See if you can reproduce the lost files for the office.
4. Continue your search, but call your Supervisor immediately.
5. Wait 30 days to tell your Supervisor in case you find them; the HITECH Rules give you 60 days.

43 Answer Explanation, Lesson Four Q-1
4 is OK. You must continue your search and call your Supervisor. These are your priorities. Answers 1, 2, 3 and 5 are incorrect. The HITECH regulations require you to mitigate any potential breach, and the 60-day notification period runs from discovery, so waiting 30 days to report only eats into the time the Plan has to investigate and notify. You have a major duty to investigate:
- Did someone break into your car?
- Was the housekeeper or au pair around when you got home?
- Did the file get buried in the mail you just picked up?

44 Lesson Four Quiz, Q-2. If a breach of PHI is identified, which of the following is correct procedure?
1. If the breach involves 500 or more individuals, you must notify the media.
2. Notify all affected individuals within 90 days.
3. Notification can be made by bulk mailing to affected individuals.
4. Wait to see if a possible breach is reported by more than one person.

45 Answer Explanation, Lesson Four Q-2
Answer 1 is correct. For large breaches, Covered Entities must inform the public through the media. Answers 2, 3 and 4 are incorrect:
2. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery.
3. Notification must be sent individually by first-class mail to each affected individual (or by email where the individual has agreed).
4. Once a possible breach is reported, whether by one person or several, it must be investigated.

46 LESSON FIVE: What Are the Penalties for Failure to Comply with HIPAA's Rules?

47 HIPAA Compliance and Enforcement
It is important to note that failure to comply with the Privacy or Security Rule not only can lead to significant disciplinary action but also can lead to considerable financial and other types of penalties and fines. HITECH increased the civil penalty amounts, which are tiered by the type of violation; the dollar amounts are now adjusted periodically for inflation, so the figures on the next slides are the statutory baseline.

48 Civil Penalties for Noncompliance
No Knowledge: Where a person does not know (and by exercising reasonable diligence would not have known) of a violation, the minimum penalty is $100 per violation, with a cap of $25,000 for identical violations during a calendar year.
Reasonable Cause: Where a violation is due to "reasonable cause" and not to willful neglect, the minimum penalty is $1,000 per violation, with a cap of $100,000 for identical violations during a calendar year.
The maximum penalty allowed for "no knowledge" or "reasonable cause" violations is $50,000 per violation, with a cap of $1.5 million for identical violations during a calendar year.

49 Civil Penalties for Noncompliance (cont'd)
Willful Neglect: Where a violation is due to "willful neglect" but is corrected within 30 days of when the person knew (or should have known) of it, the minimum penalty is $10,000 per violation, with a cap of $250,000 for identical violations during a calendar year.
If the willful neglect violation is not corrected within 30 days, the minimum penalty increases to $50,000 per violation, with a cap of $1.5 million for identical violations during a calendar year. Separate criminal penalties apply to knowingly obtaining or disclosing PHI in violation of HIPAA.

50 Lesson Five Quiz, Q-1. An external disk drive containing the eligibility list and related PHI of the group health plan is discovered missing. You observe an unauthorized individual leaving the building. What should you do next?
1. Call the Security Officer.
2. Call security.
3. Take down the individual's license plate number and call the police.
4. Answer 1 or 2, based on the situation.

51 Answer Explanation, Lesson Five Q-1
4 is OK. You must mitigate when the circumstances allow it. Answers 1, 2 and 3 are incomplete on their own:
1. If it is clear that the event is over, then this is the correct answer: call the Security Officer.
2. On the other hand, if you think you see the perpetrator walking through the office, you have a duty to take steps to mitigate the loss: call security.
3. Leave identification of the individual to security; they are trained for it.
Whether or not the drive is recovered, its loss must still be reported to the Security Officer so that the breach assessment (was the drive encrypted? whose data was on it?) can start.

52 Lesson Five Quiz, Q-2. As a part of your job, you've been asked to study and report on the frequency of cancer claims filed under the group health plan in the last three years. You obtained and printed out information from encrypted records provided by the TPA. You have now completed the project and have no apparent need for the data. What should you do next?
1. Take the print version and the report in hard copy, two-hole punch them, and put them in your research files (locked file cabinet).
2. Keep the encrypted data pending your Supervisor's approval to destroy it.
3. Destroy it now. You can always retrieve the basic data from the TPA.
4. Put it in the paper recycling bin.

53 Answer Explanation, Lesson Five Q-2
Answer 2 is correct. If the data is encrypted, it meets the HITECH standard for secured PHI. You can destroy it, but we suggest you wait until you know the project is complete. The printout is another matter: paper is never secured by encryption, so once it is no longer needed it should be cross-cut shredded, not filed or recycled. Answers 1, 3 and 4 are incorrect:
1. There is no need to give the hard copy of the underlying data a long life, and there is no need to keep the report in hard copy either. A locked file cabinet is not always locked.
3. If you destroy the data and then need to modify your report, you will need to retrieve the data again, decrypt it, use it, and re-encrypt it. Leaving your report encrypted until you know the project is complete avoids the additional steps and the re-creation of an unencrypted record.
4. Even if your paper report will be destroyed at some point, it is available to "dumpster divers" in the meantime.

54 FINAL STEPS: Completing This HIPAA Training

55 Identify All Employees Needing This Training
If you are a Supervisor:
- Assure that training gets extended to your staff.
- Establish inspection teams to identify deficiencies.
- Your Security Officer can provide checklists and FAQs to assist in ongoing compliance.
- Develop alternative training materials and methods.
- Make sure that you and your staff receive periodic refresher training.

56 Where to Get Help
- The Human Resources Manager
- The Security Officer
- The HITECH Security Officer

57 Certificate of Completion
Print and complete the Certificate of Completion provided with this Training:
- Print your name, fill in the date, and sign the Certificate.
- Take the completed Certificate to Human Resources.
You are done!
