
Page 1
Introduction to the HIPAA Information Privacy and Security Rule 2012 Update
“What is it, and how does it affect me?”
CPC Multi-Specialty Group




Page 2
- The misspelling of the name of a large animal often seen at the zoo?
- A secret code word meaning “Let’s go nuts and drive ourselves crazy”!
- A new set of Federal Regulations which health care facilities had to comply with beginning on April 14, 2003

Page 3
- Health Insurance Portability and Accountability Act of 1996
- One set of Federal Health Care regulations with many parts:
  ◦ Insurance Portability
  ◦ Privacy
  ◦ Security

Page 4
- Before you look at any patient health information (PHI), ask yourself, “Do I need to know this to do my job?”
- Follow CPC’s procedures for disposing of patient medical and financial information
- Tell your supervisor if you see patient information in an open trash container

Page 5
Protected Health Information (PHI): information related to any healthcare provided to a person. This includes demographic information that can be used to identify the patient. Information that can be used in some manner to identify the person (e.g. a social security number) is also considered PHI.

Page 6
- Tornado, Hurricane, Flood, and Tsunami
- Credit Card and Identity Theft
- Accusations of Falsified Records

Page 7
Under the HIPAA Privacy Regulations, patients have the right to:
- Receive the Notice of Privacy Practices
- Request an amendment to their PHI (Protected Health Information)
- Inspect and request a copy of their PHI
- Know to whom their information is being disclosed in certain situations
- Request restrictions on use and disclosure of their PHI
- Request confidential communications of their PHI

Page 8
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted under the Privacy Rule.
- Ensure compliance by the CPC workforce.

Page 9
- Integrity: PHI or EPHI is not altered or destroyed in an unauthorized manner.
- Availability: PHI or EPHI can be accessed as needed by an authorized person.
- Confidentiality: PHI or EPHI is accessible only by authorized people and processes when needed.
Remember: it is a “Need to Know”… not a “Curious as to what happened”.

Page 10
The HIPAA information security standards have four primary areas of focus:
- Administrative Safeguards: steps taken to manage and oversee security processes and promote compliance with the HIPAA Security Rules
- Physical Safeguards: the actual hands-on access to computer hardware, restricted areas, and CPC facilities
- Technical Safeguards: processes to identify the level of access and type of information individuals are permitted to open and see on the computer systems
- Documentation Requirements: policies and procedures that are put in place to support the Security Requirements

Page 11
- Assigned a privacy officer/privacy manager
- Developed written policies and procedures for employees to follow
- Provided privacy training to all employees
- Provided a way for patients and others to file complaints
- Provided discipline for employees who don’t follow the privacy practices

Page 12
The Notice of Privacy Practices contains:
- An explanation to our patients of how their Health Information is used and disclosed
- An explanation of patient rights as defined by the HIPAA privacy regulations
The Notice of Privacy Practices is:
- Available in a paper copy
- On the CPC web site

Page 13
- Provide a copy of the privacy notice to all patients
- Allow the patient an opportunity to ask any questions he or she may have
- Obtain the patient’s acknowledgement of receipt of the privacy notice
- Retain the acknowledgement of the privacy notice
- In an emergency, we document the reason and give the patient a copy of the notice at a later time

Page 14
- Treatment
- Payment
- Healthcare Operations

Page 15
- Communication between health care providers for the purposes of treatment:
  ◦ Between physicians and nurses
  ◦ Between facilities
  ◦ Between the facility and other providers, including physicians
- Does not require authorization

Page 16
- Communication between the facility and a payer, usually a health insurance company, to pay for the treatment or services rendered by the facility on behalf of the patient
- Does not require an authorization

Page 17
- Information used to perform certain business functions at CPC:
  ◦ Management and administration
  ◦ Health care insurance contracting
  ◦ Quality management
  ◦ Case management
  ◦ Health care agency oversight
  ◦ Accrediting organizations
- Does not require an authorization

Page 18
- As required by law
- For public health activities as related to victims of abuse, neglect or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes under certain circumstances
- Organ, eye or tissue donation purposes
- Research purposes
- To avert a serious threat to health or safety
- Specialized government functions
- Workers’ compensation

Page 19
- To an attorney
- To schools
- To physicians not treating you during your admission
- To supplemental insurance companies
- To the patient and/or family member
- CPC requires a valid ID from each patient before releasing the records to the patient

Page 20
- Assignment of the HIPAA Information Security Officer and the supporting security team
- Making sure only the appropriate people have access to our systems, applications, and data
- Establishing education requirements for keeping our workforce trained and informed
- Putting methods in place for reporting and tracking security incidents
- Contingency planning to ensure CPC can continue operation in case of an emergency
- Business Associate Agreements

Page 21
The Information Security team includes:
- Chief Compliance & HIPAA Privacy Officer and IT Security Manager: Leah Hassell
- Representation from Administration, Human Resources and CPC Physicians

Page 22
Under HIPAA regulations, we are required to trace who is accessing what records, and at what time, for all our systems containing EPHI.
- To ensure that only the correct people have access to systems, applications and data, user IDs, passwords, and access to systems and software are carefully given and monitored.
- User IDs and application access must be requested by supervisors and managers only.
- When an associate leaves CPC or changes jobs, supervisors must inform the Privacy Team.
Keep system access “Need to Know”!

Page 23
We are also required to keep our workforce trained and informed on HIPAA Privacy and Security and any changes that may come up. You will…
- Be required to annually complete an online refresher course or attend a training session.
- Be trained on any privacy and/or security issues associated with any application software or computer systems you will use in your daily work.
- Receive regular reminders about privacy, confidentiality, viruses, keeping passwords secure, and any attempts to break into CPC systems or software.
Keep aware… don’t read about yourself in the newspaper!

Page 24
As well as having our computer systems monitor any data activities, we also must have a way for our people to report any suspicious activity.
- Call Administration
- Contact any Compliance Team member
Keep us aware… so we don’t read about each other in the newspaper!

Page 25
It is important to ensure CPC can continue operation in the event of an emergency. This means making sure we have:
- Disaster recovery plans for all systems and all facilities
- Backups of all our data and systems
We highly recommend using My Documents as the folder for all your local application files. That will help us implement a new backup methodology that is coming soon. Store your local files in My Documents to help us keep your systems backed up.

Page 26
Cartoon copyrighted by Mark Parisi, printed with permission.

Page 27
- All relationships that we have with vendors, temporary agencies, contractors, etc. that involve the access and/or exchange of EPHI are covered under special documents called Business Associate Agreements (BAA).
- It is very important that these documents be in place for any Business Associates that will be given access to patient information.
- If you are unsure whether a BAA exists, please ask your Operations Manager.
Before you distribute EPHI, make sure it is covered… with a BAA!

Page 28
Facility access deals as much with personal security as it does with system security:
- CPC policy requires that you wear your badge at all times.
- If you are unsure who someone is or why they are in your area… ask. They will be happy to tell you if it is a valid reason.
- Keep doors and closets closed and locked. If you see a door open that shouldn’t be, contact your facility security. Also, keep any filing cabinet locked if it contains PHI.
The best question you can ask to keep us all safe and secure… “May I Help You?”

Page 29
- By now, we are all used to keeping patient charts and printouts away from easy viewing… and now we all use computers to look up a lot of the same information and enter the same data about our patients.
- The same care we take with patient charts is important for electronic systems too!
  ◦ Turning a monitor a bit so it can’t be easily seen by someone standing at the nurses’ station.
  ◦ Putting a printer or fax machine in a different place, so someone can’t walk by and pick up the output.
If it was the patient’s chart, how would I protect it from being seen?

Page 30
- Every CPC employee will be assigned a unique User ID when they are hired.
- It is the supervisor’s duty to determine what system access is needed by the associate, and to apply for it.
- Close your application session to log off when you are done… You don’t want others to enter data using your ID!
- Do not change the default settings for automatic logoff on any PC. These settings are mandatory under HIPAA regulations.
Remember… your User ID is like your unique fingerprint in the system.

Page 31
We are required to ensure all transactions in our systems have not been altered or destroyed by unauthorized means:
- System transactions are logged and can be traced back to the User ID.
- You are responsible for any data changes or deletions made with your User ID.
- Make sure that you log off each terminal when you walk away from it.
Don’t let other users make you responsible for their errors… LOG OUT!

Page 32
The other part of your unique system access is your password. It is very important to keep it secure.
- Never share your password with anyone.
- Never leave your password on your monitor, under your keyboard, in a desk drawer, etc.
- Use the following rules when creating a password. A good password will contain at least:
  ◦ 6 characters (some systems require more)
Passwords are like your ATM PIN… keep them secret.

Page 33
Cartoon copyrighted by Mark Parisi, printed with permission.

Page 34
- Never email EPHI to anyone without explicit directions from your supervisor to do so, and exactly how to send it.
- Use extreme caution when sending EPHI via email internally. Double and triple check the email address to make sure you don’t send it to the wrong person, one without a “need to know”.
Email is a powerful tool. Use it wisely!

Page 35
HIPAA regulations require documentation of policies and procedures for day-to-day operations, along with specifics for any workforce members that access EPHI.
- The primary purpose of the procedures and documentation is to identify how to protect information from improper access, use and disclosure.
- Procedures help associates and other workforce members understand what they can do to protect information and data.
- If you need a copy of your medical records via Intergy, you must come to your manager or Medical Records clerk with a valid picture ID to obtain your records. Do not just print them out of the system.
Policies and Procedures are the keys to Compliance… Keep yourself informed!

Page 36
- Keep your HIPAA Security Team and IT personnel “in the know”.
- Know the required procedure before information can be released, not only to patients, but also to other individuals, entities, and business associates.
- Access only your patient’s records.
- Keep your password secure and hard to guess.
- Be aware of shoulder surfing.
- Log off your computer sessions when not in use.
Only you can prevent unauthorized EPHI exposure!

Page 37
- Go to the medical records clerk at the facility of which you are a patient
- Take your driver’s license or some proof of ID with you
- Ask them for a copy of your medical records

Page 38
- While working on the fourth floor, Snow White noticed that her neighbor Chester Test was walking down the hall in a hospital gown and pushing an IV pole. When she went home later that day, she told her husband that she saw their neighbor on the cancer unit.
- What might be wrong with this situation?

Page 39
- Snow White is waiting in the outpatient clinic. Nurse Jones enters the waiting room and calls out, “Snow White.”
- While still in the waiting room, Nurse Jones asks Snow White, “Have you been taking your Prozac for your depression?”
- What might be wrong with this situation?

Page 40
Cullman Primary Care, P.C.
CONFIDENTIALITY STATEMENT
I, ______________________, understand that in the performance of my duties as an employee of CPC, I am required to have access to and am involved in the processing of patient care or patient care data. I understand that I am obliged to maintain the confidentiality of this data at all times. I understand that a violation of these confidentiality considerations may result in disciplinary action, including termination of my employment.
I certify by my signature that I understand the issues concerning the privacy and confidentiality consideration of patient care.

Page 41
Remember… Security is a chain that is only as strong as its weakest link. Don’t be the weakest link!

Page 42
Hear No Protected Health Information

Page 43
See No Protected Health Information

Page 44
Speak No Protected Health Information

Page 45
- Proceed to the test. 100% is required for completion.
- Good luck!
