2014 Getting Back to the Basics
Review HIPAA Privacy and Security requirements
Review American Behavioral standards and practices developed to comply with HIPAA Privacy and Security requirements
Review your responsibilities for ensuring compliance with Privacy and Security requirements
Review the consequences of non-compliance
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA)
Signed into law in 1996
Adopted Privacy Rules (2003) that protect health data (referred to as PHI) and provide members with certain rights regarding their health information
Adopted Security Rules (2005) that protect electronic health data (referred to as e-PHI)
Amended by the HITECH Act of 2009
Amended by the Omnibus Rule to enhance patient privacy protection, with compliance required by 9/23/2013
New rules and guidance continue to be issued to strengthen the requirements
PHI
Protected Health Information is any information, including demographic information, transmitted or maintained in any medium (electronically, on paper, via spoken word) that is created or received by a health care provider, health plan or health care clearinghouse, that relates to the past, present or future physical or mental health condition of an individual, or to the past, present or future payment for the provision of health care to the individual, and that can be used to identify the individual.
The following identifiers of an individual, or of relatives, employers or household members of the individual, are considered PHI:
Names
Postal addresses smaller than state
All elements of dates (except year) such as birth date, admission/discharge date, date of death
Telephone numbers
Fax numbers
Email addresses
Social security numbers
Medical record numbers
Health plan ID numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plates
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images
Any other unique identifying numbers, characteristics, or codes
PII
Personally Identifiable Information is information that can be used to distinguish or trace an individual’s identity (e.g., name, social security number, member number, etc.), alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.). PII may also be referred to as personally identifiable data or individually identifiable information.
NOTE: Although PII alone is not health information, it must be protected the same as PHI. Whenever PHI is referenced in this presentation, the same standard applies to PII!
EVERYTHING!
Written documentation and paper records
Electronic databases and information stored on a computer, laptop, memory card, mobile device, flash drive, etc.
Verbal communication (spoken words, voicemail messages, etc.)
Photographic images
TPO
PHI is to be accessed for work-related purposes only – those that relate to Treatment, Payment or health care Operations (TPO – defined later in this presentation)
Your access to PHI must be restricted to only the information necessary for you to perform your job
o This protects you
When HIPAA allows a use or disclosure of PHI, you should use only the minimum PHI necessary to accomplish the purpose of the use or disclosure
Exceptions:
o Treatment of the member
o Purposes for which a member has signed a HIPAA authorization
o Disclosures required by law
o When sharing information with the member or his/her legal representative
De-identified health data:
o Excludes all 18 elements (the PHI identifiers listed previously in this presentation)
o Cannot include any information that can be used alone or in combination with other information to identify the member who is the subject of the information
Whenever possible, use de-identified health information instead of PHI
De-identified data is not PHI and is not protected by the Privacy Rule.
* When in doubt, consult the Privacy Officer to ensure data has been sufficiently de-identified
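The Safe Harbor style rules above (drop the listed identifiers, keep only the year of any date, keep nothing geographic below state level, and scrub identifiers that hide inside free text) can be applied mechanically. The following is an added example, not code from American Behavioral or from this presentation; the field names, the SAMPLE_RECORD and the regular expressions are constructed assumptions for illustration. It fails closed: any field it does not recognise is dropped rather than passed through.

```python
import re

# Constructed example of a Safe Harbor style de-identifier.
# Field names below are assumptions, not a real schema.

# Structured fields that are direct identifiers and must be dropped outright.
DROP_FIELDS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo",
}
# Fields holding dates: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Fields allowed through (state is the largest geographic unit that is not an identifier).
KEEP_FIELDS = {"state", "sex", "diagnosis_code", "notes"}

# Identifier patterns that leak inside free text even after structured fields are removed.
_PATTERNS = [
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"\b(?:\(\d{3}\)\s*|\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[URL]", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
]
# Date formats recognised: ISO (YYYY-MM-DD) and US (MM/DD/YYYY).
_ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
_US_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")


def year_only(value):
    """Reduce a date string to its year; return None if no date is recognised."""
    m = _ISO_DATE.fullmatch(value.strip())
    if m:
        return m.group(1)
    m = _US_DATE.fullmatch(value.strip())
    if m:
        return m.group(3)
    return None


def redact_free_text(text):
    """Reduce embedded dates to their year and replace other identifier
    patterns with placeholders."""
    text = _ISO_DATE.sub(r"\1", text)
    text = _US_DATE.sub(r"\3", text)
    for label, pattern in _PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record):
    """Return a new dict containing only data permitted by the rules above.
    Unknown fields are dropped (fail closed) rather than passed through."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            year = year_only(str(value))
            if year is not None:
                out[key + "_year"] = year
            continue
        if key in KEEP_FIELDS:
            out[key] = redact_free_text(value) if isinstance(value, str) else value
    return out


# Constructed sample record; not a real member.
SAMPLE_RECORD = {
    "name": "Jane Q. Member",
    "street_address": "12 Elm St",
    "city": "Fort Worth",
    "state": "TX",
    "zip": "76102",
    "phone": "(817) 555-0134",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0042",
    "birth_date": "1971-03-14",
    "admission_date": "07/02/2013",
    "sex": "F",
    "diagnosis_code": "F41.1",
    "notes": "Call back at 817-555-0199 re: visit on 2013-07-02; spouse email bob@example.com",
    "employer": "Acme Corp",  # not in KEEP_FIELDS, so it is dropped
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Pattern scrubbing of free text is a best-effort control, which is why the slide's advice to consult the Privacy Officer still applies: names and other identifiers with no fixed format will not be caught by regular expressions. The full HHS Safe Harbor standard also has requirements not implemented here (for example, handling of ages over 89 and a limited allowance for the first three ZIP code digits).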
Know “how” and “where” you should store PHI
o Paper files should be stored in a filing cabinet or secure location when not in use (or, at a minimum, turned face down)
o PHI stored in electronic databases, document logs, spreadsheet applications, etc. must be password protected and saved to a secure location, such as a department folder
Store important documents in a secure location (such as your user area or in a department folder)
Lock your screen before leaving the room (never leave your computer unlocked when unattended)
All emails must include a confidentiality notice (see next slide for example)
When sending an email, be very careful to choose the correct recipient’s name
o Choosing the wrong name could result in a HIPAA breach!
Always verify the fax number before dialing
Must use an approved fax cover sheet that includes a confidentiality notice
o Place all documents containing confidential information in the shred bins when no longer needed
o Hand shredding is not sufficient
Member authorization not required to disclose PHI to:
Public health and governmental agencies, law enforcement officials and other authorities as required by law (forward these requests to the Privacy Officer for processing)
Legal proceedings, such as a court or administrative order, subpoena, etc.
Member authorization not required to disclose PHI to the:
Member (who is the subject of the PHI)
Member’s Power of Attorney (POA) or Legal Guardian (ordered by the court or protective order)
o American Behavioral must have proof of the individual’s legal authority
o The legal document must specifically authorize health disclosures
Parents covered on the same American Behavioral policy as a child age 13 or younger
o If the child is 14 or older, the child must authorize the disclosure
*** ALWAYS ask the individual for at least two forms of ID to validate their identity ***
Member authorization not required to disclose a member’s PHI to the member’s family or friends in emergency situations where the member becomes incapacitated or unable to agree or object
Generally, management should approve emergency disclosures, but use your best judgment – if there is not time for approval, document the situation thoroughly and notify your supervisor afterwards
Member authorization not required to disclose a member’s PHI to the member’s family or friends when a member becomes incapacitated long-term (or expected long-term)
Requires proof of long-term incapacity
Can disclose to the member’s spouse or parent, or to an individual over age 19 who is the member’s child/brother/sister/next of kin
Requires completion of a Personal Representative Attestation for Long-Term Incapacitated Members
Member authorization not required for disclosure of general plan information publicly available on American Behavioral’s website to family members and friends involved in a member’s care, such as:
Evidence/Certificate of Coverage
Attachment A (commercial members)
Formulary
Provider/Pharmacy Directory
Other General Plan Information
* It is permissible to release information to a friend or relative if we have obtained a signed Appointment of Representative (AOR) Form
Member authorization not required when we:
Share other non-PHI information with family members and friends involved in the member’s care
Verify certain information for those involved in the member’s care
For non-emergent situations, we can disclose to the member’s family and friends if the member authorizes the disclosure:
The member can appoint someone as their personal representative
Both the member and the appointed representative must sign the form
For non-emergent situations, we can also disclose PHI to a member’s family or friends through a verbal authorization from the member
Any other disclosure not listed previously requires the member’s authorization
Examples of disclosures requiring authorization:
o Requests from attorneys/law offices
o Requests from medical record companies
o Requests from medical suppliers/vendors wanting to market their products or services without a treatment referral from a physician
o Requests from employers
Plans (self-insured employer groups) may designate specific associates authorized to receive PHI
Fully insured employers should never receive PHI without a member’s authorization
Right to confidential communications
Right to access their PHI
Right to request that we amend our records
Right to an accounting of disclosures we have made concerning their PHI
Right to file a privacy complaint
Right to request a restriction on how we use/share their PHI
A breach occurs when PHI is “acquired, accessed, used or disclosed” in an unauthorized manner that compromises the security or privacy of the information
Examples:
o Accessing PHI without a work-related need to know
o Sharing PHI with those who do not need to know
o Sending an email/fax containing PHI to the wrong recipient
o Loss or theft of records containing PHI
Texas HIPAA Blunder Affects 277k (July)
Texas Health Harris Methodist Fort Worth notified some 277,000 patients that their PHI was compromised after several hospital microfilms, which were supposed to be destroyed, were found in various public locations.
Lesson: Make sure all PHI is disposed of properly!
Advocate Health Slapped with Lawsuit After Massive Data Breach (August)
Advocate Health Care reported the second largest HIPAA breach when four unencrypted laptops were stolen from its facility, compromising over 4 million patients’ information. Advocate has now been slapped with a class action lawsuit filed by affected patients.
Lesson: Portable devices must be secured at ALL times (even when not in use) and must be encrypted!
Under the Breach Notification Rule (part of the Health Information Technology for Economic and Clinical Health (HITECH) Act), individuals whose PHI is compromised must be notified in writing within 60 days of discovery of a breach
All breaches must be reported to HHS
HHS posts information about breaches at: reachnotificationrule/breachtool.html
It is imperative to report HIPAA incidents immediately
The Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), enforces tiered civil penalties
o Monetary penalties range from $100 per violation up to $1.5 million per calendar year
State attorneys general can pursue civil suits against persons violating HIPAA
The U.S. Department of Justice enforces criminal penalties
o Criminal penalties for “wrongful disclosure” include fines of $50,000 to $250,000 and up to 10 years in prison
NOTE: Penalties and fines apply to associates – not just to covered entities!
Sending PHI via unencrypted email
Faxing or emailing PHI to the wrong recipient
Leaving PHI unattended at copiers, on printers and fax machines, in conference rooms, in public locations, etc.
Discussing PHI in common places or with others who do not need to know the information
Protect PHI the way you would want someone to protect your PHI Make HIPAA Privacy and Security a priority!
American Behavioral Resources
o American Behavioral’s Information Security Handbook (I:\HIPAA\Information Security Handbook_9_2012.pdf)
o American Behavioral’s Notice of Health Information Practices (available in EOCs, COCs and on American Behavioral’s website at Behavioralhealth.com/Privacy/Default.aspx)
o American Behavioral’s Fax Coversheet (I:\HIPAA)
o American Behavioral’s Appointment of Representative Form (I:\HIPAA)
o American Behavioral’s HIPAA Policies & Procedures (I:\HIPAA\HIPAA Policies and Procedures)
HHS Resources
o HHS HIPAA Q & A’s (http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html)