Presentation on theme: "HIPAA Privacy & Security Training Module 1. What we want to accomplish Understand HIPAA Privacy Rule Understand who it applies to Discuss PHI "— Presentation transcript:
HIPAA Privacy & Security Training Module 1
What we want to accomplish Understand HIPAA Privacy Rule Understand who it applies to Discuss PHI Define PHI Identify how and when it is used and disclosed Identify the right amount of PHI to use or disclose Talk about patient rights under HIPAA Understand a breach Review responsibilities and safeguards 2
What is HIPAA? 3 Health Insurance Portability and Accountability Act of 1996 Federal law Comprised of Five Sections Administrative Simplification Electronic Transactions and Code Sets Rule Privacy Rule Security Rule
Privacy Rule v. Security Rule Privacy Rule identifies what information is to be protected and outlines the individual’s rights to control access to their health information Security Rule defines how to protect protected health information in electronic form, called ePHI 4
Education 5 The education that you are receiving today will focus on learning what responsibilities you have in order to ensure Elmcroft complies with HIPAA Privacy and HIPAA Security Regulations. The following topics will be covered: Electronic Protected Health Information User Identity Password Management Appropriate Use of Computing Devices Security Policies Security Officer Reporting Security Concerns Protected Health Information Minimum Necessary Patient Rights Notice of Privacy Practices Privacy Policies Privacy Officer Reporting Privacy Concerns HIPAA PRIVACY HIPAA SECURITY
HIPPA Privacy Officer Maintains appropriate measures to guard against unauthorized access to PHI. Ensures compliance through adequate training programs and periodic audits. Maintains HIPAA policies and procedures.
Other important rules HITECH Act of 2009 – Health Information Technology for Economic and Clinical Health Act Breach Notification Rule HIPAA Omnibus Rule Changed the Breach Notification Rule Don’t forget about state law! 8
What is the Privacy Rule? Personal health information must be safeguarded by organizations and the individuals who work there Patients have rights to gain access to their medical records and restrict who sees their health information Organizations must train their workforce on the privacy requirements Organizations must appoint an individual to be responsible for seeing that privacy procedures are adopted and followed Punishes individuals and organizations that fail to keep patient information confidential 9
Who is Covered? Health Plans Healthcare Clearinghouses Healthcare Providers that conduct standard transactions in electronic form that involve PHI Known as “Covered Entities” 10
Business Associates (BA) 11 Individual or Organization that performs duties or business functions on behalf of the Covered Entity using Protected Health Information (PHI) Law firm Pharmacist consultant Medical Director Record Storage Company Prior to disclosing PHI to the BA, the Covered Entity is required to have a written agreement with the BA that specifies the safeguards on the PHI used or disclosed by the BA
What is Protected Health Information (PHI)? Individually identifiable health information That relates to an individual’s past, present or future health care, or That relates to health care services provided to the patient, or That relates to payment for care Created or received by a Covered Entity or Business Associate In any form: paper, electronic or oral 12
Individual Identifiers of PHI 13 Name Address Telephone No. Finger or voice prints Social security number Vehicle/device serial no. Health plan number Certificate/license No. Account Number Names of relatives Names of employers Fax number Birth date/admission & discharge dates Photographic images/X-rays Medical record number Account Number , IP address, web URL
Notice of Privacy Practices (NPP) Notice of Privacy Practice (NPP) describes how PHI may be used and disclosed by a Covered Entity. NPP explains how an individual can get access to information and how to make a complaint to the Covered Entity. NPP for health care providers must be: Distributed at the first instance of service, Posted at the service site, Posted on the website if one exists. All employees should be aware of the NPP. 14
When does HIPAA allow use or disclosure of PHI? Permitted by law Treatment Payment Health Care Operations Public interest and public benefit Permission by the resident/patient Authorization 15
Incidental Uses and Disclosures Incidental use or disclosure Occurs as a by-product of a permissible use or disclosure using reasonable safeguards Cannot be reasonably prevented Must use reasonable safeguards Example: A visitor catches a glimpse of the information on a nursing station whiteboard as a nurse is adding information to it 16
Accidental Uses and Disclosures Accidental use or disclosure Potential breach Attempt to retrieve it, or limit exposure or risk to the information Report the incident immediately Example: A nursing assistant is faxing lab results to a resident’s doctor but uses the wrong fax number and sends it to a garage 17
Minimum Necessary Uses, disclosures, and requests of PHI limited to the “minimum necessary to accomplish the intended purpose.” Example: An insurance company requests a patient’s medical record for billing purposes. Only the information pertaining to a specific bill should be sent. Minimum necessary does not apply when PHI is used or disclosed: For treatment purposes, To the individual, When you obtained an authorization, When required by law. 18
Need to know Determine the information you need to know to do your job Access information only if you have a need to know it Example: a nurse needs to know PHI to provide care for the patients on his/her unit, but not for the patients that are on another unit. 19
Patient Rights Receive a Notice of Privacy Practices Right to Access Right to an Accounting of Disclosures Restriction of Use of PHI Confidential Communications Request Amendment File Complaint (Covered Entity and Office of Civil Rights) 20
What would you do? A co-worker gets called away from the med cart. He makes sure the drawers are locked, but walks away leaving the MAR sheet uncovered and able to be viewed by the general public. A professionally dressed visitor walks into the nurses station and states that she is the daughter of Mr. Taylor, a resident in room 16, and that she wants to review his medical record. You notice a list of names and current medications in the trash can. 21
Disclosure that must be tracked Patients have the right to receive an Accounting of Disclosures of PHI made by a Covered Entity for the six (6) years prior to the request. The following disclosures need to be tracked: Required by law (i.e. reports of abuse to a public health authority) Required for public health activities (i.e. reporting of disease) For health oversight activities (i.e. audits by an oversight agency) Reports of abuse (i.e. to the police, medical staff) For law enforcement purposes (i.e. to identify the perpetrator of a crime) To the coroner (i.e. for identifying a deceased person) To avert a threat of serious injury (i.e. disclosure to a person who can prevent the threat or to law enforcement) Unlawful or unauthorized disclosure (i.e. inadvertent disclosures) 22
What is a breach? An impermissible use or disclosure that compromises the security or privacy of the PHI. A breach is presumed unless the Covered Entity or Business Associate can demonstrate there is a low probability the PHI was compromised based on a risk assessment. 24
Examples of Possible Breaches Throwing PHI in the trash or dumpster (without being shredded); Sharing PHI with those who do not have a need to know; Posting another person’s PHI on your Facebook page; Faxing a document containing PHI to the wrong fax number; PHI that has been lost or stolen. 25
What if a breach occurred? Report incidents to your supervisor as soon as they occur or are discovered LPO investigates to determine if the incident is a breach 26
Breach Notification A breach requires notification within a required time from the date the breach was discovered or should have been discovered: Individual, within 60 days HHS – OCR, within 60 days if > 500 individuals involved HHS – OCR, annually within 60 days of the end of the calendar year if < 500 individuals Media, within 60 days if more than 500 individuals involved 27
OCR Audits / Investigations Permanent audits in planning stage Complaints can trigger an investigation A breach can trigger an investigation 28
Penalties for Non-Compliance Individual can be responsible, not just the Covered Entity or Business Associate Civil Money Penalties Violation but you did not know or could not have known $100 per violation with annual maximum of $25,000 for repeat violations Violation due to reasonable cause and not due to willful neglect $1,000 per violation with an annual maximum of $100,000 for repeat violations Violation due to willful neglect but corrected within required time period $10,000 per violation with annual maximum of $250,000 for repeat violations Violation due to willful neglect and not corrected $50,000 per violation with annual maximum of $1.5 million 29
Penalties, cont. Criminal Penalties Knowingly committed the offence Up to $50, Up to one year in prison Committed under false pretenses $100,000 Up to five years in prison Committed for financial gain or malicious harm $250,000 Up to ten years in prison 30
Headlines, Reported Breaches Southwest General Health Center Notified 480 patients that a binder containing their personal and health information had gone missing Phoenix Cardiac Surgery Appointments were available to the public on internet-based calendar Paid $100,000 to settle claims of lack of HIPAA safeguards and agreed to take corrective action to implement policies and procedures to safeguard PHI of its patients Nursing Assistant in Florida sentenced for HIPAA crime Former nursing assistant of assisted living facility in sentenced to 3 years in prison for stealing and selling patient information Ordered to pay $12,000 in penalties UCLA School of Medicine Researcher terminated and in retaliation accessed the medical records of his superior and his co-workers and the patient records of celebrities, a total of 323 times Sentenced to 4 years in prison 31
General Safeguards Protect the privacy and security of our residents’ highly confidential information: medical, financial or other data When you talk about it When you fax it When you store it When you use it When you disclose it When you dispose of it Remember minimum necessary and access only the amount of PHI necessary to do your job and only when you have a need to know 32
General Safeguards, cont. Confidential verbal conversations should be conducted away from others who do not have a need to know. Never use or disclose confidential information for any personal purpose or out of curiosity, or allow others to do so. Documents containing PHI should not be left in open areas or on desks where it can easily be seen or stolen by passerby. 33
General Safeguards, cont. Dispose of resident information by shredding or storing in lock containers for destruction. Do not throw in the trash! Keep information you hear about a resident to yourself. Share only with those who have a need to know. Use reasonable safeguards to keep resident information from being accessible by others who do not have a need to know. 34
General Safeguards, cont. Notify security if you see an unescorted visitor in a private area. Computer screens where PHI is viewed should be turned away from the view of visitors. Any fraudulent attempts by an unauthorized person to obtain PHI must be reported to the supervisor and the LPO. 35
36 HIPAA Security Rule Security Rule defines how to protect protected health information in electronic form, called ePHI
HIPAA: Security Rule Four Requirements of Security: Ensures confidentiality, integrity, and availability of electronic PHI. Protects against possible threats and hazards to the information. Hackers, viruses, natural disasters or system failures. Protects against unauthorized uses or disclosures. Ensures compliance by the workforce through security regulations and policies/procedures. Three Components of Security: Administrative Safeguards Physical Safeguards Technical Safeguards
HIPAA: Security Rule Administrative Safeguards: Documentation kept for 6 years. Internal system audits minimize security violation s. Logins, file accesses, and or security incidents. Information access management: Access to PHI based on what is needed to preform the job. Once computer access is requested, it will take hours to implement due to complexity of security system. Security awareness and training: Security updates, incident reporting, log-in, and password management. Security incidents will be reported if suspected or if there is an actual breach.
HIPAA: Security Rule Physical Safeguards: Safeguard the facility and equipment, from unauthorized physical access, tampering, and theft. Workstations positioned so monitor screens/ keyboards are not directly visible to unauthorized persons. Use of privacy screens when applicable. Physical access to the server room limited to key personnel. Workstation use and security. Log on as themselves. Log off prior to leaving the workstation, Inspect the last logon information, report any discrepancies. Comply with all applicable password policies and procedures. Close files not in use.
HIPAA: Security Rule Technical Safeguards: Access controls: User password setup is for one-time use initially. Allowing the individual to choose their own unique password for future access. User passwords reset every 180 days. All passwords must consist of at least eight (8) alphanumeric characters (numbers and letters). Passwords cannot be reused until after three (3) different generations have been used. Six (6) failed logon attempts will cause the user account to be locked out. The account is locked out for (30) minutes and then reset. Computer Desktops automatically lock after 17 minutes of inactivity. Citrix sessions automatically close after 30 minutes of inactivity. CareVoyant sessions automatically close at different intervals depending on place within the program. CareTracker sessions automatically close at different intervals depending on place within the program
HIPPA Security Officer *Maintains appropriate security measures to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards. *Oversees and/or performs on-going security monitoring of organization information systems. *Ensures compliance through adequate training programs and periodic security audits. *Ensures security standards comply with statutory and regulatory requirements. *Maintains HIPAA security policies and procedures.
Who is responsible for HIPAA? EVERYONE at Elmcroft: *Support Center Staff: *IT Staff: *Implement safeguards for the computer systems. *Local Privacy Officer: *Clinical Staff and Physicians: *Create and access the majority of resident information. *Managers and Supervisors: *Develop and implement policies and procedures that relate to security and ensure their staff are trained properly. *Clerical Staff: *Create and access resident information. *Volunteers: *Have access to resident information in various settings *Vendors and Contractors *May have access to resident information
Tips for HIPAA Security Compliance Log on and off the network appropriately. Never let others use your ID or work under your ID. Do NOT disable anti-virus software or install unapproved software. Never introduce new hardware or media. may be, but is not always, a secure form of data transmission. Do NOT PHI unless using encrypted means. Use caution in opening files from unknown sources. Do NOT access non-permitted information or give non- permitted information to unauthorized employees. Be aware of, and report, security threats to the Security Officer.
Tips for HIPAA Security Compliance Passwords must be treated as sensitive and confidential information. Never share your password with anyone for any reason. Passwords should not be written down, stored electronically, or published.
Be sure to change initial passwords, password resets and default passwords first time you log in. Use different passwords for your different accounts. Create passwords that are not common, avoid common keyboard sequences, do not contain personal information, such as pets, birthdays or kid’s names. Tips for HIPAA Security Compliance
Protect sensitive information on lists and reports with social security numbers (SSNs). Limit access to lists and reports with SSNs to those who specifically need SSNs for official business. Never store SSNs or use lists with SSNs on laptops or home computers. Save and store sensitive information only on Elmcroft servers managed by IT staff.
Tips for HIPAA Security Compliance Never copy sensitive data to CDs, disks, or portable storage devices. Do not store lists with sensitive information on the Web (Dropbox, Google+, Etc.). Lock printed materials with sensitive data in drawers or cabinets when you leave at night. When done with printed sensitive material, shred them.
Tips for HIPAA Security Compliance Remove sensitive materials from printer right away. If problem with printer, turn off printer to remove sensitive material from printer’s memory. Personally deliver sensitive materials to recipient or distribute information electronically using the system. Arrange for shared electronic files that requires user ID and password.
What do we do? Complete initial and annual HIPAA training Read the Notice of Privacy Practices (NPP) Understand how HIPAA regulations impact your job function and responsibility Check with your supervisor if you are uncertain Ask for additional training if required It is our responsibility to ensure confidentiality of our residents’ health information. 50
General Rule for HIPAA What happens at work, stays at work! 51 OR…..
Resources Susan Dawson, Privacy Officer Elmcroft Senior Living 9510 Ormsby Station Road, Suite 101 Louisville, KY Office: Your Local Privacy/Security Officer (Administrator/Executive Director) Bob Dooley, VP Information Systems Elmcroft Senior Living 9510 Ormsby Station Road, Suite 101 Louisville, KY Office: Bob Dooley, VP Information Systems Elmcroft Senior Living 9510 Ormsby Station Road, Suite 101 Louisville, KY Office: