Presentation on theme: "Privacy, Security, Confidentiality, and Legal Issues"— Presentation transcript:
1Privacy, Security, Confidentiality, and Legal Issues chapter sevenPrivacy, Security, Confidentiality, and Legal Issues
2Learning Outcomes When you finish this chapter, you will be able to: 7.1 Identify the HIPAA privacy and security standards.7.2 Evaluate an EHR system for HIPAA compliance.7.3 Describe the role of certification in EHR implementation.7.4 Apply procedures to set up security measures in PrimeSUITE.7.5 Follow proper procedures to access sensitive or restricted-access records.
3Learning Outcomes (cont) 7.6 Apply procedures to ensure data integrity.7.7 Apply procedures to release health information using PrimeSUITE.7.8 Account for data disclosures using PrimeSUITE.7.9 Exchange information with outside healthcare providers for continuity of care using PrimeSUITE.7.10 Outline the content of compliance plans.7.11 Appraise the importance of disaster recovery planning.
4Key Terms Access report Accounting of disclosures American Health Information Management Association (AHIMA)Audit trailBlogBreach of confidentialityComputer VirusConfidentialityCovered entityData IntegrityDisaster recovery planDirectory informationEncryptionFirewallHardwareHealth Information Management & Systems Society (HIMSS)Teaching Notes:After posting the key terms slide, ask class to identify which terms they feel familiar with/have heard of or experienced.Move on to the lesser-known (or not mentioned) terms and stress to students why they are also important.
5Key Terms (cont) Malware Minimum necessary information National Alliance for Health Information Technology (NAHIT)Notice of Privacy PracticesPasswordPrivacySocial mediaUser rightsTeaching Notes: See notes on slide 4.
67.1 HIPAA Privacy & Security Standards HIPAA passed in 1996Contains, privacy and security rules, among othersThe Health Information Technology for Economic and Clinical Health Act ( HITECH ) made HIPAA rules more stringentGave government authorities power to enforce privacy and security rulesLearning Outcome 7.1 Identify the HIPAA privacy and security standards.Teaching Notes:Ask students if they have ever needed to sign a HIPAA form when going to a doctor’s appointment. Discuss the reasons for this – disclosure of health information, privacy protection, patient rights.Differentiate between PRIVACY and SECURITY. How are they related? How are they different?Allow students to brainstorm examples of PHI; guide and add to their list as needed – use to discuss why this information needs to be secured.
77.1 HIPAA Privacy & Security Standards (cont) March 26, Omnibus Final Rule of HITECHSeptember, 2013 – compliance required as of this dateEnhanced HIPAA privacy regulationsIncreased individual patient rightsStrengthened government’s ability to enforce the lawMore coverage over business associatesLearning Outcome 7.1 Identify the HIPAA privacy and security standards.Teaching Notes:Point out that regulations are changed along the way – in this case the law was enhanced with the addition of the Omnibus Final Rule of HITECH.
87.1 HIPAA Privacy & Security Standards (cont) Notice of Privacy Practices (NPP) was expandedMaximum penalty for violation of the law was increased to $1.5 million per violationEnhanced breach notification requirementsUpon request, patients must be given an electronic form of their record(s) (if EHR is used in that office or hospital)Patients may instruct provider not to bill insurance, if paying in cashLearning Outcome 7.1 Identify the HIPAA privacy and security standards.Teaching Notes:Ask students to discuss the reason(s) the privacy rules were enhanced. What was wrong with HIPAA as it was already written?Pass out (or otherwise make available) the original NPP and the new NPP. Have students compare and contrast the two.
97.1 HIPAA Privacy & Security Standards (cont) Intent is to ensure Protected Health Information (PHI) is private and secureCovered entities include healthcare facilities, health plans, clearinghouses, and/or other businesses that handle PHIOnly minimum necessary information may be releasedLearning Outcome 7.1 Identify the HIPAA privacy and security standards.Teaching Notes:Ask students why only minimal information should be released to covered entities.BEFORE MOVING TO THE NEXT SLIDE, ask students/groups to create a list of what types of things a privacy/confidentiality policy should address. Use student responses to start discussion and see how close they come to the list on the next two slides…….
107.1 HIPAA Privacy & Security Standards (cont) Privacy & confidentiality policies should address:Release (disclosure) of informationRelease of directory informationWritten guidelines regarding minimum necessary informationFaxing of documentationComputer access and lockdownPassword sharingComputer screensShredding of hard-copy documentsNotice of Privacy PracticesRequirement for staff to sign confidentiality statementLearning Outcome 7.1 Identify the HIPAA privacy and security standards.Teaching Notes: See notes on slide 9 and……Ask students what they think is meant by “computer screens” and “password sharing”…….what aspects of these topics might a privacy/confidentiality policy address?Ask students to brainstorm ways that confidentiality is unintentionally broken.
117.1 HIPAA Privacy & Security Standards (cont) Privacy & confidentiality policies (cont):Password ProtectionAppointment of a security and/or privacy officerLog-in attempts lock-outProtection from computer viruses and malwareSecurity auditsOff-site accessPrinting policiesPolicies and procedures to address privacy or security incidentsStaff educationLearning Outcome 7.1 Identify the HIPAA privacy and security standards. (cont)Teaching Notes: See notes on slide 9.Have students discuss why someone should be shut out of accessing software if they make too many attempts at logging in.Have students discuss employer-assigned accounts. Should the employer have access to those s even if the employee uses it for personal as well as work-related ? Why or why not?Ask the students when employees should first be educated about privacy and security?
127.1 HIPAA Privacy & Security Standards (cont) Firewalls should deter access to the systemPolicies should exist to govern the security of hardware devicesLock-down the devices.Never store passwords on the computer.Back up your files & store backup files off-site.Encrypt PHI.Use portable devices in secure areas.Wipe hard drives for computers taken out of use before recycling.Learning Outcome 7.1 Identify the HIPAA privacy and security standards. (cont)Teaching Notes: See notes on slide 9 and…..Ensure students know what a firewall is and what it is used for; use analogies such as leaving the doors or windows to your house unlocked and going out for a period of time.
137.2 Evaluating an EHR System for HIPAA Compliance Password protectionUse of unique identifier for each userStrength of passwordsAccess to PHI only for those who have a need to knowAccounting of all disclosures (internal and external)Security policy that addresses back-up of data, storage, and restoration dataLearning Outcome 7.2 Evaluate an EHR system for HIPAA compliance.Teaching Notes:Direct student attention to Table 7.1 in worktext; reiterate the importance of HIPAA, and go through the various sections of the chart.Have students come up with various passwords and discuss the security of each.Discuss what types of guidelines a practice might put into place regarding passwords.Have student groups come up with various scenarios surrounding disclosure of internal/external information; discuss as a class.
147.2 Evaluating an EHR System for HIPAA Compliance (cont) Ability to audit who accessed a record, and which area(s) were viewed, edited, or deletedLearning Outcome 7.2 Evaluate an EHR system for HIPAA compliance. (cont)Teaching Notes: See notes on slide 13 and….Ask why HIPAA requires the ability to audit who accessed a record and see what they did.Provide a set of narrative scenarios regarding staff accessing information and have students discuss whether the staff member complied with HIPAA guidelines.
157.2 Evaluating an EHR System for HIPAA Compliance (cont) Researching, selecting, and implementing an EHR must take into consideration:required components of a compliant EHRneeds of the office or facilitybudget for acquiring a systembudget requirementsstaff and training needsintent of the EHRtarget date for implementationLearning Outcome 7.2 Evaluate an EHR system for HIPAA compliance. (cont)Teaching Notes:Discuss the team members who should make up the EHR search team.Ask why so many people should be involved….why can’t just one person make the decision?
167.3 The Role of Certification in EHR Implementation CCHIT organized by AHIMA, HIMSS, and NAHIT in 2004Non-governmental; non-profit organizationMission is to accelerate the use of an interoperable health information technologyRole is to certify EHR systems that meet all requirements of HIPAA and HITECHLearning Outcome 7.3 Describe the role of certification in EHR implementation.Teaching Notes:Remind students of the meanings of each acronym mentioned; go through the hierarchy of the organization.Put students into groups and have each group visit the website. Select two products and summarize the ONC criteria met by each.Use group research to discuss as a class.
177.4 Applying Security Measures Hands-on exercise to apply security measures:Adding new clinical usersAssigning password to new clinical usersSetting up provider’s user rightsAssigning user rights for other healthcare professionalsAssigning user rights for an office managerCreating a groupSetting general system-wide security requirementsRunning an audit trail reportLearning Outcome 7.4 Apply procedures to set up security measures in PrimeSUITE.Teaching Notes:Have students brainstorm how user rights might differ among staff members.Give students a listing of typical positions within a hospital or physicians’ practice, along with the various functionality (registration, problem list, past medical history, coding, billing, etc.), and for each position, have them list the functions each should have access rights to, and defend why they think so.Ask: what is the benefit of creating a group in PrimeSUITE?What is the purpose of an audit trail report?Have students complete Exercises
187.5 Apply Procedures to Handle Sensitive and Restricted Access Records Records may contain information that is more of a personal nature than clinical.There may be something that happened in the past that is embarrassing or highly sensitive to the patient.Records can be flagged as being sensitive or restricted access.Learning Outcome 7.5 Follow proper procedures to access sensitive or restricted-access records.Teaching Notes:Have students discuss whether or not restricting access could actually be detrimental to a patient’s care.Have students complete exercises 7.8 & 7.9.
197.6 Data IntegrityThe integrity of data can be ensured only if it is complete, accurate, consistent, timely, and has not been altered, destroyed or accessed by unauthorized individuals.Strict organization-wide policies must be in place.Learning Outcome 7.6 Apply procedures to ensure data integrity.Teaching Notes:Building on the examples in section 7.6 of the worktext, provide various examples of data collection and have students decide if data integrity exists in each scenario.Why is it that the person who made an original entry error be the one to amend it? What happens if that person is not available when the error is discovered?Have students complete Exercises
207.6 Data Integrity (cont)Integrity also applies to the addition, amendment, or omission of documentation already recorded.Proper chart correction:Amending chart entriesHiding chart entriesRecovering hidden chart entriesLearning Outcome 7.6 Apply procedures to ensure data integrity.Teaching Notes: See notes on slide 19.
217.7 Apply Policies & Procedures to Release Health Information Using PrimeSUITE Release of information is necessary for many reasons, including continuation of care.Authorizations to release information may be required and must be addressed in written policies.Must account for all disclosures to comply with HITECHBreach of confidentiality is releasing information without authorization.Learning Outcome 7.7 Apply procedures to release health information using PrimeSUITE.Teaching Notes:Provide a series of narrative examples regarding ROI and – using the guidelines discussed in the worktext – decide if a breach of confidentiality occurred (use a variety of scenarios that require and do NOT require authorization, etc.).Have students complete Exercise 7.13.
227.8 Accounting of Information Disclosures Accounting for the release of medical information is necessary in order to comply with regulations and as best practice for record keeping.It is mportant to understand how to run a report of information disclosures from a patient’s chart.Learning Outcome 7.8 Account for data disclosures using PrimeSUITE.Teaching Notes:Ask why regulations mandate that all ROI must be accounted for.Discuss the different types of reports surrounding information disclosures; how might each be used?Have students complete Exercise 7.14.
237.9 Information ExchangeMeaningful Use standards require exchange of information between providers for smooth continuation of care.Sharing of electronic information must be through a secure environment.There are regulations that address telecommunications and networking security.Learning Outcome 7.9 Exchange information with outside healthcare providers for continuity of care using PrimeSUITE.Teaching Notes:Assign students to research your state’s HIE via the Internet and write a short summary of the information they find.Discuss with students the necessity of having social media policies regarding health information exchange…would care providers/healthcare professionals really share PHI over Twitter, Facebook, etc.? (Cite examples of where this occurred, to stress the importance to students – they must take care to remain professional!)Show (or have students find) Facebook pages and Twitter feeds for healthcare facilities, such as hospitals and practices. Debate the pros and cons of using social media to promote a facility.Have students complete Exercise 7.15.
247.9 Information Exchange (cont) Policy to address use of social media should include:When employees may/may not access social media sites during work hoursTone used in posts to social media sitesPHI of patients should never be postedIdentity of patients should never be postedNo copyrighted materials should be postedNo information about the organization may be postedActions for failure to complyLearning Outcome 7.9 Exchange information with outside healthcare providers for continuity of care using PrimeSUITE.Teaching Notes: See notes on slide 23.
257.10 Compliance PlansHealthcare organizations must have written compliance plans to address how organization ensures compliance with regulations:PrivacySecurityMeaningful UseGeneral health information regulationsWritten policies must be kept and made available to all staff at all times.Learning Outcome 7.10 Outline the content of compliance plans.Teaching Notes:If possible, bring in an example compliance plan and let students skim and discuss.Have student groups write sample guidelines for various sections of a compliance plan – share and discuss as a class.Ask: why should an audit be performed on every staff member? Wouldn’t you feel uncomfortable if you were a staff member who behaved in compliance yet got audited?Mention: your worktext covers the MINIMUM requirements for a compliance plan. Discuss these, and then ask students what other/additional pieces they would recommend or cover.
267.10 Compliance Plans (cont) Compliance plan should include:Name of the compliance officerPolicies that cover:Routine daily operationsFile back-upComputer accessRelease of patient informationBreach of confidentialitySecurity breaches, internal and externalCoding and billingLearning Outcome 7.10 Outline the content of compliance plans.Teaching Notes: See notes on slide 25.
277.11 Safeguarding Your System & Disaster Recovery Planning A contingency plan is equivalent to a back-up plan, should the system fail or a natural or other disaster occur.Potential security concerns should be addressed with a detailed back-up plan.Learning Outcome 7.11 Appraise the importance of disaster recovery planning.Teaching Notes:Ask students what potential security concerns might come up during a disaster or system fail; how might each be addressed in a contingency plan?
287.11 Safeguarding Your System & Disaster Recovery Planning (cont) Written Disaster Recovery Plans should include:An accounting of all functions that are performed within the officeList of computer hardware, software, and data related to each functionLocation of back-up files and the format usedStep-by-step procedures for restoring backed-up dataAn alert system to notify personnel of the disasterRequired security training for all personnelImportance of keeping functions safe, confidential, and secure cannot be overstatedLearning Outcome 7.11 Appraise the importance of disaster recovery planning.Teaching Notes:Mention that files/backups must be stored OFFSITE – why?
29Summary HIPAA privacy and security standards HIPAA regulations and the HEROmnibus Final Rule of HITECHThe role of certification in EHR implementationProcedures to set up security measuresSensitive and restricted access recordsProcedures to ensure data integrityProcedures to release health informationAccounting for data disclosuresTeaching Notes:Before going through the chapter summary, ask students to take out their list from chapters 1-6 and write down two things:1-2 biggest takeaways from Chapter 71-2 outstanding questions/challenges from Chapter 7Encourage students to keep this list and add to it after each subsequent chapter (to compile a list of their personal key points and to see if their questions get answered).
30Summary (cont)Exchanging information with outside healthcare providers for continuity of careContent of compliance plansImportance of disaster recovery planning