
Chapter seven Privacy, Security, Confidentiality, and Legal Issues.


Slide 1: Chapter Seven: Privacy, Security, Confidentiality, and Legal Issues

Slide 2: Learning Outcomes
© 2015 McGraw-Hill Education. All rights reserved.
When you finish this chapter, you will be able to:
– 7.1 Identify the HIPAA privacy and security standards.
– 7.2 Evaluate an EHR system for HIPAA compliance.
– 7.3 Describe the role of certification in EHR implementation.
– 7.4 Apply procedures to set up security measures in PrimeSUITE.
– 7.5 Follow proper procedures to access sensitive or restricted-access records.

Slide 3: Learning Outcomes (cont)
– 7.6 Apply procedures to ensure data integrity.
– 7.7 Apply procedures to release health information using PrimeSUITE.
– 7.8 Account for data disclosures using PrimeSUITE.
– 7.9 Exchange information with outside healthcare providers for continuity of care using PrimeSUITE.
– 7.10 Outline the content of compliance plans.
– 7.11 Appraise the importance of disaster recovery planning.

Slide 4: Key Terms
– Access report
– Accounting of disclosures
– American Health Information Management Association (AHIMA)
– Audit trail
– Blog
– Breach of confidentiality
– Computer virus
– Confidentiality
– Covered entity
– Data integrity
– Disaster recovery plan
– Directory information
– Encryption
– Firewall
– Hardware
– Health Information Management & Systems Society (HIMSS)

Slide 5: Key Terms (cont)
– Malware
– Minimum necessary information
– National Alliance for Health Information Technology (NAHIT)
– Notice of Privacy Practices
– Password
– Privacy
– Social media
– User rights

Slide 6: 7.1 HIPAA Privacy & Security Standards
– HIPAA passed in 1996
– Contains privacy and security rules, among others
– The Health Information Technology for Economic and Clinical Health Act (HITECH) made HIPAA rules more stringent
– Gave government authorities power to enforce privacy and security rules

Slide 7: 7.1 HIPAA Privacy & Security Standards (cont)
– March 26, 2013: Omnibus Final Rule of HITECH
– September 2013: compliance required as of this date
– Enhanced HIPAA privacy regulations
– Increased individual patient rights
– Strengthened government's ability to enforce the law
– More coverage over business associates

Slide 8: 7.1 HIPAA Privacy & Security Standards (cont)
– Notice of Privacy Practices (NPP) was expanded
– Maximum penalty for violation of the law was increased to $1.5 million per violation
– Enhanced breach notification requirements
– Upon request, patients must be given an electronic form of their record(s) (if an EHR is used in that office or hospital)
– Patients may instruct the provider not to bill insurance if paying in cash

Slide 9: 7.1 HIPAA Privacy & Security Standards (cont)
– Intent is to ensure Protected Health Information (PHI) is private and secure
– Covered entities include healthcare facilities, health plans, clearinghouses, and/or other businesses that handle PHI
– Only minimum necessary information may be released

Slide 10: 7.1 HIPAA Privacy & Security Standards (cont)
Privacy & confidentiality policies should address:
– Release (disclosure) of information
– Release of directory information
– Written guidelines regarding minimum necessary information
– Faxing of documentation
– Computer access and lockdown
– Password sharing
– Computer screens
– Shredding of hard-copy documents
– Notice of Privacy Practices
– Requirement for staff to sign a confidentiality statement

Slide 11: 7.1 HIPAA Privacy & Security Standards (cont)
Privacy & confidentiality policies (cont):
– Password protection
– Appointment of a security and/or privacy officer
– Log-in attempt lock-out
– Protection from computer viruses and malware
– Security audits
– Off-site access
– Printing policies
– Policies and procedures to address privacy or security incidents
– Staff education
– E-mail

Slide 12: 7.1 HIPAA Privacy & Security Standards (cont)
– Firewalls should deter access to the system
– Policies should exist to govern the security of hardware devices:
– Lock down the devices.
– Never store passwords on the computer.
– Back up your files and store backup files off-site.
– Encrypt PHI.
– Use portable devices in secure areas.
– Wipe hard drives of computers taken out of use before recycling.

Slide 13: 7.2 Evaluating an EHR System for HIPAA Compliance
– Password protection
– Use of a unique identifier for each user
– Strength of passwords
– Access to PHI only for those who have a need to know
– Accounting of all disclosures (internal and external)
– Security policy that addresses back-up, storage, and restoration of data

Slide 14: 7.2 Evaluating an EHR System for HIPAA Compliance (cont)
– Ability to audit who accessed a record, and which area(s) were viewed, edited, or deleted

Slide 15: 7.2 Evaluating an EHR System for HIPAA Compliance (cont)
Researching, selecting, and implementing an EHR must take into consideration:
– Required components of a compliant EHR
– Needs of the office or facility
– Budget for acquiring a system
– Budget requirements
– Staff and training needs
– Intent of the EHR
– Target date for implementation

Slide 16: 7.3 The Role of Certification in EHR Implementation
– CCHIT organized by AHIMA, HIMSS, and NAHIT in 2004
– Non-governmental, non-profit organization
– Mission is to accelerate the use of interoperable health information technology
– Role is to certify EHR systems that meet all requirements of HIPAA and HITECH

Slide 17: 7.4 Applying Security Measures
Hands-on exercise to apply security measures:
– Adding new clinical users
– Assigning passwords to new clinical users
– Setting up a provider's user rights
– Assigning user rights for other healthcare professionals
– Assigning user rights for an office manager
– Creating a group
– Setting general system-wide security requirements
– Running an audit trail report

Slide 18: 7.5 Apply Procedures to Handle Sensitive and Restricted-Access Records
– Records may contain information that is more of a personal nature than clinical.
– There may be something that happened in the past that is embarrassing or highly sensitive to the patient.
– Records can be flagged as being sensitive or restricted access.

Slide 19: 7.6 Data Integrity
– The integrity of data can be ensured only if it is complete, accurate, consistent, timely, and has not been altered, destroyed, or accessed by unauthorized individuals.
– Strict organization-wide policies must be in place.

Slide 20: 7.6 Data Integrity (cont)
– Integrity also applies to the addition, amendment, or omission of documentation already recorded.
Proper chart correction:
– Amending chart entries
– Hiding chart entries
– Recovering hidden chart entries

Slide 21: 7.7 Apply Policies & Procedures to Release Health Information Using PrimeSUITE
– Release of information is necessary for many reasons, including continuation of care.
– Authorizations to release information may be required and must be addressed in written policies.
– Must account for all disclosures to comply with HITECH
– Breach of confidentiality is releasing information without authorization.

Slide 22: 7.8 Accounting of Information Disclosures
– Accounting for the release of medical information is necessary in order to comply with regulations and as best practice for record keeping.
– It is important to understand how to run a report of information disclosures from a patient's chart.
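The following is an added example, not code from the textbook, from McGraw-Hill, or from PrimeSUITE. It models in Python the three record-keeping requirements the slides describe: chart correction by amending, hiding, and recovering entries rather than deleting them (7.6), an audit trail that records who accessed a record and what they did so an access report can be run (7.2 and 7.4), and an accounting of disclosures report for a patient's chart (7.8). The SHA-256 hash chain over the audit rows, the class and method names, the user names, and the patient identifier PAT-001 are all assumptions made for the illustration; the hash chain is one common way of making an audit log tamper-evident and is not something the slides specify.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json


@dataclass
class Entry:
    seq: int
    patient: str
    author: str
    text: str
    amends: Optional[int] = None   # seq of the entry this one corrects, if any
    hidden: bool = False           # hidden entries are kept on file, never deleted


class Chart:
    """Append-only chart store (illustrative model, not PrimeSUITE code)."""

    def __init__(self):
        self.entries: list = []
        self.audit: list = []   # hash-chained audit trail rows (dicts)

    # --- audit trail: every action is logged and chained to the previous row ---
    @staticmethod
    def _digest(row):
        body = {k: v for k, v in row.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, user, action, patient, seq=None, detail=""):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        row = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
               "action": action, "patient": patient, "seq": seq,
               "detail": detail, "prev": prev}
        row["hash"] = self._digest(row)
        self.audit.append(row)

    def verify_audit(self):
        """True if no audit row has been altered, removed, or reordered."""
        prev = "0" * 64
        for row in self.audit:
            if row["prev"] != prev or self._digest(row) != row["hash"]:
                return False
            prev = row["hash"]
        return True

    # --- chart operations (7.6: amend, hide, recover; nothing is deleted) ---
    def add(self, user, patient, text):
        entry = Entry(len(self.entries), patient, user, text)
        self.entries.append(entry)
        self._log(user, "create", patient, entry.seq)
        return entry.seq

    def amend(self, user, seq, text):
        """Record a correction as a new entry; the original stays on file."""
        orig = self.entries[seq]
        new = Entry(len(self.entries), orig.patient, user, text, amends=seq)
        self.entries.append(new)
        self._log(user, "amend", orig.patient, new.seq, f"amends {seq}")
        return new.seq

    def hide(self, user, seq):
        self.entries[seq].hidden = True
        self._log(user, "hide", self.entries[seq].patient, seq)

    def recover(self, user, seq):
        self.entries[seq].hidden = False
        self._log(user, "recover", self.entries[seq].patient, seq)

    def view(self, user, patient):
        """Return the visible entries; the read itself is audited."""
        self._log(user, "view", patient)
        return [e for e in self.entries if e.patient == patient and not e.hidden]

    def disclose(self, user, patient, recipient, purpose):
        """Record a release of information to an outside party (7.7/7.8)."""
        self._log(user, "disclose", patient, None, f"to {recipient}: {purpose}")

    # --- reports (7.2/7.4 access report and audit trail; 7.8 accounting) ---
    def access_report(self, patient):
        return [r for r in self.audit if r["patient"] == patient]

    def accounting_of_disclosures(self, patient):
        return [(r["ts"], r["user"], r["detail"]) for r in self.audit
                if r["patient"] == patient and r["action"] == "disclose"]


if __name__ == "__main__":
    # Constructed sample data; PAT-001 and the user names are placeholders.
    chart = Chart()
    first = chart.add("dr_a", "PAT-001", "BP 120/80")
    chart.amend("dr_a", first, "BP 130/80 (corrected)")
    chart.disclose("him_staff", "PAT-001", "Dr. B clinic", "continuity of care")
    for row in chart.access_report("PAT-001"):
        print(row["action"], row["user"], row["detail"])
    print("audit trail intact:", chart.verify_audit())
```

Two design points matter for the integrity requirement on the previous slides: a view is logged as an action in its own right, since an access report has to show reads as well as edits, and a correction never overwrites the original entry, so the amended and amending versions are both available to an auditor. Because each audit row carries the hash of the row before it, editing or deleting any row makes verify_audit() return False, which is how the report itself can be trusted.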

Slide 23: 7.9 Information Exchange
– Meaningful Use standards require exchange of information between providers for smooth continuation of care.
– Sharing of electronic information must be through a secure environment.
– There are regulations that address telecommunications and networking security.

Slide 24: 7.9 Information Exchange (cont)
Policy to address use of social media should include:
– When employees may/may not access social media sites during work hours
– Tone used in posts to social media sites
– PHI of patients should never be posted
– Identity of patients should never be posted
– No copyrighted materials should be posted
– No information about the organization may be posted
– Actions for failure to comply

Slide 25: 7.10 Compliance Plans
Healthcare organizations must have written compliance plans to address how the organization ensures compliance with regulations:
– Privacy
– Security
– Meaningful Use
– General health information regulations
Written policies must be kept and made available to all staff at all times.

Slide 26: 7.10 Compliance Plans (cont)
Compliance plan should include:
– Name of the compliance officer
– Policies that cover:
– Routine daily operations
– File back-up
– Computer access
– Release of patient information
– Breach of confidentiality
– Security breaches, internal and external
– Coding and billing

Slide 27: 7.11 Safeguarding Your System & Disaster Recovery Planning
– A contingency plan is equivalent to a back-up plan, should the system fail or a natural or other disaster occur.
– Potential security concerns should be addressed with a detailed back-up plan.

Slide 28: 7.11 Safeguarding Your System & Disaster Recovery Planning (cont)
Written Disaster Recovery Plans should include:
– An accounting of all functions that are performed within the office
– List of computer hardware, software, and data related to each function
– Location of back-up files and the format used
– Step-by-step procedures for restoring backed-up data
– An alert system to notify personnel of the disaster
– Required security training for all personnel
The importance of keeping functions safe, confidential, and secure cannot be overstated.

Slide 29: Summary
– HIPAA privacy and security standards
– HIPAA regulations and the EHR
– Omnibus Final Rule of HITECH
– The role of certification in EHR implementation
– Procedures to set up security measures
– Sensitive and restricted-access records
– Procedures to ensure data integrity
– Procedures to release health information
– Accounting for data disclosures

Slide 30: Summary (cont)
– Exchanging information with outside healthcare providers for continuity of care
– Content of compliance plans
– Importance of disaster recovery planning

