Privacy, Security, Confidentiality, and Legal Issues


Slide 1: Privacy, Security, Confidentiality, and Legal Issues
Chapter Seven: Privacy, Security, Confidentiality, and Legal Issues

Slide 2: Learning Outcomes
When you finish this chapter, you will be able to:
- 7.1 Identify the HIPAA privacy and security standards.
- 7.2 Evaluate an EHR system for HIPAA compliance.
- 7.3 Describe the role of certification in EHR implementation.
- 7.4 Apply procedures to set up security measures in PrimeSUITE.
- 7.5 Follow proper procedures to access sensitive or restricted-access records.

Slide 3: Learning Outcomes (cont)
- 7.6 Apply procedures to ensure data integrity.
- 7.7 Apply procedures to release health information using PrimeSUITE.
- 7.8 Account for data disclosures using PrimeSUITE.
- 7.9 Exchange information with outside healthcare providers for continuity of care using PrimeSUITE.
- 7.10 Outline the content of compliance plans.
- 7.11 Appraise the importance of disaster recovery planning.

Slide 4: Key Terms
- Access report
- Accounting of disclosures
- American Health Information Management Association (AHIMA)
- Audit trail
- Blog
- Breach of confidentiality
- Computer virus
- Confidentiality
- Covered entity
- Data integrity
- Disaster recovery plan
- Directory information
- Encryption
- Firewall
- Hardware
- Health Information Management & Systems Society (HIMSS)

Teaching Notes: After posting the key terms slide, ask the class to identify which terms they feel familiar with, have heard of, or have experienced. Move on to the lesser-known (or not mentioned) terms and stress to students why they are also important.

Slide 5: Key Terms (cont)
- Malware
- Minimum necessary information
- National Alliance for Health Information Technology (NAHIT)
- Notice of Privacy Practices
- Password
- Privacy
- Social media
- User rights

Teaching Notes: See notes on slide 4.

Slide 6: 7.1 HIPAA Privacy & Security Standards
- HIPAA passed in 1996
- Contains privacy and security rules, among others
- The Health Information Technology for Economic and Clinical Health Act (HITECH) made HIPAA rules more stringent
- Gave government authorities power to enforce privacy and security rules

Learning Outcome 7.1: Identify the HIPAA privacy and security standards.

Teaching Notes: Ask students if they have ever needed to sign a HIPAA form when going to a doctor’s appointment. Discuss the reasons for this – disclosure of health information, privacy protection, patient rights. Differentiate between PRIVACY and SECURITY. How are they related? How are they different? Allow students to brainstorm examples of PHI; guide and add to their list as needed, and use it to discuss why this information needs to be secured.

Slide 7: 7.1 HIPAA Privacy & Security Standards (cont)
- March 26 – Omnibus Final Rule of HITECH
- September 2013 – compliance required as of this date
- Enhanced HIPAA privacy regulations
- Increased individual patient rights
- Strengthened government’s ability to enforce the law
- More coverage over business associates

Learning Outcome 7.1: Identify the HIPAA privacy and security standards.

Teaching Notes: Point out that regulations are changed along the way – in this case the law was enhanced with the addition of the Omnibus Final Rule of HITECH.

Slide 8: 7.1 HIPAA Privacy & Security Standards (cont)
- Notice of Privacy Practices (NPP) was expanded
- Maximum penalty for violation of the law was increased to $1.5 million per violation
- Enhanced breach notification requirements
- Upon request, patients must be given an electronic form of their record(s) (if an EHR is used in that office or hospital)
- Patients may instruct the provider not to bill insurance if paying in cash

Learning Outcome 7.1: Identify the HIPAA privacy and security standards.

Teaching Notes: Ask students to discuss the reason(s) the privacy rules were enhanced. What was wrong with HIPAA as it was already written? Pass out (or otherwise make available) the original NPP and the new NPP. Have students compare and contrast the two.

Slide 9: 7.1 HIPAA Privacy & Security Standards (cont)
- Intent is to ensure Protected Health Information (PHI) is private and secure
- Covered entities include healthcare facilities, health plans, clearinghouses, and/or other businesses that handle PHI
- Only minimum necessary information may be released

Learning Outcome 7.1: Identify the HIPAA privacy and security standards.

Teaching Notes: Ask students why only minimal information should be released to covered entities. BEFORE MOVING TO THE NEXT SLIDE, ask students/groups to create a list of what types of things a privacy/confidentiality policy should address. Use student responses to start discussion and see how close they come to the list on the next two slides.

Slide 10: 7.1 HIPAA Privacy & Security Standards (cont)
Privacy & confidentiality policies should address:
- Release (disclosure) of information
- Release of directory information
- Written guidelines regarding minimum necessary information
- Faxing of documentation
- Computer access and lockdown
- Password sharing
- Computer screens
- Shredding of hard-copy documents
- Notice of Privacy Practices
- Requirement for staff to sign a confidentiality statement

Learning Outcome 7.1: Identify the HIPAA privacy and security standards.

Teaching Notes: See notes on slide 9. Ask students what they think is meant by “computer screens” and “password sharing”; what aspects of these topics might a privacy/confidentiality policy address? Ask students to brainstorm ways that confidentiality is unintentionally broken.

Slide 11: 7.1 HIPAA Privacy & Security Standards (cont)
Privacy & confidentiality policies (cont):
- Password protection
- Appointment of a security and/or privacy officer
- Log-in attempts lock-out
- Protection from computer viruses and malware
- Security audits
- Off-site access
- Printing policies
- Policies and procedures to address privacy or security incidents
- Staff education

Learning Outcome 7.1: Identify the HIPAA privacy and security standards. (cont)

Teaching Notes: See notes on slide 9. Have students discuss why someone should be shut out of accessing software if they make too many attempts at logging in. Have students discuss employer-assigned e-mail accounts. Should the employer have access to those e-mails even if the employee uses the account for personal as well as work-related e-mail? Why or why not? Ask the students when employees should first be educated about privacy and security.

Slide 12: 7.1 HIPAA Privacy & Security Standards (cont)
- Firewalls should deter access to the system
- Policies should exist to govern the security of hardware devices:
  - Lock down the devices.
  - Never store passwords on the computer.
  - Back up your files and store backup files off-site.
  - Encrypt PHI.
  - Use portable devices in secure areas.
  - Wipe hard drives of computers taken out of use before recycling.

Learning Outcome 7.1: Identify the HIPAA privacy and security standards. (cont)

Teaching Notes: See notes on slide 9. Ensure students know what a firewall is and what it is used for; use analogies such as leaving the doors or windows to your house unlocked and going out for a period of time.

Slide 13: 7.2 Evaluating an EHR System for HIPAA Compliance
- Password protection
- Use of a unique identifier for each user
- Strength of passwords
- Access to PHI only for those who have a need to know
- Accounting of all disclosures (internal and external)
- Security policy that addresses back-up of data, storage, and restoration of data

Learning Outcome 7.2: Evaluate an EHR system for HIPAA compliance.

Teaching Notes: Direct student attention to Table 7.1 in the worktext; reiterate the importance of HIPAA, and go through the various sections of the chart. Have students come up with various passwords and discuss the security of each. Discuss what types of guidelines a practice might put into place regarding passwords. Have student groups come up with various scenarios surrounding disclosure of internal/external information; discuss as a class.

Slide 14: 7.2 Evaluating an EHR System for HIPAA Compliance (cont)
- Ability to audit who accessed a record, and which area(s) were viewed, edited, or deleted

Learning Outcome 7.2: Evaluate an EHR system for HIPAA compliance. (cont)

Teaching Notes: See notes on slide 13. Ask why HIPAA requires the ability to audit who accessed a record and see what they did. Provide a set of narrative scenarios regarding staff accessing information and have students discuss whether the staff member complied with HIPAA guidelines.

Slide 15: 7.2 Evaluating an EHR System for HIPAA Compliance (cont)
Researching, selecting, and implementing an EHR must take into consideration:
- required components of a compliant EHR
- needs of the office or facility
- budget for acquiring a system
- budget requirements
- staff and training needs
- intent of the EHR
- target date for implementation

Learning Outcome 7.2: Evaluate an EHR system for HIPAA compliance. (cont)

Teaching Notes: Discuss the team members who should make up the EHR search team. Ask why so many people should be involved; why can’t just one person make the decision?

Slide 16: 7.3 The Role of Certification in EHR Implementation
- CCHIT organized by AHIMA, HIMSS, and NAHIT in 2004
- Non-governmental, non-profit organization
- Mission is to accelerate the use of interoperable health information technology
- Role is to certify EHR systems that meet all requirements of HIPAA and HITECH

Learning Outcome 7.3: Describe the role of certification in EHR implementation.

Teaching Notes: Remind students of the meanings of each acronym mentioned; go through the hierarchy of the organization. Put students into groups and have each group visit the CCHIT website. Select two products and summarize the ONC criteria met by each. Use group research to discuss as a class.

Slide 17: 7.4 Applying Security Measures
Hands-on exercise to apply security measures:
- Adding new clinical users
- Assigning passwords to new clinical users
- Setting up a provider’s user rights
- Assigning user rights for other healthcare professionals
- Assigning user rights for an office manager
- Creating a group
- Setting general system-wide security requirements
- Running an audit trail report

Learning Outcome 7.4: Apply procedures to set up security measures in PrimeSUITE.

Teaching Notes: Have students brainstorm how user rights might differ among staff members. Give students a listing of typical positions within a hospital or physicians’ practice, along with the various functionality (registration, problem list, past medical history, coding, billing, etc.), and for each position, have them list the functions each should have access rights to, and defend why they think so. Ask: what is the benefit of creating a group in PrimeSUITE? What is the purpose of an audit trail report? Have students complete Exercises

Slide 18: 7.5 Apply Procedures to Handle Sensitive and Restricted Access Records
- Records may contain information that is more of a personal nature than clinical.
- There may be something that happened in the past that is embarrassing or highly sensitive to the patient.
- Records can be flagged as being sensitive or restricted access.

Learning Outcome 7.5: Follow proper procedures to access sensitive or restricted-access records.

Teaching Notes: Have students discuss whether or not restricting access could actually be detrimental to a patient’s care. Have students complete Exercises 7.8 & 7.9.

Slide 19: 7.6 Data Integrity
- The integrity of data can be ensured only if it is complete, accurate, consistent, and timely, and has not been altered, destroyed, or accessed by unauthorized individuals.
- Strict organization-wide policies must be in place.

Learning Outcome 7.6: Apply procedures to ensure data integrity.

Teaching Notes: Building on the examples in section 7.6 of the worktext, provide various examples of data collection and have students decide if data integrity exists in each scenario. Why should the person who made the original entry error be the one to amend it? What happens if that person is not available when the error is discovered? Have students complete Exercises

Slide 20: 7.6 Data Integrity (cont)
- Integrity also applies to the addition, amendment, or omission of documentation already recorded.
- Proper chart correction:
  - Amending chart entries
  - Hiding chart entries
  - Recovering hidden chart entries

Learning Outcome 7.6: Apply procedures to ensure data integrity.

Teaching Notes: See notes on slide 19.
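A minimal model of the requirements on slide 14 (audit who viewed, edited, or deleted which area of a record) and on this slide (amend, hide, and recover chart entries without destroying the original), added here as an illustration. It is not PrimeSUITE code; the class, field, and user names are hypothetical.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ChartEntry:
    entry_id: int
    area: str                      # chart area, e.g. "medications" or "problem list"
    text: str
    author: str
    hidden: bool = False           # hidden entries stay stored; they are only filtered from views
    amends: Optional[int] = None   # id of the entry this one corrects, if any


# One audit trail row: who did what, to which patient's chart, in which area, and when.
AuditEvent = namedtuple("AuditEvent", "when user patient_id area action")


class Chart:
    """Append-only chart (hypothetical): corrections add linked entries, errors are hidden, nothing is overwritten."""

    def __init__(self, patient_id):
        self.patient_id, self.entries, self.audit = patient_id, [], []

    def _log(self, user, area, action):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, user, self.patient_id, area, action))

    def _get(self, entry_id):
        return next(e for e in self.entries if e.entry_id == entry_id)

    def add(self, user, area, text, amends=None):
        entry = ChartEntry(len(self.entries) + 1, area, text, user, amends=amends)
        self.entries.append(entry)
        self._log(user, area, "edited")
        return entry.entry_id

    def amend(self, user, entry_id, corrected_text):
        # The erroneous entry is kept; the correction is a new entry that points back to it.
        return self.add(user, self._get(entry_id).area, corrected_text, amends=entry_id)

    def set_hidden(self, user, entry_id, hidden):
        # Hiding never deletes: the entry remains in storage and can be recovered later.
        entry = self._get(entry_id)
        entry.hidden = hidden
        self._log(user, entry.area, "hidden" if hidden else "recovered")

    def view(self, user, area=None):
        # Every read is logged, so the audit trail shows who looked at which area, not only who edited.
        self._log(user, area or "whole chart", "viewed")
        return [e for e in self.entries if not e.hidden and (area is None or e.area == area)]

    def audit_report(self, user=None):
        # Audit trail report: all events, or only those attributable to one user.
        return [a for a in self.audit if user is None or a.user == user]
```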

Slide 21: 7.7 Apply Policies & Procedures to Release Health Information Using PrimeSUITE
- Release of information is necessary for many reasons, including continuation of care.
- Authorizations to release information may be required and must be addressed in written policies.
- Must account for all disclosures to comply with HITECH.
- Breach of confidentiality is releasing information without authorization.

Learning Outcome 7.7: Apply procedures to release health information using PrimeSUITE.

Teaching Notes: Provide a series of narrative examples regarding ROI and, using the guidelines discussed in the worktext, decide if a breach of confidentiality occurred (use a variety of scenarios that require and do NOT require authorization, etc.). Have students complete Exercise 7.13.

Slide 22: 7.8 Accounting of Information Disclosures
- Accounting for the release of medical information is necessary in order to comply with regulations and as a best practice for record keeping.
- It is important to understand how to run a report of information disclosures from a patient’s chart.

Learning Outcome 7.8: Account for data disclosures using PrimeSUITE.

Teaching Notes: Ask why regulations mandate that all ROI must be accounted for. Discuss the different types of reports surrounding information disclosures; how might each be used? Have students complete Exercise 7.14.

Slide 23: 7.9 Information Exchange
- Meaningful Use standards require exchange of information between providers for smooth continuation of care.
- Sharing of electronic information must be through a secure environment.
- There are regulations that address telecommunications and networking security.

Learning Outcome 7.9: Exchange information with outside healthcare providers for continuity of care using PrimeSUITE.

Teaching Notes: Assign students to research your state’s HIE via the Internet and write a short summary of the information they find. Discuss with students the necessity of having social media policies regarding health information exchange: would care providers/healthcare professionals really share PHI over Twitter, Facebook, etc.? (Cite examples of where this occurred, to stress the importance to students – they must take care to remain professional!) Show (or have students find) Facebook pages and Twitter feeds for healthcare facilities, such as hospitals and practices. Debate the pros and cons of using social media to promote a facility. Have students complete Exercise 7.15.

Slide 24: 7.9 Information Exchange (cont)
Policy to address use of social media should include:
- When employees may/may not access social media sites during work hours
- Tone used in posts to social media sites
- PHI of patients should never be posted
- Identity of patients should never be posted
- No copyrighted materials should be posted
- No information about the organization may be posted
- Actions for failure to comply

Learning Outcome 7.9: Exchange information with outside healthcare providers for continuity of care using PrimeSUITE.

Teaching Notes: See notes on slide 23.

Slide 25: 7.10 Compliance Plans
Healthcare organizations must have written compliance plans to address how the organization ensures compliance with regulations:
- Privacy
- Security
- Meaningful Use
- General health information regulations

Written policies must be kept and made available to all staff at all times.

Learning Outcome 7.10: Outline the content of compliance plans.

Teaching Notes: If possible, bring in an example compliance plan and let students skim and discuss. Have student groups write sample guidelines for various sections of a compliance plan; share and discuss as a class. Ask: why should an audit be performed on every staff member? Wouldn’t you feel uncomfortable if you were a staff member who behaved in compliance yet got audited? Mention: your worktext covers the MINIMUM requirements for a compliance plan. Discuss these, and then ask students what other/additional pieces they would recommend or cover.

Slide 26: 7.10 Compliance Plans (cont)
Compliance plan should include:
- Name of the compliance officer
- Policies that cover:
  - Routine daily operations
  - File back-up
  - Computer access
  - Release of patient information
  - Breach of confidentiality
  - Security breaches, internal and external
  - Coding and billing

Learning Outcome 7.10: Outline the content of compliance plans.

Teaching Notes: See notes on slide 25.

Slide 27: 7.11 Safeguarding Your System & Disaster Recovery Planning
- A contingency plan is equivalent to a back-up plan, should the system fail or a natural or other disaster occur.
- Potential security concerns should be addressed with a detailed back-up plan.

Learning Outcome 7.11: Appraise the importance of disaster recovery planning.

Teaching Notes: Ask students what potential security concerns might come up during a disaster or system failure; how might each be addressed in a contingency plan?

Slide 28: 7.11 Safeguarding Your System & Disaster Recovery Planning (cont)
Written Disaster Recovery Plans should include:
- An accounting of all functions that are performed within the office
- List of computer hardware, software, and data related to each function
- Location of back-up files and the format used
- Step-by-step procedures for restoring backed-up data
- An alert system to notify personnel of the disaster
- Required security training for all personnel

The importance of keeping functions safe, confidential, and secure cannot be overstated.

Learning Outcome 7.11: Appraise the importance of disaster recovery planning.

Teaching Notes: Mention that files/backups must be stored OFFSITE – why?

Slide 29: Summary
- HIPAA privacy and security standards
- HIPAA regulations and the EHR
- Omnibus Final Rule of HITECH
- The role of certification in EHR implementation
- Procedures to set up security measures
- Sensitive and restricted access records
- Procedures to ensure data integrity
- Procedures to release health information
- Accounting for data disclosures

Teaching Notes: Before going through the chapter summary, ask students to take out their list from chapters 1-6 and write down two things:
- 1-2 biggest takeaways from Chapter 7
- 1-2 outstanding questions/challenges from Chapter 7
Encourage students to keep this list and add to it after each subsequent chapter (to compile a list of their personal key points and to see if their questions get answered).

Slide 30: Summary (cont)
- Exchanging information with outside healthcare providers for continuity of care
- Content of compliance plans
- Importance of disaster recovery planning

