
CONFIDENTIALITY – REALITY AND MYTHS COUNTRY VILLA HEALTH INFORMATION/ RECORD DEPARTMENT ROLE JULY 16, 2012 Rhonda L. Anderson, RHIA President, AHIS, Inc.


1 CONFIDENTIALITY – REALITY AND MYTHS COUNTRY VILLA HEALTH INFORMATION/ RECORD DEPARTMENT ROLE JULY 16, 2012 Rhonda L. Anderson, RHIA President, AHIS, Inc.

2 HITECH and HIPAA Presented by Rhonda Anderson, RHIA, Anderson Health Information Systems, Inc., 940 W. 17th Street, Suite B, Santa Ana, CA 92706. Email: office@ahis.net. Telephone 714-558-3887

3 HIPAA IS BROADER NOW!!
HIPAA (Health Insurance Portability and Accountability Act): guidance for privacy and security of protected health information, 45 CFR 160-164. Effective date 2003.
SB 541: California legislation that imposes reporting requirements for unlawful or unauthorized access, use or disclosure of a patient's medical information; report within 5 days of discovery. Effective date 2009.
HITECH Act: part of the American Recovery and Reinvestment Act of 2009. Applies the HIPAA privacy and security rules and their penalties to HIPAA business associates, and creates a new breach reporting requirement for HIPAA covered entities (CEs) and business associates (BAs). Effective date February 2009.

4 HITECH & HIPAA (diagram slide: ACCESS, HITECH, HIPAA, SB 541, BREACHES)

5 AGENDA 1. What is today's confidentiality? 2. Disclosure of health information 3. Breach reporting 4. OCR reviews; SB 541 (California) 5. Penalties

6 HITECH VOCABULARY Breach: the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information

7 HITECH VOCABULARY -2 Unsecured PHI: PHI that is not secured through the use of a technology or methodology that renders PHI "unusable, unreadable, or indecipherable to unauthorized individuals."

8 HITECH VOCABULARY -3 Acceptable methodologies: encryption as specified in the HIPAA security rule; shredding or destroying of non-electronic PHI. Encryption only gives this protection when the decryption key was not also exposed, for example by being stored on the same lost device as the data.

9 HITECH REPORTING REQUIREMENTS Notification to each individual whose unsecured PHI has been, or is reasonably believed by the CE to have been, accessed, acquired or disclosed as a result of such breach, without unreasonable delay and no later than 60 days after discovery of the breach by the CE or BA

10 HITECH REPORTING REQUIREMENTS -2 Notice must be made by first-class mail, or by email if the individual has agreed to electronic notice. If contact information is insufficient or out of date for 10 or more affected individuals, the entity must provide substitute notice by a conspicuous web site posting or by notice in major print or broadcast media

11 HITECH REPORTING REQUIREMENTS -3 If 500 or more individuals are affected, the entity must provide immediate notice to HHS; if more than 500 of them are residents of the same State or jurisdiction, notice to prominent media serving that area is also required

12 HITECH REPORTING REQUIREMENTS -4 Business associates must adhere to the same reporting timeline but are not required to notify the individuals; instead they notify the covered entity of the breach, along with the identification of each affected individual. The covered entity is then responsible for notifying each affected individual

13 HITECH REPORTING REQUIREMENTS -5 The clock starts for the CE when the BA reports the breach. Covered entities and business associates are required to keep a log of breaches and submit it within 60 days after the end of the year, unless immediate notification is required, as in the case of 500 or more affected individuals

14 BA AGREEMENTS Covered entities must update all business associate agreements and ensure that they include the HITECH requirements

15 BA AGREEMENTS -2 Who is a business associate in this situation? Vendors such as the computer company (HealthMedX) and rehab computer systems (if the rehab contractor is using a computerized system). Who is responsible, and where is the information stored? Must the facility have a complete copy of anything that affects its records?

16 HITECH REPORTING REQUIREMENTS -6 Documentation should also be maintained for suspected breaches that, after investigation, are deemed not to constitute a breach under the HITECH requirements

17 HITECH REPORTING REQUIREMENTS -7 The notice to individuals must contain a description of what happened and of the unsecured PHI involved, steps individuals can take to protect themselves, a description of the covered entity's efforts to investigate, mitigate and prevent further breaches, and contact information.

18 HIPAA CIVIL PENALTIES UNDER NEW HITECH PROVISIONS, EFFECTIVE 11/30/09
Violation category | Each violation | All such violations of an identical provision in a calendar year
Did not know | $100 to $50,000 | $1,500,000
Reasonable cause | $1,000 to $50,000 | $1,500,000
Willful neglect, corrected within 30 days | $10,000 to $50,000 | $1,500,000
Willful neglect, not corrected | $50,000 | $1,500,000

19 RISKS With unsecured PHI, does the facility have any risk?

20 RISK ANALYSIS AND IMPLEMENTATION Analyze possible areas of risk: your disclosure of information, and your risks of electronic breaches

21 YOUR LATEST ISSUES FOR DISCLOSURE OF PHI (PROTECTED HEALTH INFORMATION) List your main issues!!

22 REQUESTS FOR PHI In the middle of HIPAA and HITECH there are requests for information from other providers, insurers, Medicare, Medi-Cal, Palmetto and RAC audits. Safeguard the response to each request according to the type of request and how it was requested. List your most challenging requests. What about the Dept. of Public Health?

23 TRADITIONAL CONFIDENTIALITY All information, automated and manual, is confidential and protected and must be secured against loss, destruction and unauthorized access. Facility and corporate data are confidential if they include PHI. Who is authorized to release information?

24 REQUESTS FOR INFORMATION What are the steps? What will you do?

25 LIST THEM Check the request as to who has legal access. Be clear as to what is requested. Check to see if you have the information. Log the request. Provide input as to when the information will be available (we will discuss that later)

26 REQUESTS FOR INFORMATION, CALIFORNIA LAW The Legislature expressed intent to permit access to medical information for people who are responsible for the health care of others. "Patient representative": parent, guardian of a minor, guardian/conservator of an adult, beneficiary or personal representative of a deceased resident

27 REQUESTS FOR INFORMATION -2 Protection and Advocacy access to state agency files (the 2567, for instance, although names are not included). Ombudsmen on resident request/authority

28 VALID AUTHORIZATION Written/typewritten by the person. Signed by the resident, legal representative, resident-identified representative or conservator. Specific end date of the authorization. Copy of the authorization kept by the individual. Description of the information to be used/disclosed

29 VALID AUTHORIZATION -2 Right to revoke. Cannot condition services/benefits on signing the authorization. Statement regarding re-disclosure (the information may be re-disclosed; this has effects beyond us, and how it is handled is an attorney decision). California law brings other concerns...

30 VALID AUTHORIZATION -3, CALIFORNIA LAW Handwritten or typed. Only one purpose: authorization to release information. Signed and dated by the resident, the legal representative of the resident, or the beneficiary or personal representative of a deceased resident. States limitations, who may disclose, who can receive, end date, right to a copy, right to revoke, no conditions, re-disclosure statement

31 ACCOUNTING OF DISCLOSURES Under HITECH, covered entities and business associates are required to maintain an accounting of disclosures made through an EHR, including disclosures made for treatment, payment and health care operations. This may mean tracking. The accounting is limited to 3 years of disclosure information rather than the current 6-year requirement under HIPAA.

32 CV – ACCOUNTING OF DISCLOSURES A checklist for yourself: How many requests have you had? Have you kept a record of residents' own requests (or those of family members with authority)? Do you have a record of the copies of DPH records taken? Is this required by HIPAA/HITECH? WHAT ARE YOUR QUESTIONS?

33 TRACKING OF DISCLOSURES Document the request received and the action taken. Note that there are different response times for requests: 48 hrs. response; 5 days to respond (California Confidentiality of Medical Information Act); subpoenas have other time frames (you can ask for an extension)

34 TRACKING OF DISCLOSURES -2 Log all disclosures except for treatment, payment and operations. Do we know what that means to you? Can the resident or responsible party ask for disclosure logs? What would you do? Let's list the steps.

35 TRACKING OF DISCLOSURES -3 Accounting of disclosures within 60 days of the request; a 30-day extension can be obtained from the resident/responsible party. Check who really has access to the accounting; what would you do to determine this? Are there exceptions? Yes: survey, law enforcement

36 HIPAA VS HITECH: 6-YEAR ACCOUNTING OF DISCLOSURES The HIPAA requirement for a six-year accounting of disclosures still applies to non-EHR disclosures. HITECH is 3 years for electronic record requests.
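A worked example of a disclosure log and of the accounting it produces on a resident's request, covering slides 31 through 36. This is added here and is not part of the presentation or of any facility's system. It applies the rules as the slides state them: disclosures for treatment, payment and operations are left out of the accounting for paper records but included for EHR disclosures; the lookback window is six years for non-EHR disclosures and three years for EHR disclosures; the response is due within 60 days, with one 30-day extension. The field names, purpose labels, the "paper"/"ehr" source tag and the sample log entries are constructed for the example, and the exceptions the slides mention (survey, law enforcement) are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Purposes HIPAA leaves out of the accounting for non-EHR disclosures.
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Lookback windows as stated on the slides: 6 years (HIPAA, non-EHR), 3 years (HITECH, EHR).
LOOKBACK_YEARS = {"paper": 6, "ehr": 3}

# Constructed request date for the demo (the date of this presentation).
DEMO_REQUEST_DATE = date(2012, 7, 16)


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str
    purpose: str        # "treatment", "payment", "operations" or anything else
    description: str    # what was disclosed
    source: str         # "paper" or "ehr" (assumed tag; not from the slides)


def years_before(day, years):
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def is_accountable(d, requested_on):
    """Does this disclosure belong in an accounting requested on `requested_on`?"""
    if d.source not in LOOKBACK_YEARS:
        raise ValueError(f"unknown source {d.source!r}")
    cutoff = years_before(requested_on, LOOKBACK_YEARS[d.source])
    if not (cutoff <= d.disclosed_on <= requested_on):
        return False
    # Paper (HIPAA): TPO disclosures are not accounted for.
    # EHR (HITECH, as described on the slides): TPO disclosures are included.
    if d.source == "paper" and d.purpose in TPO_PURPOSES:
        return False
    return True


def accounting(log, requested_on):
    """The entries the resident (or authorized representative) receives, oldest first."""
    return sorted((d for d in log if is_accountable(d, requested_on)),
                  key=lambda d: d.disclosed_on)


def response_deadline(requested_on, extended=False):
    """60 days from the request, plus one 30-day extension if the requester agreed."""
    return requested_on + timedelta(days=90 if extended else 60)


def sample_log():
    """Constructed entries for the demo; no real residents or recipients."""
    return [
        Disclosure(date(2011, 3, 4), "Hospital X", "treatment", "transfer summary (paper chart)", "paper"),
        Disclosure(date(2011, 3, 4), "Hospital X", "treatment", "transfer summary (sent from EHR)", "ehr"),
        Disclosure(date(2008, 9, 1), "Superior Court", "subpoena", "full record", "paper"),
        Disclosure(date(2008, 9, 1), "Medicare contractor", "payment", "claims support", "ehr"),
        Disclosure(date(2005, 1, 10), "Attorney", "authorization", "progress notes", "paper"),
    ]


if __name__ == "__main__":
    for d in accounting(sample_log(), DEMO_REQUEST_DATE):
        print(d.disclosed_on, d.recipient, d.purpose, d.description)
    print("due:", response_deadline(DEMO_REQUEST_DATE),
          "with extension:", response_deadline(DEMO_REQUEST_DATE, extended=True))
```

On the sample log, a request dated July 16, 2012 yields two entries: the 2008 subpoena (within the six-year paper window) and the 2011 EHR transfer summary (treatment, but EHR disclosures count). The paper treatment disclosure is excluded as TPO, the 2008 EHR payment disclosure falls outside the three-year window, and the 2005 attorney disclosure is beyond six years. The source tag is the one field a paper log often lacks, so the example raises an error rather than guessing a window for an untagged entry.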

37 BROAD REQUESTS Requests from residents. Subpoenas (what you should know, and who do you report to regarding subpoenas?). Surveyor requests. Watch out for RAC or other requestors!! Importance of legal authority: what to do?

38 ATTORNEY REQUESTS What you should know! An attorney can present an authorization or a subpoena. Follow CV policies and procedures regarding notification to the Administrator and to the CV attorney, who will handle it or provide direction.

39 SUBPOENA The notice must state that the resident has been notified of the subpoena and of the right to object to disclosure before the court or tribunal, along with a copy of the notice or a statement of the notice. Usually served together now. The facility can respond; of course it is Corporate who will deal with this, and the facility will make the records available.

40 WHAT CAN YOU CHARGE, AND TIME OF RESPONSE? California Evidence Code 1158 and 1563(b): attorneys and subpoenas. HIPAA allowance: 45 CFR Part 164. Health and Safety Code 123110(b). Confidentiality of Medical Information Act (CMIA): same as 123110(b)

41 SEE HANDOUT #1 http://healthconsumer.org/cs028MedicalRecords.pdf A good link for resources.

42 NO SAFE HARBOR California covered entities are still required to report unlawful or unauthorized access, use or disclosure of a patient's medical information within 5 days to comply with SB 541, which has been in effect since January 2009

43 PENALTIES SB 541: failure to report within 5 days is $100 per day for each day that the unlawful or unauthorized access, use or disclosure is not reported, up to a maximum of $250,000.

44 ELECTRONIC STATE HEALTH RECORD SURVEY PROCEDURES Survey guidelines are in two documents: CMS and the Department of Public Health. It is not their role to check on privacy and security or on the Confidentiality of Medical Information Act, but under Title 22 (protection of health records and meeting professional standards for records management) they look at indicators of how the facility maintains the privacy of resident records, without focusing on the details of HIPAA or CMIA compliance.

45 DPH AREAS OF ATTENTION How the workforce deals with the EHR (questions to, and answers from, workforce members may be a focus). Evaluation of terminals and screen access: whether terminals are logged off, whether passwords are easy to access

46 DPH AREAS OF ATTENTION -2 Records kept electronically: is there a system to identify EHR documents? Purging of e-records: what is the process, and who has access? Storage and retrieval, back-up, etc. Focus on privacy, access potential, etc.

47 DPH AREAS OF ATTENTION -3 Quality assurance monitoring regarding HealthMedX (another day I will deal with this in more detail). Make records available to DPH, and track it!!!

48 SB 850 AUDITS Section 1, Section 56.101 of the Civil Code, (B): automatically record and preserve any change or deletion of any electronically stored medical information.

49 SB 850 -2 The record of any change or deletion shall include the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information.
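A worked example of the record that the Civil Code language on these two slides asks for: every change or deletion of electronically stored medical information is logged automatically with the identity of the person who made it, the date and time, and the change itself. The example is added here; it is not part of the presentation and is not the code of HealthMedX or any other EHR vendor. It goes one step beyond the slide by hash-chaining the entries with SHA-256, so that a later alteration or reordering of an entry is detectable, which is what "preserve" requires in practice. The in-memory store, field names, user names and sample records are assumptions for the demo.

```python
"""Automatic, tamper-evident change log for electronically stored medical information."""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    user: str          # identity of the person who accessed and changed the record
    timestamp: str     # ISO 8601, UTC
    record_id: str
    action: str        # "update" or "delete"
    changes: dict      # field -> {"old": previous value, "new": new value}
    prev_hash: str     # entry_hash of the preceding entry (chain link)
    entry_hash: str


def entry_digest(seq, user, timestamp, record_id, action, changes, prev_hash):
    """SHA-256 over a canonical JSON encoding of every field except entry_hash."""
    payload = json.dumps([seq, user, timestamp, record_id, action, changes, prev_hash],
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def field_changes(old, new):
    """Per-field diff; a removed field shows new=None, an added one old=None."""
    return {k: {"old": old.get(k), "new": new.get(k)}
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


class MedicalRecordStore:
    def __init__(self, clock=None):
        self._records = {}
        self._log = []
        # Injectable clock keeps the demo deterministic; real use takes the system clock.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _append(self, user, record_id, action, changes):
        seq = len(self._log)
        prev = self._log[-1].entry_hash if self._log else GENESIS_HASH
        ts = self._clock().isoformat()
        digest = entry_digest(seq, user, ts, record_id, action, changes, prev)
        self._log.append(AuditEntry(seq, user, ts, record_id, action, changes, prev, digest))

    def update(self, user, record_id, new_data):
        """Create or modify a record; only fields that actually changed are logged."""
        old = self._records.get(record_id, {})
        changes = field_changes(old, new_data)
        if changes:
            self._records[record_id] = dict(new_data)
            self._append(user, record_id, "update", changes)
        return changes

    def delete(self, user, record_id):
        """Remove a record; every field it held is logged as changed to None."""
        old = self._records.pop(record_id)
        self._append(user, record_id, "delete", field_changes(old, {}))

    def get(self, record_id):
        return dict(self._records.get(record_id, {}))

    def history(self, record_id):
        return [e for e in self._log if e.record_id == record_id]

    @property
    def log(self):
        return list(self._log)

    def verify(self):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = GENESIS_HASH
        for i, e in enumerate(self._log):
            if e.seq != i or e.prev_hash != prev:
                return False
            if entry_digest(e.seq, e.user, e.timestamp, e.record_id, e.action,
                            e.changes, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo():
    """Three logged actions on one constructed record, then a forged entry."""
    clock = lambda: datetime(2012, 7, 16, 9, 0, tzinfo=timezone.utc)
    store = MedicalRecordStore(clock=clock)
    store.update("rn.smith", "R-1001", {"allergies": "none", "diet": "regular"})
    store.update("dr.jones", "R-1001", {"allergies": "penicillin", "diet": "regular"})
    store.delete("him.clerk", "R-1001")
    intact = store.verify()
    # Someone rewrites the second entry to hide who changed the allergy field.
    store._log[1] = dataclasses.replace(store._log[1], user="unknown")
    return {"entries": len(store.log), "intact_before": intact, "intact_after": store.verify()}


if __name__ == "__main__":
    print(demo())
```

The chain detects edits to an entry and removal or reordering of entries in the middle, because each entry commits to the hash of the one before it. It does not by itself detect truncation at the tail (dropping the most recent entries leaves a chain that still verifies), so the newest entry hash should be anchored somewhere the EHR administrators cannot quietly rewrite, for example written to a separate system or included in a periodic signed export.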

50 SOCIAL MEDIA A threat to resident confidentiality: social media has no constraints, and is potentially spontaneous, widespread and searchable all at once, available to the world. Watch the use of Facebook and tweets. Many do not allow employee access to social media from facility systems. Corporate, employment and HIPAA risks!

51 WHAT IS USED NOW, AND FUTURE RISKS? Providers may prohibit workforce members from discussing work-related matters on "sites other than secure work related sites". No Facebook discussions about work that can identify any resident; no Facebook discussions about work at all is a good idea in all cases.

52 CV & AHIS AS YOUR PARTNER Implementation plan: training, current system review, policy & procedure, action as needed

53 QUESTIONS & ANSWERS Rhonda Anderson, RHIA, President, AHIS, Inc. 714-558-3887 office@ahis.net Thank You!

