Presentation transcript:

HIPAA PRIVACY AND SECURITY CONFIDENTIALITY

Before we begin…
- Have the printed PowerPoint Notes pages in front of you on the left
- Have Attachments 1 and 2 in front of you on the right
- Attachment 1 = Related Policies and Procedures
- Attachment 2 = Quiz/Acknowledgement

HIPAA - A Brief Refresher
Health Insurance Portability and Accountability Act of 1996. What it does:
- Protects the privacy and security of health information (confidentiality)
- Improves the way health information is transferred
- Gives new rights to Clients, which give them greater access to and control of their health information

The Big Privacy Rule Messages remain the same:
- Client information: keep it confidential!
- Before using or disclosing information, use the “Need to Know” rule
- When in doubt… ASK!

Why are We Here Today? (Agenda)
Review some basic information about the HIPAA Privacy Rule:
- Protected Health Information (PHI)
- Client rights under HIPAA
- Using and disclosing PHI
- Complaint and grievance process
- Define roles and responsibilities

Why are We Here Today? (Agenda) - 2
Review some basic information about the HIPAA Security Rule:
- Password protection
- Workstation use

Participants will know:
- that there is a federal law that pertains to permitted and required uses and disclosures of protected health information
- what protected health information is
- what confidentiality means
- what rights patients have to their information
- what the ramifications of violations are to each member of the workforce and to the organization
- where to obtain policies and procedures on privacy and security
- the importance of reporting, without fear of retaliation, any suspected breaches of confidentiality

And…
- Understand HIPAA sanctions and penalties
- Review new policies and procedures
- Test your knowledge
- Practice session

How Will HIPAA Affect You?
Policies, procedures and practices:
- The Facility Use and Disclosure, Access and Sanctions Policies, among others, have been updated to include HIPAA requirements
Our actions and decisions:
- Must be more conscious of privacy and security all the time and in every interaction
- Be aware of the rules and stick to them

What is Protected Health Information (PHI)?
PHI is all health information about clients, including:
- Their medical or mental health condition
- Any treatment they’ve had or will have
- Clinical, billing and financial information
ALL of this information is protected and therefore CONFIDENTIAL

PHI
- Can be written, oral, automated, electronic or manual, or a fax
- Is individually identifiable
- Some examples include: name, address, birth date, social security number

HIPAA makes us aware of how we use information
Example: I stop to speak with a peer in the hall about one of the clients. Who’s around me? I could be breaching confidentiality.
Example: I get up and walk away from my workstation. I don’t log off because my screensaver will come up in 5 minutes. I could be breaching confidentiality.

Notice of Privacy Practices
- Clients have a right to know how we will use and disclose their PHI
- The Notice of Privacy Practices explains the client’s rights under HIPAA and tells them how to file a complaint/grievance
- The Notice must be posted where clients can see it

Notice of Privacy Practices: Rights Under HIPAA
Clients also have the right to:
- Inspect and copy records
- Amend records under certain circumstances
- Request an accounting of disclosures of PHI
- Confidential communications
- Request restrictions on uses and disclosures of PHI (the Facility has the right to refuse the requested restriction)
If the client is conserved, access privileges will be processed through the conservator, public guardian, etc. and per facility policy. ALL requests for access should be reported to the Administrator and processed through Medical Records.

The Facility May Use or Disclose PHI
- To provide services to Clients
- For the normal operations of the Facility
- If it is required by law (subpoena, etc.)
- To our Business Associates in the course of providing services

Business Associates
The Business Associate:
- Signs an agreement with the Facility to provide services that include using, creating, and maintaining PHI for Clients of the Facility
- Assures the Facility that they are HIPAA compliant
- Must fulfill the roles and responsibilities stipulated in the Business Associate Agreement

Safeguarding Privacy & Security
- Disclose only the amount of PHI necessary to accomplish the intended purpose
- Staff access to PHI, both written and electronic, is delineated by the Facility and is limited to only what is needed to perform job duties

Safeguarding Privacy & Security - 2
You may inadvertently disclose information electronically by…
- Using public Internet
- Installing shareware or freeware
- Using instant messaging
- Improperly disposing of media (CDs, etc.), computers, hard drives or paper
- Sending PHI unencrypted

Safeguarding Privacy & Security - 3
The Facility Sanctions Policy for Privacy and Security Violations may have levels of violations:
- Level one violations: less severe infractions (sharing a password, for example)
- Level two violations: disciplinary actions up to and including termination
Any harmful effects caused by privacy or security violations must be mitigated.

The Bottom Line… BE CAREFUL WITH PHI
- There are serious consequences to misuse and improper disclosure
- In addition to Facility sanctions, there are possible civil penalties

The Use and Disclosure Policy
- Outlines how the Facility may use and disclose PHI, including staff access privileges
- Assures that all staff will maintain privacy in accordance with HIPAA
- Delineates the requirements and procedures for the Facility’s Notice of Privacy Practices

Contact the Privacy Officer/Administrator/Medical Records when…
- You have questions about whether or not something is PHI
- You receive an authorization to release information
- A Client asks to see or copy records, wants to amend or correct records, wants to restrict disclosure of PHI, or requests an alternate method of communicating PHI

Authorizations
- Required for release of protected health information
- Must be a HIPAA-compliant authorization
- Forward any requests to the Administrator and/or Medical Records

Receiving an Authorization
- Another organization or person may request a client’s records by using their own authorization (signed by the client)
- Refer these requests to Medical Records to ensure appropriate processing according to HIPAA rules

Verification of Authority
- Verify authority to request PHI regarding enrollment or other PHI maintained or created by you
- Physical ID check, e.g. driver’s license, Medicare card, etc.
- Phone call to an office to verify the authenticity of the requestor
- Any doubts… refer to the Administrator or Privacy Officer

Client Access to Records
- Refer requests to the Administrator and Medical Records
- A written request is required
- If the person is conserved, that request must come through the conservator, public guardian, etc.
- The Physician should also be contacted to make sure that reviewing the record would not cause harm to the client
- If the request involves a large volume of records and is very time consuming, there may be a nominal charge to the client

Access to or Inspection of Records
- Access or inspection of records must be done through the Administrator/Medical Records
- The Administrator/Medical Records may deny access when the PHI makes reference to another person or the PHI was not created by the Facility, and will notify the client/conservator of the denial in writing

Request for Copies of PHI
- A written request is required
- The Facility may charge for copies of records
- Refer all requests to the Administrator/Medical Records

Confidential Communications
- Provide confidential communications to the client to the extent possible (fax, mail to an alternate address)
- Must be done through the Admissions Office

Requesting Restrictions on Release of PHI
Technically a right of the client. The Facility only releases PHI:
- To the client, as permitted
- By authorization of the client
- As permitted or required by HIPAA, or as required by law
- As part of treatment, payment or healthcare operations

Privacy Violation Complaint and Grievance Procedure
- The Facility must have a Complaint and Grievance Procedure for privacy and security complaints
- The client may complain to the Privacy Officer or Privacy Contact Person
- If unsatisfied, the client may complain to the Secretary of DHHS, whose contact information is listed on the Notice of Privacy Practices

Reporting Breaches
- Staff must be able to report, without fear of retaliation, any suspected breaches of confidentiality
- Reports may be made to your Privacy or Security Officer, or directly to the Secretary of the Dept. of Human Services as listed on the posted Notice of Privacy Practices

Passwords
The risk of breach is ranked high because password cracking is still a very common form of hacking. Passwords should:
- Not be written down in a place where they could be accessed
- Be required to be changed frequently
- Have a combination of characters and letters and cases
- Not be words found in a dictionary (English or foreign)
- Never be shared
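The slide's password rules are the kind of thing a facility can enforce automatically at password-set time rather than rely on memory. The checker below is an added example written for this page, not code from the training or the Facility: it applies the checkable rules (mixed letters, digits and cases; no dictionary words, including foreign ones and the common "P@ssw0rd"-style substitutions; rotation on a schedule). The word list, the 12-character minimum and the 90-day rotation interval are constructed assumptions; the slide only says "frequently". The two behavioural rules, never sharing and never writing passwords down, cannot be checked in code and remain a training matter.

```python
import re
from datetime import date
from typing import List, Optional

# Constructed stand-in for a real dictionary (English and foreign words).
# Assumption: a deployment would load a full word list from a file and
# filter it to words of 4+ letters so short words do not match everything.
DICTIONARY_WORDS = {
    "password", "welcome", "hospital", "clinic", "summer",
    "bonjour", "willkommen", "contrasena", "secret",
}

# Assumed policy values; the slide only says passwords are changed "frequently".
MAX_PASSWORD_AGE_DAYS = 90
MIN_LENGTH = 12

# Common substitutions people use to get a dictionary word past a naive
# check ("P@ssw0rd"). Mapping them back lets the dictionary rule catch them.
_SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "!": "i", "1": "l"})


def normalize(password: str) -> str:
    """Lower-case the password and undo common letter substitutions."""
    return password.lower().translate(_SUBSTITUTIONS)


def contains_dictionary_word(password: str) -> bool:
    """True if any dictionary word appears inside the normalized password."""
    normalized = normalize(password)
    return any(word in normalized for word in DICTIONARY_WORDS)


def password_age_days(last_changed: str, today: Optional[str] = None) -> int:
    """Days since the password was last changed; dates are ISO strings (YYYY-MM-DD)."""
    start = date.fromisoformat(last_changed)
    end = date.fromisoformat(today) if today else date.today()
    return (end - start).days


def check_password(password: str, last_changed: Optional[str] = None,
                   today: Optional[str] = None) -> List[str]:
    """Return the policy rules the password violates; an empty list means it passes.

    last_changed/today are ISO date strings so the age rule can be checked
    against an audit record rather than only against the clock.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not re.search(r"[a-z]", password):
        failures.append("needs lowercase")
    if not re.search(r"[A-Z]", password):
        failures.append("needs uppercase")
    if not re.search(r"[0-9]", password):
        failures.append("needs digit")
    if contains_dictionary_word(password):
        failures.append("dictionary word")
    if last_changed is not None and password_age_days(last_changed, today) > MAX_PASSWORD_AGE_DAYS:
        failures.append("expired")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs: a substituted dictionary word and a sound
    # passphrase whose last change is older than the rotation interval.
    samples = [("P@ssw0rd1234", None), ("Correct-Horse-Battery-9x", "2024-01-01")]
    for pw, changed in samples:
        print(pw, check_password(pw, last_changed=changed, today="2024-06-01") or "OK")
```

A real deployment would run this inside the password-change path (a PAM module or directory password filter) so a non-compliant password is rejected before it is stored. Note that scheduled rotation is the slide's rule; current NIST SP 800-63B guidance instead recommends changing passwords when there is evidence of compromise, so the age check here mirrors the training rather than endorsing that practice.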

Workstation Use
The risk is ranked medium for desktop workstations, and high for portable workstations due to their greater potential for loss or theft and generally weaker controls, including the human factor.
- Do desktop workstations contain data inappropriately stored on the hard drive? (private programs, downloaded freeware, shareware)
- Have any of the workstation’s security configurations been changed? (security settings changes, for example)

Workstation Use - 2
- Could “shoulder surfers” and other social engineers obtain passwords or other security-related information from users of workstations?
- Workstations, including printers, copiers, and faxes automatically connected to workstations, should also be safeguarded.

Key Positions
- Privacy Officer: overall responsibility for all privacy functions for the Facility; responds to Clients’ privacy questions and complaints
- Facility Contact Person: first line of defense for privacy questions and issues
- Security Officer: overall responsibility for all security functions for the Facility; responds to Facility IT security questions, problems, and reports of possible breaches

Test Your Knowledge (see Attachment 2 – Quiz/Acknowledgement)
1. The client has the right to access all protected health information held by the Facility. True or False?
2. A person’s address may be considered PHI. True or False?

Test Your Knowledge
3. You may release PHI as long as there is a written request for you to do so. True or False?

Test Your Knowledge
4. Privacy or Security Violations may result in termination of employment. True or False?
5. Sharing passwords is permissible as long as it is someone you work closely with. True or False?

Acknowledgment of Advanced HIPAA Training
- Documentation of additional specialized HIPAA training
- Please sign the form provided by the DSD