1 / 35

Regulatory Training

Regulatory Training. Privacy & Information Security. Learning Objectives. This course will help you comply with privacy, information security, and identity theft regulations. After completing this course, you should be able to:

anakin
Download Presentation

Regulatory Training

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Regulatory Training Privacy & Information Security

  2. Learning Objectives This course will help you comply with privacy, information security, and identity theft regulations. After completing this course, you should be able to: • Distinguish between which uses and disclosures of protected health information are allowed and not allowed under the HIPAA Privacy Rule. • Recognize safeguards required to ensure the security and integrity of electronic protected health information. • Recognize a security breach under federal or state Identity Theft Laws. • Identify where to report concerns regarding these topics.

  3. Privacy & Information Security Introduction As a worker in the health care industry, you are affected by multiple laws and regulations establishing requirements related to privacy, information security, and identity theft. This lesson will: • Provide an overview of the HIPAA privacy laws and regulations; • Describe the organization's responsibilities; and • Describe your responsibilities at UMass Memorial. For more information, including UMass Memorial policies and forms, go to the Privacy & Information Security website.

  4. Privacy Rule This section reviews the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The Privacy Rule sets the first national standards for protecting the confidentiality of protected health information (PHI). The goal of the Privacy Rule is to balance two important aspects of health care: • Protecting the privacy of patients • Allowing flow of health information when needed to: • Ensure high quality health care • Protect public health

  5. What is PHI? PHI- Protected Health Information (PHI) is defined as all individually identifiable health information created, transmitted, received or maintained by a covered entity (UMMMC). This includes any information, including demographics, which identifies or could reasonably identify an individual, their health/condition, treatment or provision/payment for their health care. Identifiable information includes: name, address, city, county, zip code, names of relatives, names of employers, birth date, telephone number, fax number, e-mail address, social security number, any vehicle or other device serial number, web URL, Internet Protocol address, finger or voice prints, photographic images, and any other unique identifying number, characteristic or code. Examples of PHI in the Workplace: • Communications: Switchboard, hallway conversations, dictation, shift reports, appointment scheduling, telephone conversations and meeting discussions. • Paper Documents: Medical records, prior authorizations, white boards, clinic reports, shift reports, wristbands, encounter forms, requisitions, dietary cards, medication labels and downtime logs. • Electronic Documents/Displays: Claims, computer screens, patient monitors, identifiable photos, EKG strips, films, test results, e-mail, faxes and electronic files.

  6. What is a Business Associate? A Business Associate (BA) is a person or organization that uses PHI (including electronic PHI) to perform a service or function on behalf of UMass Memorial. Examples include outsourced transcriptionists and coders, billing services, financial institutions, contracted vendors, and collection agencies. • Specific contract language is required with BAs to make certain they will properly safeguard all PHI. • Managers involved in the review, approval and authorization of contracts must ensure the UMass Memorial approved Business Associate Agreement (BAA) is in place before disclosing PHI to an outside party. • Do not disclose more than is necessary for the BA to complete the agreed upon function. • When in doubt, call the Office of the General Counsel or the Privacy & Information Security Offices.

  7. Allowable Uses & DisclosuresWithout Authorization Minimum Necessary: • For all uses/disclosures of PHI under the Privacy Rule, except treatment, we must only use/disclose the minimum amount of PHI necessary. • Workforce members may only access, use, or disclose records of patients under their care or related to their job duties. Accessing family members, friends, co-workers, or others is not permitted without the patient's written authorization. In addition to communicating with the patient, the Privacy Rule allows use/ disclosure of PHI by a covered entity, without authorization, for the purpose of: • Treatment activities • Payment activities • Health care operations activities • De-identified information Click on each of the links above to learn more about each element. When you have reviewed all four…click here to continue this lesson.

  8. Allowable Uses & Disclosures The Privacy Rule allows use/disclosure of PHI by a covered entity, without authorization for the purposes of: • Treatment Activities • PHI may be used/disclosed among providers when two or more providers: • Provide health care services for a patient • Coordinate health care services for a patient • Manage health care services for a patient • Examples include: • Consultation between providers • Referral from one provider to another

  9. Allowable Uses & Disclosures The Privacy Rule allows use/disclosure of PHI by a covered entity, without authorization for the purposes of: • Payment Activities • PHI may be used/disclosed by a health plan to: • Obtain premiums • Determine responsibility for coverage/benefits • Fulfill responsibilities for coverage/benefits • Give or receive payment for health care provided to a patient • PHI may be used/disclosed by a provider to: • Obtain payment for providing care to a patient • Obtain reimbursement for providing care

  10. Allowable Uses & Disclosures The Privacy Rule allows use/disclosure of PHI by a covered entity, without authorization for the purposes of: • Health Care Operations • PHI may be used/disclosed when an organization is: • Performing quality assessment and improvement activities • Conducting training, certification and licensing activities • Evaluating provider competency • Conducting or arranging for medical services, audits or legal services • Performing certain insurance functions • Planning, developing, managing or administering business activities

  11. Allowable Uses & Disclosures The Privacy Rule allows use/disclosure of PHI by a covered entity, without authorization for the purposes of: De-identified Information Health care information that is stripped of all identifying information and unique characteristics or codes including: • Name • Address, including: • street address • city • county • zip code • equivalent geocodes • Names of relatives and employers • Birth date • Telephone and fax numbers • E-mail addresses • Social security number • Medical record number • Health plan beneficiary number • Account number • Certificate/license number • Any vehicle or other device serial number • Web URL • Internet Protocol (IP) address • Finger or voice prints • Photographic images • Any other unique identifying number, characteristic, or code

  12. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: • Decedents • Organ donation • Serious threat to health or safety • Specialized government function • Workers' compensation • Public health activities • Victims of abuse or neglect • Health care oversight activities • Judicial and administrative proceedings • Law enforcement purposes(limited disclosure may be permitted) Click on each of the links above to learn more about each element. When you have reviewed all ten…click here to continue this lesson.

  13. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Public Health Activities Public health activities authorized by law such as disease prevention/control (vital statistics including births and deaths, child abuse or neglect, public health investigation and intervention, communicable diseases, reporting adverse events, product tracking, work related injuries).

  14. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Victims of Abuse or Neglect Disclosures about victims of abuse or neglect to authorized government agencies.

  15. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Health Care Oversight Activities Health care oversight activities when agencies are looking into the health care system or government benefits programs, as well as civil and criminal investigation from health oversight agencies.

  16. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Judicial and Administrative Proceedings Judicial and administrative proceedings pursuant to a court order or administrative tribunal. Absent an order of, or a subpoena issued by a court or administrative tribunal, UMMMC may respond to a subpoena or other lawful process by a party to the proceeding only if the following are provided: (1) Satisfactory assurances that reasonable efforts have been made to give the individual whose information has been requested notice of the request; or (2) Satisfactory assurances that the party seeking such information has made reasonable efforts to secure a qualified protective order that prohibits disclosure except for stated purpose and requires return or destruction of information at the end of the litigation or proceeding, or provides notice to the individual regarding the protective order; (3) Limited to expressly authorized PHI.

  17. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Law Enforcement Limited disclosure may be permitted, but is not usually required, for law enforcement purposes related to crime victims, crime on the premises, identification of possible criminals pursuant to a court order or warrant, or a subpoena or summons issued by a judicial officer, state or federal grand jury subpoena, administrative subpoenas or summons, civil or authorized investigative demands, or similar process authorized by law (suspect, fugitive, material witness, or missing person, victim of a crime, emergency calls or deaths suspected to be related to criminal conduct).

  18. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Information about Decedents (Deceased Patients) About decedents to coroners, funeral directors, medical examiners to identify a body, determine cause of death or perform other functions allowed by law.

  19. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Organ Procurement Organizations To organ procurement organizations for cadaveric donation of organs, eyes, tissues.

  20. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Serious Threat to Health or Safety To prevent or lessen serious threat to health or safety.

  21. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Specialized Government Function For specialized government function such as military and veterans activities, national security and intelligence, protective services for the President, medical suitability for Department of State officials, to correctional institutions if necessary for health and safety.

  22. Allowable Uses & DisclosuresWithout Authorization(When Required or Permitted by Law) Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include: Workers’ Compensation For workers’ compensation (subject to minimum necessary) and in accordance with workers’ compensation laws.

  23. Allowable Uses & DisclosuresWith Authorization Allowable uses and disclosures, with authorization, include: • Marketing • Targeted Fundraising • Informal permission or patient has the opportunity to agree or object • Listing a patient's contact information in the patient hospital directory when the patient has not opted out • Dispensing a filled prescription to a patient's family member • Informing a caretaker or a patient's family of the patient's condition • Disclosure to Patient or Authorized Representative • Minimum Necessary Does Not Apply • Employee as Patient • Authorization for Electronic Access must be submitted before accessing your record • Disclosure to 3rd Parties • Pre-Employment • Disability/Life Insurance Application or Claims • Attorneys/Legal Cases • Research Use Requiring Authorization • Clinical Trials

  24. Allowable Uses & DisclosuresWith Authorization With allowable uses and disclosures with authorization, the patient has the opportunity to agree or object . This means the patient has an opportunity to: • Give informal permission • Be given a clear chance to either agree or object to the disclosure If the patient is not available or able to agree or object, this sort of use/disclosure is still allowed if the covered entity believes the use/disclosure is in the best interest of the patient.

  25. UMM HIPAA Privacy

  26. Information Security This section describes several laws and regulations that establish information security requirements for UMass Memorial. In general, these laws and regulations require UMass Memorial to ensure the confidentiality, integrity, and availability of patient data. This section also describes information security standards contained in the UMass Memorial Acceptable Use of Electronic Resources Policy that apply to all UMass Memorial workforce members.

  27. Security Rule Requirements The HIPAA Security Rule requires UMass Memorial to: • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits; • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information; • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required; and • Ensure compliance by UMass Memorial’s workforce.

  28. Acceptable Use UMass Memorial's Acceptable Use of Electronic Resources Policy defines the "acceptable use" of electronic resources, including software, hardware devices and network systems. Included in the policy are standards for: • Remote Access/Working at Home; • Wireless and Mobile Computing Devices; • Internet Use and Standards; and • Workstation Use and Security and E-mail security. Click to access the Acceptable Use of Electronic Resources policy.

  29. Your Responsibilities Your security responsibilities include: • Secure E-mail- Always use secured messaging when sending e-mails containing confidential information outside the UMass Memorial network. To encrypt an e-mail, type the word “secure” in the subject line. Be certain to always double-check all “to” and “cc” fields prior to sending any e-mails. • E-mail abuse – Do not send any information that you would not want to see in your personnel file. • Internet abuse– Do not post any confidential information to an internet site (i.e., Facebook, MySpace, Twitter). • Lock your workstation - When leaving your workstation, always lock the workstation by pushing Ctrl-Alt-Delete keys and then pressing Enter or logout. • Never share your username and password. These represent your unique identity and access to key systems/applications. • Protect mobile devices when traveling - never leave unattended. Devices such as laptops and smartphones are easily lost or stolen. • Shred copies of confidential paper documents or place in secured disposal consoles. • Identify & report security violationsto your manager and the Privacy and Information Security Offices. • Wear your ID badge and challenge unknown people in your work area without an ID.

  30. Identity Theft: FTC Red Flags The Federal Trade Commission (FTC), along with other federal bank regulatory agencies, issued the Red Flags Rules which require financial institutions and creditors to develop, implement, and document identity theft prevention programs. Red Flags are patterns, practices, or specific activities that could indicate identity theft. Examples include: • A complaint or question from a patient based on the patient’s receipt of a bill for a product or service that the patient denies receiving; or • Records showing medical treatment that is inconsistent with a physical examination, or with a medical history as reported by the patient; or • A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached; or • A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.

  31. Identity Theft:Program Requirements UMass Memorial is required to protect patients and workforce members through the establishment of a written program dedicated to preventing, detecting, and responding to potential and actual identity theft. Program Requirements include: • Identifying relevant Red Flags for the covered accounts that UMass Memorial offers or maintains, as well as the Red Flags for the personally identifiable information of UMass Memorial’s workforce members; • Detecting Red Flags indicating potential or actual identity theft; • Responding appropriately to any Red Flags that are detected; and • Updating the program periodically to reflect changes to the risk of patient and workforce member identity theft. Click to access the Policy to Prevent, Detect, and Address Identity Theft.

  32. Identity Theft - Massachusetts DataSecurity Regulations Similar to the Federal Red Flags Rules, Massachusetts has laws related to the security of personal information including: • Establish requirements for notification to state government and consumers in the event of a data security breach, • Establish a consumer’s right to request a security freeze and • Establish requirements for destruction and disposal of records containing a consumer’s personal information. Personal information is a Massachusetts resident's first and last name, or first initial and last name combined with: • SSN, or • Driver's license number or state issued ID #, or • Credit/debit card number or bank account number

  33. Identity Theft - Massachusetts DataSecurity Regulations • A data security breach is the unauthorized acquisition or unauthorized use of personal information that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth of Massachusetts. • Personal information can be found in many areas such as HR, Payroll, Billing Offices, Finance, Registration and treatment areas. • The Massachusetts ID Theft Law requires proper disposal of personal information by either redacting, burning, pulverizing or shredding so that the data cannot be read or reconstructed. • Use locked disposal bins and consoles to dispose of any personal information no longer needed, or use a department shredder if one is available. • Any breach involving personal information must be reported to the Privacy & Information Security Office so appropriate individuals and agencies may be notified.

  34. Penalties for Violations Penalties for Privacy & Information Security Violations • External Agency Enforcement (OCR, DOJ, OIG) • Civil and criminal penalties will be applied to covered entities and individuals as determined by these agencies for inappropriate disclosure of PHI. • UMass Memorial Corrective Action Enforcement • Violations of UMass Memorial policies causing privacy or information security breaches are likely to result in termination of employment or contracted service. • Examples of Breaches: • Discussing or leaving PHI in a public area; leaving a computer unattended in an accessible area with PHI unsecured; leaving your password visible on or near your computer • Unauthorized access , which includes requesting another individual to access your medical record; looking up family, friend, or co-worker information; using someone else’s user ID & password; posting pictures of patients or procedures to social networking sites • Obtaining information to use in a personal relationship; obtaining PHI for a pending legal case • Loss or unauthorized destruction of confidential information

  35. Questions and Complaints Patients or workforce members who wish to file a complaint about alleged privacy violations or information security incidents have the following reporting options available: • Notify your supervisor or manager • Call the Privacy & Information Security Hotline with any questions or suspected violations : 508-334-5551 • E-mail the Privacy & Information Security Offices at: PrivacyandSecurity@umassmemorial.org • File a complaint with the Department of Health & Human Services (DHHS)

More Related