1 / 24

Just what is HIPAA anyway? Let’s look and see!

nirav
Download Presentation

Just what is HIPAA anyway? Let’s look and see!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. At Medical Center Hospital, we believe protecting patient confidentiality is doing the right thing because it’s the right thing to do. We must all work together to show our patients that protecting the confidentiality and security of their protected health information (PHI) is as important to us as their health.

  2. Just what is HIPAA anyway? Let’s look and see! • The Health Insurance Portability and Accountability Act is a federal law enacted in 1996. It sets national standards for the privacy and security of electronic protected health information (ePHI). It also helps prevent fraud and abuse and simplifies billing to help reduce health care administrative costs.

  3. What is a covered entity? A covered entity is any person, group of people, company, establishment, health plan or clearing house for electronic billing and business associates that provides health care or social services or maintains PHI in support of health care or social services. What is PHI? Protected health information is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This includes any part of a patient’s medical record or payment history. PHI relates to past, present or future conditions of an individual; provisions of healthcare to an individual or for payment of care provided to an individual transmitted or maintained in any electronic, paper or oral form. Examples of PHI are: name, address, street, city, zip code; any date (birth, admit, discharge, death); telephone and fax numbers; electronic addresses; social security number; medical record number. A complete list of PHI identifiers is provided in the section detailing de-identification of PHI.

  4. What is a Business Associate? Most health care providers and health plans do not carry out all of their health care activities and functions by themselves. They often use the services of a variety of other persons or businesses. The Privacy Rule of HIPAA allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

  5. When can PHI be shared? • For treatment of the patient (direct care; coordination of care; consultation; referrals) • For payment of health care bills • For healthcare operations/business management such as quality improvement, compliance, competency and training • For disclosures required by law; • For public health or other governmental reporting • When the patient gives written authorization De-identification of PHI: De-identification requires the elimination not only of primary or obvious identifiers such as the patient’s name, address, date of birth (DOB), and treating physician, but also of secondary identifiers through which a user could deduce the patient’s identity. To be completely de-identified, the following identifiers of the individual (or of relatives, employers, or household members of the individual) must be removed: • Names • address information smaller than a state (street address, city, county, zip code) • names of relatives and employers • all elements of dates (except year) including DOB, admission date, discharge date, date of death • all ages over 89 • telephone numbers • fax numbers • email addresses • Social Security Number • medical record number • health beneficiary plan number • account numbers • certificate/license number • vehicle identifiers, including license plate numbers • device ID and serial number • Universal Resource Locator (URL) • Identifier Protocol (IP) addresses • biometric identifiers, including finger and voice prints • full face photographic images and comparable images • any other unique identifying number, characteristic, or code SPECIAL NOTE: Whenever possible, de-identified PHI should be used for quality assurance monitoring and routine utilization reporting.

  6. A Notice of Privacy Practices is required! Covered entities must provide a notice that tells a patient how they may use and share their health information and how the patient can exercise their health privacy rights. In most cases, a patient will get this notice on their first visit to a covered entity.

  7. Refrain from discussing PHI in public areas, such as elevators, hallways and reception areas, unless doing so is absolutely necessary to provide treatment to one or more patients such as in a disaster situation. We all want our privacy protected when we are patients – it’s the right thing to do. Don’t be careless or negligent with PHI in any form. HIPAA and Texas state law require us to protect a patient’s privacy.

  8. Disclosure of PHI without Permission HIPAA BREACHES CAN BE COSTLY! Employees can lose their jobs, contractors can lose their contracts and everyone is subject to civil liability as well. Unauthorized disclosure of policies and procedures surrounding a patient’s health information must be reported. Anyone who knows or has reason to believe that another person has violated one or more rules under HIPAA has the right to report the matter promptly to his or her supervisor, the MCH Compliance Office or the government agency named The Office of Civil Rights. The incident will be thoroughly investigated. We are required by law to attempt to remedy the harmful effects of any breach. • = + Disclosures without proper authorization can carry hefty fines---and those fines are not limited to covered entities. Individuals may be fined also. Fines and penalties for HIPAA violations are higher when the offense is deliberate. A recent court case resulted in prison time for employees who stole and used patient information to obtain health care using the stolen information.

  9. SECURING PHI Protecting Patient Privacy requires us to secure the patient’s information. ePHI (Electronic Protected Health Information) is any computer-based patient health information that is used, created, stored, received or transmitted using any type of electronic information resource such as a personal computer, laptop computer, tablet computer, smartphone or cellphone. Because technology is continually evolving, the list will change but the generally accepted rule is----if it’s electronic, it’s covered by HIPAA. Physician portal users are assigned a unique user id for login purposes. Using someone else’s user id and/or password is not allowed. All access to the physician’s portal at MCH is logged. If you allow someone to use your log-in credentials and they do something illegal, you get the blame. You can be written up, lose your computer access and/or get fired for something someone else did while using your log-in credentials.

  10. Remember: YOU are responsible for everything that occurs under your MCH login. Log off before leaving a workstation unattended. This will limit accidental access of ePHI under your user id. • At MCH, there is a policy that passwords are not to be written down or posted. Passwords cannot be sent in in any kind of electronic communication such as email or in a text message. • If you think someone knows your password, immediately contact the Information Technology Computer Support Center at extension 1385 to report the breach and to get your password changed. • Where possible, computers in clinical settings at MCH are set to “lock” (or log off) after 5 minutes of inactivity. Automatic screen savers are used to prevent accidental exposure of ePHI.

  11. BUG BE GONE! Computers at MCH are standardized to limit damage to PHI, the computer and the computing environment. Malware (or malicious software) is any program or file that is harmful to a computer. Malware includes: viruses, worms, Trojan horses, spyware and adware. It is any computer program that causes a computer to act in unexpected ways and has the intention of causing mischief or damage. The computing environment at MCH is checked hourly for malware. Our aim is to keep buggy software off our network and if an infection occurs to stop it at the lowest level as quickly as possible.

  12. Signs your computer might contain malware: • Reduced performance (your computer slows or “freezes”) • Windows opening by themselves • Missing data • Unusual toolbars appearing on your web browser Contact the IT Computer Support Center at 1385 if you experience problems you think might be malware related.

  13. INFORMATION ON THE MOVE FAXING is permitted. A cover sheet containing a confidentiality statement must always be included. Always check the fax number prior to dialing it. Double check the number you typed in on the fax screen before pressing the send button. Fax numbers change and many faxes have been received by people who should not receive them. ENCRYPTIONIf you must send PHI in email to someone outside MCH, you must contact the I.T. Department so you can have the hospital approved encryption product installed on your computer or the PHI must be de-identified. De-identification of PHI means removing any information that can reasonably be used to link that information back to an individual.

  14. MAIL TIPS You may receive email from people you do not know. You may also receive email you did not request. Any time those situations arise, become suspicious and don’t open them. Think about it. Did you mail something by FedEx? No? Don’t open the email that “says” it’s from FedEx. Is your bank The First Federal Bank of Somewhere? No? Don’t open the email from The First Federal Bank of Somewhere even if they say they absolutely have to have your account information or they’re going to shut your account down. These sorts of emails fall under the heading of spam and phishing (pronounced “fishing”.) The sender is trying to be sure they have a good email address so they can send more spam or more phishing attempts. These emails can also try to get you to send them sensitive information that can put your identity at risk. Don’t be tricked. Be very suspicious of emails with attachments on them. Also do not open email from someone whose name you do not recognize. Especially do not open emails with attachments from people whose name you do not recognize. Before Facebook and Twitter, email was considered the fastest growing form of communication ever. Email and social networking are very dangerous subjects when mixed with HIPAA. HIPAA requires that PHI sent over an open network (the Internet) be encrypted. Email, Facebook and Twitter messages are all sent over an open network (aka the Internet). Facebook and Twitter are not currently approved for use by MCH employees and patient information should never be talked about on Facebook or Twitter. If you have not read the MCH Policy on social networking, please read MCH-3058.

  15. PORTABLE STORAGE DEVICES Don’t store ePHI on portable storage devices. If you MUST store PHI on a device that is portable, either de-identify it or encrypt it. Delete it when it is no longer needed and always protect the device from loss and damage. Remember that you are solely responsible for anything you do with protected health information.

  16. THE 15 COMMANDMENTS OF HIPAA Doing the right thing is the right thing to do! Engaging in wrongful activities could result in disciplinary action up to, and including, loss of computer access, termination of employment and/or individual civil fines, criminal liability and prison time.

  17. ***Pop-up blockers will prevent users from completing Chart Deficiencies on the Portal*** Helpful Tips When Using Physician Portal To navigate through the module pages always use the Return Links on the module page or click the Module TAB button, it is best NOT to use the back button on the Web browser tool bar. The PIN Number Pad that allows the user to log into the Chart Deficiencies module is considered a pop-up in Microsoft Internet Explorer. You must turn off any pop-up blockers before attempting to work in the Deficiencies Module.

  18. Web Access to Physician Portal through Medical Center Hospital Web Page http://www.mchodessa.comClick on the link For Physicians then the link Physician Portal

  19. Medical Center HospitalIntranet Home Page**Inside of MCH** • Select Physicians from the navigation bar on the MCH Intranet • Then select Physician Portal • Or type URL address: https://portal.echd.org/portal • URL address for eMed Radiology Image - https://images.echd.org

  20. System Requirements to Complete Charts Via Portal

  21. YOU MUST WATCH THE ENTIRE VIDEO Video will automatically begin

  22. You have completed the training portion of our Online Education *Note* You may have to click Continue on a Certificate Error to access the Testing webpage. * You WILL have to register the first time you take this test.

More Related