1 / 53

HIPAA Privacy & Security Training Module

HIPAA Privacy & Security Training Module. What we want to accomplish. Understand HIPAA Privacy Rule Understand who it applies to Discuss PHI Define PHI Identify how and when it is used and disclosed Identify the right amount of PHI to use or disclose Talk about patient rights under HIPAA

owen-small
Download Presentation

HIPAA Privacy & Security Training Module

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Privacy & Security Training Module

  2. What we want to accomplish • Understand HIPAA Privacy Rule • Understand who it applies to • Discuss PHI • Define PHI • Identify how and when it is used and disclosed • Identify the right amount of PHI to use or disclose • Talk about patient rights under HIPAA • Understand a breach • Review responsibilities and safeguards

  3. What is HIPAA? • Health Insurance Portability and Accountability Act of 1996 • Federal law • Comprised of Five Sections • Administrative Simplification • Electronic Transactions and Code Sets Rule • Privacy Rule • Security Rule

  4. Privacy Rule v. Security Rule • Privacy Rule identifies what information is to be protected and outlines the individual’s rights to control access to their health information • Security Rule defines how to protect protected health information in electronic form, called ePHI

  5. Protected Health Information Electronic Protected Health Information Minimum Necessary User Identity Patient Rights Password Management Notice of Privacy Practices Appropriate Use of Computing Devices Privacy Policies Security Policies Privacy Officer Security Officer Reporting Privacy Concerns Reporting Security Concerns Education The education that you are receiving today will focus on learning what responsibilities you have in order to ensure Elmcroft complies with HIPAA Privacy and HIPAA Security Regulations. The following topics will be covered: HIPAA PRIVACY HIPAA SECURITY

  6. HIPPA Privacy Officer • Maintains appropriate measures to guard against unauthorized access to PHI. • Ensures compliance through adequate training programs and periodic audits. • Maintains HIPAA policies and procedures.

  7. Other important rules • HITECH Act of 2009 – Health Information Technology for Economic and Clinical Health Act • Breach Notification Rule • HIPAA Omnibus Rule • Changed the Breach Notification Rule Don’t forget about state law!

  8. What is the Privacy Rule? • Personal health information must be safeguarded by organizations and the individuals who work there • Patients have rights to gain access to their medical records and restrict who sees their health information • Organizations must train their workforce on the privacy requirements • Organizations must appoint an individual to be responsible for seeing that privacy procedures are adopted and followed • Punishes individuals and organizations that fail to keep patient information confidential

  9. Who is Covered? • Health Plans • Healthcare Clearinghouses • Healthcare Providers that conduct standard transactions in electronic form that involve PHI Known as “Covered Entities”

  10. Business Associates (BA) • Individual or Organization that performs duties or business functions on behalf of the Covered Entity using Protected Health Information (PHI) • Law firm • Pharmacist consultant • Medical Director • Record Storage Company • Prior to disclosing PHI to the BA, the Covered Entity is required to have a written agreement with the BA that specifies the safeguards on the PHI used or disclosed by the BA

  11. What is Protected Health Information (PHI)? • Individually identifiable health information • That relates to an individual’s past, present or future health care, or • That relates to health care services provided to the patient, or • That relates to payment for care • Created or received by a Covered Entity or Business Associate • In any form: paper, electronic or oral

  12. Individual Identifiers of PHI • Name • Address • Telephone No. • Finger or voice prints • Social security number • Vehicle/device serial no. • Health plan number • Certificate/license No. • Account Number • Names of relatives • Names of employers • Fax number • Birth date/admission & discharge dates • Photographic images/X-rays • Medical record number • Account Number • Email, IP address, web URL

  13. Notice of Privacy Practices (NPP) • Notice of Privacy Practice (NPP) describes how PHI may be used and disclosed by a Covered Entity. • NPP explains how an individual can get access to information and how to make a complaint to the Covered Entity. • NPP for health care providers must be: • Distributed at the first instance of service, • Posted at the service site, • Posted on the website if one exists. • All employees should be aware of the NPP.

  14. When does HIPAA allow use or disclosure of PHI? • Permitted by law • Treatment • Payment • Health Care Operations • Public interest and public benefit • Permission by the resident/patient • Authorization

  15. Incidental Uses and Disclosures • Incidental use or disclosure • Occurs as a by-product of a permissible use or disclosure using reasonable safeguards • Cannot be reasonably prevented • Must use reasonable safeguards • Example: A visitor catches a glimpse of the information on a nursing station whiteboard as a nurse is adding information to it

  16. Accidental Uses and Disclosures • Accidental use or disclosure • Potential breach • Attempt to retrieve it, or limit exposure or risk to the information • Report the incident immediately • Example: A nursing assistant is faxing lab results to a resident’s doctor but uses the wrong fax number and sends it to a garage

  17. Minimum Necessary • Uses, disclosures, and requests of PHI limited to the “minimum necessary to accomplish the intended purpose.” • Example: An insurance company requests a patient’s medical record for billing purposes. Only the information pertaining to a specific bill should be sent. • Minimum necessary does not apply when PHI is used or disclosed: • For treatment purposes, • To the individual, • When you obtained an authorization, • When required by law.

  18. Need to know • Determine the information you need to know to do your job • Access information only if you have a need to know it • Example: a nurse needs to know PHI to provide care for the patients on his/her unit, but not for the patients that are on another unit.

  19. Patient Rights Receive a Notice of Privacy Practices Right to Access Right to an Accounting of Disclosures Restriction of Use of PHI Confidential Communications Request Amendment File Complaint (Covered Entity and Office of Civil Rights)

  20. What would you do? A co-worker gets called away from the med cart. He makes sure the drawers are locked, but walks away leaving the MAR sheet uncovered and able to be viewed by the general public. A professionally dressed visitor walks into the nurses station and states that she is the daughter of Mr. Taylor, a resident in room 16, and that she wants to review his medical record. You notice a list of names and current medications in the trash can.

  21. Disclosure that must be tracked • Patients have the right to receive an Accounting of Disclosures of PHI made by a Covered Entity for the six (6) years prior to the request. • The following disclosures need to be tracked: • Required by law (i.e. reports of abuse to a public health authority) • Required for public health activities (i.e. reporting of disease) • For health oversight activities (i.e. audits by an oversight agency) • Reports of abuse (i.e. to the police, medical staff) • For law enforcement purposes (i.e. to identify the perpetrator of a crime) • To the coroner (i.e. for identifying a deceased person) • To avert a threat of serious injury (i.e. disclosure to a person who can prevent the threat or to law enforcement) • Unlawful or unauthorized disclosure (i.e. inadvertent disclosures)

  22. What is a breach? An impermissible use or disclosure that compromises the security or privacy of the PHI. A breach is presumed unless the Covered Entity or Business Associate can demonstrate there is a low probability the PHI was compromised based on a risk assessment.

  23. Examples of Possible Breaches Throwing PHI in the trash or dumpster (without being shredded); Sharing PHI with those who do not have a need to know; Posting another person’s PHI on your Facebook page; Faxing a document containing PHI to the wrong fax number; PHI that has been lost or stolen.

  24. What if a breach occurred? Report incidents to your supervisor as soon as they occur or are discovered LPO investigates to determine if the incident is a breach

  25. Breach Notification • A breach requires notification within a required time from the date the breach was discovered or should have been discovered: • Individual, within 60 days • HHS – OCR, within 60 days if > 500 individuals involved • HHS – OCR, annually within 60 days of the end of the calendar year if < 500 individuals • Media, within 60 days if more than 500 individuals involved

  26. OCR Audits / Investigations Permanent audits in planning stage Complaints can trigger an investigation A breach can trigger an investigation

  27. Penalties for Non-Compliance Individual can be responsible, not just the Covered Entity or Business Associate • Civil Money Penalties • Violation but you did not know or could not have known • $100 per violation with annual maximum of $25,000 for repeat violations • Violation due to reasonable cause and not due to willful neglect • $1,000 per violation with an annual maximum of $100,000 for repeat violations • Violation due to willful neglect but corrected within required time period • $10,000 per violation with annual maximum of $250,000 for repeat violations • Violation due to willful neglect and not corrected • $50,000 per violation with annual maximum of $1.5 million

  28. Penalties, cont. • Criminal Penalties • Knowingly committed the offence • Up to $50,000.00 • Up to one year in prison • Committed under false pretenses • $100,000 • Up to five years in prison • Committed for financial gain or malicious harm • $250,000 • Up to ten years in prison

  29. Headlines, Reported Breaches • Southwest General Health Center • Notified 480 patients that a binder containing their personal and health information had gone missing • Phoenix Cardiac Surgery • Appointments were available to the public on internet-based calendar • Paid $100,000 to settle claims of lack of HIPAA safeguards and agreed to take corrective action to implement policies and procedures to safeguard PHI of its patients • Nursing Assistant in Florida sentenced for HIPAA crime • Former nursing assistant of assisted living facility in sentenced to 3 years in prison for stealing and selling patient information • Ordered to pay $12,000 in penalties • UCLA School of Medicine • Researcher terminated and in retaliation accessed the medical records of his superior and his co-workers and the patient records of celebrities, a total of 323 times • Sentenced to 4 years in prison

  30. General Safeguards • Protect the privacy and security of our residents’ highly confidential information: medical, financial or other data • When you talk about it • When you fax it • When you store it • When you use it • When you disclose it • When you dispose of it • Remember minimum necessary and access only the amount of PHI necessary to do your job and only when you have a need to know

  31. General Safeguards, cont. Confidential verbal conversations should be conducted away from others who do not have a need to know. Never use or disclose confidential information for any personal purpose or out of curiosity, or allow others to do so. Documents containing PHI should not be left in open areas or on desks where it can easily be seen or stolen by passerby.

  32. General Safeguards, cont. Dispose of resident information by shredding or storing in lock containers for destruction. Do not throw in the trash! Keep information you hear about a resident to yourself. Share only with those who have a need to know. Use reasonable safeguards to keep resident information from being accessible by others who do not have a need to know.

  33. General Safeguards, cont. • Notify security if you see an unescorted visitor in a private area. • Computer screens where PHI is viewed should be turned away from the view of visitors. • Any fraudulent attempts by an unauthorized person to obtain PHI must be reported to the supervisor and the LPO.

  34. HIPAA Security Rule Security Rule defines how to protect protected health information in electronic form, called ePHI

  35. HIPAA: Security Rule • Four Requirements of Security: • Ensures confidentiality, integrity, and availability of electronic PHI. • Protects against possible threats and hazards to the information. • Hackers, viruses, natural disasters or system failures. • Protects against unauthorized uses or disclosures. • Ensures compliance by the workforce through • security regulations and policies/procedures. • Three Components of Security: • Administrative Safeguards • Physical Safeguards • Technical Safeguards

  36. HIPAA: Security Rule Administrative Safeguards: • Documentation kept for 6 years. • Internal system audits minimize security violations. • Logins, file accesses, and or security incidents. • Information access management: • Access to PHI based on what is needed to preform the job. • Once computer access is requested, it will take 48-72 hours to implement due to complexity of security system. • Security awareness and training: • Security updates, incident reporting, log-in, and password management. • Security incidents will be reported if suspected or if there is an actual breach.

  37. HIPAA: Security Rule Physical Safeguards: • Safeguard the facility and equipment, from unauthorized physical access, tampering, and theft. • Workstations positioned so monitor screens/ keyboards are not directly visible to unauthorized persons. Use of privacy screens when applicable. Physical access to the server room limited to key personnel. • Workstation use and security. • Log on as themselves. Log off prior to leaving the workstation, • Inspect the last logon information, report any discrepancies. • Comply with all applicable password policies and procedures. • Close files not in use.

  38. HIPAA: Security Rule Technical Safeguards: • Access controls: • User password setup is for one-time use initially. Allowing the individual to choose their own unique password for future access. • User passwords reset every 180 days. • All passwords must consist of at least eight (8) alphanumeric characters (numbers and letters). • Passwords cannot be reused until after three (3) different generations have been used. • Six (6) failed logon attempts will cause the user account to be locked out. The account is locked out for (30) minutes and then reset. • Computer Desktops automatically lock after 17 minutes of inactivity. • Citrix sessions automatically close after 30 minutes of inactivity. • CareVoyant sessions automatically close at different intervals depending on place within the program. • CareTracker sessions automatically close at different intervals depending on place within the program

  39. HIPPA Security Officer • Maintains appropriate security measures to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards. • Oversees and/or performs on-going security monitoring of organization information systems. • Ensures compliance through adequate training programs and periodic security audits. • Ensures security standards comply with statutory and regulatory requirements. • Maintains HIPAA security policies and procedures.

  40. Who is responsible for HIPAA? EVERYONE at Elmcroft: • Support Center Staff: • IT Staff: • Implement safeguards for the computer systems. • Local Privacy Officer: • Clinical Staff and Physicians: • Create and access the majority of resident information. • Managers and Supervisors: • Develop and implement policies and procedures that relate to security and ensure their staff are trained properly. • Clerical Staff: • Create and access resident information. • Volunteers: • Have access to resident information in various settings • Vendors and Contractors • May have access to resident information

  41. Tips for HIPAA Security Compliance Log on and off the network appropriately. Never let others use your ID or work under your ID. Do NOT disable anti-virus software or install unapproved software. Never introduce new hardware or media. E-mail may be, but is not always, a secure form of data transmission. Do NOT e-mail PHI unless using encrypted means. Use caution in opening e-mail files from unknown sources. Do NOT access non-permitted information or give non-permitted information to unauthorized employees. Be aware of, and report, security threats to the Security Officer.

  42. Tips for HIPAA Security Compliance Passwords must be treated as sensitive and confidential information. Never share your password with anyone for any reason. Passwords should not be written down, stored electronically, or published.

  43. Tips for HIPAA Security Compliance • Be sure to change initial passwords, password resets and default passwords first time you log in. • Use different passwords for your different accounts. • Create passwords that are • not common, • avoid common keyboard sequences, • do not contain personal information, such as pets, birthdays or kid’s names.

  44. Tips for HIPAA Security Compliance Protect sensitive information on lists and reports with social security numbers (SSNs). Limit access to lists and reports with SSNs to those who specifically need SSNs for official business. Never store SSNs or use lists with SSNs on laptops or home computers. Save and store sensitive information only on Elmcroft servers managed by IT staff.

  45. Tips for HIPAA Security Compliance Never copy sensitive data to CDs, disks, or portable storage devices. Do not store lists with sensitive information on the Web (Dropbox, Google+, Etc.). Lock printed materials with sensitive data in drawers or cabinets when you leave at night. When done with printed sensitive material, shred them.

  46. Tips for HIPAA Security Compliance Remove sensitive materials from printer right away. If problem with printer, turn off printer to remove sensitive material from printer’s memory. Personally deliver sensitive materials to recipient or distribute information electronically using the email system. Arrange for shared electronic files that requires user ID and password.

  47. What do we do? Complete initial and annual HIPAA training Read the Notice of Privacy Practices (NPP) Understand how HIPAA regulations impact your job function and responsibility Check with your supervisor if you are uncertain Ask for additional training if required It is our responsibility to ensure confidentiality of our residents’ health information.

More Related