Goals of Training - PowerPoint PPT Presentation


  • 250 Views
  • Updated On :

Goals of Training. To increase your knowledge & understanding of what protected health information (PHI) is in this facility, and what threats may exist to its privacy and its security To enhance your awareness of your role in helping this facility follow HIPAA rules

Related searches for Goals of Training

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Goals of Training' - edita


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Goals of training l.jpg
Goals of Training

  • To increase your knowledge & understanding of what protected health information (PHI) is in this facility, and what threats may exist to its privacy and its security

  • To enhance your awareness of your role in helping this facility follow HIPAA rules

  • To provide information about to whom you can go with questions about privacy, and about security

  • To inform you about your reporting responsibilities when HIPAA violations occur

  • To alert you to the possible penalties for violation of HIPAA law for both you and this facility

  • To protect the confidentiality of our consumers' Protected Health Information (PHI) in support of one of our values -- dignity, self-worth and individual rights.  It's the right thing to do!

  • To understand that this same law also protects you as a consumer of health care.

NC DMH Privacy Training


Privacy Regulations

IMPLEMENTATION DATE

April 2003

Security Regulations

(To Be Announced)

What is HIPAA?

  • Health Insurance Portability and Accountability Act of 1996 – a Federal Law

  • Portability

  • Administrative Simplification

  • Data Standardization

  • Security

  • Privacy

What is HIPAA?

  • Portability: Protects and guarantees health insurance coverage when an employee changes jobs

  • Accountability: Protects health data integrity, confidentiality and availability

  • Reduces Fraud and Abuse

  • Makes fraud prosecution easier (Medicare/Medicaid)

  • Reduces Paperwork

What is HIPAA?

  • Data Standardization

  • Establishes National Standards for Electronic Data Transmission Portability

    • Transactions (Enrollment, Eligibility, Claims, Payment and others), Codesets and Identifiers.

  • Establishes Standards for Protection of Health Information

    • Privacy (Operational, Consumer Control, Administration)

    • Security (Administrative, Physical, Technical, Network)

WHY COMPLY WITH HIPAA ?

  • Avoid denied and/or delayed reimbursements

    • DHHS agencies process claims bringing in more than $ 550 million in receipts annually.

    • Annual Medicaid disbursements totaling more than $4.6 billion.

  • May risk accreditation (e.g., Joint Commission on Accreditation of Healthcare Organizations)

  • Public relations and business risk issues

  • Benefit from long term healthcare cost reductions

  • Impose severe penalties for non-compliance

DEFINITION: PRIVACY

  • Privacy is the right of an individual to keep his/her individual health information from being disclosed.

HIPAA KEY TERMS as they relate to privacy of Protected Health Information (PHI)

  • Privacy

  • Use

  • Disclose

  • Authorization

  • PHI

  • Minimum Necessary

HIPAA KEY TERMS Defined

  • Use - means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. (Also see Part II, 45 CFR 164.50)

  • Disclose - Release or divulgence of information by an entity to persons or organizations outside of that entity. (Also see Part II, 45 CFR 164.501)

  • Authorization - The mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment or health care operations. For example, Protected Health Information (PHI) released for special Olympics activity.

  • PHI (Protected Health Information) - All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc…)

  • Minimum Necessary - When using any PHI, a covered entity must generally make reasonable efforts to limit itself to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request".


Privacy: Why the concern?

HIPAA Enforcement

  • CIVIL PENALTIES for failure to comply

    • $100 fine per person per violation

    • $25,000 fine per year for multiple violations

    • $25,000 fine cap per year per requirement.

    • You can be personally liable!

HIPAA Enforcement

  • CRIMINAL PENALTIES for failure to comply

    • Knowingly or wrongfully disclosing or receiving PHI: $50,000 fine and/or one year prison time

    • Commit offense under false pretenses:

      $100,000 fine and/or five years prison time

    • Intent to sell PHI or client lists for personal gain or malicious harm:

      $250,000 fine and/or ten years prison time.

    • Again, you can be personally liable!

HIPAA Enforcement Continued

  • These penalties apply to oral, paper and electronic Protected Health Information (PHI).

HIPAA Requires DMH to…..

  • Establish or Appoint

    • Policies and procedures to safeguard PHI

    • Privacy Officer

    • Security Officer

    • Privacy Officer and the Security Officer work with each facility’s HIPAA core team

    • Disciplinary actions policy

  • Provide HIPAA training to the workforce

    • As necessary and appropriate on Privacy Policies and Procedures

What is PHI ?

  • Protected Health Information - All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc…)

Where do we find PHI?

  • 1.

  • 2.

  • 3.

  • 4.

  • 5.

  • 6.

  • 7.

Where do we find PHI?

  • Medical records and billing records

  • Insurance/Benefit Enrollment and Payment

  • Claims adjudication

  • Case or medical management records

    (Note---it exists both on paper and electronically)

Examples of PHI

  • 1. Name

  • 2.

  • 3.

  • 4.

  • 5.

  • 6

  • 7

  • 8

  • 9

Examples of PHI

  • Names

  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code……….

  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death……..

  • Telephone numbers

  • Fax numbers

  • Electronic mail addresses

  • Social Security Numbers

  • Medical record numbers

  • Health plan beneficiary numbers

  • Account numbers

  • Certificate/license numbers

  • Vehicle identifiers and serial numbers, including license plate numbers

  • Device identifiers and serial numbers

  • Web Universal Resource Locators (URLs)

  • Internet Protocol (IP) address numbers

  • Biometric identifiers, including finger and voice prints

  • Full face photographic images and any comparable images…..

  • Any other unique identifying number, characteristic…..

HIPAA Requires DMH to…..

  • Identify PHI Uses and Disclosures

    • WHO:

      • People who routinely use or disclose (or receive requests to) PHI in our Institutions/Facilities

    • WHAT:

      • Individually identifiable health information

    • HOW:

      • Written, oral, electronic communication

    • HOW MUCH:

      • Minimum necessary to accomplish purpose

PHI Does Not Include…..

  • Education records

  • Workman’s comp Records

  • Health information in your personnel record

  • Psychotherapy notes: (Treatment/Counseling by mental health professionals)

    • Kept separate from the medical record, usually in a clinician’s own file and not made part of the individual’s medical record.

Psychotherapy Notes ARE NOT

  • The following are not considered psychotherapy notes and therefore are PHI:

    • Medication prescription and monitoring

    • Counseling session start and stop times, the modalities and frequencies of treatment furnished

    • Clinical test results

    • Any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date

WHO IS AFFECTED?

  • Employees who handle/use/know individuals’ Protected Health Information (PHI)

  • Health Care Providers (Health departments, hospitals, doctors’ offices, any agency that transmits PHI electronically)

  • Health Plans that provide or pay the cost of medical care (e.g., Medicaid, Medicare, Champus, BC/BS, HMOs)

  • Trading Partners - Electronically Exchange Protected Health Information

  • Business Associates - Perform services “on your behalf”

  • HIPAA also applies to you as a consumer of healthcare!

Case Scenario Presentations

  • How would we handle the following situations?

Challenge for DMH

  • If you do NOT know what or where PHI is,

  • and who uses or asks for it,

  • You will be hard pressed to protect it.

How Do Individual Staff Protect PHI? (Your List)

  • 1.

  • 2.

  • 3.

  • 4.

  • 5.

  • 6.

  • 7.

How Individual Staff Protect PHI

  • Close doors or draw privacy curtains/screens

  • Conduct discussions so that others may not overhear them

  • Don’t leave medical records where others can see them or access them

  • Keep medical test results private

  • PHI info should NOT be shared or viewable in public areas

  • Don’t leave copies of PHI at copy machines, printers, or fax machines.

  • Don’t leave PHI exposed in mail boxes or conference rooms.

  • Don’t share computer passwords or leave them visible

  • Don’t leave computer files open when leaving unlocked or shared work area

  • Secure PHI when no one is in the area, lock file cabinets and office doors

  • Safeguard PHI when records are in your possession

  • Return medical records to appropriate location

  • Dispose of paper containing PHI properly

  • Fax only if according to Center policy

How Individual Staff Protect PHI

Don't ....

  • ……….Email with individuals’ identifiable information (1st name, last initial ok)

  • ……….Leave PHI in any public wall file trays unless enclosed in an interoffice envelope

  • ……….Discuss an individual in front of other individuals or visitors

  • ……….Leave diskette boxes containing PHI in unlocked areas

  • ……….Leave PHI for shredding in unlocked/undesignated area

  • ……….Place individuals’ full names on desk blotters

  • ……….Leave Rolodex files containing PHI accessible

  • ……….Leave individual/employee PHI lists publicly posted

  • ……….Leave records opened and unattended

  • ……….Bring personal computers for use at a Health Center

  • ……….Leave Center keys unattended


  • WHETHER A HEALTH or FINANCIAL INTERVIEW,

  • OBSERVE THESE GUIDELINES !!!

“Need to Know” Principles

  • Necessary for your job

  • How much do you need to know?

  • How much do other people need to know?

How Does “Need to Know” Translate into HIPAA?

  • HIPAA’s Minimum Necessary rules :

    • Must provide only PHI

      • in the minimum necessary amount

      • to accomplish the purpose for which use or disclosure is sought

    • Minimum necessary does not apply when patient provides a valid, signed authorization for release of PHI

    • De-identified Information: De-identified information is PHI with all HIPAA identifiers removed.

  • Exceptions:

    • Disclosure to a health care provider for treatment

    • Permissible uses or disclosures made by the patient.

    • Uses or disclosures made based on patient’s signed authorization.

    • Uses or disclosures required for HIPAA compliance

    • Use for legal proceedings, law enforcement, etc.

HIPAA Requires…

  • Notice of Privacy Practices

    • Purpose: to provide consumer with adequate notice of uses or disclosures of PHI

    • Must be written in plain language

    • Must be provided at the time of first service or assessment for eligibility

    • Has to provide Privacy Officer contact information

HIPAA Consumer Protections

  • Amendment

    • Consumers may request to amend PHI in medical records

    • That request may be referred to the facility Privacy Official

  • DMH facility may either grant OR deny the request

HIPAA Consumer Protections

  • Restrictions

    • Consumers may request that the facility restrict how it uses/discloses their PHI

    • Facility is NOT required to accept the request

    • If restriction is accepted, then follow it

      • Don’t deviate or depart from that restriction!

HIPAA Consumer Protections

  • Access

    • Consumers can access PHI

      • Inspect

      • Copy

    • Request for access MUST be in writing

    • Facility Must - Respond to request within 60 days;

      • May recover cost-based fee for copy, explanation, or summary of records

    • If access is denied, reason for that denial will determine if the consumer can appeal

    • Consumer must appeal to facility Privacy Official

HIPAA Consumer Protections

  • Accounting of Disclosures

    • Consumers have a right to an accounting of disclosures

      • Time frame: 6-year period

      • Clock starts: April 14, 2003

    • Applies to both written and oral disclosure

    • Specific to times, places, beneficiaries and content disclosures

HIPAA Consumer Protections

  • Verification

    • Facility must verify that

      • Person or agency requesting the PHI

      • Is who they say they are

    • Facility must document the verification.

HIPAA Consumer Protections

  • Complaint Procedure

    • HIPAA requirement

    • Allows a consumer to file a complaint if they believe we have improperly used or disclosed their PHI

HIPAA PHI Protections

  • Staff Access to PHI

    • Purpose: to guide staff in keeping PHI confidential

    • Inappropriate access/use/disclosure of consumer PHI results in disciplinary action, possible other penalties.

HIPAA Disclosure Protections

  • Authorization

    • Required to disclose PHI to person or agency outside the facility

    • Must be specific:

      • What PHI is to be shared

      • With whom

      • For what purpose

    • May be revoked

When No Authorization Is Needed…

  • Key examples:

    • Child abuse/neglect reports

    • Judicial/administrative proceeding

    • Law enforcement

    • To avert serious threat to health or safety

    • Audits

      • Management and Financial

    • When required by US DHHS

    • Program monitoring and evaluation

    • Certification of facilities and individuals


WHAT ELSE DOES HIPAA REQUIRE?

PRIVACY REGULATIONS RELATING TO RESEARCH, MARKETING, FUND RAISING

  • For Research, Marketing and Fund Raising purposes, all PHI must be De-identified Information. (De-identified information is PHI with all HIPAA identifiers removed.)

  • HIPAA still allows research to be conducted

  • Proper authorizations must be in place

What Else Does HIPAA Require?

  • Preemption of state law

    • Privacy Rule overrides any other state law unless that state law provides more protection for the consumer

WAIVER OF RIGHTS

  • Waiver: Covered entities may not require individuals to waive their rights as a condition of:

    • Treatment

    • Payment

    • Enrollment

    • Eligibility

REFRAIN FROM INTIMIDATING OR RETALIATORY ACTS

  • Protection for individuals exercising their rights or whistleblowers:

  • Covered entities may not

    • Intimidate

    • Threaten

    • Coerce

    • Discriminate against

    • Take any other retaliatory action

QUESTIONS?

Privacy

  • If you are ever in doubt, always ask your Privacy Officer or their designee!

  • Remember, that person is your first line of response to privacy questions.

Key Things to Remember about Privacy

  • We must safeguard consumer records

  • Share only information necessary to do the work

  • Consumers have the right to ask about use and disclosure of PHI

  • DMH has Policies on HIPAA and you need to know them and follow them

PRIVACY Vs. SECURITY

  • Privacy is the right of an individual to keep his/her individual health information from being disclosed.

  • Security is how we protect PHI from accidental or intentional disclosure, alteration, destruction or loss.

SAFEGUARDS

  • NCSCC must have appropriate safeguards in place:

    • Administrative

    • Technical

    • Physical

  • Exceptions for preemption of state laws as agreed to by the US DHHS Secretary

    • More stringent

    • Public health investigation/intervention

    • Audits; management & financial

    • Program monitoring and evaluation

    • Certification of facilities and individuals

Required Training Topics

  • Security Issues that Impact Privacy

    • General Security Awareness

    • System Access

    • Password Management

Purpose of Security

  • To protect the system and information from unauthorized access

  • To protect the system and information from unauthorized use

General Security Awareness

  • Security (protecting the system and the information it contains) includes

    protecting against unauthorized access from outside and misuse from within

    • hardware and software (Physical Computer Systems)

    • personnel policies

    • information practice policies

    • develop disaster/intrusion/response and recovery plans

    • designate security responsibilities

    • develop protocols regarding activities and security at personnel and work station level

    • Safeguards from fire, natural and environmental hazards and intrusions

General Security Awareness

  • Two Types of Security in HIPAA

    • Building\Physical Security

    • Computer\Electronic Security

General Security Awareness

  • Building\Physical Security

    • Building\Work Area Access

    • Locks and Keys

    • Badges\ID

    • Security Officer

    • Printers\Copy\Fax Machines

General Security Awareness

  • Building\Work Area Access

    • Sign into building

    • Show ID\Visitors Badge

    • Patient\Client Area Entry

General Security Awareness

  • Computer\Electronic Security

    • Computers

    • Location of PCs

    • Passwords\Log On

    • E-mail

    • Faxes

Things to Know about System Access

  • Don’t share the session

  • Report Discrepancies

  • Be aware that disciplinary action may result

  • Termination of Access

PC and System Protection

  • Be aware of potential harm

  • Follow the e-mail policy

  • Don’t download non-DMH approved programs

  • Report unknown or suspicious e-mail, attachments

Password Management

  • What is Password Security?

    • Don’t tell anyone your password.

    • Don’t write your password down anywhere

    • Change password if others know it

    • Enter your password in private

Password Management

  • Guidelines for good passwords

    • Don’t

      • Choose password with more than 8 characters

      • Choose password that can be found in a dictionary

      • Choose password that uses public information such as SSN, Credit Card or ATM #, Birthday, date, etc.

      • Reuse old passwords or any variation

      • Use user id or any variation

Password Management

  • Guidelines for good passwords

    • Do

      • No clear link to you personally

      • Six to 8 characters

      • Minimum of 2 alpha and 1 numeric

      • Use upper and lower case characters

      • Change to a completely new password

      • Memorize your password

Application Role in Security

  • Role will dictate access

    • Only access to what you need in order to do the job

Key Things to Remember about Security

  • Security impacts privacy

  • Both building and computer security are important

  • Fundamentals of good password management

TOP 10 PRIVACY & SECURITY PRACTICES

1. When in doubt, don’t give information out

2. Log off before you walk off from your computer

3. Double check fax numbers before sending

4. Do not send e-mails or use the internet unless the connection is secure and approved.

5. Identify the caller before releasing confidential information.

6. Never share your password with anyone.

7. Maintain the security of all patient information in all its media, such as paper, electronic and oral.

8. Discuss patient information in private locations

9. Access information on a need to know basis, only to do your job.

10. Dispose of confidential information according to proper procedures (i.e., locked shred bins)

SUMMARY -1

  • HIPAA - A Health Care Paradigm

    • Affects payers, providers, employers, medical manufacturers, pharmaceutical companies, employees, clearinghouses, patients.

    • Requires changes to business processes and applications, staffing plans, facilities and information systems applications

    • Provides patients with rights

    • Shifts power in provider/consumer relationships

    • Introduces new legal liabilities

    • Conveys severe civil and criminal penalties

SUMMARY -2

  • HIPAA - is not going away

  • Healthcare industry wants standardization

  • Consumers want health information to be protected

  • HIPAA is not an option

  • HIPAA is doing business in the “New Millennium”

  • Implementation cost is short term

  • Operational benefit is long term

Where To Go For More Information

US Department of Health and Human Services

- www.aspe.os.shhs.gov

Centers for Medicare & Medicaid Services

- www.cms.gov

Workgroup for Electronic Data Interchange (WEDI)

- www.wedi.org

Washington Publishing Company

- www.wpc-edi.com

North Carolina Division of Medical Assistance

- www.dhhs.state.nc.us/dms/

NC DHHS HIPAA Web Site

- http://dirm.state.nc.us/hipaa/

Any Questions?

IMPLEMENTATION DATE

April 2003
