HIPAA & YOU A practical guide to privacy and security for MTs. Theresa Leppert, RHIT
Who is Theresa Leppert, RHIT, LMT and why is she presenting on the topic of HIPAA? Theresa Leppert, RHIT, LMT
HIPAA – Health Insurance Portability & Accountability Act. • PHI – Protected Health Information • CE – Covered Entity • BA – Business Associate • ARRA – American Recovery and Reinvestment Act • HITECH – Health Information Technology for Economic & Clinical Health Vocabulary/abbreviations
I know what HIPAA is already, okay…. <Scratches head> but what the heck is ARRA and/or HITECH? American Recovery and Reinvestment Act (The Stimulus Plan) Health Information Technology for Economic and Clinical Health Act HIPAA, ARRA, HITECH
Under HITECH, physicians can qualify for up to $44,000 in Medicare bonus incentives, and/or $65,000 in Medicaid bonus incentives if they demonstrate “meaningful use” of an Electronic Health Record. • What is meaningful use? • So how does ARRA and/or HITECH affect me? • As a patient, that means in the near future (if not now), your medical providers will have an electronic record on you. • As an MT…… Well, I am sure you have already seen changes in our industry. ARRA/HITECH
Medicare HITECH timeline ARRA/HITECH FAQs
Medicaid HITECH Timeline ARRA/HITECH FAQs
Hospitals • Skilled nursing facilities • Nursing facilities • Home health entities • Long term care facilities • Health care clinics • Community mental health centers • Renal dialysis Facilities • Blood Centers • Ambulatory Surgery Centers • Emergency medical svc providers • Federally qualified health centers • Group practices • Pharmacies • Laboratories • Physicians (MD, DO, DDS, DDM, DPM, OD, DC) • Practitioners (PA, NP, CNS, CRNA, CNM, CSW, Psy, RD) • Indian Health Svc Providers • Rural Health Clinics • Therapists Who is eligible for HITECH Incentives? ARRA/HITECH FAQs
Free clinics that do not bill Medicare or Medicaid • Physical therapists • Hospital-based physicians • Acupuncturists and other holistic providers • Any practice not eligible for Medicare or Medicaid payments Who is NOT eligible for HITECH incentives?
I am the owner of an MTSO, what do I need to focus on? Well, best practices dictate: • Confidentiality Agreement • Secure work area • Destruction of PHI • Email encryption • Voice files/Demog systems – passwords! MTSO Owners
The MTSO should require assurance (contractually!) of the following for offsite computer security purposes: • Work computer ONLY, password protected • Firewalls • Antivirus, Malware, and Operating System UTD • No gaming/music file-sharing programs • Repairs – remove PHI! • Contract terminations – Destruction Certification MTSO Owners – cont’d
I work at home, what do I need to focus on? • Secure location • Screen facing away • Password protected • Screen saver/Auto Logoff • Consider privacy screen • Shredder At-Home MTs WEDI-SNIP Security and Privacy Workgroup
Be ALERT to potential risks! The following can mitigate those risks…. • Shred anything that has PHI • Never leave PHI unattended • De-identify reports (i.e. sample rpts, QA rpts) • Encrypt Emails! • Don’t hold PHI any longer than needed • Restrict others from using your work PC At-Home MTs – cont’d
Does anyone still fax? YES! How can I mitigate my risk? • Only fax if absolutely necessary • Use a coversheet – and have a disclosure statement on coversheet! • Double- and triple-check fax numbers (Preprogram if possible!) • Retain coversheet and fax confirmation for 1 year To Fax or not to Fax?
Unintentional breach • Deliberate unauthorized access without PHI disclosure • Deliberate unauthorized disclosure or deliberate tampering without personal gain • Deliberate unauthorized disclosure for personal gain What is considered a BREACH? HIPAA Compliance for MTs
Depends on the level of the breach! • Unintentional • Contact recipient, ask to destroy the PHI • Document situation/said destruction • Notify privacy officer (if you have one.) • Deliberate – all of the above, plus: • Institute disciplinary process, possible immediate termination We had a breach – now what?
(Yes, I said FUN!) • This website has some HIPAA Games that are great training tools – I highly recommend these! (Choose Security and Privacy Challenge) • http://www.healthit.gov/providers-professionals/privacy-security-training-games How to make HIPAA fun
Medical Identity Theft! • In 2013, medical-related identity theft accounted for 43% of all ID thefts in the United States. • The US Dept. of HHS says since 2009, between 27.8 million and 67.7 million medical records have been breached. So why is all this so important?
Illegal or bogus treatment – fraudulent claims • Theft of medical services, from simple ER visits to complex surgeries • To obtain prescription drugs Motives for MID theft
Ruined Credit • Loss of Healthcare Coverage • Inaccurate records that are difficult to correct. • Legal troubles The price of M.I.D. Theft
A bill for medical services you didn’t receive • A call from a debt collector about a medical debt you don’t owe • Medical collection notices on your credit report • A notice from your health plan about reaching benefit limit • Denial of insurance because your records show a condition you do not have Signs of M.I.D. Theft
ARRA/HITECH FAQs - http://www.arrahitechsolutions.com/ARRA_HITECH_Act_FAQ_s.html#What_is_HITECH • MT’s Checklist by WEDI-SNIP Security and Privacy Workgroup. • HIPAA Compliance for MTs - http://support.mededocs.com/documents/HIPAA_Compliance_for_MTs.pdf • HIPAA Privacy and Security – AHDI online resources. http://www.ahdionline.org/Resources/DocumentsandStandards/HIPAAPrivacyandSecurity/tabid/272/Default.aspx • Economic Stimulus Act Expands HIPAA, funds Health Information Technology. http://www.ssd.com/files/Publication/18eaf3fa-2703-47f7-bcde-a1031986bcf4/Presentation/PublicationAttachment/84c34466-763f-4c83-b8de-a1dcea0d7041/Healthcare_Alert_Economic_Stimulus_Act_Expands_HIPAA_Funds_Health_Information_Technology_022009.pdf • “Safeguarding PHI: Focus Points for Offsite Transcriptionists” Diane Hatch and Renee M. Priest, CMT. Sources
“HIPAA for MTs” Version 1.0 from AAMT.org • Select Medical Frequently Asked Questions • 2014-2015 Select Medical HIPAA Awareness – Non-Workforce Edition • HealthIT.gov Security Training Games - http://www.healthit.gov/providers-professionals/privacy-security-training-games • “Medical Identity Theft” Consumer Information from FTC. http://www.consumer.ftc.gov/articles/0171-medical-identity-theft • “The Rise of Medical Identity Theft In Healthcare” by Michael Ollove. http://www.kaiserhealthnews.org/stories/2014/february/07/rise-of-indentity-theft.aspx • “Medical Identity Theft” by Coalition Against Insurance Fraud. http://www.insurancefraud.org/scam-alerts-medical-id-theft.htm Sources – Cont’d