hipaa privacy training for associates - hays med · pdf filehipaa privacy training for...
TRANSCRIPT
HIPAA PRIVACY TRAINING FOR ASSOCIATES
HAYS MEDICAL CENTER
CHRISTY STAHL, CPC
COMPLIANCE MANAGER
&
PRIVACY OFFICER
HIPAA
HaysMed’s Privacy
Officer is Christy Stahl.
She is responsible for
the oversight of
HaysMed’s compliance
with the HIPAA privacy
regulations. She also
investigates any alleged
privacy violations.
Associates
You will notice the term “Associates” is used throughout this
training. “Associates” is a broad term that represents all the
following individuals who are associated with HaysMed:
• Employees
• Volunteers
• Students
• Other trainees
• Members of the Board of Directors
• Locum Tenens
• Contract Staff
• Independent Contractors
• Other persons whose conduct is under the direct control of
HaysMed (whether or not they are compensated by HaysMed
for such services)
HIPAA
LESSON ONE
Welcome to the introductory lesson on the
HIPAA Privacy and Security Rules
HIPAA
COURSE RATIONALE
In this course, you will learn about:
• Federal regulations concerning patient
confidentiality and computer security
• How those regulations impact your job
duties/training at HaysMed
HIPAA
COURSE GOALS
After completing this course, you should
• know the rules regarding the use and disclosure of protected health information
• Understand safeguards to protect patient privacy
• Appreciate the importance of computer security
HIPAA
COURSE OUTLINE
Lesson 1 – this introductory lesson gives you the course
rationale, goals, and outline
Lesson 2 – provides an overview of the HIPAA Privacy and
Security Rules
Lesson 3 – explains the rules regarding use and disclosure of
patient information
Lesson 4 – addresses patients’ rights concerning their health
information
Lesson 5 – talks about safeguards to protect patient privacy and security
HIPAA
LESSON 2
Overview of the HIPAA Privacy and Security
Rules
HIPAA
Welcome to Lesson 2 for an overview of the HIPAA
Privacy and Security Rules
After completing this lesson, you should:
– Understand where the rules came from
– Appreciate why we have these rules
– Know the consequences of violating the rules
HIPAA
• HIPAA stands for the Health Insurance
Portability and Accountability Act of 1996
• HIPAA is a federal law that was enacted by Congress
and signed by the President in 1996
HIPAA
As part of the HIPAA law, Congress directed the
U.S. Department of Health and Human Services
(DHHS) to develop regulations that would:
protect patient privacy
protect the security of health information stored
and transmitted electronically
HIPAA
The final HIPAA Privacy Rule became effective in April 2003
The final HIPAA Security Rule became effective in April 2005
These rules regulate the way covered entities handle protected health information
HIPAA
The HIPAA Privacy and Security Rules only apply to covered entities
We refer to covered entities as CEs
There are three types of CEs:
Health Care Providers (e.g., hospitals, physicians, nursing
homes, pharmacies)
Health Plans (e.g., health insurance companies, employee-
sponsored health plans)
Healthcare Clearinghouses (organizations that process
insurance claims)
HaysMed is a CE, so the hospital, its physician clinics, and Associates must comply with the HIPAA Privacy and Security Rules
HIPAA
The HIPAA Privacy and Security Rules
regulate how we safeguard, use, and
disclose Protected Health Information or
PHI.
PHI includes all individually identifiable health
information
PHI is not limited to paper documents. It includes
data and oral communications
HIPAA
Health information includes:
- Past, present, or future physical or mental health or
condition of an individual
- Provision of health care to an individual; or
- Past, present, or future payment for the provision of
health care to an individual.
Information is protected regardless of how sensitive it may be
HIPAA
Health information is individually identifiable if:
- identifies an individual
- provides some basis from which someone could identify
an individual if they really wanted to
HIPAA
Examples of information that is considered “identifying”:
- name, address, telephone number, fax number, email
address
- birth date, admission date, discharge date
- social security number, medical record number, account
number
- information about relatives, employers, etc.
- vehicle ID number, URL address
Examples of PHI
All of the following constitute PHI:
- A lab test report that lists only the patient’s medical record number
- A conversation between two nurses about the patient in Room 202
- A message on an answering machine asking John Doe to call his
doctor’s office
- A receipt for payment of an office visit co-payment
Examples of PHI
- Patient Photos
- Status boards in the Electronic Medical Record
- Emails containing patient information
- Patient Discharge Instructions
HIPAA
Consequences of violating the HIPAA Privacy and Security Rules
- Significant government fines and penalties against HaysMed
- Up to $50,000 per violation
- Criminal penalties against the individuals involved in the violation
- Expensive civil lawsuits brought by individuals against HaysMed and its Associates
- Damage to HaysMed’s reputation in the community
- For licensed individuals (e.g., nurses, therapists), disciplinary action by their licensing board
HIPAA
• Consequences of violating HaysMed’s HIPAA policies:
- For HaysMed employees, disciplinary action by HaysMed, up to and including termination
- For students, termination of their training at HaysMed
- For contracted individuals, termination of their contract with HaysMed
- Understand that HaysMed is obligated to report licensed Associates to their licensing agencies when the Associate violates HIPAA
HIPAA
You have completed Lesson 2 on the purpose of the HIPAA Privacy and Security Rules
HIPAA
Remember:
• The HIPAA Privacy and Security Rules regulate the way covered
entities safeguard, use, and disclosure protected health information
PHI is any information relating to a person’s health, healthcare, or payment for healthcare services that contains something that could be used to identify the person
• PHI is not limited to paper documents. It includes electronic data and oral communications
• The consequences of violating these rules can be severe for HaysMed and its Associates
HIPAA
Lesson 3
Uses and Disclosures of PHI
HIPAA
Welcome to Lesson 3 on uses and disclosures of PHI
After completing this lesson, you should be able to:
- List uses and disclosures of PHI allowed under the
HIPAA Privacy Rule
- Recognize what must be included in written permission
for uses and disclosures
- Define “minimum necessary” use or disclosure
HIPAA
Competing Interests
The HIPAA Privacy Rule tries to balance two competing
interests:
- No. 1: protect patient privacy
- No. 2: allow the flow of PHI when needed to
ensure high quality healthcare and protect
public health
HIPAA
A CE cannot use or disclose PHI without the
patient’s authorization unless an exception applies
Exceptions are based on the purpose of the use or
disclosure, as opposed to the type of PHI involved
Lets look at some of those exceptions
HIPAA
Treatment, Payment, Health Care Operations
Use and disclosure of PHI is permitted without patient
authorization if the purpose of use or disclosure is
- treatment
- payment
- health care operations
HIPAA
Treatment
HaysMed may use and disclose PHI to treat its
patients
HaysMed may disclose PHI to other healthcare
providers for them to treat their patients
HIPAA
Payment
HaysMed may use and disclose PHI to obtain
payment for services it provides.
HaysMed may disclose PHI to another CE as
necessary for that CE’s payment purposes
HIPAA
Health Care Operations
HaysMed may use and disclose PHI for health care operations, which include:
- management functions necessary to support treatment or payment
- quality assurance activities
- utilization review activities
- audits
- credentialing
Research activities and marketing do not qualify as health care operations
HaysMed may disclose PHI to another CE for that CE’s health care operations only if that CE has a pre-existing treatment relationship with the patient
Opportunity to Opt Out
HaysMed may use or disclose PHI in the following ways without a written authorization if the individual has the opportunity to agree to or prohibit or restrict the use or disclosure:
- HaysMed may use a patient’s name, location in the facility, religious affiliation, and condition described in general terms to maintain a facility directory. HaysMed may disclose this information to clergy or, with the exception of religious affiliation, to other persons who ask for the person by name
HIPAA
Business Associates (BAs) • Third parties that access or create PHI on behalf of HaysMed for
purposes other than treatment
• Must have written Business Associate Agreement (“BAA”) with
HaysMed regarding use of PHI
• BAs subject to certain provisions of HIPAA Privacy and Security
Rules
• HaysMed liable for BA if BA acts as HaysMed’s agent
HIPAA
- HaysMed may disclose to a patient’s family member, close
personal friend, or other person identified by the patient PHI
directly relevant to such person’s involvement with the patient’s
care or payment for services
- HaysMed may use or disclose PHI to notify a family member,
a personal representative of the individual, or other person
responsible for the individual’s care
HIPAA
Other Permitted Uses and Disclosures Without Written Authorization
The HIPAA Privacy Rule includes several other exceptions that permit use and disclosure of PHI without written authorization
- as specifically required by law
- for public health activities (e.g., reporting disease or injury)
- to report victims of abuse, neglect, or domestic violence
- for health oversight activities by the government
- in judicial and administrative proceedings
HIPAA
Continued:
- for law enforcement purposes
- to disclose information to coroners, including medical
examiners, or for the purpose of cadaveric organ, eye and
tissue donations
- to avert a serious threat to health and safety
- to a funeral director as necessary to carry out duties with
respect to decedent
- for specialized governmental functions
- for workers compensation claims
HIPAA
Special Rules for Certain Types of
Disclosures
Use and disclosure of PHI for the following purpose
without an authorization is permitted in limited
circumstances
- marketing
- fundraising
- research
HIPAA
Special Rules for Certain Types of PHI
Certain types of PHI are subject to special
protections under state and federal law - HIV/AIDS information
- records of treatment in a federally-assisted drug and alcohol
treatment program
- information relating to patients of community mental health
centers, community service providers, psychiatric hospitals,
or state institutions for the mentally retarded
Even if a particular use or disclosure is permitted without an authorization under the
HIPAA Privacy Rule, such use or disclosure may be prohibited under these rules
HIPAA
Authorizations
If no exceptions applies, HaysMed must obtain a
written authorization from the patient (or personal
representative) before using or disclosing the
patient’s PHI
Authorization Required Elements
To be effective, a written authorization must include: - Description of PHI to be used or disclosed
- Description of the purpose of the use or disclosure
- Description of the persons or class of persons that may use PHI or to who the PHI may be disclosed
- Revocation and re-disclosure instructions
- Notice that HaysMed must treat the patient regardless of whether authorization is given
- Expiration date or triggering event
- Individual’s signature or personal representative’s signature and authority
HaysMed has a standard Authorization Form it uses to release PHI.
• You may access or discuss PHI only to extent necessary to
perform job duties
• Electronic audit trails track each time you access a record
(including status boards)
• If you access or discuss any patient’s PHI without a legitimate
job-related reason for doing so, you will be disciplined,
including possible termination
– Regardless of location (at work, at home, in a social setting)
– Includes friends and family members
Role-Based Restrictions
HIPAA • Breach Notification
– If a patient’s PHI is breached, HaysMed must provide
specific written notice of such breach to that patient within
60 days of discovery
– Must submit annual reports to the government
– Breach = improper use or disclosure + potential for harm to
the individual
– HaysMed must review every improper use or disclosure to
determine if it constitutes a breach
– Failure to document such review = HIPAA violation
• Associates must report all improper uses or
disclosures of PHI to HaysMed’s Privacy Officer
Enhanced Enforcement
• Department of Health and Human Services must investigate any complaint
which may involve willful neglect
• State Attorneys General may bring action to enjoin violations or obtain
damages
• Penalties reinvested in enforcement activity
• Individual harmed by violation eligible for portion of any penalty
Five Factors For Breech Evaluation
1. Nature and extent of violation
2. Nature and extent of harm resulting from
violation
3. History of prior compliance and violations
4. Financial condition of violator
5. Such other matters as justice may require
Tier 1
Violation not known or
reasonably known
Tier 2
Violation due to
reasonable cause, but
not willful neglect
Tier 3
Violation due to willful
neglect, if corrected
Tier 4
Violation due to willful
neglect, if not corrected
At least $100 per
violation, $25,000 max
for identical violations in
calendar year
At least $1,000 per
violation, $100,000 max
for identical violations in
calendar year
At least $10,000 per
violation, $250,000 max
for identical violations in
calendar year
At least $50,000 per
violation, $1.5 million
max for identical
violations in calendar
year
Civil Monetary Penalties
• Employees and other agents may be held
criminally liable for HIPAA violations
Criminal Penalties
• No laptops at meetings if viewing patient information
• Do not view/work on medical records where other can see the patient’s information
• Lock down computer monitors
• Be cautious in selecting a patient’s name when printing documents from Access E-Forms
• Obtain assistance before communicating with law enforcement
• Remove patient history information before handing the clipboard to the next patient
• Double check fax numbers before faxing
Lessons Learned
Minimum Necessary Rule
Any use or disclosure must be limited to the minimum amount of information necessary to accomplish the specific purpose of the use or disclosure.
HIPAA
The minimum necessary rule does not apply to:
- uses and disclosures for treatment purposes
- uses and disclosures made pursuant to an authorization
- disclosures to the person who is the subject of the information
- disclosures required by law
Associate Access to PHI
An Associate may access or discuss any patient’s
PHI only to the extent necessary to perform
his/her job duties
An Associate who accesses or discusses any
patient’s PHI (including family members) without
a legitimate job-related reason for doing so will be
subject to discipline up to and including
termination
HIPAA
What To Do If You Have Questions
The rules concerning use and disclosure of PHI can be confusing
If you have a question concerning these rules, contact HaysMed’s Privacy Officer, Christy Stahl
- 785-623-2188 work #
- 785-623-1821 cell #
HIPAA
You have completed Lesson 3 on uses and disclosures of PHI
HIPAA
Remember:
- you cannot use or disclose PHI without written authorization unless an exception applies
- uses and disclosures for treatment, payment, and health care operations are permitted
- there are several other exceptions that apply in specific circumstances
- a written authorization must contain specific information to be valid
- All improper uses or disclosures of PHI must be reported to the Privacy Officer to determine if breach notification is required
- an associate who uses or discloses a patient’s PHI without a job related reason for doing so will be disciplined
- Seek guidance from your supervisor or the Privacy Officer before disclosing any protected healthcare information to a police officer
- if you have questions concerning uses and disclosures of PHI, contact HaysMed’s Privacy Officer
HIPAA
Lesson 4
Patients’ Rights Concerning Their PHI
HIPAA
Welcome to Lesson 4 on patients’ rights
concerning their PHI
After completing this lesson, you should be able to:
- identify patients’ rights concerning their PHI
- assist a patient who wants to exercise one of those rights
HIPAA
Right to Access PHI
HaysMed must give a patient access to inspect and
copy his or her PHI maintained in a designated
record set
A patient wanting access must submit a written
request to the Medical Records Department
HIPAA
Right to an Accounting
A patient may request accounting of HaysMed’s uses and disclosures of the patient’s PHI made within the last 6
years
Such an accounting does not include uses or disclosures for treatment, payment, or health care operations or uses and disclosures authorized by the patient
A patient wanting an accounting must submit a written request to the Privacy Officer
HIPAA
Right to Request Amendments
A patient can request that PHI be amended if he or she believes it is not accurate
HaysMed can deny such request if the information is accurate and complete or not created by HaysMed
A patient seeking an amendment must submit a written request to the Privacy Officer or to the Medical Records Department
HIPAA
Right to Request Restrictions
A patient may request HaysMed restrict those uses
or disclosures permitted without authorization
Such request must be made in writing to the Privacy
Officer or to the Medical Records Department
HaysMed is not required to agree to such request
HIPAA
Right to Receive Confidential
Communications
A patient may request that HaysMed communicate with him
or her by alternative means or at alternative locations (e.g.,
only contact the patient at a certain telephone number)
HaysMed must abide by all reasonable requests
If a patient makes such a request to you, make sure such
request is communicated to the appropriate people and
documented appropriately
HIPAA
You have completed Lesson 4 on patients’ rights concerning their PHI
HIPAA
Remember:
A patient has the right to: - access his/her PHI
- obtain an accounting of HaysMed’s disclosures of his/her PHI
- request an amendment to his/her PHI
- request restrictions on uses and disclosures permitted without an authorization
- receive confidential communications
HIPAA
Lesson 5
Administrative Requirements
HIPAA
Welcome to Lesson 5 on administrative requirements
When you complete this lesson, you should be able to:
- identify the administrative requirements the HIPAA Privacy Rule imposes on HaysMed
- understand the importance of following safeguards to prevent improper disclosures of PHI
HIPAA
Notice of Privacy Practices
• HaysMed must give all of its patients a written
Notice of Privacy Practices
• Patients are requested to sign an acknowledgement
of receipt
• A copy of the Notice is available on HaysMed’s
website, www.haysmed.com
Safeguards
All Associates must follow safeguards to prevent improper uses and disclosures of PHI
As part of your work, you will have conversations with patients, family member, co-workers involving PHI. You must take care to avoid others overhearing those conversations
Never leave documents containing PHI unattended where they could be accessed by unauthorized persons
Safeguards
Never share your computer password with anyone else
Never allow anyone else to use your computer password
If you have reason to believe the security of your password has been compromised, notify the Privacy Officer immediately
Safeguards
Always wear name badges to prevent unauthorized
individuals from having access to PHI
Confirm identity of person with whom speaking
and follow procedures when leaving messages
Keep all PHI within HaysMed’s facility unless job
duties specifically require otherwise (this is the
rule, not the exception)
Safeguards
Always lock doors
Be cautious when stuffing envelopes with
patient information
Double check fax number before sending
PHI and always use a fax cover sheet
• Lock down your computer before leaving it
– Alt + Q
– Ctrl + Alt + Delete
• Do not get caught in a phishing attack
• Beware of social engineering
• Do not plug an unknown USB into your
computer
Everyday Safeguards
Email has become a vital tool for communication in today’s healthcare delivery environment. This tool, however, does not come without risks.
First off, it is extremely easy to send Protected Health Information in near real time. This is very valuable when done correctly. We are trying to remind associates, when it is necessary to send any sensitive data to a non-HaysMed email account, be sure to send it securely. This is accomplished by using the word “secure” in square brackets anywhere in the “Subject:” line of the email (e.g. [secure] ). This will allow the recipient to retrieve the email through a secure website.
Secondly, this note is a caution to users that email is a favored mechanism of “bad-actors” with malicious intent who are continually trying to compromise HaysMed’s network resources. Associates need to always remain vigilant with messages they receive. Exercise extreme care when clicking website links received via email; as a general rule, you should never click an unsolicited link and you should never give your login information if prompted after clicking these types of links (see example malicious email message below).
Dear Account Owner,
We want to upgrade all Microsoft Exchange email account scheduled for today as part of our duty to strengthen security of your mailbox. CLICK HERE to upgrade your account to Outlook Web Apps 2015. If your settings is not updated today, your account will be inactive and cannot send or receive message any longer. Sincerely, -IT Department Microsoft Corporation. All rights reserved
Security of the HaysMed network is everyone’s responsibility and we look to you to help to keep our data secure.
Scott Rohleder
Hays Medical Center
http://www.haysmed.com
Phishing Attack
Secondly, this note is a caution to users that email is a favored mechanism of “bad-actors” with malicious intent who are continually trying to compromise HaysMed’s network resources. Associates need to always remain vigilant with messages they receive. Exercise extreme care when clicking website links received via email; as a general rule, you should never click an unsolicited link and you should never give your login information if prompted after clicking these types of links (see example malicious email message below).
Dear Account Owner,
We want to upgrade all Microsoft Exchange email account scheduled for today as part of our duty to strengthen security of your mailbox. CLICK HERE to upgrade your account to Outlook Web Apps 2015. If your settings is not updated today, your account will be inactive and cannot send or receive message any longer. Sincerely,
-IT Department Microsoft Corporation. All rights reserved
Phishing Attack
Safeguarding Electronic PHI (e-PHI)
Computer Security Measures:
▪ Passwords and access codes ▪ User profiles
▪ Audit logs ▪ Encryption
▪ Physical location of equipment ▪ Data back-up
▪ Firewalls, virus detection
▪ Password-protected screensavers
▪ Removal and destruction
HIPAA
Your duties and responsibilities
Do not disclose password or access code to any person (except
authorized IT staff)
Do not ask anyone to disclose his/her password or access code
Do not store PHI on any hard drive (both work and personal devices)
Do not transmit any PHI (e.g., e-mail) unless properly encrypted
(Contact IT Department for directions on encrypting messages)
HIPAA
Mobile devices (CDs, flash drives, memory
cards, cell/smart phones)
Restrict use of mobile devices for storage or transmission of e-PHI
To the extent possible, password protect mobile devices
Return mobile devices for proper destruction to IT Department
• Includes Facebook, Twitter, LinkedIn, school
blogs, etc.
• You are personally and legally responsible for content you post on any social networking site
• Even when using privacy settings, you should treat all postings as public information
Social Media
An Associate shall adhere to all provisions of the Confidentiality Agreement when posting on any social networking site. An Associate shall not post to any social networking site during work hours, unless an Associate’s job description requires such posts to be made as part of maintaining a Hays Medical Center sponsored social networking page.
Social Media
1. Do not post any information about a HaysMed patient, even if you do not identify the patient by name or otherwise
Friends and family members --only if your knowledge of such person’s condition is based solely on personal
experience
2. Do not blog or post comments, messages, or other content anonymously when commenting about HaysMed or any HaysMed physician or employee
3. When blogging or posting comments, messages, or other content regarding HaysMed, you must affirmatively state that your views are not those of HaysMed
Social Media – Three Rules
HIPAA
Other Administrative Requirements
To comply with the HIPAA Privacy Rule, HaysMed must:
- discipline Associates, Vendors, and Agents that violate the HIPAA Privacy Rule
- maintain a complaint/grievance process for complaints about HIPAA Privacy Rule violations
- take action to mitigate any bad effect of inappropriate disclosure or use of PHI to the extent possible
HIPAA
Reporting Concerns
If you believe there has been a violation of the
HIPAA Privacy Rule, report that information to
the Privacy Officer as soon as possible
HIPAA
Immediately report any of the following to Christy Stahl,
HaysMed Privacy Officer:
• Any lost or stolen device (laptop, cell phone, memory card, etc)
• Any lost or stolen paper records
• Any potential compromised password
• Any suspected unauthorized access to PHI
• Any postings of PHI to any website
• Any unauthorized disclosure of PHI (no authorization form, no
applicable exception)
HIPAA
Prohibition on Waiver and Retaliation
HaysMed will not require any person to waive his or
her rights under the HIPAA Privacy Rule as a
condition of treatment or payment of benefits
HaysMed strictly prohibits any sort of retaliation,
intimidation, or discrimination against persons
exercising their rights under the HIPAA Privacy
Rule
HIPAA
You have completed Lesson 5 on the HIPAA Privacy Rule’s administrative requirements
HIPAA
Remember:
- you must act to protect patient confidentiality
- you will be disciplined if you do not follow proper safeguards
- you must report suspected violations of the Privacy Rule to HaysMed’s Privacy Officer
Your Responsibilities
• Comply with the HIPAA Privacy Rules
• Follow the Confidentiality Agreement
• Do not take any PHI out of the facility
• Do not access your medical record or the medical record of your family members on your own – make request at the Medical Records Department (Health Information Management)
• Do not access any medical records unless your job/training requires you to access a patient’s medical record
• Do not have an Associate, Physician, or any other person access a record for you
• Never use PHI in an educational presentation unless the patient has signed an Authorization
Your Responsibilities
• Do not view patient status boards for other departments
• Never text any information about a patient
• Do not discuss patients with persons outside HaysMed
• Do not discuss your training experience at HaysMed on Facebook, MySpace or Twitter…………….even if you do not mention patient names
• Associates that are students must de-identify all information used, unless your HaysMed supervisor gives you approval to obtain an authorization from the patient
• Never take a picture of a patient or a patient’s information with your cell phone
• Never give any documents to a patient until you verify the identity of the patient and verify the documents