integrating hipaa into your compliance program fifth annual national congress on health care...
TRANSCRIPT
Integrating HIPAA Into Your Compliance Program
Fifth Annual National Congress on Health Care ComplianceFebruary 7, 2002
Glenna S. JacksonVice President Compliance, MedStar Health
Diane H. MeyerChief Privacy Officer & Senior Project Manager, Enterprise Solutions Group
Interim Privacy Officer, MedStar Health
© 2002 MedStar Health & Enterprise Solutions Group
2
Seven Elements of an Effective Compliance Program
Organization
Policy
Training
Monitoring
Communications
Responding to Concerns
Discipline
© 2002 MedStar Health & Enterprise Solutions Group
3
M ed S tar Hea lthC o rpo ra te C om p lian ce
D irec torC o n n ie F a ir ley
F rank lin S qu areH o sp ital
K end ra W hye
G eo rge to w n M ed icalC en ter
E llen C lem en te
G o od S am aritanH o sp ital
K en W a lsh
H arb or H osp italC en ter
E ileen S m ith
N atio n alR eh ab ilita tion
H o sp italP au l R ao
U n io n M em o rialH o sp ital
A nne F lood
W ash in gto n H o sp italC en ter
G lenna Jack son
H o sp italC o m plian ce
H o m e H ea lthM arga re t T e rry
M edS T ART ran spo rt
D av e Zw ersk i
N u rsin g Ho m esE llio t R o th
M edS tarE n te rpr ise
In c .
M edS tarP h ysic ian P artn ers
S usan T heuns &M ik e S ach tleben
M ed S tar R esearchIn s titu te
A lic ia K en ley
L abo rato ryC o m plian ceM iche le B est
C A S IC ecile S ou the rland
C en tra l Bu s in essO ffice
S ue W h iteco tton
D ivers ifiedB u s in esses
M ark M eg inn is
B altim o reS k illed N urs ing
E llio t C ahan
M edStar HealthVice President,
ComplianceGlenna Jackson
Organization
© 2002 MedStar Health & Enterprise Solutions Group
4
Organization
Expansion of existing Compliance Committee for HIPAA Implementation Process
Once implementation is complete, Privacy Officer and Compliance Officer coordinate on-going privacy compliance management
Key areas of representation for expanded Compliance Committee = HIPAA Implementation Task Force
OperationsClinical
IS
© 2002 MedStar Health & Enterprise Solutions Group
5
Organization
Implementation Task Force Representation Considerations
Medical Records Patient Financial Services Compliance/Risk Management Admissions Outpatient services IS Facilities Legal Marketing/Public Affairs Fundraising Operations/Planning Business Affairs Human Resources/Labor
Relations Patient Relations
Physicians Nurses/Patient Care Services Pharmacy Lab Residents/Teaching Physicians Relations Referrals Clinical - major product lines:
– Research– Emergency– Cancer Services– Heart Services– Women’s Services– Surgical Services– Radiology
© 2002 MedStar Health & Enterprise Solutions Group
6
Organization
Compliance Officer
Privacy Officer
Security Officer
Implementation Task Force / Expanded Compliance Committee
Patient Privacy Advisory Council
© 2002 MedStar Health & Enterprise Solutions Group
7
Policy
Code of Conduct and Compliance Policies
Enterprise-wide policy review for privacy gap analysis – where are we now, where do we need to go?
Modification of existing policies (examples: patient access to records, patient amendment of records, release of information for marketing purposes)
Development of new policies (examples: accounting of disclosures, Notice of Privacy Practices, Business Associate Agreements)
Policies for on-going compliance monitoring
© 2002 MedStar Health & Enterprise Solutions Group
8
Policy
Information Capture for development of the Notice of Privacy Practices
Does your department handle Protected Health Information (PHI) in any of the following ways? Create new PHI in electronic records Create new PHI in paper-based records Add PHI to records created by others Transfer PHI to another department within your hospital or business unit Receive PHI from another department within your hospital or business unit Disclose PHI to persons or entities outside your hospital or business unit Receive PHI from persons or entities outside your hospital or business unit Maintain PHI in electronic records in your department Maintain PHI in paper-based records in your department Review PHI created or compiled by others for other than treatment or paymentOther (explain)_________________________________ Not applicable: This department does not handle PHI
Please complete the sections below only for each of the boxes checked above
© 2002 MedStar Health & Enterprise Solutions Group
9
Policy
What PHI is created (added)? For what purpose is PHI created (added, transferred, received, disclosed, reviewed)?Treatment___ Payment___ Other (please describe the purpose) To which other departments (outside entities) is PHI transferred (received)? How is PHI transferred (received)? (original paper-based records, copies of paper based records, fax, email, telephone, etc.) What specific information is transferred (received, maintained, viewed)? (clinical information, demographic information, billing information, etc.) How is disclosure authorized? (written patient consent, required by law or regulation, required by contract, approved by IRB, etc.) In what format is PHI maintained (paper-based records, electronic-based records, CD’s, images, films, videotapes, etc.) Where is PHI maintained (in you department, in another location within the facility, off-site storage, etc.) How long is PHI maintained?
Information Capture for Notice Development (continued)
© 2002 MedStar Health & Enterprise Solutions Group
10
Policy
Policy Template
Policy Title Purpose Policy Statement Scope of Policy Definitions Responsibilities Exceptions What Constitutes Non-Compliance Explanation and Details/Examples Requirements and Guidelines for Implementing The Policy Related Policies Procedures That Are Absolutely Linked To the Policy Legal Reporting Requirements Reference to Laws or Regulations of Outside Bodies Right To Change or Terminate Policy
© 2002 MedStar Health & Enterprise Solutions Group
11
Training
Orientation Training now – begin to raise level of awareness
Workforce training required on organization’s privacy policies and procedures
Required training conducted towards completion of implementation – if privacy policies are changed, affected workforce must be retrained
Training customized to workforce needs – 3 levels Clinical staff – staff directly involved with patient treatment Staff in contact with patient information Staff with minimal/no contact with patient information
eLearning platform – if you’ve been considering it, now’s a good time
© 2002 MedStar Health & Enterprise Solutions Group
12
Code of Conduct
and
General Compliance
Do You Know the Code?
General
Compliance
© 2002 MedStar Health
13
Patient Confidentiality
• MedStar Health collects information about a patient’s medical condition, history, medication, and family illnesses in order to provide the best possible care.
© 2002 MedStar Health
14
Patient Confidentiality, continued
• MedStar Health realizes the sensitive nature of patient information and is committed to maintaining its confidentiality.
• We do not release or discuss patient-specific information with others unless it is authorized by:– law,
– the patient’s written consent, or
– departmental policy
© 2002 MedStar Health
15
What is HIPAA?
• Health Insurance Portability and Accountability Act– A law designed to make
sure your personal health information is private and secure.
© 2002 MedStar Health
16
Privacy
• What does privacy mean?– Controlling who is
allowed to get into information
– The right to keep information about themselves from being released
© 2002 MedStar Health
17
Security
• What does security mean?– the ability to control the
ways to get into information, and
– to protect information from:• changes,
• destruction
• loss, and
• accidental or intentional release to people who did not have permission to receive it.
© 2002 MedStar Health
18
HIPAA’S COVERED ENTITIES• Who is affected by HIPAA?
1) Health care entities who transmit any
health information in electronic form
for any of the following eight basic transactions:
• Claims
• Electronic remittance advice
• Eligibility
• Authorization
• Enrollment
• Coordination of Benefits
• Claims Status
• Premium Payments
© 2002 MedStar Health
19
Who is affected by HIPAA?, continued
2) Health Plans:• Group health plans that have fifty or more participants
• Health insurance issuers
• Health Maintenance Organizations (HMOs)
• Medicare Parts A and B, Medicaid Title 19
3) Clearinghouses - includes billing services,
repricing companies, community health management
information systems and value added networks
© 2002 MedStar Health
20
Protected H ealth Inform ation
• W hat does H IPAA cover?– Protected Health Inform ation
(PH I)• Individually identifiable health
inform ation that is sent or kept in any form or m edium (i.e., electronic, oral, written)
© 2002 MedStar Health
21
Permission to use PHI
• Consent– The patient gives permission to use and
release PHI for:• treatment
• payment, and
• health care operations
• Authorization– The patient gives permission to use PHI
for all other purposes.
© 2002 MedStar Health
22
Uses & Releases Requiring an Opportunity for the Individual to Agree or Disagree
• You must provide the individual an opportunity to agree or disagree to the use and release of PHI for the following purposes:– Inclusion in a facility directory
– Release to clergy
– Release to others involved with the patient’s care
– Release to family members
© 2002 MedStar Health
23
Penalties
• Violations of HIPAA standards could result in the following:– 1-10 year jail sentence
– $100.00-$250,000.00 in fines
© 2002 MedStar Health
24
Monitoring
No external audit for HIPAA Audit potential = every patient, every day Internal compliance review critical
Review for Privacy vulnerabilities before they become problematic – include patient point of view
Similarities to OIG Work Plan and Documentation & Coding compliance review
Similarities between Qui Tam Suits and Whistleblower provisions of HIPAA Privacy Rule
Expand to include Business Associates, Volunteers, Vendors, Physicians not on staff
HIPAA Enforcement Notice of Proposed Rule Making planned
JCAHO inclusion of Privacy© 2002 MedStar Health & Enterprise Solutions Group
25
Communications
Include Patient Education - process for privacy concerns or complaints
Establish policies and compliance review for publicity and media release
Develop a logo and tagline
“Just Do It Right”
“Protecting Patient Privacy”
Articles in Compliance newsletters and email updates
© 2002 MedStar Health & Enterprise Solutions Group
26
Responding to Concerns
Compliance protocol for handling issues applicable to HIPAA Privacy
Similar forms for logging complaints, ranking risk, tracking resolution
Similar reporting process
Hotline Employees – internal compliance hotline Patients – interface with customer service
Goal is to resolve privacy issues internally It is everyone’s right to complain directly to HHS Compliance Officer and Privacy Officer response
© 2002 MedStar Health & Enterprise Solutions Group
27
Discipline
HIPAA Privacy Rule: “A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures.” No detail provided in regulation
Privacy violation disciplinary action policies incorporated into existing Compliance and HR policies
Extend existing disciplinary process and mechanisms to apply to Privacy violations
Workforce awareness of HIPAA Civil and Criminal penalties for violations of the Privacy Rule
© 2002 MedStar Health & Enterprise Solutions Group