introduction phi rights protecting phi investigating & reporting hipaa training shelly vrsek...
DESCRIPTION
Introduction PHI Rights Protecting PHI Investigating & Reporting What HIPAA is Why it is important to you How persons served control their personal health information, and the related rights, exceptions, and disclosures The education and protection of the rights of persons served How we investigate and report breaches of confidentiality
TRANSCRIPT
Introduction / PHI Rights / Protecting PHI / Investigating & Reporting
HIPAA Training
Shelly Vrsek
Director of Quality
Privacy Officer
Today you will learn about the Health Insurance Portability and Accountability Act (HIPAA) and how to implement our HIPAA policies in your work
What HIPAA is
Why it is important to you
How persons served control their personal health information, and the related rights, exceptions, and disclosures
The education and protection of the rights of persons served
How we investigate and report breaches of confidentiality
Why are you attending this HIPAA training?
Because you are a covered function
HIPAA is a set of standards for the protection of certain health information
Covered functions must follow HIPAA policies
Let’s learn the 3 ways at LSSM that you can be considered a covered function
1. Covered Entity
You are a program that directly bills medical insurance for services that you provide
Examples at LSSM include: Home Health, Skilled Nursing, Occupational Therapy, and Outpatient Therapy
2. Business Associate
We may sign a Business Associate Agreement with another covered entity if either party is doing work that includes health information of shared clients
Examples at LSSM include: TRS as well as any program doing business with Community Mental Health
3. Elected Covered Entity
A program we have voluntarily elected as a covered entity, for the purposes of information sharing in our continuum of care
Examples at LSSM include: The Terraces and HCA
Covered functions have expectations related to
• The rights of those we serve, to view and change their records
• How we communicate those rights
• How we investigate and report unauthorized disclosures
Now that we know about covered functions, let’s define some new terms that will be helpful as we learn about how HIPAA impacts those we serve
1. Protected Health Information (PHI)
2. Authorization
3. Uses and Disclosures
4. Minimum Necessary
1. Protected Health Information (PHI)
Individually identifiable health information relating to:
• The past, present, or future physical health condition of a person served,
• Provision of health care to a person served, or
• Payment for the provision of health care to a person served.
PHI is considered identifiable if it contains any of the following:
Names
Addresses
Dates
Telephone Numbers
Fax Numbers
Email Addresses
Social Security Numbers
Medical Record Numbers
Health Plan Beneficiary Numbers
Account Numbers
Certificate / License Numbers
Vehicle Identifiers & Serial Numbers
Device Identifiers & Serial Numbers
Web Universal Resource Locators
Internet Protocol Address Numbers
Biometric Identifiers
Full Face Photographic Images
Any Other Unique Identifying Number, Characteristic, or Code
2. Authorizations
Permission to release PHI.
3. Uses and Disclosures
Instances where we release PHI with or without authorization.
4. Minimum Necessary
Employees must only access, request and disclose what they need to know or what is absolutely necessary to carry out their duties. This does not apply when a person served is requesting his/her own information.
Now let’s learn about how persons served may control their PHI and the related rights, exceptions, and disclosures
The 6 rights of persons served, regarding their PHI
Persons Served by a Covered Program Have the Right to:
• Inspect and obtain copies of their PHI
• Request to change their PHI
• Request an accounting of certain disclosures of their PHI
• Request to restrict the use or disclosure of their PHI
• Receive PHI communications confidentially
• File complaints concerning the use or disclosure of their PHI
The 5 exceptions to the rights of persons served, regarding their PHI
In some cases, persons served do not have the right to review information in their records, and information cannot be released to others for the following reasons:
• The chart includes genetic information
• The chart identifies individuals who have reported abuse, per the law
• The chart includes PHI of others, including family members
• The chart includes the identity of any records related to foster care or adoption, per applicable laws
• The request includes psychotherapy notes that are kept separately from the chart by the therapist
What should you do if a person served makes a request or complaint regarding their PHI?
A director, administrator or the Privacy Officer will make decisions about many of these requests
Notify your supervisor right away
Now let’s learn the ways that we may disclose PHI
With authorization
• Written
• Verbal
Without authorization
Disclosing PHI with Written Authorization
In most situations, we must have written authorization from persons served to disclose or use their PHI
They provide written authorization by signing an Authorization to Disclose Health and Service Information form
Disclosing PHI with Verbal Authorization
In some situations, persons served can verbally authorize, object to, or restrict the disclosure of their PHI
These situations could include
• For inclusion in a facility directory
• When third parties are present (PHI can be shared with family and friends)
Disclosing without written or verbal authorization is allowable in the following situations:
• To other covered functions for the purpose of treatment
• For payment of healthcare operations
• To report abuse, neglect or domestic violence
• To report a crime
• For disaster planning
• For public health activities
• When the person served cannot agree (and a representative is not available)
• In other unusual situations, per the approval of our Privacy Officer
It is our responsibility to protect the PHI of persons served and to educate them about their rights
Let’s learn how we do this
LSSM protects the PHI of persons served and educates persons served about their PHI rights by
• Ensuring that staff understand HIPAA and the rights of persons served
• Utilizing the Notice of Privacy Practices
• Utilizing Business Associate Agreements
• Assessing and mitigating risk
Ensuring that staff understand HIPAA and the rights of persons served
1. We require staff to complete this HIPAA training and review and adhere to our HIPAA policy
2. We require staff to complete our Confidentiality training and review and adhere to our Confidentiality and Information Technology (IT) policies
Utilizing the Notice of Privacy Practices (NOPP)
1. This document outlines all of the rights of persons served under HIPAA, and how they can access assistance
2. We must make a good faith effort to have the person served or a personal representative sign the NOPP at the start of service
3. If we cannot obtain a signature, we must make a note on the NOPP to explain the circumstances, and send it to the next of kin
4. We cannot deny treatment if the person served or personal representative declines to sign the NOPP
Utilizing Business Associate Agreements
1. When we use a contractor for services, it may be necessary for them to use or disclose the PHI of those we serve
• Examples: software for medications or charting, food service providers, or landlords
2. Each contractor with access to PHI must sign a Business Associate Agreement with us. This ensures that they know to comply with HIPAA.
Assessing and Mitigating Risk
1. The Risk Management Team reviews incident reports, training, and situations
2. The IT team monitors security, and limits access to our data
3. Breach assessment investigations are conducted each time staff report a situation (verbally or through our Incident Reporting system)
Breaches of Confidentiality
We are at financial and reputation risk for breaches
The government can fine our organization as well as our individual employees
Fines are mostly assessed for intentional breaches for personal gain, or in situations where the PHI of many persons is released
In every case, LSSM must notify anyone affected, which could result in legal consequences
In cases where more than 500 individuals are affected, we must also notify the media
The risks for persons served could involve compromised dignity, loss of work, identity theft or other personal situations
What should you do if you suspect a breach of confidentiality?
1. Immediately report it to your supervisor, then to the Privacy Officer
2. Enter the information into the Incident Reporting System
Privacy Officer
The Privacy Officer will work with you and your supervisor to investigate the breach
Privacy Officer
• Reports the breach to the proper authorities
• Works with you to notify the persons served who may be affected
• Works with you and your team to prevent this type of breach from happening again
We’ve learned about:
• Types of covered functions
• 6 PHI rights
• 5 PHI exceptions
• 3 PHI disclosures
• 4 ways we protect and educate about PHI
• Reporting and investigating breaches
To Do:
1. Review the HIPAA policies
2. Complete the Confidentiality training
3. Review the Confidentiality policies
4. Review the IT policies