HIPAA Privacy & Security Health Insurance Portability and Accountability Act

Transcription

1 HIPAA Privacy & Security Health Insurance Portability and Accountability Act ASSOCIATE EDUCATION St. Elizabeth Medical Center

2 Origin and Purpose of HIPAA In 2003, Congress enacted new rules that would affect the entire healthcare industry. Purpose to: Protect the privacy of patients' health information; and Protect the security of patients' health information. These rules, which will be discussed in this course, are known as the Administrative Simplification provisions or requirements.

3 What is Protected Health Information (PHI)? Protected Health Information (PHI) is any health information that may identify the patient. There are 18 PHI identifiers that apply to patients, their relatives, employers or household members. Name Address Dates directly related to patient Telephone Number Fax Number addresses Social Security Number Medical Record Number Health Plan Beneficiary Number Account Number Certificate/License Number Any vehicle or device serial number Web URL Internet Protocol (IP) Address Finger or voice prints Photographic images Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not) Age greater than 89

4 More on PHI PHI comes in many forms such as paper documents, what we hear or overhear and what we see. All forms of PHI including that which we see or overhear should be treated confidentially. Examples are: Seeing your neighbor in the waiting area. Overhearing Doctor Patient conversations. Medication forms.

5 This privacy section of HIPAA covers: 1. Patient rights 2. Uses and Disclosures of PHI 3. Minimum Necessary 4. Policies, Procedures and Documentation

6 Patient Rights HIPAA requires St Elizabeth Medical Center to provide a Notice of Privacy Practices ("Notice") to our patients. The Notice: Lets patients know what St. Elizabeth Medical Center is doing to protect their PHI. Informs patients about their privacy rights. Explains to patients how they can exercise their privacy rights. Provides the title and phone number of a contact person if the patient wants more information or wishes to file a complaint.

7 Patient Rights (continued) The Notice of privacy practices is presented to each patient as they are registered. The notice informs the patient that they have a right to: Receive the Notice of the Privacy Practices of SEMC. Request Additional Privacy Protections and Confidential Communications. Obtain Access to their PHI. Request an Amendment to their PHI. Receive an Accounting of the Uses and Disclosures of their PHI.

8 Uses and Disclosures of PHI A patient signs an authorization to use or disclose PHI form which allows SEMC to use and disclose PHI for purposes other than payment, treatment or healthcare operations. Authorizations are obtained on a case-by-case basis and are needed each time a different use or disclosure is desired. Once an Authorization is provided, the patient can revoke or cancel the Authorization. Before any PHI is released, you must follow the facility procedures for verifying the identity of the person requesting the information.

9 Accounting of Disclosures Patients have a right to ask for an accounting of disclosures of their medical information. Basically this is a report that lists the places where St. Elizabeth has disclosed patient information for purposes other than payment, treatment or health care operations. As a St. Elizabeth workforce member you are required to account for disclosures. Some examples of potential areas where accounting of disclosures applies are: Public Health Authorities Food and Drug Administration Health Oversight Judicial and Administrative Proceedings Law Enforcement

10 Uses and Disclosures of PHI Another term associated with the use and disclosure of PHI is Business Associate. A Business Associate is "a person or organization that uses or receives PHI from a facility in order to perform or assist the facility with some activity or function." Some of SEMC s more common Business Associates include: Independent Contractors, Consultants, Lawyers, Auditors, Information System/Data Processing Vendors and Billing Companies. For a facility to disclose PHI to a Business Associate, a written contract, agreement or other arrangement must be in place that meets regulatory standards and requirements.

11 How do we dispose of PHI when we are finished with it? Place it in the shredding container!

12 Minimum Necessary What is the Minimum Necessary Standard? The minimum necessary standard requires SEMC workforce members to access or give out the least amount of PHI possible to accomplish their job. The minimum necessary standard does not apply when information is requested to treat a patient.

13 Privacy Policies, Procedures and Documentation As part of the privacy practices, SEMC is required to have written policies and procedures relating to PHI and information practices. Below is a general listing of the types of policies and procedures our facility has available: Employee Access of PHI Minimum Necessary/Need to Know Disclosure of PHI to Personal Representatives Verification of Persons Requesting PHI Confidential Information and Equipment in Public Places

14 HIPAA Security Requirements The Security Rule's requirements are organized into three categories: administrative safeguards manage security measures and workforce conduct to protect EPHI. physical safeguards protect information systems, buildings and equipment from natural and environmental hazards. technical safeguards technologies used to protect EPHI and control access to it.

15 What is Electronic Protected Health Information? EPHI is PHI created, received, stored or transmitted electronically. Examples of EPHI include, but are not limited to: Demographic information about a patient contained in SEMC information systems such as Medstar, Clinstar and Allegra. A note regarding a patient stored in your Palm Pilot. Billing information that is saved to a CD or disk. A digital radiograph of a patient stored on your hard drive.

16 What is electronic media? Electronic media is any device that can store EPHI. computer networks personal computers (PC s) laptop computers personal digital assistants (PDAs) handheld computers magnetic tapes disks compact disks (CDs) other means of storing electronic data such as memory sticks NOTE: Department manager approval is required prior to placing PHI onto any portable device or electronic removable media.

17 Passwords are a very important part of EPHI security Password Expectations Keep your passwords confidential. Avoid maintaining a paper record of passwords. Change passwords when there is an indication of compromise or when necessary to share with Information Systems for troubleshooting a problem with your computer. Do not use the same passwords for business and personal accounts. Change passwords at regular intervals (90 days). Do not include passwords in any automated log-on process, including web pages.

18 What does a good password consist of? Passwords should be: A minimum length of 8 characters. incorporate at least 2 of the following characteristics: lower case letters (a-z) upper case letters (A-Z) numbers (0-9) punctuation or characters # $ % ^ & * ( ) _ - + = { } [ ] : ; \ /? < >,. ~ `) Words that are not found in a dictionary. No personal information such as: names, pets, birth dates, etc. that can be easily guessed. Examples : ilgakcgc (I Love golfing at Kenton County golf course) %mhi30yo% (% my husband is 30 years old %) mvi0521! (my Vacation is 0521!)

19 Computer Access Access to confidential information and EPHI is granted to individuals on a need-to-know basis. If you believe that someone else is inappropriately using your ID or password, immediately notify the Information Systems Help Desk. Workstations will be used only for authorized business purposes related to the duties and responsibilities of SEMC workforce members. SEMC workforce members will take all reasonable and required precautions to protect the confidentiality, integrity, and accessibility of confidential information. Computers will not be used to engage in any activity that is illegal under local, state, federal, or international law or in violation of SEMC policy. Do not access inappropriate or offensive websites, engage in gambling, send malicious s, or download copyrighted materials.

20 What is Social Engineering? Social engineering is a term used for tricking someone into giving out information like passwords that will compromise system security. Note: Don t be afraid to ask questions as to why someone is accessing a PC if they look out of place. Notify your supervisor, Security department or Information Systems help desk to report any suspicious activity. Here are some tricks used by social engineers: An unknown person (with or without an SEMC badge) asks for your ID code and password. Someone without an ID badge is using (or attempting) to use a PC without approval. Someone asks for your ID Code and password by phone.

21 Locking the Computer When leaving a computer unattended, lock the computer or log-off. (If you share a computer, log off when you are finished, do not lock the computer. If your computer does not have the ability to lock, log out of your system). To lock the computer: 1. Press CTRL, ALT, Delete keys on the keyboard to lock the computer. 2. On the pop up window, click on the Lock Computer button.

22 Destruction of Electronic Media Destruction of SEMC Electronic Media will be accomplished in the following ways: Send large quantities of used CDs and diskettes to the Housekeeping Department Call IS to destroy all computer equipment besides CD s and diskettes. Reuse of Storage Devices or Removable Media It is ok to re-use media within SEMC (take precautions such as reformatting before re-using). No storage devices are to be re-used outside of SEMC. Any media that cannot be re-used within SEMC should be disposed of.

23 Confidentiality Extends to the Home If SEMC allows you to perform your work from home, you are responsible for maintaining the privacy and security of all confidential materials e.g. patient charts, computers and confidential working papers. All SEMC confidential materials should be kept in a location that is not accessible to others.

24 Using and Transporting EPHI Off-Site Confidential information, including EPHI, is not to be removed from SEMC without prior approval. Maintaining the privacy and security of all confidential information that you transport, store or access off-site is your responsibility.

25 Data Backup If you have access to the Information Systems network, store EPHI in your network directory folder (Information systems backs up the network directories on a nightly basis). EPHI that is stored on local PC s is not backed up.

26 EPHI access auditing: All SEMC computer systems are subject to a regular audit review. The audit review may include: EPHI that you have accessed. Internet sites that you accessed.

27 Software/Hardware Protection Anti-virus software is present on all required information systems. Never bypass or disable anti-virus software. attachments are scanned for viruses prior to delivery. Delete s before opening when they appear suspicious, or if you do not know the sender. If you suspect or detect a problem, notify the Information Systems Help Desk.

28 More information to prevent virus and malicious software. Do not install hardware of any kind. Do not install personal software or download Internet software, such as : Screensavers, Kazaa, Limewire, Weatherbug, Anti-virus software, Pop-up blockers Downloading Internet software onto your computer may install spy ware without your knowledge and cause programs to run slower or not function properly.

29 HIPAA Penalties for Non-Compliance Employee Discipline: Violations by SEMC workforce members may result in disciplinary action, up to and including termination from employment with SEMC. You are personally responsible for the access of any information using your login. Severe civil and criminal penalties: In addition, you can be subject to civil and criminal penalties imposed by the federal government up to $250,000 and 10 years in prison.

30 Thank you for completing the HIPAA Overview Module.