HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline

Transcription

1 HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline Self-Study Module Requirements Read all program slides and complete test. Complete the Training Acknowledgement Form at the end of the Self-Study Module. Submit test along with the Training Acknowledgement form to your manager or supervisor COMPLETION OF THIS TRAINING MODULE IS MANDATORY! HIPAA SELF TRAINING MODULE The Health Insurance and Portability & Accountability Act (HIPAA) requires that Unity provide training to members of the Unity workforce on HIPAA and the specific HIPAA requirements that may affect the work you do for Unity Health Care, Inc. 1

2 Objectives Training Module Objectives To provide an overview of HIPAA and its impact on your duties at Unity. To provide information about your responsibilities with regard to patient privacy. To provide information about where to go if you have a question or concern about Unity s privacy policies and practices. What is HIPAA? HIPAA Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Requires Unity Health Care to protect the privacy and confidentiality of Protected Health Information (PHI). HIPAA Security Requires Unity Health Care to protect the confidentiality, integrity and availability of electronic protected health information (e-phi). Who has to follow HIPAA? Everyone who works for, or with Unity Health Care. This Means You! 2

3 What is Protected Health Information? Protected Health Information is any individually identifiable patient information including demographic data (name, address, age) that relates to the individual s past, present or future physical or mental health condition, the provision of health care to the individual, or the past, present, or future payment for the provision of services to the individual. Privacy Rule Basic Principles of the Privacy Rule define and limit the circumstances under which an individual s protected health information may be used or disclosed by covered entities such as Unity Health Care. A covered entity may not use or disclose protected health Information except: (1) as the Privacy Rule permits or requires; or (2) as the patient (or the patient s personal representative) authorizes in writing. Permitted Uses and Disclosures Unity Health Care is permitted to use and disclose Protected Health Information without a patient s authorization for the following purposes and situations: For treatment, payment, and health care operations; For public interest and benefit; For research purposes when a limited data set is used, and If required by law or regulation 3

4 Mandated Disclosures Required Disclosures - In some cases we are required to disclose PHI. A covered entity must disclose protected health information: (a) to individuals (or their personal representatives) when they request access to, or an accounting of disclosures of their protected health information; and (b) to HHS when it is undertaking a compliance investigation, review, or enforcement action. When is patient authorization required to release PHI? Unity Health Care must obtain the patient s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations (or otherwise permitted, or required by the Privacy Rule). Notice of Privacy Practices Unity Health Care is required to provide all of our patients with our Notice of Privacy Practices and to have them sign an acknowledgement that they have received the Notice. 4

5 Appropriate Access to PHI Access to PHI including electronic medical records systems (ecw & Logician) is granted to workforce members so that they can accomplish their work related duties. Any access that is not work-related is not permitted. Appropriate Access to PHI Do not access PHI of friends, family members, coworkers, VIPs, ex-spouses, etc., that information is required to perform your job duties. In the event that you encounter the information of an individual previously known to you, please alert your supervisor. Do not access your own electronic medical record, demographic or appointment information directly. Follow the same procedures as all other patients to obtain this information. Do not share your access or passwords to systems with anyone, even if a co-worker needs access to the same information to do their job. You are responsible for all system activity performed under your unique User ID and password. Security Rule Requirements The HIPAA Security Rule requires Unity to ensure that electronic PHI is: Confidential health data or information is not made available or disclosed to unauthorized persons. Integrity of health data is maintained - information has not been altered or destroyed in an unauthorized manner. Available health data or information is accessible and useable upon request by an authorized person. 5

6 Electronic Protected Health Information - ephi Electronic Protected Health Information (ephi) is: An individual s health or financial information that is used, created, received, transmitted or stored by Unity using any type of electronic information resource. Information in an electronic medical record (e.g. ecw, Logician), patient billing information transmitted to a payer, digital images, and information when it is being sent electronically by Unity to another provider, or a payer. HIPAA requires Unity to use appropriate safeguards when creating, using, transmitting, and storing ephi ephi, mobile devices, and secure ephi must not be stored on mobile devices like laptops, smart phones, USB drives, etc. unless the information will be encrypted on the device; smartphones with access to the Unity system, must be password protected. Similarly, s containing patient information to non-unity addresses must be encrypted. Sending Secure All patient information sent by outside of Unity Health Care (i.e. to a non-unity address) must be encrypted. To send containing PHI include the prefix Secure: (without the quotation marks) in the subject line. Secure must be the first word in the subject line and needs to be followed by a colon : 6

7 Sanctions for failing to comply with UHC s Privacy Policies and HIPAA Unity Sanctions UHC management will apply appropriate and consistent sanctions against workforce members - including employees, volunteers, trainees and others who work for UHC under our direct control, and who fail to comply with UHC s privacy policies and procedures. Sanctions may include, verbal reprimand, demotion, suspension, and/or termination. Sanctions for failing to comply with UHC s Privacy Policies and HIPAA (cont d.) Federal Sanctions Civil money penalties range from $100 to $1,500,000; Criminal penalties range from $50,000 to $250,000 and imprisonment from 1 to 10 years; Suspension or exclusion from Federal programs; Loss of your professional license to practice; and Jail Remember, protecting patient privacy is YOUR responsibility! Tips for Keeping PHI Safe (cont d.) Do not share your passwords under any circumstances. Remember that YOU are responsible for actions taken with your Password and ID Log-off or lock workstations even if you re just stepping away for a moment. (ctrl+alt+delete) Secure loose notes and other paper records that contain PHI in an area not immediately accessible to the public or individuals without a work-related reason to access. Be cautious when printing patient information. If you must print, be mindful of where it s left, to whom it s given, and how it s disposed. Shred or deposit all unwanted paper that could contain PHI into designated shred bins. 7

8 Tips for Keeping PHI Safe (cont d.) Do not discuss patient information in public areas Remote access same rules apply. Be sure you have a password set on your home computer and that you are using a secure network. i.e you re not using a public Wi-Fi to access secure data. Data files do not download to a non-unity computer, jump drive, or external storage. If you need to store data on a mobile device, ensure that it s an encrypted device. Contact Unity IT ( ) for assistance. The attachment may not give you a choice, then be sure to delete, empty recycle bin, and delete any download directory files Tips for Keeping PHI Safe (cont d.) Passwords use strong passwords, and use different passwords for each system Do not remove data (paper or electronic) from Unity without the express permission of your supervisor. Social media do NOT discuss work related items Unity runs employee access reports Unity monitors database activity reports Remember Look at an individual s PHI only if you need it to do your job, Use an individual s PHI only if you need it to do your job, Give an individual s PHI to others when it s necessary for them to do their jobs, Talk to others about an individual s PHI only if it s necessary to do your job. 8

9 Do you have a question or concern about Unity s Privacy Practices? Send an to hipaa@unityhealthcare.org OR Call the HIPAA Hotline at OR Joanne Adams Privacy Officer Unity Health Care, Inc th Street S.E; Suite 120 Washington, DC jadams@unityhealthcare.org HIPAA Post-test 1. What is PHI? a. An individual s Protected Health Information b. An individual s health, billing, or payment information that is created or received by a health care provider or health plan c. Protected Health Information is information that can be used to identify an individual d. PHI is an individual s information that is protected by the HIPAA legislation. e. All of the above. 2. When can Unity use or disclose PHI without patient consent? a. For treatment of a patient b. For processing payments for care c. For management operations d. For the public s benefit e. All of the above. 3. Who has to follow HIPAA at Unity Health Care? a. My supervisor and other administrators, managers and directors. b. Employees working in direct patient care c. Everyone d. I do not know HIPAA Post-test (cont d.) 4. You can discuss patients on social media as long as no names are mentioned. A. True B. False 5. You can be imprisoned for violating HIPAA. A. True B. False 9

10 HIPAA Post-test (cont d.) 6. What are the possible consequences for failure to comply with the HIPAA law a) Termination b) Jail time and fines c) Suspension or exclusion from Federal Programs d) Loss of License e) All of the above. 7. Which of the following is considered PHI? a) Patient s name b) Date of birth c) Photo d) Phone number e) All the above 8. A patient authorization is always required to disclose PHI. a) True b) False 9. What are two mandated disclosures? HIPAA SELF-TRAINING MODULE ACKNOWLEDGEMENT FORM Print name (Last, First) Date completed: Department/Position: Acknowledgement Statement I have completed the HIPAA self-training module and post-test. Signature: Date: Supervisor Signature: Date: 10