2014 Core Training 1

Transcription

1 2014 Core Training 1

2 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System policies and procedures related to privacy & security Your Responsibilities for: Protecting confidential and sensitive information Good computer practices Reporting privacy breaches and security incidents 2

3 Key Privacy Laws/ Regulation HIPAA (the Health Insurance Portability & Accountability Act) Is the Federal law, passed in 1996, which requires us to protect the privacy of PHI (protected health information) that is electronic (ephi) and physical. PHI includes at least one of the following 18 identifiers: Name Postal address All elements of dates except year Telephone number Fax number address URL address IP address Social security number Account numbers License numbers Medical record number Health plan beneficiary number Device identifiers and their serial numbers Vehicle identifiers and serial number Biometric identifiers (finger and voice prints) Full face photos and other comparable images Any other unique identifying number, code, or characteristic 3

4 Key Privacy Laws/ Regulation In 2013 HIPAA was updated with: The Final Omnibus Rule, and The HITECH Act. This update to HIPAA includes: Increased fines and penalties for privacy violations Additional responsibility for not just employees, but also business associates to protect PHI Patient Rights Updates to the Security Rule and Breach Notification requiring organizations to share when a breach has occurred, not just if it caused harm to the individual 4

5 HIPAA Penalties Expanded penalties include: HIPAA Civil Penalties $100 $1,500,000/year fines; and more fines if multiple year violations HIPAA Criminal Penalties $50,000 $250,000 fines & Imprisonment up to 10 years State Laws Fines and penalties apply to individuals as well as health care providers, up to a maximum of $250,000 May impact your professional license & Imprisonment up to 10 years Huntsville Hospital Health System Up to and including termination 5

6 Our Responsibilities: and Protected Health Information 6

7 Our Responsibilities We are required by HIPAA to keep PHI secure by: Communicating privacy rights with our patients Patient s Rights with PHI include: Access and the ability to receive a copy of one s own PHI (paper or electronic formats) Request amendments to information Request restriction of PHI uses and disclosures Restrict disclosure to health plans for services self paid in full ( self pay restriction ) Request alternative forms of communications (mail to P.O. Box not street address, no message on answering machine, etc.) Accounting of the disclosures of PHI 7

8 Our Responsibilities We are required by HIPAA to keep PHI secure by: Ensuring you only view, use, and share PHI when required for your job. The NPP allows PHI to be used and disclosed for purposes of Treatment, Payment, or Operations (TPO) Use: Accessing, Viewing, and Using PHI within the department or with business associates Disclosure: The release, transfer, provision of access to, or divulging in any other manner of PHI outside the department. Ensuring Minimum Necessity for accessing PHI, that means users access the minimum amount of information necessary to perform their duties Protecting access to confidential/ sensitive information Reporting privacy breaches immediately to the Privacy Officer 8

9 Our Responsibilities: to Patients HIPAA requires we communicate patient s right to privacy by: OFFERING a Notice of Privacy Practice (NPP), which Advises Patients of their privacy rights And is posted in public registration areas & our website ATTEMPT to get a signature on the Patient Acknowledgement Agreement (PAA), acknowledging receipt of the NPP This is required, except in emergency situations And if not we must document the reason why 9

10 Our Responsibilities: to Patients HIPAA requires we get the proper release for PHI: GETTING WRITTEN PERMISSION if we release PHI for a reason other than TPO (Treatment, Payment or Operations) Exception is for immunization records for children, in states that require those records 10

11 Our Responsibilities: to Patients SPECIAL DIRECTIONS for Facility Directory During registration are asked about being in the directory Only the location and general condition my be disclosed if someone asks for the patient by name If the patient objects, DO NOT acknowledge that the patient is in the facility. SPECIAL DIRECTIONS for Fundraising Additional rules apply for those involved in fundraising, see Policies Policy

12 Privacy & Security: Our Individual Roles 12

13 Our Role in Protecting PHI We are each responsible to protect PHI: Follow policies and procedures Protect the privacy and security of information Asking your Supervisor or Manager for guidance All Policies and Procedures for the Health System are listed on Pulse/Hotlist/HIPAA 13

14 Our Role: Protecting Physical PHI Handling PHI Double check the address, or fax number when mailing or faxing Only fax PHI to a secure fax (inside a secure area) Use the approved Huntsville Hospital Health System cover sheet containing a confidentiality statement. Check printers, faxes, and copier machines when you are finished Don t leave PHI on your desk, lock it up Double check when handing documents to patients/family members 14

15 Our Role: Protecting Physical PHI Taking PHI offsite You must first obtain approval from your supervisor. Never leave PHI unattended in your bag, briefcase or car (even if it s locked in the trunk!) All devices that access ephi or Huntsville Hospital Health System must be password protected Access PHI remotely Disposal of paper documents Shred PHI First! Then use the Trash: Recycle and trash bins are NOT all secure Shred bins only work when papers are put inside the bins 15

16 Our Role: Protecting Audible PHI Avoid Discussing PHI in public areas Be aware of your surroundings when talking Do not leave PHI on answering machines Don t speak too loudly, or to the wrong person Ask yourself, What if my information was being discussed like this? 16

17 Our Role: Protecting ephi For electronic protected health information Avoid unauthorized computer access by: Protecting your user ID Protecting your password Logging out of programs that access PHI when not in use 17

18 Our Role: Protecting ephi For electronic protected health information All devices used to access ephi must be password protected, including: Your HH Personal laptop ipad/tablet iphone/smartphone Did You Know?? Even if you don t intentionally save PHI onto your device, your Huntsville Hospital Health System files may download to your device without your knowledge. 18

19 Our Role: Protecting ephi Encrypt all s with PHI going to addresses that do not end theheartcenter.md compone.org dmhnet.org hhsys.org firstcomm.org hgala.org namci.com namci.org How To Encrypt ; always start with: [Encrypt] or Secure: in the subject line of the 19

20 Our Role: Protecting ephi Practice Safe ing Do not open, forward, or reply to: Suspicious s Suspicious attachments Or unknown website addresses NEVER provide your username and password to an request Delete spam and empty the Deleted Items folder regularly It is your responsibility when communicating to send all PHI securely 20

21 Our Role: Protecting ephi Do not share patient PHI on social media, that means anything from your work at the Health System Even if information is public Information obtained from your patient/provider relationship is confidential 21

22 What to do: Reporting a Suspected Breach of PHI? 22

23 Our Role: Reporting a Breach PRIVACY BREACH: Report when PHI is: Physically lost or stolen Misdirected to others outside of HH Health System, including: PHI verbal messages left for the wrong person Misdirected mail, fax or containing PHI When user does not use secure with PHI Posted to Huntsville Hospital Health System intranet, internet, websites, Facebook, Twitter IMMEDIATELY REPORT TO: Privacy Officer at (256) /9257 Your Supervisor IT Security at (256)

24 Our Role: Reporting a Breach PRIVACY BREACH: Report when: PHI is part of a Security Incident: When an electronic device is lost/stolen When any unusual or suspected information is missing The loss and/or theft of any form of ephi Unusual computer activity IMMEDIATELY REPORT TO: Privacy Officer at (256) /9257 Your Supervisor IT Security at (256)

25 Our Role: Reporting a Breach FAX PRIVACY BREACH: Report if: You send a fax containing PHI to the wrong phone or fax number You receive a fax in error Immediately: Alert the sender Do not use or disclose the information IMMEDIATELY REPORT TO: Privacy Officer at (256) /

26 Our Role: Reporting a Breach IMMEDIATELY REPORT any known/suspected PRIVACY BREACHES to the Privacy Officer at (256) or 9257 In every circumstance, you will need to provide the following information: Date and time the breach was discovered Name and contact information of the person who discovered the breach The specific information disclosed The number of individuals who had their information disclosed How the breach happened Actions taken following detection The department contact for follow-up 26

27 In Review 27

28 In Review: It s Our Job to Protect PHI It is the Law to Protect our Patient s privacy HIPAA law was developed to protect the privacy of our patient s health information It is only appropriate to share, use, access PHI when it is needed to do our job. We must follow Health System policies Protecting verbal, written, and electronic information Use safe computing and practices Report suspected privacy & security incidents Privacy Breaches Security Breaches Privacy Officer at (256) /9257 IT Security at (256) And if you don t know, Ask! 28

29 The Course is Finished! What happens at Huntsville Hospital, Stays at Huntsville Hospital. Time to Take the Test 29