HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

Transcription

1 HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N 1

2 COURSE OVERVIEW This course is broken down into 4 modules: Module 1: HIPAA Omnibus Rule - What you need to know to remain compliant with NEW regulations! Module 2: HIPAA Privacy Rule Basics Summary of the Privacy Rule and how to identify and safeguard confidential information. Module 3: Uses, Disclosures & Individual Rights Learn to who, for what, and how much PHI can be disclosed, & what members can request of their PHI. Module 4: Other Requirements Administrative responsibilities including sanctions, mitigation, breach notifications, accounting for disclosures and more. 2

3 HIPAA THE OMNIBUS RULE Module 1 W H A T Y O U N E E D T O K N O W T O R E M A I N C O M P L I A N T W I T H T H E N E W R E G U L A T I O N S!

4 Privacy Rule: PRIVACY VS. SECURITY VS. BREACH VS. HITECH VS. OMNIBUS HIPAA is the federal Health Insurance Portability and Accountability Act of 1996 (aka the HIPAA Privacy Rule) which went into effect April 14, It gives you rights over your health information and sets rules and limits on who can look at and receive your health information. It protects all PHI in any form or media whether electronic, paper or oral. Security Rule: The HIPAA Security Rule applies only to electronic PHI (ephi). This rule requires covered entities to adopt additional safeguards of ephi insuring the confidentiality of data that is created, received, used, maintained or transmitted. (April 20, 2005) 4

5 PRIVACY VS. SECURITY VS. BREACH VS. HITECH VS. OMNIBUS Breach Notification Rule The Breach Notification Rule requires entities to notify affected individuals, the Secretary of the Department of Health & Human Services and, in some cases, the media when they discover a breach of an individual s unsecured PHI (8/2009). HITECH Act: The Health Information Technology for Economic and Clinical Health (HITECH) Act expands certain HIPAA Privacy and Security requirements to cover Business Associates and to provide individuals with additional rights to access and control the use of their PHI, among other things (2009). 5

6 PRIVACY VS. SECURITY VS. BREACH VS. HITECH VS. OMNIBUS The Omnibus Rule (aka Final Rule): Omnibus, defined, is a collection of several works on a similar topic, reprinted in one volume. The Omnibus Rule (Final Rule) is a final set of regulations modifying the HIPAA Privacy, Security and Enforcements Rules to implement various provisions of the HITECH Act. The Omnibus Rule was introduced on January 25, 2013 to: Greatly enhance a patient s privacy protections, Provide individuals new rights to their health information, and Strengthen the government s ability to enforce the law. Plan s had until September 23, 2013 to comply with the Final Rule. 6

7 SO WHAT HAS CHANGED? Some of the biggest changes that you should know are: Some privacy issues that we could address internally under the old rules will now have to be reported to the Department of Health and Human Services (HHS). If HHS determines Piedmont (or it s delegated entity) was negligent, we could face significantly higher penalties. 7

8 SO WHAT HAS CHANGED? HIPAA Rules now directly apply to our Business Associates, but we can still be held responsible for their actions. A Business Associate is any person or business who performs certain functions on Piedmont s behalf that involves the use of PHI. Piedmont must have valid Business Associate Agreements (BAAs) with them that assure they will appropriately safeguard any PHI they create or receive on Piedmont s behalf. All Business Associate Agreements have to be updated to comply with the new Final Rule. 8

9 SO WHAT HAS CHANGED? There are now stronger limitations on the use of PHI for marketing and fundraising purposes, and we can no longer sell PHI without individual authorization. Members now have more rights as to how they may receive copies of their PHI. They may also restrict a physician from disclosing information to Piedmont concerning a treatment for which the individual paid for the treatment out-of-pocket in full. 9

10 SO WHAT HAS CHANGED? Piedmont s Notice of Privacy Practices (NPP) had to be modified to incorporate these changes. Our updated notices now include: Describing uses and disclosure of PHI for which an authorization is required from the member; Stating that any uses or disclosures not described in the NPP require the member s authorization; Informing members of their right to be notified in the event of a breach of unsecured PHI. 10

11 OUR RESPONSIBILITIES Piedmont is committed to acting honestly, diligently, and quickly to prevent and address incidents related to PHI. We rely on you to be diligent in your protection of PHI and to immediately report if you ever feel PHI has been compromised in any way. 11

12 HIPAA BASICS Module 2 S U M M A R Y O F T H E P R I V A C Y R U L E A N D H O W T O I D E N T I F Y A N D S A F E G U A R D C O N F I D E N T I A L I N F O R M A T I O N.

13 WHAT IS PHI? Protected Health Information (PHI) is any information, including demographic information, created, maintained, received or transmitted by a covered entity that relates to health status, provision of health care or payment for health care, and can be used to identify the individual. Common Examples of PHI include: Name Medical Record No. Clinical Notes SSN Names of Relatives Claims Data HICN Dates of Service Enrollment Data Date of Birth Benefit Information Eligibility Data PHI can be information, combined or alone, that can lead to the identification of a member. 13

14 PHI CAN BE STORED OR SHARED BY: Verbal Communication Paper Documents Electronic Data 14

15 VERBAL COMMUNICATION When talking about PHI, make sure you are: Sharing only with someone who needs to know the information to perform their job. Speaking where others (including family members and friends) cannot hear, if possible. Giving only the minimum amount of information necessary. Be aware of your surroundings! Avoid discussing PHI in public areas such as restrooms, elevators, and reception desk area. When conversations in open areas cannot be avoided, remember to keep your voice low. 15

16 PAPER DOCUMENTS Store PHI appropriately to reduce the potential for incidental use or disclosure. File or cover PHI on your desk when you leave each day. Lock drawers and offices when possible. When discarding printed PHI, place in the locked shredding bins until the time it is destroyed. 16

17 ELECTRONIC DATA Use strong passwords and change them every 90 days. Store all PHI on the network drive unless absolutely necessary to perform your job. All laptops and portable devices used to store PHI data must be encrypted. Lock your workstation when leaving the work area. Position computer monitors so that unauthorized persons cannot easily view information on the screen. Printers, copiers and fax machines should be located in areas not easily accessible to unauthorized persons. 17

18 PASSWORD PROTECTION A strong password for your network account and other applications is a basic protection mechanism. While it is tempting to create a generic password that is easy to remember, it is not very secure. Two rules for stronger passwords: Create a password of eight characters in length. Passwords should contain at least one each: Capital letter Lowercase letter Number 18

19 PASSWORD PROTECTION TIPS Change passwords often. Contact your IT Help Desk if you suspect your password has been compromised. Create a different password for each system or application, if applicable. Do not reuse passwords until 6 other passwords have been used. Do not use generic information that can be easily obtained like family member names, pets names, birth dates, phone numbers, vehicle information, etc. NEVER share your password with anyone. 19

20 ING PHI Only the minimum necessary to meet the requestor s needs. Verify the accuracy of the address before sending any PHI. When ing PHI outside of the Piedmont internal network, always send it securely by encrypting PHI. Check with your Privacy Officer or IT Department as to what systems or procedures you should follow to encrypt s. All containing PHI should contain an confidentiality notice. Immediately report any violation of these guidelines to your Supervisor or the Privacy Officer. 20

21 INTERNET THREATS Phishing is unwanted ( spam ) that tries to trick you into revealing confidential information, like passwords or credit card information. Usually an (or text) alerts you to a problem with your account and asks you to click on a link and provide information to correct the situation. These s look real and often contain the organizations logo and trademark. The URL in the resembles the legitimate web address. Combat Internet Threats NEVER provide your password to anyone via . 21

22 INTERNET THREATS CONT. Be suspicious of any that; Requests personal information. Contains spelling and grammatical errors. Asks you to click on a link. Is unexpected or from a company or organization with whom you do not have a relationship. If you are suspicious of an DO NOT click on the link provided in the . DO NOT open any attachments. DO NOT provide personal or financial information. DO forward the to your IT Help Desk and follow their instructions. 22

23 APPROPRIATE USE OF COMPUTERS AND S Piedmont computers and accounts are for official business. Employees are permitted limited personal use of them. Personal use should not: Disrupt employee productivity; Disrupt service or cause congestion on the network; Engage in inappropriate activities. Do not use personal accounts to conduct Piedmont business or to send confidential information. Your personal account is often less secure than your work issued account, so limit access from Piedmont computer systems. 23

24 MOBILE DEVISES & STORAGE MEDIA Employees who use mobile devices such as smart phones/tablets or laptops, or storage media such as CDs or USB drives, have additional responsibilities for protection of PHI that is housed on those devices. Do not store PHI on mobile devises or external storage media unless it is absolutely necessary. If it is necessary, then the device MUST be inspected and cleared through your IT department to ensure all the necessary protections are in place. If any mobile devise or external storage media is lost or stolen, you must immediately REPORT it to the Privacy Officer or Compliance Department. 24

25 FAXING PHI Limit faxed information to the minimum necessary to meet the requestor s needs. Always use a cover page that includes destination contact information, sender contact information, and a confidentiality statement. When sending faxes, always double check the recipient s fax number before pressing the send key. Promptly remove any received documents and follow the instructions on the cover page for delivery. If you receive a fax not intended for Piedmont or you receive notification of a fax from Piedmont going to the wrong location, notify your department manager and the Privacy Officer. The sender needs to be notified or the material needs to be returned to Piedmont or destroyed, and in some circumstances, we must log the disclosure error. 25

26 USES, DISCLOSURES & INDIVIDUAL RIGHTS Module 3 L E A R N T O W H O, F O R W H A T A N D H O W M U C H P H I C A N B E U S E D A N D D I S C L O S E D, A N D W H A T M E M B E R S C A N R E Q U E S T O F T H E I R P H I.

27 KNOW YOUR MEMBER S RIGHTS The HIPAA Rules give members the right to: Inspect and copy PHI. Amend PHI. Request restrictions on certain disclosures including that a health plan not be informed of treatment for which the patent paid entirely out of pocket. Receive confidential communication by alternative means or location. Prohibit the sale of their PHI, or its use for marketing or research. Receive an accounting of disclosures of PHI to third parties. File a complaint about a HIPAA privacy violation. 27

28 USES AND DISCLOSURES OF PHI PHI CAN be disclosed to others without the individual s written authorization for the purposes of: Treatment (providing care), Payment (claim payment), CAN Health plan operations (i.e. audits), If requested by member or legal representative, To help with public safety issues (i.e., preventing disease), Some health research (some does require authorization), To comply with the law, To respond to organ and tissue donation requests, To work with a medical examiner or funeral director, Workers compensation, law enforcement, government request, To respond to lawsuits and legal actions. 28

29 USES AND DISCLOSURES OF PHI CONT. PHI CAN NOT be disclosed to others without the individual s written authorization for the purposes of: Marketing Sale Research and Fundraising Disclosures to attorneys or other third parties that are not otherwise permitted or required by law Sensitive PHI including: Mental health information Confidential HIV-related information Alcohol or substance abuse information Genetic information 29

30 VERIFYING IDENTITY The member has the right to choose someone to act for them. Regardless of whether a member or their representative is requesting the PHI, we must verify the identity and the authority of them. Identity can be verified by: Obtaining a validly issued Photo ID. If by phone, ask the caller for the member s name and date of birth. For personal representatives, Proof of power of attorney, Health care proxy, Signed letter from member authorizing the person to act on their behalf, Letter of administration or other authority to act on behalf of a decedent. 30

31 VERIFYING IDENTITY CONT. For public officials, Presentation of agency ID badge, official credentials or other proof of government status, Appropriate government agency letterhead, Written statement of legal authority, Pursuant to a warrant, subpoena, or other legal process issued by a grand jury or other legal authority. Verification in an Emergency: In the event of an emergency clinical situation, we may disclose PHI without authorization where the member is unable to agree or object to disclosure due to incapacity if, in the exercise of professional judgment, disclosure is in the best interest of the member. When Verification is NOT Required: PHI may be lawfully disclosed to prevent or lessen a serious and imminent threat to the health or safety of a person or the public if disclosure is made to a person reasonably able to prevent or lessen the threat. If these conditions are met, no further investigation is required. 31

32 OBTAINING VALID AUTHORIZATION If the use or disclosure requires a written authorization, the PHI can not be used or disclosed unless it is accompanied by a valid authorization. A valid authorization must contain: A description of the info to be used or disclosed. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. Name or other specific identification of the person(s) authorized to make the request. A description of each purpose of the requested use or disclosure. Name or other specific identification of the person(s) to whom we may make the requested use or disclosure. Signature of the individual and date (and for personal representatives, proof of authorized status). If the request for disclosure is not accompanied by a written authorization, Piedmont may provide the requestor with a General Authorization for Release of Confidential Information Form. 32

33 MINIMUM NECESSITY You should always make reasonable efforts to only use or disclose (or request from another health care provider) the minimum amount of PHI required to achieve the particular use or disclosure. Standard criteria to take into consideration includes: The purpose and importance; Who is requesting the information; The extent of additional persons with access to the PHI; Other factors and information specific to each request. Exceptions to minimum necessary requirements include: Disclosures to or requests by health care provider for treatment. Disclosures made to the individual who is subject to the PHI. Disclosures made pursuant to an authorization signed by member. Disclosure made to the secretary of HHS. Disclosures required by law. 33

34 OTHER REQUIREMENTS Module 4 A D M I N I S T R A T I V E I N C L U D I N G S A N C T I O N S, M I T I G A T I O N, B R E A C H N O T I F I C A T I O N S, A C C O U N T I N G O F D I S C L O S U R E S A N D M O R E.

35 TRAINING REQUIREMENTS This training is intended for all Piedmont Community HealthCare and Piedmont Community Health Plan workforce members. All employees, volunteers or other individuals that use or have access to Piedmont member information must complete this training within 90 days of hire and annually thereafter. Additional training will be provided as needed for changes in federal or state rules or regulations. 35

36 ACCOUNTING OF DISCLOSURES OF PHI Member s have the right to receive an accounting of disclosures which requires us to maintain a database of the following disclosures: To Health and Human Services, If require by law, For certain public health activities (births/deaths, etc.), For health oversight activities such as FDA, For certain research purposes, To avert a serious threat to health or safety, For specialized government functions, For worker s compensation, For certain marketing or fundraising, About decedents for cadaveric organ donation, Disclosures not permitted by law. 36

37 ACCOUNTING OF DISCLOSURES CONT. Disclosures that DO NOT need to be included in the database are disclosures: To carry out treatment, payment and health care operations (TPO), Pursuant to an authorization, To the individuals about their own PHI, To persons involved in the individual s care or other notification purposes, For national security or intelligence purposes, To correctional institutions or law enforcement custodial situations, Incidental to a use or disclosure otherwise permitted or required, That occurred prior to the compliance date of April 14, 2003, When the right has been temporarily suspended by a health oversight agency or law enforcement official, As part of a limited data set. 37

38 TRACKING DISCLOSURES Any Piedmont workforce member who discloses PHI for any reason (by request or in error) other than listed on the previous slide must complete a Disclosure Report including: Date the disclosure was requested or identified and date of the disclosure; Name of the person or entity who received the PHI and address, if known; Brief description of the PHI disclosed (e.g. a particular diagnosis or injury, particular test results, birth date, etc.); Brief statement of the purpose of the disclosure, whether by request or in error, and describe the purpose or how the error occurred; If the disclosure was made in error, also include follow-up action taken regarding retrieval or destruction of the PHI, cause of the error, and any corrective action steps taken. The Disclosure Report must be given to the Privacy Officer who will complete any additional steps required including adding it to Piedmont s Accounting of Disclosures Log. 38

39 BREACHES According to the Final Rule, most unauthorized uses or disclosure of PHI will likely be considered breaches. It is now more important than ever that each workforce member remember: What is expected of them each day to protect member information and minimize unauthorized uses and disclosures of PHI, and How to report their concerns if they suspect PHI has been disclosed, exposed, or misused in any way. 39

40 WHAT ARE THE PENALTIES FOR PRIVACY & SECURITY BREACHES? There are disciplinary, civil and criminal penalties for failure to comply with HIPAA regulations. Fines can range from $100 - $50,000 per violation. One incident could result in numerous violations and therefore multimillion dollar fines. Criminal penalties could result in jail time of 1 10 years. Piedmont will impose appropriate disciplinary action against workforce members who violate HIPAA or Piedmont Privacy Policies and Procedures up to and including termination. Failure to report a violation is a violation! 40

41 MITIGATION REDUCE Mitigate, defined, is to reduce, minimize or lessen the force, intensity or impact of a suffered loss. THE If Piedmont learns of a harmful effect resulting from the use or disclosure of PHI, all necessary steps, to the extent practicable, will be taken to mitigate such harmful effects. HARM Employees should notify their supervisor, the Privacy Officer or Compliance Department immediately so that any additional steps to mitigate the harm can be taken. 41

42 BREACH NOTIFICATIONS Piedmont must investigate all breach incidents and provide timely notification as necessary and appropriate to: Affected Individuals HHS Credit Reporting Agencies Other Federal Agencies Media Outlets 42

43 REPORT If you believe or suspect that PHI may have been put at risk, you have a responsibility to REPORT those concerns to the Privacy Officer or Compliance Department immediately. The new Final rule shortens the timeframe in which we must investigate and report any findings to HHS. The minute you believe there is a problem, let us know. The sooner we know, the better chances we have to limit the damage to the individuals involved. 43

44 ISSUES THAT SHOULD BE REPORTED Loss of confidential information or equipment containing confidential information Stolen laptop Lost smart phone Misplaced member records Misuse of information, system access or sharing of passwords Accidental or unauthorized disclosures of PHI Misdirected faxes and mail Human error Overheard conversations Inappropriate social media posts When in doubt, trust yourself. Report any issues of concern. Let the Compliance Department investigate. 44

45 WHO TO REPORT TO Immediately report suspected breaches of PHI to any of the following: The Compliance Department Your Department Manager or Supervisor Anonymously getintouch.com The Compliance Officer Brenda Grant Immediately report suspected computer security threats to the Help Desk 45

46 SAFEGUARD REMINDERS Never share your passwords with anyone. Lock your computers when you leave your work area. File or cover PHI on your desk when you leave for the day. Do not discuss PHI in public areas. When discarding PHI, place documents in locked shredding bins. When ing PHI outside of Piedmonts internal network, always send it securely and include an Confidentiality Notice. When faxing PHI, double check the recipients fax number and number dialed before sending and include a Fax Confidentiality Trailer. Always, always report misuse of PHI. 46

47 HIPAA POLICIES AND PROCEDURES We are providing a link to Piedmont s HIPAA Policies and Procedures as an additional resource. Please refer to the Policies and Procedures for complete guidance on HIPAA rules and regulations that are applicable to all employees. 47

48 CONGRATULATIONS! You have successfully completed Piedmont s HIPAA Privacy and Security Training. 48