
1 The University of Texas at Austin, University Compliance Services

Hello and welcome. I am here to discuss the Health Insurance Portability and Accountability Act (HIPAA) and the conforming Texas Law (Texas Health & Safety Code, Chapter 181) which strengthens HIPAA and makes it applicable to more areas of The University of Texas at Austin.

2 General HIPAA Privacy Training is an introductory course designed to educate the University of Texas at Austin personnel regarding regulations related to the Health Insurance Portability and Accountability Act (HIPAA).

3 This course has been designed to provide you with an understanding of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as the conforming Texas Law (Texas Health & Safety Code, Chapter 181) and their impact on UT Austin and its employees. Our goal in this course is to:
- Provide you with an overview of the HIPAA requirements on maintaining the privacy and confidentiality of Protected Health Information (PHI);
- Enable you to begin thinking about how the HIPAA rules may affect your work routine; and
- Explain how you and UT Austin may be fined for violating HIPAA rules.

4 After successfully completing this course, you will be able to:
- Understand what the HIPAA Privacy Regulations are and what they do;
- Know who the Privacy Regulations apply to and when you must be in compliance;
- Know what constitutes PHI and what this term means; and
- Understand the penalties for failure to comply with the Privacy Regulations.

5 The University of Texas at Austin University Compliance Services Sept

HIPAA, the Health Insurance Portability and Accountability Act of 1996, was passed to simplify claims processing and payment in the health care industry. Congress delegated to the Department of Health and Human Services (DHHS) the responsibility of establishing mandatory privacy and security standards to comply with the requirements of the federal law. In response, DHHS has issued federal regulations for:
- Simplification of payment transactions, known as Electronic Data Interchange (EDI);
- Security; and
- Privacy.

6 HIPAA is one of the most far-reaching pieces of federal health care legislation ever enacted. HIPAA affects:
- Health Plans, Health Care Clearinghouses, and Health Care Providers that transmit health information in an electronic form (i.e., "covered entities");
- Business Associates of covered entities; and
- Employers (self-funded groups).

7 HIPAA also affects other entities that come into possession of health information, such as universities. These entities are called hybrid entities. The University of Texas at Austin is a hybrid entity and the University and its employees must comply with HIPAA.

8 Texas Law (§ 181) affects: Any person who for commercial, financial or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site. All of the above processes would make an entity a Covered Entity under Texas Law (§ 181).

9 Protected health information (PHI) means individually identifiable health information:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium (paper, oral).

Protected health information excludes individually identifiable health information in:
- Education records covered by the Family Educational Rights and Privacy Act (FERPA); and
- Employment records held by a covered entity in its role as an employer, such as HRS records showing an employee's ADA status.

10 Regardless of where you work in the University, it's important to understand what privacy and confidentiality mean when protecting personal health information.
- PHI is identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic communications.
- Persons have the right to control who has access to their PHI.
- PHI is private and limited to those who need the information for treatment, payment, and healthcare operations.
- Only those people who are authorized to use and disclose PHI will have access to PHI.
- Disclosures should be limited to the Minimum Necessary for the recipient to do the job. For example, if a physician is treating a patient for a current broken ankle, University Health Services shouldn't release records on the patient's measles last year.

Hospitals, healthcare organizations and universities have always upheld strict privacy and confidentiality policies. However, in response to situations in which private medical information has ended up in the wrong hands, the U.S. government has strengthened the laws protecting privacy and confidentiality.

11 The HIPAA Privacy Regulations were written in response to patient concerns that their medical information was not being protected. The following factors led to the creation of HIPAA Privacy Regulations:
- The increased use of electronic information technology;
- Advances in genetic research and availability of individuals' genetic information; and
- Increased efforts to market health care products to consumers.

Government representatives especially wanted to address the issue of electronic data transmissions. The Department of Health and Human Services ended up creating the Privacy Regulations with the permission of the legislative bodies.

12 What objectives do the Privacy Regulations accomplish?
- They give people more control over their health information.
- They set boundaries on the use and disclosure of health records.
- They establish appropriate safeguards that all people who participate in or are associated with the provision of healthcare must achieve to protect the privacy of health information.
- They hold violators accountable, with civil and criminal penalties that can be imposed if they violate people's privacy rights.
- They strike a balance when public responsibility requires disclosure of some forms of data, for example, to protect public health.

13 How does HIPAA achieve these objectives? The Privacy Regulations prohibit UT Austin and its employees from using or disclosing an individual's PHI without an authorization from the individual, unless the use or disclosure of PHI is for Treatment, Payment, Healthcare Operations, or in other specialized and limited situations. Additionally, UT Austin must investigate violations, sanction wrongful conduct, and make process changes when required.

14 Why is confidentiality important?
- People have a right to control who will see their medical information.
- Trust is an essential part of our work.
- Health information is among the most sensitive data collected on individuals.

15 A person has the right to receive a notice of UT Austin's privacy practices. In order to satisfy the HIPAA regulations UT Austin must:
- Make available its notice of privacy practices to all persons whose PHI the University maintains.
- Provide the notice prior to the treatment of the patient, or their participation in a study, or other program.

UT Austin must obtain a written acknowledgment of the person's receipt of the Notice of Privacy Practices. UT Austin is only required to provide the Notice of Privacy Practices to the person one time. The written acknowledgement must be obtained once after April 14, For emergency situations, UT Austin personnel must provide the notice and obtain the person's signature as soon as it is practical to do so. This means UT Austin must obtain a signature from the person as evidence the person received a copy of the notice or document that the person refused to sign and why. These individuals will also be required to document the receipt of the notice or refusal in our records.

16 Under the privacy regulations, UT Austin and its employees may use and disclose PHI for:
- Treatment,
- Payment,
- Healthcare operations,
- Certain permitted uses or disclosures, or
- As required by law.

However, if UT Austin or UT Austin employees have been asked to release PHI for any other reason than those above, the person must complete UT Austin's Authorization for the Use and Disclosure of PHI by UT Austin. This form must be maintained in our records. People also have the right to revoke their authorization at any time and UT Austin can no longer rely upon the authorization to release information.

17 HIPAA allows people the limited ability to control the use and disclosure of their PHI. People can request a restriction of uses and disclosures or confidential communications. Requests for restrictions or confidential communications must be retained in our records.

The following is an example of restrictions of uses and disclosures. A person knows that her sister-in-law works in the speech and language clinic where the patient has an appointment. The patient may request that the sister-in-law not have any access to her medical record or information.

For confidential communications, a person can request that UT Austin not call him or her at home, or a patient may request, on a per-visit basis, that test results, etc., be sent to a different address.

18 HIPAA assures people the right to access their PHI (for inspection or copying). Guidelines for granting a person's request for PHI include the following:
- A person may request a copy of his or her medical records, except for psychotherapy notes.
- A reasonable charge for this service is allowed by law.

19 HIPAA allows people the right to request amendment, or an addendum to, their medical record. Any change to a medical record requires the approval of the physician and/or institution and may be denied. For example:
- A person may disagree with what is in his/her medical record and request that the information be amended.
- The physician/researcher asked to make the amendment may refuse to do so, but must review the request.
- If the physician/researcher agrees to make the amendment, no changes are made to the original record. Instead, an amendment page is added to the record.

20 HIPAA allows people the right to receive an accounting of disclosures of their PHI that have been made within the previous six years (other than those made for treatment, payment or healthcare operations or as a result of an authorization). Records of each disclosure for purposes other than treatment, payment, or health care operations must be kept so that this information is available to the person upon request. If you disclose PHI for purposes other than treatment, payment, or health care operations, you must record the disclosure.

21 HIPAA guarantees a person the right to file a privacy complaint at any time. A person or employee may file a complaint by contacting the Office of Institutional Compliance at (512) or may file an anonymous report by calling (877) You may also file a complaint with the Institutional Privacy Officer, Jeff Graves, at (512) Contact information for the Privacy Officer is available on the HIPAA page of the Institutional Compliance website. After a complaint has been filed, a formal investigation will take place.

22 Printers and copiers used for printing of PHI should be in secure, non-public locations. If the equipment is in a public location, the information being printed or copied is required to be strictly monitored. Printed versions of PHI must not be left unattended and open to compromise. PHI printed to a shared printer must be promptly removed. Remember, PHI is very personal health information and should be treated as such.

23 At UT Austin, the responsibility to protect the confidentiality and integrity of protected health information is shared by staff, faculty, volunteers, students, administrators, business associates, and others. This responsibility has always been a part of the UT Austin culture. Not only is it required by law, professional ethics, and accreditation requirements, but it is the responsible thing to do.

24 These kinds of privacy breaches have led to new Federal Regulations: In the introduction to new Federal standards governing the confidentiality and disclosure of health information, the Department of Health and Human Services (DHHS) cited a number of examples of privacy breaches that have occurred within healthcare organizations. These are the kinds of breaches that led to new Federal regulations governing the privacy of health information.
- The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut.
- A Michigan-based health center accidentally posted the medical records of thousands of patients on the Internet.
- A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer.
- A banker who also sat on a county health board gained access to patients' records and identified several people with cancer and called in their mortgages.

These examples of deliberate and accidental disclosures of information underscore the importance of establishing and maintaining effective processes for handling patient information. Source: Pew Internet & American Life Project

25 PHI includes any paper or electronic file which contains personally identifiable health information. One of the largest issues at UT Austin is the amount of stored paper PHI we maintain. Security measures to safeguard stored PHI in files, documents, letters, invoices, etc. should be established. Some of these measures include:
- Ensuring that doors to storage rooms are locked,
- Assisting departments in establishing procedures to control access to rooms or file cabinets where PHI is stored, and
- Adding physical security measures such as doors, locks, etc. to ensure that PHI is safeguarded.

26 Outside of regular working hours, keep your desk and work area clean and be sure to keep any PHI locked in filing cabinets, unless the immediate area can be secured from unauthorized access. When not in use, PHI must always be protected from unauthorized access. When left in an unattended room, such information must be appropriately secured. If PHI is stored on diskettes, CD-ROM or other removable data storage media, it cannot be combined with other electronic information. Stored PHI must be stored separately from non-PHI data. PHI stored in medical equipment (e.g. EKG, Ultrasound, etc.) must be kept secure and disposed of correctly. HIPAA regulations require PHI documents be retained for a minimum of six years.

27 An end-of-day checklist is a great way to remember the steps necessary to secure your work area before you head out the door. Even airline pilots would not consider leaving the cockpit without their shut down checklist. It's the smart way to ensure your work area is PHI secure.
- Check around your work area for files, notes, records, documents, CDs, diskettes, etc. which may contain PHI.
- Secure files containing PHI through the following methods: lock them in a filing cabinet, lock the door to your office, and lock the storage room.
- Check the printer, fax, copy machine, and meeting room to be sure no PHI has been unintentionally left.
- Check for post-it notes, phone messages, or reminders of things to do which contain PHI and place them in a locked cabinet.
- Lock up your Day Timer, calendar, or scheduling book if entries have been made which contain PHI.
- Make sure there is no PHI accidentally discarded in the waste basket.
- Secure your computer by requiring password access. (Never share your password with anyone. You are personally responsible for the usage and access attributed to your password.)
- Check things you are taking home to make sure you haven't accidentally picked up a file containing PHI.

28 All personnel must strictly observe the following standards relating to disposal of PHI. Paper or hardcopy PHI must not be discarded in trash bins. Instead, this information must be personally shredded or placed in a secured recycle bag or recycle bin. Printed material containing PHI shall be disposed of in a manner that ensures confidentiality. If paper records containing PHI are in your possession, it is your responsibility to make sure they are discarded properly.

29 Electronic files containing PHI can create a potential breach in the HIPAA privacy rule if they are not properly removed or deleted. A privacy breach can occur if the device is sold or transferred to another department and the PHI remains on the hard drive. Fortunately, if the device is updated and maintained through normal UT Austin channels, the IT personnel will wipe the hard drive of its contents prior to returning it to the leasing depot. However, if you are using your own laptop or a device not obtained through normal UT Austin channels, you are personally responsible for managing the content on that device and should use a wipe utility to remove any old files prior to selling or passing your computer along to a family member or friend.

30 UT Austin should protect the facsimile (fax) transmittal of PHI and hold individuals responsible for following the proper procedure when PHI is sent via facsimile. Personnel must make reasonable efforts to ensure that they send the fax transmission to the correct destination including:
- Preprogramming frequently used numbers into the machine to prevent misdialing errors.
- Periodically and/or randomly checking all speed-dial numbers to ensure their currency, validity, accuracy, and authorization to receive confidential information.
- For a new recipient, the sender must verify the fax number by requesting the recipient submit a faxed or request for PHI, which would include the fax number of the recipient.
- Periodically reminding those who are frequent recipients of PHI to notify UT Austin if their fax number is to change.

When faxing PHI, UT Austin personnel must use an official UT Austin Fax Cover Sheet.

31 Manage PHI received via fax as confidential. Fax machines used for PHI shall not be located in areas accessible to the general public but rather must be in secure areas, and the department director or designee is responsible for limiting access to them. Each department is responsible for ensuring the incoming faxes are properly handled. Immediately remove the fax transmission from the fax machine and deliver it to the recipient.

32 PDAs, Palms, and other Portable Electronic Devices pose a significant security risk because they may contain confidential patient information and are portable. As a result, they are more at risk for loss, theft, or other unauthorized access. Keep the following guidelines in mind when using a PDA that contains PHI:
- Don't leave your PDA unattended unless it is locked up.
- Keep your PDA in its proper carrying case when transporting it from location to location.
- Don't let anyone else use the PDA for any purpose, including your family and/or associates, patients, patient families, or unauthorized employees or agents of UT Austin.
- Password protect and secure your PDA.
- Immediately report any lost, damaged, malfunctioning, or stolen equipment or any breach of security to the Information Privacy Officer.
- To the extent possible, PDAs must have virus protection software installed and operational and you must update the virus protection software regularly.

33 Sending e-mail containing PHI requires special consideration and safeguards. For example:
- E-mailing of PHI is only allowed within your department.
- E-mail containing PHI must be treated confidentially.
- When using e-mail, UT Austin faculty and employees must limit the information transmitted to the minimum necessary to meet the requester's needs and use de-identified PHI whenever applicable.

All employees should frequently review the policy, because the policy may be subject to change based on pending federal regulations.

34 If you witness activity that you believe is improper regarding PHI privacy, you should report such activity to the UT Austin Office of Institutional Compliance or the Institutional Privacy Officer. You may contact the Institutional Compliance Office by either calling the direct number or by anonymously reporting the activity through the Fraud/Abuse and Privacy Hotline. The phone number to the Office of Institutional Compliance is (512) The phone number to the Fraud/Abuse and Privacy Hotline is (877) The phone number for Jeff Graves, the Institutional Privacy Officer, is (512) Contact information is on the HIPAA page of the Institutional Compliance website.

35 Once the Office of Institutional Compliance or Institutional Privacy Officer receives a complaint, it will be reviewed and any and all required actions will be taken to fully investigate the matter. Information gathered through the Office of Institutional Compliance or the Institutional Privacy Officer investigation shall remain confidential to the extent necessary to comply with UT Austin's policies and procedures. Any privacy-related complaint made by a patient, faculty member, employee, student, or volunteer at any time must be forwarded to the Office of Institutional Compliance or Institutional Privacy Officer.

36 No UT Austin employee shall intimidate, coerce, or threaten any person when that person reveals, in good faith, and through the proper channels, action that the person believes is improper. UT Austin's non-retaliation policy ensures that all employees shall be allowed to freely discuss and raise questions to managers or to the appropriate personnel about situations they feel are in violation of federal and state law, UT Austin and UT System policy, and/or accreditation and regulatory requirements. Note: The Office of Institutional Compliance will review any allegation of retaliation and assure that a proper investigation is conducted as appropriate. Anyone found to have retaliated against an employee or patient will be subject to adverse employment action, up to, and including, termination.

37 UT Austin has a duty to mitigate privacy violations of the University's policies and procedures, and state and federal privacy laws. One aspect of mitigation includes UT Austin's privacy rules.

38 Mitigation may include, but is not limited to, the following:
- Retraining of employees who violate UT Austin's policies, procedures, and mission;
- Taking operational and procedural corrective measures;
- Taking employment actions to retrain, reprimand, or discipline employees as necessary, up to and including termination;
- Addressing problems with business associates;
- Incorporating mitigation solutions into the University's HOPPM (Handbook of Operating Procedures and Policy Memoranda) policies;
- Addressing faculty, staff, volunteer and student violations.

39 There are large civil and criminal penalties for failure to comply with HIPAA. These penalties apply to individual employees, as well as UT Austin as an institution.

Civil fines (based on negligence: accident & situations where you should have known better):
- $100 per violation/day, up to $25,000 per violation/year

Criminal Penalties (based on criminal intent: knew better, but did it anyway):
- $50,000 plus up to 1 year imprisonment for a knowing violation
- $100, plus up to 5 years imprisonment for an offense under false pretenses
- $250,000 plus up to 19 years imprisonment for an offense with the intent to profit, gain, or harm

Exclusion from the Medicare provider list

40 Failure to comply with HIPAA also violates UT Austin policies. Any employee who violates these policies may be subject to disciplinary action. In addition to HIPAA's civil and criminal penalties, violations of HIPAA may lead to UT Austin disciplinary action including:
- Verbal warnings
- Written warnings
- Suspension
- Termination

41 Now that we have defined HIPAA and its objectives, let's take a look at some everyday examples of privacy violations.

Dr. Too Loud is a popular professor in Clinical Psychology. Dr. Loud's boisterous personality, however, tends to penetrate through the walls of the office. On one occasion, he was talking to a colleague over the phone and described Mrs. Jones' PHI in detail. This conversation was heard by everyone down the hall. Another day, he was heard in the cafeteria talking to Mr. Smith, a patient, about his condition. Dr. Loud has created verbal violations of the HIPAA rules in both of these examples. He probably has no idea how his voice carries from his office to the other rooms.

What should you do if you work with someone like Dr. Loud? If you suspect a verbal violation is taking place, alert the person to the fact that their voice carries and that others can hear what is being said, or notify your immediate supervisor. HIPAA compliance is a team effort. Unintentional violations can be easily avoided with a heightened sense of awareness.

42 A new faculty member has fully embraced technology because she received a Palm pilot as a Ph.D. graduation present. Dr. Technology has been hot-synching/downloading her Palm pilot to her computer at home. She has never questioned this practice because one of her buddies who is a professor in the Department of Communication Sciences and Disorders views records on his home computer all the time. Dr. Technology decides to upgrade her home computer and donates her old home computer to her church. However, Dr. Technology does not know that information regarding her patients has been circulating through the church administrative offices and Bible study groups because Dr. Technology did not remove the information from her home computer prior to donating it.

43 Ms. O. So Helpful has worked for University Health Services for over ten years and is considered a highly valued employee. She seems to know exactly what the doctors need, even before they ask. It's her job to keep things moving smoothly and to avoid delays if possible. She neatly places each patient's medical record at the counter for the doctor to pick up as he enters the room. She also places a Post-it note on top of each chart alerting the doctor as to the reason for the visit. These charts are in plain view of other patients who are paying out and scheduling appointments at the counter. Ms. O. So Helpful's good intentions are creating an environment of written violations. Any patient or even a delivery person could read a patient's personal medical history while waiting at the counter.

What should you do if you observe this type of activity? The best approach is to talk to your immediate supervisor and allow them to work with Ms. O. So Helpful to come up with an alternative approach. Or, if you have a good rapport with Ms. Helpful, you could alert her to the violation and suggest a strategy session at the next staff meeting for alternative solutions. Whichever course you choose, the behavior must stop immediately. Again, HIPAA compliance is everyone's responsibility.

44 This concludes our presentation on General HIPAA Privacy Training. Just review the questions at the back of this book and answer all questions to receive credit for the training.


HIPAA Training for Hospice Staff and Volunteers HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you

More information

Healthcare Compliance and Hybrid Entity Designation

Healthcare Compliance and Hybrid Entity Designation [New OP initial posting 8/28/14] Operating Policy and Procedure : Healthcare Compliance and Hybrid Entity Designation DATE: August 28, 2014 PURPOSE: The purpose of this Texas Tech Operating Policy and

More information

PROTECTING PATIENT PRIVACY and INFORMATION SECURITY

PROTECTING PATIENT PRIVACY and INFORMATION SECURITY PROTECTING PATIENT PRIVACY and INFORMATION SECURITY 2 PROTECTING PATIENT PRIVACY AND INFORMATION SECURITY PROTECTING PATIENT PRIVACY AND INFORMATION SECURITY 3 INTRODUCTION As an agency employee, student,

More information

Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA) Health Insurance Portability and Accountability Act (HIPAA) General Education Presented by: Bureau of Personnel Department of Health Department of Human Services Department of Social Services Bureau of

More information

2014 Core Training 1

2014 Core Training 1 2014 Core Training 1 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System

More information

SELF-LEARNING MODULE (SLM) 2012 HIPAA Education Privacy Basics and Intermediate Modules

SELF-LEARNING MODULE (SLM) 2012 HIPAA Education Privacy Basics and Intermediate Modules SELF-LEARNING MODULE (SLM) 2012 HIPAA Education Privacy Basics and Intermediate Modules Page 2 Index Privacy 101 and Intermediate Privacy Self-Learning Module 2012 HIPAA Education 3 Instructions Index

More information

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE

More information

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders HIPAA Developed by The University of Texas at Dallas Callier Center for Communication Disorders Purpose of this training Everyone with access to Protected Health Information (PHI) must comply with HIPAA

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

HIPAA Privacy & Security Rules

HIPAA Privacy & Security Rules HIPAA Privacy & Security Rules HITECH Act Applicability If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to

More information

HIPAA Security Training Manual

HIPAA Security Training Manual HIPAA Security Training Manual The final HIPAA Security Rule for Montrose Memorial Hospital went into effect in February 2005. The Security Rule includes 3 categories of compliance; Administrative Safeguards,

More information

Clinical Solutions. 2 Hour CEU

Clinical Solutions. 2 Hour CEU 1 2 Hour CEU 2 Course Objectives The purpose of this program is to provide nurses with information about the Health Insurance Portability and Accountability Act (HIPAA), especially as it relates to protected

More information

Gaston County HIPAA Manual

Gaston County HIPAA Manual Gaston County HIPAA Manual Includes Gaston County IT Manual Action Date Reviewed and Revised December 2012 Gaston County HIPAA Policy Manual has be updated and combined with the Gaston County IT Manual.

More information

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule Understanding Health Insurance Portability Accountability Act AND HITECH HIPAA s Privacy Rule 1 What Is HIPAA s Privacy Rule The privacy rule is a component of the Health Insurance Portability and Accountability

More information

Health Insurance Portability and Accountability Act HIPAA Privacy Standards

Health Insurance Portability and Accountability Act HIPAA Privacy Standards Health Insurance Portability and Accountability Act HIPAA Privacy Standards Healthcare Provider Training Module Copyright 2003 University of California Click the arrow to start the YouTube video in a separate

More information

HIPAA Employee Training Guide. Revision Date: April 11, 2015

HIPAA Employee Training Guide. Revision Date: April 11, 2015 HIPAA Employee Training Guide Revision Date: April 11, 2015 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 (also known as Kennedy- Kassebaum Act ). HIPAA regulations address

More information

Alliance for Clinical Education (ACE) Student HIPAA Training

Alliance for Clinical Education (ACE) Student HIPAA Training Alliance for Clinical Education (ACE) Student HIPAA Training Health Insurance Portability and Accountability Act of 1996 October 2003 1 Objectives Understand the HIPAA Privacy rules and regulations Understand

More information

Health Insurance Portability and Accountability Act (HIPAA) Overview

Health Insurance Portability and Accountability Act (HIPAA) Overview Health Insurance Portability and Accountability Act (HIPAA) Overview Agency, Contract and Temporary Staff Orientation Initiated: 5/04, Reviewed: 7/10, Revised: 10/10 Prepared by SHS Administration & Samaritan

More information

MCCP Online Orientation

MCCP Online Orientation Objectives At the conclusion of this presentation, students will be able to: Describe the federal requirements of the HIPAA/HITECH regulations that protect the privacy and security of confidential data.

More information

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc hipaa@unityhealthcare.org 202-667-0016 - HIPAA Hotline

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc hipaa@unityhealthcare.org 202-667-0016 - HIPAA Hotline HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc hipaa@unityhealthcare.org 202-667-0016 - HIPAA Hotline Self-Study Module Requirements Read all program slides and complete test. Complete

More information

Privacy Compliance Health Occupations Students

Privacy Compliance Health Occupations Students Privacy Compliance Health Occupations Students Health Occupations Students The information in this power point is the same information provided to new SCHS caregivers at their orientation. We cannot stress

More information

8.03 Health Insurance Portability and Accountability Act (HIPAA)

8.03 Health Insurance Portability and Accountability Act (HIPAA) Human Resource/Miscellaneous Page 1 of 5 8.03 Health Insurance Portability and Accountability Act (HIPAA) Policy: It is the policy of Licking/Knox Goodwill Industries, Inc., to maintain the privacy of

More information

Annual Compliance Training. HITECH/HIPAA Refresher

Annual Compliance Training. HITECH/HIPAA Refresher Annual Compliance Training HITECH/HIPAA Refresher January 2015 Sisters of Charity of Leavenworth Health System, Inc. All rights reserved. 1 Annual Refresher Training Welcome to the SCL Health System Compliance

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

Pacific Medical Centers HIPAA Training for Residents, Fellows and Others

Pacific Medical Centers HIPAA Training for Residents, Fellows and Others Pacific Medical Centers HIPAA Training for Residents, Fellows and Others Summary of Critical Pacific Medical Centers (PMC) HIPAA Policies and Procedures For additional information or questions, please

More information

HIPAA 101: Privacy and Security Basics

HIPAA 101: Privacy and Security Basics HIPAA 101: Privacy and Security Basics Purpose This document provides important information about Kaiser Permanente policies and state and federal laws for protecting the privacy and security of individually

More information

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act.

More information

HIPAA (Health Insurance Portability and Accountability Act of 1996) Stetson University HIPAA Training

HIPAA (Health Insurance Portability and Accountability Act of 1996) Stetson University HIPAA Training HIPAA (Health Insurance Portability and Accountability Act of 1996) Stetson University HIPAA Training Objectives of this Training l To help you understand: l What HIPAA privacy rule is l Why it is important

More information

HIPAA: Privacy/Info Security

HIPAA: Privacy/Info Security HIPAA: Privacy/Info Security Jeff Jones HIPAA Privacy Officer HIPAA Information Security Officer KY Region What you should know Discussion Topics Protected Health Security Awareness Information(PHI) Disclosure

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

HIPAA Privacy. September 21, 2013

HIPAA Privacy. September 21, 2013 HIPAA Privacy September 21, 2013 HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all workforce members (faculty, staff,

More information

HIPPA Goes HITECH. Data Protection for Agents

HIPPA Goes HITECH. Data Protection for Agents HIPPA Goes HITECH Data Protection for Agents For agent information only. this material should not be distributed to the public or used in any solicitation. 13-0127 Course objectives Agents will be able

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Compliance Training for Medicare Programs Version 1.0 2/22/2013

Compliance Training for Medicare Programs Version 1.0 2/22/2013 Compliance Training for Medicare Programs Version 1.0 2/22/2013 Independence Blue Cross is an independent licensee of the Blue Cross and Blue Shield Association. 1 The Compliance Program Setting standards

More information

HIPAA Awareness Training

HIPAA Awareness Training New York State Office of Mental Health Bureau of Education and Workforce Development HIPAA Awareness Training This training material was prepared for internal use by the New York State Office of Mental

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

HIPAA and You The Basics

HIPAA and You The Basics HIPAA and You The Basics The Purpose of HIPAA Privacy Rules 1. Provide strong federal protections for privacy rights Ensure individual trust in the privacy and security of his or her health information

More information

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014 GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY HIPAA Policies and Procedures 06/30/2014 Glenn County Health and Human Services Agency HIPAA Policies and Procedures TABLE OF CONTENTS HIPAA Policy Number

More information

Table of Contents INTRODUCTION AND PURPOSE 1

Table of Contents INTRODUCTION AND PURPOSE 1 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: To introduce the staff of Munson Healthcare to the concepts

More information

HIPAA Privacy Keys to Success Updated January 2010

HIPAA Privacy Keys to Success Updated January 2010 HIPAA Privacy Keys to Success Updated January 2010 HIPAA Job Specific Education 1 HIPAA and Its Purpose What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Title II Administrative

More information

Introduction to HIPAA Privacy

Introduction to HIPAA Privacy Introduction to HIPAA Privacy is published by HCPro, Inc. Copyright 2003 HCPro, Inc. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, in any

More information

HIPAA Auditing Tool. Department: Site Location: Visit Date:

HIPAA Auditing Tool. Department: Site Location: Visit Date: HIPAA Auditing Tool Department: Site Location: Visit Date: Auditor: Staff Interviewed: Notice of Privacy Practice 164.520(c) A covered entity must make the notice required by this section available on

More information

Protecting Privacy & Security in the Health Care Setting

Protecting Privacy & Security in the Health Care Setting 2013 Compliance Training for Contractors and Vendors Module 3 Protecting Privacy & Security in the Health Care Setting For Internal Training Purposes Only. After completing this training, learners will

More information

About this Tool Information Security for Residents...

About this Tool Information Security for Residents... About this Tool Information Security for Residents... Purpose: Provide materials to inform and educate Residents in order to reach compliance regarding information security. Audience: New Residents Information

More information

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Health Insurance Portability and Accountability Act of 1996 (HIPAA) HIPAA Privacy Rule Health Insurance Portability and Accountability Act of 1996 (HIPAA) Transactions Standards 1. Health claims 2. Health claim attachments 3. Healthcare payment and remittance advice 4.

More information

Privacy Training for Harvard Medical Students

Privacy Training for Harvard Medical Students HIPAA Training: i Ensuring Privacy for our Patients Privacy Training for Harvard Medical Students Goals By the end of this program you will be able to Explain the basic principles of the Privacy Rule Understand

More information

Privacy & Security Standards to Protect Patient Information

Privacy & Security Standards to Protect Patient Information Privacy & Security Standards to Protect Patient Information Health Insurance Portability & Accountability Act (HIPAA) 12/16/10 Topics An An Introduction to to HIPAA HIPAA Patient Rights Rights Routine

More information

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you

More information

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name)

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name) HIPAA COMPLIANCE PLAN For CHARLES RETINA INSTITUTE (Practice Name) Date of Adoption 1/02/2003 Review/Update 10/25/2012 Review/Update 4/01/2014 I. COMPLIANCE PLAN A. Introduction This HIPAA Compliance Plan

More information

HIPAA Employee Compliance Program TRAINING MANUAL

HIPAA Employee Compliance Program TRAINING MANUAL HIPAA Employee Compliance Program TRAINING MANUAL Training Manual to Assist Employees in HIPAA Compliance January 2013 Program For HIPAA Compliance Plan Goal The purpose of this manual is to instruct our

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

Privacy and Security For Managers

Privacy and Security For Managers Privacy and Security For Managers This self directed learning module contains information all CHS Teammates are expected to know in order to protect our patients, our guests, and ourselves. Target Audience:

More information

Privacy and Information Security Awareness Training. Health Insurance Portability & Accountability Act of 1996 -- HIPAA

Privacy and Information Security Awareness Training. Health Insurance Portability & Accountability Act of 1996 -- HIPAA Privacy and Information Security Awareness Training Health Insurance Portability & Accountability Act of 1996 -- HIPAA Objectives Understand basic HIPAA requirements Understand how the MCG Health System

More information

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information

More information

HIPAA PRIVACY SELF-STUDY MATERIALS

HIPAA PRIVACY SELF-STUDY MATERIALS HIPAA PRIVACY SELF-STUDY MATERIALS This self-study packet serves as a review of important Health Insurance Portability and Accountability Act (HIPAA) requirements. Many of these requirements are included

More information

HIPAA Privacy Overview

HIPAA Privacy Overview May 21, 2003 HIPAA Privacy Overview Presented to the California State University Agenda Introduction HIPAA privacy regulations HIPAA privacy impact on CSU Next steps/action items Mercer Human Resource

More information

SARASOTA COUNTY GOVERNMENT EMPLOYEE MEDICAL BENEFIT PLAN HIPAA PRIVACY POLICY

SARASOTA COUNTY GOVERNMENT EMPLOYEE MEDICAL BENEFIT PLAN HIPAA PRIVACY POLICY SARASOTA COUNTY GOVERNMENT EMPLOYEE MEDICAL BENEFIT PLAN HIPAA PRIVACY POLICY Purpose: The following privacy policy is adopted to ensure that the Sarasota County Government Employee Medical Benefit Plan

More information

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper

More information

HIPAA Privacy Overview

HIPAA Privacy Overview HIPAA Privacy Overview General HIPAA stands for a federal law called the Health Insurance Portability and Accountability Act. This law, among other purposes, was created to protect the privacy and security

More information

Protecting Patient Privacy It s Everyone s Responsibility

Protecting Patient Privacy It s Everyone s Responsibility Protecting Patient Privacy It s Everyone s Responsibility Observation & Student Learning Packet 1. Read packet Instructions for Self-Study Module 2. Complete post-test. A score of 80% must be achieved.

More information

HIPAA PRIVACY POLICIES & PROCEDURES. Department of Behavioral Health and Developmental Services DBHHDS GENERAL AWARENESS TRAINING

HIPAA PRIVACY POLICIES & PROCEDURES. Department of Behavioral Health and Developmental Services DBHHDS GENERAL AWARENESS TRAINING HIPAA PRIVACY POLICIES & PROCEDURES Department of Behavioral Health and Developmental Services DBHHDS GENERAL AWARENESS TRAINING March 2012 HIPAA Humor (North Dakota Dept of Health) 2 HIPAA-Ectomy - the

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA CHECKLISTS DEVELOPING YOUR HIPAA DOCUMENTS PRACTICAL TOOLS AND RESOURCES. MASSACHUSETTS MEDICAL SOCIETY Getting Ready for

HIPAA CHECKLISTS DEVELOPING YOUR HIPAA DOCUMENTS PRACTICAL TOOLS AND RESOURCES. MASSACHUSETTS MEDICAL SOCIETY Getting Ready for MASSACHUSETTS MEDICAL SOCIETY Getting Ready for HIPAA BASIC ELEMENTS FOR COMPLIANCE WITH THE PRIVACY REGULATIONS CHECKLISTS Assess and Begin Your HIPAA Compliance Efforts DEVELOPING YOUR HIPAA DOCUMENTS

More information

Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures

Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 1 What Is HIPAA? HIPAA (pronounced hippa) is a federal law. It s a set of rules and regulations that affect

More information

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians Compliance HIPAA Training Steve M. McCarty, Esq. General Counsel Sound Physicians 1 Overview of HIPAA HIPAA contains provisions that address: The privacy of protected health information or PHI The security

More information

Policy Scope: The policy applies across the Division to all DPH workgroups who maintain, use, have access to, or come into contact with IIHI.

Policy Scope: The policy applies across the Division to all DPH workgroups who maintain, use, have access to, or come into contact with IIHI. Title: DPH Current Effective Date: September 22, 2003 Original Effective Date: April 14, 2003 Revision History: April 22, 2004 May 1, 2011 January, 2014 Purpose The purpose of the Division of Public Health

More information

HIPAA Compliance for Students

HIPAA Compliance for Students HIPAA Compliance for Students The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the United States Congress. It s intent was to help people obtain health insurance benefits

More information

HIPAA and Health Information Privacy and Security

HIPAA and Health Information Privacy and Security HIPAA and Health Information Privacy and Security Revised 7/2014 What Is HIPAA? H Health I Insurance P Portability & A Accountability A - Act HIPAA Privacy and Security Rules were passed to protect patient

More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

Target Audience: All Non-Management CHS Employees, Students, Volunteers, and Physicians

Target Audience: All Non-Management CHS Employees, Students, Volunteers, and Physicians This self-directed learning module contains information all CHS employees are expected to know in order to protect our patients protected health information. Target Audience: All Non-Management CHS Employees,

More information

Topics. What are privacy and security all about? How can I protect confidential information? What should I do if I see a problem?

Topics. What are privacy and security all about? How can I protect confidential information? What should I do if I see a problem? Federal: Privacy And Security 1 Topics What are privacy and security all about? What s confidential here? How can I protect confidential information? What should I do if I see a problem? How can I get

More information

HIPAA PRIVACY AND EDI RULES

HIPAA PRIVACY AND EDI RULES The Health and Human Services (HHS) issued final HIPAA privacy regulations on August 14, 2002. These rules govern how individually identifiable medical information must be protected. HIIPAA also requires

More information

Responsible Use of Technology and Information Resources

Responsible Use of Technology and Information Resources Responsible Use of Technology and Information Resources Introduction: The policies and guidelines outlined in this document apply to the entire Wagner College community: students, faculty, staff, alumni

More information

APPENDIX 1: Frequently Asked Questions

APPENDIX 1: Frequently Asked Questions APPENDIX 1: Frequently Asked Questions Practice Name Q: What is the HIPAA Privacy Rule? A: The HIPAA Privacy Rule controls the use and disclosure of what is known as Protected Health Information (PHI).

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title

More information