Protecting Privacy & Security in the Health Care Setting

Transcription

1 2013 Compliance Training for Contractors and Vendors Module 3 Protecting Privacy & Security in the Health Care Setting For Internal Training Purposes Only.

2 After completing this training, learners will understand: General HIPAA and HITECH Guidelines (Privacy vs. Security) What is Protected Health Information (PHI) The Rule: Treatment, Payment, Healthcare Operations Penalties for Non-Compliance Where to locate policies and procedures Reporting processes

3 PROPERTIES Allow user to leave interaction: Show Next Slide Button: Completion Button Label: 9/21/12 After viewing all the steps Show For Internal upon completion Training Purposes Only. Do Next Slide not copy. Do not distribute. Rev. 10/6/09

4 What Is HIPAA & HITECH HIPAA Federal law (1996) giving patients the right to have their information kept private and secure. Protects all patient identifiable health information in any form. HITECH Expands and enhances HIPAA Privacy and Security Rules Increased regulatory enforcement and penalties for non-compliance

5 PROPERTIES Allow user to leave interaction: Show Next Slide Button: Completion Button Label: 9/21/12 After viewing all the steps Show For Internal upon completion Training Purposes Only. Do Next Slide not copy. Do not distribute. Rev. 10/6/09

6

7 To receive the Notice of Privacy Practices (Access a copy by clicking here.) To request restrictions on uses & disclosures of PHI To be assured of Confidential communications To have the ability to request access to, inspection of, amendment of and copy of PHI To limit reporting to health plans, IF the procedure or visit and subsequent treatment was paid for with cash. To receive an accounting of disclosures for third party disclosures upon request

8 Treatment to use or share PHI to treat a patient to share PHI with that patient for public health purposes for disclosure to our vendors under a written contract (aka Business Associate) Payment Coding Billing Medical Records Accounting Healthcare Operations Planning Management Training Improving quality Providing services Education A written patient authorization is required for any disclosure outside of treatment, payment, or healthcare operations.

9 Public Health Requirements Health Oversight Activities Judicial & Administrative Proceedings Public Safety Government Proceedings Workers Compensation Organ Donation

10 SCENARIO: Family Members and PHI A patient asks the hospital not to disclose any medical information to her sister. She submits the request in writing and the facility agrees. Later, the patient has to be admitted to the hospital. Her sister visits the hospital and asks the provider of an update on her sister s condition. Can the provider discuss this information with the patient s sister? ANSWER: No. In this case, because the patient specifically requested confidentiality, the provider cannot release any information. When a patient asks us to not share their personal information with a family member and we agree, we cannot disclose any information to that family member in any form, at any time.

11 Quality and Education Programs You can talk about patient conditions in provider education programs and in programs to improve quality outcomes. Prescriptions Can be discussed with the patient via telephone Voice Messages Messages can be left but only include minimum necessary No sensitive information

12 SCENARIO: Good Intentions A provider receives an errant fax of a prescription request for a member who she knows from church. From the member s prescription she can see that the member s diagnosis is serious. Later that day, the provider mentions this to another friend who attends the same church and knows the member. She then asks the church secretary to put the member on the church prayer chain. Suddenly, several hundred people know of the member s illness. Is this an acceptable disclosure of information? ANSWER No, the inappropriate disclosure of this information would be a potential HIPAA violation. We are required to protect our patients information from any unauthorized disclosure. When the provider received the fax in error, she should have notified the Compliance department and then securely destroyed the document.

13 The goal when protecting electronic information is to ensure the Confidentiality, Integrity, and Availability (CIA) of critical systems and confidential information. Click here to access IT policies.

14 You are not permitted to use your personal electronic devices for business purposes. Never leave your company-issued electronic device in a visible location in your vehicle. It must be lock in your trunk or taken with you. Never send text messages containing PHI. Texts are not encrypted so they are not secure. Always encrypt containing PHI. Type confidential in the subject line of your . Always report any potential breach of information including stolen equipment.

15 Create a paper trail When in doubt, get an authorization If no authorization and in doubt, do not disclose PHI Segregate medical records Implement internal policies governing access to PHI Never allow health information to be reviewed by employees that do not have a need to know If a breach occurs, contact Corporate Compliance immediately for assistance

16 Violation Minimum Penalty (Per Violation) Maximum Penalty (Per Violation) Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $ Cap at $25,000 $50, Cap at $1.5 million Due to Reasonable Cause and not due to willful neglect $1, Cap at $100,000 $50, Cap at $1.5 million Up to 1 year in prison Due to willful neglect but corrected within the required time period $10, Cap at $250,000 $50, Cap at $1.5 million Up to 1 year in prison Due to willful neglect and not corrected $50, Cap at $1.5 million $50, Cap at $1.5 million Up to 10 years in prison

17 Technical Releases that do not result in inappropriate use or disclosure of PHI Report to Compliance immediately. Meet with supervisor to review the policies that were violated. Repeated violations may lead to disciplinary action including suspension or termination. Unintentional Releases that result in inappropriate use or disclosure of PHI Report to Compliance immediately. Meet with supervisor to review the policies that were violated. The violation may lead to suspension or termination. Repeated violations may lead to disciplinary action including termination. Intentional Report to Compliance immediately. An allegation of intentional release may result in the immediate suspension of the accused pending the outcome of the investigation. If it is determined to be intentional and deliberate, the employee will be terminated immediately and reported to HHS as required by law.

18 SCENARIO: Your Password Information You are reviewing hard copy medical records when a colleague walks in and asks you to look up a patient for her in the computer system. She then says, I know you re busy. Why don t you just give me your username and password so that I don t have to bother you? Is this okay? ANSWER No, this is not an acceptable practice. Never share your user name and/or password with anyone. Even our IT department will never ask you for your username or password. By sharing, you are breaching IT Security policies. This can compromise the security of our systems as well as put you at risk if someone uses your password information to access information inappropriately.

19 SCENARIO: We Never Received the Fax You fax a document to another physician s office; however, that office calls later to indicate that they never received the fax. You confirm the number and find that you faxed it to the wrong number. What do you do? ANSWER If the recipient did not receive the fax: You must attempt to retrieve the errant fax OR ensure that it is securely destroyed. Notify the Corporate Compliance department to report the disclosure. Notate the disclosure in the patient s disclosure log. In the future ALWAYS verify the fax number before sending PHI as this is an unsecure method of transmission.

20 SCENARIO: Quick Stop at the Grocery Store A provider leaves her laptop computer bag on the floorboard of the front seat of her car while going into a grocery store to pick up a few items. She also has a folder containing member names and other PHI on the seat. She puts the folder into the laptop bag and runs into the store. Is this a HIPAA violation? ANSWER Yes. This is a potential HIPAA violation because the computer and its PHI have not been adequately secured. Never leave your laptop unsecured in your vehicle. While our laptops are generally encrypted, it is your responsibility to ensure the physical security of your laptop. Lock in your trunk (utilizing a cable lock) or better, take it with you. In addition, hard copy medical records should NEVER be placed in the same bag as your computer. This increases the risk of PHI being stolen and would be considered a serious breach.

21 SCENARIO: Quick Stop at the Grocery Store A provider leaves her laptop computer bag on the floorboard of the front seat of her car while going into a grocery store to pick up a few items. She also has a folder containing member names and other PHI on the seat. She puts the folder into the laptop bag and runs into the store. Is this a HIPAA violation? ANSWER Yes. This is a potential HIPAA violation because the computer and its PHI have not been adequately secured. Never leave your laptop unsecured in your vehicle. While our laptops are generally encrypted, it is your responsibility to ensure the physical security of your laptop. Lock in your trunk (utilizing a cable lock) or better, take it with you. In addition, hard copy medical records should NEVER be placed in the same bag as your computer. This increases the risk of PHI being stolen and would be considered a serious breach.

22 Your Compliance Team WellMed Medical Group, Compliance Department 8637 Fredericksburg Rd, Suite 360 San Antonio, TX General Questions: Teresa Jacobs, Corporate Compliance Officer:

23 Your Responsibility Know what s right. Ask for clarification if necessary Do what s right. Follow policies and procedures Tell us if you think something isn t right. Every healthcare provider has an obligation to make a good faith report of any activity within the agency that appears to violate compliance policies, procedures or statutes Zero tolerance for retaliation Your Reporting Options Talk to your hiring manager Contact the Compliance Dept compliance@wellmed.net Call Directly Submit an Anonymous Report: Confidentiality is protected to the extent allowed by law. For Internal Training Purposes Only

24 This course requires a 100% passing score to receive credit for completing the training. Please click on the below link to access the quiz or copy/paste the address into your web browser: Module 3: Privacy and Security Rules Quiz Hands-On Compliance