Health Insurance Portability and Accountability Act (HIPAA) Overview

Transcription

1 Health Insurance Portability and Accountability Act (HIPAA) Overview Agency, Contract and Temporary Staff Orientation Initiated: 5/04, Reviewed: 7/10, Revised: 10/10 Prepared by SHS Administration & Samaritan Professional Development Page 1 of 8

2 Welcome to this online training! Learning Objectives Upon completion of the module the employee will: Know what HIPAA is and where it came from; Know why we should care about it; Have a basic understanding of the HIPAA standards and their impact on the culture of the organization; Know your role in HIPAA compliance; Discuss appropriate access to protected health information; List three methods available to provide security for patient data; Implement privacy measures for interoffice mail; Place confidential paperwork in the appropriate trash system in his / her department. What is HIPAA? HIPAA is the Health Insurance Portability and Accountability Act. It was originally intended to provide for the continuation of health insurance coverage for individuals when they changed jobs. Background: Where Did HIPAA Come From? Cost Concerns A New England Journal article stated that the United States spends about $400 billion each year on administrative services related to health care. That s around 20% of the total cost of health care each year in the United States. Congress estimated that approximately $87 billion could be saved annually if administrative processes could be improved by: Requiring more health care transactions to be conducted electronically, which would reduce paperwork; and By standardizing health care transactions. Privacy Concerns As more business is conducted electronically, however, it becomes more difficult to protect the privacy of personal data. A national survey revealed that the greatest concern of Americans in this century is that personal health or financial information will be accessible to those who may use or disclose it inappropriately. The increasing availability of personal information on the Internet adds to people s fears. Those fears are increasing as breaches of information security become more publicized, such as hackers and identity thieves accessing and misusing an individual s credit card number. Page 2 of 8

3 Breaches of Patient Privacy Arthur Ashe, the well-known tennis player, contracted AIDS from a blood transfusion and was diagnosed and treated in a Richmond, Virginia hospital. The family asked that this diagnosis be kept confidential, but the information was leaked from the hospital, creating a lot of public concern about the ability of hospitals to treat patient information confidentially. DNA information was used by Burlington Northern Railroad to deny employment to a job applicant. Some other examples of privacy breaches listed below are only a fraction of all cases. A bank accesses records and calls in loans of cancer patients. A medical student sells promising cases to a malpractice lawyer. A hospital Emergency Department employee shares patient information with an attorney for financial gain. Why Should You Care about HIPAA? The first reason is that HIPAA is the law. We don t have the option to simply ignore it. The second reason is that many of the HIPAA standards are incorporated into existing accreditation standards (such as the Joint Commission) as well as annual financial audit procedures. A third reason is that many of the HIPAA regulations make good common sense. Finally, we should care because every employee is impacted by HIPAA and could be penalized for violating HIPAA regulations. HIPAA Privacy and Security Standards Privacy vs. Security - Some Definitions First Page 3 of 8

4 HIPAA Privacy Rule Protected Health Information The Privacy Rule was developed to limit the ways in which information that can be used to identify an individual may be used inside a health care organization or disclosed to outside entities. Protected health information (PHI) is individually identifiable health information that is maintained or transmitted electronically, or in any other form or medium. This means PHI transmitted orally is protected, as well as information that is maintained or transmitted electronically or on paper. Consumer Rights Regarding Their Health Information The hospital is required to give patients a clear written explanation of how they can use and disclose their health information. This is called a Notice of Privacy Practices, and the Privacy Rule identifies specific information that the Notice must contain. Patient have rights to inspect and receive copies of their medical record, to amend their medical record with certain exceptions, to request confidential communications, limitations or restrictions of use or disclosure of PHI, and an accounting of disclosures made by the hospital. There is a duty to mitigate any harm and provide recourse if information is erroneously disclosed. Limitations on the Use or Disclosure of PHI PHI can be used or disclosed without patient authorization only for the purposes of treating the patient, receiving payment for health care services, and health care operations. In most cases, uses or disclosures for any other reason requires written authorization from the patient. o Patients are permitted under the Privacy Rule to revoke an authorization but not retroactively. The Privacy Rule requires that employees only look at the minimum patient health information necessary to do their job. This is called the minimum necessary standard. This standard is required and accepted best practices in the health care industry. o This means that no employee may look up medical information out of curiosity or concern for a family member, friend or anyone else. It is prohibited to simply look at the information (even if you don t tell anyone about what you see) if you are only doing it out of curiosity. You may only look at information for a legitimate business reason. o Inappropriately accessing, disclosing, or sharing PHI will result in disciplinary action up to and including termination. Staff members that do not have a need for PHI to do their jobs should not have access to it. Other Allowable Disclosures The hospital may, however, disclose PHI without the patient s authorization for such things as: o Health care oversight of the hospital, such as quality assurance activities; o Public health requirements; o Emergency or disaster circumstances; Page 4 of 8

5 o Current hospital patient directories; and o Law enforcement purposes. HIPAA Security Standards Electronic Protected Health Information The security standards were written to keep protected health information in electronic form or as it is referred to in the Security Rule, electronic protected health information (EPHI), from being accessed by unauthorized individuals inside and outside the hospital. It requires the hospital to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect that information. The Security Rule is organized into four categories: o Administrative procedures to ensure that threats or violations can be prevented, detected and resolved (security training, hiring practices, system audits); o Physical safeguards to protect EPHI from fire, disaster and unauthorized access (locks, keys, storage protection); o Technical security services to control and monitor access (passwords, audit trails, automatic logoff); o Network security to protect unauthorized access to data transmitted over a network (encryption, detection systems). Your Role and the Security Rule: Make every reasonable effort to protect the privacy of our patient s EPHI. Report any concern about suspected violations of the Security Rule to the SHS Privacy or Security Officer. Access to EPHI through the SHS computer systems should be for patient care or business purposes only. Personal medical information shall not be accessed through the SHS computer systems. Employees who would like to inspect or copy their personal medical information shall complete the proper authorization through the medical records department. SHS takes security issues seriously. Review the specific information provided in the following areas related to the Security Rule: Passwords Passwords should be changed on a regular basis and according to SHS policy. Passwords also should be changed when there is a concern that they might be compromised. o Users are held accountable for password protection. o Users should not share electronic passwords with anyone. o Users should not write down their password or send it via . Each employee is responsible for the security of his/her electronic mail account. Reduce the application to an icon or close the mailbox when not using . Virus Protection Data and software that have been exposed to any computer other than SHS computers must be scanned before installation. This includes downloads from the Internet. Page 5 of 8

6 attachments should not be opened if the sender is unknown. If a virus is suspected or detected: Immediately turn off your computer; Make notes as to what was observed; Contact the Information Services Department Help Desk at Transportation of PHI and EPHI, Including Rules for Laptop Computers Report any loss immediately to your manager or the Information Services Department. All important files must always be backed up to prevent loss of critical data. Back-up discs should be stored in a separate physical location from the computer. Management authorization is required when removing confidential, critical or proprietary data from the hospital. Security of Patient Data Floppy disks or CD s with confidential, critical or proprietary information should be stored in a locked drawer. Turn your computer off when not in use for an extended period of time. Office doors should be locked when the office is not occupied for extended periods of time. Screen protectors are available for computers which may be visible to the public. Employees Are Required to Report: Violations or suspected violations i.e., illegal activity of any kind; suspected use of virus or hacker programs; attempts to damage the SHS organization or an employee of SHS in any way; Inappropriate use of SHS computers i.e., using the computer to communicate inappropriate messages, jokes, or to make harassing or defamatory comments; Breaches of computer security i.e., attempts to circumvent established computer security systems or obtaining or trying to obtain the password of another user. Management Is Responsible for Monitoring Computer Activity in order to: Provide a professional work environment where inappropriate use of computers or SHS computer systems is not tolerated; Reduce the risk of liability and business interruption; Help prevent illegal acts and violation of individual rights. Audits Since audits of user access to the SHS computer systems are a legal requirement under the Security Rule, they will be used to verify appropriate use of the Internet and patient documentation systems. SHS computer systems shall be used principally for patient care or business purposes. Additional Privacy Measures to Review: FAX Machines FAX machines are located in areas that promote confidentiality. A cover sheet with instructions to follow if documents are sent to an unintended recipient should always be used. Page 6 of 8

7 When transmitting medical information: Contact the requestor prior to transmission of documents; and Contact the requestor after transmission to verify receipt of documents If the transmittal record shows that an incorrect number was dialed, immediately fax a cover sheet asking the recipient to call back and request that the documents be mailed back as soon as possible. Interoffice Mail All mail that contains PHI should be placed in a sealed envelope and clearly labeled with the recipient s name. It should then be put in an interdepartmental office envelope for distribution. Confidential Trash See your department specific policy for clarification. Confidential trash is defined as any material that contains: Financial; Administrative, and /or Clinical data And can be associated with the name of any of the following: Patient; Employee; Volunteer; and /or Physician. Confidential trash will be disposed of through established confidential trash systems within each department. A Final Thought Every SHS employee must be familiar with the vision and ethics of the SHS organization as it applies to confidential data, PHI and EPHI. We need to think about who has the legal right to access this information and what is the purpose of the disclosure. It is the responsibility of each employee to protect the privacy and security of confidential data, PHI, and EPHI whether it is on paper, electronic or oral communication. Page 7 of 8

8 Thank you! Page 8 of 8