Annual Compliance Training: HITECH/HIPAA Refresher
January 2015
Sisters of Charity of Leavenworth Health System, Inc. All rights reserved.
Annual Refresher Training

Welcome to the SCL Health System Compliance Refresher online training module. This course will focus on the HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) laws that govern the privacy and security of Protected Health Information (PHI). After reviewing the following materials, you will be asked to complete a quiz.
Course Objectives

Upon completion of this course, you should:
- Have a basic understanding of HIPAA, the law that protects patient health information;
- Know your reporting obligations if you suspect a privacy or security violation; and
- Understand changes to HIPAA under the new HITECH regulations.
Scenario

Vanessa is being admitted to the hospital for a routine procedure. Although Vanessa knows the hospital and its staff are highly respected, she has some concerns about how her personal information will be shared. Staff members want to alleviate Vanessa's concerns and are willing to answer any questions she might have about how her Protected Health Information (PHI) is protected.

Note: Protected Health Information (PHI) is information that:
- Identifies, or can be used to identify, a specific individual; and
- Relates to the individual's health, health care, or payment for care (past, present, or future).
What questions might Vanessa ask?

How will my PHI be used?
"A health care provider (hospital or physician) may use or disclose your information for treatment, payment, or healthcare operations and when specifically permitted or required by law. The Notice of Privacy Practices describes these uses and disclosures in more detail. Other releases require your authorization."

How will the provider limit the use of my PHI?
"A health care provider only permits those employees who have a need to know to access your health information. For example, clinicians who are treating you are allowed to access your information. Billing clerks are allowed to access your information to submit claims for payment."
What questions might Vanessa ask?

How will SCL Health System prevent someone else from accessing my PHI?
"All computers are password protected and have other safeguards. Paper with sensitive information must be filed in the patient record or placed in a secure bin to be shredded. SCL Health System also limits access to paper and electronic medical records and imposes disciplinary actions for inappropriate access."

What are my rights as a patient?
"Patients have many rights under HIPAA, including the right to request access to their medical record either by viewing or obtaining copies (paper or electronic*), an amendment to their medical record, restrictions relating to release of their record (including to health plans for self-pay situations*), and an accounting of the disclosures that have been made."

*Added in HITECH
Key Points: Health Insurance Portability and Accountability Act (HIPAA)

- HIPAA imposes penalties on covered entities and individuals who fail to keep PHI confidential in accordance with the law.
- HIPAA applies to health care providers such as hospitals and physician offices.
- HIPAA also applies to health plans such as HMOs and health insurance companies.
- All of these organizations are considered covered entities under HIPAA.

HIPAA's confidentiality rules fall under two main umbrellas:
- Privacy Rule: grants individuals rights with regard to their PHI and requires covered entities to protect all types of PHI.
- Security Rule: requires covered entities to safeguard electronic PHI.
Key Points: The Health Information Technology for Economic and Clinical Health Act (HITECH)

- HITECH increases the penalties on covered entities and individuals who fail to keep PHI confidential in accordance with HIPAA to a maximum penalty of $1.5 million.
- HITECH allows patients to request a copy of their PHI in an electronic manner.
- HITECH allows patients to request a restriction of access by a health plan when the patient pays directly for his or her treatment.
- HITECH adds a section requiring covered entities to notify patients and the federal government of breaches of unsecured PHI.
- HITECH expands obligations for Business Associates (vendors) of covered entities.
Key Points: PHI

PHI includes information in any format, including:
- Spoken
- Paper
- Electronic
- Mail
- Telephone
- Fax

Patients are provided with a Notice of Privacy Practices ("NPP").

Note: A Notice of Privacy Practices is a notice that describes, in plain language, how a health care provider may use and disclose PHI about an individual, as well as the individual's rights and the provider's obligations with respect to the PHI.

In general, patients over 18 years of age have control over their PHI. Parents have the right to access their minor children's health information (child under age 18). There are some exceptions to this rule, such as when the minor has the legal authority under state law to consent to certain health care services, or if the minor is emancipated.
Key Points: PHI Use and Disclosure

SCL Health System uses PHI internally and discloses it outside its hospitals and clinics for various purposes. Some examples of each include:

Use:
- Doctors' orders for treatment
- Nurses' notes for quality review
- Patient registration

Disclosure:
- Public health reporting
- Claims submission to insurance companies for payment
- Accreditation organizations (for example, The Joint Commission)

HIPAA requires a health care provider to have a legitimate treatment or business need to use or disclose PHI.

Note: A Use is defined as the access to, or sharing of, PHI within a health care provider, such as a hospital or clinic. A Disclosure is the release of PHI to any person or entity outside the health care provider.
Key Points: PHI Treatment, Payment or Healthcare Operations (TPO)

SCL Health System may use or disclose PHI for TPO in the following ways:
- Treatment: treatment of a patient (referral, admission, consultation, diagnosis, treatment planning)
- Payment: payment for services to a patient (preparing claims, submitting bills, and collection actions)
- Health Care Operations: administrative functions (such as quality improvement, peer review/credentialing, training programs, medical/legal reviews, compliance, fraud and abuse, disease prevention, business planning, complaints and grievances)
Key Points: PHI Public Health Reporting

A health care provider may report PHI to meet state or federal public health reporting requirements without the authorization of the patient. For example, the following types of reports are commonly required by state law:
- Child abuse or neglect
- Certain infectious diseases (such as HIV and TB)
- Vital statistics (births and deaths)

*Note: Many public health reporting requirements are specific by state.*
Key Points: PHI Opportunity to Agree or Object

In some instances, a health care provider must provide the patient with an opportunity to agree or object (or opt-out) to the disclosure of the patient's PHI. These situations include:
- Whether the patient wants to be included in the facility directory (name, location in the hospital, and general condition)
- Whether the patient wants close family members and friends involved in the patient's care to stay informed about the patient's care or payment
- Whether the patient wants PHI available for fundraising purposes

In other instances, we must first get the patient's written authorization before making a disclosure of the patient's PHI. Examples include:
- Disclosure to the patient's employer
- Disclosure for marketing purposes
Check Point: What is PHI and how is it used?

- A verbal discussion about a patient's health information is not PHI. By definition, PHI must be written. (True / False)
- A health care provider must obtain the patient's authorization before submitting PHI for billing to the insurance company. (True / False)
- At registration, patients are provided with the health care provider's Notice of Privacy Practices that explains how their health information may be used. (True / False)
Check Point: What is PHI and how is it used? (Answers)

- A verbal discussion about a patient's health information is not PHI. By definition, PHI must be written.
  Answer: False. PHI may be in any format, including spoken, paper, telephone, electronic, mail and fax.
- A health care provider must obtain the patient's authorization before submitting PHI for billing to the insurance company.
  Answer: False. A provider may use or disclose PHI for payment of services to a patient.
- At registration, patients are provided with the health care provider's Notice of Privacy Practices that explains how their health information may be used.
  Answer: True. Patients are provided with a Notice of Privacy Practices (NPP) that explains, in plain language, how a health care provider may use and disclose PHI about an individual, as well as the individual's rights and the provider's obligations with respect to the PHI.
Minimum Necessary Rule

When using or disclosing PHI, you should always follow the Minimum Necessary Rule:
- The Minimum Necessary Rule means only accessing or disclosing PHI needed to do your job.
- SCL Health System has policies and procedures that reasonably limit its disclosures of, and requests for, PHI to the minimum necessary.
- A health care provider is not required to apply the minimum necessary standard for disclosures to, or requests by, a health care provider for treatment purposes.
Minimum Necessary Rule

Ask yourself:
- Do I need to access this information for a work-related task I am assigned to do?
- What is the minimum amount of information I need to get the job done? (Note: this question does not apply if the use is for direct patient care by a physician or other provider.)

Remember: You may not access information that you do not have a business need to know. Access to PHI is recorded, monitored and audited by SCL Health System.
Incidental and Oral Communications

Healthcare providers often need to discuss patient information in settings where complete patient privacy is difficult to achieve.

Example: In a busy ER, a discussion between a patient and a doctor may be overheard by another patient. This is considered an incidental disclosure and is not a HIPAA violation, so long as reasonable safeguards were in place, such as speaking with a lowered voice or using privacy curtains when available.

The privacy rule requires that we take reasonable steps to minimize the chance of incidental disclosure to others. What can our facilities do to comply with the privacy rule on these issues?
- PHI should not be discussed in public areas, such as elevators or waiting rooms.
- Consultation rooms or other private areas should be used for discussions with family members.
- If sign-in sheets are used, they should only contain the minimum information necessary for registration purposes.

The goal of the privacy rule is not to prevent needed discussions related to patients, but to make sure that when discussions need to take place, we are doing what is reasonable to protect a patient's PHI.
Reasonable and Permissible Uses and Disclosures, or Not?

Identify whether each of the following uses and disclosures is reasonable and permissible, or not (Reasonable / Not Reasonable):
- Two health care professionals speaking with lowered voices in a treatment area.
- Talking loudly with a patient in a public area.
- Reading a medical record for curiosity.
- Sign-in sheet with only name and arrival time.
- Accessing PHI to perform a job-related function.
- Full name on tracking board.
Reasonable and Permissible Uses and Disclosures, or Not? (Answers)

Reasonable:
- Two health care professionals speaking with lowered voices in a treatment area.
- Sign-in sheet with only name and arrival time.
- Accessing PHI to perform a job-related function.

Not Reasonable:
- Talking loudly with a patient in a public area.
- Reading a medical record for curiosity.
- Full name on tracking board.
Check Point: Minimum Necessary and Incidental Disclosure

1.) Incidental disclosures are not permissible under any circumstances. (True / False)
2.) You should always use or disclose the minimum amount of information necessary when completing a business task. (True / False)
3.) You may access any PHI you want if you are a health care professional, even if the person is not your patient. (True / False)
Check Point: Minimum Necessary and Incidental Disclosure (Answers)

1.) Incidental disclosures are not permissible under any circumstances.
Answer: False. An incidental use or disclosure is one that cannot reasonably be prevented, is limited in nature, and occurs as a result of another permitted use or disclosure.
2.) You should always use or disclose the minimum amount of information necessary when completing a business task.
Answer: True. Remember to ask yourself "Do I need to access this information to do my job?"
3.) You may access any PHI you want if you are a health care professional, even if the person is not your patient.
Answer: False. You may not access information that you do not have a business need to know, and access may be periodically monitored depending on your facility.
Key Points: Security

You should always follow proper password practices to safeguard PHI.
- Treat passwords as sensitive, confidential information. No sharing of passwords!
- Log off or lock the computer when you leave your workstation.
- Create a strong password that is difficult to guess and is not based on your personal information. Use upper and lower case letters, numbers and other characters.
- Alert the IT department if you think your password has been compromised.
- Never disclose your password; no one should ask for your password.
Key Points: Security

- Paper containing PHI must either be filed in the correct record or placed in a secure, locked bin to be shredded.
- Computer screens should not be viewable by the public.
- Emails containing PHI to recipients outside SCL Health System, including patients, need to be encrypted. To trigger email encryption, add [secure] to the Subject line.
- NO texting of PHI is currently allowed because no security features are available at this time.
Security

Which of the following are good practices to follow at your work station? Select all that apply and click submit.
o Using your date of birth as your password.
o Logging off your system at the end of the day and whenever you leave your computer unattended.
o Facing monitors away from public view or using a privacy screen.
o Leaving sensitive documents on the counter in a public area.
o Encrypting emails containing PHI that are sent outside the SCL Health System email network.
o Texting PHI to physicians upon request.
Security (Answers)

Which of the following are good practices to follow at your work station? Correct answers:
o Logging off your system at the end of the day and whenever you leave your computer unattended.
o Facing monitors away from public view or using a privacy screen.
o Encrypting emails containing PHI that are sent outside the SCL Health System email network.
Key Points Security: Email & Internet Use Guidelines

EMAIL USAGE
Do NOT use SCL Health System computers to:
- Send unencrypted sensitive information across the internet
- Exchange email for excessive non-business use
- Transmit contents that are in bad taste
- Forward chain mail or non-business related attachments
- Open attachments from unknown persons, as they may contain viruses
- Use personal email addresses for work communications

INTERNET USAGE
Do NOT use SCL Health System computers to:
- Participate in chat rooms
- Visit inappropriate or non-work related internet websites
- Download software from unknown sources
- Post confidential business information on public forums
Key Points Physical Security Standards

Facility Security
- All associates, physicians, other caregivers, volunteers, contractors and students are to wear their ID badge while on SCL Health System premises.
- All visitors must be escorted by staff when in sensitive or restricted areas, such as Pediatrics, Nursery, Operating Room, or IT Department.
- Do not allow unauthorized persons to follow you into sensitive or restricted locations.
- Question individuals not wearing an ID badge or who appear suspicious.
- Contact Security if you see any unusual or suspicious individuals or activities.
Key Points Security Breach Notification*

Report all breaches, regardless of the number of records involved, to the SCL Health System Privacy Officer or Care Site Compliance and Privacy Officer.

What is a breach? A breach is any unauthorized access, use or disclosure of unsecured PHI. For example:
- Sending an email containing PHI to someone outside the SCL Health System email network without encrypting it.
- Giving one patient's discharge paperwork to another patient.
- Sending a fax containing PHI to the wrong number.

In some instances, we may be required to report breaches to the Department of Health and Human Services (DHHS) and notify the individuals affected.

*Added in HITECH
Check Point: Security

- If a paper containing PHI is no longer needed, it should be placed in the regular trash container immediately. (True / False)
- SCL Health System employees should wear identification badges at all times. (True / False)
- If you suspect someone is in an area of the hospital where he/she should not be, you should question him/her or you should alert Security. (True / False)
Check Point: Security (Answers)

- If a paper containing PHI is no longer needed, it should be placed in the regular trash container immediately.
  Answer: False. If you need to dispose of paper containing PHI, throw it away in a secure shredding bin.
- SCL Health System employees should wear identification badges at all times.
  Answer: True. All employees and contractors should display an identification badge while on SCL Health System premises.
- If you suspect someone is in an area of the hospital where he/she should not be, you should question him/her or you should alert Security.
  Answer: True. Do not hesitate to question individuals not wearing an ID badge or to alert Security if you see any suspicious individuals or activities.
Key Points: Patient Rights under HIPAA

Patient rights under HIPAA include the right to:
- Request a restriction on further uses and disclosures of their PHI;
- Request communication by alternative methods or at alternative addresses;
- Access, inspect, or get a copy of their medical record;
- Request an amendment (correction) to their PHI; and
- Request an accounting of certain disclosures.

SCL Health System has policies and procedures in place to support each of these rights.
Key Points: Patient Rights under HIPAA

Prior to disclosing any PHI, you must verify the identity and the authority of the person making the request, if not already known. SCL Health System has policies or guidelines to assist you in this process. In general, depending on how the request is made:
- In person: ask for SCL Health System or government-issued photo ID (such as a driver's license or passport).
- By telephone: ask for several elements of personal information (such as caller name, address, phone #, patient date of birth, last 4 digits of social security number, and date of last visit).
- By fax: faxed requests should be written on official letterhead, and you verify that the fax number matches the fax number on record.
Check Point: Patient Rights under HIPAA

- A patient has the right to request a copy of his/her health record. (True / False)
- A patient does not have the right to request a change to their medical record. (True / False)
Check Point: Patient Rights under HIPAA (Answers)

- A patient has the right to request a copy of his/her health record.
  Answer: True. The right to request a copy of a patient's health record is one of many patient rights under HIPAA.
- A patient does not have the right to request a change to their medical record.
  Answer: False. A patient does have the right to request an amendment (correction) to their PHI.
Key Points: Reporting

You should always report any privacy or security issues. Reporting is key to ensuring SCL Health System is compliant with these important requirements. Options to report issues include:
- Your direct supervisor
- The Care Site Compliance and Privacy Officer
- The SCL Health System Privacy Officer
- The Care Site Information Security Officer
- The Integrity Hotline (anonymous)
- Occurrence Reporting System (Quantros)

There is a non-retaliation policy for reporting any complaint or concern in good faith.

Note: A non-retaliation policy ensures that an employee who reports suspected violations in good faith will not be subject to intimidation, threats, coercion or any retaliatory action.
Reporting Contacts for HIPAA Issues

System Privacy/Security Team
- Donna Moranville, System Privacy/Security Officer
- Howard Haile, Chief Information Security Officer

Care Site Compliance and Privacy Officers
- Exempla Saint Joseph Hospital: Kathy Peeters
- Other Exempla Hospitals/Clinics: Mary Crumbaker/Kathy Peeters
- St. Francis Health Center: David Bowen
- Saint John's Health Center: Jana Fein
- St. James Healthcare: Stephanie Fantini
- Holy Rosary/St. Vincent Healthcare: Patti Boltz
- St. Mary's Hospital & Medical Center: Buzz Binder/Elaine Barnett

See Compliance Page on The Landing for additional contact info.
Check Point: Reporting

- SCL Health System employees may only report issues to their direct supervisor. (True / False)
- There is a non-retaliation policy for any employee who makes a complaint in good faith. (True / False)
Check Point: Reporting (Answers)

- SCL Health System employees may only report issues to their direct supervisor.
  Answer: False. In addition to the direct supervisor, employees may report issues to the Care Site Compliance and Privacy Officer, the SCL Health System Privacy Officer, the Care Site Information Security Officer, or anonymously through the Integrity Hotline.
- There is a non-retaliation policy for any employee who makes a complaint in good faith.
  Answer: True. The non-retaliation policy states SCL Health System will not tolerate retaliatory actions against an employee who reports an issue in good faith.