By the end of this course you will demonstrate:

1. that HIPAA privacy rules protect the privacy and security of confidential information.
2. your responsibility for the use and protection of protected health information (PHI), including the electronic health record.
3. an awareness of fines and penalties for privacy violations.
4. that you must not put a client* name or any PHI in an email subject line.
5. that you must not post PHI to social media.
6. how to report an actual or suspected Privacy Breach.

* The term "client" includes patients and long-term care residents.

Recent Privacy Violations:
- Backpacks and laptops with PHI stolen from locked cars
- Briefcases/packets with PHI stolen while out in public
- Client information and memorials posted on internet blogs
- PHI sent insecurely on electronic devices such as unencrypted cell phones, PDAs, flash drives, or personal email
- Misdirected emails, faxes, and mail
- Emails, faxes, and mail sent without the required DPH cover sheet
- Lost charts
- Unauthorized access to electronic client records
Result: expensive fines to DPH

HIPAA is the Health Insurance Portability and Accountability Act. HIPAA is a federal privacy law that:
- protects client privacy and only allows sharing of protected information for the purposes of:
  - Treatment
  - Payment
  - Operational purposes (such as quality management and risk management)
- requires that information sharing be kept to the minimum amount of information necessary to do our jobs; this is known as the "minimum necessary" rule
- identifies fines and other consequences for violations
California has additional laws: we are held to the strictest standard.

These laws apply to institutions and individuals.
- Unauthorized access includes the inappropriate viewing of client medical information without a direct need for diagnosis, treatment, or other lawful use, OR the loss of client medical information, whether in paper or electronic format
- Licensed facilities are required to report known or suspected Privacy Breaches within 5 days to the California Department of Public Health (CDPH)
- Licensed facilities must also notify the affected client(s) within 5 days after breach detection

YOU are responsible for following SFDPH policies and procedures to protect the privacy and security of information.
- Random audits for inappropriate access are regularly conducted
- Contractors and Business Associates of DPH must comply with all privacy laws, and there is direct liability for noncompliance
YOU MUST report known or suspected Privacy Breaches to your Privacy Office immediately.

Privacy violations may carry penalties under federal HIPAA, state privacy laws, and DPH policies:
- HIPAA criminal penalties: $50,000 - $1,500,000 in fines and imprisonment up to 10 years
- HIPAA civil penalties: $100 - $25,000/year in fines, and more fines for multiple-year violations
- The 2009/2013 federal HITECH (Health Information Technology for Economic and Clinical Health) laws added even stricter penalties
- State laws: fines and penalties apply to individuals and institutions, up to $250,000
- Violations may jeopardize an individual's professional license
- Various DPH disciplinary actions, up to termination

PHI is information that can be individually identified as belonging to a particular person, either living or dead:
- Personal identifiers (name, medical record number, etc.)
- Health status
- Care received
- Payment for services
- Demographics (age, gender, zip code, etc.)
Protections apply to all types of communication:
- Verbal
- Paper documents
- Electronic data
An individual's privacy rights continue after the person's death.

Client Rights: Notice of HIPAA Privacy Practices
Every client is provided with the DPH Notice of HIPAA Privacy Practices upon admission. What the HIPAA Notice does:
- Informs the client that DPH may use and disclose PHI without the client's authorization ONLY for treatment, payment and health care operations
- Advises the client of their right to ask to see, read and obtain a copy of information used to make decisions about their care
- Provides information about how to file a complaint if they feel their privacy rights have not been maintained
- Gives the client the opportunity to sign the Notice
Clients of Mental Health services must be given the Notice annually.

Client Rights: Access to the Health Record
- The Health Record is the property of the facility
- Clients can request a copy of their Health Record through Medical Records
- DO NOT give out any part of the health record on your own
- Even if you are subpoenaed, ONLY the Medical Records staff can release the requested records

We can share the minimum necessary information with those that have a need to know for purposes of Treatment, Payment, or Operations, including:
- Diagnosis and treatment
- Referrals
- Coordination of health care with any health provider in any discipline who has medical or psychological responsibility for the client
Follow the DPH Privacy Matrix when deciding to share PHI.

DPH Privacy Policy Matrix
(* including knowledge of Mental Health, Substance Use/Abuse, HIV/AIDS, STD)

| Description of PHI | Who may disclose it? | Who may receive it? |
| --- | --- | --- |
| General Health* | General Health Provider | Patient's providers and providers' staff for the purpose of treatment, diagnosis, or referral |
| Mental Health* | Mental Health Provider | Any healthcare provider (any discipline) "who has medical or psychological responsibility for the patient" |
| Drug/Alcohol Treatment Program* | Drug/Alcohol Treatment Program Provider | Only another member of the client's treatment team WITHIN the specific drug/alcohol treatment program. Exception: a medical emergency |
| HIV/AIDS CCSF Health Service Provider Network* | HIV/AIDS CCSF Health Service Provider | Only another HIV Health Service provider who registers the client in the ARIES database |

All other circumstances require signed authorization.

A signed Authorization for Release and Disclosure of PHI is required before sharing:
- For any purpose other than Treatment, Payment or Operations
- Before a Substance Abuse Treatment program may share PHI outside their own program
- Before City and County of S.F. HIV Health Services providers may share PHI with providers outside of the ARIES system (used by HIV Health Service providers)

Disclosures to family, relatives, friends
- No information may be disclosed to a family member, relative, or close personal friend regarding treatment or health status
- Get written authorization from the client prior to sharing any information about mental health, substance abuse, sexually transmitted disease, HIV/AIDS, or developmental disabilities

If the client is a minor:
- Authorizations to release PHI must come from the parent/legal guardian
- If the services fall under the DPH Minor Consent Policy, the minor may authorize disclosures
- Authorizations are NOT required for minors who are dependents or wards of the court when the information is used for purposes of coordinating care with:
  - county social workers
  - probation officers
  - another person legally authorized to have care and custody of a dependent or ward of the court

Special Case for Public Health Activities
In conducting certain limited Public Health Activities, authorized DPH staff may access PHI without individual authorization, including for the purposes of:
- reporting of disease, injury, and vital events (e.g., birth or death);
- conducting public health surveillance, investigations, and interventions (e.g., outbreaks, partner elicitation and notifications); and
- providing the SF Medical Examiner information needed to carry out duties authorized by law.
Contact the Privacy Office if you have questions.

- All DPH staff must refer media requests to the Public Information Officer
- DPH programs should not release or publish identifiable photos, videos or any other information about clients with diagnoses or services for mental health, substance abuse, or HIV/AIDS, even if the client authorizes or requests you to do so
- This policy applies to media in any publication, brochure, and training materials
- PHI may NOT be used for marketing or fundraising

- Do NOT access records of employees, even if they ask you or give you permission, unless authorized to do so as part of your job
- If authorized to access employee PHI as part of your job, the minimum necessary and confidentiality rules still apply
- Employees are prohibited from accessing their own records and the records of family members

Data Security Policies
Guiding Principle: You are responsible for protecting the data, information, workstations, and portable electronic devices used in your job from:
- LOSS
- DAMAGE
- MISUSE

All staff are required to follow DPH Data Security Policies:
- Log off anytime you leave your computer unattended
- Do not allow others to use a computer under your log-on
- Place your monitor so it cannot be read by unauthorized persons
- Be present at the fax and printer when documents print out
- Discard documents with PHI only in the confidential bin/shredder
- Never recycle documents with PHI or re-use them to save paper

- Use complex passwords and change passwords regularly when using DPH computer systems
- Do not share passwords, even with IT or your supervisor
- Do not store passwords where anyone else might discover them
- If you feel you must write down your password to remember it:
  - Keep it under lock and key
  - Do not label it "password"
  - Write only a hint that will remind you of the password

- Never put personal identifiers of a living or dead client in the subject line of an email
- Always confirm the recipient's email address before sending PHI
- Email only the minimum necessary, and only between DPH or UCSF providers with a need to know (i.e. emails ending in sfdph.org or ucsf.edu)
- Never send PHI to personal or home emails such as gmail
- Always put the official confidentiality statement as a permanent signature statement for all of your emails
- Emails to clients are limited to appointment reminders; put the client email address in the BCC: line to avoid inadvertent disclosure
- For SFGH and LHH only: type the word "Secure:" in the subject line for any email containing PHI

If you receive an email that does not follow DPH policies:
- Call or email the sender to respectfully let them know
- Never choose "reply to all"
- Never forward it to others unless it is to refer the email to the Privacy Office for follow-up; in this case, make sure you remove any PHI from the subject line

Electronic devices present new challenges to privacy and confidentiality:
- DPH prohibits the storing or use of client data on privately owned portable devices, such as cell phones, flash drives, memory sticks, and laptops
- All portable devices issued by DPH or UCSF must be encrypted or have a security token
- When traveling, keep portable devices with you at all times and guard against theft or loss
- Loss of a device with PHI that is not encrypted is a reportable privacy breach, even if the loss occurs in another city or state
- Have I.T. staff render PHI on devices unreadable before discarding or recycling the device

When you participate in personal blogs/social media, remember:
- Never share any client information or share details of a client situation that you have experienced from your work
- Never post pictures of clients
- Posting of client information or sharing details of a client situation can result in a privacy violation which may subject you to disciplinary action, individual fines and penalties, and professional sanctions which could impact your professional license
- Social media includes Twitter, Facebook, blogs, etc.

Research Data
- HIPAA regulates how PHI may be obtained and used for research. This is true whether the PHI is completely identifiable or partially de-identified in a limited data set
- A researcher or health care provider cannot use PHI in research without the appropriate HIPAA documentation, including authorization or an IRB-approved waiver
- Research that proposes to use SFDPH sites or recruit clients from SFDPH programs must be approved in advance by the appropriate SFDPH Administrator and by an IRB
- Researchers must abide by the SFDPH Conduct of Research Policy: http://www.sfdph.org/dph/files/hipaadocs/privacypolicies/hIPAAPrivacyConductResearchPol051311.pdf

- Any actual or suspected breach must be reported to your Privacy Office immediately
- You may also report anonymously to the DPH Privacy Hotline at 415 206-2354
- DPH has a non-retaliation policy for employees that register complaints

Privacy Office contacts:

| NAME | REPRESENTING | PHONE |
| --- | --- | --- |
| Alice Gleghorn, Lorraine Killpack | Community Programs/Population Health Division | 415 255-3722, 415 255-3732 |
| Jill LeCount | Laguna Honda Hospital | 415 759-4500 |
| Maggie Rykowski | San Francisco General Hospital Campus | 415 206-4294 |
| Joe Goldenson | Jail Medical Services | 415 995-1701 |

DPH Privacy and Data Security Policies: http://www.sfdph.org/dph/comupg/oservices/medsvs/hipaa/default.asp

Link to the official DPH cover sheet for ALL faxes and mail: http://www.sfdph.org/dph/files/hipaadocs/privacypolicies/formphicvrSht4FaxInterofficeyMailAdopted05132010.pdf

SFDPH email confidentiality statement to copy and paste into your permanent signature line:

"This message and any attachments are solely for the intended recipient and may contain confidential information. If you are not the intended recipient, any disclosure, copying, use or distribution of this message and any attachments is prohibited. If you have received this communication in error, please notify sender by reply e-mail and immediately and permanently delete this message and any attachments."

Before completing and receiving credit for the Annual Privacy and Security training, you MUST:
1. Read and sign the User Confidentiality, Security, and Electronic Signature Agreement (this form can be downloaded from the DPH website): http://www.sfdph.org/dph/files/hipaadocs/privacypolicies/form-ConfidSecElecSigAgrmnt06252010.pdf
2. Take and pass the Annual Privacy Quiz
3. Give your Privacy Certificate to your supervisor

SFDPH values patient privacy as an important part of our mission to provide quality healthcare and trauma services with compassion and respect. Thank you for helping us protect the privacy and security of our patients and staff.