HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

Similar documents
Patient Privacy and HIPAA/HITECH

HIPAA Orientation. Health Insurance Portability and Accountability Act

HIPAA and Mental Health Privacy:

HIPAA Compliance for Students

2014 Core Training 1

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

HIPAA Compliance Annual Mandatory Education

HIPAA 101: Privacy and Security Basics

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy and Security

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

MCCP Online Orientation

HIPAA 101. March 18, 2015 Webinar

PHI- Protected Health Information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Statement of Policy. Reason for Policy

HIPAA initially went into effect April 14, HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

HIPAA Privacy. September 21, 2013

Guadalupe Regional Medical Center

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

HIPAA Training for Staff and Volunteers

Alliance for Clinical Education (ACE) Student HIPAA Training

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

Metropolitan Living, LLC 151 W. Burnsville Parkway, Suite 101 Burnsville, MN Ph: (952) Fax: (651)

HIPAA Privacy Keys to Success Updated January 2010

The Basics of HIPAA Privacy and Security and HITECH

HIPAA Training for Hospice Staff and Volunteers

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

8.03 Health Insurance Portability and Accountability Act (HIPAA)

Can Your Diocese Afford to Fail a HIPAA Audit?

HIPAA and Privacy Policy Training

Health Information Privacy Refresher Training. March 2013

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

Protecting Patient Privacy It s Everyone s Responsibility

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

Department of Health and Human Services Policy ADMN 004, Attachment A

HIPAA Policies and Procedures

By the end of this course you will demonstrate:

C.T. Hellmuth & Associates, Inc.

TABLE OF CONTENTS. University of Northern Colorado

Information Security and Privacy. WHAT are the Guidelines? HOW is it to be done? WHY is it done?

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians

HIPAA In The Workplace. What Every Employee Should Know and Remember

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Information Security and Privacy. WHAT are the Guidelines? HOW is it to be done? WHY is it done?

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA ephi Security Guidance for Researchers

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA Privacy and Security

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

TriageLogic Information Security Policy

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

HIPAA OVERVIEW ETSU 1

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Sarasota Personal Medicine 1250 S. Tamiami Trail, Suite 202 Sarasota, FL Phone Fax

University of Cincinnati Limited HIPAA Glossary

Montclair State University. HIPAA Security Policy

Virginia Commonwealth University Information Security Standard

HIPAA PRIVACY AND SECURITY AWARENESS

Bradley D. Powell, PhD NOTICE OF PRIVACY PRACTICES: Effective June 1, 2004

HomeCare Rehab and Nursing, LLC (HCRN) (DBA - Baker Rehab Group) Notice of Privacy Practice

HIPAA Privacy & Security Health Insurance Portability and Accountability Act

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

HIPAA PRIVACY POLICIES & PROCEDURES. Department of Behavioral Health and Developmental Services DBHHDS GENERAL AWARENESS TRAINING

Authorized. User Agreement

Jeff M. Bauman, Psy.D. P.A. and Associates FLORIDA-HIPAA PRIVACY NOTICE FORM

HIPAA BUSINESS ASSOCIATE AGREEMENT

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Table of Contents INTRODUCTION AND PURPOSE 1

HIPAA Security Rule Compliance

HIPAA and Health Information Privacy and Security

PRIVACY BREACH POLICY

HIPAA Privacy & Security Rules

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

OCR/HHS HIPAA/HITECH Audit Preparation

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

HIPAA Business Associate Agreement

COMPLIANCE ALERT 10-12

NORTH CAROLINA COMMUNITY CARE INC. Privacy Policy Manual

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

HIPAA/ HITECH HEALTH INSURANCE PORTABILITY ACCOUNTABILITY ACT. and. Health Information Technology for Economic and Clinical Health Act.

HIPAA Security Training Manual

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Client Privacy Notice (HIPAA)

Transcription:

HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees

WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act. It is a Federal Law that protects consumer's health information from people who aren't involved in the consumer's direct treatment. HIPAA covers virtually all Protected Health Information (PHI). This includes information in any format including written, electronic, or oral.

PRIVACY AND CONFIDENTIALITY Privacy is the right of an individual to decide how much, when, and in what manner personal information can be shared with others. Confidentiality - As a professional you are legally and ethically required to make sure that consumer information communicated to you stays private and confidential.

WHAT IS PHI? PHI stands for Protected Health Information and is any health information that may identify the consumer. There are 19 identifiers and any health information that includes even one identifier is PHI and is protected by HIPAA.

19 PHI IDENTIFIERS 1. Name 2. Address 3. Dates directly related to the consumer 4. Telephone number 5. Fax number 6. Email address 7. Social Security Number 8. Medical Record Number 9. Health Plan Beneficiary Number 10. Case Number 11. Certificate/license number 12. Vehicle or device serial number 13. Web URL 14. IP Address 15. Finger or Voice Prints 16. Photographic images 17. Any other unique identifying number, characteristic or code 18. Age greater than 89 19. Genetic Information

HIPAA PRIVACY RULES Consumers have the right to inspect and receive copies of their health information. However, if a health care professional believes that the information could be harmful the consumer can be denied access. Consumers can also request an amendment or restrictions.

HIPAA IS INTENDED TO PROTECT THE USE AND DISCLOSURE OF PHI Disclosure means the release, transfer, or divulging in any manner of PHI to anyone outside of SCCMHA. All disclosures require consumer authorization except the following: Treatment (including coordination of care and referrals to other providers) Payment (activities related to reimbursement) Operations (training programs, accreditation, credentialing, and quality improvement activities) When required by law (suspected abuse or neglect) Use means the sharing of PHI within the SCCMHA community and should follow the Minimum Necessary Rule.

MINIMUM NECESSARY RULE The minimum necessary rule is a very simple concept: When performing a task only disclose the minimum amount of PHI necessary. For example, it is not necessary to release a consumers address, phone number, list of medications, medical record number, and diagnosis, if the requester only needs the diagnosis.

NOTICE OF PRIVACY PRACTICES Our Notice of Privacy Practices must be posted in a common area where consumers can see it and must also be handed out at the earliest possible appointment. Each employee should read and understand the agency s Notice of Privacy Practices.

PROTECTING CONSUMER PRIVACY BY EMPLOYEES SCCMHA has policies and procedures in place to make sure that all staff have appropriate access to electronic PHI to perform their jobs. SCCMHA is obligated to take measures to prevent inappropriate access. All staff have the responsibility to be familiar with and follow these policies and procedures to protect PHI.

NEED TO KNOW This requires that employees access and share private consumer information only on a need to know basis as part of their job duties. Employees should only view information related to the job they are doing. Under no circumstances should employees access a consumer s clinical record unless they need the information to perform their job duties. Snooping is against agency policy and could result in suspension or termination. SCCMHA monitors the access of consumer clinical records on a regular basis to ensure this policy is being adhered to.

HIPAA SECURITY RULE The HIPAA Security Rule sets standards to specifically safeguard Electronic PHI (EPHI) This rule covers the physical protection of the clinical records, as well as the policies and procedures regarding access to those records. SCCMHA must take all necessary precautions to ensure that confidential consumer information remains secure.

HIPAA SECURITY RULE Administrative Safeguards require SCCMHA to: Adopt a written set of privacy policies and procedures Have data back up and disaster recovery procedures Conduct internal audits to identify potential security violations Have a process for addressing and responding to security breaches

HIPAA SECURITY RULE Physical Safeguards: The Security Rule requires that SCCMHA implement policies and procedures to limit physical access to the paper clinical chart. We must also limit physical access to the facility in which they are housed while ensuring that authorized access is allowed. SCCMHA must also address workstation use including removal of information from high traffic areas and repositioning of monitor screens.

HIPAA SECURITY RULE Technical Safeguards: The Security Rule also requires that SCCMHA implement policies and procedures to limit and control access to the electronic information systems that maintain electronic PHI (ephi). We must also ensure that electronic data has not been changed or erased in an unauthorized manner.

PORTABLE MEDIA Portable media including USB flash or thumb drives, CD s, laptops, smart phones, and ipads, are extremely convenient but also present a tremendous security risk. Whenever possible portable devices should be kept secure at the office where physical security protections are better. Portable devices should be encrypted and password protected. Avoid keeping PHI on portable devices that must leave the office. If a portable device containing sensitive information is lost or stolen, report it immediately to the privacy or security officer.

HIPAA SECURITY RULE Any system is only as secure as its weakest link. In may cases a security problem can be fixed with a simple change in your own behavior or a gentle reminder to a colleague. However, if you find a problem that you cannot correct contact the Privacy or Security Officer. There are policies and procedures in place to control physical access to sensitive equipment including computers, printers, faxes, etc. However, be sure to keep keys and badges in a safe place and notify the facility manager immediately about anything that is lost or stolen.

CONSUMER RIGHTS Consumers must be given a notice of privacy practices at the first possible appointment. Consumers may review the notice prior to signing the consent. If consent is not obtained due to emergency or communication barriers it must be obtained as soon as feasible.

CONSUMER RIGHTS Consumers have the right to request restrictions on use and disclosure of PHI. Consumers have the right to access and amend their PHI. Consumers have the right to file a complaint with the Privacy Officer, the Security Officer, or the Secretary of the United States Department of Health and Human Services. Consumers have the right to receive a list of PHI disclosed for the 6 years prior.

BEST PRACTICES FOR ENSURING PRIVACY Only access consumer information you need to do your job limit to minimum necessary. Keep consumer records and other documents containing PHI out of sight. Remove faxes containing PHI or other confidential information. Documents with PHI must be placed in a shredding bin or shredded when no longer needed. Do not talk about consumers in public areas or where you could be overheard. Protect your computer with alpha-numeric passwords you should never share or write down your password.

BEST PRACTICES FOR ENSURING PRIVACY Do not include PHI in an email unless it is encrypted or you are using a secure email system (secure desktop). Log off the computer and any other open files when not in use. Keep computer screen out of direct sight of others or use a privacy screen as necessary. If you see any staff violating these best practices give them a helpful reminder don t just ignore it. If appropriate report problems or violations to the privacy or security officer.

SANCTIONS / ENFORCEMENT Fines/ Penalties Fines for HIPAA violations rage from $100 to $50,000 per violation and up to $1.5 million per calendar year. Sanctions for employees breaching confidentiality range from consultation to termination, depending on the breach

BREACH NOTIFICATION If a consumer's health information is breached, SCCMHA must do the following: Notify the consumer within 60 days of the discovery. Notify the media and the Secretary of Health and Human Services (HHS) if the breach involves more than 500 consumers. If the breach involves fewer than 500 consumers, SCCMHA must keep a log and submit it to the Secretary of HHS on an annual basis. Notify our affiliation - AAM (PIHP).

IDENTITY THEFT Medical identity theft is the most common type of identity theft in our country. To prevent identity theft the Federal Government issued the Red Flag Rule. This affects all consumers who make payments to our agency or arrange for payment to be made to our agency through an insurance company. It is a preventative measure to ensure that our consumer's identities are not being stolen.

PREEMPTION OF HIPAA RULES According to HIPAA health care agencies need to follow HIPAA rules or state laws, whichever is more stringent. In the case of SCCMHA we follow HIPAA and the Michigan Mental Health Code to protect our consumer's privacy.

WHO TO CONTACT If you have questions or need to report a HIPAA violation, please contact: Privacy Officer - Debie Hoenshell (989) 723-0870 privacyofficer@shiacmh.org Security Officer Doug Meylan (989) 723-0790

CONGRATULATIONS! You have finished the materials for this course. Remember to complete the test and survey to have this course marked as complete.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information