Transcript hipaa - Optima Health

HIPAA FOR THE
WORKPLACE 2012
COURSE GOAL
The goal of this training is to help
ensure that all Optima employees are
prepared to protect the privacy and
security of our members’ health
information.
LEARNING OBJECTIVES
After review of this training and successful
passing
completion of the quiz, you will be able to:
• Discuss the 3 different Acts that comprise
the Administrative Simplification regulation;
• Demonstrate comprehensive understanding of
privacy and security measures for our members; and
• Understand how to prevent, identify and report
violations or breaches.
HIPAA OVERVIEW
• The Privacy Rule governs who has access to protected
health information (PHI).
• The Security Rule specifies a series of administrative,
technical and physical security procedures to assure the
confidentiality, integrity and availability of ePHI.
• The American Recovery and Reinvestment Act (ARRA)
goal is to establish secure electronic health records for
all Americans by 2014.
• The Health Information Technology for Economic
and Clinical Health Act (HITECH)
• ARRA/HITECH brings changes to the
HIPAA regulations in 3 categories:
– Breach notification
– Business Associate responsibilities
– Penalties
HITECH and ARRA RULES
HITECH is designed to encourage health care
providers to adopt health information technology in
a standardized manner and to protect private
health information.
ARRA is the direct result of modifications in the
HIPAA Privacy, Security and Enforcement Rules
and strengthens health information privacy and
security protections. ARRA specifically addresses:
– Breaches
– Electronic Health Records(EHR)
– Personal Health Records (PHR)
THE PRIVACY RULE
The Privacy Rule is designed to protect
individuals’ health information (PHI) and
allows individuals to:
•
•
•
•
•
get a copy of their medical records
ask for changes to their medical records
find out and limit how their PHI may be used
know who has received their PHI
have communications sent to an alternate location or by
an alternate means
• file complaints and participate in investigations
GUIDELINES FOR USING &
DISCLOSING PHI
You may disclose information, without a member’s
authorization, to the appropriate authorities:
• if required by law, court order, etc.
• to public health officials, FDA, etc.
• for abuse or domestic violence
• to help law enforcement officials
• to notify of suspicious death
• to provide information for workers’ compensation
• to assist government actions
• to help in disaster relief efforts
• to avert a serious threat to health or safety
• for health oversight activities
YOUR RESPONSIBILITIES
You are required to:
• disclose PHI – limit the information you share with a
person to what he or she needs to know
(“minimum necessary” guidelines)
• use PHI according to HIPAA-approved
guidelines for access, accounting, amendment,
and restriction of PHI
• only access the PHI necessary to complete your
job duties
• maintain confidentiality & security of member
information at all times
ALTERNATE ADDRESS
Members and Personal Representatives have the right to
request alternate confidential means of receiving
communications that includes PHI.
Send the completed request to the Director of Compliance:
• Must be in writing
• Must indicate the alternate address or
specifications for the alternative means of
communication
• Must be signed
• If requestor is a Personal Representative, must provide
legal proof of their authority to represent the
Member
VERIFICATION FOR
RELEASE OF PHI
• Prior to making any verbal disclosures of PHI, you must
verify the requestor’s identity by asking several
identifying questions, i.e., address, birth date, member
number, etc.
• You may discuss billing questions, benefit information,
etc. without having an Authorization form signed.
• Protected health information may be given to
custodial parents, adults acting in Loco
Parentis, emancipated minors, Designated
Representatives and Designated Agents as long
as an authorization and/or legal documents are
on
file.
MENTAL HEALTH and
SUBSTANCE ABUSE
• Federal law protects all information about a
member with a current or past diagnosis of
substance abuse and/or mental disorder.
• These laws override the HIPAA laws.
• Protected health information cannot be disclosed
without a signed authorization.
• Limited mental health information can
be discussed with a minor’s custodial
parent.
MINORS
• Federal and State Laws protect Minor’s (under the age of
18) health care rights.
• Staff may discuss a minor’s health information
with custodial parents except for:
– Pregnancy and family planning
– Sexually transmitted diseases
– Substance abuse
– Mental health, if treatment consent given by minor only
• All discussions should be limited to the minimal amount of
information necessary to resolve the question.
• If unsure about procedures for releasing information, seek
advice from your supervisor or the Compliance
Department.
EMAILS
In your daily job responsibilities, email is used to
communicate with staff, members, providers and vendors.
Remember:
• Emails about members should only be shared
with those who have a need to know this
information in connection with their specific
job function(s).
• Emails sent externally should be encrypted.
• The Email system cannot be used by employees to express
discriminatory views, threaten or harass employees or
to advertise information that brings personal
or financial gain.
ENCRYPTED EMAIL
ENCRYPTED EMAIL PROCESS for messages to an
external email user (non-Sentara):
• The sender needs to insert [secure] in the subject
line.
• The recipient(s) needs to register for an
IRONPORT (POSTX) mailbox to receive/view the
message.
• The message never leaves Sentara’s Network in an
email format, therefore it is only viewed as a web
page over https.
FAXES
• Avoid faxing confidential information. If you send a
fax to an incorrect number, report the incident
immediately to your Supervisor or Manager.
• Verify fax numbers prior to transmission to ensure
the fax will be going to the correct person.
• Use the Optima Health Fax Cover Sheet located
on Wavenet.
• The Fax Cover Sheet should contain a confidentiality
notice requesting notification if the fax went to the
wrong person.
PRIVACY/SECURITY
BUSINESS ASSOCIATES (BAs)
• Performs services to/for Optima Health that
involves the use or disclosure of member PHI.
• Optima Health Business Associate Agreement (BAA)
requires specified written safeguards for PHI.
• ARRA requires BAs to comply with all the same
regulations as Optima Health.
• Optima’s Business Associates have the same
penalties for violations as Optima.
• Business Associate Agreement (BAA)
must be included with contract.
THE SECURITY RULE
The Security Rule is designed to keep secure
the transfer and storage of electronic
health information (ePHI) by enforcing:
• Administrative Procedures: These measures manage the
selection, development, implementation and maintenance
of security measures and include workforce security,
security training, policies & procedures.
• Technical Safeguards: The technology that protects
ePHI and controls access and transmission security.
• Physical Safeguards: Physical measures to protect the
electronic information systems and related buildings and
equipment from natural and environmental hazards and
unauthorized intrusion.
PROTECTING ePHI
Every organization has its own rules for internal and
external storing and transferring of information,
also known as EDI (electronic data interchange).
You are required to:
- use passwords
- log off computer systems when you leave
your desk
- turn monitors so that they are not visible
to others
- dispose of disks and CDs properly (Contact the
IT Dept for disposal assistance)
- always save PHI to shared directory – not
personal drives
WHAT IS A BREACH?
A breach is defined as the acquisition, access, use
or disclosure of unsecured PHI which is not
permitted by the HIPAA Privacy Rules and which
compromises the security or privacy of the PHI.
– Unsecured PHI is any member health
information that is not secured through
encryption or an approved destruction process
that renders the PHI unusable, unreadable or
indecipherable to unauthorized individuals.
– PHI can be in any form or medium including
electronic, paper or oral.
HITECH BREACH CHANGES
When a breach is identified, Optima Health is to
notify each individual whose unsecured PHI has
been, or believed to have been accessed, acquired
or disclosed.
Business Associates must notify Optima as well as
the individual whose PHI was disclosed.
The first day the breach is discovered, or
there is reason to suspect that a breach
has occurred, is counted as the first day.
Required notifications must occur without
unreasonable delay (no more than 60
calendar days after discovery).
REPORTING HIPAA VIOLATIONS
OR BREACHES
• If a HIPAA violation, breach or possible breach occurs,
complete the Member Disclosure Tracking Form and the
HIPAA Breach Form.
• Give it to your supervisor who will send it to the
Director of Compliance.
• Reports may be made without fear of intimidation,
coercion, threats, retaliation, or discrimination.
• If you have questions about the Privacy Rule and how it
affects your job, talk to your supervisor, compliance
personnel or call the Sentara Integrity Hotline at
1-800-981-6667.
• Be sure to notify your supervisor and/or the
Director of Compliance even if you are not
sure the error is a breach.
OPTIMA BREACH HISTORY
2010
2011
21
32
Sent to wrong provider/group/Business Associate
4
8
Sent to wrong member
5
6
Email violation
2
6
Fax violation
1
8
Encryption violation
4
2
Physical security/equipment violation
5
2
Remedial action: PHI returned/destroyed
7
20
Remedial action: staff training
10
9
Remedial action: computer/physical security enhanced
2
4
Remedial action: staff disciplinary action
0
0
TOTAL BREACHES/VIOLATIONS
This is the end of the 1st
Module of the 2012 Optima
Health Compliance Course.
Please begin Quiz #1.
Thank you!