Transcript: HIPAA

Introduction to the
HIPAA Information
Privacy and Security Rule
2012 Update
“What is it, and how does it affect me?”
CPC Multi-Specialty Group
Page 1



• The misspelling of the name of a large animal often seen at the zoo?
• A secret code word meaning “Let’s go nuts and drive ourselves crazy”!
• A new set of Federal Regulations which health care facilities had to comply with beginning on April 14, 2003
Page 2


Health Insurance Portability and Accountability Act of 1996
One set of Federal Health Care regulations with many parts:
• Insurance Portability
• Privacy
• Security
Page 3



• Before you look at any patient health information (PHI), ask yourself, “Do I need to know this to do my job?”
• Follow CPC’s procedures for disposing of patient medical and financial information
• Tell your supervisor if you see patient information in an open trash container
Page 4

Protected Health Information (PHI)
Information related to any healthcare provided to a person. This includes demographic information that can be used to identify the patient. Information that can be used in some manner to identify the person (e.g. social security number) is also considered PHI.
Page 5
◦ Tornado, Hurricane, Flood, and Tsunami
◦ Credit Card and Identity Theft
◦ Accusations of Falsified Records
Page 6
Under the HIPAA Privacy Regulations, patients have the right to:
• Receive the Notice of Privacy Practices
• Request an amendment to their PHI (Protected Health Information)
• Inspect and request a copy of their PHI
• Know to whom their information is being disclosed in certain situations
• Request restrictions on use and disclosure of their PHI
• Request confidential communications of their PHI

Page 7
◦ Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
◦ Protect against any reasonably anticipated uses or disclosures of such information that are not permitted under the Privacy Rule.
◦ Ensure compliance by the CPC workforce.
Page 8
Integrity: PHI or EPHI is not altered or destroyed in an unauthorized manner.
Availability: PHI or EPHI can be accessed as needed by an authorized person.
Confidentiality: PHI or EPHI is accessible only by authorized people and processes when needed.
Remember, it is a “Need to Know”… not a “Curious as to what happened”.
Page 9





The HIPAA information security standards have four primary areas of focus:
• Administrative Safeguards: Steps taken to manage and oversee security processes and promote compliance with the HIPAA Security Rules
• Physical Safeguards: The actual hands-on access to computer hardware, restricted areas, and CPC facilities
• Technical Safeguards: Processes to identify the level of access and type of information individuals are permitted to open and see on the computer systems
• Documentation Requirements: Policies and Procedures that are put in place to support the Security Requirements
Page 10





• Assigned a privacy officer/privacy manager
• Developed written policies and procedures for employees to follow
• Provided privacy training to all employees
• Providing a way for patients and others to file complaints
• Providing discipline for employees who don’t follow the privacy practices
Page 11
The Notice of Privacy Practices contains:
• An explanation to our patients of how their Health Information is used and disclosed
• An explanation of patient rights as defined by the HIPAA privacy regulations
The Notice of Privacy Practices is:
• Available in a paper copy
• On the CPC web site
Page 12





• Provide a copy of the privacy notice to all patients
• Allow the patient an opportunity to ask any questions he or she may have
• Obtain the patient’s acknowledgement of receipt of the privacy notice
• Retain the acknowledgement of the privacy notice
• In an emergency, we document the reason and give the patient a copy of the notice at a later time
Page 13
• Treatment
• Payment
• Healthcare Operations
Page 14

Communication between health care providers for the purposes of treatment:
◦ Between physicians and nurses
◦ Between facilities
◦ Between the facility and other providers, including physicians
• Does not require authorization
Page 15


Communication between the facility and a payer, usually a health insurance company, to pay for the treatment of services rendered by the facility on behalf of the patient
• Does not require an authorization
Page 16

Information used to perform certain business functions at CPC:
◦ Management and administration
◦ Health care insurance contracting
◦ Quality management
◦ Case management
◦ Health care agency oversight
◦ Accrediting organizations
• Does not require an authorization
Page 17





• As required by law
• For public health activities as related to victims of abuse, neglect or domestic violence
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes under certain circumstances
• Organ, eye or tissue donation purposes
• Research purposes
• To avert a serious threat to health or safety
• Specialized government functions
• Workers’ compensation
Page 18






• To an attorney
• To schools
• To physicians not treating you during your admission
• To supplemental insurance companies
• To the patient and/or family member
CPC requires a valid ID from each patient before releasing the records to the patient
Page 19
◦ Assignment of the HIPAA Information Security Officer and the supporting security team
◦ Making sure only the appropriate people have access to our systems, applications, and data
◦ Establishing education requirements for keeping our workforce trained and informed
◦ Putting methods in place for reporting and tracking security incidents
◦ Contingency planning to ensure CPC can continue operation in case of an emergency
◦ Business Associate Agreements
Page 20

The Information Security team includes:
◦ Chief Compliance & HIPAA Privacy Officer and IT Security Manager: Leah Hassell
◦ Representation from Administration, Human Resources and CPC Physicians
Page 21

Under HIPAA regulations, we are required to trace who is accessing what records, and at what time, for all our systems containing EPHI.
◦ To ensure that only the correct people have access to systems, applications and data, user IDs, passwords, and access to systems and software are carefully given and monitored.
◦ User IDs and application access must be requested by supervisors and managers only.
◦ When an associate leaves CPC or changes jobs, supervisors must inform the Privacy Team.
Keep system access “Need to Know”!
Page 22

We are also required to keep our workforce trained and informed on HIPAA Privacy and Security and any changes that may come up. You will…
◦ Be required to annually complete an online refresher course or attend a training session.
◦ Be trained on any privacy and/or security issues associated with any application software or computer systems you will use in your daily work.
◦ Receive regular reminders about privacy, confidentiality, viruses, keeping passwords secure, and any attempts to break into CPC systems or software.
Keep aware… don’t read about yourself in the newspaper!
Page 23

As well as having our computer systems monitor any data activities, we also must have a way for our people to report any suspicious activity.
• Call Administration
• Contact any Compliance Team member
Keep us aware… so we don’t read about each other in the newspaper!
Page 24

It is important to ensure CPC can continue operation in the event of an emergency. This means making sure we have:
◦ Disaster recovery plans for all systems and all facilities
◦ Backups of all our data and systems
We highly recommend using My Documents as the folder for all your local application files. That will help us implement a new backup methodology that is coming soon.
Store your local files in My Documents to help us keep your systems backed up.
Page 25

Cartoon copyrighted by Mark Parisi, printed with permission.
Page 26



All relationships that we have with vendors, temporary agencies, contractors, etc. that involve the access and/or exchange of EPHI are covered under special documents called Business Associate Agreements (BAA).
It is very important that these documents be in place for any Business Associates that will be given access to patient information.
If you are unsure whether a BAA exists, please ask your Operations Manager.
Before you distribute EPHI, make sure it is covered… with a BAA!
Page 27

Facility access deals as much with personal security as it does with system security:
◦ CPC policy requires that you wear your badge at all times.
◦ If you are unsure who someone is or why they are in your area… ask. They will be happy to tell you if it is a valid reason.
◦ Keep doors and closets closed and locked. If you see a door open that shouldn’t be, contact your facility security. Also, keep any filing cabinet locked if it contains PHI.
The best question you can ask to keep us all safe and secure… “May I Help You?”
Page 28


By now, we are all used to keeping patient charts and printouts away from easy viewing… And now we all use computers to look up a lot of the same information and enter the same data about our patients.
The same care we take with patient charts is important for electronic systems too!
◦ Turning a monitor a bit so it can’t be easily seen by someone standing at the nurses’ station.
◦ Putting a printer or fax machine in a different place, so someone can’t walk by and pick up the output.
If it was the patient’s chart, how would I protect it from being seen?
Page 29
◦ Every CPC employee will be assigned a unique User ID when they are hired.
◦ It is the supervisor’s duty to determine what system access is needed by the associate, and to apply for it.
◦ Close your application session to log off when you are done… You don’t want others to enter data using your ID!
◦ Do not change the default settings for automatic logoff on any PC. These settings are mandatory under HIPAA regulations.
Remember… your User ID is like your unique fingerprint in the system.
Page 30

We are required to ensure all transactions in our systems have not been altered or destroyed by unauthorized means:
◦ System transactions are logged and can be traced back to the User ID.
◦ You are responsible for any data changes or deletions made with your User ID.
◦ Make sure that you log off each terminal when you walk away from it.
Don’t let other users make you responsible for their errors… LOG OUT!
Page 31

The other part of your unique system access is your password. It is very important to keep it secure.
◦ Never share your password with anyone.
◦ Never leave your password on your monitor, under your keyboard, in a desk drawer, etc.
◦ Use the following rules when creating a password. A good password will contain at least:
  • 6 characters (some systems require more)
Passwords are like your ATM PIN… keep them secret.
Page 32
Cartoon copyrighted by Mark Parisi, printed with permission.
Page 33
◦ Never email EPHI to anyone without explicit directions from your supervisor to do so, and exactly how to send it.
◦ Use extreme caution when sending EPHI via email internally. Double and triple check the email address to make sure you don’t send it to the wrong person – without a “need to know”.
Email is a powerful tool. Use it wisely!
Page 34

HIPAA regulations require documentation of policies and procedures for day-to-day operations, along with specifics for any workforce members that access EPHI.
◦ The primary purpose of the procedures and documentation is to identify how to protect information from improper access, use and disclosure.
◦ Procedures help associates and other workforce members understand what they can do to protect information and data.
◦ If you need a copy of your medical records via Intergy, you must come to your manager or Medical Records clerk with a valid picture ID to obtain your records. Do not just print them out of the system.
Policies and Procedures are the keys to Compliance… Keep yourself informed!
Page 35
◦ Keep your HIPAA Security Team and IT personnel “in the know”.
◦ Know the required procedure before information can be released – not only to patients, but also to other individuals, entities, and business associates.
◦ Access only your patient’s records.
◦ Keep your password secure and hard to guess.
◦ Be aware of shoulder surfing.
◦ Log off your computer sessions when not in use.
Only you can prevent unauthorized EPHI exposure!
Page 36
• Go to the medical records clerk at the facility of which you are a patient
• Take your driver’s license or some proof of ID with you
• Ask them for a copy of your medical records
Page 37


While working on the fourth floor, Snow White noticed that her neighbor Chester Test was walking down the hall in a hospital gown and pushing an IV pole. When she went home later that day, she told her husband that she saw their neighbor on the cancer unit.
What might be wrong with this situation?
Page 38



Snow White is waiting in the outpatient clinic. Nurse Jones enters the waiting room and calls out, “Snow White.”
While still in the waiting room, Nurse Jones asks Snow White, “Have you been taking your Prozac for your depression?”
What might be wrong with this situation?
Page 39

Cullman Primary Care, P.C.
CONFIDENTIALITY STATEMENT
I, ______________________, understand that in the performance of my duties as an employee of CPC, I am required to have access to and am involved in the processing of patient care or patient care data. I understand that I am obliged to maintain the confidentiality of this data at all times. I understand that a violation of these confidentiality considerations may result in disciplinary action, including termination of my employment.
I certify by my signature that I understand the issues concerning the privacy and confidentiality consideration of patient care.




Page 40
Remember…
Security is a chain that is only as strong as its weakest link. Don’t be the weakest link!
Page 41
Hear No Protected Health Information
Page 42
See No Protected Health Information
Page 43
Speak No Protected Health Information
Page 44


Proceed to the test. 100% is required for completion.
Good luck!
Page 45