Welcome to the 2007


Draft v. 11 03-31-09

Welcome to the Privacy and Security Training Session!

© Copyright 2009 HIPAA COW 1

Disclaimers

This HIPAA Privacy & Security Training Session is Copyright 2009 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This HIPAA Privacy & Security Training Session is provided “as is” without any express or implied warranty. This HIPAA Privacy & Security Training Session is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this HIPAA Privacy & Security Training Session. Therefore, this document may need to be modified in order to comply with Wisconsin law.

Disclaimers continued…

 This is an example training session containing only some of the Privacy & Security topics which organizations are required to train. It is not legal advice and is not intended to cover all privacy & security laws’ training requirements. It may contain items not required by your organization and/or that need to be tailored to your organization’s P&Ps. It may also be too lengthy to provide in just one session. Slides are provided for informational purposes only.


HIPAA Topics Covered

HIPAA Privacy & Security Contacts
What is HIPAA?
Why Follow HIPAA?
HIPAA Definitions
Who protects PHI?
Patient Rights
Security
Audit Trails
Violations
Release of Information
Identity Verification
Documenting Disclosures
Safeguarding Information
BAAs & Other Agreements
Your Role
Reporting Violations

Privacy and Security and/or Compliance Committee Members

Privacy Officer: [Insert Name and contact information]
Security Officer: [Insert Name and contact information]
Name, title, extension and email address

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability & Accountability Act of 1996 (45 C.F.R. parts 160 & 164).

Provides a framework for the establishment of a nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for electronic transmission of health information.

What is HIPAA?

HIPAA consists of three separate parts: 1) Privacy, 2) Security, and 3) Electronic Data Exchange.

HIPAA mandates accountability.

Each part has separate regulations to comply with.

Parts of HIPAA: 1. The Privacy Rule

The Privacy Regulations went into effect April 14, 2003.

Privacy refers to the protection of an individual’s health care data.

Defines how patient information is used and disclosed.

Gives patients privacy rights and greater control over their own health information.

Outlines ways to safeguard Protected Health Information (PHI).

We also need to keep in mind Wisconsin privacy laws, such as WI Chapters 51, 146, 252 and DHS 92, which in some situations continue to protect patients’ rights more than the HIPAA Regulations.


Parts of HIPAA: 2. The Security Rule

Security (IT) regulations went into effect April 21, 2005.

Security means controlling:
– The confidentiality of electronic protected health information (ePHI).
– How patient data is electronically stored.
– How patient data is electronically accessed.

Parts of HIPAA: 3. EDI

Electronic Data Exchange (EDI) – defines the format of electronic transfers of information between providers and payers to carry out financial or administrative activities related to health care.

Information includes coding, billing and insurance verification.

The goal of using the same formats is to ultimately make the billing process more efficient.

Why Should Our Organization Comply with HIPAA?

We must be committed to protecting our patients’ privacy.

[Organization] is placing trust in you to follow the policies. This is not an option, it is required.

Choosing not to follow these rules:
– Could put you at risk.
– Could put [name of organization] at risk.

Why Should Our Organization Comply with HIPAA?

The right thing to do is to:
– Protect patient records.
– Protect business data.
– Protect patient data and reduce the risk of litigation to organizations.

There are significant penalties associated with non-compliance to organizations and employees of those organizations.

HIPAA Regulations

The HIPAA Regulations require we protect our patients’ PHI in all media including, but not limited to, PHI created, stored, or transmitted in/on the following media:
– Verbal discussions (i.e. in person, on the phone, etc.).
– Written on paper (i.e. chart, progress note, encounter form, prescription, x-ray order, referral form, explanation of benefits (EOBs), scratch paper, etc.).
– In all of our computer applications/systems (i.e. electronic health record (EHR), Practice Management, Lab, X-ray, Microsoft, etc.).
– In all of our computer hardware/equipment (PCs, laptops, PDAs, pagers, fax machines/servers, cell/multifunctional phones, patient care devices, servers, etc.).

This training session provides reminders of [Organization’s] policies and of how you, an employee or provider, are required to protect PHI.

Why is Privacy and Security Training Important?

It outlines ways to prevent accidental and intentional misuse of PHI.

To make PHI secure with minimal impact to staff and business processes.

It’s not just about HIPAA – it’s about doing the right thing.

“We should treat personal electronic data with the same care and respect as weapons grade plutonium -- it is dangerous, long lasting and once it has leaked, there's no getting it back.” - Cory Doctorow

This training is designed to educate you on the importance of Privacy and Security. It is everyone’s responsibility to take the confidentiality of patient information seriously. Anytime you come in contact with patient information or any PHI that is written, spoken or electronically stored, YOU become involved with some facet of the privacy and security regulations. The law requires us to train you.

HIPAA Definitions

What is Protected Health Information (PHI)?

PHI is Individually Identifiable Health Information (IIHI) relating to information about:
– Health/condition of an individual.
– Payment for health care of an individual.
– Reasonably identifies the individual (patient identifiers/demographics).

HIPAA Definitions

PHI Includes:

Items in the record, such as:
– Encounter/visit documentation
– Lab Results
– Appointment dates/times
– Invoices
– Radiology films and reports
– History and Physicals (H&Ps), etc.

HIPAA Definitions

PHI Includes: Patient Identifiers

PHI includes information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.

HIPAA Definitions

PHI Includes

Patient Identifiers

Examples include:
– Names
– Medical Record Numbers
– Social Security Numbers
– Account Numbers
– Web universal resource locators (URLs)
– Any dates related to any individual (date of birth)
– License/Certification numbers
– Vehicle Identifiers/Serial numbers/License plate numbers
– Internet protocol addresses
– Telephone numbers
– Fax numbers
– Email addresses
– Biometric identifiers including finger and voice prints
– Health plan numbers
– Full face photographic images and any comparable images
– Any other unique identifying number, characteristic or code

HIPAA Definitions

Use: when we review or use PHI internally (audits, training, customer service, quality improvement).

Disclose: when we release or provide PHI to someone (ex. an attorney, a patient, faxing records to another provider, etc.).

HIPAA Definitions

What does releasing the “minimum necessary” PHI mean?
– To use or disclose/release only the minimum necessary to accomplish the intended purposes of the use, disclosure, or request.
– Requests from employees at [organization]:
  Identify each workforce member who needs to access PHI.
  Limit the PHI provided on a “need-to-know” basis.
– Requests from individuals not employed at [organization]:
  Limit the PHI provided to what is needed to accomplish the purpose for which the request was made.

HIPAA Definitions

What is TPO?

HIPAA allows us to Use and/or Disclose PHI for the purpose of:
– Treatment – providing care to patients.
– Payment – the provision of benefits and premium payment.
– Operations – normal business activities (reporting, quality improvement, training, auditing, customer service and resolution of grievances, data collection and eligibility checks, accreditation, etc.).

These terms are collectively referred to as TPO.

PHI used outside of TPO is not allowed without a signed authorization.

TPO must be within the minimum necessary to perform your job!

Why Do We Need to Protect PHI?

It’s the law.

To protect our reputation.

To avoid potential withholding of federal Medicaid and Medicare funds.

To build trust between providers and patients.
– If patients feel that their PHI will be kept confidential, they will be more likely to share the information needed for their care.

Who or What Protects PHI?

The Federal Government through the laws of HIPAA.
– Civil penalties up to $25,000 for Failure to Comply.
– Criminal penalties:
  $50,000 fine and 1 year prison for knowingly obtaining and wrongfully sharing information.
  $100,000 fine and 5 years prison for obtaining and disclosing through false pretenses.
  $250,000 fine and 10 years prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.

Our organization, through the Notice of Privacy Practices (NOPP).

You, by following our policies and procedures.

Enforcement

The Public. The public will be educated about their privacy rights and will not tolerate violations to their privacy! They will take action.

Office For Civil Rights (OCR). This is the agency that enforces the privacy regulations. They will provide guidance and monitor compliance.

Department of Justice (DOJ). This agency is involved in criminal privacy violations. Provides fines, penalties and imprisonment to offenders.

HIPAA Regulations

Brought individual privacy rights to patients.

Require that we provide these rights to them.
– The following slides explain patient rights…

Patient Rights: Access

Right to inspect and copy their PHI.

Situations where access may be denied or delayed:

– Psychotherapy notes.

– PHI compiled for civil, criminal or administrative action or proceedings.

– PHI subject to CLIA Act of 1988 when access would be prohibited by law.

– Access would endanger a person’s life or safety based upon a professional judgment.

– A correctional inmate’s request may jeopardize health and safety of the inmate, other inmates or others at the correctional institution.

– A research study has previously secured agreement from the individual to deny access.

– Access is protected by the Federal Privacy Act.

– PHI was obtained under promise of confidentiality and access would reveal the source of the PHI.


Patient Rights: Alternative Communications

Right to request to receive communication by alternative means or location. Examples:
– The patient may request a bill be sent directly to him instead of to his insurance company.
– The patient may request we contact her on her cell phone instead of at her home telephone number.

Patient Rights: Special PHI Requests

Alternative communication requests

What should I do if a patient requests we always call a family member instead of her?
– Request patients with permanent and special/unique calling and/or mailing instructions to go to the [Patient Relations Department] or HIM Department to complete and sign a written request.

Patient Rights: Amendment Requests

Right to Request an Amendment or Correct PHI.

Situations where a request may be denied:
– [Organization] did not create the information.
– Record is accurate according to the health care professional that wrote it.
– Information is not part of the [Organization’s] record.

A patient states there is an error in his electronic record and wants it corrected. What should I do?
– Request the patient contact the HIM Department to request to have the record amended.

Patient Rights: Restrictions and AOD

Right to Request a Restriction on use and disclosure of their PHI (ex. revoke a previous authorization, request to not give to certain providers, request to not provide for research purposes).
– We are not required to approve the request, but must make reasonable efforts to approve it, when possible.

Right to an Accounting of Disclosures (AOD).
– Must give information on disclosures of information released except those that were given to:
  The Individual.
  TPO.
  Law enforcement officials, correction institutions or national security.

Patient Rights: Right to Receive an Accounting of Disclosures of PHI

A. An individual may request an accounting for disclosures as far back as six years before the time of the request - but to start no earlier than April 14, 2003.

B. A covered entity must suspend accounting of disclosures to a patient if an agency or law enforcement indicates the accounting is likely to impede the agency’s activity.

Patient Rights: Right to Receive an Accounting of Disclosures of PHI

C. Disclosures NOT requiring accounting include disclosures made:
– For Treatment (to persons involved in the individual’s care), Payment or Operations.
– To the individual subjects of the PHI.
– Incident to an otherwise permitted disclosure.
– Based on the individual’s signed authorization.
– For a facility directory.
– For national security or intelligence purposes.
– To correctional facilities or law enforcement on behalf of inmates.
– As part of a limited data set (see 164.514).
– That occur prior to the compliance date of April 14, 2003.

Patient Rights: Right to Receive an Accounting of Disclosures of PHI

D. Disclosures requiring accounting include:
– Required by law
– For public health activities
– Victims of abuse, neglect, violence
– Health oversight activities
– Judicial/Administrative proceedings
– Law enforcement purposes
– Organ/eye/tissue donations
– Research purposes
– To avert threat to health and safety
– For specialized government functions
– About decedents
– Workers’ compensation
– Releases made in error to an incorrect person/entity (i.e. breach)

Patient Rights: NOPP

Are we still required to request patients sign the Notice of Privacy Practices (NOPP) acknowledgment prior to their first visit?

Yes. Please continue to request they sign the acknowledgment before they see a provider for their first appointment at [Organization].
– Patient signs the Acknowledgment of Receipt to confirm that they have been offered and/or received the Notice.

What is the purpose of the NOPP?
– Summarizes how [Organization] uses and discloses patient’s PHI.
– Details patient’s rights in respect to their PHI.

Patient Rights: NOPP Reminders

If a patient or legal guardian refuses to take a NOPP, this is their right; do not force them to take one.

If a patient or legal guardian refuses to sign the acknowledgment form, document this on the form and in the system.

Once the patient turns 18, he/she must sign an acknowledgment form.

Host parents of a foreign exchange student may act on behalf of the student’s biological parent(s) and sign the NOPP acknowledgment form.


Patient Rights: Privacy Complaints

Right to file a privacy complaint.

– Direct all requests or complaints regarding these rights to the Privacy Officer at [XXX-XXXX].


Security

One key element of protecting our patients’ PHI lies in maintaining the security of our systems, which house and transmit ePHI (electronic protected health information).

The HIPAA Security Rule outlines how we are to do this.

How do we protect our computer systems and our patients’ information in them?

Read on to explore this…

Applying the Security Rule

Administrative Safeguards

– Policies and procedures of the organization are REQUIRED and must be followed by the employees to maintain security (i.e. disaster recovery of computer systems, use of the internet, use of email, faxing, use of voicemail, computer hardware and software standards).

Technical Safeguards

– Many technical devices are needed to maintain security. Examples include different levels of computer passwords, screen savers and devices to scan ID badges, data backups, disposal of media, encryption, audit trails. Computer and system processes are set up to protect, control and monitor information access.


Applying the Security Rule

Physical Safeguards. Many physical barriers and devices are needed to maintain security. Examples include installing locks on doors, securing buildings and rooms, identifying visitors, locking file cabinets to protect the organization’s property and the health information.

Personnel Security. Organizational policies and procedures manage the assignment of access authority to employees and other workforce members. Procedures should address employee transfers, role changes and terminations. Effective security and privacy training must be conducted.


Access to ePHI: UNs and PWs

How do we control access to electronic protected health information (ePHI) in our computer systems?
– By requiring all users to utilize individually unique Usernames (UNs) and Passwords (PWs), we control access to the information in each of our computer systems and applications.
– UNs and PWs control what users are able to access and help us identify what information users accessed in our applications.

Access to ePHI: UNs and PWs Cont.

For these reasons, you may not share your UNs and PWs with anyone else (the only exception to this is to share a UN and PW with IS, if necessary, for troubleshooting a computer problem).

When leaving a computer, ALWAYS:
– Log off, OR
– Lock the computer screen (Ctrl-Alt-Del and select lock).

This prevents other users from using your applications.

Access to ePHI: UNs and PWs Cont.

Creating strong passwords.

– Use at least 6-8 characters.

– Use a minimum of 2 letters and 1 number, and capital and lower case letters.

– Do not use pw’s that may be easily guessed, such as: names (spouse’s, pet’s, child’s, etc.), significant dates, words, favorite team names, etc.

Note: UN and PW controls are required by law.

TIP: Use a “pass-phrase” to help you remember your password such as: MbcFi2yo (My brown cat, Fluffy, is two years old).


Protect Your UNs and PWs

Memorize your PW. Don’t post UNs and PWs on your computer, notebook, tablet, under your keyboard, etc.
– Lock up your UNs and PWs so they may not be accessed by anyone else.

If you believe one of your PWs has been compromised, request the IS Department to change it.
– If you think PHI may have been inappropriately accessed, discuss it with the Privacy Officer.

Help Protect Our Systems/Equipment

– It is your responsibility to protect [Organization’s] systems/ equipment/computers at all times.

Do not disable anti-virus software, malware protection, or any other security items unless directed by the IS Department.

If you have access from offsite (remote Citrix, Outlook web access, VPN, SSL, URL, etc.) and/or a PC, pager, phone, or PDA, this is for your use only.

Family and friends may not utilize it.


Email Security

It is against [Organization’s] policy to forward “joke emails”.
– “Joke” emails frequently have viruses attached to them and they take up a lot of space on our servers.

Refer to the Release of Information slides for emailing ePHI requirements.

Please report it to the IS Help Desk if you receive a suspicious and/or threatening email.

Audit Trails of What I Access

The Security regulations require this.

[Organization] conducts random audits of employee and provider access to determine:
– Appropriateness of access, and
– If access is in compliance with [Organization’s] policies.

Audit trails show what patients have been accessed, the date and time of the access, what was accessed, etc.
– If access appears to be inappropriate, the Privacy Officer works with leaders, Human Resources and the employee/provider to determine whether or not it was appropriate.

Audit Trails and HIPAA Violations

What are some common types of HIPAA privacy and security violations found in these audit trails and/or reported? Following are a few examples from which to learn…

Audit Trails: Access to Own ePHI

An employee viewed his own appointment list. Another employee accessed her own lab results from her own workstation (using her own password). Is this against [Organization’s] policies?

Audit Trails: Access to Own ePHI

Yes, it is [Organization’s] policy that you may not directly access your own medical record, using your own password, in any system/application.

PHI in the electronic medical record, scheduling/billing system, etc. is considered a part of your medical record. In fact, PHI in all [organization’s] systems makes up your medical record.
– To view your medical record, contact the HIM/release of information department at [#].
– To view your appointment list, contact a receptionist in the department in which you schedule appointments.
– To view your billing information, contact the [billing area] at extension [#].

Audit Trails: Access to a Family Member’s PHI and Unassigned Tasks

A receptionist scheduled an appointment for her child in a different department/site than she works. Is this against [Organization’s] policies?


Audit Trails: Access to a Family Member’s PHI and Unassigned Tasks

Yes.

Only schedule appointments as assigned in the departments in which you work. If you don’t work in that department, call the receptionist in that department and request him/her to schedule the appointment.

Note: while scheduling this appointment, the employee may have viewed appointment information which she did not have the right to see.

Don’t schedule appointments for or otherwise view, access, edit, etc. family members’ PHI, unless it is a part of your assigned duties, it is an urgent matter, AND nobody else is available to do the job at that time.

Audit Trails: Access to PHI by a Coworker

An employee requested a coworker to view his/her appointment list to find the last time the employee had a physical in Internal Medicine. Her coworker does not work in the Internal Medicine department. Is this against [Organization’s] policies?

Audit Trails: Access to PHI by a Coworker

Yes.

It is inappropriate to ask your coworkers to do this if it is not part of their regular assigned job responsibilities.

If you need to know when you had your last physical, call the department in which you had this appointment (or will be scheduling your next appointment).


Audit Trails: Securing Systems

When leaving his/her computer, an employee didn’t log off the electronic medical record; another employee then utilized it to look up her own and her family members’ transcriptions, appointment lists, medications, etc.

– Important Note: in this situation, neither employee followed [Organization’s] P&Ps, which require:
  Logging off/securing all applications when unattended.
  Using the password protected screensaver when leaving it unattended.
  Not using another person’s login, unless they are training you and directly observing what you do.

Audit Trails: Accessing More Than the Minimum Necessary

A clinical staff employee is assigned to routinely view and update medications, blood pressure, pulse, and weight for each patient being seen by the provider with whom she works. She was curious and concerned about a particular patient’s health, and therefore viewed several other records, such as lab results, and specialist transcriptions.
– Note: It was determined this was a breach of confidentiality as she was not requested by her provider and/or supervisor to access this patient’s additional records.

Audit Trails: Accessing More Than the Minimum Necessary

We may only access the minimum necessary to complete our assigned job responsibilities. This means we may not access information out of curiosity and/or concern about a patient’s health.
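As an added example (not part of the HIPAA COW deck), the following Python reviews a constructed access-audit trail for the patterns the preceding audit-trail slides describe: an employee viewing their own record, viewing a declared family member's record, scheduling in a department where they do not work, and viewing record sections beyond what their role is assigned (minimum necessary). The user names, MRNs, roles and the role-to-data-type table are all constructed assumptions, and the flags are leads for the Privacy Officer's review, not verdicts.

```python
"""Added example: review a constructed ePHI access-audit trail for the
patterns the training slides call violations. Not HIPAA COW's code; all
users, MRNs, roles and the role-to-data-type table are assumptions."""
from collections import Counter
from dataclasses import dataclass

# Assumed minimum-necessary table: which record sections each role is
# assigned to view or update as part of its regular duties.
ROLE_DATA_TYPES = {
    "receptionist": {"appointments"},
    "clinical_staff": {"appointments", "medications", "vitals"},
    "provider": {"appointments", "medications", "vitals", "labs", "transcriptions"},
}


@dataclass(frozen=True)
class Workforce:
    user: str
    role: str
    department: str          # department the employee is assigned to
    own_mrn: str             # the employee's own medical record number
    household_mrns: frozenset = frozenset()  # declared family members


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    patient_mrn: str
    department: str          # department whose record or schedule was touched
    data_type: str           # section of the record, e.g. "labs"
    action: str              # "view", "edit" or "schedule"


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    patient_mrn: str
    rule: str


def review_event(ev, who):
    """Apply the slide-deck rules to one event for a known workforce member."""
    hits = []
    if ev.patient_mrn == who.own_mrn:
        hits.append("own_record_access")              # own appointment list / labs
    if ev.patient_mrn in who.household_mrns:
        hits.append("family_member_access")           # family PHI outside assigned duties
    if ev.action == "schedule" and ev.department != who.department:
        hits.append("scheduling_outside_department")  # scheduling where you do not work
    if ev.data_type not in ROLE_DATA_TYPES.get(who.role, set()):
        hits.append("beyond_minimum_necessary")       # sections the role is not assigned
    return [Finding(ev.ts, ev.user, ev.patient_mrn, rule) for rule in hits]


def review_audit_trail(events, workforce):
    """Return every finding for the Privacy Officer to review with leaders and HR."""
    directory = {w.user: w for w in workforce}
    findings = []
    for ev in events:
        who = directory.get(ev.user)
        if who is None:
            # A login absent from the workforce directory cannot be tied to one
            # person, which defeats the purpose of individually unique UNs.
            findings.append(Finding(ev.ts, ev.user, ev.patient_mrn, "unknown_user"))
            continue
        findings.extend(review_event(ev, who))
    return findings


def summarize(findings):
    """Count findings per rule; the audit's headline numbers."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample data (not real people, records or logs).
WORKFORCE = [
    Workforce("jsmith", "receptionist", "Pediatrics", "MRN-1001", frozenset({"MRN-1002"})),
    Workforce("ajones", "clinical_staff", "Internal Medicine", "MRN-2001"),
]

SAMPLE_EVENTS = [
    AccessEvent("2009-03-02T08:05", "jsmith", "MRN-3001", "Pediatrics", "appointments", "schedule"),
    AccessEvent("2009-03-02T08:10", "jsmith", "MRN-1001", "Pediatrics", "appointments", "view"),
    AccessEvent("2009-03-02T09:30", "jsmith", "MRN-1002", "Dermatology", "appointments", "schedule"),
    AccessEvent("2009-03-02T10:15", "ajones", "MRN-4001", "Internal Medicine", "vitals", "edit"),
    AccessEvent("2009-03-02T10:20", "ajones", "MRN-4001", "Internal Medicine", "labs", "view"),
    AccessEvent("2009-03-02T10:22", "ajones", "MRN-4001", "Internal Medicine", "transcriptions", "view"),
    AccessEvent("2009-03-02T11:00", "ghost", "MRN-4002", "Lab", "labs", "view"),
]

if __name__ == "__main__":
    for f in review_audit_trail(SAMPLE_EVENTS, WORKFORCE):
        print(f"{f.ts} {f.user:<8} {f.patient_mrn} {f.rule}")
    print(summarize(review_audit_trail(SAMPLE_EVENTS, WORKFORCE)))
```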

The following slides provide examples of Privacy and Security violations to help you better understand how they occur so that you may help prevent them.


Security Violations: Downloading Onto PCs

Users have downloaded music, pictures, screensavers, “Weather bug”, and other software onto [Organization’s] computer/laptop/tablet. Is this ok?

Security Violations: Downloading Onto PCs

No. We may not download anything onto our computers, laptops, notebooks, PDAs, etc. without the written permission from the [Director of IS or Security Officer].
– This includes not downloading from the Internet, CD, flash drive, DVD, disc, software, etc.
– Why not? The [IS Department or Security Officer] verifies we have appropriate licenses and virus protection in place.

Did you know that downloading may slow down our systems? Some downloads have interfered with the appropriate functioning of web based EHRs!

Security Violations: Downloading From PCs

If it is absolutely necessary to copy or save files onto removable media, obtain approval from your Supervisor and encrypt the file so that it may only be accessed by utilizing the password (ask the IS Department how to encrypt a file).
– This includes downloading anything off our computers onto media such as a flash drive, USB, disc, CD, etc.
– Safeguard this removable media, and the password to access the information, at all times so that the information may not be inappropriately accessed.
– Immediately contact the IS Department and Security Officer if a device is lost or stolen.

Other Types of Security Issues and Incidents

Theft (or loss) of a computer, laptop, PDA.

Inappropriate usage of [Organization] computers.

A technology-related situation which results in a significant adverse effect on people, process, technology, facilities, etc., such as:
– A system “glitch” which results in ePHI being accessed and/or sent to an inappropriate recipient.
– A virus that prevents users from being able to access PHI.

What is Misuse of PHI?

Unauthorized:
– Access to…
– Using…
– Taking…
– Possession of…
– Release of…
– Edit of…
– Destruction of…
Patient PHI Without Authorization.

Privacy Violations: How Do They Happen?

What are some common ways breaches of confidentiality occur?
– Many incident reports happen due to common human errors, such as the following:

Privacy Violations: How Do They Happen?

Faxing to the wrong individual/location.

Wrong “sticky” patient label placed on a document, then it is handed to the wrong patient.

When typing a medical record number to look up an address, it is transposed. The lab results are then sent to the incorrect patient.

When searching for a patient’s address, her name is typed, her date of birth is not validated, and a patient with the same name is selected instead.

These can be prevented by double checking you have the right patient’s records prior to releasing PHI.


Privacy Violations: Incorrect Patient on a Form

Jane Doe’s name, medical record number, and date of birth were placed on a prescription and handed to Molly Sue. Is this considered a breach of confidentiality?

Yes. If Molly Sue reads Jane Doe’s name on this form, or any other document, it is a breach of confidentiality.

Request Molly Sue to return the incorrect prescription and forward it with an incident report to the Privacy Officer.

Privacy Violations: Incorrect Records Released

A patient requested we send 2006 test results to her non-[Organization] provider. In addition to the 2006 test results, we also released 2004 and 2005 test results. Is this a breach of confidentiality?


Privacy Violations: Incorrect Records Released

Yes. This is a breach of confidentiality as more information than was requested by the patient was released (the 2004 and 2005 test results).
– Always keep in mind we may only release the minimum necessary PHI to accomplish the purpose of the request – even when releasing to another treating provider, insurance company, etc.

Request the provider to return the 2004 and 2005 test results, and forward them with an incident report to the Privacy Officer.

Privacy Violations: Incorrect Patient’s Results Mailed

Lab results of one patient were mailed to a different patient. Is this a breach of confidentiality?

Yes. It is a breach of confidentiality if the lab results include a different patient’s name.

Request the patient to return the incorrect lab results, document the disclosure, and forward it with an incident report to the Privacy Officer.

Privacy Violations: Patient’s Records Sent to Wrong Company

Patient records were sent to the wrong insurance company. Is this a breach of confidentiality?

Yes, because this insurance company does not provide coverage for this patient, they did not have a need to know anything about him/her.

Request the company return the incorrect records, document the disclosure, and forward it with an incident report to the Privacy Officer.

Release of Information (ROI)

What PHI may I release?
– What WI Laws and Federal Regulations apply?

What information can be released without an authorization?

What are the steps in releasing information?

When is an authorization required?

How do I verify the authority and identify the requestor?

Are there any restrictions which do not allow this release?

Do I need to document the release?

Why do I need to be doing all this?

What are some practical release of information examples?

Please proceed to learn more about how to correctly release PHI.


ROI: Applying the Steps

I received a request to release a patient’s PHI. What now? Whether releasing verbally or in writing, determine the following:

– Is the requestor legally authorized to receive the PHI?

Important Note: when uncertain, ask the HIM department or the Privacy Officer, or obtain a signed authorization from the patient.

– Is a signed Authorization required? If yes, determine if the Authorization is HIPAA and WI compliant (refer to next slide).

ROI: Valid Authorizations

Elements of a valid authorization:

1. Client/Patient name and date of birth.

2. Name of the individual or agency authorized to make the requested disclosure.

3. Name of the person or organization to whom the disclosure is to be made.

4. Purpose of the disclosure.

5. Specific description of the type and amount of information to be released.

   A. If the release includes mental health, alcohol or drug abuse or test results, or developmental disability records, these must be specified.

   B. If the release includes HIV test results, AIDS, or AIDS related disease, the statement “HIV test results” is required.

6. Statement on the possibility of re-disclosure by the recipient and that the information is no longer protected by [organization].

7. Right to inspect a copy of the records released (required only for WI DHS 92 records).

ROI: Valid Authorizations

Elements of a valid authorization, cont.:

8. Statement of the ability or inability to condition treatment, payment, enrollment or eligibility for benefits.

9. If the release involves marketing and direct or indirect remuneration to [organization] by a third party, include a statement reflecting this.

10. A statement of the right to revoke the authorization in writing, exceptions to the right to revoke, and how to request a revocation.

11. Expiration date or event.

12. Time period during which the authorization is effective.

13. Signature of client/patient or legal personal representative and date signed.

    A. If signed by a legal personal representative, a description of his/her authority to sign.

14. A copy of the form is required to be given to the client/patient.

Refer to the HIPAA COW Authorization Form located at http://hipaacow.org/home/PrivacyDocs.aspx
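As an added illustration (not HIPAA COW’s form or code), the checklist above applied in code: a checker that tests a structured authorization record for elements 1 to 14, including the conditional ones (5A, 5B, 7, 9 and 13A), so a release clerk or an ROI system can see exactly which element a form is missing. The field names and the two sample forms are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Record categories that element 5A says must be named explicitly on the form.
SENSITIVE = {"mental health", "alcohol or drug abuse", "developmental disability"}
# Categories for which element 5B requires the literal statement "HIV test results".
HIV_RELATED = {"HIV test results", "AIDS", "AIDS related disease"}


@dataclass
class Authorization:
    """One authorization form, reduced to the fields the checklist asks about.
    The field names are this example's own assumptions, not the HIPAA COW form."""
    patient_name: str = ""
    date_of_birth: Optional[date] = None
    disclosing_party: str = ""      # 2: individual or agency making the disclosure
    recipient: str = ""             # 3: person or organization receiving it
    purpose: str = ""               # 4
    description: str = ""           # 5: type and amount of information
    record_categories: set = field(default_factory=set)     # what is actually being released
    specified_categories: set = field(default_factory=set)  # sensitive categories named on the form
    hiv_statement: bool = False     # 5B: form carries the words "HIV test results"
    redisclosure_statement: bool = False    # 6
    dhs92_record: bool = False      # 7 applies only to WI DHS 92 records
    right_to_inspect: bool = False
    conditioning_statement: bool = False    # 8
    marketing_remuneration: bool = False    # 9 applies only when this is true
    marketing_statement: bool = False
    revocation_statement: bool = False      # 10
    expiration: str = ""            # 11: a date or an event
    effective_period: str = ""      # 12
    signer: str = ""                # 13
    signed_on: Optional[date] = None
    signed_by_representative: bool = False  # 13A
    representative_authority: str = ""
    copy_given: bool = False        # 14


def validate_authorization(auth: Authorization) -> list[str]:
    """Return the checklist elements the form fails; an empty list means all 14 pass."""
    problems: list[str] = []

    def need(ok: object, label: str) -> None:
        if not ok:
            problems.append(label)

    need(auth.patient_name and auth.date_of_birth, "1 patient name and date of birth")
    need(auth.disclosing_party, "2 party authorized to disclose")
    need(auth.recipient, "3 recipient of the disclosure")
    need(auth.purpose, "4 purpose")
    need(auth.description, "5 description of type and amount")
    # 5A: every sensitive category actually being released must be named on the form.
    unnamed = (auth.record_categories & SENSITIVE) - auth.specified_categories
    need(not unnamed, "5A sensitive records not specified: " + ", ".join(sorted(unnamed)))
    # 5B: any HIV-related release needs the exact statement, whatever else is listed.
    need(not (auth.record_categories & HIV_RELATED) or auth.hiv_statement,
         "5B 'HIV test results' statement")
    need(auth.redisclosure_statement, "6 re-disclosure statement")
    need(not auth.dhs92_record or auth.right_to_inspect, "7 right to inspect (DHS 92)")
    need(auth.conditioning_statement, "8 conditioning statement")
    need(not auth.marketing_remuneration or auth.marketing_statement,
         "9 marketing remuneration statement")
    need(auth.revocation_statement, "10 right to revoke")
    need(auth.expiration, "11 expiration date or event")
    need(auth.effective_period, "12 effective period")
    need(auth.signer and auth.signed_on, "13 signature and date")
    need(not auth.signed_by_representative or auth.representative_authority,
         "13A representative's authority")
    need(auth.copy_given, "14 copy given to patient")
    return problems


def complete_form() -> Authorization:
    """Constructed sample: a routine release to another clinic with every element present."""
    return Authorization(
        patient_name="Jane Sample", date_of_birth=date(1970, 5, 4),
        disclosing_party="[Organization] HIM Department", recipient="Example Clinic",
        purpose="continuing care", description="2008 lab results only",
        record_categories={"general medical"}, redisclosure_statement=True,
        conditioning_statement=True, revocation_statement=True,
        expiration="2010-01-01", effective_period="one year from signing",
        signer="Jane Sample", signed_on=date(2009, 1, 1), copy_given=True)


def representative_signed_mental_health_form() -> Authorization:
    """Constructed sample: mental health and HIV records, signed by a guardian, on a form
    that names neither the category nor the HIV statement nor the guardian's authority."""
    form = complete_form()
    form.record_categories = {"mental health", "HIV test results"}
    form.signer = "Pat Guardian"
    form.signed_by_representative = True
    return form


if __name__ == "__main__":
    for label, form in [("complete", complete_form()),
                        ("guardian-signed", representative_signed_mental_health_form())]:
        print(label, validate_authorization(form) or "valid")
```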

ROI: Authorization Not Required

There are times when an authorization is not needed.

Read on to find out when authorizations are not required…

ROI: Permitted Uses and Disclosures of PHI Without an Authorization

Uses and disclosures of PHI for treatment, payment and health care operations (TPO):

– Treatment

– Payment

– Health Care Operations

Mandatory disclosures by law.

If use of the information does not fall under one of these categories, you must have the patient’s signed authorization (written permission) before sharing that information with anyone.

ROI: When is an Authorization Required?

[Diagram: example releases sorted under “Authorization Required” and “Authorization Not Required”. Examples shown: release to attorney; release to a life insurance company; disability verification; release to the patient; reporting domestic violence; routine claim for payment; treatment by your physician; filing of a birth certificate.]

ROI: General Wisconsin “Confidentiality” Laws

WI laws may require authorizations, even though HIPAA doesn’t require them. The next few slides summarize a few of the more commonly utilized WI laws…

ROI: General Wisconsin “Confidentiality” Laws

Statute / Summary

146.82, Wis. Stat.: Covers general medical health care PHI and authorization requirements.

51.30, Wis. Stat.: Covers PHI relating to mental health, AODA, and developmentally disabled treatment, authorization requirements, and penalties.

DHS 92, Adm. Code: Further covers confidentiality of mental health treatment records (with 51.30).

DHS 144, Adm. Code: Covers release of immunizations between vaccine providers, and to schools specifically for minors.

ROI: General Wisconsin “Confidentiality” Laws

Statute / Summary

102.13 & 102.33, Wis. Stat.: Covers records reasonably related to a worker’s compensation claim and release to the employee (patient), employer, worker’s compensation insurer, or Department with a written request.

610.70, Wis. Stat.: Covers disclosure of personal medical information by insurers.

252.15, Wis. Stat.: Covers health care information relating to HIV testing and authorization requirements.

ROI: Other Regulations to Consider

Statute / Summary

42 CFR, Part 2: Federal alcohol and drug regulations which cover use and release of a patient’s drug and alcohol abuse records in a federally assisted program.

ROI: Release Restrictions/Alerts…

Is there an alert restricting access (as would be the case for an adopted child)?

– Alerts are located: [Indicate here how to find the alert…]

ROI: Identity Verification

Prior to releasing PHI, ask the individual to provide you enough information to identify the patient, such as:

– Name

– Date of Birth

– Address

– Other identifiers: Social security number, mother’s maiden name

Identify someone other than the patient by requesting he provide you with all the above information, as well as his relationship to the patient.

– Check a physical signature against a known one on file

– Make a call-back to a known number

– Ask for a photo ID

– Ask for a business card

Refer to the HIPAA COW Identity Verification Policy located at http://hipaacow.org/home/PrivacyDocs.aspx

Provide only the minimum necessary to safeguard PHI.

ROI: Authority Verification

Who are you?

Once you know who the requestor is, be sure he or she has the right to access this information.

Routine requests from employees you know in our organization, who have a need to know the information for business reasons, are ok.

Unusual requests from individuals you don’t know can be risky, so before sharing PHI:

– Ask your supervisor.

– And/or check your procedure.

ROI: Individual Needs to Find Patient In Any Setting

If an individual would like to find out if a patient is in our facility, but the patient is not in our Facility Directory:

– Do not confirm or deny the patient is here, until you…

– Obtain the patient’s and individual’s names.

– Inform the requesting individual that if the patient is in our facility, and agrees for us to notify them of this, you will…

ROI: Individual Needs to Find Patient In Any Setting, Cont.

– Privately call the department in which the patient is located.

– That department asks the patient if their location and/or condition may be released to this individual.

– If the patient agrees, provide that information to the requesting individual.

If the patient is not in the facility, or does not agree to notify the requesting individual he/she is here, inform the requesting individual that you are unable to confirm or deny whether or not the patient is in the facility.

ROI: Hospital Facility Directory

Patients have a right to opt in or out of the directory.

This right determines whether the hospital can provide information when a visitor or caller asks the hospital about a patient.

Only a very limited amount of information may be provided to requesting individuals: name, location (room #), religious affiliation, general condition.

ROI: Minimum Necessary

Release only the requested PHI, and only include sensitive PHI (mental health, HIV/AIDS, STDs, etc.) if specifically authorized.

Release the minimum necessary (note, this may be less than what was requested).

– Limit access to what is needed to accomplish the purpose for which the request was made (or that which was authorized).

– Do not disclose an entire medical record unless it is specifically justified as the amount of PHI that is reasonably needed to accomplish the purpose of the use or disclosure.

ROI: Documentation

Document the release, when required by law and by our organization’s policies [insert policies here]. Effective April 1, 2008, Wisconsin Statute 146 no longer requires documentation of disclosures for purposes relating to treatment (providing and coordinating care), payment (billing for services rendered), and health care operations (internal business).

ROI: Documentation (Continued)

Document the release, per WI Statute, HIPAA and our organization policies [insert organization policies here]. For example, HIPAA requires documentation of breaches, public health reporting, etc.

ROI: Documentation (Continued)

What are we required to document?

– Date of the disclosure

– The name of the person the PHI was released to (and address if known)

– A brief description of the PHI disclosed

– The purpose of the release

Other suggested items, but not required:

– Received date

– Who released the information

– How the information was disclosed*

* Also required if the information is from a 51.30 treatment record.

ROI: Documentation

Why do we have to document when we release PHI (when required by law)?

– Patients have the right to request from us a record of what PHI was released and to whom (Accounting of Disclosures).

ROI:

Note: these steps must be followed each time you release information, verbally and in writing.

Wow! That’s a lot to know! Were you aware you can ask the HIM/release of information department to release PHI for you?

– That’s right! If you aren’t absolutely 100% certain on whether or not you can (or how to) release information, STOP and ask for help by calling [number].

Following are some examples of release situations…

ROI: Family and Friends

Patient present and alert: the patient decides.

Patient incapable of making wishes known: inferred permission to discuss current care.

Care or payment:

– Information needed for the patient’s care.

– Must clearly be involved in payment for care (involvement is obvious, patient stated so).

Notify family or friend(s):

– When involved in their care.

– Of patient’s general condition.

– Of patient’s location.

– When patient is ready for discharge.

– Of patient’s death.

Note: paper copies may not be released under these examples.

ROI: Divorced Parents

A parent calls to get information on their child. Can you release it?

– If the parents are divorced, either parent may get access to the records with a proper release. Assume that they can get records unless told otherwise.

– In the case where parental rights of one parent have been terminated, the parent with sole rights is responsible for providing the information.

– When in doubt, call the parent who has physical placement to ask if the other parent is allowed to obtain records. If they say no, then the other parent would be required to present the corresponding court documents. If they say “yes”, obtain permission and document what was provided.

ROI: Legal Guardians

An individual calls to discuss appointment information with you for a patient and states he is the patient’s Legal Guardian. May I discuss this with the individual?

Yes, after verifying the individual is the patient’s Legal Guardian and has access rights to the type of records being requested. Here’s how to verify: [Organization list here…]

ROI: Step-Parents

– A stepparent calls to discuss her stepchild’s care. May you discuss this with her?

No, unless the step-parent is a legal guardian and we have the guardianship papers on file, or a legal guardian has provided authorization.

– Step-parents may call to schedule appointments, but do not have access to their stepchildren’s PHI without authorization by a legal guardian.

ROI: Foster Parents

Can foster parents get information on the child they are caring for?

– Yes, if they have guardianship, other court papers, or an authorization from the birth parent, allowing them the right of access.

– If they don’t have any legal papers and a health care provider is in need of the information, you may release directly to the care provider.

ROI: Power of Attorneys

Refer to the ROI: Family & Friends slide if the POA-HC is involved in the patient’s care.

A patient’s power of attorney for health care (POA-HC) requests I discuss the patient’s care with her. May I?

No. A POA-HC does not allow the POA-HC to have access to that individual’s medical and/or billing information until the patient has been deemed incapacitated (except in rare cases).

In addition, before providing access to billing information, review the POA-HC to confirm it specifically allows this access and/or verify a Durable POA document is in place.

– Basically, POAs don’t have any more rights than any other individual to discuss a patient’s care, billing, etc. until two physicians deem the patient incapacitated.

If the patient has been deemed incapacitated, a document of incapacitation is located… [list here].

ROI: Workers’ Compensation PHI to an Employer

When releasing workers’ compensation records to an employer and/or work comp carrier, may I release the rest of the patient’s medical history (not related to the work comp claim with that employer)?

– No. The patient’s employer and work comp insurance carrier have the right, without an authorization, to only those records reasonably related to the workers’ compensation claim/condition.

– Request the patient to sign an authorization form to release additional types of records.

ROI: to Another Facility

Can I release a patient’s address and/or insurance information to a nursing home?

– If you are not familiar with the individual, request the nursing home to provide you with the following information:

– Patient’s name, date of birth, and address.

– Why the information is needed. If they also treat the patient or pay their claims, continue.

– The requestor’s name, name of the nursing home, and a direct telephone number to the nursing home (switchboard).

– Call the requestor back and request to be transferred to the individual. Then release the PHI.

– When uncertain, contact the patient and obtain authorization.

ROI: Leaving Messages

A spouse answers the phone, or the voice mail picks up. What information may I provide?

– State your first name and that you are calling from [Organization name] (include the site).

– Ask the patient to return your call, and provide your direct phone number.

– Do not provide lab results, or other detailed information, other than an appointment reminder.

– Example: “This is Sally from [Organization] calling for Johnny Doe. Please call me back at your earliest convenience at [number]. Thank you.”

– Double check that you ended the call.

ROI: Item Pick Up

A man arrives and requests to pick up a prescription for his neighbor. Now what?

– Request he provide you with the patient’s name, date of birth, address, and relationship to the patient.

– Confirm the patient’s and requestor’s information matches what the patient provided when informing [Organization] this individual was picking up the prescription.

– If everything matches, this means the patient requested us to provide the prescription to his neighbor (according to our Item Pick Up Procedure).

– Request the man to sign the Item Pick Up form and provide him with the prescription.

ROI: Faxing PHI

May we fax PHI?

Yes, we may fax PHI, but only when in the best interest of patient care or payment of claims.

– We may not fax sensitive PHI (HIV, mental health, AODA, STDs, etc.).

– It is best practice to test a fax number prior to faxing PHI to it. If this is not done, then complete the following:

– Restate the fax number to the individual providing it to you.

– Obtain a telephone number to contact the recipient with any questions.

– Do not include PHI on the cover sheet.

– Verify you are including only the correct patient’s information (i.e. check the top and bottom pages).

– Double check the fax number prior to “sending” it.

ROI: Email

* Note to Organization: Depending on your Email policy, include either this slide or the next slide, but not both.

We may not communicate with patients through emails at this time.

– The patient portal will provide the opportunity to electronically communicate with our patients.

When sending ePHI to other organizations for required business functions (i.e. treatment, payment or healthcare operations), encrypt the email [insert org. procedures here…].

ROI: Email

* Note to Organization: Depending on your Email policy, include either this slide or the previous slide, but not both.

We may communicate with patients through emails only if the patient has signed the organization’s privacy and security email agreement. When sending ePHI to anyone for treatment, payment or healthcare operations, encrypt the email [insert org. procedures here…], and verify the organization’s confidentiality email disclaimer is included on the email.

And now, for some general safeguarding tips…

How else can I protect our patients’ PHI?

Safeguarding: Discussing PHI

You never know who may overhear you discussing a patient. The person overhearing, whether another patient or a coworker, could be the patient’s neighbor, best friend, cousin, etc…

– Remember to talk quietly.

– When possible, discuss PHI privately, such as behind a closed door.

– Avoid having discussions in patient waiting rooms, elevators, the cafeteria, etc.

Safeguarding PHI: Approaching a Coworker

You need to talk with a coworker, but she is talking with a different patient to schedule his appointment. What should you do?

– Provide your coworker with the privacy to finish working with that patient and approach her when she is done.

Safeguarding: Seeing a Patient Outside [Organization]

You’re walking through the grocery store one day, and see a [Organization] patient. What should you do?

– It’s ok to say hello, but don’t ask the patient “how she’s doing” or questions about her health. It’s ok to listen if she offers to update you on her health.

– Let the patient approach you first, but don’t make it seem like you are trying to avoid her.

Safeguarding: Talking with Friends About Work

You had a negative encounter with a patient and really need to vent to a friend after work. What can you discuss?

– Working in health care isn’t easy, and patient confidentiality MUST be maintained at all times: at work, during non-work hours, and after your employment ends with the organization.

Here are some helpful tips…

Safeguarding: Talking with Friends About Work

Do not share with family, friends, or anyone else a patient’s name, or any other information that may identify him/her. For instance:

– It would not be a good idea to tell your friend that a patient came in to be seen after a severe car accident. Why? Your friend may hear about the car accident on the news and know the person involved.

– Do not inform anyone that you know a famous person, or their family members, were seen at this organization.

Safeguarding PHI: Media

If I am contacted by the media, may I release PHI to them? If I am contacted by an individual offering to pay me for PHI, may I release it to them?

No! You may not release PHI under either of these circumstances. Both are grounds for disciplinary action.

– Refer the requestor to the Privacy Officer.

Safeguarding PHI: Delivery

I need to transport paper records/PHI to another department. Is it ok for me to do this?

Yes, you may transport documents to another department.

– Secure them so you don’t drop them:

– Carry them close to your person.

– Carry them in a facility designated bag, box, or container.

– Ensure no names are visible.

– Ensure that no records are left unattended.

Safeguarding PHI: Transporting Offsite

When necessary to transport PHI externally:

– Place it in a locked briefcase, closed container, or sealed self-addressed interoffice envelope;

– Place PHI in the trunk of your vehicle, if available, or on the floor behind the front seat;

– Lock vehicles when PHI is left unattended.

You may not transport patient charts between departments or offsite unless authorized by the Director of HIM.

Safeguarding PHI: Interoffice Mail

Send all PHI in sealed interoffice envelopes.

– Verify all PHI was removed from the envelope before stuffing it.

– Address them to the correct individual and department.

– Mark the envelope “confidential”.

– Confirm you are sending the correct PHI.

Safeguarding PHI: Paper

Turn over/cover PHI when you leave your desk/cubicle so others cannot read it.

– If you have an office, you have the option of closing your door instead.

Turn over/cover PHI when a coworker approaches you to discuss something other than that PHI.

Safeguarding PHI: Paper Continued

Don’t leave documents containing PHI unattended in fax machines, printers, or copiers.

Check your fax machine frequently so documents are not left on the machine.

Safeguarding PHI: Disposal

How should I dispose of confidential paper?

– Shred or place all confidential paper in the designated confidential paper bins.

Does this include Post-it notes, scratch paper, envelopes, and old non-confidential documents we no longer need?

– No. Please put these in the recycling paper bins!

Does this include tissue, paper plates, cardboard, and pizza boxes?

– No. Please put these items in the regular trash or other appropriate recycling container!

How should I dispose of electronic media (floppy disk, CD, USB drive, etc.)?

– Provide electronic media to the IS Department to dispose of it.

Facility Security

How can I help protect our facilities?

– Wear your ID Badge at all times (it helps identify you as an [Organization] employee/provider).

– Only let employees enter through employee entrances with you.

– Keep hallway doors that lead to patient care areas closed.

– Request vendors and contracted individuals to sign in and obtain Vendor ID Badges when visiting a restricted area.

What are Restricted Areas?

Restricted areas are those areas within our facilities where PHI and/or organizationally sensitive information is stored or utilized.

– Receptionist stations

– Business office windows

– HIM Department

– Patient care hallways/treatment areas

– Offices

– Storage closets and cabinets

– Accounting, Human Resources, Administration Offices, IS Department, etc.

– Employee meeting rooms/kitchens in the departments

– Areas containing potential safety hazards (ex. medical imaging, lab, nuclear medicine, etc.)

Facility Security Continued…

– If you see someone in a restricted area not wearing a badge, kindly ask “May I help you?” Escort the individual out of the restricted area and to the individual/area he/she is visiting.

Business Associate Agreements

If you initiate negotiations to contract with a company to perform, or assist in the performance of, a function or activity involving the use or disclosure of PHI, please contact the [Organization Privacy Officer] to obtain a Business Associate Agreement (BAA). Examples of when to obtain a BAA with a company include:

– Claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; and

– Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

Other Confidentiality Agreements

When initiating a contract with a company to perform work for [Organization] which will not have direct access to PHI, request a Confidentiality Agreement be signed and forwarded to the [Organization Privacy Officer].

HIPAA and Your Role

Remember, it is your responsibility, as a [Organization] employee or provider, to comply with all privacy and security laws, regulations, and [Organization’s] policies pertaining to them.

Employees and providers suspected of violating a privacy or security law, regulation, or [Organization] policy are provided reasonable opportunity to explain their actions.

Violations of any law, regulation, and/or [Organization] policy will result in disciplinary action, up to and including termination, according to [Organization] HR Policy #.

HIPAA Violations: How Much is Enough? How Much is Too Much?

There are three types of violations:

– Incidental

– Accidental

– Intentional

[Insert [Organization’s] policy regarding types of violations and levels of disciplinary action provided.]

Incidental Violations

If reasonable steps are taken to safeguard a patient’s information and a visitor happens to overhear or see PHI that you are using, you will not be liable for that disclosure.

Incidental disclosures are going to happen… even in the best of circumstances.

An incidental disclosure is not a privacy incident. This type of disclosure is not required to be documented.

Accidental Violations

Mistakes happen. If you mistakenly disclose PHI or provide confidential information to an unauthorized person, or if you breach the security of confidential data:

– Acknowledge the mistake and notify your supervisor and the Privacy Officer immediately.

– Learn from the error and help revise procedures (when necessary) to prevent it from happening again.

– Assist in correcting the error only as requested by your leader or the Privacy Officer. Don’t cover up or try to make it “right” by yourself.

Accidental disclosures are Privacy Incidents and must be reported to your Privacy Officer immediately! This disclosure is required to be documented.

Intentional Violations

If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect:

– Disciplinary action, up to and including termination.

– Civil and/or criminal charges.

Examples include:

– Accessing PHI for purposes other than assigned job responsibilities.

– Attempting to learn or use another person’s access information.

If you’re not sure about a use or disclosure, check with your Supervisor or the Privacy Officer.

Reporting HIPAA Violations

If you are aware or suspicious of an accidental or intentional HIPAA violation, it is your responsibility to report it.

– [Organization] may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who in good faith reports a violation (whistleblowing).

– Refer to the [HIPAA Intranet page] for more examples of what to report.

It’s Important to Report HIPAA Violations…

– So they can be investigated, managed, and documented.

– So they can be prevented from happening again in the future.

– So damages can be kept to a minimum.

– To minimize your personal risk.

– In some instances, management may have to notify affected parties of lost, stolen, or compromised data.

Incidental disclosures need not be reported, but if you’re not sure, report them anyway.

Patient Complaints

Report all patient complaints. We are required by law to respond to privacy and security complaints.

How May I Report a HIPAA Privacy Violation?

– Directly to your Supervisor, who in turn reports it to the Privacy Officer.

– Call or email the Privacy Officer.

– Complete a HIPAA Incident Report form (#), which is located [on the HIPAA Intranet page].

– Email the internal “HIPAA Hotline” email group. Note: this is not anonymous, as the sender will be known.

– Leave a message on the HIPAA Hotline [insert #].

How May I Report a HIPAA Security Violation?

If it involves a breach of patient confidentiality, report it through the same methods listed for Privacy Violations.

If it does not involve a breach of confidentiality, report it through one of the following methods:

– The same methods listed for Privacy Violations

– Call or email the Technical Security Officer, Information Services Help Desk, or Director of Information Services.

HIPAA Information

Check out the [HIPAA Intranet page]. We will continue to add additional information for your reference.

Questions, Comments, Concerns…

Not sure which way to go?

– Please contact your Privacy Officer, at (phone) (pager) (email)

– Please contact your Security Officer, at (phone) (pager) (email)

Remember to Take the Test

To obtain credit for this session, remember to take the test after viewing this presentation.

Thank you, from…

The Privacy and Security Committees

Refer to the HIPAA COW website for privacy, security, and EDI reference materials: http://hipaacow.org/home/home.aspx

Hand in hand Protecting All Accounts!

HIPAA COW Authors

Primary author: Holly Schlenvogt, MSH, ProHealth Care Medical Associates, Privacy Officer

Contributing authors:

– Cami Beaulieu, Red Cedar Medical Center, ROI Supervisor and Privacy Assistant

– Jane Duerst Reid, RHIA, Clear Medical Solutions, HIM Consultant

– Linda Huenink, MS, RHIA, Wk Co. Dept. of Health & Human Services, Records Supervisor

– Carla Jones, Senior Staff Attorney/Privacy Officer, Marshfield Clinic Legal Service

– Kathy Johnson, Privacy & Compliance Officer, Wisconsin Dept. of Health Services

– Melissa Meier, ProHealth Care Medical Associates, Corporate Compliance Coordinator

– Kim Pemble, Executive Director, WI Health Information Exchange (WHIE)

– LaVonne Smith, Information Services Director, Tomah Memorial Hospital

Reviewed by: HIPAA COW Privacy & Security Networking Groups