School presentation design template


Getting Back to the Basics
2014

• Review HIPAA Privacy and Security requirements
• Review American Behavioral standards and practices developed to comply with HIPAA Privacy and Security requirements
• Review your responsibilities for ensuring compliance with Privacy and Security requirements
• Review consequences of non-compliance

The Health Insurance Portability and Accountability Act (HIPAA)
• Signed into law in 1996
• Adopted Privacy Rules (2003) that protect health data (referred to as PHI) and provide members with certain rights about their health
• Adopted Security Rules (2005) that protect electronic health data (referred to as e-PHI)
• Amended by the HITECH Act of 2009
• Amended by the Omnibus Rule to enhance patient privacy protection effective 9/24/2013
• New rules and guidance continue to be issued to strengthen the requirements
Protected Health Information is any information, including demographic information, transmitted or maintained in any medium (electronically, on paper, via spoken word) that is created or received by a health care provider, health plan or health care clearinghouse, that relates to the past, present or future physical or mental health condition of an individual, or past, present or future payment for the provision of health care to the individual, and can be used to identify the individual.
The following identifiers of an individual or of relatives, employers or household members of the individual are considered PHI:
• Names
• Postal addresses smaller than state
• All elements of dates (except year) such as birth date, admission/discharge date, date of death
• Telephone numbers
• Fax numbers
• Email addresses
• Social security numbers
• Medical record numbers
• Health plan ID numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plates
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying numbers, characteristics, or codes
Personally Identifiable Information is information that can be used to distinguish or trace an individual’s identity (e.g., name, social security number, member number, etc.), alone or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.). PII may also be referred to as personally identifiable data or individually identifiable information.
NOTE: Although PII alone is not health information, it must be protected the same as PHI. Whenever PHI is referenced in this presentation, the same standard applies to PII!

EVERYTHING!
• Written documentation and paper records
• Electronic databases and information stored on a computer, laptop, memory card, mobile device, flash drive, etc.
• Verbal communication (spoken words, voicemail messages, etc.)
• Photographic images
• PHI is to be accessed for work-related purposes only – those that relate to Treatment, Payment or health care Operations (TPO – defined later in this presentation)
• Your access to PHI must be restricted to only the information necessary for you to perform your job
  o This protects you

• When HIPAA allows a use or disclosure of PHI, you should use only the minimum PHI necessary to accomplish the purpose of the use or disclosure
• Exceptions:
  o Treatment of the member
  o Purposes for which a member has signed a HIPAA authorization
  o Disclosures by law
  o When sharing information with the member or his/her legal representative
• De-identified health data:
  o Excludes all 18 elements (PHI identifiers listed previously in this presentation)
  o Cannot include any information that can be used alone or in combination with other information to identify the member who is the subject of the information
• Whenever possible, use de-identified health information instead of PHI. De-identified data is not PHI and is not protected by the Privacy Rule.
* Consult the Privacy Officer to ensure data has been sufficiently de-identified when in doubt
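The de-identification rule above, as an added example that is not part of the original presentation or of American Behavioral's own tooling: a Python allow-list scrubber that drops the listed identifier fields, keeps only the year of any date, keeps geography no finer than state, and flags free-text fields that still contain an identifier pattern so the record can be held for Privacy Officer review. The field names and the sample record are constructed assumptions, not a real schema.

```python
import re
from datetime import date

# Field names are constructed for this example; a real schema differs.
# Allow-list: only these fields survive. Anything else is treated as one of
# the 18 identifier categories (rule 18 covers "any other unique identifying
# numbers, characteristics, or codes") and dropped. "zip" is not allowed
# because addresses smaller than state are identifiers.
ALLOWED_FIELDS = {"state", "diagnosis_code", "claim_amount", "notes"}
# Every element of a date except the year is an identifier: keep only year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

# Identifier patterns that commonly hide inside free-text fields like notes.
TEXT_IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def find_text_identifiers(text):
    """Return the sorted identifier categories whose pattern occurs in text."""
    return sorted(name for name, pat in TEXT_IDENTIFIER_PATTERNS.items()
                  if pat.search(text))

def deidentify(record):
    """Return (deidentified_record, dropped_fields, problems).
    problems lists allowed free-text fields that still match an identifier
    pattern; a record with any problems must not be released and goes to
    the Privacy Officer for review instead."""
    out, dropped, problems = {}, [], []
    for key, value in record.items():
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year  # value is a datetime.date
        elif key in ALLOWED_FIELDS:
            if isinstance(value, str):
                found = find_text_identifiers(value)
                if found:
                    problems.append((key, found))
            out[key] = value
        else:
            dropped.append(key)
    return out, sorted(dropped), problems

SAMPLE_RECORD = {  # constructed sample, not real member data
    "name": "Jane Example", "state": "TX", "zip": "76104", "ssn": "123-45-6789",
    "birth_date": date(1980, 5, 17), "diagnosis_code": "F41.1",
    "claim_amount": 125.00, "notes": "Follow-up scheduled; member prefers phone contact.",
}
```

Because the allow-list is explicit, a new column added to the source system is dropped by default rather than leaking through until someone notices it.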
Know “how” and “where” you should store PHI
  o Paper files should be stored in a filing cabinet or secure location when not in use (or at a minimum, turned facedown)
  o PHI stored in electronic databases, document logs, spreadsheet applications, etc. must be password protected and saved to a secure location, such as a department folder.

• Store important documents in a secure location (such as your user area or in a department folder)
• Lock your screen before leaving the room (never leave your computer unlocked when unattended)
• All emails must include a confidentiality notice (see next slide for example)
• When sending an email, be very careful to choose the correct recipient’s name
  o Choosing the wrong name could result in a HIPAA breach!
• Always verify the fax number before dialing
• Must use an approved fax sheet that includes a confidentiality notice
• Place all data containing confidential information in the shred bins when no longer needed
  o Hand shredding is not sufficient
Member authorization not required to disclose PHI to:
• Public health and governmental agencies, law enforcement officials and other authorities as required by law (forward these requests to the Privacy Officer for processing)
• Comply with legal proceedings, such as a court or administrative order or subpoena, etc.
Member authorization not required to disclose PHI to the:
• Member (who is the subject of the PHI)
• Member’s Power of Attorney (POA) or Legal Guardian (ordered by the court or protective order)
  o American Behavioral must have proof of the individual’s legal authority
  o Legal document must specifically authorize health disclosures
• Parents covered on the same American Behavioral policy of a child age 13 or younger
  o If the child is 14 or older, the child must authorize the disclosure
***ALWAYS ask the individual for at least two forms of ID to validate their identity***
• Member authorization not required to disclose a member’s PHI to the member’s family or friends in emergency situations where the member becomes incapacitated or unable to agree or object
  o Generally, management should approve emergency disclosures, but use your best judgment – if there is not time for approval, document the situation thoroughly and notify your supervisor afterwards
• Member authorization not required to disclose a member’s PHI to the member’s family or friends when a member becomes incapacitated long-term (or expected long-term)
  o Requires proof of long-term incapacity
  o Can disclose to the member’s spouse or parent, or to an individual over age 19 that is the member’s child/brother/sister/next of kin
  o Requires completion of a Personal Representative Attestation for Long-Term Incapacitated Members
Member authorization not required for disclosure of general plan information publicly available on American Behavioral’s website to family members and friends involved in a member’s care, such as:
• Evidence/Certificate of Coverage
• Attachment A (commercial members)
• Formulary
• Provider/Pharmacy Directory
• Other General Plan Information
*It is permissible to release information to a friend or relative if we have obtained a signed Appointment of Representative (AOR) Form
Member authorization not required when we:
• Share other non-PHI information with family members and friends involved in the member’s care
• Verify certain information for those involved in the member’s care
• For non-emergent situations, we can disclose to the member’s family and friends if the member authorizes the disclosure:
  o The member can appoint someone as their personal representative. Both the member and the appointed representative must sign the form
• For non-emergent situations, we can also disclose PHI to a member’s family or friends through a verbal authorization from the member
• Any other disclosure not listed previously requires the member’s authorization
Examples of disclosures requiring authorization:
  o Requests from attorneys/law offices
  o Requests from medical record companies
  o Requests from medical suppliers/vendors wanting to market their products or services without a treatment referral from a physician
  o Requests from employers
    • Plans (self-insured employer groups) may designate specific associates authorized to receive PHI
    • Fully insured employers should never receive PHI without a member’s authorization

• Right to confidential communications
• Right to access their PHI
• Right to request we amend our records
• Right to an accounting of disclosures we have made concerning their PHI
• Right to file a privacy complaint
• Right to request a restriction on how we use/share their PHI
A breach occurs when PHI is “acquired, accessed, used or disclosed” in an unauthorized manner that compromises the security or privacy of the information
• Examples:
  o Accessing PHI without a work-related need to know
  o Sharing PHI with those who do not need to know
  o Sending an email/fax containing PHI to the wrong recipient
  o Loss or theft of records containing PHI

Texas HIPAA Blunder affects 277k
July 2013 - Texas Health Harris Methodist Fort Worth notified some 277,000 patients that their PHI was compromised after several hospital microfilms, which were supposed to be destroyed, were found in various public locations.
Lesson: Make sure all PHI is disposed of properly!

Advocate Health Slapped with Lawsuit After Massive Data Breach
August 2013 - Advocate Health Care reported the second largest HIPAA breach when four unencrypted laptops were stolen from its facility, compromising over 4 million patients’ information. Advocate has now been slapped with a class action lawsuit filed by affected patients.
Lesson: Portable devices must be secured at ALL times (even when not in use) and must be encrypted!

• Under the Breach Notification Rule (part of the Health Information Technology for Economic and Clinical Health (HITECH) Act), individuals whose PHI is compromised must be notified in writing within 60 days of discovery of a breach
• All breaches must be reported to HHS
• HHS posts information about breaches at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

It is imperative to report HIPAA incidents immediately
• The Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), enforces tiered civil penalties
  o Monetary penalties range from $100 per violation up to $1.5 million per calendar year
• State attorneys general can pursue civil suits against persons violating HIPAA
• U.S. Department of Justice enforces criminal penalties
  o Criminal penalties for “wrongful disclosure” include fines of $50,000 to $250,000 and up to 10 years in prison
NOTE: Penalties and fines apply to associates – not just to covered entities!

• Sending PHI via unencrypted email
• Faxing or emailing PHI to the wrong recipient
• Leaving PHI unattended at copiers, on printers and fax machines, in conference rooms, in public locations, etc.
• Discussing PHI in common places or with others who do not need to know the information

Protect PHI the way you would want someone to protect your PHI
Make HIPAA Privacy and Security a priority!

American Behavioral Resources
o American Behavioral’s Information Security Handbook (I:\HIPAA\Information Security Handbook_9_2012.pdf)
o American Behavioral’s Notice of Health Information Practices (available in EOCs, COCs and on American Behavioral’s website at http://www.American Behavioralhealth.com/Privacy/Default.aspx)
o American Behavioral’s Fax Coversheet (I:\HIPAA)
o American Behavioral’s Appointment of Representative Form (I:\HIPAA)
o American Behavioral’s HIPAA Policies & Procedures (I:\HIPAA\HIPAA Policies and Procedures)

HHS Resources
o HHS HIPAA Q & A’s (http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html)