HIPAA Privacy and Security Release of Information TRAINING


Introduction to Client Confidentiality:
Privacy & Security
(HIPAA/Release of Information)
DAVID LAWRENCE CENTER
1
7/18/2015
Introduction
You will learn about:

PRIVACY
-Authorization to Release Information

SECURITY
-Password protection
-Encryption

STANDARDIZATION OF TRANSACTION CODE SETS
-Standardization of HIPAA transaction standards (5010)
-Modification of Medical Data Code Sets (ICD-10-CM)
HIPAA
Health Insurance Portability and Accountability Act

Privacy – The Privacy Rule protects all forms of Protected Health Information (PHI): electronic (ePHI), paper, or oral.

Protected Health Information includes:
-Names
-Addresses
-Employers
-Relatives' names
-DOB
-Telephone and fax numbers
-SSN

PHI – Protected Health Information: any client-identifying information which, if disclosed, would identify a client and/or their treatment.

ePHI – Electronic Protected Health Information: any PHI that is stored, held or transmitted, either permanently or temporarily, in any electronic format.
– Examples: Email; documents (Word, Excel, PowerPoint or plain text); electronic reports saved for printing at a later date; PDAs; the Electronic Health Record; enterprise systems; network shares.

Portability – ensures that individuals moving from one health plan to another will have continuation of coverage and will not be denied coverage under pre-existing-condition clauses.

Accountability – significantly increases the federal government's fraud enforcement authority for privacy and security.

Administrative Simplification – August 2000; standardizes electronic transmissions of health care data.
Client Rights to Privacy
• Right to have access to their information
• Request amendments to their information (DLC has the right to approve or deny the request)
• Request revocation of their previously signed authorizations at any time; any information previously released is not affected by the revocation.
• Request an accounting of disclosures
  1. Paper records – Access to Records Log
  2. Electronic records – access is monitored by IT through the Profiler Reporting System.
Accessing and Requesting Protected Health Information

Authorization to Release Information – must be completed and on file in order to disclose information.
-The Clinical Records Department processes requests on paper or in electronic format
-Fees: $1.00/page (no charge for healthcare providers, Prison Health Services, the Medical Examiner, and the Department of Children and Families)
-Required to respond within 7 business days
-Who can complete the Authorization to Release Information?
 – Client
 – Biological Parent/Guardian
 – Proxy
 – Guardian Ad Litem, with appropriate court documentation

Basic information is disclosed by signing the Authorization; if additional information is requested, the client must initial the items and specify if "Other".

Authorization is not required for treatment, payment and operations.
Accessing and Requesting Protected Health Information

Access to information may be temporarily denied to the client.

Authorization from the treatment provider to release information to the client will be required in the instances identified below:
 – DCF involvement for abuse and neglect
 – Baker Act admission for suicide attempts, if requested within 30 days of discharge
 – Custody cases

Why is this required: if a client requests information that the provider feels could be harmful to that client, we have the right to temporarily deny the request.

If denied, the Health Information Record Denial Request must be sent to the client.
DLC's responsibilities to protect clients' rights are:

• Control who can access information – "Do I need to know this to do my job?"
• Acknowledge/notify clients of their rights – HIPAA Acknowledgement Form: the client only needs to sign once, unless major changes are made to the document
• Provide training to all staff
• Sanction Policy
• Policies and Procedures – available on the Center's Intranet, from your program supervisor or office manager, and from Quality Assurance.
• Documentation – ensure errors in the electronic clinical record are appropriately corrected using the void function. Ensure entries in clinical records are not deleted.
DLC's HIPAA Compliance Officers

Privacy Officer – Sharie Boscaglia

Security Officer - Faron Richards

Facility Security - Gary Boivin
Who Can See What?

DLC is considered a "Covered Entity", which requires us to comply with HIPAA privacy and security regulations. ("Covered entity" includes most providers, clearinghouses and health plans.)

Any organization receiving PHI from DLC is mandated to have a Business Associate Agreement, which requires them to comply with HIPAA regulations. (Exceptions are those who routinely receive PHI as part of treatment, payment or operations; otherwise a specific authorization is required.)

Only authorized personnel can see the physical chart or any electronic version or representation thereof.

Authorized personnel are defined as those individuals directly involved in treatment, billing, records or auditing of the information. These individuals are allowed access only in direct correlation with their job responsibilities.

Clinical personnel not assigned to the treatment team are prohibited from reviewing the chart, unless for peer review, auditing purposes or referral to a program.

Administrative personnel should have limited access to the client's record unless it directly relates to their job (Medical Records, auditing, reporting, scheduling).
SECURITY

Security – covers specifically electronic PHI (ePHI) which is being held, stored or transmitted.
Security

The Security Rule requires us to establish Administrative, Physical and Technical safeguards to control access to electronic protected health information in order to ensure:
– Confidentiality – no accidental or intentional disclosure to unauthorized recipients.
– Integrity – data has not been altered or destroyed in an unauthorized manner. In no instance should information be deleted from a record.
– Availability – accessible and usable upon demand by an authorized entity.
Security

Technology has allowed us to compile a large amount of protected data in our Information Systems. Loss of any of these systems, and the subsequent loss of the data contained therein, would have a devastating impact on the agency.

Technology Security – passwords, encryption, etc.
-Keep your passwords secret, known only to you. Never share them with anyone.
-You are responsible for anything done on the system under your login ID. You are never permitted to share login and password information; this is considered a serious offense and corrective action may be taken.
-Commit your password to memory and change it often.
-If you forget your password or suspect it has been compromised in any way, contact the IT Helpdesk to have it reset for you.
-Select passwords that are not easily guessed. Always include at least one number and/or a special character such as $ # ! &
-Never leave your system while you are logged on; always use Ctrl-Alt-Del and lock the computer.
-Do not write your password down and leave it in a conspicuous place such as on your monitor or under the keyboard.

Contingency/Disaster Plan

DLC has Security Procedures in place; they can be found on the intranet.

Use common sense: never leave PHI on a fax or printer for others to see. Security is not just a computer issue. Faxing information to an incorrect fax number is considered a breach of confidentiality. The use of memory sticks and key fobs is against Center policy.

Electronic access is managed by security level in Profiler, which is based on provider type, tree view and treatment team participants.
Security

There are 3 ways to enter buildings: key, key fob, electronic key pad.

Discard all documents with PHI in the proper locked container or use a crosscut shredder.

Loading personal computer programs on DLC computer equipment is NOT permissible.

The integrity of data on any Information System is the responsibility of every employee. Each person should verify the data they enter into the system by spot checking or data sampling to ensure it is in the proper location and is correct.

Any PHI that is going to be sent via email outside the Center must be put into an MS-Office document and encrypted, then sent as an email attachment. PHI should never be included in the "subject" line or the body of the email. If you are required to email PHI as part of your job duties, please contact IT to ensure you are following adequate password and policy procedures.
Why Is Security Important?
• Public trust
• Morally and ethically the right thing to do
• Good business practice
• Protection against liability claims and lawsuits
• Avoids financial penalties and possible imprisonment

REPORTING BREACHES

Employees are required to notify the Privacy or Security Officer when they breach a HIPAA standard, or witness or discover any other individual breaching a standard.

We are required to follow our policy on violations, and it must be enforced.

Effective November 30, 2009, HIPAA standards allow for penalties up to $250,000 per violation and up to 10 years imprisonment for breaches.
• Civil penalties of $25,000 for failure to comply
• Criminal penalties such as:
  • $50,000 fine and 1 year in prison for knowingly obtaining and wrongfully sharing information;
  • $100,000 fine and 5 years in prison for obtaining and disclosing through false pretenses;
  • $250,000 fine and 10 years in prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.
TRANSACTION CODE SETS

• Transaction Code Sets – a set of codes standardized by HIPAA used for billing purposes.
• Improved the efficiency and effectiveness of the health care system by leading to cost reductions and improvements in benefits from electronic health care transactions.
• Has enhanced security of protected health information.
WHY COMPLY?

• It's a Federal Law!
• There are Civil and Criminal Penalties.
• Enforced by the Office of Civil Rights
• DLC requires it
• It's a good business practice
PLEASE COMPLETE QUIZ
THE END