No Slide Title

Download Report

Transcript No Slide Title 

DMC HIPAA Privacy and Security
DMC’S COMMITMENT TO
COMPLIANCE:
HIPAA PRIVACY and SECURITY
DMC Corporate Audit and Compliance Department
Detroit Medical Center©
Reviewed: January, 2009
Page 1 of 16
DMC HIPAA Privacy and Security
HIPAA RULES
Security
Privacy
• Became law on
April 14, 2003
• Became law on
April 21, 2005
• Information
regarding patients
is confidential.
This information is
Protected Health
Information (PHI)
• Information regarding
patients maintained,
stored, and transmitted
electronically is
Electronic Protected
Health Information
(EPHI)
General Rule: Information about our patients should only
be used or disclosed as authorized.
Page 2 of 16
DMC HIPAA Privacy and Security
USING AND DISCLOSING PHI
• PHI disclosure is permitted for purposes of:
• Treatment
• Payment
• Hospital Operations
• Use is limited to the “Minimum Necessary” to
conduct your job duties
• Policies exist to guide the disclosure of
information (DMC policy 1 HIM 153)
• Accessing your own information is inappropriate
and may result in disciplinary action
Page 3 of 16
DMC HIPAA Privacy and Security
PROTECTED INFORMATION
PHI includes
information:
EPHI includes
information:
• On paper
• On your computer
hard drive
• In a computer
• Orally communicated
• On floppy disks, CDs
or magnetic tapes
• In any other form
• Sent via the Internet - By e-mail
- Other means
Page 4 of 16
DMC HIPAA Privacy and Security
EXAMPLES OF PHI AND EPHI
• Name
• Street Address, City, County, Zip Code
• Dates: Birth, Admission, Discharge or Date
of Death
• Numbers: Social Security, Medical Record,
FIN, Patient Account, Health Plan
Beneficiary
• Telephone or Fax Numbers
• E-mail Address
Page 5 of 16
DMC HIPAA Privacy and Security
SECURING PHI
Privacy Rule
Security Rule
• DO NOT share passwords
or login ID
• DO NOT write down
password where others
may access it.
• Change your password
every 90 days
• Choose passwords that are
NOT easily guessed
• Use password protected
screensavers, suspense
mode and keyboard locks
• Log-off your computer
when you will be away a
significant period of time
• “Suspend” when you will
be away from your
computer for a short period
of time
• Position monitors out of
view of the public eye
Page 6 of 16
• Place disks or tapes in a
secure location
• Immediately report anyone
outside of DMC IS Security
asking for your password
DMC HIPAA Privacy and Security
SECURING PHI
Privacy Rule
• Use caution and respect patients’ privacy
when discussing protected health information
in public
• Read and understand the policies and
procedures relating to HIPAA Privacy and
Security (DMC policy 1 CG 035)
• When using or disclosing PHI, limit the PHI to
the minimum necessary to accomplish the
intended use or disclosure
Page 7 of 16
DMC HIPAA Privacy and Security
SENDING PHI AND EPHI
E-mail
• E-mail with PHI sent
outside the DMC should
be encrypted. The steps
to encrypt e-mail are:
- Type SECURE in capital
letters in the subject line
- E-mail will be sent to a
secure holding site
- The receiver will get a
notification e-mail with
instructions on retrieving
the secure e-mail
Page 8 of 16
Faxes
• Double check fax
number
• Use cover page which
includes your contact
information
• If fax is received by the
wrong location, have
the fax destroyed or
returned to you
DMC HIPAA Privacy and Security
PROTECTING YOUR COMPUTER AND PHI
• DO NOT open any unknown attachments, files
or unrecognizable e-mails
• Report any suspicious activity, such as new
software or hardware appearing on your
computer to the DMC Help Desk
• DO NOT install unapproved software/hardware
or use unapproved e-mail, such as Hotmail,
Yahoo, etc.
• Contact your manager/supervisor or the DMC
Help Desk if you believe someone may have
logged onto your computer
Page 9 of 16
DMC HIPAA Privacy and Security
EMERGENCY DOWNTIMES
The DMC has a contingency plan to address
system access during power failures,
disasters, weather hazards, or other situations
limiting access to patient data:
• Know the recovery plan as it relates to your job
• Know the related policies (available on the DMC
Intraweb)
• Know how to report emergencies
• Know how the emergency may impact patient care
Page 10 of 16
DMC HIPAA Privacy and Security
SECURING PHI ON WIRELESS DEVICES
The biggest risk to PHI on Personal Digital
Assistants (PDA) and laptops is theft. Secure
PDA’s and Laptops:
• Always use password protected screen saver
• Passwords should be kept secure and confidential
• Back-up data
• Consider encrypting PHI
• Install and use virus protection software
• Lock devices in a secure location when not in use
• If device is stolen, an incident report should be filed
Page 11 of 16
DMC HIPAA Privacy and Security
PENALTIES FOR
HIPAA VIOLATIONS
• Disciplinary action up to and including
termination
• Exclusion from participation in Medicare and
Medicaid programs
• Jail sentences for employees, administrators
and physicians:
HIPAA Specific –
- Up to One Year for misuse of protected health information
- Up to Five Years for misuse of PHI under false pretenses
- Up to Ten Years for misuse with intent to sell, transfer or
use PHI for commercial advantage, personal gain or
malicious harm
Page 12 of 16
DMC HIPAA Privacy and Security
PENALTIES
HIPAA violations may result in millions of
dollars in fines:
• $50,000 for misuse of protected health information
• $100,000 for misuse of PHI under false pretenses
• $250,000 for misuse with intent to sell, transfer or use
PHI for commercial advantage, personal gain or
malicious harm
Page 13 of 16
DMC HIPAA Privacy and Security
HIPAA REPORTING
DMC will take disciplinary action for breaches of
privacy and information security, up to and including
termination:
• You are required to understand the law, and how it
affects your job
• Even an “accidental” disclosure could have
consequences
• As a condition of employment, employees agree to
read and abide by the policies and procedures
covering HIPAA
• Individuals should immediately report any observed
or suspected HIPAA breach to - Your manager/supervisor
- Corporate Audit and Compliance Department at: 1.313.993.0317
- Compliance Hotline at: 1.888.484.9200
Page 14 of 16
DMC HIPAA Privacy and Security
HIPAA SUMMARY
• Safeguarding PHI is everyone’s job. If you
have questions or concerns about your
responsibility in protecting patient health
information:
- Talk to your supervisor
- Send your questions to [email protected]
- Call Corporate Audit and Compliance
Department at: 1.313.993.0317
Page 15 of 16
DMC HIPAA Privacy and Security
SUMMARY
We hope this NetLearning course has been both
informative and helpful.
Feel free to review this course until you are confident
about your knowledge of the material presented.
Click any of the following menu selections located on the
left side of the screen:
• Take Test button to complete the requirements for this
course
• My Records button to return to your CBL Courses to
Complete list
• Exit button to close the Student Interface
Page 16 of 16