annual hipaa education
TRANSCRIPT
Has been a federal privacy regulation since 2003. Covers privacy and security of health information.
Reviewed in annual education
Taught in new employee orientation
The facility Security Officer is Michael Boudreaux
The facility Privacy Officer is Alane Bryan
Does not replace HIPAA—it gives it TEETH!
Requires a breach notification policy
Encourages EHR adoption
Provides strict data protection regulations for more secure patient privacy
Violation Type                    | Each Violation       | Repeat Violations/Yr.
Did not know                      | $100 - $50,000       | $1.5 million
Reasonable Cause                  | $1,000 - $50,000     | $1.5 million
Willful Neglect – Corrected       | $10,000 - $50,000    | $1.5 million
Willful Neglect – Not Corrected   | $50,000              | $1.5 million
•Healthcare organizations or providers may be held liable for violations.
•Individual employees may be prosecuted or may be sued for civil penalties.
Must notify individuals and HHS and, in some cases, the media of any substantiated breaches within 60 days.
Breaches affecting 500 or more patients will be posted to the HHS.gov website.
Four factors are used to determine whether there is a low or high probability that PHI has been compromised:
1. The nature and extent of the PHI involved in the incident. Is the PHI sensitive information, i.e. Social Security Numbers or infectious disease test results?
2. The unauthorized recipient of the PHI. Is another physician receiving the PHI?
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the PHI has been mitigated. Was it immediately destroyed?
Mass General
California Breaches
BCBS of TN Breach
Individual Prosecution
Personal Gain
Stolen laptops/computers
Lost CDs
ID theft/Social Security Numbers
Medicare Fraud
Access to EMR with no job-related need
Using Social Networking to talk about patients
Discussing PHI with employees or family who do not have a job-related need
Looking at EMR out of concern or curiosity
Telling others that a patient was “in” for treatment
Discussing progress or prognosis in front of family without permission
Using chart to get information to use against patient in lawsuit or divorce
Looking in minor child’s EMR
Taking a peek for “educational purposes”
Starting conversations with “Don’t tell anyone I told you this, but…”
Sharing computer access/passwords
Treatment, Payment, Operations
Some law enforcement exceptions
Public health reporting
When in doubt, get a Signed Release
Disclose “minimal necessary” amount of PHI
Patients/family members requesting patient information AFTER DISCHARGE should be referred to the HIM Department
If a patient requests information during an admission, make sure the report is FINAL before giving the information to the patient or to their designee (document the designee). We do not release information unless it is in a FINAL status.
Discuss patient information as quietly as possible
Try not to say the patient’s name repeatedly
Make sure paper containing PHI makes it to a shred bin
Shred bins should be dumped in large bins each day
Use fax cover sheets with the confidentiality clause
Do not leave messages with too much information
Wear your employee ID badge at all times
Do not take pictures in patient care areas. Patients, their names, or their family members may be visible without you realizing it. It is not worth the risk!!
Use workstations for intended purposes
No gaming, no unauthorized downloading of files
Personal emails are subject to access by P&S Surgical Hospital
Log-off or lock your computer when you are not using it
Make sure others cannot view your computer screen
Keep passwords secure
Use your own individual password
Avoid sharing passwords
Trigger encryption for emails containing PHI being sent outside the organization
If photos must be taken of a patient, use a P&S camera or device; NEVER use your personal camera or smart phone
Never share proprietary or confidential information in blogs or on social media sites
Report potential breaches, inappropriate disclosures, or otherwise suspect behavior to your direct supervisor, the Privacy Officer, the Security Officer, or the Corporate Compliance Officer
End of presentation