Compliance & HIPAA2017 Annual Education

1

The purpose of this education is to UPDATE and REFRESH understanding of:

The purpose of this education is to UPDATE and REFRESH your understanding

of:

Aultman’s Compliance Program.

The HIPAA rules and PROTECTING OUR PATIENT’S confidential information.

2

3

Aultman’s Compliance Program

The Aultman Compliance Program includes SEVEN CORE ELEMENTS as required by the government.

Written policies and procedures and standards of conduct.

A Compliance Officer that is accountable and responsible for the program.

Effective education and training.

Lines of communication for reporting compliance concerns.

Disciplinary action for non-compliance.

Routine auditing and monitoring to identify risks.

Procedures for responding promptly to non-compliance and undertaking corrective action.

The 7 elements of an effective Compliance Program are…

4

So… what does the Compliance Department at Aultman actually do?

Demonstrates a good faith effort to comply with federal, state, and local regulations.

Establishes procedures to prevent, detect, and correct non-compliance.

PROTECT our organization, workforce members, and customers.

Preserve the level of INTEGRITY that Aultman is known for as a highly reliable organization.

Promote the continued effort to DO THE RIGHT THING.

Provides a method for employees to report potential problems.

Serves as a resource to resolve compliance issues.

But wait!THERE’S MORE…

Aultman’s Compliance Department strives to…

What is expected of me?

5

Follow Aultman’s Code of Conduct.

Carry out your job duties with INTEGRITY and HONESTY.

Know the laws and regulations that apply to your job.

Exercise good judgment and do the right thing when performing your job.

Report suspected compliance concerns orproblems to the Compliance Department.

Fraud, Waste, and Abuse (FWA)

Fraud, Waste, and Abuse can occur in many different formats.

For example...Billing for services not furnished or that are medically unnecessary could be considered FWA.

An estimated 10% of Medicare costs are wrongly spent on fraud, waste, and abuse.

The government is devoting substantial resources to prevent and

detect FWA.

If you have a concern or

question about how things are being done, it is important that you report your

concern.

Additional information regarding FWA, and the False Claims Act, can be found in the Aultman Employee Handbook or CMS’s Fraud & Abuse: Prevention, Detection, and Reporting Fact Sheet.

6

How do I report a Compliance Concern?Discuss concerns with your manager or another member of the management team.

Contact the Compliance Department at (330) 363-3380 or Ext. 33380 or compliance@aultman.com.

Report anonymously by calling the Aultman Compliance Line at 1 (866) 907-6901 or online at https://www.aultman.org/complianceline.

Employees reporting in good faith will not be subject to retaliation.

I have a concern…

7

What is HIPAA?

HIPAA is a federal law which:

Regulates and sets standards for protecting patient privacy andconfidentiality of Protected Health Information (PHI).

Describes how we may use and disclose health information.

Expands patient’s rights regarding their health information.

Includes penalties for privacy violations.

8

Any and all health information that could identify a particular person.

Protected Health Information (PHI) :

Name & address, age, date of birth, social security number, clinical information, test results, diagnosis, photos, employer.

Breach:

May require notification of patient and government.

PHI can be shared without patient authorization for:

When someone obtains, views, or discloses PHI inappropriately.

Treatment – anyone who has a treatment relationship with the patient.

Payment – for billing and collection activities.

Healthcare Operations – business activities, including quality improvement and teaching.

Report any potential breaches to the Compliance Department.

9

Why is Patient Privacy Important?

Patients place TRUST in us to protect their most private information.

If patients don’t trust us with their private information…

They may be reluctant to disclose important information that is vital to their care.

Our community reputation could be damaged.

Not only do we have a legal duty to protect patient health information, we have an ETHICAL and MORAL

obligation, as well.

They may go elsewhere to receive treatment.

10

What can I tell my patient’s friends and family?

Obtain patient approval before sharing PHI.

Oral or written approval is acceptable.

Document it in the medical record.

Use the Privacy Communication tab in Cerner or paper form.

Patient may change his/her mind at any time.

Use professional judgment when patient is unconscious

or incapacitated.

Utilize the Minimum Necessary Standard.

Family & friends should be actively involved in care in order to receive PHI.

When in doubt, do not disclose information!

Remember, you can consult your manager or Compliance for guidance.

11

Mobile DevicesMobile devices such as

laptops, tablets, smartphones, and USB

flash drives that contain confidential Aultman information must be

password protected and encrypted, when

possible.

Texting of patient information should only be performed with Aultman approved applications that are secure and encrypted.

The Joint Commission prohibits the texting of patient care orders.

12

Audits

HIPAA rules require that all our electronic systems have the capability to produce an audit trail.

This allows us to:

Investigate any patient complaint regarding HIPAA.

Run specialized reports that can show, for example, if a user accessed a co-worker’s medical record.

13

See who has accessed patient records and when.

Conduct random audits of employee access.

Did you know?Snooping into electronic medical records is the most

common type of HIPAA violation at Aultman.

Aultman policies DO NOT PERMIT workforce members to look up their own

medical information, or that of family, friends, co-workers, or patients of

interest.

Sn ping

This applies to all forms of medical

information

14

They’re my records… why can’t I have access?

When receiving health care services, employees are like any other patient.

As a patient, an employee may obtain a copy of their health care information (or the records of family members) by completing the release of information process in the Medical Records Department.

A signed Authorization Form does not permit workforce members to directly access anyone’s information via Aultman’s various electronic systems.

Aultman’s Patient Portal is also available and allows patients direct access to their health information. If you still need to sign-up for the Patient Portal,

please contact the Registration Department.

15

What’s the big deal?

The reason for these restrictions is the HIPAA Minimum Necessary Standard, also known as “the need to know rule.”

Under this HIPAA standard, you are only permitted to access information you need to do your job and disclose only information to others to do their

job.

Looking up your own information or the

information of a family member does NOT meet

this standard!

The HIPAA rules require health care organizations to have consistent disciplinary actions in place for employees who violate HIPAA. At Aultman, disciplinary actions for HIPAA violations have ranged from suspensions to terminations.

Aultman’s disciplinary process is outlined in the Employee Handbook. 16

Social Media

17

Social media websites are a great tool for sharing all kinds of information,

BUT NEVER

for sharing any kind of patient information, even in general terms!

Remember that any information and images you post online could remain there forever and might be redistributed, shared, commented upon, and accessed by anyone, including your family, friends, or employers (even many years later).

THINK….before

you post!

18

Computer & Email Security

Log off or lock your computer when leaving your workstation.

To lock your screen press:

EmailAll emails sent to another Aultman email are secure.

Emails sent externally that contain Protected Health Information MUST be encrypted.

Type [SECURE] anywhere in the subject line to

encrypt an email.

User IDs and Passwords

Everyone must have a unique user ID and password and they are responsible for all activity that occurs under that combination.

Mandatory password changes are required a minimum of every 90 days.

Passwords should be strong to increase security.[Secure]

19

Phishing attacks are typically carried out through the use of emails that appear to be sent from a legitimate source.

Recipients of these emails are directed to click on links that send them to websites designed to obtain sensitive information or install malicious software ontotheir device.

Phishing Schemes

20

How to spot a phishing email

Spelling and bad grammar

If you notice mistakes in an email, it may be malicious.

The hyperlinked URL is differentHover your mouse over the address in the “from” field to see if the website domain matches that of the site the email should have originated from.

Call to action

Often they will trick youinto clicking on a link to reactivate your account or to remove a hold. Don’t click on the link, but instead log onto your account in question directly through their website.

You Won!!

A common scam is to send an email that says you won a prize for a contest you never

entered. Requesting personal information

Reputable organizations will not ask for personal information in an email.

Make a donationUnfortunately, phishing emails might ask for a donation to a legitimate cause, such as the American Red Cross. To be safe, contact organizations directly to make donations.

21

Ransomware

A type of malicious software designed to block access to a computer system until a sum of money is paid.

Installed through email attachments, infected downloads, or visiting malicious websites or links.

Only open attachments, install downloads, orvisit websites from known and trusted sources.

H E A LT H C A R E

22

If you feel you have fallen victim to

ransomware or a phishing scheme,

please contact our IT Security Department

IMMEDIATELY at:

EPHIsecurity@aultman.com

Help.Desk@aultman.com

23

There are resources available to learn more about the HIPAA

Privacy and Security Regulations

This is a document we are required to give all patients. It summarizes our policies

and procedures in regards to the requirements of HIPAA.

This is our internal system that contains all of Aultman’s HIPAA Privacy and Security policies and procedures.

Can be accessed through the employee portal under “Resources” then “Policies & Procedures”.

24

Notice of Privacy Practices (NPP)

PolicyTech

Issues we’ve seen at Aultman

Random audit revealed an employee accessed their co-worker’s records.

A group of employees posed for a picture while at work that was posted tosocial media. Patient PHI was visible on the computer behind them. Employees

were receiving harassing phone

calls from a patient’s family demanding

protected information.Guidance was

provided to the staff.

A patient was sent home with

another patient’s discharge

instructions or clinical summary.

Lab report was faxed to the wrong

physician office. A family member found a nurse’s report paper with patient PHI on the ground in the hallway.

25

A department requested guidance on proper storage of PHI in their offices.

Questions?Kelly Martinelli Aultman Medical Group Compliance Officer

Ext. 46493 or (330) 433-1493 kelly.martinelli@aultman.com

Valerie Waldorff Aultman Orrville Hospital Compliance Liaison Ext. 35425 or (330) 363-5425 valerie.waldorff@aultman.com

Karen Wulff Integrated Health Collaborative Compliance & Privacy Officer Ext. 33115 or (330) 363-3115 karen.wulff@aultman.com

Direct questions regarding Systems and Technology Security to:

Barbara McGill – HIPAA IT Security Officer/AnalystExt. 39784 or (330) 363-9784; barbara.mcgill@aultman.com

Tim Regula Chief Compliance and Privacy Officer

Ext. 37448 or (330) 363-7448

tim.regula@aultman.com

Compliance Department Ext. 33380 or compliance@aultman.com

26

orEPHIsecurity@aultman.com submit a Help Desk Ticket via the Employee Portal.

HIPAA regulations require Aultman to provide on-going

compliance education for all employees and other members of

the Aultman workforce. We have created a post-test to

demonstrate your understanding of the information provided in

this education. Every employee must complete the post-test and

answer 80% of the questions correctly.

Please proceed to the post-test now.

27

Tan

a R

od

gers

BSN

, RN

20

17