final gygax training module_ attempt 2
Basic HIPAA information (slides 3-7)
Training Scenarios (slides 8-18)
Conclusion (slides 19-20)
References (slide 21)
LECTURE OVERVIEW
Health Insurance Portability and Accountability Act
Established in 1996
2 Main parts: Privacy and Security
Privacy Basics: standards developed to “address the use and disclosure of
individual’s health information or Protected Health Information (PHI)” (3)
WHAT IS HIPAA
ALL employees of the organization must follow HIPAA Privacy Rules
WHO MUST COMPLY WITH HIPAA
Figure 1
Basic definition: identifiable health-related information about an individual
3 elements of PHI (1):
Individual is identified
Health conditions or related information (e.g. Legal proceedings)
Information is held by a Covered Entity (CE)
WHAT TO SAFEGUARD: PROTECTED HEALTH INFORMATION
The US Dept. of Health and Human Services states the Privacy Rule’s “Basic Principle” (3): “...purpose is to define and limit the circumstances in which an
individuals [PHI] is used or disclosed by [CEs]…”
2 ways use and disclosure can be done:
Permitted Uses:
  To the individual
  Treatment, Payment, Operations (TPO)
  12 public interest and benefit situations
  Individual agreement/objection to additional uses and disclosures
  Incidental uses or disclosures
  Limited data set
Authorized Uses
Please visit the website for additional information: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
***Contact the Privacy Officer with any questions or concerns***
HOW TO COMPLY WITH HIPAA
Definition: a Privacy Rule requirement that restricts access to PHI to those who need the information to complete the task it was meant for (1).
Information obtained is limited to the minimum necessary to complete the task.
Be familiar with your specific department’s policies and procedures as well as the organization’s.
MINIMUM NECESSARY
Ensure the information:
  is being released to an authorized person
  fits the minimum necessary standard to complete the task
  has a valid date
  is available to be released
Ensure there is written authorization, oral authorization, or the request qualifies under the authorized exceptions
Ensure the request has been documented
Use professional judgment: make sure the information being requested will not cause:
  - individual harm
  - relationship damage between the individual and the organization
RELEASE OF PHI GUIDELINES
We will now discuss 4 different scenarios:
Identify the problem
Discussion
Implement the solution
PART II: TRAINING SCENARIOS
Situation: You have an electronic health record. When an error is made in the record, it is the policy of the facility to allow the person who has made the error to totally delete it from the system.
The Problem: This breaks 3 elements:
  Integrity - the record is accurate and complete
  Authenticity - the record is authentic
  Non-Repudiation - the record is undeniable
Brodnik states the goal of the Security Rule is to “...protect ePHI from unauthorized access, alteration, deletion and transmission.” (1)
SCENARIO 1
General rules when dealing with an electronic health record:
Records should never be deleted
When revision is required, the individual making the correction needs to:
  identify the incorrect data
  flag it
  provide a link
Refer to our organization’s procedures and policies in the rare instance a deletion would need to be made, or contact the Privacy Officer.
SCENARIO 1 SOLUTION
An Access Control List has been established.
Access controls have been established to categorize which roles have the authorization to delete records.
Parameters have been put in place by categories organized by roles and groups.
Access rights have been implemented to identify the user and certify that the user has the rights to complete the request.
If you do not have sufficient authorization rights for the task at hand, please discuss how to proceed with your supervisor or the HIM manager.
SCENARIO 1 SOLUTION
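The Scenario 1 rules (never delete; flag the incorrect entry and link it to the correction; gate any deletion on role membership) can be shown in code. This is an added illustration, not the organization's system: the record store, the role names in DELETE_ROLES and the audit-log wording are all assumed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Hypothetical role assignment: only these roles may delete an entry at all.
DELETE_ROLES = {"him_manager", "privacy_officer"}


@dataclass
class Entry:
    entry_id: int
    author: str
    text: str
    flagged: bool = False                # marked incorrect, but still present
    corrected_by: Optional[int] = None   # link to the entry that replaces it


class Record:
    """Append-only patient record: corrections flag and link, never overwrite."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []
        self.audit: list[str] = []       # who did what, for non-repudiation

    def add(self, author: str, text: str) -> Entry:
        entry = Entry(len(self.entries) + 1, author, text)
        self.entries.append(entry)
        self.audit.append(f"{author} added entry {entry.entry_id}")
        return entry

    def correct(self, author: str, bad_id: int, new_text: str) -> Entry:
        """Flag the incorrect entry and link it to a new, correct entry."""
        bad = next(e for e in self.entries if e.entry_id == bad_id)
        if bad.flagged:
            raise ValueError(f"entry {bad_id} already corrected")
        fixed = self.add(author, new_text)
        bad.flagged = True               # original stays readable: integrity
        bad.corrected_by = fixed.entry_id
        self.audit.append(f"{author} flagged entry {bad_id} -> {fixed.entry_id}")
        return fixed

    def delete(self, user: str, roles: set[str], entry_id: int) -> None:
        """Deletion is the rare exception and is gated on role membership."""
        if not roles & DELETE_ROLES:
            self.audit.append(f"{user} DENIED delete of entry {entry_id}")
            raise PermissionError(f"{user} is not authorized to delete records")
        self.entries = [e for e in self.entries if e.entry_id != entry_id]
        self.audit.append(f"{user} deleted entry {entry_id}")
```

Every denied attempt is written to the audit list as well, so a later review can see who tried to remove what.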
Situation: Patients are allowed to amend the health record directly in the electronic health record with no supervision by staff.
The Problem: Patients have the ability to change their health records, affecting:
Integrity
Authenticity
Non-repudiation
SCENARIO 2
In compliance with HIPAA regulations, individuals must have the right to request amendments to their records.
Patient Amendment Process:
  The patient must complete an official request
    Written form
    Reason for amendment
  The HIM department will process the request and contact the patient
SCENARIO 2 SOLUTION
Situation: When a visitor is at a nurses’ station, the computer screens are visible and readable by the visitor, leaving a patient’s PHI totally available to the public.
The Problem: Adequate measures are not being taken to secure the privacy of patient records.
SCENARIO 3
Workstation Use and Security Policies have been updated to include the following requirements:
  Workstation locations must be in monitored areas
  Workstation screens need to be adjusted away from public view
  Use of applicable screen devices, such as protectors to block peripheral views, is recommended
  Auto-timeouts have been enabled on all workstations
  Password re-entry is required
  Security training and awareness program completion is required for all employees who use workstations
SCENARIO 3 SOLUTION
Situation: While on the elevator, physicians, nurses, a custodian, and a patient registrar discussed patients by name and health care problem, and in one case an ongoing litigation case about a malpractice suit.
The Problem: Breaches have occurred at the organizational and individual level
Employees have failed to protect the privacy of PHI
The minimum necessary standard has been violated
SCENARIO 4
Employee Awareness Standards
Employees abide by Minimum Necessary Rule and HIPAA Privacy rule
SCENARIO 4 SOLUTION
It is important to note that there are penalties for noncompliance.
Civil Penalties: range from $100 per violation to a $25,000 maximum per calendar year
Criminal Penalties: range from a $50,000 fine and 1 year imprisonment to a $250,000 fine and 10 years imprisonment
PENALTIES FOR NONCOMPLIANCE
THINGS TO REMEMBER
Closing thoughts:
We must uphold the responsibility of ensuring patient information (PHI) is protected and that patients know their rights.
We must respect individuals, workforce members and the organization, and act respectfully and in accordance with standards.
REFERENCES
1) Brodnik, MS, McCain, MC, Rinehart-Thompson, LA, Reynolds, RB. Fundamentals of Law for Health Informatics and Info Mgmt. Chicago: AHIMA Press, 2008. p. 134, 140, 159, 176, 179, 182, 214-5, 217, 222.
2) Hughes, G. Laws and regulations governing the disclosure of health information (updated). AHIMA 2002 Nov [ cited 2012 May 21]; Available from: URL: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_016464.hcsp?dDocName=bok1_016464
3) The HIPAA privacy rule’s right of access and health information technology. Available from: URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/.../eaccess.pdf
4) The five Ws of HIPAA. Available from: URL: som.ucsd.edu/webfm_send/4665
5) Health and Human Services Website. Available from: URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
6) Wiedemann LA, Hjort B. HIPAA Privacy and Security Training (Updated). AHIMA 2010 Nov [cited 2012 May 20]; [1 screen]. Available from: URL: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048509.hcsp?dDocName=bok1_048509
Figure 1: University of South Alabama [Online Image]. Available at: http://www.southalabama.edu/healthprofessions/