HIPAA Privacy and Security Confidentiality
TRANSCRIPT
Before we begin…
Have the printed PowerPoint Notes pages in front of you on the left
Have Attachments 1 and 2 in front of you on the right
• Attachment 1 = Related Policies and Procedures
• Attachment 2 = Quiz/Acknowledgement
HIPAA - A Brief Refresher
Health Insurance Portability and Accountability Act of 1996
What it does:
• Protects the privacy and security of health information (confidentiality)
• Improves the way health information is transferred
• Gives new rights to Clients, which give them greater access to and control of their health information
The Big Privacy Rule Messages remain the same:
• Client information: Keep it confidential!
• Before Using or Disclosing Information, Use the “Need to Know” Rule
• When in Doubt…ASK!
Why are We Here Today? (Agenda)
Review some Basic Information about the HIPAA Privacy Rule
• Protected Health Information (PHI)
• Client Rights under HIPAA
• Using and Disclosing PHI
• Complaint and Grievance Process
Define Roles and Responsibilities
Why are We Here Today? (Agenda) - 2
Review some Basic Information about the HIPAA Security Rule
• Password Protection
• Workstation Use
Participants will know:
• that there is a federal law that pertains to permitted and required uses and disclosures of protected health information
• what protected health information is
• what confidentiality means
• what rights patients have to their information
• what the ramifications of violations are to each member of the work force and the organization
• where to obtain policies and procedures on privacy and security
• the importance of reporting--without fear of retaliation--any suspected breaches of confidentiality
And…
• Understand HIPAA Sanctions and Penalties
• Review New Policies and Procedures
• Test your knowledge
• Practice Session
How Will HIPAA Affect You?
Policies, procedures and practices
• The Facility Use and Disclosure, Access and Sanctions Policies, among others, have been updated to include HIPAA requirements
Our Actions and Decisions
• Must be more conscious of privacy and security all the time and in every interaction
• Be aware of the rules and stick to them
What is Protected Health Information (PHI)?
PHI is all health information about clients, including:
• Their medical or mental health condition
• Any treatment they’ve had or will have
• Clinical, billing and financial information
ALL of this information is protected and therefore CONFIDENTIAL
PHI
• Can be written, oral, automated, electronic or manual, email or a fax.
• Is individually identifiable. Some examples include:
• Name, address, birth date, social security number
HIPAA Makes us aware of how we use Information
Example:
• I stop to speak with a peer in the hall about one of the clients.
• Who’s around me?
• I could be breaching confidentiality
Example:
• I get up and walk away from my workstation
• I don’t log off because my screensaver will come up in 5 minutes
• I could be breaching confidentiality
Notice of Privacy Practices
Clients have a right to know how we will use and disclose their PHI
The Notice of Privacy Practices
• Explains the client’s rights under HIPAA
• Tells them how to file a complaint/grievance
The Notice must be posted where clients can see it.
Notice Of Privacy Practices: Rights Under HIPAA
Clients also have the right to:
• Inspect and Copy records
• Amend records under certain circumstances
• Request an accounting of disclosures of PHI
• Confidential Communications
• Request Restrictions on uses and disclosures of PHI
• The Facility has the right to refuse the requested restriction
• If the client is conserved, access privileges will be processed through the conservator, public guardian, etc. and per facility policy.
• ALL requests for access should be reported to the Administrator and processed through Medical Records
The Facility May Use or Disclose PHI
• To provide services to Clients
• For the normal operations of the Facility
• If it is required by law (subpoena, etc.)
• To our Business Associates in the course of providing services
Business Associates
The Business Associate
• Signs an agreement with the facility to provide services that include using, creating, and maintaining PHI for Clients of the Facility
• Assures the facility that they are HIPAA compliant
• Must fulfill the roles and responsibilities stipulated in the Business Associate Agreement
Safeguarding Privacy & Security
• Disclose only the amount of PHI necessary to accomplish the intended purpose
• Staff access to PHI, both written and electronic information, is delineated by the Facility and is limited to only what is needed to perform job duties
Safeguarding Privacy & Security-2
You may inadvertently disclose information electronically by…
• Using Public Internet
• Installing shareware or freeware
• Using Instant Messaging
• Improperly disposing of media (CDs, etc.) or computers, hard drives, paper
• Sending PHI over email that is unencrypted
Safeguarding Privacy & Security-3
The Facility
• Sanctions Policy for Privacy and Security Violations may have levels of violations
• Level one violations: Less severe infractions – sharing password, for example
• Level two violations: Disciplinary actions up to and including termination
• Must mitigate any harmful effects caused by privacy or security violations
The Bottom Line…
BE CAREFUL WITH PHI
• There are serious consequences to misuse and improper disclosure
• In addition to facility Sanctions there are possible Civil Penalties
The Use and Disclosure Policy
Outlines how the Facility may Use and Disclose PHI including staff access privileges
Assures that all Staff will maintain privacy in accordance with HIPAA
Delineates the requirements and procedures for the Facility’s Notice of Privacy Practices
Contact the Privacy Officer/Administrator/Medical Records When…
• You have questions about whether or not something is PHI
• You receive an authorization to release information
A Client
• Asks to see or copy records
• Wants to amend or correct records
• Wants to restrict disclosure of PHI
• Requests an alternate method of communicating PHI
Authorizations
• Required for release of protected health information
• Must be a HIPAA compliant authorization
• Forward any requests to the Administrator and/or Medical Records
Receiving an Authorization
Another organization or person may request a client’s records by using their own authorization (signed by the client)
• Refer these requests to Medical Records to ensure appropriate processing according to HIPAA Rules
Verification of Authority
Verify authority to request PHI regarding enrollment or other PHI maintained or created by you
• Physical ID check, i.e. Driver’s License, Medicare Card, etc.
• Phone call to an office to verify authenticity of the requestor
Any doubts…refer to the Administrator or Privacy Officer
Client Access to Records
Refer requests to the Administrator and Medical Records
• A written request is required
• If the person is conserved, that request must come through the conservator, public guardian, etc.
• The Physician should also be contacted to make sure that reviewing the record would not cause harm to the client
• If the request involves a large volume of records and is very time consuming, there may be a nominal charge to the client
Access to or Inspection of Records
Access or Inspection of records must be done through the Administrator/Medical Records
The Administrator/Medical Records may deny access when
• PHI makes reference to another person
• PHI is not created by the Facility
And will
• Notify the client/conservator of the denial in writing
Request for Copies of PHI
• A written request is required
• The Facility may charge for copies of records
• Refer all requests to the Administrator/Medical Records
Confidential Communications
Provide confidential communications to the client to the extent possible
• Fax
• Mail to an alternate address
Must be done through the Admissions Office
Requesting Restrictions on Release of PHI
Technically a right of the client. The Facility only releases PHI:
• To the client, as permitted
• By authorization of the client
• As permitted or required by HIPAA or required by law
• As part of Treatment, payment or healthcare operations
Privacy Violation Complaint and Grievance Procedure
The Facility must have a Complaint and Grievance Procedure for Privacy & Security Complaints
The client may complain to the Privacy Officer or Privacy Contact Person
If unsatisfied, the client may complain to the Secretary of DHHS, which is listed on the Notice of Privacy Practices
Reporting breaches
The staff must be able to report--without fear of retaliation--any suspected breaches of confidentiality
Reports may be made to your Privacy or Security Officer
Or directly to the Secretary of the Dept. of Human Services as listed on the posted Notice of Privacy Practice
Passwords
The risk of breach is ranked high because password cracking is still a very common form of hacking.
Passwords should:
• Not be written down in a place where they could be accessed
• Be required to be changed frequently
• Have a combination of characters and letters and cases
• Not be words found in a dictionary (English or Foreign)
• Never be shared
Workstation use
The risk is ranked medium for desktop workstations, and high for portable workstations due to their greater potential for loss or theft and generally weaker controls, including the human factor.
Do desktop workstations contain data inappropriately stored on the hard drive?
• Private Programs, downloaded freeware, shareware
Have any of the workstation’s security configurations been changed? (Security settings changes, for example)
Workstation use-2
Could “shoulder surfers” and other social engineers determine if passwords or other security-related information could be obtained from users of workstations?
Workstations, including printers, copiers, and faxes automatically connected to workstations, should also be safeguarded.
Key Positions
Privacy Officer
• Overall responsibility for all Privacy Functions for the Facility
• Responds to Clients’ privacy questions and complaints
Facility Contact Person
• First Line of Defense for Privacy Questions and Issues
Security Officer
• Overall responsibility for all Security Functions for the Facility
• Responds to Facility IT Security questions, problems, and reports of possible breaches
Test Your Knowledge
See Attachment 2 – Quiz/Acknowledgement
1. The client has the right to access all protected health information held by the Facility. True or False?
2. A person’s address may be considered PHI. True or False?
3. You may release PHI as long as there is a written request for you to do so. True or False?
4. Privacy or Security Violations may result in termination of employment. True or False?
5. Sharing passwords is permissible as long as it is someone you work closely with. True or False?