HIPAA

1. HIPAA: Health Insurance Portability and Accountability Act
HIPAA is a law that JIRDC staff must follow. This program will focus on the rights of people who live at JIRDC and their guardians. As a consumer of health care, you also have these rights.

2. The Health Insurance Portability and Accountability Act (HIPAA)
• What is HIPAA?
• What does this mean to us at JIRDC?
• What are the six Privacy Rights?
• What is Protected Health Information (PHI)?
• What do we do with PHI?
• What rules must we obey here at JIRDC?
• What happens to us if we don’t?

3. HIPAA: What is it?
• Congress passed a law, the Health Insurance Portability and Accountability Act (HIPAA), to require insurance companies, hospitals, and other health care providers to protect people’s privacy.
• JIRDC has been classified as a health care provider, so we must meet the requirements of this law.

4. What does it mean to us?
• People who live at JIRDC and their guardians have six Privacy Rights.
• We must understand what Protected Health Information (PHI) is.
• We must be very careful with PHI and learn to use “minimum necessary.”
• All staff must receive Privacy training.

5. Residents Have Six Privacy Rights
• The right to receive a copy of JIRDC’s Notice of Privacy Practices
• The right to inspect and receive a copy of information in files we keep
• The right to request a change in information
• The right to know who we have shared their information with
• The right to request restrictions on who we share information with
• The right to request an alternative method of contact
Because the people living at JIRDC each have a legal guardian, the guardian will be the person who exercises these rights.

6. Right 1: Notice of JIRDC Privacy Practices
• We have developed a detailed Notice of JIRDC Privacy Practices explaining how Protected Health Information (PHI) is handled for treatment, payment, and health care operations, and explaining the Privacy Rights.
• The social workers are responsible for sending a JIRDC Notice of Privacy Practices to each guardian.

7. Right 2: Access of Individuals to PHI
• JIRDC residents and their guardians have a right to inspect certain records that we keep.
• The request begins with the completion of a “Request for Consumer Access to Protected Information Form.”
• If we receive a request by an individual to view their record (all or part), we must act on the request within 30 days.

8. Location of JIRDC Records
JIRDC has identified certain records that may be inspected. The primary records are:
• the record in the home
• the record housed in the Resident Records Department
The log book is an example of a record that may not be inspected, because it contains information about more than one person.

9. Location of Request Form
Each guardian must sign a form when requesting to see the records. The Social Worker or Home Coordinator will have this form. Although we have 30 days to allow access, it should not take long to reply to a request.

10. Right 3: Amending PHI
• If a guardian feels that some information in the record is not correct, he may ask for a change to be made.
• Residents and their guardians have the right to request amendments to PHI by completing a “Request for Amendment of Health Care Information” form.
• We must respond to requests for amendment within 60 days.
• If we determine the PHI is accurate and complete, it does not have to be amended.

11. Right 4: Accounting of Disclosures of PHI
• A guardian may ask to see a record of the individuals who have seen the resident’s chart during the 6 years prior to the request.
• This does not include disclosures for treatment, payment, or operations.
• This also does not include disclosures to the individual or guardian, or to law enforcement.
• No information has to be provided about disclosures that occurred prior to April 14, 2003.

12. Right 5: Requesting Restrictions on Disclosures of PHI
• Guardians may request that we limit the use and disclosure of health information about residents for the purposes of treatment, payment, and operations.
• We are not required to agree to their request to limit the number of people who view the record.
• If we do agree to it, we must follow the agreed restrictions (except for emergency treatment).

13. Right 6: Receiving PHI by Alternative Means or at Alternative Locations
• Guardians usually prefer that information be mailed to their home addresses and that phone calls be made to their home phones. However, a guardian may ask JIRDC to use a different address, phone number, e-mail, FAX, etc.

14. Right 6: Receiving PHI by Alternative Means or at Alternative Locations
• We must provide our guardians with the opportunity to receive PHI communications by alternative means or at alternative locations (such as a work address instead of a home address).
• We must oblige all reasonable requests.

15. Refraining from Retaliation
• Guardians who want to exercise their rights should not receive any negative responses from staff.
• JIRDC must not intimidate, threaten, coerce, discriminate against, or retaliate against any person attempting to exercise their rights under the privacy regulations.
• All staff must “remain neutral” toward guardians choosing to exercise their rights.

16. Protecting Confidential Information Learned at JIRDC
• ALL information about a person who lives at JIRDC that is learned as a result of performing your job is confidential information.
• According to state law, all JIRDC employees are responsible for assuring confidentiality.
• If you don’t protect information about people who live at JIRDC, you can be fined, suspended, or dismissed from your job.
• The Federal HIPAA law focuses on Protected Health Information (PHI).

17. What is Protected Health Information (PHI)?
• Any health information that can be identified to a person is PHI.
• We are using a very liberal definition of “health information” that includes treatment, care, and demographic information.
• The fact that a person lives at JIRDC is PHI.
• PHI can be dates (except just the year); record number; Social Security Number; full-face photographic image; or any other unique, identifying information.

18. Recognizing PHI When You See It
• PHI is not just information in the resident record. PHI can look like anything. PHI can be spoken, such as a conversation or an answering machine message. PHI can be written, such as on a piece of paper, a computer monitor, or a chalkboard.

19. Recognizing PHI When You See It
• PHI reveals something about a person’s past, present, or future health or condition.
• PHI is individually identifiable (gives a reasonable basis for determining a person’s identity). PHI is about a specific person. You may know the person if you hear their name or if you can guess who it is from the information that is provided.

20. Rule 1: It can look like anything
• Data appearing on computer monitors
• Lab test results
• Resident schedule boards
• A conversation about a resident’s health
• An appointment reminder left on a guardian’s answering machine
• File server backup tapes
• Financial records

21. Rule 2: It reveals something about health
• It does not have to be present health. It can also be past or future health.
• It does not have to be about bad health. “Joe is feeling fine” also qualifies as PHI.
• Since knowledge that a person lives at JIRDC strongly implies a “diagnosis” of mental retardation, this also qualifies as PHI.

22. Rule 3: It is individually identifiable
• This means that someone seeing or hearing the health information can identify the person it’s about.
• The information must provide a “reasonable basis” for determining the person’s identity.
• When health information is paired with unique identifiers (like a client number or a photograph), it is always PHI.

23. What do we do with PHI?
• Protect it! Keep it private by not leaving it lying around where it can be seen.
• Except for treatment reasons, provide the “minimum necessary” to meet the needs of the requestor.
• “Minimum necessary” means providing just enough information to meet the needs of the requestor and no more.

24. Some things we do to protect PHI
• Pick up all meeting handouts and erase blackboards when meetings are done.
• Working on PHI? When you leave for lunch, cover it up AND lock it up.
• Talking PHI on the phone? Keep your voice low if you might be overheard.
• Avoid mentioning PHI at restaurants.

25. Dealing with PHI: Test Yourself
Five situations related to “minimum necessary” follow. Read each situation. Determine whether each situation was handled correctly.

26. Dealing with PHI: Scenario #1
• Mary is escorting four residents to a movie. As they are leaving, Mary’s supervisor tells her to make sure Phil gets to sit very close to the screen because he is having some vision problems stemming from developing cataracts. Was this situation handled correctly?

27. Dealing with PHI: Scenario #1
• Since treatment of Phil’s cataracts was not involved, the “minimum necessary” rule applies here. It was appropriate for Mary’s supervisor to tell her to make sure Phil gets to sit very close to the screen because he is having some vision problems. It was not necessary to mention his cataracts. This is NOT “minimum necessary.”

28. Dealing with PHI: Scenario #2
• Mary has been asked to drive Phil to a shoe store and help him purchase new shoes. Mary’s supervisor tells her to make sure Phil’s new shoes have good arch support because he has heel spurs. Was this situation handled correctly?

29. Dealing with PHI: Scenario #2
• Selecting the proper shoes is a big part of the treatment of heel spurs. Communicating the fact that Phil has heel spurs was for treatment reasons, so the “minimum necessary” rule does not apply. It was appropriate for Mary’s supervisor to mention the heel spurs. It would also be appropriate for Mary to mention it to the store clerk. This is a treatment situation, and “minimum necessary” does not apply.

30. Dealing with PHI: Scenario #3
• A JIRDC advocate is interviewing Mary about a bruise that has appeared on Phil’s arm. Mary answers questions about the bruise, but decides not to tell the advocate about two other bruises on Phil’s leg, since this information does not seem to meet the “minimum necessary” rule. Was this situation handled correctly?

31. Dealing with PHI: Scenario #3
• The advocate’s investigation of possible abuse is a part of Phil’s treatment at JIRDC, and the “minimum necessary” rule does not apply. Mary should have mentioned the leg bruises to the inquiring resident advocate. Advocates have the right to see all information. “Minimum necessary” does not apply.

32. Dealing with PHI: Scenario #4
• Phil’s mother shows up unexpectedly with a copy of JIRDC’s Notice of Privacy Practices in her hand. She wants to examine Phil’s chart. Mary remembers this is a new right, takes her to the chart, and lets her examine it. Was this situation handled correctly?

33. Dealing with PHI: Scenario #4
• Requests to examine records must be handled by the Home Coordinator. Mary should have helped Phil’s mother submit her request to the Home Coordinator in writing (required) and should not have allowed her to examine any records. A guardian must complete a written request to see the record.

34. Dealing with PHI: Scenario #5
• Phil suddenly develops very shallow breathing and is taken to Grace Hospital’s emergency room. Staff take Phil’s resident record with them. The entire record is made available to emergency room physicians as they attempt to determine the cause of Phil’s shallow breathing. Was this situation handled correctly?

35. Dealing with PHI: Scenario #5
• The sharing of Phil’s PHI with the staff at Grace Hospital was for treatment reasons. The “minimum necessary” rule does not apply. This is a treatment situation, and “minimum necessary” does not apply.

36. Rules We Must Follow at JIRDC
JIRDC staff have many rules regarding the handling of PHI. Many of the rules involve how computers are used. ALL of the rules involve common sense.

37. Some Rules We Must Follow
• PHI must be secured when no one is in the area: no open log books.
• No PHI should be viewable in public areas.
• No PHI should be sent in e-mail (except as password-protected attachments).
• No PHI should be left at copy machines, fax machines, or in conference rooms.
• Discarded PHI must be shredded.

38. Computer Rules We Must Follow
• Computer monitors showing PHI must be positioned for privacy.
• Computer passwords must not be shared and must be reasonably “un-guessable.”
• Computer passwords must not be left visible, or hidden where they can be found.
• Computer users must log off the network when leaving computers unattended.

39. More Rules We Must Follow
• If you notice your login name has been changed while you were away from your computer, report it to Computer Services.
• If you see an “intruder lockout” message while logging into the network, report it to Computer Services.
• Pay attention to any unusual login names that show up on your computer. Report what you see to Computer Services.

40. Even More Rules We Must Follow
• We must not discuss a resident within the hearing of other individuals or visitors.
• We must not leave keys unattended.
• When sharing resident health information, we must share the “minimum necessary” (except for treatment reasons).
• JIRDC must sanction staff for violations of the Privacy rules.

41. Security Awareness at JIRDC
All JIRDC staff are responsible for keeping data secure. Computer data should be kept safe by the person who created the disk, CD, or printout. All security incidents must be reported as soon as possible.

42. Security Awareness
• JIRDC data must be kept secure at all times. Staff who use computers and staff who do not use computers are responsible for protecting information.
• Information created on JIRDC computers is considered property of JIRDC and the State of NC, regardless of how the information is stored.

43. Security Awareness Continued
• Computer printouts, floppy disks, or CDs that are found not under the direct observation of a responsible data owner should be picked up by the person who finds them and turned in to their supervisor.

44. Security Awareness Continued
• A security incident is a violation, or imminent threat of violation, of computer security policies. Notify your supervisor or the JIRDC Computer Help Desk as soon as possible if you suspect a security incident has occurred.

45. Workforce Privacy Sanctions
If staff break the rules, there are 3 levels of violations and punishments. The 1st level is “accidental.” The 2nd level is “purposeful.” The 3rd level is “malicious.” Malicious violations are the most serious and can result in loss of jobs and criminal prosecution.

46. Workforce Privacy Sanctions: Accidental Violations
• This violation occurs when an employee unintentionally or carelessly accesses resident information, or reveals it to others, without a legitimate need to know.
• Examples: Discussing a resident in a public area without discretion; sharing your network password.
• Sanctions include verbal counseling and training, or written counseling and training.

47. Workforce Privacy Sanctions: Purposeful Violations
• This violation occurs when an employee accesses or discusses information about a resident for purposes other than the care of the resident or the performance of one’s specific job responsibilities.
• Examples: Using another employee’s login name and password; looking up resident information out of curiosity.
• Sanctions include written counseling and training, or suspension and training.

48. Workforce Privacy Sanctions: Malicious Violations
• This violation occurs when an employee accesses resident information, or reveals it to others, for personal gain or with malicious intent.
• Examples: Destroying or altering data intentionally; releasing information in an attempt to harm a resident or JIRDC.
• Sanctions include written counseling and training, termination, and prosecution.

49. Failure to Comply: Penalties
JIRDC and the employee can be punished for violations. The following fine is for JIRDC:
• $100 per violation per person, up to $25,000 per person per year per standard violated

50. Failure to Comply: Penalties
The remaining fines and jail time apply to the employee:
• Up to $50,000 and 1 year in prison for inappropriate use of PHI
• Up to $100,000 and 5 years in prison for using PHI under false pretenses
• Up to $250,000 and 10 years in prison for intent to sell or use PHI for personal gain or malicious harm