Goals of Training
• To increase your knowledge and understanding of what protected health information (PHI) is in this facility, and what threats may exist to its privacy and its security
• To enhance your awareness of your role in helping this facility follow HIPAA rules
• To provide information about whom you can go to with questions about privacy and about security
• To inform you about your reporting responsibilities when HIPAA violations occur
• To alert you to the possible penalties for violation of HIPAA law, for both you and this facility
• To protect the confidentiality of our consumers' Protected Health Information (PHI) in support of one of our values: dignity, self-worth and individual rights. It's the right thing to do!
• To understand that this same law also protects you as a consumer of health care.
NC DMH Privacy Training
Privacy Regulations: implementation date April 2003
Security Regulations: implementation date to be announced
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996, a Federal law
• Portability
• Administrative Simplification
• Data Standardization
• Security
• Privacy
What is HIPAA?
• Portability: protects and guarantees health insurance coverage when an employee changes jobs
• Accountability: protects health data integrity, confidentiality and availability
• Reduces fraud and abuse
• Makes fraud prosecution easier (Medicare/Medicaid)
• Reduces paperwork
What is HIPAA?
• Data Standardization
• Establishes national standards for electronic data transmission and portability: transactions (enrollment, eligibility, claims, payment and others), code sets and identifiers
• Establishes standards for protection of health information
• Privacy (operational, consumer control, administration)
• Security (administrative, physical, technical, network)
WHY COMPLY WITH HIPAA?
• Avoid denied and/or delayed reimbursements
• DHHS agencies process claims bringing in more than $550 million in receipts annually
• Annual Medicaid disbursements total more than $4.6 billion
• Non-compliance may risk accreditation (e.g. by the Joint Commission on Accreditation of Healthcare Organizations)
• Public relations and business risk issues
• Benefit from long-term healthcare cost reductions
• Severe penalties are imposed for non-compliance
DEFINITION: PRIVACY
• Privacy is the right of an individual to keep his/her individual health information from being disclosed.
HIPAA KEY TERMS as they relate to privacy of Protected Health Information (PHI)
• Privacy
• Use
• Disclose
• Authorization
• PHI
• Minimum Necessary
HIPAA KEY TERMS Defined
• Use: with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. (See also Part II, 45 CFR 164.501.)
• Disclose: release or divulgence of information by an entity to persons or organizations outside of that entity. (See also Part II, 45 CFR 164.501.)
• Authorization: the mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment or health care operations. For example, Protected Health Information (PHI) released for a Special Olympics activity.
• PHI (Protected Health Information): all individually identifiable health information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc.).
• Minimum Necessary: when using any PHI, a covered entity must generally make reasonable efforts to limit itself to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request".
Privacy: Why the concern?
HIPAA Enforcement
• CIVIL PENALTIES for failure to comply
• $100 fine per person per violation
• $25,000 fine per year for multiple violations
• $25,000 fine cap per year per requirement
• You can be personally liable!
HIPAA Enforcement
• CRIMINAL PENALTIES for failure to comply
• Knowingly or wrongfully disclosing or receiving PHI: $50,000 fine and/or one year prison time
• Committing the offense under false pretenses: $100,000 fine and/or five years prison time
• Intent to sell PHI or client lists for personal gain or malicious harm: $250,000 fine and/or ten years prison time
• Again, you can be personally liable!
HIPAA Enforcement Continued
• These penalties apply to oral, paper and electronic Protected Health Information (PHI).
HIPAA Requires DMH to…
• Establish or appoint:
• Policies and procedures to safeguard PHI
• Privacy Officer
• Security Officer (the Privacy Officer and the Security Officer work with each facility's HIPAA core team)
• Disciplinary actions policy
• Provide HIPAA training to the workforce, as necessary and appropriate, on privacy policies and procedures
What is PHI?
• Protected Health Information: all individually identifiable health information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc.)
Where do we find PHI? (Your List)
• 1.
• 2.
• 3.
• 4.
• 5.
• 6.
• 7.
Where do we find PHI?
• Medical records and billing records
• Insurance/benefit enrollment and payment
• Claims adjudication
• Case or medical management records
(Note: it exists both on paper and electronically.)
Examples of PHI (Your List)
• 1. Name
• 2.
• 3.
• 4.
• 5.
• 6.
• 7.
• 8.
• 9.
Examples of PHI
• Names
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code…
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death…
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security Numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images…
• Any other unique identifying number, characteristic…
HIPAA Requires DMH to…
• Identify PHI uses and disclosures
• WHO: people who routinely use or disclose (or receive requests to) PHI in our institutions/facilities
• WHAT: individually identifiable health information
• HOW: written, oral, electronic communication
• HOW MUCH: minimum necessary to accomplish the purpose
PHI Does Not Include…
• Education records
• Workers' compensation records
• Health information in your personnel record
• Psychotherapy notes (treatment/counseling by mental health professionals), kept separate from the medical record, usually in a clinician's own file, and not made part of the individual's medical record
Psychotherapy Notes ARE NOT
• The following are not considered psychotherapy notes and therefore are PHI:
• Medication prescription and monitoring
• Counseling session start and stop times, the modalities and frequencies of treatment furnished
• Clinical test results
• Any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date
WHO IS AFFECTED?
• Employees who handle/use/know individuals' Protected Health Information (PHI)
• Health care providers (health departments, hospitals, doctors' offices, any agency that transmits PHI electronically)
• Health plans that provide or pay the cost of medical care (e.g., Medicaid, Medicare, Champus, BC/BS, HMOs)
• Trading partners: electronically exchange Protected Health Information
• Business associates: perform services "on your behalf"
• HIPAA also applies to you as a consumer of healthcare!
Case Scenario Presentations
• How would we handle the following situations?
Challenge for DMH
• If you do NOT know what or where PHI is, and who uses or asks for it, you will be hard pressed to protect it.
How Do Individual Staff Protect PHI? (Your List)
• 1.
• 2.
• 3.
• 4.
• 5.
• 6.
• 7.
How Individual Staff Protect PHI
• Close doors or draw privacy curtains/screens
• Conduct discussions so that others cannot overhear them
• Don't leave medical records where others can see or access them
• Keep medical test results private
• PHI should NOT be shared or viewable in public areas
• Don't leave copies of PHI at copy machines, printers, or fax machines
• Don't leave PHI exposed in mail boxes or conference rooms
• Don't share computer passwords or leave them visible
• Don't leave computer files open when leaving an unlocked or shared work area
• Secure PHI when no one is in the area; lock file cabinets and office doors
• Safeguard PHI when records are in your possession
• Return medical records to the appropriate location
• Dispose of paper containing PHI properly
• Fax only in accordance with Center policy
How Individual Staff Protect PHI: Don't…
• Email individuals' identifiable information (first name, last initial OK)
• Leave PHI in any public wall file trays unless enclosed in an interoffice envelope
• Discuss an individual in front of other individuals or visitors
• Leave diskette boxes containing PHI in unlocked areas
• Leave PHI for shredding in an unlocked/undesignated area
• Place individuals' full names on desk blotters
• Leave Rolodex files containing PHI accessible
• Leave individual/employee PHI lists publicly posted
• Leave records open and unattended
• Bring personal computers for use at a Health Center
• Leave Center keys unattended
• WHETHER A HEALTH or FINANCIAL INTERVIEW, OBSERVE THESE GUIDELINES!
"Need to Know" Principles
• Necessary for your job
• How much do you need to know?
• How much do other people need to know?
How Does "Need to Know" Translate into HIPAA?
• HIPAA's Minimum Necessary rules: provide only PHI in the minimum necessary amount to accomplish the purpose for which the use or disclosure is sought
• Minimum necessary does not apply when the patient provides a valid, signed authorization for release of PHI
• De-identified information: PHI with all HIPAA identifiers removed
• Exceptions:
• Disclosure to a health care provider for treatment
• Permissible uses or disclosures made by the patient
• Uses or disclosures made based on the patient's signed authorization
• Uses or disclosures required for HIPAA compliance
• Use for legal proceedings, law enforcement, etc.
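The de-identification described here and in the Examples of PHI list (remove every listed identifier, keep only the year of a date), as an added example that is not part of the training deck: a Python routine that drops identifier fields from a case record, reduces dates to the year, redacts identifier values that were copied into narrative text, and then runs a verification pass for anything still identifier-shaped. The field names, the sample record and the detection patterns are constructed assumptions, not DMH data or policy.

```python
import re

# Constructed sample case-management record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": "123 Main St, Raleigh, Wake County, NC 27601",
    "birth_date": "1975-03-14",
    "admission_date": "2003-04-15",
    "phone": "919-555-0100",
    "email": "jane.sample@example.org",
    "ssn": "123-45-6789",
    "mrn": "MRN-0045721",
    "ip_address": "192.0.2.44",
    "diagnosis": "Major depressive disorder, recurrent",
    "notes": "Client Jane Q. Sample reports improved sleep; follow-up 2003-05-01.",
}
# Hypothetical field names. Fields whose whole value is a listed identifier are dropped.
DIRECT_ID_FIELDS = {"name", "address", "phone", "email", "ssn", "mrn", "ip_address"}
# Date fields keep the year only ("all elements of dates (except year)").
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
# Shapes of identifiers that tend to leak into narrative text; used by the check.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": ISO_DATE,
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

def deidentify(record):
    """Copy of record with identifier fields removed and dates reduced to the year."""
    direct_values = [record[f] for f in DIRECT_ID_FIELDS if record.get(f)]
    clean = {}
    for field, value in record.items():
        if field in DIRECT_ID_FIELDS:
            continue
        text = ISO_DATE.sub(r"\1", value)  # 2003-05-01 -> 2003, in any field
        if field not in DATE_FIELDS:
            # Identifier values pasted into free text are redacted as well.
            for ident in direct_values:
                text = text.replace(ident, "[REDACTED]")
        clean[field] = text
    return clean

def residual_identifiers(record):
    """Verification pass: (field, pattern) pairs whose value still looks like an identifier."""
    return [(field, name) for field, value in record.items()
            for name, pattern in RESIDUAL_PATTERNS.items() if pattern.search(value)]
```

The verification pass is the part worth keeping even if the field list changes: a record should only leave as "de-identified" when `residual_identifiers` returns an empty list.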
HIPAA Requires…
• Notice of Privacy Practices
• Purpose: to provide the consumer with adequate notice of uses or disclosures of PHI
• Must be written in plain language
• Must be provided at the time of first service or assessment for eligibility
• Must provide Privacy Officer contact information
HIPAA Consumer Protections
• Amendment
• Consumers may request to amend PHI in medical records
• That request may be referred to the facility Privacy Official
• The DMH facility may either grant OR deny the request
HIPAA Consumer Protections
• Restrictions
• Consumers may request that the facility restrict how it uses/discloses their PHI
• The facility is NOT required to accept the request
• If the restriction is accepted, then follow it
• Don't deviate or depart from that restriction!
HIPAA Consumer Protections
• Access
• Consumers can access PHI: inspect and copy
• Requests for access MUST be in writing
• The facility must respond to the request within 60 days
• The facility may recover a cost-based fee for copying, explanation, or summary of records
• If access is denied, the reason for that denial determines whether the consumer can appeal
• The consumer must appeal to the facility Privacy Official
HIPAA Consumer Protections
• Accounting of Disclosures
• Consumers have a right to an accounting of disclosures
• Time frame: 6-year period
• Clock starts: April 14, 2003
• Applies to both written and oral disclosures
• Specific to the times, places, recipients and content of disclosures
HIPAA Consumer Protections
• Verification
• The facility must verify that the person or agency requesting the PHI is who they say they are
• The facility must document the verification
HIPAA Consumer Protections
• Complaint Procedure
• A HIPAA requirement
• Allows a consumer to file a complaint if they believe we have improperly used or disclosed their PHI
HIPAA PHI Protections
• Staff Access to PHI
• Purpose: to guide staff in keeping PHI confidential
• Inappropriate access/use/disclosure of consumer PHI results in disciplinary action and possibly other penalties
HIPAA Disclosure Protections
• Authorization
• Required to disclose PHI to a person or agency outside the facility
• Must be specific: what PHI is to be shared, with whom, and for what purpose
• May be revoked
When No Authorization Is Needed…
• Key examples:
• Child abuse/neglect reports
• Judicial/administrative proceedings
• Law enforcement
• To avert a serious threat to health or safety
• Audits: management and financial
• When required by US DHHS
• Program monitoring and evaluation
• Certification of facilities and individuals
WHAT ELSE DOES HIPAA REQUIRE? PRIVACY REGULATIONS RELATING TO RESEARCH, MARKETING, FUND RAISING
• For research, marketing and fund raising purposes, all PHI must be de-identified information (PHI with all HIPAA identifiers removed)
• HIPAA still allows research to be conducted
• Proper authorizations must be in place
What Else Does HIPAA Require?
• Preemption of state law
• The Privacy Rule overrides any other state law unless that state law provides more protection for the consumer
WAIVER OF RIGHTS
• Waiver: covered entities may not require individuals to waive their rights as a condition of:
• Treatment
• Payment
• Enrollment
• Eligibility
REFRAIN FROM INTIMIDATING OR RETALIATORY ACTS
• Protection for individuals exercising their rights, and for whistleblowers:
• Covered entities may not
• Intimidate
• Threaten
• Coerce
• Discriminate against
• Take any other retaliatory action
QUESTIONS? Privacy
• If you are ever in doubt, always ask your Privacy Officer or their designee!
• Remember, that person is your first line of response to privacy questions.
Key Things to Remember about Privacy
• We must safeguard consumer records
• Share only the information necessary to do the work
• Consumers have the right to ask about use and disclosure of PHI
• DMH has policies on HIPAA, and you need to know them and follow them
PRIVACY vs. SECURITY
• Privacy is the right of an individual to keep his/her individual health information from being disclosed.
• Security is how we protect PHI from accidental or intentional disclosure, alteration, destruction or loss.
SAFEGUARDS
• NCSCC must have appropriate safeguards in place:
• Administrative
• Technical
• Physical
• Exceptions for preemption of state laws as agreed to by the US DHHS Secretary:
• More stringent
• Public health investigation/intervention
• Audits: management and financial
• Program monitoring and evaluation
• Certification of facilities and individuals
Required Training Topics
• Security issues that impact privacy
• General security awareness
• System access
• Password management
Purpose of Security
• To protect the system and information from unauthorized access
• To protect the system and information from unauthorized use