American Behavioral Annual Compliance HIPAA Training: Getting Back to the Basics (2014)
Training Objectives • Review HIPAA Privacy and Security requirements • Review American Behavioral standards and practices developed to comply with HIPAA Privacy and Security requirements • Review your responsibilities for ensuring compliance with Privacy and Security requirements • Review consequences of non-compliance
What is HIPAA? • The Health Insurance Portability and Accountability Act (HIPAA) • Signed into law in 1996 • Privacy Rule (compliance required from 2003) protects health data (referred to as PHI) and gives members certain rights over their health information • Security Rule (compliance required from 2005) protects electronic health data (referred to as e-PHI) • Amended by the HITECH Act of 2009 • Amended by the Omnibus Rule of 2013 to enhance patient privacy protection; compliance was required by 9/23/2013 • New rules and guidance continue to be issued to strengthen the requirements
What is Protected Health Information? (PHI) Protected Health Information is any information, including demographic information, transmitted or maintained in any medium (electronically, on paper, or by spoken word) that is created or received by a health care provider, health plan or health care clearinghouse, that relates to the past, present or future physical or mental health condition of an individual, or to the past, present or future payment for the provision of health care to the individual, and that identifies the individual or could reasonably be used to identify the individual.
PHI Identifiers The following identifiers of an individual or of relatives, employers or household members of the individual are considered PHI: • Names • Geographic subdivisions smaller than a state (street address, city, county, ZIP code) • All elements of dates (except year) directly related to an individual, such as birth date, admission/discharge date and date of death, and all ages over 89 • Telephone numbers • Fax numbers • Email addresses • Social security numbers • Medical record numbers • Health plan ID numbers • Account numbers • Certificate/license numbers • Vehicle identifiers and serial numbers, including license plates • Device identifiers and serial numbers • Web Universal Resource Locators (URLs) • Internet Protocol (IP) address numbers • Biometric identifiers, including finger and voice prints • Full face photographic images and any comparable images • Any other unique identifying numbers, characteristics, or codes
What is Personally Identifiable Information? (PII) Personally Identifiable Information is information that can be used to distinguish or trace an individual's identity (e.g., name, social security number, member number, etc.), alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (e.g., date and place of birth, mother's maiden name, etc.). PII may also be referred to as personally identifiable data or individually identifiable information. NOTE: Although PII alone is not health information, it must be protected the same as PHI. Whenever PHI is referenced in this presentation, the same standard applies to PII!
Types of Data to Protect EVERYTHING! • Written documentation and paper records • Electronic databases and information stored on a computer, laptop, memory card, mobile device, flash drive, etc. • Verbal communication (spoken words, voicemail messages, etc.) • Photographic images
Work-Related Need to Know • PHI is to be accessed for work-related purposes only, meaning those that relate to Treatment, Payment or health care Operations (TPO, defined later in this presentation) • Your access to PHI must be restricted to only the information necessary for you to perform your job • This restriction also protects you: accessing PHI you do not need for your job is a violation even if you never share it further
Minimum Necessary • When HIPAA allows a use or disclosure of PHI, you should use only the minimum PHI necessary to accomplish the purpose of the use or disclosure • Exceptions: • Treatment of the member • Purposes for which a member has signed a HIPAA authorization • Disclosures required by law • When sharing information with the member or his/her legal representative
De-identified Health Data • De-identified health data: • Excludes all 18 elements (the PHI identifiers listed previously in this presentation) • Cannot include any information that can be used, alone or in combination with other information, to identify the member who is the subject of the information • Whenever possible, use de-identified health information instead of PHI. De-identified data is not PHI and is not protected by the Privacy Rule. * Consult the Privacy Officer to ensure data has been sufficiently de-identified when in doubt
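The slide describes the "remove the 18 identifiers" (Safe Harbor) method without showing what stripping them from a free-text note actually involves. The script below is an added example, not American Behavioral's own tooling: it scrubs the identifiers that have a recognizable textual shape (dates reduced to the year, phone and fax numbers, email, SSN, IP addresses, URLs, labelled record and member numbers, ages over 89) and removes a member's name only when the caller supplies it from the structured record. The sample note, the `[KIND]` placeholder tokens and the label list are constructed for illustration. Free-form names, street addresses and biometrics are not caught by regexes, which is exactly why the slide says to consult the Privacy Officer when in doubt.

```python
"""Pattern-based scrub of HIPAA Safe Harbor identifiers in free-text notes.

Added example, not the training deck's tooling. It covers identifiers with a
recognizable textual shape and removes names only when they are supplied from the
structured record; free-form names, addresses and biometrics need another approach.
"""
import re
from typing import Callable, Iterable, List, Tuple

MONTH = (r"(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|June?|July?"
         r"|Aug(?:ust)?|Sep(?:t(?:ember)?)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)")


def _year_only(m: re.Match) -> str:
    # Safe Harbor lets the year of a date stand; everything finer is removed.
    return m.group("year")


def _keep_label(m: re.Match) -> str:
    # Keep the field label (it is not an identifier) and drop the number after it.
    return m.group("label") + " [ID]"


def _cap_age(m: re.Match) -> str:
    # Ages over 89 are themselves an identifier; collapse them into a "90+" bucket.
    return f"{m.group('word')} 90+" if int(m.group("n")) > 89 else m.group(0)


# Order matters: URL, email and IP run first so their digits are not re-matched
# as phone numbers or dates by the later, looser patterns.
RULES: List[Tuple[str, "re.Pattern[str]", Callable[[re.Match], str]]] = [
    ("URL",   re.compile(r"https?://\S+?(?=[.,;:)]*(?:\s|$))"), lambda m: "[URL]"),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), lambda m: "[EMAIL]"),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), lambda m: "[IP]"),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: "[SSN]"),
    ("PHONE", re.compile(r"(?<![\d-])\(?\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}(?!\d)"), lambda m: "[PHONE]"),
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/(?P<year>\d{4})\b"), _year_only),
    ("DATE",  re.compile(r"\b(?P<year>\d{4})-\d{2}-\d{2}\b"), _year_only),
    ("DATE",  re.compile(rf"\b{MONTH}\.?\s+\d{{1,2}},?\s+(?P<year>\d{{4}})\b", re.I), _year_only),
    # Labelled record numbers (MRN, member ID, account/policy/plan number). The label
    # list is an assumption about how this organisation's notes are written.
    ("ID",    re.compile(r"\b(?P<label>MRN|member\s+id|(?:account|policy|plan)\s*(?:#|no\.?|number))"
                         r"\s*:?\s*[A-Z0-9][A-Z0-9-]{3,}\b", re.I), _keep_label),
    ("AGE",   re.compile(r"\b(?P<word>aged?)\s+(?P<n>\d{1,3})\b", re.I), _cap_age),
]


def scrub(text: str, names: Iterable[str] = ()) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (de-identified text, list of (kind, original token) that were removed)."""
    # Names are matched only when supplied from the structured member record; a regex
    # cannot reliably find an arbitrary name in prose.
    name_rules = [("NAME", re.compile(r"\b" + re.escape(n) + r"\b", re.I), lambda m: "[NAME]")
                  for n in names]
    findings: List[Tuple[str, str]] = []
    for kind, pattern, replace in name_rules + RULES:
        def _sub(m: re.Match, kind=kind, replace=replace) -> str:
            new = replace(m)
            if new != m.group(0):          # e.g. "age 62" is left alone and not reported
                findings.append((kind, m.group(0)))
            return new
        text = pattern.sub(_sub, text)
    return text, findings


def has_identifiers(text: str, names: Iterable[str] = ()) -> bool:
    """DLP-style check: True if scrubbing would change anything, i.e. the text still carries PHI."""
    return bool(scrub(text, names)[1])


# Constructed sample intake note; every value is fictitious.
SAMPLE_NOTE = (
    "Member Jane Q. Public (MRN 00457213), DOB 03/14/1919, age 94 at intake, "
    "admitted 2013-08-02 and discharged August 9, 2013. "
    "Contact 817-555-0142 or jane.public@example.com, fax 817.555.0199. "
    "Request received from 203.0.113.42 via https://portal.example.com/claims/7781. "
    "SSN 123-45-6789, Member ID AB-99812."
)

if __name__ == "__main__":
    clean, removed = scrub(SAMPLE_NOTE, names=["Jane Q. Public"])
    print(clean)
    for kind, token in removed:
        print(f"  removed {kind:<6} {token}")
```

Run it on the sample note and the output keeps only the years of the three dates, replaces every other identifier with a placeholder, and reports what was removed, which is the audit trail you want before a de-identified extract leaves the organisation. `has_identifiers` is the same rule set used as a send-time check, for instance on an outgoing email body; anything it flags still needs the PHI handling the rest of this deck describes.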
How and Where is PHI Stored? • Know “how” and “where” you should store PHI • Paper files should be stored in a filing cabinet or secure location when not in use (or at a minimum, turned facedown) • PHI stored in electronic databases, document logs, spreadsheet applications, etc. must be password protected and saved to a secure location, such as a department folder.
System Reminders (Protecting electronic-PHI) • Store important documents in a secure location (such as your user area or in a department folder) • Lock your screen before leaving the room (never leave your computer unlocked when unattended)
Email Reminders • All emails must include confidentiality notice (see next slide for example) • When sending an email, be very careful to choose the correct recipient’s name • Choosing the wrong name could result in a HIPAA breach!
Fax Reminders • Always verify the fax number before dialing • Must use an approved fax cover sheet that includes a confidentiality notice
Storage & Disposal Safeguards • Place all data containing confidential information in the shred bins when no longer needed • Hand shredding is not sufficient
PHI Uses and Disclosures(Member authorization not required) Member authorization not required to disclose PHI to: • Public health and governmental agencies, law enforcement officials and other authorities as required by law (forward these requests to the Privacy Officer for processing) • Comply with legal proceedings, such as a court or administrative order or subpoena, etc.
PHI Uses and Disclosures Member authorization not required to disclose PHI to the: • Member (who is the subject of the PHI) • Member's Power of Attorney (POA) or Legal Guardian (appointed by court order or protective order) • American Behavioral must have proof of the individual's legal authority • The legal document must specifically authorize health disclosures • Parents of a child age 13 or younger who is covered on the same American Behavioral policy • If the child is 14 or older, the child must authorize the disclosure *** ALWAYS ask the individual for at least two forms of ID to validate their identity ***
Emergency Disclosures Member authorization not required to disclose a member’s PHI to the member’s family or friends in emergency situations where the member becomes incapacitated or unable to agree or object • Generally, management should approve emergency disclosures, but use your best judgment – if there is not time for approval, document the situation thoroughly and notify your supervisor afterwards
Long-term Incapacitated Members Member authorization not required to disclose a member's PHI to the member's family or friends when a member becomes incapacitated long-term (or is expected to be incapacitated long-term) • Requires proof of long-term incapacity • Can disclose to the member's spouse or parent, or to an individual over age 19 who is the member's child, brother, sister or next of kin • Requires completion of a Personal Representative Attestation for Long-Term Incapacitated Members
General Plan Information Member authorization not required for disclosure of general plan information publicly available on American Behavioral's website to family members and friends involved in a member's care, such as: • Evidence/Certificate of Coverage • Attachment A (commercial members) • Formulary • Provider/Pharmacy Directory • Other General Plan Information • *It is permissible to release information to a friend or relative if we have obtained a signed Appointment of Representative (AOR) Form
Other Non-PHI Information Member authorization not required when we: • Share other non-PHI information with family members and friends involved in the member’s care • Verify certain information for those involved in the member’s care
PHI Uses and Disclosures For non-emergent situations, we can disclose to the member’s family and friends if the member authorizes the disclosure: • The member can appoint someone as their personal representative. Both the member and the appointed representative must sign the form
PHI Uses and Disclosures For non-emergent situations, we can also disclose PHI to a member’s family or friends through a verbal authorization from the member
PHI Uses and Disclosures • Any other disclosure not listed previously requires the member’s authorization • Examples of disclosures requiring authorization: • Requests from attorneys/law offices • Requests from medical record companies • Requests from medical suppliers/vendors wanting to market their products or services without a treatment referral from a physician • Requests from employers • Plans (self-insured employer groups) may designate specific associates authorized to receive PHI • Fully insured employers should never receive PHI without a member’s authorization
Members’ HIPAA Rights • Right to confidential communications • Right to access their PHI • Right to request we amend our records • Right to an accounting of disclosures we have made concerning their PHI • Right to file a privacy complaint • Right to request a restriction on how we use/share their PHI
HIPAA Breaches • A breach occurs when PHI is “acquired, accessed, used or disclosed” in an unauthorized manner that compromises the security or privacy of the information • Examples: • Accessing PHI without a work-related need to know • Sharing PHI with those who do not need to know • Sending an email/fax containing PHI to the wrong recipient • Loss or theft of records containing PHI
HIPAA Breach Examples • Texas HIPAA Blunder Affects 277k • July 2013 - Texas Health Harris Methodist Fort Worth notified some 277,000 patients that their PHI was compromised after several hospital microfilms, which were supposed to be destroyed, were found in various public locations. • Lesson: Make sure all PHI is disposed of properly! • Advocate Health Slapped with Lawsuit After Massive Data Breach • August 2013 - Advocate Health Care reported what was at the time the second largest HIPAA breach on record: four unencrypted laptops were stolen from its facility, compromising over 4 million patients' information. Advocate has since been hit with a class action lawsuit filed by affected patients. • Lesson: Portable devices must be secured at ALL times (even when not in use) and must be encrypted!
Breach Reporting • Under the Breach Notification Rule (added by the Health Information Technology for Economic and Clinical Health (HITECH) Act), individuals whose PHI is compromised must be notified in writing without unreasonable delay and no later than 60 days after discovery of the breach • All breaches must be reported to HHS: a breach affecting 500 or more individuals must be reported within 60 days of discovery (and, if 500 or more residents of a state or jurisdiction are affected, announced to prominent media outlets); smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered • HHS posts information about breaches affecting 500 or more individuals at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Timely Reporting • It is imperative to report HIPAA incidents immediately
Penalties and Enforcement for Non-Compliance • The Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), enforces tiered civil penalties • Monetary penalties range from $100 per violation up to $1.5 million per calendar year for violations of an identical provision • State attorneys general can pursue civil suits against persons violating HIPAA • The U.S. Department of Justice enforces criminal penalties • Criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA ("wrongful disclosure") range from a fine of up to $50,000 and up to one year in prison, to a fine of up to $250,000 and up to 10 years in prison when the offense is committed with intent to sell the information or for commercial advantage, personal gain or malicious harm NOTE: Penalties and fines apply to associates, not just to covered entities!
Common HIPAA Pitfalls • Sending PHI via unencrypted email • Faxing or emailing PHI to the wrong recipient • Leaving PHI unattended at copiers, on printers and fax machines, in conference rooms, in public locations, etc. • Discussing PHI in common places or with others who do not need to know the information
Final Reminders • Protect PHI the way you would want someone to protect your PHI • Make HIPAA Privacy and Security a priority!
Additional Resources • American Behavioral Resources • American Behavioral's Information Security Handbook (I:\HIPAA\Information Security Handbook_9_2012.pdf) • American Behavioral's Notice of Health Information Practices (available in EOCs, COCs and on American Behavioral's website at http://www.American Behavioralhealth.com/Privacy/Default.aspx) • American Behavioral's Fax Coversheet (I:\HIPAA) • American Behavioral's Appointment of Representative Form (I:\HIPAA) • American Behavioral's HIPAA Policies & Procedures (I:\HIPAA\HIPAA Policies and Procedures) • HHS Resources • HHS HIPAA Q & A's (http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html)