What is HIPAA?
Medical Staff Training PMSA
What is HIPAA?
HIPAA is the common term for the Health Insurance Portability and Accountability Act of 1996, introduced as the Kennedy-Kassebaum bill. Title II of HIPAA (Administrative Simplification) required the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions.
Who Does it Affect?
In many ways, it affects everyone.
• On a personal level, as a patient or the family member of a patient
• On a professional level, as someone who works in a medical practice
• The practice you work for must protect patients' rights, and it does this through policies and training
Culture of Accountability
Something all practices should have:
• Accountability is being answerable or responsible for something, in this case HIPAA. In a medical practice, everyone is responsible for protecting the patient's confidentiality.
Why Was It Created?
HIPAA was originally designed to address the portability of health insurance coverage between plans. The Security and Privacy standards were added later, along with provisions addressing inefficiencies in the health care system. With the spread of electronic health records, HIPAA has become a topic every member of the practice staff must understand in order to protect patients' privacy.
Security
The Security standards require that administrative, technical and physical safeguards be put in place to protect patients' health information. HIPAA also requires standards that ease the transfer of information for treatment, payment and operations, so that benefits can be coordinated and patients treated promptly by providers who have access to the pertinent health information.
Privacy
The Privacy standards protect patient privacy by governing the use and disclosure of health information and by giving patients the ability to review their information and request changes to it. Beyond the Privacy standards, HIPAA's Administrative Simplification provisions also call for standards for transactions and code sets, unique health identifiers, and electronic signatures.
What Would You Do?
The new Nurse Practitioner has told the entire practice that HIPAA is not his responsibility. It is the staff’s problem and not to bother him with this training. He knows everything he needs to know, so just don’t bother him with your “silly updates” anymore. If you were the manager, what would you do? If you were the staff, what would you do?
Need to Know
Based on guidance from the Office for Civil Rights of the Department of Health and Human Services (http://www.hhs.gov/ocr/hipaa/), patient data may be shared only on a need-to-know basis, with access limited to those who require the information for their role.
What Information is Protected?
• Conversations the doctor has about care or treatment with nurses and others
• Information about the patient in their health insurer's computer system
• Billing information about the patient at your clinic
Covered Entities
The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is a health care provider, health care clearinghouse, or health plan and that conducts certain transactions electronically.
What is a Health Care Provider Under HIPAA?
• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies
...but only if they transmit any information in electronic form in connection with a transaction for which HHS has adopted a standard.
What Would You Do?
Jennifer loves to take coding work home. It lets her get so much done, and it seems like a great arrangement for everyone concerned: she can stop to take care of things in the other room when she needs to and go back to work when she is finished. That is, until she hears her two kids talking in the room where she left the charts: "I didn't know that David's mother has a drinking problem." What is wrong with this picture? What should be done?
What is a Health Plan Under HIPAA?
This includes: • Health insurance companies • HMOs • Company health plans • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs.
What is a Clearing House under HIPAA?
This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
How Is This Information Protected?
• Covered entities must put in place safeguards to protect health information.
• Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
Covered entities must have contracts in place with their contractors and others ensuring that they use and disclose your health information properly and safeguard it appropriately.
Covered entities must have procedures in place to limit who can view and access health information as well as implement training programs for employees about how to protect health information.
What Rights Does This Law Give Patients?
• Ask to see and get a copy of their health records
• Have corrections added to their health information
• Receive a notice that tells them how their health information may be used and shared
• Decide whether to give permission before their health information is used or shared for certain purposes, such as marketing
• Get a report on when and why their health information was shared for certain purposes
If a patient believes their rights are being denied or their health information is not being protected, they can:
• File a complaint with their provider or health insurer
• File a complaint with the U.S. Government
Patients are encouraged to ask their provider or health insurer questions about their rights, and you will have to be able to answer those questions or find resources that answer them.
What Would You Do?
Mrs. Jones has been a patient at the clinic for years. Over the years, the staff has come to know her neighbor, who often brings her to her appointments and picks up her prescriptions. Mrs. Jones's condition worsens and she passes away. Today a Ms. Brown is at the office requesting a copy of the patient's records; she states that she is the daughter. Can we give the records to her?
Who Can See Medical Records?
• For treatment and care coordination, to ensure good care is given
• To pay doctors and hospitals for your health care and to help run their businesses
• With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
• To protect the public's health, such as by reporting when the flu is in your area
• To make required reports to the police, such as reporting gunshot wounds
• Your health information cannot be used or shared without your written permission unless this law allows it
What Would You Do?
You are prepping an exam room and can hear the doctor in the room next door. You realize the patient is your neighbor, the one you have heard being yelled at and at whose house you have seen the police. You hear the doctor asking about her many bruises, and she tells him that she is just clumsy. What would you do?
What This Means To You
HIPAA is a law, and not only is the practice required by law to protect and secure information, but you are as well, as an individual. Penalties for non-compliance can include fines, jail time, or both. The Federal government can and will pursue you personally if you violate the law. Where staff have been trained and then act on their own (for example, talking about a patient to a friend after training, tossing information that has not been de-identified into the trash, or selling copies for personal gain), the practice may not be liable, but you as a staff member might still be punished.
Roles in a Practice
• There are different roles in a practice, and it is important to know who is responsible for what and how each role affects everyone else. In some cases these roles overlap. Some examples of roles include:
– Designated Security Officer
– Privacy Officer
– System Manager
– Caregiver
– Administrative staff
Things A Practice Must Have
• Privacy Policies and Procedures
• Privacy Personnel
• Workforce Training and Management
• Mitigation Process
• Data Safeguards
• Complaints
• Retaliation and Waiver
• Documentation and Record Retention
Personal Representatives
The Privacy Rule requires a covered entity to treat a "personal representative" the same as the individual, with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule. A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate. The Privacy Rule permits an exception when a covered entity has a reasonable belief that the personal representative may be abusing or neglecting the individual, or that treating the person as the personal representative could otherwise endanger the individual.
Minors
In most cases, a parent or guardian is the personal representative of a minor patient. State law often determines how issues involving minors are handled.
What Would You Do?
You watched a fellow employee fax a male patient's file to the patient's cousin, who works for the OB/GYN down the hall. This patient would have no reason to be seen at that practice, but your co-worker wants her friend to see what is in her cousin's file. Is a cousin a Personal Representative in this case? What would you do? Whom would you report this to, and what steps should they take? How would your practice handle this problem?
What is a Business Associate?
In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
What Would You Do?
You open the newspaper and the headline reads that one of your business associates' offices was broken into last night. The damage and losses appear to be high. Computers were stolen, and file cabinets were opened and their contents strewn throughout the facility. At this time there are no suspects, but the break-in is under investigation. What should be done?
What Is Protected?
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
De-Identified Health Information
• What if the records are being used for training, marketing or other uses?
De-identify them!
– De-identified health information neither identifies nor provides a reasonable basis to identify an individual.
How Is This Done?
• There are two ways: (1) a formal determination by a qualified statistician that the risk of re-identification is very small; or (2) removal of the specified identifiers of the individual and of the individual's relatives, household members, and employers. The second method is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
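To make the second method concrete, here is an added example written for this page; it is not code from the original training deck or from HHS. It applies the identifier-removal approach to a constructed chart record: direct identifiers are dropped, dates keep only their year, ages over 89 are collapsed, and ZIP codes are reduced to three digits (or 000 for sparsely populated areas). The record layout, field names and sample data are assumptions made for the example; the identifier categories follow 45 CFR 164.514(b)(2), and the set of sparsely populated ZIP prefixes is the one HHS guidance listed from the 2000 Census, which should be checked against current figures before use. The free-text note shows the limit of the method: pattern-shaped identifiers can be masked, but a patient's name in a narrative survives, which is exactly where the "no actual knowledge" condition bites.

```python
"""Safe Harbor de-identification of a patient record (added example).

Applies the identifier-removal method in 45 CFR 164.514(b)(2): drop the
listed identifier categories, keep only the year of dates, collapse ages
over 89, and reduce ZIP codes to three digits (000 for sparse areas).
The record layout, field names and sample data are assumptions.
"""
import re
from datetime import date

# Fields assumed to hold direct identifiers; they are removed outright.
DROP_FIELDS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Three-digit ZIP prefixes covering fewer than 20,000 people become 000.
# This is the set HHS guidance listed from the 2000 Census; verify it
# against current Census data before relying on it.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
              "821", "823", "830", "831", "878", "879", "884", "890", "893"}

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Pattern-shaped identifiers that commonly leak into free-text notes.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the area is too sparsely populated."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def years_between(dob: date, as_of: date) -> int:
    """Whole years from dob to as_of (the patient's age on that date)."""
    age = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        age -= 1
    return age


def scrub_free_text(text: str) -> str:
    """Mask pattern-shaped identifiers; names and other context survive."""
    for pattern, token in TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor-style copy of record; the input is not modified."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif key == "dob":
            dob = date.fromisoformat(value)
            if years_between(dob, as_of) > 89:
                # Ages over 89, and the birth year that reveals them, are collapsed.
                out["age_category"] = "90+"
            else:
                out["birth_year"] = dob.year
        elif isinstance(value, str) and ISO_DATE.match(value):
            out[key] = value[:4]  # other dates keep only the year
        elif key == "note":
            out["note"] = scrub_free_text(value)
            # Narrative text can still name the patient; Safe Harbor holds only
            # if the entity has no actual knowledge the remainder identifies them.
            out["note_requires_review"] = True
        else:
            out[key] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0048213",
    "name": "Jane Q. Sample",
    "dob": "1917-04-15",
    "street": "12 Elm St",
    "city": "Springfield",
    "state": "MA",
    "zip": "03601",
    "phone": "413-555-0100",
    "visit_date": "2009-03-02",
    "diagnosis": "Hypertension",
    "note": "Pt Jane Sample (SSN 123-45-6789) called from 413-555-0100 "
            "on 03/02/2009; portal: http://example.org/p",
}


def deidentify_sample(as_of_iso: str = "2009-06-01", **overrides) -> dict:
    """Run deidentify() on the sample record, with optional field overrides."""
    return deidentify(dict(SAMPLE_RECORD, **overrides), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for k, v in deidentify_sample().items():
        print(f"{k}: {v}")
```

Running the block prints the de-identified record: no name, MRN or phone, `zip3: 000`, `age_category: 90+` with no birth year, `visit_date: 2009`, and a note with the SSN, phone, date and URL masked but the flag `note_requires_review` set, because "Jane Sample" is still in the narrative and must be caught by a person.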
What Would You Do?
One of the providers makes notes about patients on little pieces of paper while on the phone, then uses the notes to update the patients' charts. No one noticed that the doctor threw the papers into the trash. One of the patients works for the trash company, noticed the slips of paper, and called a local news station. The station sent someone out to go through the trash and then put the information on the news. Could this have been avoided? How?
Permitted Uses and Disclosures
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
Authorized Uses and Disclosures
A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.
Authorization Requests
Check with your practice on their policy. Sometimes state laws and certain circumstances may affect these rules.
Limit Disclosures
HIPAA requires that PHI be communicated on a Need to Know and Minimum Necessary basis to protect the patient’s health information. Instead of the entire chart being sent to another entity only requested information that is part of the treatment, payment, or for organizational administration should be given.
What Would You Do?
One of your patients is being seen at a local workers' compensation clinic, and the clinic has requested the patient's entire file. What should be released? What if the patient did not provide you with a release? How does your practice handle these requests?
Disclosure Requests
Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limit the protected health information disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure.
What Would You Do?
A law enforcement officer presents himself at the practice. He has learned that in the past you treated someone he is investigating. The officer provides the person's name and asks whether the patient has any identifying marks. What now?
The Patient Safety Act
This establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of medical errors, the Patient Safety Act provides Federal privilege and confidentiality protections for patient safety information called patient safety work product. Patient safety work product includes information collected and created during the reporting and analysis of patient safety events.
The Patient Safety Act
Authorizes HHS to impose civil money penalties for violations of patient safety confidentiality. The Patient Safety Act also authorizes the Agency for Healthcare Research and Quality (AHRQ) to list patient safety organizations (PSOs). PSOs are the external experts that collect and review patient safety information.
Enforcement
Enforcement of the confidentiality of patient safety work product is crucial to maintaining an environment for providers to discuss and analyze patient safety events, identify causes and improve future outcomes.
OCR Enforces Confidentiality Protections
The Patient Safety Rule implements select provisions of the Patient Safety Act. Subpart C of the Patient Safety Rule establishes the confidentiality provisions and disclosure permissions for patient safety work product and the enforcement procedures for violations of confidentiality pursuant to section 922 of the statute.
What Would You Do?
The manager has given notice that today is his last day. You notice that he has gone into the chart room and is now carrying a box of stuff out of the room. What should you do?
State Laws
In general, State laws that are contrary to the Privacy Rule are preempted by the federal requirements, which means that the federal requirements apply. However, State laws that are more stringent than the federal rule are not preempted and must be followed. Look for all laws and regulations that could apply to you and the practice.
So What If The Rules aren’t Followed?
Compliance
Consistent with the principles for achieving compliance provided in the Rule, HHS will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Rule. The Rule provides processes for persons to file complaints with HHS, describes the responsibilities of covered entities to provide records and compliance reports and to cooperate with, and permit access to information for, investigations and compliance reviews. Smooth and easy sailing isn’t it?
Civil Money Penalties
HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year. HHS may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation. Note that these are the amounts in the original Privacy Rule; the HITECH Act of 2009 replaced them with a tiered schedule carrying much higher maximums, so check the current figures.
Criminal Penalties
A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions are enforced by the Department of Justice.
In other words….
You could personally be held responsible for a violation!
Privacy and Security Threats
• Threats can come in many forms. Just a few:
– Human
– Natural Disaster
– Technology
Technology threats include:
• Viruses
• Time bombs
• Logic bombs
• Trojan horses
• Faulty equipment
Source of Threats
Sources of threats can be hard to identify at times and can come from a variety of areas. A few include:
• Current and former employees, both full-time and temporary, or contracted vendors
• Natural disasters
• Private investigators and freelance organizations that are paid for finding errors
• Law enforcement and governmental agencies
• Computer hackers
• Faulty construction or equipment, such as defective hardware, cabling or communication systems
• Commercial or political espionage
• Organized crime (blackmail, extortion)
Data classification
Data classification is important so that information is protected at a level matching the sensitivity of the data it contains. The more sensitive the data, the tighter the controls.
What Would You Do?
Candy finds herself in the manager’s office being asked why a pornographic e-mail was sent from her computer. The printout shows that it was from Candy’s e-mail and shows that it was at 12:10. Candy says that it would have been at lunch. Would Candy still be in trouble? She then remembered that she had been sharing her password with other staff, was this alright? Is there still a problem?
Destruction of Records
• This is an area that can cause the largest concern for practices. It is easy to just toss a message into the trash, but does it have patient information on it? Did the patient leave their name, date of birth and other details for you to call back? If so, the message must be disposed of properly and not tossed into the trash where someone can find it.
• Printed records can be destroyed by burning or shredding, either by staff or by a bonded service. Electronic records must also be disposed of properly. Many practices have sold or thrown out old computers without using a file eradication tool to ensure that all records had been removed, only to find themselves in trouble later on. This is easily avoided.
What Would You Do?
The office got a new computer and put the old one out for trash pick-up. Later it was discovered that someone had picked up the computer, recovered patient information including dates of birth and Social Security numbers, and sold it on the internet. What should have been done?
Things for Staff To Consider
Overheard conversations are always a problem in healthcare. When you speak to a patient or other staff member, can anyone hear you? Do you need to speak softer or move the conversation to somewhere more private?
When on the phone
• If you are calling patients and other patients might overhear personal information about the patient you are calling, consider moving before making calls.
• Are you sure that the person on the phone is entitled to the information? Is it the patient on the phone or a family member? Do you have the patient's permission to speak to this person?
• Is this highly personal material? Is this PHI (protected health information) of a confidential nature, such as a communicable disease, mental illness, disability, or anything related to abuse or addiction? If so, take extra precautions when discussing it.
What Would You Do?
The manager calls you and another staff member into the office after you return from lunch together. You are told that someone overheard you discussing a patient. What should be done? How could this have been avoided?
Things that could change
• HIPAA updates
• Red Flag Rule
• State Laws
***Check for updates frequently***
Upcoming Updates
In 2009 updates to HIPAA and Red Flag may require new policies to be put into place in the practice.
Places to check for updates
Possible resources for update information:
• http://www.hhs.gov/ocr/hipaa/
• http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
• http://www.aad.org/pm/_doc/FTCRedFlagsRulesFactSheet.pdf
• Also consider your specialty medical association for resources and information.
What Would You Do?
• Did you have any problems with the questions? • If so, consider going over your practice policies, holding a group discussion and speaking to management. • You can also find answers at:
U.S. Department of Health & Human Services http://www.hhs.gov/ocr/hipaa/
Sources
• American Academy of Family Physicians, http://www.aafp.org
• Centers for Medicare & Medicaid Services, Security Education Materials, http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp
• Indian Health Service, http://www.ihs.gov/AdminMngrResources/PrivacyAct/index.cfm?module=pao_medrec_qa#20
• Medical Group Management Association, http://www.mgma.com
• PMSA, http://www.thepmsa.com
• U.S. Department of Health & Human Services, http://www.hhs.gov/ocr/hipaa/
The End!