2015 User Conference
HIPAA and Patient Safety: Why It Matters
April 24, 2015 (GEN-AO1)
Presented by:
Susan J. Kressly, MD, FAAP
Medical Director, Office Practicum
General Session
2015 Office Practicum User Conference
Learning Objectives
▪ Understand what HIPAA and Patient Safety have to do with my practice
▪ Identify resources that I can use for my practice
▪ Identify 3 areas where I can improve security and safety for my practice
Disclaimer
HIPAA
▪ HIPAA Privacy Rule
▪ HIPAA Security Rule
▪ HIPAA Breach Notification Rule
▪ Patient Safety Rule
Who does this affect?
▪ ALL medical practices
▪ NOT just those who participate in Meaningful Use or Medical Home
HIPAA Privacy Rule
▪ Major goal: the HIPAA Privacy Rule is intended to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being
▪ Administrative Requirements: a covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
HIPAA Privacy Rule
Let's take a closer look…
HIPAA Privacy Rule
▪ Establishes national standards
▪ Protects individuals' medical records and other personal health information (PHI)
▪ Applies to health plans, healthcare clearinghouses, and health care providers
HIPAA Privacy Mandates Practices
▪ Have in place safeguards to protect the privacy of PHI
▪ Set limits on use and disclosure of PHI without specific patient authorization
▪ Recognize that patients have rights over their PHI, including:
  ▪ A right to examine and receive a copy of their health record
  ▪ A right to request correction of their health record information
Provider Notice of Privacy Policies
▪ Provide notice no later than the first date of service (except in emergencies)
▪ Make a "good faith" effort to obtain written acknowledgement of receipt of the notice, and if unable, document why
▪ Make the most recent notice (one that reflects any changes in policies) available for individuals to request and take with them
Sample/Model HIPAA Privacy Policies
▪ HHS Sample Policies in English & Spanish
▪ HIPAA Resources from AAFP
▪ Kressly Pediatrics HIPAA Policy (feel free to adapt for your practice)
HIPAA Policy Question 1
Q. Do we have to update our HIPAA policy annually?
A. No. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices.
HIPAA Policy Question 2
Q. Do we have to get annual or periodic signatures from patients/families?
A. No. A signature is only needed to acknowledge the original receipt of the HIPAA policy.
HIPAA Policy Question 3
Q. Is our practice required to notify patients via mail or email of any changes to our policy?
A. No. If you make a change to your policy, you must make the new policy available to your patients, post it in a clear & prominent location in your facility, and post it on your website if you have one.
HIPAA Privacy Question 1
Q. Can an 18 year old sister pick up forms or a prescription for her younger brother?
A. Yes. The practice may share relevant information with the family & other persons if it can reasonably infer, based on professional judgment, that the patient does not object.
HIPAA Privacy Question 2
Q. What can I do for other offices/health systems who refuse to send me information without express written consent from the patient?
A. Consider creating a fax form requesting information with HIPAA references at the bottom
HIPAA Security Rule
▪ Goal: The Security Standards for the Protection of Electronic Protected Health Information establish a national set of security standards for protecting certain health information that is held or transferred in electronic form
▪ Administrative Requirements: a covered entity must adopt reasonable & appropriate policies and procedures to comply with the provisions of the Security Rule
HIPAA Security Resources
▪ Information Security Policy Template
▪ Security Audit Template Tool for Small Practices
▪ Cybersecurity Best Practice Checklist
▪ Regional Extension Center Resources
▪ State Medical Society Resources
HIPAA Security Question 1
Q. Must our practice certify our compliance with the standards of the Security Rule?
A. No. There are no standard or certification requirements. An organization can decide whether to use external third parties to perform security assessments, but that does not absolve practices from meeting their legal requirements.
HIPAA Security Question 2
Q. Once we have completed a security risk assessment, are we finished?
A. No. Compliance is not a one-time goal but an ongoing process. In general, this includes performing a risk analysis; implementing reasonable and appropriate security measures; and documenting and maintaining policies, procedures and other required documentation.
HIPAA Security Question 3
Q. Does security only take into consideration our computer access to our EHR?
A. No. Practices should also examine physical security safeguards, such as unlocked back doors, policies regarding access for terminated employees, large monitors visible in a high patient traffic area, etc.
HIPAA Breach Notification Rule
▪ The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates (BA) to provide notification following a breach of unsecured protected health information
▪ Requirements: following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, & in certain circumstances, to the media
Breach Notification Requirements
▪ Individual Notification
  ▪ Must occur within 60 days of discovery of the breach
  ▪ Must occur via first class mail unless there is a prior agreement that the patient accepts email notification
▪ If >500 patients are involved in a state/jurisdiction, the practice is required to provide notice to prominent media outlets serving the area
HIPAA Breach Question 1
Q. Do I have to report all accidental discovery of any PHI to the HHS Secretary?
A. No. However, any impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:
Factors to Consider in Defining “Breach”
▪ The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
▪ The unauthorized person who used the protected health information or to whom the disclosure was made
▪ Whether the protected health information was actually acquired or viewed
▪ The extent to which the risk to the protected health information has been mitigated
HIPAA Breach Question 2
Q. If there were only 3 patients affected in a HIPAA breach in my office, do I still have to report this somewhere?
A. Yes. All breaches are to be submitted to the Secretary of HHS. This can be done annually for breaches affecting < 500 patients, or at the time of occurrence (reporting tool on HHS website)
Patient Safety Rule
▪ The Patient Safety and Quality Improvement Act (PSQIA) establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues
▪ To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information reported to Patient Safety Organizations (PSOs)
HIPAA Enforcement
▪ Enforcement has been transferred to the Office for Civil Rights
▪ Enforces the Privacy & Security Rules in several ways:
  ▪ by investigating complaints filed with it
  ▪ conducting compliance reviews to determine if covered entities are in compliance
  ▪ performing education and outreach to foster compliance with the Rules' requirements
HIPAA
Should You Fear the HIPAA Police?
No Fear Needed
▪ HIPAA is not meant to be punitive
▪ Most investigations lead to continued improvement
▪ Make HIPAA a Continuous Improvement Project in your practice
▪ Work to identify gaps and then address them
▪ Good Overview/Additional Information available at multiple places including Medical Economics
Best Practices
▪ Have a designated HIPAA Privacy & Security Officer with an alternate (in case of vacation)
▪ Commit to ongoing HIPAA education for your office
▪ Maintain a folder of policies, procedures, business associate agreements, potential breach reporting templates, breach notification templates, etc.
▪ Review annually and discuss whether updates are necessary
Questions?
We want your feedback!