FCSRMC – HIPAA PRIVACY & SECURITY PRESENTATION
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.
What is HIPAA?
HIPAA stands for: Health Insurance Portability and Accountability Act (HIPAA)
August 1996: Federal law enacted
April 2001: Privacy Rule
April 2005: Security Rule
February 2010: HITECH Act
March 2013: HIPAA Omnibus (Final) Rule
HIPAA Privacy Rule
HIPAA’s Privacy Rule:
Addresses the use and disclosure of an individual’s health information regardless of how it is communicated (electronically, verbally, or written).
Establishes standards for an individual to understand and control how their health information is used.
Assures that health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.
Covered Entity (CE)
A Covered Entity includes a health plan or payor, a healthcare clearinghouse, and all healthcare providers who transmit any healthcare information in electronic form (including telephones, fax machines and computers).
Examples:
• Physician Practices
• Dentists
• Hospitals
• Diagnostic Services (lab, radiology)
• Nursing Homes
• Pharmacies
• Home Health Agencies
• Health Plans
Covered Entity (CE)
FCSRMC is considered a Covered Entity (Group Health Plan) and its member colleges act as the plan sponsor.
A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA.
This may include:
• hospital and medical benefit plans
• dental plans
• vision plans
• health flexible spending accounts
• employee assistance plans
Business Associate
A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity.
Examples include vendors, contractors and subcontractors such as:
● Billing Company
● Attorney
● Transcription Service
● Accountant
● Practice Management System
● Consultant
● Document Storage Company
● EMR/EHR System
● Collection Agency
● I.T. Vendor
Business Associates are accountable for protecting the privacy/security of PHI and are directly liable for criminal and civil penalties for violations.
Protected Health Information (PHI)
Protected Health Information (PHI) is:
* individually identifiable health information that has been transmitted or maintained in any medium (paper, verbal, electronic).
* created or received by the organization, relates to the health of an individual or payment for health services, and identifies the individual.
Identifiers:
• Employee Name
• Complete Address
• All Elements of Dates
• Telephone Numbers
• Fax Numbers
• E-Mail Address
• Social Security Number
• Medical Record Number
• Certificate/License Number
• Vehicle Identifiers (License Plate Number)
• IP Address
• Biometric Identifiers (voice and fingerprint)
• Full Face Photographic Images
• Any Other Unique Identifying Number/Code
• Health Plan Beneficiary Number
• Account Numbers
De-Identified Health Information
De-identified health information refers to information that cannot be used to identify an individual. Examples include information that has been redacted from documents containing health information, or reports that do not identify a specific individual.
Uses:
• Research (market analysis)
• Financial Reports
• Statistical Reports
• Demographic Studies
• Reports for Public Health Purposes
• Quality Improvement Activities
• Health Care Operations
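The PHI slide lists the identifiers that make health information identifiable, and the slide above describes de-identification as redaction. The Python script below is an added example, not part of the FCSRMC/BDO presentation: it scrubs the identifiers from that list that have a recognizable shape (Social Security Number, telephone and fax numbers, e-mail address, IP address, medical record number) from a constructed sample record, keeps only the year of each date, removes names supplied in an explicit list, and exposes a contains_phi() check that a report can be gated on before it is released as "de-identified". The sample record, the "MRN nnnnnnnn" format and the redaction labels are assumptions made for the demo.

```python
import re

# Constructed sample record for the demo; not real data.
SAMPLE_RECORD = (
    "Employee: Jane Doe, DOB 03/14/1982, SSN 123-45-6789, "
    "phone (904) 555-0123, fax 904-555-0199, email j.doe@example.org, "
    "MRN 00123456, last accessed from 192.0.2.44 on 06/02/2017. "
    "Dx: hypertension; claim paid 2017."
)

# Identifiers from the slide that have a fixed syntactic shape. Names,
# street addresses and "any other unique code" have no fixed shape and need
# a dictionary or NLP pass; names are handled here by an explicit list.
# The MRN format (assumed) is "MRN " followed by six or more digits.
PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("MRN",   re.compile(r"(?<=MRN )\d{6,}\b")),
]
# "All elements of dates" must go, but the year alone may remain, so the
# month and day are dropped and the year is kept.
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")


def deidentify(text, known_names=()):
    """Redact identifiers; return (redacted_text, {label: number_of_hits})."""
    counts = {}
    for name in known_names:
        text, n = re.subn(re.escape(name), "[NAME REDACTED]", text)
        counts["NAME"] = counts.get("NAME", 0) + n
    text, counts["DATE"] = DATE_RE.subn(r"[DATE \1]", text)
    for label, rx in PATTERNS:
        text, counts[label] = rx.subn(f"[{label} REDACTED]", text)
    return text, counts


def contains_phi(text):
    """Labels of identifier patterns still present; use as a release gate."""
    found = [label for label, rx in PATTERNS if rx.search(text)]
    if DATE_RE.search(text):
        found.append("DATE")
    return found


if __name__ == "__main__":
    redacted, counts = deidentify(SAMPLE_RECORD, known_names=("Jane Doe",))
    print(redacted)
    print(counts)
    print("still contains PHI:", contains_phi(redacted))
```

Pattern matching only covers identifiers with a shape; a record can still be identifiable through free text (an unusual diagnosis plus a small department, for instance), so an empty contains_phi() result means "nothing obvious remains", not "de-identified", and a human review step belongs before any report leaves the facility.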
Notice of Privacy Practices
The Covered Entity must provide a Notice of Privacy Practices to each individual. It is brief, written in plain language, and includes:
a description of the types of uses and disclosures that the Covered Entity is permitted to make for treatment, payment and healthcare operations.
a description of other purposes for which the Covered Entity is permitted or required to disclose PHI without the individual’s written authorization.
a description of the types of uses and disclosures that require an authorization.
a statement outlining the Covered Entity’s duties to maintain the privacy of PHI.
a statement that individuals may complain to the covered entity if they believe their privacy rights have been violated.
The Privacy Notice is provided by the Group’s Health Plan TPA (Florida Blue) to the Group Health Plan participants (FCSRMC).
Notice of Privacy Practices
FCSRMC and its member colleges have adopted a HIPAA Privacy Policy Statement. The Privacy Policy should be reviewed with new staff at the time of new hire orientation. Employees should sign the acknowledgement form indicating they have received and have had an opportunity to read the HIPAA Privacy Policy.
Consent and Authorization
Covered Entities cannot share PHI without the individual's awareness of their privacy rights.
To use and disclose PHI for purposes other than treatment, payment and health operation purposes, Covered Entities must obtain a standard consent or authorization with a few exceptions.
Consent can be revoked by an employee/individual (patient) in writing.
It is the policy of FCSRMC and its member colleges that individuals have a right to request that no disclosure be made of PHI. FCSRMC or its member colleges are not obligated to grant the request.
When Consent and Authorization is NOT Required
Permitted PHI disclosures without an authorization:
Treatment - Disclosures between Covered Entities (such as other healthcare providers) involved in the patient care, information to/from pharmacy or diagnostic center
Payment – Disclosure regarding balance to patient, all information needed by the health plan, information to collection agencies
Health Operations – Fraud/abuse detection, compliance programs, government inspections, training new employees, competency assessments, business management activities, quality improvement activities
• Public health activities
• Victims of abuse, neglect or domestic violence
• Law enforcement purposes
• To comply with Workers’ Compensation
• To avoid serious threat to health or safety
When Consent and Authorization IS Required
An authorization is required for:
o Use and disclose PHI for purposes other than treatment, payment and health operation purposes
o Releasing psychotherapy notes
o Marketing, research, sale of PHI, and fundraising
o Releasing PHI to the patient’s employer
An authorization must include:
o Description of the information to be disclosed
o Names of persons to whom the information is to be given
o Purpose of the disclosure
o An expiration date for the use of the information
Individual’s Rights
Right to Restrict Disclosures
Right of Access
Right to Amendment
Right to Accounting Disclosures
Requests for the above should be directed to, and processed by, the Group’s Health Plan TPA.
Individual’s Rights
Staff can file a written complaint if they believe their privacy has been violated. Complaints should be directed to the college’s privacy contact, and any intimidating or retaliatory acts are prohibited.
It is important for staff to know that their PHI is safeguarded from any intentional or unintentional use or disclosure that violates the HIPAA Privacy Rule.
“Minimum Necessary”
“Minimum Necessary” is limiting the amount of PHI that is used (within the facility) or disclosed (outside of the facility) to the least amount of information possible to accomplish the intended purpose.
Your facility should evaluate who should be accessing PHI (documented in job descriptions).
Only staff who need access to PHI to perform their job duties should be granted access to these areas (a unique sign-on and password, access to paper files, etc.).
Minimum Necessary does not apply to requests/disclosures to the staff or another healthcare provider for treatment purposes.
Medical Information – Personnel Records
In accordance with Section 112.0455, Florida Statutes (Drug-Free Workplace Act), drug screen results are confidential and exempt from disclosure under the public records law.
The Americans with Disabilities Act (ADA) and HIPAA require that all medical documents be filed separately from personnel records.
Medical information should be kept confidential and away from personnel records even if the company does not fall under ADA or HIPAA regulations.
Medical paperwork that should be filed separately includes the following:
• Reports from pre-employment physicals
• Drug and alcohol testing results
• Workers' compensation paperwork
• Medical leave of absence forms
• Disability paperwork
• Insurance applications that reveal pre-existing conditions
• Anything that identifies a medical issue
HIPAA Privacy Vs. Security Rules
Privacy Rule:
• Sets standards for who needs access to PHI
• Applies to all forms of PHI (electronic, written, oral)
Security Rule:
• Ensures access is only given to those who need it to perform their job
• Only applies to electronic forms of PHI
HIPAA Security Rule
Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.
Administrative Safeguards
Establish HIPAA policies/procedures
Provide security awareness and reminders to staff
Perform a risk analysis to determine where you might be vulnerable to a breach
Have a Disaster Recovery Plan in case of emergency
Implement sanctions and terminations for staff who breach PHI
Manage passwords, including disabling access upon termination
Appoint a Privacy/Compliance Officer and Security Official
Implement Business Associate Agreements for all vendors who access PHI
Physical Safeguards
Design a contingency operations plan when data is temporarily unavailable
Implement a security plan for facility (door locks, electronic access controls, video monitoring)
Install password protection on monitors
Ensure monitors are not facing public areas
Password protect thumb drives and documents containing PHI (Word, Excel, etc.)
Properly dispose of devices (hard drives, copiers, fax machines, scanners)
Technical Safeguards
Only use certified software systems
Use data encryption/decryption on all devices (laptops, cell phones)
Install firewalls and antivirus software
Assign unique sign-on and passwords to software containing PHI
Utilize integrity controls to ensure PHI has not been tampered with or destroyed
Implement automatic log-off after system has been idle
Back up data daily
Continually monitor and audit system to ensure the system has not been hacked or compromised
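The slide above calls for integrity controls that show PHI has not been tampered with or destroyed. The Python below is an added example, not code from the presentation or from FCSRMC: each record is stored with an HMAC-SHA256 tag computed over its content, a second tag over the set of record ids makes a deleted record detectable, and an audit pass reports both conditions. The demo key, the record layout and the field names are constructed for illustration; in a real deployment the key is held in a secrets manager or HSM with its own access control, not alongside the records.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A production key lives in a KMS/HSM or
# secrets manager, never in the same store as the records it protects.
INTEGRITY_KEY = b"demo-only-key-replace-with-managed-secret"


def canonical(record):
    """Stable byte serialisation so equal content always yields equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=INTEGRITY_KEY):
    """Return a copy of the record carrying an HMAC-SHA256 tag over its content."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "_integrity": tag}


def verify(sealed, key=INTEGRITY_KEY):
    """True only if the record's fields still match the tag it carries."""
    body = {k: v for k, v in sealed.items() if k != "_integrity"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time; a missing tag fails.
    return hmac.compare_digest(str(sealed.get("_integrity", "")), expected)


def manifest_tag(records, key=INTEGRITY_KEY):
    """Tag over the sorted record ids, so a deleted record changes the tag."""
    ids = "\n".join(sorted(r["id"] for r in records)).encode()
    return hmac.new(key, ids, hashlib.sha256).hexdigest()


def audit(records, baseline_manifest, key=INTEGRITY_KEY):
    """Report records whose tag fails and whether the record set is intact."""
    return {
        "tampered": [r["id"] for r in records if not verify(r, key)],
        "set_intact": hmac.compare_digest(manifest_tag(records, key), baseline_manifest),
    }


# Constructed sample records (not real PHI), sealed at write time.
RECORDS = [
    seal({"id": "claim-0001", "member": "M-12345", "amount": 120.0, "status": "paid"}),
    seal({"id": "claim-0002", "member": "M-67890", "amount": 45.5, "status": "pending"}),
]
BASELINE = manifest_tag(RECORDS)


def demo():
    """Run the audit on the clean set, a modified record, and a deleted record."""
    tampered = [dict(RECORDS[0], amount=1200.0), RECORDS[1]]
    deleted = RECORDS[:1]
    return audit(RECORDS, BASELINE), audit(tampered, BASELINE), audit(deleted, BASELINE)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A plain hash stored next to the record would not do here: anyone who can rewrite the record can recompute the hash, whereas the HMAC needs the key, which the record store does not hold. The manifest tag must be refreshed through the same controlled path whenever records are legitimately added or removed, otherwise every audit after a normal change reports the set as not intact.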
Staff Training
Employers are required to provide privacy and security training to staff and to provide periodic security reminders.
Security reminders may include:
How to maintain security, including the need for strong passwords
Specific threats to PHI that have been identified such as viruses
PHI access restrictions
Changes in policies/procedures concerning HIPAA regulations
Procedures to follow for modifying access to PHI
How to report security breaches and to whom
Breach of PHI
A breach is:
Any unauthorized access, use or disclosure of unsecured PHI which compromises the security or privacy of PHI, unless there is a low probability that the PHI has been compromised.
From January – June 2017, there were 2,000 HITECH Breaches:
• 175 million people affected
• 127.6 million: network server
• 6.6 million: desktop
• 5.6 million: laptop
• 2.1 million: unsecured
Source: HIPAAOne - www.hipaaone.com/2017-hipaa
Mitigating Risk
Data protection
o Use workstations properly - don’t leave information open and unattended
o Don’t share passwords or post where others can see it
o Don’t discuss confidential information with unauthorized individuals
o Lock computer, desk and file cabinets
o Use shredder/recycle bin when destroying information
Access controls – only give authorized staff access to software/files containing PHI
Report potential threats to the Privacy Contact at your facility
Encrypt emails containing PHI
Obtain BAA from vendors when accessing/obtaining PHI
Password protect mobile devices if accessing company emails on device
Prevent malware infection on your computer by not downloading and installing anything you do not understand or trust, no matter how tempting
Provide training at time of hire and annually thereafter
Sanctions Policy
All workforce members must protect the confidentiality, integrity, and availability of sensitive information at all times.
FCSRMC will take appropriate disciplinary action against employees, contractors, or any individuals who violate the information security and privacy policies or state or federal confidentiality laws or regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
FCSRMC will impose sanctions on any individual who accesses, uses, or discloses sensitive information without proper authorization. Sanctions may include:
• policy changes
• personnel changes
• transfer to another department
• retraining
• written reprimands
• suspension
• termination
Document Retention
Maintain the following documentation for six years, unless a longer period applies:
All policies and procedures
Business Associate Agreements
Signed Acknowledgement of Privacy Policies
Authorization forms
Notices and amended notices
Training of employees
Patient/employee complaints and their disposition (this must be documented on the complaint form and forwarded to FCSRMC)
Key Points
Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.
Maintain a separate employee health file.
Keep all protected information in a limited access area and under lock and key.
1. Who is not a Covered Entity?
a. Supermarket
b. Physician
c. Health Plan
2. Who must comply with HIPAA privacy and security rules?
a. Only physicians and hospitals
b. Patients
c. All Covered Entities and Business Associates
3. Who should have access to PHI?
a. Everyone in the company
b. Everyone in the department
c. Only those who need access to perform their job duties
4. It is OK to share your user name and password with someone you know as long as they do not share it with anyone else.
a. True
b. False
5. PHI can be used to make employment related decisions.
a. True
b. False
6. When is an authorization required to release PHI?
a. Disclosures not related to treatment, payment or healthcare operations
b. When someone requires assistance with insurance claims/benefits
c. Both a and b
7. How long is the document retention policy under HIPAA?
a. 10 years
b. 6 years
c. Indefinitely
8. Ways to mitigate risk to PHI include:
a. Secure your workstation and other areas containing PHI
b. Don’t report a breach if you suspect it has occurred
c. Avoid the HIPAA training sessions
Questions?
Carol Crews, CMPE, CPMA, OHCC Sr. Manager, Healthcare Advisory
BDO Center for Healthcare Excellence & Innovation
BDO USA
(904) 224-9787
References
More detailed information can be found at the following resources:
U.S. Department of Health and Human Services. 45 CFR Parts 160 and 164. Federal Register. www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
U.S. Department of Health and Human Services, Office for Civil Rights. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf
Centers for Medicare & Medicaid Services, Office of E-Health Standards and Services. www.hhs.gov/ocr/privacy/hipaa/enforcement/cmscompliancerev08.pdf
U.S. Department of Health and Human Services. www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule