HIPAA – Annual Training 2018-2019

Source: hipaa.corizonhealth.com/wp-content/uploads/2018/10/...

Page 1

HIPAA – Annual Training 2018-2019

Page 2

Test Out Option for HIPAA Annual Training

Corizon Health is offering a test out option on Annual HIPAA Training. Here is how it works:

1. You may take a 10 question pre-test regarding HIPAA. If you pass with a score of 100%, you may skip the full training course and receive a “Completed” status for this annual requirement.

2. You MUST attain a 100% score.

3. If you miss no more than two questions, you may qualify to re-take the pre-test. If you miss 3 or more questions on the pre-test, you will be redirected to the course.

4. If you attain a 100% the second time around, you will receive a “Completed” status for this training. However, if you do not achieve a 100% score on your re-test, you will be required to complete the entire training module.

Page 3

Test Out Option for HIPAA Annual Training

NOTE: If you are a new hire and have never taken the HIPAA Training module before, you are NOT eligible for the pre-test option. You MUST take the ENTIRE New Employee HIPAA training module.

1. If you would like to take the pre-test option, please let your site Super User know so that you can take the test now.

2. If you would prefer to take the entire training module and then take the test, then please proceed with the training module at this time and your Super User will provide you the test.

Page 4

Topic 1

Time to complete Topic 1

Overview

Approximately 15 minutes

Page 5

Introduction/Objectives

At the conclusion of this training module, you should have an understanding of the following:

• Corizon Health’s Privacy and Security Policies and Procedures;

• What constitutes Protected Health Information (PHI);

• The General Rules for the use and/or disclosure of PHI;

• The HIPAA Privacy and Security Rules and how each affects Employees in the workplace;

• The appropriate method for identifying and reporting Privacy and/or Security Violations and/or Incidents;

2012 © Corizon Health, Inc. All information and photos are confidential and proprietary. All rights reserved.

Page 6

Introduction/Objectives (continued)

At the conclusion of this training module, you should have an understanding of the following:

• A patient’s rights surrounding his or her PHI and the role Employees have in exercising and/or preserving these rights;

• The HITECH Act and the Final Omnibus Rule (2013);

• Business Associates and the role and requirements surrounding each;

• Enforcement measures that are available in the absence of compliance; and

• Each Employee’s responsibility in terms of Privacy and Security surrounding PHI in the workplace.

Page 7

HIPAA Terms

Page 8

HIPAA Terms

Breach

• The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

Page 9

HIPAA Term: Business Associate

A person or entity, other than an Employee or other member of the workforce of the Company, which performs, or assists in the performance of, a function or activity on behalf of Corizon Health or a Corizon Health Business Associate involving the use and/or disclosure of individually identifiable health information.

Such functions or activities include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, and repricing. Business associates also include any providers of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to Corizon Health or a Business Associate thereof, where the provision of such services involves the disclosure or use of individually identifiable health information.

Page 10

HIPAA Terms

Business Associate Agreement

• Agreement between the Company and a Business Associate, pursuant to which the Business Associate agrees to provide certain protections of PHI received by or created on behalf of the Company.

Corizon Health

• Corizon Health, Inc., Corizon, LLC, and their affiliated entities.

Designated Record Set

• Please refer to your Corizon Health Privacy Policies for specific information on the Designated Record Set.

Page 11

HIPAA Terms

Disclosure Log

• Record maintained by Corizon Health of all disclosures of PHI as required to be maintained pursuant to Privacy and Security Policies and Procedures.

Employee

• Any person whose conduct, in the performance of work for Corizon Health, is under the direct control of Corizon Health, whether or not such person is paid by Corizon Health, and whose duties bring such person in contact with PHI. For the purpose of these Privacy and Security Policies and Procedures, the term “Employee” includes, but is not limited to, customer service representatives, any administrative personnel, and any personnel under Corizon Health’s control who deliver health care services or items to inmates in correctional institutions.

Page 12

HIPAA Terms

Final Omnibus Rule

• The final rule announced by the U.S. Dept. of Health and Human Services which implements a number of provisions of the HITECH Act, effective March 26, 2013 with a compliance date of September 26, 2013.

Page 13

HIPAA Terms

Health Care Operations

• Administrative and managerial activities of Corizon Health including quality assessment and improvement activities, legal compliance activities, business planning and development activities, and other business management and general administrative activities.

Health Oversight Activity

• Activities by a Health Oversight Agency for the purpose of oversight of the healthcare system (whether public or private, or government programs) in which health information is necessary to determine eligibility or compliance, or to enforce civil rights for which health information is relevant.

Page 14

HIPAA Terms

Health Oversight Agency

• An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority or contract with such public agency, that is authorized by law to conduct Health Oversight Activities.

HIPAA

• The Health Insurance Portability and Accountability Act of 1996, commonly referred to as “HIPAA”, is a federal law which created a national standard for the privacy and security of protected health information (“PHI”).

Page 15

HIPAA Terms

HITECH Act

• Health Information Technology for Economic and Clinical Health Act

Individually Identified Health Information

• Health information which relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for the provision of healthcare to an individual, where such information either identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Page 16

HIPAA Terms

Patients and Personal Reps

• The term “patient” may also include the patient's legally designated "personal representative". A personal representative is any of the following [see 45 C.F.R. § 164.502(g)]: A conservator of the person of an incompetent patient; an agent appointed under a power of attorney for health care, if the patient is incompetent; any other person who can make health care decisions on behalf of an incompetent patient; A personal representative (i.e., the executor or administrator) of the estate of a deceased patient or any heir or beneficiary of a deceased patient; parents of minor children; or emancipated minors.

Page 17

HIPAA Terms

Professional Corporation (PC)

• A corporate entity established and solely owned by physician shareholders.

Page 18

HIPAA Terms

Protected Health Information (PHI)

• Health information which relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for the provision of healthcare to an individual, where such information either identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

• PHI includes not only medical records, but all other forms or documents that contain individually identifiable information, including but not limited to health service request forms, medication administration records, sick call requests, daily clinic logs, etc.

Page 19

HIPAA Terms

Privacy Officer

• The person who is responsible for the development and implementation of these Privacy and Security Policies and Procedures, and overseeing the Company’s compliance with the requirements of the Privacy Rules.

Privacy Rules

• Regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) at Title 45, parts 160, 162 and 164 of the Code of Federal Regulations, pertaining to the privacy of health information.

Page 20

HIPAA Terms

Privacy and Security Policies and Procedures

• The policies and procedures contained herein, which have been adopted by the Company as part of its efforts to comply with the Privacy and Security Rules.

Public Health Activity

• The activities of a public health authority for the purpose of preventing or controlling disease, injury or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions.

Page 21

HIPAA Terms

Security Officer

• The person who is responsible for the development and implementation of Security Policies and Procedures, and overseeing the Company’s compliance with the requirements of the Security Rule.

Page 22

HIPAA Terms

Unsecured PHI

• Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary.

Page 23

Who are the Corizon Health Super Users?

Who are the Super Users for our companies?

• All HSAs/DONs

• All Field and Regional Office AAs

• Regional Office Designees

• Professional Corporation (PC) Shareholders

Who will the Super Users be training?

• All Site Level Employees

• PC Employees

Page 24

Who are the Corizon Health Super Users?

What is the Super User role?

• HIPAA Training Facilitator

• Initial contact person at the site level for HIPAA related issues

Page 25

Why is training important?

There are many reasons why training is important.

Training

• Training enables Employees to develop the knowledge and skills set necessary to perform the essential functions of their job in compliance with the law.

Advantage

• Effective training affords Corizon Health a competitive advantage in the correctional healthcare market.

Page 26

Why is training important?

Career

• Training advances an Employee’s career and sense of feeling valued by Corizon Health.

OJT

• “On the job training” is an investment in Corizon Health’s future as Employees will share this knowledge with other Employees (current and new hires) in performing the essential functions of their job.

Page 27

Training Compliance

To begin, you will need to complete this course by completing all of the Topics. After you review the 5 topics, you may take the quiz. We’ve estimated your total time to complete this course, including the Quiz, is about 70 minutes.

Topic Title                  Topic #   Time to Complete
Overview                     1         15 Minutes
Privacy Rule                 2         15 Minutes
Security Rule                3         10 Minutes
Reporting and Enforcement    4         10 Minutes
Scenarios                    5         10 Minutes
Review Quiz                  Quiz      10 Minutes
Total Time to Complete:                70 Minutes

Page 28

Training Compliance

At the end of this training, you will need to take a short quiz and answer all ten (10) questions correctly. In the event you do not answer all ten (10) questions correctly, you are required to retake the quiz. The Super User at each site shall ensure that each Employee takes the Quiz until he/she attains a score of 100%.

Page 29

Hot Buttons for Corizon Health

Disposal of PHI

• Sensitive information and PHI should NEVER be placed in the regular trash!

• Hard copy materials that contain PHI, like sick call request forms, must be properly shredded at your site or placed in a locked shred container for shredding later.

• DO NOT use an open box under your desk as your shred storage for PHI

─ If you are using an unsecured container to hold PHI for destruction, there is a greater likelihood of inappropriate access or that it will accidentally be commingled with regular trash.

─ Keep in mind that the destruction of actual medical records is client dependent, so please work with your site management before destroying any medical records.

Page 30

Hot Buttons for Corizon

Verification of Identity

• Before you provide records to an inmate or any other third party, you MUST verify that the name of the person in the medical record matches the name being requested.

• Does the information within the medical record all belong to that inmate?

If two different inmates with the same last name of Smith request their records, check, check again and check a third time to ensure that you are providing the correct record to the correct inmate "Smith".

Page 31

Hot Buttons for Corizon Health

Unsecured PHI

EVERY SINGLE TIME you send an email outside the Corizonhealth domain that contains any PHI, the email MUST BE ENCRYPTED, e.g., when you send a medical record to an attorney who does not have a corizonhealth.com email address.

As a Corizon employee, you must use your Corizonhealth email.

DO NOT send emails from your personal email accounts like Gmail or Hotmail or your County or state email address that contain any PHI.

Corizon, as the covered entity, is responsible for the security of the PHI and we cannot control the security of a third party email system.

Page 32

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, commonly referred to as “HIPAA”, is a federal law which created a national standard for the privacy and security of Protected Health Information (“PHI”).

In learning about HIPAA, it is important to recognize that this legislation was enacted with two broad interests in mind:

• Privacy

• Security

Congress became concerned about how to protect the confidentiality of health care data that was being electronically transmitted. Therefore, the purpose of HIPAA was to protect the privacy and security of PHI. HIPAA legislation was passed in 1996. However, it was not until 2003 that the Privacy Rule was finally enacted and later in 2005, the Security Rule was enacted.

Page 33

What is HIPAA?

In this course, we will first learn about the privacy component of HIPAA more precisely referred to as the HIPAA Privacy Rule.

Generally speaking, the HIPAA Privacy Rule was enacted to encompass the following items:

• Individual rights;

• Instructions on how to exercise those individual rights; and

• Uses and/or disclosures of PHI which must be authorized by the individual (patient) or are required by law.

Page 34

What is HIPAA?

After we conclude our discussion of the Privacy Rule, we will redirect our attention to the Security Rule which mandates the administrative, physical, and technical safeguards necessary to protect the confidentiality, integrity, and availability of electronic PHI (“ePHI”).

The belief was that privacy is a "fundamental right" and that patients should have the ability to control information pertaining to their care. Therefore, HIPAA gave patients a number of rights, including but not limited to access to medical records, the right to amend records and the right to restrict certain uses and disclosures of their PHI.

Page 35

What is Protected Health Information?

HIPAA’s Privacy and Security Rules only apply to Protected Health Information, which is commonly referred to as “PHI”. Therefore, in order for Employees to understand the important aspects of HIPAA, it is critical to know what PHI is.

PHI is defined as individually identified health information that is transmitted or maintained in electronic, written, oral, and/or any other recorded form or medium.

The Department of Health and Human Services generally considers any health related information that identifies an individual, or reasonably could be used to identify an individual, which is created or received by a covered entity to be PHI.

Page 36

What is Protected Health Information?

Individually identifiable health information is:

• Information that identifies an individual;

• Information created or received by Corizon Health; and

• Information that relates to the past, present or future physical or mental health condition of the individual.

Remember: PHI does not just refer to medical records, but any document or form that contains individually identifying information about the patient.

Page 37

What is PHI?

Some common examples of PHI include:

• Patient medical records

• Prescriptions

• Billing information

• Patient insurance forms

• Patient charts

PHI does NOT include:

• Employment records held by a Covered Entity in its role as an employer

• Educational records

It is important to remember that PHI includes less obvious items in comparison to those common examples provided. If you are unsure as to whether or not a particular item constitutes PHI, please consult the Privacy Officer for further clarification.

Page 38

How does HIPAA apply to Corizon?

HIPAA only applies to “Covered Entities”, which include health plans, health care clearinghouses and health care providers who use PHI in connection with certain electronic transactions (such as payments or claims attachments).

Page 39

How does HIPAA apply to Corizon?

Under HIPAA, a health care provider is defined as an entity that furnishes medical services.

Because Corizon Health provides medical services to inmates of correctional facilities across the United States, Corizon Health is considered a health care provider.

As a health care provider, Corizon Health transmits electronic PHI for purposes of certain transactions which results in Corizon Health being classified as a “Covered Entity” for purposes of HIPAA.

Corizon, as it currently functions, does not meet the definition of either a health care clearinghouse or a health plan.

However, Corizon does engage in certain standard transactions, making us a Covered Entity subject to the rules and regulations of HIPAA.

Page 40

Topic 1 – Overview – Conclusion

Great job, Topic 1 is complete.

Topic Title                  Topic #   Time to Complete
Overview                     1         15 Minutes
Privacy Rule                 2         15 Minutes
Security Rule                3         10 Minutes
Reporting and Enforcement    4         10 Minutes
Scenarios                    5         10 Minutes
Review Quiz                  Quiz      10 Minutes
Total Time to Complete:                70 Minutes

Page 41

Topic 2

Time to complete Topic 2

Privacy Rule

Approximately 15 minutes

Page 42

Objectives

At the end of this Topic, the learner will have a good understanding of:

• The general rules for the use and disclosure of PHI;

• An individual’s right to access his or her own PHI;

• How to adequately protect an individual’s PHI from inappropriate use or disclosure;

• Documenting “non-routine” disclosures of PHI; and

• The reporting of any improper uses or disclosures of PHI to the appropriate personnel so that any harmful effects can be mitigated.

Note: Use means the PHI is being shared, applied, utilized, examined or analyzed within Corizon, and Disclosure means the releasing, transferring, or providing access to the PHI outside of Corizon.

Page 43

General Rules for the Use and Disclosure of PHI

The HIPAA Privacy Rule generally requires Corizon Health to take reasonable steps to limit the use and disclosure of PHI to the minimum amount necessary to accomplish the intended purpose.

The Employee shall make a reasonable effort to use and/or disclose only the amount of PHI which is required to perform the essential job functions.

It is important to remember that the “Minimum Necessary Standard” does not apply to all uses and disclosures of PHI.

Page 44

Exceptions to the “Minimum Necessary Standard”

The Minimum Necessary Standard DOES NOT apply to the following uses and disclosures of PHI:

• Uses and disclosures of PHI for treatment purposes (e.g. from one health care provider to another)

• Uses and disclosures of PHI to the individual who is the subject of the PHI

• Uses and disclosures of PHI pursuant to a valid HIPAA compliant written authorization

• Uses and disclosures of PHI that are required by law

“Minimum Necessary Standard” – Example 1

A patient at the Jail has requested that a copy of his entire medical record be provided to his attorney. He has presented a signed, validly executed authorization for release of his records.

Does the “Minimum Necessary Standard” apply here?

Correct Answer: No, the patient has signed an Authorization allowing his entire record to be sent to his Attorney. The Minimum Necessary Rule does not apply. The entire record must be provided to the patient’s attorney.

“Minimum Necessary Standard” – Example 2

Patient is being sent off-site to the hospital for a surgical procedure. The surgeon at the hospital calls to speak to the treating physician at the correctional facility about the Patient’s care and upcoming procedure.

Does the “Minimum Necessary Standard” apply here?

Correct Answer: No, the “Minimum Necessary Standard” does NOT apply to uses and disclosures of PHI for the purpose of treatment.

“Minimum Necessary Standard” – Example 3

Nurse Nancy makes a serious documentation error in a Patient’s chart. Her supervisor works with the HR Department to determine whether corrective action is warranted. The HR Department requests a copy of the medical record as part of its investigation.

Does the “Minimum Necessary Standard” apply here?

Correct Answer: Yes, the Supervisor should only provide the relevant pages of the medical record to the HR department with the patient’s name redacted. The HR Department does not need to know the patient’s name or see the entire record in order to complete its investigation.

“Minimum Necessary Standard” – Example 4

Several inmates at the correctional facility have been diagnosed with and are being treated for a communicable disease. The local health department is on-site at the correctional facility to investigate and help mitigate a possible outbreak.

Should the Medical Staff apply the “Minimum Necessary Standard” when speaking with the Health Department?

Correct Answer: No, this disclosure is required by law so the “Minimum Necessary Standard” would NOT apply. The Health Department will need all information related to the patients with the communicable disease in order to adequately and effectively treat and prevent the spread of the disease.

When is a Written Authorization Required?

The HIPAA Privacy Rule requires Employees to obtain a HIPAA compliant written patient authorization prior to using and/or disclosing PHI for certain purposes.

Some examples of uses and/or disclosures of PHI that require a HIPAA compliant patient authorization are:

• Disclosure of PHI to the patient’s family or friends in cases where the friend or family member is NOT the patient’s personal representative

• Disclosure of PHI to the media

• Disclosure of PHI to the patient’s attorney

Employees can obtain Corizon’s standard HIPAA compliant patient authorization online at http://hipaa.corizonhealth.com or from the Super User at your respective site.

To be consistent and ensure that the Authorization is HIPAA compliant, it is best to always use the Corizon approved form. If a patient or third party presents an Authorization on a non-Corizon form, you may request that they complete a new authorization on the Corizon form.

When a Written Authorization is NOT Required

Employees are NOT required to obtain a HIPAA compliant written authorization prior to using and/or disclosing PHI in the following circumstances:

• Uses or disclosures of PHI for treatment purposes (providing healthcare services or items)

• Uses or disclosures of PHI for payment purposes (submitting and receiving claims, making and receiving payment for services)

• Uses or disclosures of PHI for health care operational purposes (quality improvement activities, credentialing, utilization review, training programs, accreditation activities, insurance rating)

When a Written Authorization is NOT Required (Continued)

• Uses or disclosures of PHI to a correctional facility or officer to assist the facility in providing the patient with health care, protecting the health or safety of the patient or others, or for the safety or security of the correctional facility

• Uses or disclosures of PHI to avert a serious threat to health or safety (threat to the patient, public, or other individuals)

• Uses or disclosures of PHI for law enforcement purposes (information related to the commission of a crime on the premises or against health care personnel)

When a Written Authorization is NOT Required (Continued)

• Uses or disclosures of PHI to a Corizon Health Business Associate that has signed a Business Associate Agreement

• Uses or disclosures of PHI for public health activities as required by law for the purpose of preventing or controlling disease, injury or disability

• Uses or disclosures of PHI for judicial, legal, or administrative proceedings (e.g. Court orders and subpoenas)

KEY ELEMENT OF INSTRUCTION: It is important that Employees understand that Corizon Health is the custodian of the PHI in its possession and the Client is the owner. For this reason, Employees must not impede the Client’s ability to access its own PHI so long as such use and disclosure complies with the correctional facility/officer exception listed above.

Custodial Exemption

As previously mentioned, in the correctional environment, HIPAA gives broad authority to the providers to allow for the release of information to a correctional facility or officer if the purpose is to provide care to the patient or to protect the health and safety of the officers and/or the facility.

However, be cautious with this authority. Any release of information to an officer or a warden should be done for the purpose of protecting the institution, its officers and the other inmates. This does not give an officer the right to inspect a patient's records out of mere curiosity. You still have an obligation to protect the patient's privacy.

Safeguarding the Confidentiality of PHI

YOU are responsible for securing PHI from improper disclosure.

Avoiding an improper disclosure includes the following:

• Sharing PHI discreetly and only with those who need to know the information.

• Refraining from discussing patient information with family, friends, neighbors and others that have no need to know.

• Avoiding leaving PHI visible on desktops or work surfaces by turning things over and locking information in your desk.

You must ensure that any disclosure of information reaches the correct person.

• Validate fax numbers prior to faxing any PHI

• Verify the identity of a person prior to releasing information

• Verify email addresses before sending any encrypted patient information electronically

Quick Knowledge Check

It is acceptable to put PHI in an open shred or recycle box under your desk since all Corizon employees have taken HIPAA training and understand their obligation to protect the information.

Yes or No: can you put PHI in an open shred box under your desk or in a common area?

Knowledge Check Answer

Correct Answer: No

Any document containing PHI that is ready for disposal must either be shredded at the site or placed in a locked bin so that third parties, such as inmate workers and correctional officers, do not have access to the information.

Disposal of PHI

Either shred the PHI at the site or place the PHI in a locked receptacle.

If you utilize inmate workers in your area for janitorial services, they should never touch your shred bins or empty any containers holding PHI until a shred vendor comes to shred the information.

If you have any electronic media (discs, USB drives, etc.) that contain PHI, please contact our IT department for proper disposal instructions.

REMEMBER: PHI does not just mean the physical medical record but includes any paper that contains patient information. If that document contains any PHI, it must be disposed of properly.

What is required of a Business Associate?

The HIPAA Privacy Rule requires Covered Entities such as Corizon Health to enter into a Business Associate Agreement (“BAA”) with any third party individual or entity that is determined to be a “Business Associate” of the Company (“BA”). Upon entering into a BAA with Corizon Health, a BA is then obligated to comply with certain requirements under the Privacy and Security Rules, including agreeing to the use and/or disclosure of PHI only as permitted under the BAA and to maintain the appropriate security safeguards so as to prevent the unauthorized access, use, and/or disclosure of PHI.

Business Associate Contracting Process

It is important to remember that Corizon Health may not share PHI (the use and/or disclosure) with a BA until a BAA has been executed between the parties.

If you wish to engage a BA, you need to contact the Privacy Officer and they will assist you with the process of drafting and executing the agreement.

Corizon Health is required to maintain copies of any fully executed BAAs in the event they are requested by the government. Therefore, it is imperative that the Privacy Officer be involved in the contracting process.

Subcontractors

Upon the enactment of the Final Omnibus Rule in 2013, all subcontractors of Corizon Health's Business Associates are required to comply with the Privacy & Security Rules. This significant legislative change will require Corizon Health to carefully monitor the subcontractors utilized by its business associates for the purpose of ensuring 100% compliance.

Who is a Business Associate?

The appropriate way to determine whether or not a third party individual or entity is a Corizon Health BA is to look at the activities and/or functions they perform on the Company’s behalf. Typical activities or functions performed by a BA for or on behalf of a Covered Entity such as Corizon Health include those listed below, provided the activity or function involves the use and/or disclosure of PHI:

Typical Activities / Functions Performed by a Business Associate

• Claims Processing

• Data Analysis

• Utilization Management

• Quality Assurance

• Benefit Management

• Third Party Admin Activities

• Practice Management Services

• Legal

• Accounting / Actuarial

• Consulting

• Management

• Administrative

Who is a Business Associate?

To the contrary, if a third party individual or entity performs one or more of the foregoing activities and/or functions on behalf of Corizon Health but DOES NOT access or use PHI in doing so, no business associate agreement is required. Additionally, if a third party individual or entity is a healthcare provider AND only receives and/or uses PHI in treating a common patient (an individual that is also a patient of Corizon Health), no business associate agreement is required.

In the event you have any questions with regard to Business Associates, please contact the Privacy Officer and/or a member of the Corizon Health Legal Department.

Documenting “Non-Routine” Disclosures of PHI

Under the Privacy Rule, Corizon Health is required to provide patients with an accounting of all “Non-Routine” Disclosures of PHI made for up to six (6) years prior to the date of the patient’s request. Employees MUST document all “Non-Routine” disclosures of PHI in the PHI Non-Routine Disclosure Log.

You are LEGALLY required to document your disclosures of PHI!

A patient has the right to request a copy of an accounting of any and all disclosures of his or her PHI which are considered "Non-Routine."

Documenting “Non-Routine” Disclosures of PHI

The following disclosures of PHI are considered “Non-Routine”:

• Disclosures of PHI to a Health Oversight Agency (CMS, State DHS, SSA)

• Disclosures of PHI made pursuant to a Court or Administrative Agency Order

• Disclosures of PHI made pursuant to a subpoena

• Disclosures of PHI made pursuant to a request by a law enforcement agency

• Disclosures of PHI made to avoid a serious threat to health or safety

• Disclosures of PHI made to a public health agency (state or local public health authority)

“Routine” Disclosures

NOTE: Disclosures for the purposes of treatment, payment, and/or operations are NOT considered to be "Non-Routine."

In the event you are unable to determine whether or not a disclosure is "Non-Routine", please refer to your Privacy Policies and/or consult the Super User at your facility for further guidance.

Documenting “Non-Routine” Disclosures of PHI

When documenting “Non-Routine” Disclosures of PHI, Corizon Health must record the following information in the PHI Non-Routine Disclosure Log:

• Date of the disclosure

• Name and address of the person or organization who received the disclosure

• Brief description of the PHI disclosed

• Purpose for which the information was disclosed

In the event an Employee has further questions about the documentation requirements for “Non-Routine” Disclosures of PHI, they should contact their site Super User or the Privacy Officer.

“Non-Routine” Disclosure Key Points

You MUST maintain an accurate and complete log of ALL non-routine disclosures of PHI at your site.

You MUST maintain the non-routine disclosure log for a minimum of 6 years.

If your site is closing, you must mail a hard copy of the non-routine disclosure log to the Privacy Officer BEFORE the new vendor comes into the facility.
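As an added illustration (not part of the Corizon training or its policies), the following Python sketch models the PHI Non-Routine Disclosure Log described on the preceding slides: the four fields every entry must carry, the rule that treatment, payment and operations disclosures are routine and therefore not entered, and a patient's accounting request covering the six years before the request date. The purpose labels, patient identifier and sample entries are constructed for this example and are not Corizon identifiers.

```python
# Added example (not from the Corizon training): a minimal PHI Non-Routine
# Disclosure Log implementing the record-keeping rules the slides describe.
# Purpose labels, patient ids and sample entries are constructed, not real.
from dataclasses import dataclass
from datetime import date

# Disclosure purposes the training lists as "Non-Routine" (must be logged).
NON_ROUTINE_PURPOSES = {
    "health_oversight",  # health oversight agency (CMS, State DHS, SSA)
    "court_order",       # court or administrative agency order
    "subpoena",
    "law_enforcement",   # request by a law enforcement agency
    "avert_threat",      # avoid a serious threat to health or safety
    "public_health",     # state or local public health authority
}

# Treatment, payment and health care operations are routine: not logged.
ROUTINE_PURPOSES = {"treatment", "payment", "operations"}


def six_years_before(d: date) -> date:
    """Start of the accounting window: the same calendar day six years earlier.
    Feb 29 has no counterpart in a non-leap year, so fall back to Feb 28."""
    try:
        return d.replace(year=d.year - 6)
    except ValueError:
        return d.replace(year=d.year - 6, day=28)


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date       # date of the disclosure
    recipient_name: str      # name of the person or organization
    recipient_address: str   # address of the recipient
    phi_description: str     # brief description of the PHI disclosed
    purpose: str             # purpose for which it was disclosed


class NonRoutineDisclosureLog:
    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, d: Disclosure) -> bool:
        """Log d if it is non-routine; return True when an entry was written.
        Routine (TPO) disclosures return False and are not logged. A purpose the
        training does not classify raises, so the employee escalates to the
        Super User or Privacy Officer instead of guessing."""
        if d.purpose in ROUTINE_PURPOSES:
            return False
        if d.purpose not in NON_ROUTINE_PURPOSES:
            raise ValueError(f"unclassified purpose {d.purpose!r}: consult the Super User")
        for name in ("recipient_name", "recipient_address", "phi_description"):
            if not getattr(d, name).strip():
                raise ValueError(f"required log field {name!r} is empty")
        self._entries.append(d)
        return True

    def accounting(self, patient_id: str, request_date: date) -> list[Disclosure]:
        """Non-routine disclosures for a patient in the six years before request_date."""
        start = six_years_before(request_date)
        return sorted(
            (e for e in self._entries
             if e.patient_id == patient_id and start <= e.disclosed_on <= request_date),
            key=lambda e: e.disclosed_on,
        )

    def __len__(self) -> int:
        return len(self._entries)


def build_sample_log() -> NonRoutineDisclosureLog:
    """Constructed sample entries for one hypothetical patient."""
    log = NonRoutineDisclosureLog()
    entries = [
        Disclosure("P-001", date(2012, 9, 30), "County Sheriff", "1 Main St, Anytown",
                   "Intake screening notes", "law_enforcement"),  # just outside window
        Disclosure("P-001", date(2013, 3, 4), "District Court", "2 Court Sq, Anytown",
                   "Medication list, 2012-2013", "subpoena"),
        Disclosure("P-001", date(2016, 6, 1), "Regional Hospital", "3 Hospital Dr, Anytown",
                   "Pre-op labs", "treatment"),                   # routine: not logged
        Disclosure("P-001", date(2017, 11, 20), "State Health Dept", "4 Capitol Ave, Anytown",
                   "TB test results", "public_health"),
    ]
    for e in entries:
        log.record(e)
    return log


def demo(request_date: date = date(2018, 10, 1)) -> list[Disclosure]:
    """Accounting the patient would receive for a request made on request_date."""
    return build_sample_log().accounting("P-001", request_date)


if __name__ == "__main__":
    for e in demo():
        print(e.disclosed_on, e.recipient_name, e.phi_description, e.purpose)
```

Run as a script, the block prints the two entries that fall inside the window for a request dated 1 October 2018; the law enforcement disclosure of 30 September 2012 falls one day outside the six-year window and the treatment disclosure was never logged.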

Patient’s Right to Access PHI

As a general rule, HIPAA gives patients certain rights regarding their PHI, including, but not limited to, the right to inspect or obtain a copy of their medical records. Additionally, specialized rules may apply if the patient is legally considered a minor.

However, because inmates do not have the same rights as other patients under HIPAA, Corizon Health may deny an inmate’s request to inspect or obtain a copy of his or her PHI if it would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates, or the safety of an Employee or the correctional staff of the facility.

NOTE: Many Corizon Partners do not allow and/or limit a patient's access to their medical records during incarceration. If your site restricts access to patient records, please contact the Privacy Officer so that he or she can assist you in determining whether you should allow the patient access to his or her medical records.

What Rights Do Minors Have?

HIPAA addresses issues surrounding parental rights relative to a minor (a person who has not reached the legal age of majority) under the regulations dealing with “personal representatives.”

• Generally, parents have the authority to make health care decisions about their minor children. Therefore, HIPAA allows parents access to their child's PHI as they are making those decisions.

• However, if state law allows a minor to exercise his or her own control over a health care decision, HIPAA then allows the minor to control who will have access to that health care information related to that decision.

• For example, if state law allows a minor to consent to mental health treatment without the consent of a parent, then the parent would not be acting as the minor's personal representative and would not have access to that information.

HIPAA defines a “personal representative” as a person authorized under applicable law to make health care decisions on another individual’s behalf.

It is important to know that HIPAA takes a deferential approach to patient rights when it comes to dealing with patients who have not reached the legal age of majority (minors).

As a general rule, HIPAA gives minors the right to exercise control over their own PHI (including restrictions on access) IF, under state law, the minor in question obtained or could have obtained the medical treatment to which the PHI pertains, WITHOUT parental consent.

What Rights Do Minors Have?

As is the case with all legal rules, there is an EXCEPTION: If the state law allows or prevents the disclosure of a minor’s PHI to a parent or guardian (personal representative), HIPAA defers to the state law.

CAUTION: When dealing with minors and their rights with regard to PHI, you should consult the legal department as to what state law allows and/or requires.

These situations should be addressed on a case by case basis as there are other legal scenarios where a minor is permitted to restrict access to his or her own PHI (e.g. in cases of abuse or neglect, where PHI involves substance abuse and/or mental health).

Corizon Health Privacy Officer

Corizon Health has designated a HIPAA Privacy Officer whose responsibilities include ensuring HIPAA compliance among all Employees.

The Corizon Health Privacy Officer is:

Maya Patel
Vice President, Associate General Counsel and Privacy Officer
Email: [email protected]

Safeguarding PHI – Key Provisions

Comprehensive Privacy and Security Policies and Procedures have been developed in order to safeguard PHI. The Corizon Health Privacy and Security Policies & Procedures are available for reference at http://hipaa.corizonhealth.com and in paper form at the site level. Key provisions include the following:

• All current Employees and all new Employees will receive compliance training consistent with the Corizon Health Privacy and Security Policies and Procedures

• Only authorized Employees will have access to PHI

• Access to all PHI will be monitored

Safeguarding PHI – Key Provisions (Continued)

Before disclosing PHI for any purpose other than for treatment, payment or health care operations, an Employee should consult the Corizon Health Privacy and Security Policies and Procedures and determine the following:

• If the disclosure is permitted

• If a patient authorization is required for the disclosure

• If the disclosure must be documented

Safeguarding PHI – Key Provisions (Continued)

If an employee cannot determine with certainty whether a disclosure is permitted, requires patient authorization, or must be documented, the Employee must contact the Super User or Privacy Officer for clarification.

Employees are encouraged to reference the Corizon Privacy and Security Policies and Procedures along with related online compliance resources made available at HIPAA.Corizonhealth.com.

Employee Privacy Responsibilities

All Employees must do the following:

COMPLY: Comply with Corizon’s Privacy and Security Policies and Procedures;

MINDFUL: Be mindful of privacy issues pertaining to the use and disclosure of PHI;

ACCESS: Ensure that only authorized Employees access PHI;

Employee Privacy Responsibilities

BEFORE: Before disclosing PHI, consult the Privacy and Security Policies and Procedures to determine if a patient authorization is required for the disclosure and whether or not the disclosure must be documented;

REFRAIN: Refrain from discussing PHI in common or unsecured areas (e.g. elevators, lobbies, etc.); and

NOTIFY: Notify the Privacy Officer if he or she believes that a Privacy and/or Security Policy or Procedure has been violated.

Quick Knowledge Check

It is acceptable to leave PHI in a copy room or open on a desk because all Corizon employees have taken HIPAA training and understand their obligation with respect to PHI.

Yes or No: can you take your time retrieving PHI from a copy room that others can access, and/or leave PHI face up on your desk or in a common area?

Knowledge Check Answer

NO, merely because all employees have been trained does not automatically grant them access to PHI.

• Each employee has an obligation to protect that information from further disclosure.

• Make sure that you are appropriately securing PHI in your workspace by closing folders and files and never leaving information in an open space like a copy room.

Topic 2 – Privacy Rule – Conclusion

Great job, Topic 2 is complete.

Topic Title                 Topic #   Time to Complete
Overview                    1         15 Minutes
Privacy Rule                2         15 Minutes
Security Rule               3         10 Minutes
Reporting and Enforcement   4         10 Minutes
Review Quiz                 Quiz      10 Minutes

Total Time to Complete: 70 Minutes

Topic 3 – Security Rule

Time to complete Topic 3: Approximately 10 minutes

The Security Rule

The HIPAA Security Rule became effective on April 20, 2005, and set a national standard for protection of the confidentiality, integrity, and availability of electronic PHI when it is stored (at rest), maintained, or transmitted.

The Security Rule sets forth the standards and processes that are required to protect the confidentiality, integrity, and availability of electronic PHI in the form of Administrative, Physical, and Technical Safeguards (covered on the next page).

The Security Rule

Administrative Safeguard Example

Requiring authorization for Employees to access electronic PHI

Physical Safeguard Example

Maintaining secure workstations to avoid the incidental viewing of PHI

Technical Safeguard Example

Continuously monitoring all access attempts to electronic PHI

These are only a few examples of the many administrative, technical and/or physical safeguards included in the Security Rule, all of which are in place to ensure the confidentiality, integrity and availability of ePHI.

Corizon Health Security Officer

Corizon Health has designated a Security Officer whose responsibilities include ensuring compliance with Corizon’s Security Policies and Procedures.

The Corizon Health Security Officer is:

Howard Wolfe
103 Powell Court
Brentwood, TN 37027

Email: [email protected]

Employee Security Responsibilities


All Employees must do the following:

• ADHERE: Comply with Corizon’s Privacy and Security Policies and Procedures;

• AVOID: Avoid the use of common or obvious passwords;

• AVOID: Avoid sharing passwords with anyone;

• LOCK/LOG OFF: Lock or log off workstations whenever leaving them unattended;

• REPORT: Promptly report any suspected security violations to the Security Officer.


Employee Security Responsibilities

Your password should be hard to guess but easy for you to remember.

Once you have determined an appropriate password, do not share it with anyone or write it down and leave it in a location where someone else can obtain it.

Remember that if someone else is able to log in under your username and password, you are ultimately responsible for any actions taken by that person.

When you step away from your workstation for any reason, please lock your computer screen and put away or turn over any PHI on your desk to avoid the risk of an unauthorized use or disclosure.


Workstation Usage

It is important that you protect your workstation space to avoid any accidental disclosures of PHI.

Some examples of these safeguards include:

• RESTRICT view access from others

• FOLLOW appropriate log-on and log-off procedures

• LOCK your workstation when you are away from your workspace


PHI and Mobile Devices

PHI should not be stored on any mobile device like a phone or tablet, unless you have been authorized to do so and have worked directly with Corizon Health's Security Officer.

If devices are lost, stolen or compromised, notify your supervisor immediately and report the loss to the Security and Privacy officers!


Email Usage

Appropriate use of e-mail can prevent the accidental disclosure of ePHI.

Best practices include:

• Use e-mail in accordance with Corizon's e-mail usage policy.

• Use e-mail for business purposes and do not use e-mail in a way that is disruptive, offensive, or harmful.

• ALWAYS verify the recipient's e-mail address before sending.

• Don't open e-mail attachments from senders you don't know.


Corizon Encryption Policy

When sending PI or PHI via email to a domain address other than “Corizonhealth.com”, you must encrypt the communication.

Adding any one of the following key words to the subject line of the email will send the message through our secure email gateway: encryptme, [ENCRYPT], or [SEND SECURE].

Failure to do so could result in a breach of the PHI.


Prohibited Email Activity

You MAY NOT send any PHI from any personal email account or other non-Corizonhealth email account, such as a DOC or county email address.

When you send an email that contains PHI outside the Corizonhealth.com domain, it needs to be sent from a corizonhealth.com email address and be encrypted.

DO NOT USE your DOC or county email address to communicate with employees or the corporate office regarding any PHI.

If you do so, corrective action, up to and including termination, may result.


Topic 3 – Security Rule – Conclusion


Great job, Topic 3 is complete.

Topic Title                Topic #   Time to Complete
Overview                   1         15 Minutes
Privacy Rule               2         15 Minutes
Security Rule              3         10 Minutes
Reporting and Enforcement  4         10 Minutes
Scenarios                  5         10 Minutes
Review Quiz                Quiz      10 Minutes

Total Time to Complete: 70 Minutes


Topic 4: Reporting/Enforcement

Time to complete Topic: Approximately 10 minutes


Objectives

Upon completing this Topic, you should understand the following:

• How the HITECH Act of 2009 and the Final Omnibus Rule affect Corizon Health and its Employees

• What enforcement measures can be taken in the event our Employees run afoul of compliance.

Because the exchange of health information is important for all health care providers and their patients, legislators are constantly looking for ways to modify and/or improve the rules surrounding it. The Final Omnibus Rule is one example of a recent legislative update which increased many of the duties a health care provider has with regard to information privacy and security.



Privacy and Security Violations

Employees that fail to follow the Privacy and Security Policies and Procedures will be subject to appropriate disciplinary actions as set forth under HIPAA.

In the event that an Employee believes that a Privacy and/or Security Policy and Procedure has been violated, the Employee should:

• Notify the Privacy or Security Officer immediately

• Assist the Privacy or Security Officer to take whatever steps are practicable to mitigate (minimize) the harm from the violation



Privacy and Security Violations

Once an Employee has been appropriately trained, if that Employee violates a Privacy or Security policy, corrective action, up to and including termination, may be warranted.

Further, if you witness a possible violation, you should report it immediately to the Privacy or Security Officer and cooperate in any investigation that takes place.

Corizon has a zero-tolerance policy for retaliation. If you believe you are being retaliated against for cooperating in an investigation, you should report this to the Privacy Officer immediately.

The duty each Corizon employee has to report potential privacy and/or security violations and/or incidents is critically important to maintaining compliance throughout our organization and its day to day operations.


HIPAA Enforcement: Key Facts


DELEGATED AUTHORITY: On December 20, 2000, the Secretary of the Department of Health and Human Services delegated the authority to administer and enforce the Privacy and Security Standards to the Office for Civil Rights (OCR).

OCR ENFORCEMENT: The OCR enforcement process is complaint driven and provides any individual who believes that a HIPAA Covered Entity is not complying with the HIPAA Rules the right to file a complaint.


HIPAA Enforcement: Key Facts


HIPAA MANDATES: HIPAA mandates strict civil and criminal penalties for violations of the Privacy and Security Standards.

MONEY PENALTIES: OCR has the power to assess civil money penalties against Corizon Health (a covered entity) if an Employee violates HIPAA. Specifically, OCR may assess civil monetary penalties against Corizon Health for up to $50,000 per “violation” and up to $1,500,000 each calendar year for “identical violations” which are not corrected.


HIPAA Enforcement: Key Facts


CRIMINAL CHARGES: Criminal charges may be brought and enforced by the Department of Justice against Covered Entities or their employees (individually) if an offense is committed with intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm. Violators (covered entities and/or their individual employees) may be fined up to $250,000, imprisoned for up to 10 years, or both.


HITECH

HITECH proposed several modifications to HIPAA, many of which were enacted into law through the Final Omnibus Rule, effective March 26, 2013.



Breach Notification Requirement

What is a breach?

• Impermissible use or disclosure of (unsecured) PHI is assumed to be a breach unless the Covered Entity, or Business Associate, demonstrates a low probability that the PHI has been compromised based on a risk assessment.


Risk Assessment Requirement

If you believe a "breach" occurred, you must contact the Privacy Officer IMMEDIATELY so that a risk assessment can be conducted.

A Risk Assessment under the Final Rule requires consideration of at least these four factors:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

• The unauthorized person who used the PHI or to whom the disclosure was made;

• Whether the PHI was actually acquired or viewed; and

• The extent to which the risk to the PHI has been mitigated.


IMPORTANT: You must report ANY suspected Violations

You MUST report HIPAA violations:

• So they can be investigated, managed and documented

• So they can be prevented from happening again in the future

• So damages can be kept to a minimum

• To minimize your personal risk

• In some instances, management may have to notify affected parties of lost, stolen, or compromised data.

If you are not sure if it should be reported, report it anyway!


Reporting Violations

How do I report a Privacy or Security Violation?

• Start with your supervisor or site Super User to alert them to the possible issue

• Email the Privacy Officer at [email protected]

• Email the Security Officer at [email protected]


Quick Knowledge Check

True or False - If you believe a “breach” involving PHI has occurred, you must contact the Privacy Officer immediately.


Knowledge Check Answer

TRUE, in the event of a PHI Breach, you are required to notify the Privacy Officer IMMEDIATELY so that a Risk Assessment can be conducted.

Risk Assessments are conducted by the Privacy Officer in collaboration with site leadership and are required after every "breach" incident.


Topic 4 – Reporting/Enforcement – Conclusion


Great job, Topic 4 is complete.



Topic 5: Scenarios

Time to complete Topic 5: Approximately 10 minutes


Privacy and Security Violations (Scenario 1)

A local state representative has been contacted by one of his constituents expressing concerns for their son’s medical care while incarcerated and has called your site demanding a copy of the inmate’s medical records and to speak with the treating provider. The appropriate action would be to send a copy over to the representative since he is a government employee.


YES NO

Correct Answer: No. Without a properly executed, HIPAA-compliant authorization signed by the inmate, the site may not release any information to the state representative, regardless of his position in the Legislature.


Privacy and Security Violations (Scenario 2)

A terminally ill patient has recently died. During his incarceration, he was never visited by any family member nor had any contact with family. Upon his death, his daughter is now demanding a copy of his medical records. The daughter has provided no evidence that she is the personal representative of the estate.

The appropriate action would be to provide the inmate’s health record to the attorney.


YES NO

Correct Answer: No. In order to provide a deceased patient’s records to a family member, the family member must present documentation evidencing that they have been appointed personal representative of the estate. The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the patient.


Scenarios Behind Bars (Scenario 3)

The mother of a MINOR inmate contacts medical and informs you of the following:

She saw her son at a visit today, and he told her that he is not getting his medication and that we put him on medication he does not want to take. It is obvious that she is reporting accurate information.

Can you discuss her son’s healthcare with her because you realize that she has this information?


YES NO

Correct Answer: No. The Employee must consult the Legal Department as to the policy governing disclosure of PHI to a “Personal Representative” of a minor.


Scenarios Behind Bars (Scenario 4)

The mother of an ADULT inmate contacts medical and informs you of the following:

She saw her son at a visit today and he told her that he is not getting his medication and that we put him on medication he does not want to take. It is obvious that she is reporting accurate information.

Can you discuss her son’s healthcare with her because you realize that she has this information?


YES NO

Correct Answer: No. The mother needs to provide verification that she has been authorized / designated as the inmate’s personal representative via a standard Corizon Health Authorization Form, prior to any PHI being released / discussed / disclosed.


Topic 5 – Scenarios – Conclusion


Great job, Topic 5 is complete.



Slides Completed – Go To Quiz

Great Job!

You have completed viewing the 5 Topics.

Please proceed, as instructed by your site Super User, to the Quiz.

A separate Quiz and Answer sheet will be provided to you.