HIPAA & HITECH
Confidentiality
Audio Enabled
This course has an audio track. Please ensure your speakers are turned on.
Volume can be adjusted using the controls on the bottom left.
Course Agenda
HIPAA & HITECH
Privacy Beyond HIPAA & HITECH
Clinic Responsibilities
Resources
Target Audience: This course is required for all employees, interns, board members and certain volunteers
Course Length: This course takes about 30 minutes to complete
Course Completion: You must complete the learning module and the assessment to receive credit for this course
Objectives
Upon completing this course, you will be able to:
Recognize HIPAA & HITECH requirements
Identify situations where privacy could be at risk and take appropriate action
Know when and where to report issues and/or seek help
Why Privacy Matters
The healthcare environment is subject to a growing number of regulations and enforcement activities
HIPAA and HITECH are federal laws with legal consequences for violations. They protect privacy, confidentiality and security of “individually identifiable health information”
Other privacy laws protect confidential business information
General Principles for Uses and Disclosures
A major purpose of privacy regulations is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities
A covered entity, such as the Open Door Clinic, may not use or disclose protected health information, except as the Privacy Rule permits or as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing
Privacy & Non-Clinical Roles
Privacy goes beyond employees in clinical assignments
Non-clinical staff, interns, volunteers, and board members could be exposed to confidential information making it important to understand the basic tenets of privacy
Understanding Open Door requirements will help ensure your success and avoid inadvertently putting the clinic at risk
HIPAA and HITECH
Covered Entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with certain administrative or financial transactions standardized under HIPAA.
HIPAA and HITECH regulations must be followed by employees, third party contractors and volunteers.
HIPAA and HITECH provide federal protections for individually identifiable health information (i.e., protected health information or “PHI”) held by Covered Entities and Business Associates and give patients increased control over the use and disclosure of their health information.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. The U.S. Department of Health and Human Services (HHS) issued major revisions to HIPAA's privacy and security regulations in 2013 (the Omnibus Rule).
The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009, implemented new rules for the accounting of disclosures of a patient's health information, extending existing disclosure requirements to electronic health records (EHR).
Protected Health Information (PHI)
Over time, the U.S. Department of Health and Human Services (HHS) has issued several regulations to implement HIPAA requirements and new requirements under HITECH
The Privacy Rule standards address the use and disclosure of protected health information (PHI) in any form by the Covered Entities
Protected Health Information (PHI) refers to individually identifiable health information – meaning the information can be linked to a particular person
Examples of Individually Identifiable Health Information (identifiers that, on their own or together with health data, link the data to a person)
• Name
• Address
• Employer
• Relatives’ names
• Dates directly related to the individual: date of birth, admission date, discharge date, date of death
• Telephone and fax numbers
• E-mail addresses
• IP addresses and Web URLs
• Social Security Number
• Medical Record Number
• Health plan beneficiary numbers
• Member or account numbers
• Device and vehicle identifiers and serial numbers
• Biometric identifiers such as voice prints and fingerprints
• Full-face photographs and comparable images
• Any other unique identifying number, characteristic, or code
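The list above is what a de-identification step must strip before patient data can be treated as "de-identified" rather than PHI. The following Python script is an added example, not part of the original course material: it removes those identifier types from a structured patient record and from free-text notes. The record layout, the field names, and the sample patient are constructed for this example. The rules that keep only the year of a date, only the first three ZIP digits, and aggregate ages over 89 into "90+" come from the HIPAA Safe Harbor de-identification standard (45 CFR 164.514(b)), not from this page.

```python
"""Safe Harbor style de-identification of a patient record (added example).

Field names, record layout and the sample patient are constructed for this
example; they are not a real EMR schema or real patient data.
"""
import re
from datetime import date

# Direct identifiers from the course's list; these fields are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "employer", "relatives", "phone", "fax", "email",
    "ip_address", "url", "ssn", "mrn", "member_id", "account_number",
    "beneficiary_id", "device_serial", "vehicle_serial", "biometric",
    "photo", "other_unique_code",
}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

# Identifiers that turn up inside free text: (label, pattern, replacement).
# Order matters: the specific MRN/SSN/email/IP rules run before the looser phone rule.
FREE_TEXT_RULES = [
    ("MRN",   re.compile(r"\bMRN[ #:]*\d+\b", re.I),                              "[MRN]"),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                               "[SSN]"),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),                    "[EMAIL]"),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),                         "[IP]"),
    ("PHONE", re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]"),
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),                         r"\1"),  # keep year only
]


def find_identifiers(text: str) -> list:
    """Labels of identifier patterns still present in text; use it to verify a scrubbed note."""
    return [label for label, pat, _ in FREE_TEXT_RULES if pat.search(text)]


def scrub_free_text(text: str, name: str = "") -> str:
    """Replace embedded identifiers, then strip the tokens of this record's own name."""
    for _, pat, repl in FREE_TEXT_RULES:
        text = pat.sub(repl, text)
    # A generic pattern cannot find names; the record's own name field is the
    # minimum. Real notes need a name list or NER on top of this.
    for token in name.replace(".", "").split():
        if len(token) > 2:
            text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text, flags=re.I)
    return text


def age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record: dict, as_of: date, small_area_zip_prefixes=frozenset()) -> dict:
    """Return a Safe Harbor de-identified copy of record.

    small_area_zip_prefixes: 3-digit ZIP prefixes covering 20,000 people or
    fewer, which Safe Harbor requires to become 000; the caller supplies them
    from census data (left empty in this example).
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field] = str(value.year) if value else None
        elif field == "zip":
            prefix = str(value)[:3]
            out["zip3"] = "000" if prefix in small_area_zip_prefixes else prefix
        elif field == "notes":
            out["notes"] = scrub_free_text(value, record.get("name", ""))
        else:
            out[field] = value
    dob = record.get("date_of_birth")
    if dob:
        age = age_on(dob, as_of)
        if age >= 90:
            # Ages over 89 are aggregated, and a birth year would reveal the age.
            out["age"] = "90+"
            out.pop("date_of_birth", None)
        else:
            out["age"] = age
    return out


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "4481920",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "phone": "555-010-2345",
    "zip": "27514",
    "date_of_birth": date(1931, 6, 2),
    "admission_date": date(2023, 3, 14),
    "discharge_date": date(2023, 3, 20),
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt Jane reachable at 555-010-2345 or jane@example.org; "
             "MRN 4481920; seen 03/14/2023 from 10.0.0.5.",
}
AS_OF = date(2024, 1, 1)  # fixed reference date so the sample is reproducible


def run_sample() -> dict:
    return deidentify(SAMPLE_RECORD, as_of=AS_OF)


if __name__ == "__main__":
    clean = run_sample()
    print(clean)
    print("identifiers left in notes:", find_identifiers(clean["notes"]))
```

The structured fields are the easy part; the free-text notes are where PHI leaks in practice, which is why the script runs find_identifiers over the scrubbed note as a check rather than trusting the substitution. A regex pass is a floor, not a ceiling: names, nicknames and rare conditions in notes still need a name list or an NER model, and data de-identified this way stays on clinic resources under the "De-Identified Data" handling rules described later in this course.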
Minimum Necessary Principle
The “minimum necessary” principle requires that use, disclosure, or requests for PHI be limited to the “minimum necessary” needed to perform the specified job or function and that access to such PHI is limited to only those individuals who require it to perform their assigned activity
System security supports us in meeting the minimum necessary principle
2013 Updates – Overview
Highlights of the final Omnibus Rule of 2013:
• Breach notification requirements
• Disclosures to health plans
• Marketing communications
• Disclosures after death
• Sale of PHI
The final Omnibus Rule of 2013 expands the obligations of health care providers to protect patients’ protected health information (PHI), extends these obligations to business associates who have access to PHI, and increases the penalties for violations of any of these obligations.
The new rules affect clinic confidentiality policies and procedures in several areas, including:
• Copies of e-PHI
• Emailing PHI
• Charging for copies of e-PHI or PHI
• Research authorizations
Notice of Privacy Practices (NPP): the NPP must be amended under the new rules to reflect all of the changes highlighted above. Because of the significance of these changes, the revised NPP must be made available in our offices to all new patients and to anyone else on request.
2013 Updates – Business Associate Agreements
Under the Omnibus Rule, certain key changes impact the area of Business Associate Agreements:
• The definition of Business Associates has been enlarged
• The liability and obligations of Business Associates have been expanded so that they are directly liable under the HIPAA Privacy and Security Rules
• A new standard has been established for privacy breach notification
The new rules expand the universe of individuals and companies that must be treated as business associates to include Patient Safety Organizations and others involved in patient safety activities, health information organizations like e-prescribing gateways or health information exchanges that transmit and maintain PHI, and personal health record vendors that practitioners sponsor for their patients.
As a result of these changes, Open Door will be reviewing and entering into new Business Associate agreements with those who create, receive, store, maintain or transmit PHI on our behalf.
HIPAA/HITECH Enforcement & Penalties
Civil: HIPAA and HITECH rules are enforced by the Office for Civil Rights (OCR) of HHS; criminal violations are prosecuted by the Department of Justice
State attorneys general may also bring civil actions in federal court on behalf of their citizens who are harmed by a violation
HITECH creates a tiered system for HIPAA civil violations/penalties, up to $1.5M per identical provision per calendar year
Criminal: Criminal penalties apply to a person (including an employee or other individual) who knowingly obtains or discloses individually identifiable health information maintained by a Covered Entity without authorization, in violation of HIPAA
Let’s Check Your Understanding
HIPAA is an acronym. Listed below are two options for the words that it represents.
Please click the correct answer.
Health Insurance Privacy and Accessibility Act
Health Insurance Portability and Accountability Act
If you chose “Health Insurance Portability and Accountability Act”: You’re right!
If you chose “Health Insurance Privacy and Accessibility Act”: Good try but not the right answer!
HIPAA stands for the Health Insurance Portability and Accountability Act
HIPAA is a federal law that sets rules for health care providers and health plans about who can look at and receive health information
The HIPAA Privacy Rule ensures individuals have rights over their health information, including the right to get one’s own information, make sure it’s correct, and know who has seen it
Privacy Beyond HIPAA & HITECH
Confidential data beyond PHI includes:
• Clinic business information (financial data, grant info, etc.)
• Employee information (salary, performance, etc.)
• Proprietary software or tools
A variety of legislation protects other confidential data that you may encounter in the course of your work
Regulations must be followed by employees, third party contractors and volunteers
Open Door Clinic Responsibilities
• Health Centers are considered Covered Entities under HIPAA and HITECH and have responsibility to train the workforce, including interns and certain volunteers, on privacy and security requirements
• Additional responsibilities include:
‐ Limit use and disclosure of PHI to only the minimum necessary needed to accomplish a task, service, or activity
‐ Develop policies and procedures to control access to, and the use of, PHI
‐ Implement reasonable safeguards to limit incidental uses and disclosures
‐ Institute physical and technical controls that limit access to PHI by members of the workforce to fulfill the Minimum Necessary Principle
Collaboration: How We Work with Data
PHI &/or Confidential Data
• What: individually identifiable health information and other confidential clinic data
• Where: only on clinic premises and resources – never remove
• Access: extremely restricted
• Example: intern or volunteer helping scan records into the EMR
De-Identified Data
• What: patient data with identifying information removed
• Where: only on clinic premises and resources – never remove
• Access: restricted
• Example: R&D staff analyzing ethnicity and age for planning a marketing campaign
Mock Data
• What: fictitious data created for demonstration or simulation purposes
• Where: preferably worked on clinic premises and resources
• Access: controlled
• Example: intern with expertise in Excel teaching staff how to manipulate data
Communication: Inside & Outside the Clinic
Inside the Clinic
• PHI is not discussed in the presence of members of the general public.
• PHI is not disclosed to friends or family of a patient without permission.
• Access to PHI is controlled physically and electronically. Be careful to immediately pick up confidential information that you print, lock up physical files, and close down computer files when stepping away from your desk.
Outside the Clinic
• Do not show recognition of a client verbally or non-verbally in public, unless they acknowledge you first.
• PHI is never discussed in a public setting.
• PHI is not emailed without the requesting individual being advised of the risk and still requesting such transmission in writing. Similarly, we don’t leave phone messages without written permission to do so.
Let’s Check Your Understanding
A health center is transitioning from paper to electronic medical records. A volunteer is asked to scan patient records into an electronic format.
Is this an appropriate activity for a volunteer?
Yes
No
If you chose Yes: You’re right! Scanning records is an appropriate activity. Volunteers may have access to PHI when directed, and the complete data is necessary to complete the task.
If you chose No: Good try but not the right answer! While it’s wise to be cautious about being exposed to PHI, scanning records is an appropriate volunteer activity.
Any volunteer who will be accessing patient records should complete Confidentiality training before beginning the scanning.
Also, the volunteer should only access the PHI that is necessary to perform the scanning (e.g. they should not be reading records).
What would you do?
HRSA has a site visit scheduled. In preparation, you need to audit multiple client charts with PHI and you’re afraid that you don’t have time to complete what’s necessary.
How would you proceed?
Stay at the clinic late into the evening to finish the project – the data stays at Open Door as it should
Put the data on a thumb drive and take it home to work – you can meet the deadline and balance your life
Borrow a laptop from Open Door and take it home – you are using a clinic asset to work on your project so it’s okay
Work with your manager to see if another employee can assist you in completing the project during work hours
If you chose to work with your manager: You’re right! Your answer shows that you recognize that you should not remove PHI from the clinic – whether hardcopy, on a thumb drive or a clinic laptop.
If you chose any other option: No, that’s not the correct answer! You should not remove PHI from the clinic – whether hardcopy, on a thumb drive or a clinic laptop.
The best approach is to talk with your manager and see if another employee can assist you in conducting the audit during work hours.
Another option is to stay at the clinic into the evening to finish your audit; however, that should only occur if you and your manager cannot find another way to accomplish the task during work hours.
Resources & Summary
Your Responsibilities
Become familiar with Open Door’s confidentiality policies
Elevate incidents, questions or concerns to Open Door’s Assistant Director, who oversees compliance
Adhere to data handling guidelines
‐ Limit your access to PHI in accordance with the Minimum Necessary Principle
‐ Don’t ever take PHI outside the clinic
Locating Additional Resources
• Open Door Employee Toolkit
• HIV/AIDS Confidentiality Course
• Other Questions & Concerns
Open Door Compliance, headed by Assistant Director Perry Maier
Please share examples of HIPAA/HITECH Confidentiality situations so we can continue to enhance this training
Always report any questionable situations
You have successfully completed the course. You should now be able to:
• Recognize the scope of confidentiality requirements: HIPAA and HITECH rules set standards and limits on who can look at and receive health information. Remember that interns and volunteers are considered members of the Health Center workforce and must comply with HIPAA and other privacy protections.
• Identify situations where privacy could be at risk and take appropriate action to limit access to PHI: privacy is at risk whenever PHI is involved, and no PHI may ever be removed from the center.
Know when and where to report issues and/or seek help
Certification Quiz
Please advance into the next section to complete the accompanying Certification Quiz in order to receive credit for course completion
• For additional questions about the course, please email [email protected]
You have completed the course and may now exit
Thank you!