hipaa - Kentucky Health Information Management Association


An Introduction to Compliance
and HIPAA Privacy
RVHIMA Spring 2016 Meeting
Joshua A. Lenavitt, MHA
Regional Director of Compliance and Privacy
Baptist Health Louisville/La Grange
Disclaimer
This presentation is for general education
purposes only. The information contained in
these materials, lecture, ideas and concepts
presented is not intended to be, and is not,
legal advice or even particular business
advice relevant to your personal
circumstances. The laws and regulations
presented in this lecture are open to
interpretation.
Disclaimer Continued
• I am not a lawyer…
• I know several lawyers…
• They were not available today…
• That’s why you have me today!
Objectives
• Define Compliance and discuss in terms of Ethics and
Values
• Gain an understanding of basic HIPAA (Health
Insurance Portability and Accountability Act) law
• Discuss protection of Protected Health Information
(PHI) and Identity Theft/Red Flags
• Briefly discuss Social Media and Healthcare
• Discuss Texting of PHI
Compliance
How would you define Compliance?
What is Compliance?
Compliance may be described as…
• Adhering to federal and state laws
• Following policies and rules
• Monitoring medical documentation and
billing practices
• Observing the HIPAA Privacy Rule
What is Ethics?
Ethics may be described as…
• Core beliefs and convictions
• Values about what is right and good
• Doing the right thing
Compliance & Ethics
Taken together, they define the essence of
Corporate Responsibility:
A values-based culture that guides our actions
in the workplace so that our daily activities
are performed with honesty, integrity, and in
support of organizational Mission, Vision and
Values Statements.
Quick Poll –
TRUE or FALSE?
FRAUD is a deception, a hoax, or a lie that is
made for personal or corporate gain.
Industry and Governmental news
• A dialysis center illegally paid physicians for referrals
and settled with the government for $389 million.
• A hospital allegedly submitted false or fraudulent
claims for doing unnecessary heart procedures and
settled with the government for $16.5 million.
• A clinic operator fraudulently billed Medicare for
medications that were never given to patients, or
were at incorrect dosages, or were unnecessary. A
plea agreement included re-payment of $12 million.
Health and Human Services (HHS), Office
of Civil Rights (OCR) in Action
• Starting in January 2016, HHS OCR began issuing
monthly messages relating to HIPAA and PHI. The
subject matter to date includes:
– Patients’ right to access health information, clarifying
appropriate fees for copies
– Understanding Some of HIPAA’s Permitted Uses and
Disclosures
– Improper disclosure of research participants’ protected health
information results in HIPAA settlement
http://www.hhs.gov/hipaa/forprofessionals/privacy/guidance/access/index.html
HIPAA
The Office for Civil Rights enforces the HIPAA Privacy Rule:
• HIPAA –
Health Insurance Portability and Accountability Act of 1996
– Security Rule, national standards for the security of electronic
protected health information (published in 2003)
– Breach Notification Rule, requires covered entities to provide
notification of HIPAA breaches (published in 2009)
• HITECH – Health Information Technology for Economic and Clinical Health
Act, 2009
• HIPAA Final Omnibus Rule 2013
http://www.hhs.gov
What is PHI?
Protected Health Information (PHI) can be in
any form (electronic, paper, or oral), and
includes:
1) Demographic data
2) Past / present / future physical or mental health
or condition(s)
3) The provision of health care to the individual
4) The past, present, or future payment for the
provision of health care services
Permitted Uses of PHI
• Treatment
• Payment
– Audits / Requests from payors
– Workers’ compensation
• Healthcare operations
– Quality Assessments
– Business Management, such as customer service
and resolution of grievances
Quick Poll –
TRUE or FALSE?
HIPAA was not designed to interfere
with patient care.
TRUE
The HIPAA Privacy Rule allows medical
staff to access information necessary
for patient treatment.
Quick Poll –
TRUE or FALSE?
Under the HIPAA Rules, we must protect our
patients’ information (PHI), which includes:
- Name, address, and phone number
- Social Security number
- Insurance information
- Medical record or account number
- Patient’s picture
Identity Theft
Identity Theft Prevention Programs are designed to detect,
prevent and mitigate identity theft.
Definitions
• Identity Theft – fraud committed or attempted using
the identifying information of another person
without authority.
• Red Flag – a pattern, practice or specific activity that
indicates the possible existence of identity theft.
Identity Theft
Identification of Relevant “Red Flags”
• The presentation of suspicious documents.
• The presentation of suspicious personal identifying
information.
• Suspicious activity related to a covered account.
• Complaint or question is received from a patient based on
their receipt of suspicious documents.
• Notice of address discrepancy.
Our Responsibilities
• Obtain the patient’s permission before discussing
PHI in the presence of visitors (including family
members).
• Refer all requests for medical records to the Health
Information Management (HIM) Department or your
organization’s Release of Information Office.
• Refrain from casual conversation. Hold discussion of
PHI in confidential and secure areas.
• Do not leave charts, files, or computer screens open
and within public view.
Our Responsibilities (cont.)
• Never share passwords. Always lock your computer
when stepping away from your work station.
• Do not email PHI from work to your personal email
address.
• Do not text PHI unless using a secure and approved
platform.
Our Responsibilities (cont.)
• PHI should not be taken off Baptist property unless
secure transport is approved by your manager.
• Do not leave messages concerning a patient’s
condition or test results on a patient’s voicemail.
• Report suspicious behavior, people, or situations to
your manager, security, or the compliance officer.
Quick Poll –
TRUE or FALSE?
Employees are encouraged to share
medical advice with patients and
families via social media (such as
Facebook, Twitter, blogs).
Social Media General Guidance
• Use caution when having online social contact with
patients, former patients, and their family members.
• Avoid posts related to work as these discussions also
have the potential to inadvertently disclose PHI.
• At Baptist Health, we do not use or post patient
information or pictures without prior approval from
Executive Management.
Texting of PHI
• Healthcare providers and covered entities
should be aware of the potential consequences
under HIPAA for unsecure and/or misdirected
text messages.
• Baptist Health has a policy that governs the use
of text messaging as a means of communicating
PHI between providers.
– Only a secure application is acceptable
• e.g. Tiger, MicroBloggingMD, etc.
Key Takeaways
• Compliance impacts all functional areas of the hospital or
organization.
• We all have a responsibility to carry out our activities in
a manner that is ethical, legal, and in support of the
behaviors outlined in your organization’s standards of
conduct, professional organizations’ guidelines, and laws.
• Let someone know if you have a compliance question or
concern. When you speak up, we have an opportunity to
improve our programs and resolve issues before they
become more serious.
Joshua Lenavitt
Regional Director of Compliance and Privacy
Baptist Hospital Louisville & La Grange
(502) 779-1073 phone
[email protected]