Welcome to the 2007
Download
Report
Transcript Welcome to the 2007
Draft v. 11
03-31-09
Welcome to the
Privacy and Security
Training Session!
© Copyright 2009 HIPAA COW
1
Disclaimers
This HIPAA Privacy & Security Training Session is Copyright
2009 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”).
It may be freely redistributed in its entirety provided that this
copyright notice is not removed. It may not be sold for profit
or used in commercial documents without the written
permission of the copyright holder. This HIPAA Privacy &
Security Training Session is provided “as is” without any
express or implied warranty. This HIPAA Privacy & Security
Training Session is for educational purposes only and does not
constitute legal advice. If you require legal advice, you should
consult with an attorney. HIPAA COW has not yet addressed
all state pre-emption issues related to this HIPAA Privacy &
Security Training Session. Therefore, this document may need
to be modified in order to comply with Wisconsin law.
© Copyright 2009 HIPAA COW
2
Disclaimers continued…
This is an example training session containing only
some of the Privacy & Security topics which
organizations are required to train. It is not legal
advice and is not intended to cover all privacy &
security laws’ training requirements. It may
contain items not required by your organization
and/or that need to be tailored to your
organization’s P&Ps. It may also be too lengthy to
provide in just one session. Slides are provided for
informational purposes only.
© Copyright 2009 HIPAA COW
3
HIPAA Topics Covered
HIPAA Privacy &
Security Contacts
What is HIPAA?
Why Follow HIPAA?
HIPAA Definitions
Who protects PHI?
Patient Rights
Security
Audit Trails
Violations
Release of Information
Identity Verification
Documenting Disclosures
Safeguarding Information
BAAs & Other Agreements
Your Role
Reporting Violations
© Copyright 2009 HIPAA COW
4
Privacy and Security and/or
Compliance Committee Members
Privacy Officer: [Insert Name and contact information]
Security Officer: [Insert Name and contact information]
Name, title, extension and email address
© Copyright 2009 HIPAA COW
5
What is HIPAA?
HIPAA is an acronym for the Health
Insurance Portability & Accountability Act
of 1996 (45 C.F.R. parts 160 & 164).
Provides a framework for the establishment
of a nationwide protection of patient
confidentiality, security of electronic
systems, and standards and requirements
for electronic transmission of health
information.
© Copyright 2009 HIPAA COW
6
What is HIPAA?
HIPAA Consists of three separate parts:
1) Privacy, 2) Security, and 3) Electronic Data Exchange
HIPAA mandates accountability
PRIVACY
SECURITY
Each part has
separate
regulations to
comply with
ELECTRONIC DATA
EXCHANGE
© Copyright 2009 HIPAA COW
7
Parts of HIPAA:
1. The Privacy Rule
The Privacy Regulations went into effect April 14, 2003.
Privacy refers to the protection of an individual’s health
care data.
Defines how patient information is used and disclosed.
Gives patients privacy rights and greater control over
their own health information.
Outlines ways to safeguard Protected Health Information
(PHI).
We also need to keep in mind Wisconsin privacy laws,
such as WI Chapters 51, 146, 252 and DHS 92, which in
some situations continue to protect patients’ rights more
than the HIPAA Regulations.
© Copyright 2009 HIPAA COW
8
Parts of HIPAA:
2. The Security Rule
Security (IT) regulations went into
effect April 21, 2005.
Security means controlling:
– The confidentiality of electronic
protected health information (ePHI).
– How patient data is electronically
stored.
– How patient data is electronically
accessed.
© Copyright 2009 HIPAA COW
9
Parts of HIPAA:
3. EDI
Electronic Data Exchange (EDI) – defines the
format of electronic transfers of information
between providers and payers to carry out
financial or administrative activities related to
health care.
Information includes coding, billing and
insurance verification.
The goal of using the same formats is to
ultimately make the billing process more
efficient.
© Copyright 2009 HIPAA COW
10
Why Should Our Organization
Comply with HIPAA?
We must be committed to protecting our
patients’ privacy.
[Organization] is placing trust in you to follow
the policies. This is not an option, it is required.
Choosing not to follow these rules,
– Could put you at risk.
– Could put [name of organization] at risk.
© Copyright 2009 HIPAA COW
11
Why Should Our Organization
Comply with HIPAA?
The right thing to do is to:
– Protect patient records.
– Protect business data.
– Protect patient data and reduce the
risk of litigation to organizations.
There are significant penalties associated
with non-compliance to organizations
and employees of those organizations.
© Copyright 2009 HIPAA COW
12
HIPAA Regulations
The HIPAA Regulations require we protect our patients’
PHI in all media including, but not limited to, PHI
created, stored, or transmitted in/on the following
media:
– Verbal discussions (i.e. in person, on the phone, etc.).
– Written on paper (i.e. chart, progress note, encounter form,
–
–
prescription, x-ray order, referral form, explanation of benefits (EOBs),
scratch paper, etc.).
In all of our computer applications/systems (i.e.
electronic health record (EHR), Practice Management, Lab, X-ray,
Microsoft, etc.).
In all of our computer hardware/equipment (PCs,
laptops, PDAs, pagers, fax machines/servers, cell/multifunctional phones,
patient care devices, servers, etc.).
© Copyright 2009 HIPAA COW
13
This training session
provides reminders of
[Organization’s] policies
and of how you, an
employee or provider, are
required to protect PHI.
© Copyright 2009 HIPAA COW
14
Why is Privacy and Security
Training Important?
It outlines ways to prevent accidental and
intentional misuse of PHI.
To make PHI secure with minimal impact to
staff and business processes.
It’s not just about HIPAA – it’s about doing
the right thing.
We should treat personal electronic data
with the same care and respect as weaponsgrade plutonium -- it is dangerous, longlasting and once it has leaked, there's no
getting it back. -- Corey Doctorow
© Copyright 2009 HIPAA COW
15
This training is designed to educate you
on the importance of Privacy and Security
It is everyone’s responsibility to take the
confidentiality of patient information seriously.
Anytime you come in contact with patient
information or any PHI that is written, spoken or
electronically stored, YOU
become involved with some
facet of the privacy and security
regulations.
The law requires us to train you.
© Copyright 2009 HIPAA COW
16
HIPAA Definitions
What is Protected Health Information (PHI)?
PHI is Individually Identifiable
Health Information (IIHI) relating to
information about:
Health/condition of an individual.
Payment for health care of an
individual.
Reasonably identifies the individual
(patient identifiers/demographics).
© Copyright 2009 HIPAA COW
17
HIPAA Definitions
PHI Includes:
Items in the record, such as:
– Encounter/visit documentation
– Lab Results
– Appointment dates/times
– Invoices
– Radiology films and reports
– History and Physicals (H&Ps), etc.
© Copyright 2009 HIPAA COW
18
HIPAA Definitions
PHI Includes:
Patient Identifiers
PHI includes information by which
the identity of a patient can be
determined with reasonable
accuracy and speed either directly
or by reference to other publicly
available information.
© Copyright 2009 HIPAA COW
19
HIPAA Definitions
PHI Includes Patient Identifiers
Examples include:
Names
Web universal resource
Medical Record Numbers
locaters (URLs)
Social Security Numbers
Any dates related to any
Account Numbers
individual (date of birth)
License/Certification
Telephone numbers
numbers
Fax numbers
Vehicle Identifiers/Serial
Email addresses
numbers/License plate
Biometric identifiers
numbers
including finger and voice
Internet protocol
prints
addresses
Health plan numbers
Any other unique
identifying number,
Full face photographic
images and any
characteristic or code
© Copyright 2009 HIPAA COW
comparable images
20
HIPAA Definitions
Use: when we review or use PHI
internally (audits, training, customer
service, quality improvement).
Disclose: when we release or provide
PHI to someone (ex. an attorney, a
patient, faxing records to another
provider, etc.).
© Copyright 2009 HIPAA COW
21
HIPAA Definitions
What does releasing the “minimum necessary”
PHI mean?
– To use or disclose/release only the minimum
necessary to accomplish the intended purposes of the
use, disclosure, or request.
– Requests from employees at [organization]:
Identify each workforce member who needs to access PHI.
Limit the PHI provided on a “need-to-know” basis.
– Requests from individuals not employed at
[organization]:
Limit the PHI provided to what is needed to accomplish the
purpose for which the request was made.
© Copyright 2009 HIPAA COW
22
HIPAA Definitions
What is TPO?
HIPAA allows us to Use and/or Disclose PHI for the purpose
of:
– Treatment – providing care to patients.
– Payment – the provision of benefits and premium payment.
– Operations – normal business activities (reporting, quality improvement,
training, auditing, customer service and resolution of grievances data
collection and eligibility checks, accreditation, etc.).
These terms are collectively referred to as TPO.
PHI used outside of TPO is not allowed without a signed
authorization.
TPO must be within the minimum necessary to perform your
job!
© Copyright 2009 HIPAA COW
23
Why Do We Need to
Protect PHI?
It’s the law.
To protect our reputation.
To avoid potential withholding of federal
Medicaid and Medicare funds.
To build trust between providers and patients.
– If patients feel that their PHI will be kept
confidential, they will be more likely to share
the information needed for their care.
© Copyright 2009 HIPAA COW
24
Who or What Protects PHI?
The Federal Government through the laws of HIPAA.
– Civil penalties up to $25,000 for Failure to Comply.
– Criminal penalties:
$50,000 fine and 1 year prison for knowingly obtaining
and wrongfully sharing information.
$100,000 fine and 5 years prison for obtaining and
disclosing through false pretenses.
$250,000 fine and 10 years prison for obtaining and
disclosing for commercial advantage, personal gain, or
malicious harm.
Our organization, through the Notice of Privacy Practices
(NOPP).
You, by following our policies and procedures.
© Copyright 2009 HIPAA COW
25
Enforcement
The Public. The public will be educated
about their privacy rights and will not tolerate
violations to their privacy! They will take
action.
Office For Civil Rights (OCR). This is the
agency that enforces the privacy regulations.
They will provide guidance and monitor
compliance.
Department of Justice (DOJ). This agency
is involved in criminal privacy violations.
Provides fines, penalties and imprisonment to
offenders.
© Copyright 2009 HIPAA COW
26
HIPAA Regulations
Brought individual privacy rights
to patients.
Require that we provide these
rights to them.
– The following slides explain patient
rights…
© Copyright 2009 HIPAA COW
27
Patient Rights: Access
Right to inspect and copy their PHI.
Situations where access may be denied or delayed:
– Psychotherapy notes.
– PHI compiled for civil, criminal or administrative action or
proceedings.
– PHI subject to CLIA Act of 1988 when access would be prohibited by
law.
– Access would endanger a person’s life or safety based upon a
professional judgment.
– A correctional inmate’s request may jeopardize health and safety of
the inmate, other inmates or others at the correctional institution.
– A research study has previously secured agreement from the
individual to deny access.
– Access is protected by the Federal Privacy Act.
– PHI was obtained under promise of confidentiality and access would
reveal the source of the PHI.
© Copyright 2009 HIPAA COW
28
Patient Rights: Alternative
Communications
Right to request to receive
communication by alternative means
or location. Examples:
– The patient may request a bill be sent
directly to him instead of to his insurance
company.
– The patient may request we contact her
on her cell phone instead of at her home
telephone number.
© Copyright 2009 HIPAA COW
29
Patient Rights:
Special PHI Requests
What should I do if a patient requests
we always call a family member
instead of her?
– Request patients with permanent and
special/unique calling and/or mailing
Alternative
communication
instructions to go to the [Patient
requests
Relations Department] or HIM
Department to complete and sign a
written request.
© Copyright 2009 HIPAA COW
30
Patient Rights:
Amendment Requests
Right to Request an Amendment or Correct PHI.
– Situations where a request may be denied.
[Organization] did not create the information.
Record is accurate according to the health care
professional that wrote it.
Information is not part of the [Organization’s] record.
A patient states there is an error in his electronic
record and wants it corrected. What should I do?
–
Request the patient contact the HIM Department to
request to have the record amended.
© Copyright 2009 HIPAA COW
31
Patient Rights:
Restrictions and AOD
Right to Request a Restriction on use and disclosure
of their PHI (ex. revoke a previous authorization, request
to not give to certain providers, request to not provide
for research purposes).
– We are not required to approve the request, but must make
reasonable efforts to approve it, when possible.
Right to an Accounting of Disclosures (AOD).
– Must give information on disclosures of information
released except those that were given to:
The Individual.
TPO.
Law enforcement officials, correction institutions or
national security.
© Copyright 2009 HIPAA COW
32
Patient Rights: Right to Receive an
Accounting of Disclosures of PHI
A. An individual may request an accounting for
disclosures as far back as six years before the time of
the request - but to start no earlier than April 14,
2003.
B. A covered entity must suspend accounting of
disclosures to a patient if an agency or law
enforcement indicate the accounting is likely to
impede the agency’s activity.
© Copyright 2009 HIPAA COW
33
Patient Rights: Right to Receive an
Accounting of Disclosures of PHI
C. Disclosures NOT requiring accounting include disclosures
made:
– For Treatment (to persons involved in the individual’s
care), Payment or Operations.
– To the individual subjects of the PHI.
– Incident to an otherwise permitted disclosure.
– Based on the individual’s signed authorization.
– For a facility directory.
– For national security or intelligence purposes.
– To correctional facilities or law enforcement on behalf
of inmates.
– As part of a limited data set (see 164.514).
– That occur prior to the compliance date of April 14,
© Copyright 2009 HIPAA COW
34
2003.
Patient Rights: Right to Receive an
Accounting of Disclosures of PHI
D. Disclosures requiring accounting include:
– Required by law
– For public health activities
– Victims of abuse, neglect,
violence.
– Health oversight activities
– Judicial/Administrative
proceedings
– Law enforcement
purposes
– Organ/eye/tissue donations
– Research purposes
– To avert threat to health and
safety
– For specialized government
functions
– About decedents
– Workers’ compensation
– Releases made in error to an
incorrect person/entity (i.e.
breach)
© Copyright 2009 HIPAA COW
35
Patient Rights: NOPP
Are we still required to request patients sign
the Notice of Privacy Practices (NOPP)
acknowledgment prior to their first visit?
–
–
Yes. Please continue to request they sign the
acknowledgment before they see a provider for
their first appointment at [Organization].
Patient signs the Acknowledgment of Receipt to
confirm that they have been offered and/or received
the Notice.
What is the purpose of the NOPP?
–
–
Summarizes how [Organization] uses and
discloses patient’s PHI.
Details patient’s rights in respect to their PHI.
© Copyright 2009 HIPAA COW
36
Patient Rights:
NOPP Reminders
If a patient or legal guardian refuses to take a NOPP,
this is their right; do not force them to take one.
If a patient or legal guardian refuses to sign the
acknowledgment form, document this on the form and
in the system.
Once the patient turns 18, he/she must sign an
acknowledgment form.
Host parents of a foreign exchange student may act on
behalf of the student’s biological parent(s) and sign the
NOPP acknowledgment form.
© Copyright 2009 HIPAA COW
37
Patient Rights:
Privacy Complaints
Right to file a privacy complaint.
– Direct all requests or complaints
regarding these rights to the
Privacy Officer at [XXX-XXXX].
© Copyright 2009 HIPAA COW
38
Security
One key element of protecting our patient’s
PHI lies in maintaining the security of our
systems, which houses and transmits ePHI
(electronic protected health information).
The HIPAA Security Rule outlines how we
are to do this.
How do we protect our computer systems
and our patients’ information in them?
Read on to explore this…
© Copyright 2009 HIPAA COW
39
Applying the Security Rule
Administrative Safeguards
– Policies and procedures of the organization are
REQUIRED and must be followed by the employees
to maintain security (i.e. disaster recovery of
computer systems, use of the internet, use of email,
faxing, use of voicemail, computer hardware and
software standards).
Technical Safeguards
– Many technical devices are needed to
maintain security. Examples include
different levels of computer passwords,
screen savers and devices to scan ID
badges, data backups, disposal of media,
encryption, audit trails. Computer and
system processes are set up to protect,
control and monitor information access.
© Copyright 2009 HIPAA COW
40
Applying the Security Rule
Physical Safeguards. Many physical barriers and devices are needed
to maintain security. Examples include installing locks on doors,
securing buildings and rooms, identifying visitors, locking file cabinets to
protect the organization’s property and the health information.
Personnel Security. Organizational policies and procedures manage
the assignment of access authority to employees and other workforce
members. Procedures should address employee transfers, role
changes and terminations. Effective security and privacy training must
be conducted.
© Copyright 2009 HIPAA COW
41
Access to ePHI: UNs and PWs
How do we control access to electronic
protected health information (ePHI) in our
computer systems?
–
–
By requiring all users to utilize individually unique
Usernames (UNs) and Passwords (PWs), we control
access to the information in each of our computer
systems and applications.
UNs and PWs control what users are able to access and
help us identify what information users accessed in our
applications.
© Copyright 2009 HIPAA COW
42
Access to ePHI: UNs and PWs
Cont.
For these reasons, you may not share your UNs and PWs
with anyone else (the only exception to this is to share a
UN and PW with IS, if necessary, for troubleshooting a
computer problem).
When leaving a computer, ALWAYS:
– Log off, OR
– Lock the computer screen (Ctrl-Alt-Del and select lock).
This prevents other users from using
your applications.
© Copyright 2009 HIPAA COW
43
Access to ePHI: UNs and PWs
Cont.
Creating strong passwords.
– Use at least 6-8 characters.
– Use a minimum of 2 letters and 1 number, and
capital and lower case letters.
– Do not use pw’s that may be easily guessed, such
as: names (spouse’s, pet’s, child’s, etc.), significant
dates, words, favorite team names, etc.
Note: UN and PW controls are required by law.
TIP: Use a “pass-phrase” to help you remember
your password such as: MbcFi2yo
(My brown cat, Fluffy, is two years old).
© Copyright 2009 HIPAA COW
44
Protect Your UNs and PWs
Memorize your PW. Don’t post UNs and PWs on
your computer, notebook, tablet, under your
keyboard, etc.
–
Lock up your UNs and PWs so they may not be
accessed by anyone else.
If you believe one of your PWs has been
compromised, request the IS Department to
change it.
–
If you think PHI may have been inappropriately
accessed, discuss it with the Privacy Officer.
© Copyright 2009 HIPAA COW
45
Help Protect Our
Systems/Equipment
–
It is your responsibility to protect
[Organization’s] systems/
equipment/computers at all times.
Do not disable anti-virus software, malware
protection, or any other security items unless
directed by the IS Department.
If you have access from offsite (remote Citrix,
Outlook web access, VPN, SSL, URL, etc.)
and/or a PC, pager, phone, or PDA, this is for
your use only.
Family and friends may not utilize it.
© Copyright 2009 HIPAA COW
46
Email Security
It is against [Organization’s] policy to
forward “joke emails”.
–
“Joke” emails frequently have viruses
attached to them and they take up a lot of
space on our servers.
Refer to the Release of Information
slides for emailing ePHI requirements.
Please report it to the IS Help Desk if
you receive a suspicious and/or
threatening email.
© Copyright 2009 HIPAA COW
47
Audit Trails of What I Access
The Security regulations require this.
[Organization] conducts random audits of employee
and provider access to determine:
–
–
Appropriateness of access, and
If access is in compliance with [Organization’s]
policies.
Audit trails show what patients have been accessed,
the date and time of the access, what was
accessed, etc.
–
If access appears to be inappropriate, the Privacy
Officer works with leaders, Human Resources and the
employee/provider to determine whether or not it
© Copyright 2009 HIPAA COW
48
was appropriate.
Audit Trails and HIPAA
Violations
What are some common types of
HIPAA privacy and security
violations found in these audit
trails and/or reported?
Following are a few examples
from which to learn…
© Copyright 2009 HIPAA COW
49
Audit Trails:
Access to Own ePHI
An employee viewed his own
appointment list. Another
employee accessed her own lab
results from her own workstation
(using her own password). Is this
against [Organization’s] policies?
© Copyright 2009 HIPAA COW
50
Audit Trails:
Access to Own ePHI
Yes, it is [Organization’s] policy that you may not directly
access your own medical record, using your own
password in any system/application.
PHI in the electronic medical record, scheduling/billing
system, etc. are considered a part of your medical
record. In fact, PHI in all [organization’s] systems make
up your medical record.
– To view your medical record, contact the HIM/release of
information department at [#].
– To view your appointment list, contact a receptionist in the
department in which you schedule appointments.
– To view your billing information, contact the [billing area] at
extension [#].
© Copyright 2009 HIPAA COW
51
Audit Trails: Access to a
Family Member’s PHI and
Unassigned Tasks
A receptionist scheduled an
appointment for her child in
a different department/site
than she works. Is this
against [Organization’s]
policies?
© Copyright 2009 HIPAA COW
52
Audit Trails: Access to a
Family Member’s PHI and
Unassigned Tasks
Yes. Only schedule appointments as assigned in the
departments in which you work. If you don’t work in
that department, call the receptionist in that
department and request him/her to schedule the
appointment.
Note: while scheduling this appointment, the
employee may have viewed appointment information
which she did not have the right to see.
Don’t schedule appointments for or otherwise view,
access, edit, etc. family members’ PHI, unless it is
a part of your assigned duties, it is an urgent matter,
AND nobody else is available to do the job at that
© Copyright 2009 HIPAA COW
53
time.
Audit Trails:
Access to PHI by a Coworker
An employee requested a coworker to
view his/her appointment list to find the
last time the employee had a physical in
Internal Medicine. Her coworker does
not work in the Internal Medicine
department. Is this against
[Organization’s] policies?
© Copyright 2009 HIPAA COW
54
Audit Trails:
Access to PHI by a Coworker
Yes. It is inappropriate to ask
your coworkers to do this if it is
not part of their regular assigned
job responsibilities.
If you need to know when you
had your last physical, call the
department in which you had
this appointment (or will be
scheduling your next
appointment).
© Copyright 2009 HIPAA COW
55
Audit Trails:
Securing Systems
When leaving his/her computer, an employee didn’t
log off the electronic medical record; another
employee then utilized it to look up her own and her
family members’ transcriptions, appointment lists,
medications, etc.
– Important Note: in this situation, both employees
did not follow [Organization’s] P&Ps which require:
Logging off/securing all applications when
unattended.
Using the password protected screensaver when
leaving it unattended.
Not using another person’s login, unless they are
training you and directly observing what you do.
© Copyright 2009 HIPAA COW
56
Audit Trails: Accessing More
Than the Minimum Necessary
A clinical staff employee is assigned to
routinely view and update medications, blood
pressure, pulse, and weight for each patient
being seen by the provider with whom she
works. She was curious and concerned about
a particular patient’s health, and therefore
viewed several other records, such as lab
results, and specialist transcriptions.
–
Note: It was determined this was a breach of
confidentiality as she was not requested by her
provider and/or supervisor to access this
patient’s additional records.
© Copyright 2009 HIPAA COW
57
Audit Trails: Accessing More
Than the Minimum Necessary
We may only access the minimum
necessary to complete our assigned job
responsibilities. This means we may not
access information out of curiosity and/or
concern about a patient’s health.
© Copyright 2009 HIPAA COW
58
The following slides
provide examples of Privacy
and Security violations to help
you better understand how
they occur so that you may
help prevent them.
© Copyright 2009 HIPAA COW
59
Security Violations:
Downloading Onto PCs
Users have downloaded music, pictures,
screensavers, “Weather bug”, and other
software onto [Organization’s]
computer/laptop/tablet. Is this ok?
© Copyright 2009 HIPAA COW
60
Security Violations:
Downloading Onto PCs
No. We may not download anything onto our
computers, laptops, notebooks, PDAs, etc. without the
written permission from the [Director of IS or Security
Officer].
–
This includes not downloading from the Internet, CD, flash
drive, DVD, disc, software, etc.
Why not? The [IS Department or Security Officer] verifies
we have appropriate licenses and virus protection in place.
–
Did you know that downloading may slow down our systems?
Some downloads have interfered with the appropriate functioning
of web based EHRs!
© Copyright 2009 HIPAA COW
61
Security Violations:
Downloading From PCs
If it is absolutely necessary to copy or save files onto
removable media, obtain approval from your
Supervisor and encrypt the file so that it may only
be accessed by utilizing the password (ask the IS
Department how to encrypt a file).
–
–
–
This includes downloading anything off our computers
onto media such as a flash drive, USB, disc, CD, etc.
Safeguard this removable media, and the password to
access the information, at all times so that the
information may not be inappropriately accessed.
Immediately contact the IS Department and Security
Officer if a device is lost or stolen.
© Copyright 2009 HIPAA COW
62
Other Types of Security Issues
and Incidents
Theft (or loss) of a computer, laptop, PDA.
Inappropriate usage of [Organization]
computers.
A technology-related situation which results
in a significant adverse effect on people,
process, technology, facilities, etc., such as:
–
–
A system “glitch” which results in ePHI being
accessed and/or sent to an inappropriate
recipient.
A virus that prevents users from being able
to access PHI.
© Copyright 2009 HIPAA COW
63
What is Misuse of PHI?
U n a u t h o r i z e d:
Access to…
Using…
Taking…
Possession of…
Release of…
Edit of…
Destruction of…
Patient PHI Without Authorization.
© Copyright 2009 HIPAA COW
64
Privacy Violations:
How Do They Happen?
What are some common ways breaches
of confidentiality occur?
– Many incident reports happen due to
common human errors, such as the
following:
© Copyright 2009 HIPAA COW
65
Privacy Violations:
How Do They Happen?
Faxing to the wrong individual/location.
Wrong “sticky” patient label placed on a document,
then it is handed to the wrong patient.
When typing a medical record number to look up an
address, it is transposed. The lab results are then
sent to the incorrect patient.
When searching for a patient’s address, her name is
typed, her date of birth is not validated, and a
patient with the same name is selected instead.
These can be prevented by double checking
you have the right patient’s records prior to
releasing PHI.
© Copyright 2009 HIPAA COW
66
Privacy Violations:
Incorrect Patient on a Form
Jane Doe’s name, medical record number,
and date of birth was placed on a
prescription and handed to Molly Sue. Is
this considered a breach of confidentiality?
–
Yes. If Molly Sue reads Jane Doe’s name on
this form, or any other document, it is a
breach of confidentiality.
Request Molly Sue to return the incorrect
prescription and forward it with an
incident report to the Privacy Officer.
© Copyright 2009 HIPAA COW
67
Privacy Violations:
Incorrect Records Released
A patient requested we send 2006 test
results to her non-[Organization]
provider. In addition to the 2006 test
results, we also released 2004 and 2005
test results. Is this a breach of
confidentiality?
© Copyright 2009 HIPAA COW
68
Privacy Violations:
Incorrect Records Released
Yes. This is a breach of confidentiality as more
information than was requested by the patient was
released (the 2004 and 2005 test results).
Always keep in mind we may only release the
minimum necessary PHI to accomplish the purpose
of the request – even when releasing to another
treating provider, insurance company, etc.
–
Request the provider to return the 2004 and 2005 test results,
and forward them with an incident report to the Privacy
Officer.
© Copyright 2009 HIPAA COW
69
Privacy Violations: Incorrect
Patient’s Results Mailed
Lab results of one patient were mailed to a
different patient. Is this a breach of
confidentiality?
–
Yes. It is a breach of confidentiality if the lab
results include a different patient’s name.
Request the patient to return the incorrect lab
results, document the disclosure, and forward
it with an incident report to the Privacy
Officer.
© Copyright 2009 HIPAA COW
70
Privacy Violations: Patient’s
Records Sent to Wrong Company
Patient records were sent to the wrong
insurance company. Is this a breach of
confidentiality?
–
Yes, because this insurance company does
not provide coverage for this patient, they
did not have a need to know anything
about him/her.
Request the company return the incorrect
records, document the disclosure, and forward it
with an incident report to the Privacy Officer.
© Copyright 2009 HIPAA COW
71
Release of Information
(ROI)
What PHI may I release?
– What WI Laws and Federal Regulations apply?
What information can be released without an authorization?
What are the steps in releasing information?
When is an authorization required?
How do I verify the authority and identify the requestor?
Are there any restrictions which do not allow this release?
Do I need to document the release?
Why do I need to be doing all this?
What are some practical release of information examples?
Please proceed to learn more
about how to
correctly release PHI
© Copyright 2009 HIPAA COW
72
ROI: Applying the Steps
I received a request to release a patient’s PHI.
What now?
Whether releasing verbally or in writing,
determine the following:
–
–
Is the requestor legally authorized to receive
the PHI? Important Note: when uncertain,
ask the HIM department, Privacy Officer, or
obtain a signed authorization from the patient.
Is a signed Authorization required?
If yes, determine if the Authorization is HIPAA
and WI compliant (refer to next slide).
© Copyright 2009 HIPAA COW
73
ROI: Valid Authorizations
Elements of a valid authorization:
1.
2.
3.
4.
5.
Client/Patient Name and date of birth.
Name of the individual or agency authorized to make the
requested disclosure.
Name of the person or organization to whom the disclosure
is to be made.
Purpose of the disclosure.
Specific description of the type and amount of information
to be released.
A.
B.
6.
7.
If the release includes mental health, alcohol or drug abuse or test
results, or developmental disability records, these must be specified.
If the release includes HIV test result, AIDS, or AIDS related disease,
the statement “HIV test results” is required.
Statement on possibility of re-disclose by the recipient and
that it is no longer protected by [organization].
Right to inspect a copy of the records released (required
only for WI DHS 92 records).
© Copyright 2009 HIPAA COW
74
ROI: Valid Authorizations
Refer to the HIPAA COW Authorization Form located at
http://hipaacow.org/home/PrivacyDocs.aspx
Elements of a valid authorization Cont.:
8.
9.
10.
11.
12.
13.
Statement of the ability or inability to condition treatment,
payment, enrollment or eligibility for benefits .
If the release involves marketing and direct or indirect
remuneration to [organization] by a third party, include a
statement reflecting this.
A statement of the right to revoke the authorization in
writing, exceptions to the right to revoke, and how to
request a revocation.
Expiration date or event.
Time period during which the authorization is effective.
Signature of client/patient or legal personal representative
and date signed.
A.
14.
If signed by a legal personal representative, a description of
his/her authority to sign.
A copy of the form is required to be given to the
client/patient.
© Copyright 2009 HIPAA COW
75
ROI: Authorization Not
Required
There are times when an authorization
is not needed.
Read on to find out when authorizations
are not required…
© Copyright 2009 HIPAA COW
76
ROI: Permitted Uses and Disclosures of
PHI Without an Authorization
Uses and disclosures of PHI for (TPO):
– Treatment
– Payment
– Health Care Operations
Mandatory disclosures by law.
If use of the information does not fall under one of
these categories you must have the patient’s signed
authorization (written permission) before sharing that
information with anyone.
© Copyright 2009 HIPAA COW
77
ROI: When is an
Authorization Required?
tic
cl a
im
Re
en
ce
ym
n
ra
pa
po
r
fo
su
in
life y
a an
to mp
co
e
e
rt
vi o i n g
le do
nc m
e es
as
in
ut
le
ea
to
y
Ro
Re
R
el
se
ne
r
to
at
t
Authorization
Required
rti
fic
ce
rth
bi
ic
rif
a
ve
io
at
of
lity
g
bi
n
Fi
lin
sa
ea
to
t
ur
yo
y
tb n
e n i ci a
tm ys
ea ph
Tr
Di
R
el
se
e
th
pa
n
tie
at
e
Authorization Not
Required
© Copyright 2009 HIPAA COW
78
ROI: General Wisconsin
“Confidentiality” Laws
WI laws may require authorizations,
even though HIPAA doesn’t require
them. The next few slides summarize
a few of the more commonly utilized
WI laws…
© Copyright 2009 HIPAA COW
79
ROI: General Wisconsin
“Confidentiality” Laws
Statute
146.82, Wis.
Stat.
51.30, Wis.
Stat.
Summary
Covers general medical health care PHI and
authorization requirements.
Covers PHI relating to mental health, AODA,
and developmentally disabled treatment,
authorization requirements, and penalties.
DHS 92
Further covers confidentiality of mental health
Adm. Code treatment records (with 51.30).
DHS 144, Covers release of immunizations between
Adm. Code vaccine providers, and to schools specifically
for minors.
© Copyright 2009 HIPAA COW
80
ROI: General Wisconsin
“Confidentiality” Laws
Statute
102.13 &
102.33
Wis. Stat.
610.70
Wis. Stat.
Summary
Covers records reasonably related to a
worker’s compensation claim and release to
the employee (patient), employer, worker’s
compensation insurer, or Department with a
written request.
Covers disclosure of personal medical
information by insurers.
252.15,
Wis. Stat.
Covers health care information relating to
HIV testing and authorization requirements.
© Copyright 2009 HIPAA COW
81
ROI: Other Regulations to
Consider
Statute
Summary
42 CFR, Federal Alcohol and Drug Regulations
Part 2 which covers use and release of a
patient’s drug and alcohol abuse
records in a federally assisted
program.
© Copyright 2009 HIPAA COW
82
ROI: Release Restrictions/
Alerts …
Is there an alert restricting
access (as would be the case
of an adopted child)?
– Alerts are located:
[Indicate here how to
find the alert…]
© Copyright 2009 HIPAA COW
83
ROI: Identity Verification
Prior to releasing PHI, ask the individual to provide you with
enough information to identify the patient, such as:
– Name
– Date of Birth
– Address
– Other identifiers: Social security number, mother’s maiden name
Identify someone other than the patient by requesting he provide
you with all the above information, as well as his relationship to the
patient.
–
–
–
–
Check a physical signature against a known one on file
Make a call-back to a known number
Refer to the HIPAA COW Identity Verification
Ask for a photo ID
Policy located at
Ask for a business card
http://hipaacow.org/home/PrivacyDocs.aspx
Provide only the minimum necessary to safeguard PHI.
© Copyright 2009 HIPAA COW
84
ROI: Authority Verification
Once you know who the requestor is, be sure he or she has the right
to access this information.
Routine requests from employees you know in our organization who
have a need to know information for business reasons, are ok.
Unusual requests from individuals you don’t know can be risky, so
before sharing PHI:
– Ask your supervisor.
– And/or check your procedure.
Who are you?
© Copyright 2009 HIPAA COW
85
ROI: Individual Needs to
Find Patient In Any Setting
If an individual would like to find out if
a patient is in our facility, but the
patient is not in our Facility Directory:
– Do not confirm or deny the patient is
here, until you…
Obtain the patient’s and individual’s names.
Inform the requesting individual that if the
patient is in our facility, and agrees for us to
notify them of this, you will…
© Copyright 2009 HIPAA COW
86
ROI: Individual Needs to Find
Patient In Any Setting, Cont.
Privately call the department in which the
patient is located.
– That department asks the patient if their location
and/or condition may be released to this
individual.
If the patient agrees, provide that information to the
requesting individual.
If the patient is not in the facility, or does not agree to
notify the requesting individual he/she is here, inform
the requesting individual that you are unable to
confirm or deny whether or not the patient is in the
facility.
© Copyright 2009 HIPAA COW
87
ROI: Hospital Facility
Directory
Patients have a right to opt in or out of the
directory.
This right determines whether the hospital
can provide information when a visitor or
caller calls the hospital to ask about a
patient.
Very limited amount of information may be
provided to requesting individuals – name,
location (room #), religious affiliation,
general condition.
© Copyright 2009 HIPAA COW
88
ROI:
Minimum Necessary
Release only the requested PHI, and only include
sensitive PHI (mental health, HIV/AIDS, STDs,
etc.) if specifically authorized.
Release the minimum necessary (note, this may
be less than what was requested).
– Limit access to what is needed to accomplish the
purpose for which the request was made (or
that which was authorized).
– May not disclose an entire medical record unless
it is specifically justified as the amount of PHI
that is reasonably needed to accomplish the
purpose for the use or disclosure.
© Copyright 2009 HIPAA COW
89
ROI: Documentation
Document the release, when required by
law, and our organization’s policies [insert
policies here].
Effective April 1, 2008, Wisconsin Statute
146 no longer requires documentation of
disclosures for purposes relating to
treatment (providing and coordinating
care); payment (billing for services
rendered); and health care operation
(internal business).
© Copyright 2009 HIPAA COW
90
ROI: Documentation
(Continued)
Document the release, per WI Statute,
HIPAA and our organization policies
[insert organization policies here]. For
example, HIPAA requires
documentation of breaches, public
health reporting, etc.).
© Copyright 2009 HIPAA COW
91
ROI: Documentation
(Continued)
What are we required to document?
– Date of the disclosure
– The name of the person the PHI was released
to (and address if known)
– A brief description of the PHI disclosed
– The purpose of the release
Other suggested items but not required:
– Received date
– Who released the information
– How the information was disclosed *
* Also required if information is from a 51.30
treatment record. © Copyright 2009 HIPAA COW
92
ROI: Documentation
Why do we have to document when
we release PHI (when required by
law)?
– Patients have the right to request from
us a record of what PHI was released
and to whom (Accounting of Disclosures).
© Copyright 2009 HIPAA COW
93
ROI:
Note: those steps must be followed each
time you release information verbally and
in writing.
Wow! That’s a lot to know! Were you aware
you can ask the HIM/release of information
department to release PHI for you?
– That’s right! If you aren’t absolutely 100%
certain on whether or not you can (or how to)
release information, STOP and ask for help by
calling [number].
Following are some examples of release
situations …
© Copyright 2009 HIPAA COW
94
ROI: Family and Friends
Patient present and alert – patient decides.
Patient incapable to make wishes known –
inferred permission to discuss current care.
Care or payment.
– Information needed for patient’s care.
– Must clearly be involved in payment for care
(involvement is obvious, patient stated so).
Notify family or friend(s):
–
–
–
–
–
When involved in their care.
Of patient’s general condition.
Of patient’s location.
When patient’s ready for discharge.
Of patient’s death. © Copyright 2009 HIPAA COW
Note: paper copies
may not be released
under these examples
95
ROI: Divorced Parents
A parent calls to get information on their child.
Can you release it?
– If the parents are divorced, either parent may get access to
the records with a proper release. Assume that they can get
records unless told otherwise.
– In the case where parental rights of one parent have been
terminated, the parent with sole right is responsible to provide
the information.
– When in doubt, call the parent who has physical placement to
ask if the other parent is allowed to obtain records. If they
say no, then they would be required to present the
corresponding court documents. If they say “yes”, obtain
permission and document what was provided.
© Copyright 2009 HIPAA COW
96
ROI: Legal Guardians
An individual calls to discuss appointment
information with you for a patient and
states he is the patient’s Legal Guardian,
may I discuss this with the individual?
–
Yes, after verifying the individual is the
patient’s Legal Guardian and has access
rights to the type of records being
requested. Here’s how to verify:
[Organization list here…]
© Copyright 2009 HIPAA COW
97
ROI: Step-Parents
A stepparent calls to discuss her stepchild’s
care. May you discuss this with her?
–
–
No, unless the step-parent is a legal guardian and
we have the guardianship papers on file, or a legal
guardian has provided authorization.
Step-parents may call to schedule appointments, but
do not have access to their stepchildren’s PHI,
without authorization by a legal guardian.
© Copyright 2009 HIPAA COW
98
ROI: Foster Parents
Can foster parents get information on the
child they are caring for?
– Yes, if they have guardianship, other court
papers, or an authorization from the birth
parent, allowing them the right of access.
– If they don’t have any legal papers and a health
care provider is in need of the information, you
may release directly to the care provider.
© Copyright 2009 HIPAA COW
99
ROI: Power of Attorneys
A patient’s power of attorney for health care (POA-HC)
requests I discuss the patient’s care with her. May I?
–
No. A POA-HC does not allow the POA-HC to have access
to that individual’s medical and/or billing information until
the patient has been deemed incapacitated (except in
rare cases).
Refer to
the ROI:
Family &
Friends
slide if
the POAHC is
involved
in the
patient’s
care
–
In addition, before providing access to billing information,
review the POA-HC to confirm it specifically allows this
access and/or verify a Durable POA document is in place.
Basically, POAs don’t have any more rights than any other
individual to discuss a patient’s care, billing, etc. until two
physicians deem the patient incapacitated.
If the patient has been deemed incapacitated, a document
of incapacitation is located…[list here].
© Copyright 2009 HIPAA COW
100
ROI: Workers’ Compensation
PHI to an Employer
When releasing workers’ compensation records to an
employer and/or work comp carrier, may I release the
rest of the patient’s medical history (not related to the
work comp claim with that employer)?
–
–
No. The patient’s employer and work comp insurance
carrier have the right to only those records reasonably
related to the workers’ compensation claim/condition
without an authorization.
Request the patient to sign an authorization form to
release additional types of records.
© Copyright 2009 HIPAA COW
101
ROI: to Another Facility
Can I release a patient’s address and/or
insurance information to a nursing home?
–
If you are not familiar with the individual,
request the nursing home to provide you with
the following information:
Patient’s name, date of birth, and address.
Why the information is needed.
–
–
If they also treat the patient or pay their claims, continue.
The requestor’s name, name of the nursing home,
and a direct telephone to the nursing home
(switchboard).
Call the requestor back and request to be
transferred to the individual. Then release the PHI.
When uncertain, contact the patient and obtain
authorization.
© Copyright 2009 HIPAA COW
102
ROI: Leaving Messages
A spouse answers the phone, or the voice mail
picks up. What information may I provide?
–
–
–
–
–
State your first name and that you are calling from
[Organization name] (include the site).
Ask the patient to return your call, and provide your
direct phone number.
Do not provide lab results, or other detailed
information, other than an appointment reminder.
Example: “This is Sally from [Organization] calling
for Johnny Doe. Please call me back at your earliest
convenience at [number]. Thank you.”
Double check you ended the call.
© Copyright 2009 HIPAA COW
103
ROI: Item Pick Up
A man arrives and requests to pick up a prescription for
his neighbor. Now what?
– Request he provide you with the patient’s name, date
of birth, address, and relationship to the patient.
– Confirm the patient’s and requestor’s information
matches what the the patient provided when
informing [Organization] this individual was picking
up the prescription.
–
If everything matches, this means the patient requested
us to provide the prescription to his neighbor (according
to our Item Pick Up Procedure).
Request the man to sign the Item Pick up form and
provide him with the prescription.
© Copyright 2009 HIPAA COW
104
ROI: Faxing PHI
May we Fax PHI?
–
–
–
Yes, we may fax PHI, but only when in the best interest of
patient care or payment of claims.
We may not fax sensitive PHI (HIV, mental health, AODA,
STDs, etc.)
It is best practice to test a fax number prior to faxing PHI to
it. If this is not done, then complete the following:
Restate the fax number to the individual providing it to you.
Obtain a telephone number to contact the recipient with any
questions.
Do not include PHI on the cover sheet.
Verify you are including only the correct patient’s information
(i.e. check the top and bottom pages).
Double check the fax number prior to “sending” it.
© Copyright 2009 HIPAA COW
105
ROI: Email
We may not communicate with patients
through emails at this time.
–
* Note to Organization:
Depending on your Email policy,
include either this slide, or the
next slide, but not both
The patient portal will provide the
opportunity to electronically communicate
with our patients.
When sending ePHI to other organizations
for required business functions (i.e.
treatment, payment or healthcare
operations), encrypt the email [insert org.
procedures here…].
© Copyright 2009 HIPAA COW
106
ROI: Email
* Note to Organization:
Depending on your Email policy,
include either this slide, or the
previous slide, but not both
We may communicate with patients
through emails only if the patient has
signed the organization’s privacy and
security email agreement.
When sending ePHI to anyone for
treatment, payment or healthcare
operations, encrypt the email [insert org.
procedures here…], and verify the
organization’s confidentiality email
disclaimer is included on the email.
© Copyright 2009 HIPAA COW
107
And now, for some
general safeguarding
tips…
How else can I protect our patients’ PHI?
© Copyright 2009 HIPAA COW
108
Safeguarding: Discussing PHI
You never know who may overhear you
discussing a patient. The patient or
coworker could be the patient’s
neighbor, best friend, cousin, etc…
–
–
–
Remember to talk quietly.
When possible, discuss PHI privately,
such as behind a closed door.
Avoid having discussions in patient
waiting rooms, elevators, cafeteria, etc.
© Copyright 2009 HIPAA COW
109
Safeguarding PHI:
Approaching a Coworker
You need to talk with a coworker, but
she is talking with a different patient
to schedule his appointment. What
should you do?
– Provide your coworker with the privacy
to finish working with that patient and
approach her when she is done.
© Copyright 2009 HIPAA COW
110
Safeguarding: Seeing a Patient
Outside [Organization]
You’re walking through the grocery store
one day, and see a [Organization]
patient. What should you do?
–
–
It’s ok to say hello but don’t ask the
patient “how she’s doing” or questions
about her health. It’s ok to listen if she
offers to update you on her health.
Let the patient approach you first, but
don’t make it seem like you are trying to
avoid her.
© Copyright 2009 HIPAA COW
111
Safeguarding: Talking
with Friends About Work
You had a negative encounter with a patient and
really need to vent to a friend after work. What
can you discuss?
–
Working in health care isn’t easy and patient
confidentiality MUST be maintained at all times:
– at work, during non-work hours and after
your employment ends with the organization.
Here are some helpful tips…
© Copyright 2009 HIPAA COW
112
Safeguarding: Talking
with Friends About Work
Do not share with family, friends, or anyone
else a patient’s name, or any other information
that may identify him/her, for instance:
– It would not be a good idea to tell your friend
that a patient came in to be seen after a severe
car accident.
Why? Your friend may hear about the car accident
on the news and know the person involved.
Do not inform anyone that you know a famous
person, or their family members, were seen at
this organization.
© Copyright 2009 HIPAA COW
113
Safeguarding PHI: Media
If I am contacted by the media, may I
release PHI to them? If I am
contacted by an individual offering to
pay me for PHI, may I release it to
them?
– No! You may not release PHI under
either of these circumstances. Both are
grounds for disciplinary action.
– Refer the requestor to the Privacy Officer.
© Copyright 2009 HIPAA COW
114
Safeguarding PHI: Delivery
I need to transport paper records/PHI to
another department. Is it ok for me to do this?
–
–
Yes, you may transport documents to another
department,
Secure them so you don’t drop them:
Carry them close to your person.
Carry them in a facility designated bag, box,
or container.
Ensure no names are visible.
Ensure that no records are left unattended.
© Copyright 2009 HIPAA COW
115
Safeguarding PHI:
Transporting Offsite
When necessary to transport PHI externally:
– Place in a locked briefcase, closed container,
sealed self-addressed interoffice envelope;
– Place PHI in the trunk of your vehicle, if
available, or on the floor behind the front seat;
– Lock vehicles when PHI is left unattended .
You may not transport patient charts between
departments or offsite – unless authorized by
the Director of HIM.
© Copyright 2009 HIPAA COW
116
Safeguarding PHI:
Interoffice Mail
Send all PHI in sealed interoffice
envelopes.
–
–
–
–
Verify all PHI was removed from the
envelope before stuffing it.
Address them to the correct individual and
department.
Mark the envelope “confidential”.
Confirm you are sending the correct PHI.
© Copyright 2009 HIPAA COW
117
Safeguarding PHI:
Paper
Turn over/cover PHI when you leave
your desk/cubicle so others cannot
read it.
– If you have an office, you have the
option of closing your door instead.
Turn over/cover PHI when a
coworker approaches you to discuss
something other than that PHI.
© Copyright 2009 HIPAA COW
118
Safeguarding PHI:
Paper Continued
Don’t leave documents containing PHI
unattended in fax machines, printers,
or copiers.
Check your fax machine frequently so
documents are not left on the
machine.
© Copyright 2009 HIPAA COW
119
Safeguarding PHI:
Disposal
How should I dispose of confidential paper?
–
Shred or place all confidential paper in the designated
confidential paper bins.
Does this include Post-it notes, scratch paper, envelopes, and
old non-confidential documents we no longer need?
– No. Please put these in the recycling paper bins!
Does this include tissue, paper plates, cardboard, and pizza
boxes?
– No. Please put these items in the regular trash or
other appropriate recycling container!
How should I dispose of electronic media (floppy disk,
CD, USB Drive, etc.)?
–
Provide electronic media to the IS Department to dispose it
© Copyright 2009 HIPAA COW
120
Facility Security
How can I help protect our facilities?
–
–
–
–
Wear your ID Badge at all times (it helps
identify you as an [Organization]
employee/provider).
Only let employees enter through employee
entrances with you.
Keep hallway doors that lead to patient care
areas closed.
Request vendors and contracted individuals to
sign-in and obtain Vendor ID Badges when
visiting a restricted area.
© Copyright 2009 HIPAA COW
121
What are Restricted Areas?
Restricted areas are those areas within our facilities
where PHI and/or organizationally sensitive information
is stored or utilized.
–
–
–
–
–
–
–
Receptionist stations
Business office windows
HIM Department
Patient care hallways/treatment areas
Offices
Storage closets and cabinets
Accounting, Human Resources, Administration Offices, IS
Department, etc.
– Employee meeting/rooms/kitchens in the departments
– Areas containing potential safety hazards (ex. medical
imaging, lab, nuclear medicine, etc.
© Copyright 2009 HIPAA COW
122
Facility Security
Continued…
– If you see someone in a restricted area
not wearing a badge, kindly ask “May I
help you?”
Escort the individual out of the restricted
area and to the individual/area he/she is
visiting.
© Copyright 2009 HIPAA COW
123
Business Associate
Agreements
If you initiate negotiations to contract with a
company to perform, or assist in the performance
of a function or activity involving the use or
disclosure of PHI, please contact the [Organization
Privacy Officer] to obtain a Business Associate
Agreement (BAA). Examples of when to obtain a
BAA with a company include:
– Claims processing or administration, data analysis,
processing or administration, utilization review, quality
assurance, billing, benefit management, practice
management, and repricing; and
– Legal, actuarial, accounting, consulting, data aggregation,
management, administrative, accreditation, or financial
services.
© Copyright 2009 HIPAA COW
124
Other Confidentiality
Agreements
When initiating a contract with a
company to perform work for
[Organization] which will not have
direct access to PHI, request a
Confidentiality Agreement be signed
and forwarded to the [Organization
Privacy Officer].
© Copyright 2009 HIPAA COW
125
HIPAA and Your Role
Remember, it is your responsibility, as a
[Organization] employee or provider, to comply
with all privacy and security laws, regulations,
and [Organization’s] policies pertaining to them.
Employees and providers suspected of violating
a privacy or security law, regulation, or
[Organization] policy are provided reasonable
opportunity to explain their actions.
Violations of any law, regulation, and/or
[Organization] policy will result in disciplinary
action, up to and including termination,
according to [Organization] HR Policy #.
© Copyright 2009 HIPAA COW
126
HIPAA Violations:
-How Much is Enough?
-How Much is too Much?
There are three types of violations:
– Incidental
– Accidental
– Intentional
Insert [Organization’s] policy
regarding types of violations and levels
disciplinary action provided.
© Copyright 2009 HIPAA COW
127
Incidental Violations
If reasonable steps are taken to safeguard a
patient’s information and a visitor happens to
overhear or see PHI that you are using, you
will not be liable for that disclosure.
Incidental disclosures are going to
happen…even in the best of circumstances.
An incidental disclosure is not a privacy
incident. This type of disclosure is not
required to be documented.
© Copyright 2009 HIPAA COW
128
Accidental Violations
Mistakes happen. If you mistakenly disclose PHI
or provide confidential information to an
unauthorized person or if you breach the security
of confidential data:
– Acknowledge the mistake and notify your supervisor and the
Privacy Officer immediately.
– Learn from the error and help revise procedures (when
necessary) to prevent it from happening again.
– Assist in correcting the error only as requested by your
leader or the Privacy Officer. Don’t cover up or try to make
it “right” by yourself.
Accidental disclosures are Privacy Incidents and must be
reported to your Privacy Officer immediately! It is required to
document this disclosure.
© Copyright 2009 HIPAA COW
129
Intentional Violations
If you ignore the rules and carelessly or deliberately use
or disclose protected health or confidential information,
you can expect:
– Disciplinary action, up to and including termination.
– Civil and/or criminal charges.
Examples include:
– Accessing PHI for purposes other than assigned job
responsibilities.
– Attempting to learn or use another person’s access
information.
If you’re not sure about a use or disclosure,
check with your Supervisor or the Privacy Officer
© Copyright 2009 HIPAA COW
130
Reporting HIPAA Violations
If you are aware or suspicious of an
accidental or intentional HIPAA violation,
it is your responsibility to report it.
–
–
[Organization] may not intimidate,
threaten, coerce, discriminate against, or
take other retaliatory action against
anyone who in good faith reports a
violation (whistleblowing).
Refer to the [HIPAA Intranet page] for
more examples of what to report.
© Copyright 2009 HIPAA COW
131
It’s Important to Report
HIPAA Violations…
So they can be investigated, managed, and
documented.
So they can be prevented from happening again in
the future.
So damages can be kept to a minimum.
To minimize your personal risk.
In some instances, management may have to notify
affected parties of lost, stolen, or compromised
data.
Incidental disclosures need not be reported, but if
you’re not sure, report them anyway.
© Copyright 2009 HIPAA COW
132
Patient Complaints
Report all patient complaints.
We are required by law to respond to
privacy and security complaints.
© Copyright 2009 HIPAA COW
133
How May I Report a
HIPAA Privacy Violation?
Directly to your Supervisor, who in turn reports
it to the Privacy Officer.
Call or email the Privacy Officer.
Complete a HIPAA Incident Report form (#)
which is located [on the HIPAA Intranet page].
Email the internal “HIPAA Hotline” email
group. Note: this is not anonymous as the sender will be
known.
Leave a message on the HIPAA Hotline
[insert #].
© Copyright 2009 HIPAA COW
134
How May I Report a
HIPAA Security Violation?
If it involves a breach of patient confidentiality,
report it through the same methods listed for
Privacy Violations.
If it does not involve a breach of confidentiality,
report it through one of the following methods:
–
–
The same methods listed for Privacy Violations
Call or email the Technical Security Officer,
Information Services Help Desk, or Director of
Information Services.
© Copyright 2009 HIPAA COW
135
HIPAA Information
Check out the
[HIPAA Intranet page].
We will continue to
add additional information
for your reference.
© Copyright 2009 HIPAA COW
136
Questions, Comments,
Concerns…
Not sure which way to go?
Please contact your
Privacy Officer, at
Please contact your
Security Officer, at
(phone)
(pager)
(email)
(phone)
(pager)
(email)
© Copyright 2009 HIPAA COW
137
Remember to Take the
Test
To obtain credit for this session,
remember to take the test after
viewing this presentation.
© Copyright 2009 HIPAA COW
138
Thank you, from....
The Privacy and
Security Committees
Refer to the HIPAA COW website for
privacy, security, and EDI reference
materials
http://hipaacow.org/home/home.aspx
Hand
In - hand
Protecting
All
Accounts!
© Copyright 2009 HIPAA COW
139
HIPAA COW Authors
Primary author: Holly Schlenvogt, MSH, ProHealth Care Medical Associates, Privacy
Officer
Contributing authors:
– Cami Beaulieu, Red Cedar Medical Center, ROI Supervisor and Privacy Assistant
– Jane Duerst Reid, RHIA, Clear Medical Solutions, HIM Consultant
– Linda Huenink, MS, RHIA, Wk Co. Dept. of Health & Human Services, Records
Supervisor
– Carla Jones, Senior Staff Attorney/Privacy Officer, Marshfield Clinic Legal Service
– Kathy Johnson, Privacy & Compliance Officer, Wisconsin Dept. of Health
Services
– Melissa Meier, ProHealth Care Medical Associates, Corporate Compliance
Coordinator
– Kim Pemble, Executive Director, WI Health Information Exchange (WHIE)
– LaVonne Smith, Information Services Director, Tomah Memorial Hospital
Reviewed by: HIPAA COW Privacy & Security Networking Groups
© Copyright 2009 HIPAA COW
140