Welcome to the 2007 - Northwest Counseling and Guidance


Draft v. 11
03-31-09
Welcome to the Privacy and Security Training Session!
© Copyright 2009 HIPAA COW
Disclaimers

This HIPAA Privacy & Security Training Session is Copyright 2009 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This HIPAA Privacy & Security Training Session is provided “as is” without any express or implied warranty. This HIPAA Privacy & Security Training Session is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this HIPAA Privacy & Security Training Session. Therefore, this document may need to be modified in order to comply with Wisconsin law.
Disclaimers continued…

This is an example training session containing only some of the Privacy & Security topics which organizations are required to train. It is not legal advice and is not intended to cover all privacy & security laws’ training requirements. It may contain items not required by your organization and/or that need to be tailored to your organization’s P&Ps. It may also be too lengthy to provide in just one session. Slides are provided for informational purposes only.
HIPAA Topics Covered
• HIPAA Privacy & Security Contacts
• What is HIPAA?
• Why Follow HIPAA?
• HIPAA Definitions
• Who protects PHI?
• Patient Rights
• Security
• Audit Trails
• Violations
• Release of Information
• Identity Verification
• Documenting Disclosures
• Safeguarding Information
• BAAs & Other Agreements
• Your Role
• Reporting Violations
Privacy and Security and/or Compliance Committee Members
Privacy Officer: Jackie Maurer, Billing Office Supervisor, 715-327-4322, ext 126, [email protected]
Security Officer: Jeff Raschke, Director IT & Security Officer, 715-327-4322, ext 125, [email protected]
What is HIPAA?
• HIPAA is an acronym for the Health Insurance Portability & Accountability Act of 1996 (45 C.F.R. parts 160 & 164).
• It provides a framework for nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for electronic transmission of health information.
What is HIPAA?
• HIPAA consists of three separate parts: 1) Privacy, 2) Security, and 3) Electronic Data Interchange (EDI).
• Each part has separate regulations to comply with.
• HIPAA mandates accountability.
Parts of HIPAA: 1. The Privacy Rule
• The Privacy Regulations went into effect April 14, 2003.
• Privacy refers to the protection of an individual’s health care data.
• Defines how patient information is used and disclosed.
• Gives patients privacy rights and greater control over their own health information.
• Outlines ways to safeguard Protected Health Information (PHI).
• We also need to keep in mind Wisconsin privacy laws, such as WI Chapters 51, 146, 252 and DHS 92, which in some situations continue to protect patients’ rights more than the HIPAA Regulations.
Parts of HIPAA: 2. The Security Rule
• Security (IT) regulations went into effect April 21, 2005.
• Security means controlling:
– The confidentiality, integrity and availability of electronic protected health information (ePHI).
– How patient data is electronically stored.
– How patient data is electronically accessed.
Parts of HIPAA: 3. EDI
• Electronic Data Interchange (EDI) defines the format of electronic transfers of information between providers and payers to carry out financial or administrative activities related to health care.
• Information includes coding, billing and insurance verification.
• The goal of using the same formats is to ultimately make the billing process more efficient.
Why Should Our Organization Comply with HIPAA?
• We must be committed to protecting our patients’ privacy.
• Northwest Counseling and Guidance Clinic is placing trust in you to follow the policies. This is not an option, it is required.
• Choosing not to follow these rules:
– Could put you at risk.
– Could put Northwest Counseling and Guidance Clinic at risk.
Why Should Our Organization Comply with HIPAA?
• The right thing to do is to:
– Protect patient records.
– Protect business data.
– Protect patient data and reduce the risk of litigation to organizations.
• There are significant penalties associated with non-compliance for organizations and employees of those organizations.
HIPAA Regulations
• The HIPAA Regulations require that we protect our patients’ PHI in all media including, but not limited to, PHI created, stored, or transmitted in/on the following media:
– Verbal discussions (e.g. in person, on the phone, etc.).
– Written on paper (e.g. chart, progress note, encounter form, prescription, x-ray order, referral form, explanation of benefits (EOBs), scratch paper, etc.).
– In all of our computer applications/systems (e.g. electronic health record (EHR), Practice Management, Lab, X-ray, Microsoft, etc.).
– In all of our computer hardware/equipment (PCs, laptops, PDAs, pagers, fax machines/servers, cell/multifunctional phones, patient care devices, servers, etc.).
This training session provides reminders of Northwest Counseling & Guidance Clinic’s policies and of how you, an employee or provider, are required to protect PHI.
Why is Privacy and Security Training Important?
• It outlines ways to prevent accidental and intentional misuse of PHI.
• To make PHI secure with minimal impact to staff and business processes.
• It’s not just about HIPAA – it’s about doing the right thing.
• “We should treat personal electronic data with the same care and respect as weapons-grade plutonium -- it is dangerous, long-lasting and once it has leaked, there’s no getting it back.” -- Cory Doctorow
This training is designed to educate you on the importance of Privacy and Security
• It is everyone’s responsibility to take the confidentiality of patient information seriously.
• Anytime you come in contact with patient information or any PHI that is written, spoken or electronically stored, YOU become involved with some facet of the privacy and security regulations.
• The law requires us to train you.
HIPAA Definitions
What is Protected Health Information (PHI)?
PHI is Individually Identifiable Health Information (IIHI), that is, information that:
• Relates to the health/condition of an individual.
• Relates to payment for the health care of an individual.
• Reasonably identifies the individual (patient identifiers/demographics).
HIPAA Definitions
PHI Includes:
• Items in the record, such as:
– Encounter/visit documentation
– Lab Results
– Appointment dates/times
– Invoices
– Radiology films and reports
– History and Physicals (H&Ps), etc.
HIPAA Definitions
PHI Includes: Patient Identifiers
PHI includes information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.
HIPAA Definitions
PHI Includes Patient Identifiers
Examples include:
• Names
• Medical Record Numbers
• Social Security Numbers
• Account Numbers
• License/Certification numbers
• Vehicle Identifiers/Serial numbers/License plate numbers
• Internet protocol addresses
• Health plan numbers
• Full face photographic images and any comparable images
• Web universal resource locators (URLs)
• Any dates related to any individual (date of birth)
• Telephone numbers
• Fax numbers
• Email addresses
• Biometric identifiers including finger and voice prints
• Any other unique identifying number, characteristic or code
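A worked example of how identifiers like the ones listed above can be picked out of free text, added here for this page; it is not code from the HIPAA COW deck or from NWCGC’s systems. It scans a constructed progress note for the identifier categories on this slide that have a recognizable shape (SSN, phone/fax, email, date, IP address, URL, and an assumed local MRN format) and redacts them. Names, plan numbers and other free-form identifiers have no fixed shape and are not detected; every regular expression, the MRN format and the sample note are assumptions.

```python
"""Scan free text for the kinds of patient identifiers listed above.

Added example for this page; it is not code from the HIPAA COW deck or from
NWCGC. The identifier formats are assumptions: the MRN pattern is an invented
local format, and every regex is deliberately simple. Names and other
free-text identifiers are not detected; a real DLP rule set would be tuned
to the organization's own numbering schemes and would add name matching.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Category from the slide -> regular expression for one assumed format.
PATTERNS: dict[str, re.Pattern[str]] = {
    "Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/Fax number": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "Date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Stop before trailing sentence punctuation so ".../results." keeps the URL clean.
    "URL": re.compile(r"\bhttps?://[^\s]+?(?=[.,;]?(?:\s|$))"),
    # Assumed local format: the letters MRN, optional separator, 6-8 digits.
    "Medical Record Number": re.compile(r"\bMRN[- ]?\d{6,8}\b"),
}


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    start: int


def scan(text: str) -> list[Finding]:
    """Return every identifier found, ordered by position in the text."""
    findings = [
        Finding(category, m.group(0), m.start())
        for category, rx in PATTERNS.items()
        for m in rx.finditer(text)
    ]
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each finding with its category label, working from the end of
    the text so earlier offsets stay valid while we splice."""
    out = text
    for f in sorted(scan(text), key=lambda f: f.start, reverse=True):
        out = out[: f.start] + f"[{f.category}]" + out[f.start + len(f.value) :]
    return out


# Constructed sample note; every value in it is made up.
SAMPLE_NOTE = (
    "Pt Jane Doe, MRN-00123456, DOB 03/14/1971, SSN 123-45-6789, called from "
    "715-555-0142 re: lab results; copy sent to jdoe@example.org. "
    "Portal login from 10.20.30.40 via https://portal.example.org/results."
)

if __name__ == "__main__":
    for f in scan(SAMPLE_NOTE):
        print(f"{f.start:4d}  {f.category:24s} {f.value}")
    print(redact(SAMPLE_NOTE))
```

Pattern matching like this is a screening aid for outbound email or documents, not proof of de-identification: a note with no hits can still identify someone through its narrative, which is why the slide’s definition turns on whether the patient can be identified, not on which fields appear.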
HIPAA Definitions
• Use: when we review or use PHI internally (audits, training, customer service, quality improvement).
• Disclose: when we release or provide PHI to someone (ex. an attorney, a patient, faxing records to another provider, etc.).
HIPAA Definitions
• What does releasing the “minimum necessary” PHI mean?
– To use or disclose/release only the minimum necessary to accomplish the intended purposes of the use, disclosure, or request.
– Requests from employees at NWCGC:
 Identify each workforce member who needs to access PHI.
 Limit the PHI provided on a “need-to-know” basis.
– Requests from individuals not employed at NWCGC:
 Limit the PHI provided to what is needed to accomplish the purpose for which the request was made.
HIPAA Definitions
What is TPO?
• HIPAA allows us to Use and/or Disclose PHI for the purpose of:
– Treatment – providing care to patients.
– Payment – the provision of benefits and premium payment.
– Operations – normal business activities (reporting, quality improvement, training, auditing, customer service and resolution of grievances, data collection and eligibility checks, accreditation, etc.).
• These terms are collectively referred to as TPO.
• PHI used outside of TPO is not allowed without a signed authorization.
• TPO must be within the minimum necessary to perform your job!
Why Do We Need to Protect PHI?
• It’s the law.
• To protect our reputation.
• To avoid potential withholding of federal Medicaid and Medicare funds.
• To build trust between providers and patients.
– If patients feel that their PHI will be kept confidential, they will be more likely to share the information needed for their care.
Who or What Protects PHI?
• The Federal Government through the laws of HIPAA.
– Civil penalties up to $25,000 for Failure to Comply.
– Criminal penalties:
 $50,000 fine and 1 year prison for knowingly obtaining and wrongfully sharing information.
 $100,000 fine and 5 years prison for obtaining and disclosing through false pretenses.
 $250,000 fine and 10 years prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.
• Our organization, through the Notice of Privacy Practices (NOPP).
• You, by following our policies and procedures.
Enforcement
• The Public. The public will be educated about their privacy rights and will not tolerate violations to their privacy! They will take action.
• Office For Civil Rights (OCR). This is the agency that enforces the privacy regulations. They will provide guidance and monitor compliance.
• Department of Justice (DOJ). This agency is involved in criminal privacy violations. Provides fines, penalties and imprisonment to offenders.
HIPAA Regulations
• Brought individual privacy rights to patients.
• Require that we provide these rights to them.
– The following slides explain patient rights…
Patient Rights: Access
• Right to inspect and copy their PHI.
• Situations where access may be denied or delayed:
– Psychotherapy notes.
– PHI compiled for civil, criminal or administrative action or proceedings.
– PHI subject to CLIA Act of 1988 when access would be prohibited by law.
– Access would endanger a person’s life or safety based upon a professional judgment.
– A correctional inmate’s request may jeopardize health and safety of the inmate, other inmates or others at the correctional institution.
– A research study has previously secured agreement from the individual to deny access.
– Access is protected by the Federal Privacy Act.
– PHI was obtained under promise of confidentiality and access would reveal the source of the PHI.
Patient Rights: Alternative Communications
• Right to request to receive communication by alternative means or location. Examples:
– The patient may request a bill be sent directly to him instead of to his insurance company.
– The patient may request we contact her on her cell phone instead of at her home telephone number.
Patient Rights: Special PHI Requests (Alternative communication requests)
• What should I do if a patient requests we always call a family member instead of her?
– Request patients with permanent and special/unique calling and/or mailing instructions to go to their primary mental health provider or onsite administrator to complete and sign a release of information.
Patient Rights: Amendment Requests
• Right to Request an Amendment or Correct PHI.
– Situations where a request may be denied:
 Northwest Counseling & Guidance Clinic did not create the information.
 Record is accurate according to the health care professional that wrote it.
 Information is not part of the Northwest Counseling & Guidance Clinic record.
• A patient states there is an error in his electronic record and wants it corrected. What should I do?
– Request the patient contact the onsite administrator to request to have the record amended.
Patient Rights: Restrictions and AOD
• Right to Request a Restriction on use and disclosure of their PHI (ex. revoke a previous authorization, request to not give to certain providers, request to not provide for research purposes).
– We are not required to approve the request, but must make reasonable efforts to approve it, when possible.
• Right to an Accounting of Disclosures (AOD).
– Must give information on disclosures of information released except those that were given to:
 The Individual.
 TPO.
 Law enforcement officials, correction institutions or national security.
Patient Rights: Right to Receive an Accounting of Disclosures of PHI
A. An individual may request an accounting for disclosures as far back as six years before the time of the request - but to start no earlier than April 14, 2003.
B. A covered entity must suspend accounting of disclosures to a patient if an agency or law enforcement indicate the accounting is likely to impede the agency’s activity.
Patient Rights: Right to Receive an Accounting of Disclosures of PHI
C. Disclosures NOT requiring accounting include disclosures made:
– For Treatment (to persons involved in the individual’s care), Payment or Operations.
– To the individual subjects of the PHI.
– Incident to an otherwise permitted disclosure.
– Based on the individual’s signed authorization.
– For a facility directory.
– For national security or intelligence purposes.
– To correctional facilities or law enforcement on behalf of inmates.
– As part of a limited data set (see 164.514).
– That occur prior to the compliance date of April 14, 2003.
Patient Rights: Right to Receive an Accounting of Disclosures of PHI
D. Disclosures requiring accounting include:
– Required by law
– For public health activities
– Victims of abuse, neglect, violence
– Health oversight activities
– Judicial/Administrative proceedings
– Law enforcement purposes
– Organ/eye/tissue donations
– Research purposes
– To avert threat to health and safety
– For specialized government functions
– About decedents
– Workers’ compensation
– Releases made in error to an incorrect person/entity (i.e. breach)
Patient Rights: NOPP
• Are we still required to request patients sign the Notice of Privacy Practices (NOPP) acknowledgment prior to their first visit?
• Yes. Please continue to request they sign the acknowledgment before they see a provider for their first appointment at Northwest Counseling & Guidance Clinic (except in the case of emergency services, where staff will attempt to provide notification based on the needs of the client).
• Patient signs the Acknowledgment of Receipt to confirm that they have been offered and/or received the Notice.
• What is the purpose of the NOPP?
• Summarizes how Northwest Counseling & Guidance Clinic uses and discloses patients’ PHI.
• Details patients’ rights in respect to their PHI.
Patient Rights: NOPP Reminders
• If a patient or legal guardian refuses to take a NOPP, this is their right; do not force them to take one.
• If a patient or legal guardian refuses to sign the acknowledgment form, document this on the form and in the system.
• Once the patient turns 18, he/she must sign an acknowledgment form.
• Host parents of a foreign exchange student may act on behalf of the student’s biological parent(s) and sign the NOPP acknowledgment form.
Patient Rights: Privacy Complaints
• Right to file a privacy complaint.
– Direct all requests or complaints regarding these rights to the Privacy Officer at 715-327-4322, extension 126.
Security
• One key element of protecting our patients’ PHI lies in maintaining the security of our systems, which house and transmit ePHI (electronic protected health information).
• The HIPAA Security Rule outlines how we are to do this.
• How do we protect our computer systems and our patients’ information in them? Read on to explore this…
Applying the Security Rule
• Administrative Safeguards
– Policies and procedures of the organization are REQUIRED and must be followed by the employees to maintain security (e.g. disaster recovery of computer systems, use of the internet, use of email, faxing, use of voicemail, computer hardware and software standards).
• Technical Safeguards
– Many technical devices are needed to maintain security. Examples include different levels of computer passwords, screen savers and devices to scan ID badges, data backups, disposal of media, encryption, and audit trails. Computer and system processes are set up to protect, control and monitor information access.
Applying the Security Rule
• Physical Safeguards. Many physical barriers and devices are needed to maintain security. Examples include installing locks on doors, securing buildings and rooms, identifying visitors, and locking file cabinets to protect the organization’s property and the health information.
• Personnel Security. Organizational policies and procedures manage the assignment of access authority to employees and other workforce members. Procedures should address employee transfers, role changes and terminations. Effective security and privacy training must be conducted.
Access to ePHI: UNs and PWs
• How do we control access to electronic protected health information (ePHI) in our computer systems?
– By requiring all users to utilize individually unique Usernames (UNs) and Passwords (PWs), we control access to the information in each of our computer systems and applications.
– UNs and PWs control what users are able to access and help us identify what information users accessed in our applications.
Access to ePHI: UNs and PWs Cont.
• For these reasons, you may not share your UNs and PWs with anyone else (the only exception to this is to share a UN and PW with IS, if necessary, for troubleshooting a computer problem).
• When leaving a computer, ALWAYS:
– Log off, OR
– Lock the computer screen (Ctrl-Alt-Del and select lock).
This prevents other users from using your applications.
Access to ePHI: UNs and PWs Cont.
• Creating strong passwords.
– Use at least 6-8 characters.
– Use a minimum of 2 letters and 1 number, and capital and lower case letters.
– Do not use PWs that may be easily guessed, such as: names (spouse’s, pet’s, child’s, etc.), significant dates, words, favorite team names, etc.
Note: UN and PW controls are required by law.
TIP: Use a “pass-phrase” to help you remember your password, such as: MbcFi2yo (My brown cat, Fluffy, is two years old).
Protect Your UNs and PWs
• Memorize your PW. Don’t post UNs and PWs on your computer, notebook, tablet, under your keyboard, etc.
– Lock up your UNs and PWs so they may not be accessed by anyone else.
• If you believe one of your PWs has been compromised, request the IT Department to change it.
– If you think PHI may have been inappropriately accessed, discuss it with the Privacy Officer.
Help Protect Our Systems/Equipment
• It is your responsibility to protect Northwest Counseling & Guidance Clinic’s systems/equipment/computers at all times.
• Do not disable anti-virus software, malware protection, or any other security items unless directed by the IS Department.
• If you have access from offsite (remote Citrix, Outlook web access, VPN, SSL, URL, etc.) and/or a PC, pager, phone, or PDA, this is for your use only.
– Family and friends may not utilize it.
Email Security
• It is against Northwest Counseling & Guidance Clinic policy to forward “joke emails”.
– “Joke” emails frequently have viruses attached to them and they take up a lot of space on our servers.
• Refer to the Release of Information slides for emailing ePHI requirements.
• Please report it to IT if you receive a suspicious and/or threatening email.
Audit Trails of What I Access
The Security regulations require this.
• Northwest Counseling & Guidance Clinic conducts random audits of employee and provider access to determine:
– Appropriateness of access, and
– If access is in compliance with Northwest Counseling & Guidance Clinic policies.
• Audit trails show what patients have been accessed, the date and time of the access, what was accessed, etc.
– If access appears to be inappropriate, the Privacy Officer works with leaders, Human Resources and the employee/provider to determine whether or not it was appropriate.
Audit Trails and HIPAA Violations
What are some common types of HIPAA privacy and security violations found in these audit trails and/or reported? Following are a few examples from which to learn…
Audit Trails: Access to Own ePHI
• An employee viewed his own appointment list. Another employee accessed her own lab results from her own workstation (using her own password). Is this against Northwest Counseling & Guidance Clinic policies?
Audit Trails: Access to Own ePHI
• Yes, it is Northwest Counseling & Guidance Clinic policy that you may not directly access your own medical record, using your own password, in any system/application.
• PHI in the electronic medical record, scheduling/billing system, etc. is considered a part of your medical record. In fact, PHI in all Northwest Counseling & Guidance Clinic systems makes up your medical record.
– To view your medical record, contact the NWCGC Privacy Officer at 715-327-4322.
– To view your appointment list, contact a receptionist in the department in which you schedule appointments.
– To view your billing information, contact the billing office at 715-327-4322.
Audit Trails: Access to a Family Member’s PHI and Unassigned Tasks
• A receptionist scheduled an appointment for her child in a different department/site than she works. Is this against Northwest Counseling & Guidance Clinic policies?
Audit Trails: Access to a Family Member’s PHI and Unassigned Tasks
• Yes. Only schedule appointments as assigned in the departments in which you work. If you don’t work in that department, call the receptionist in that department and request him/her to schedule the appointment.
• Note: while scheduling this appointment, the employee may have viewed appointment information which she did not have the right to see.
• Don’t schedule appointments for or otherwise view, access, edit, etc. family members’ PHI, unless it is a part of your assigned duties, it is an urgent matter, AND nobody else is available to do the job at that time.
Audit Trails: Access to PHI by a Coworker
• An employee asked a coworker to view her appointment list to find the last time the employee had a physical in Internal Medicine. The coworker does not work in the Internal Medicine department. Is this against Northwest Counseling & Guidance Clinic policies?
Audit Trails: Access to PHI by a Coworker
• Yes. It is inappropriate to ask your coworkers to do this if it is not part of their regular assigned job responsibilities.
• If you need to know when you had your last physical, call the department in which you had this appointment (or will be scheduling your next appointment).
Audit Trails: Securing Systems
• When leaving his/her computer, an employee didn’t log off the electronic medical record; another employee then utilized it to look up her own and her family members’ transcriptions, appointment lists, medications, etc.
– Important Note: in this situation, both employees did not follow Northwest Counseling & Guidance Clinic P&Ps, which require:
 Logging off/securing all applications when unattended.
 Using the password protected screensaver when leaving it unattended.
 Not using another person’s login, unless they are training you and directly observing what you do.
Audit Trails: Accessing More Than the Minimum Necessary
• A clinical staff employee is assigned to routinely view and update medications, blood pressure, pulse, and weight for each patient being seen by the provider with whom she works. She was curious and concerned about a particular patient’s health, and therefore viewed several other records, such as lab results and specialist transcriptions.
– Note: It was determined this was a breach of confidentiality as she was not requested by her provider and/or supervisor to access this patient’s additional records.
Audit Trails: Accessing More Than the Minimum Necessary
• We may only access the minimum necessary to complete our assigned job responsibilities. This means we may not access information out of curiosity and/or concern about a patient’s health.
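The audit-trail scenarios above describe what a reviewer looks for: an employee opening their own record, a family member’s record, a task in a department they are not assigned to, or record types beyond their role. The following added example, written for this page and not taken from the HIPAA COW deck or from NWCGC’s applications, turns those rules into an automated first pass over a constructed access-log export. The log columns, the workforce roster (who owns which patient record, who has declared which family members, which department and role each person holds) and the map from role to permitted record types are all assumptions.

```python
"""Review an application access log against the rules in the audit-trail
slides above: no access to your own record, no access to family members'
records outside assigned duties, no scheduling outside your own department,
and no record types beyond the minimum necessary for your role.

Added example for this page; it is not code from the HIPAA COW deck or from
NWCGC's systems. The log columns, the workforce roster and the role-to-record
type map are assumptions a real review would replace with the clinic's own data.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkforceMember:
    user: str
    dept: str
    role: str
    own_mrn: str | None = None                  # the employee's own patient record, if any
    family_mrns: frozenset[str] = frozenset()   # declared family members' records


# Assumed: which record types each role needs for its assigned duties.
ROLE_RECORD_TYPES = {
    "receptionist": {"appointment"},
    "clinical_staff": {"appointment", "medication", "vitals"},
    "provider": {"appointment", "medication", "vitals", "lab", "transcription"},
}

# Constructed roster.
ROSTER = {
    "rsmith": WorkforceMember("rsmith", "family_med", "receptionist",
                              own_mrn="MRN100", family_mrns=frozenset({"MRN200"})),
    "kjones": WorkforceMember("kjones", "family_med", "clinical_staff"),
    "dlee": WorkforceMember("dlee", "internal_med", "receptionist"),
}

# Constructed log export: one row per access event.
ACCESS_LOG = """\
time,user,workstation,action,mrn,patient_dept,record_type
2009-03-31T08:02,rsmith,WS-01,view,MRN300,family_med,appointment
2009-03-31T08:10,rsmith,WS-01,view,MRN100,family_med,appointment
2009-03-31T08:15,rsmith,WS-01,schedule,MRN200,internal_med,appointment
2009-03-31T09:00,kjones,WS-07,update,MRN300,family_med,vitals
2009-03-31T09:05,kjones,WS-07,view,MRN300,family_med,lab
2009-03-31T09:06,kjones,WS-07,view,MRN300,family_med,transcription
2009-03-31T09:30,dlee,WS-12,view,MRN400,internal_med,appointment
"""


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    mrn: str
    rule: str


def review(log_text: str, roster: dict[str, WorkforceMember]) -> list[Finding]:
    """Flag every row that breaks one of the slides' rules. A row can trip
    more than one rule (e.g. a family member scheduled in another department)."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        member = roster.get(row["user"])
        if member is None:
            # A login the roster does not know: terminated user or shared account.
            findings.append(Finding(row["time"], row["user"], row["mrn"], "unknown user"))
            continue
        hits = []
        if member.own_mrn == row["mrn"]:
            hits.append("own ePHI")
        if row["mrn"] in member.family_mrns:
            hits.append("family member's ePHI")
        if row["action"] == "schedule" and row["patient_dept"] != member.dept:
            hits.append("scheduled outside own department")
        if row["record_type"] not in ROLE_RECORD_TYPES[member.role]:
            hits.append("beyond minimum necessary for role")
        findings.extend(Finding(row["time"], member.user, row["mrn"], h) for h in hits)
    return findings


def findings_per_user(findings: list[Finding]) -> dict[str, int]:
    """Who the Privacy Officer needs to follow up with, and how often."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    for f in review(ACCESS_LOG, ROSTER):
        print(f"{f.time}  {f.user:8s} {f.mrn}  {f.rule}")
    print(findings_per_user(review(ACCESS_LOG, ROSTER)))
```

The output is a worklist, not a verdict: the slides allow a family member’s record to be touched when it is an assigned duty, urgent, and nobody else is available, so each hit still goes to the Privacy Officer, leadership and HR for the determination the Audit Trails slide describes. The “unknown user” rule catches logins that no longer belong to anyone on the roster, which is the termination check the Personnel Security slide calls for.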
The following slides provide examples of Privacy and Security violations to help you better understand how they occur so that you may help prevent them.
Security Violations: Downloading Onto PCs
• Users have downloaded software onto Northwest Counseling & Guidance Clinic computers/laptops/tablets. Is this ok?
Security Violations: Downloading Onto PCs
• No. We may not download anything onto our computers, laptops, notebooks, PDAs, etc. without the permission of the IT Administrator or Security Officer.
– This includes not downloading from the Internet, CD, flash drive, DVD, disc, software, etc.
– Why not? The IT Department or Security Officer verifies we have appropriate licenses and virus protection in place.
• Did you know that downloading may slow down our systems?
• Some downloads have interfered with the appropriate functioning of web based EHRs!
Security Violations: Downloading From PCs
• If it is absolutely necessary to copy or save files onto removable media, obtain approval from your Supervisor and encrypt the file so that it may only be accessed by utilizing the password (ask the IT Department how to encrypt a file).
– This includes downloading anything off our computers onto media such as a flash drive, USB, disc, CD, etc.
– Safeguard this removable media, and the password to access the information, at all times so that the information may not be inappropriately accessed.
– Immediately contact the IT Department and Security Officer if a device is lost or stolen.
Other Types of Security Issues and Incidents
• Theft (or loss) of a computer, laptop, PDA.
• Inappropriate usage of Northwest Counseling & Guidance Clinic computers.
• A technology-related situation which results in a significant adverse effect on people, process, technology, facilities, etc., such as:
– A system “glitch” which results in ePHI being accessed and/or sent to an inappropriate recipient.
– A virus that prevents users from being able to access PHI.
What is Misuse of PHI?
Unauthorized:
• Access to…
• Using…
• Taking…
• Possession of…
• Release of…
• Edit of…
• Destruction of…
Patient PHI Without Authorization.
Privacy Violations: How Do They Happen?
• What are some common ways breaches of confidentiality occur?
– Many incident reports happen due to common human errors, such as the following:
Privacy Violations: How Do They Happen?
• Faxing to the wrong individual/location.
• When searching for a patient’s address, her name is typed, her date of birth is not validated, and a patient with the same name is selected instead.
• These can be prevented by double checking you have the right patient’s records prior to releasing PHI.
Privacy Violations: Incorrect Patient on a Form
• Jane Doe’s name, medical record number, and date of birth were placed on a prescription and handed to Molly Sue. Is this considered a breach of confidentiality?
– Yes. If Molly Sue reads Jane Doe’s name on this form, or any other document, it is a breach of confidentiality.
• Request Molly Sue to return the incorrect prescription and contact the Privacy Officer to walk through the reporting process.
Privacy Violations: Incorrect Records Released
• A patient requested we send her 2006 mental health diagnosis to her non-Northwest Counseling & Guidance Clinic provider. In addition to the 2006 mental health diagnosis, we also released her 2004 and 2005 mental health diagnoses. Is this a breach of confidentiality?
Privacy Violations: Incorrect Records Released
• Yes. This is a breach of confidentiality as more information than was requested by the patient was released (the 2004 and 2005 diagnoses).
• Always keep in mind we may only release the minimum necessary PHI to accomplish the purpose of the request – even when releasing to another treating provider, insurance company, etc.
– Request the provider to return the 2004 and 2005 records, and contact the Privacy Officer.
Privacy Violations: Incorrect Patient’s Results Mailed
• The treatment plan of one patient was mailed to a different patient. Is this a breach of confidentiality?
– Yes. It is a breach of confidentiality if the treatment plan includes a different patient’s name.
• Request the patient to return the incorrect treatment plan, document the disclosure, and contact the Privacy Officer.
Privacy Violations: Patient’s Records Sent to Wrong Company
• Patient records were sent to the wrong insurance company. Is this a breach of confidentiality?
– Yes, because this insurance company does not provide coverage for this patient, they did not have a need to know anything about him/her.
• Request the company return the incorrect records, document the disclosure, and contact the Privacy Officer.
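The wrong-patient and over-release mistakes in the slides above come down to two checks a release workflow can enforce: identify the patient by name and date of birth together (two Jane Does must never be resolved by name alone), and send only the records inside the requested scope (the 2006 diagnosis, not 2004 and 2005 as well). The following added example, not the clinic’s system and not code from the HIPAA COW deck, does both and records each disclosure so it can be produced for an accounting of disclosures. The patient registry, the record layout and the disclosure-log fields are assumptions; a real workflow would also verify the requestor and the authorization as the ROI slides describe, and which logged entries must appear in a patient’s accounting is decided by the AOD rules on the earlier slides, not here.

```python
"""Release-of-information helper for the wrong-patient and over-release
scenarios above: confirm the patient with two identifiers (name AND date of
birth), release only the records inside the requested scope, and record the
disclosure so it can be produced for an accounting of disclosures.

Added example for this page; it is not the clinic's system and not code from
the HIPAA COW deck. The patient registry, record layout and disclosure-log
shape are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patient:
    mrn: str
    name: str
    dob: date


@dataclass(frozen=True)
class Record:
    mrn: str
    kind: str
    year: int


@dataclass(frozen=True)
class Disclosure:
    mrn: str
    recipient: str
    purpose: str
    items: tuple[str, ...]


class NoSuchPatient(LookupError):
    """Name and date of birth together matched nobody (or more than one person)."""


# Constructed registry: two different patients share the name "Jane Doe".
REGISTRY = [
    Patient("MRN1", "Jane Doe", date(1971, 3, 14)),
    Patient("MRN2", "Jane Doe", date(1980, 7, 2)),
    Patient("MRN3", "Molly Sue", date(1965, 1, 30)),
]

# Constructed records; only MRN1 has any.
RECORDS = [
    Record("MRN1", "mental_health_diagnosis", 2004),
    Record("MRN1", "mental_health_diagnosis", 2005),
    Record("MRN1", "mental_health_diagnosis", 2006),
    Record("MRN1", "lab", 2006),
]

DISCLOSURE_LOG: list[Disclosure] = []


def find_patient(name: str, dob_iso: str) -> Patient:
    """Select a patient by name AND date of birth. A name alone is never
    enough: here it would silently pick one of two Jane Does."""
    dob = date.fromisoformat(dob_iso)
    matches = [p for p in REGISTRY
               if p.name.casefold() == name.casefold() and p.dob == dob]
    if len(matches) != 1:
        raise NoSuchPatient(f"{len(matches)} patients match {name!r} / {dob_iso}; stop and verify")
    return matches[0]


def release(name: str, dob_iso: str, kinds: set[str], years: set[int],
            recipient: str, purpose: str) -> list[Record]:
    """Release only records of the requested kinds and years (minimum
    necessary), then log the disclosure."""
    patient = find_patient(name, dob_iso)
    in_scope = [r for r in RECORDS
                if r.mrn == patient.mrn and r.kind in kinds and r.year in years]
    if not in_scope:
        raise LookupError("nothing in the requested scope; do not substitute other records")
    DISCLOSURE_LOG.append(Disclosure(
        patient.mrn, recipient, purpose,
        tuple(f"{r.kind}/{r.year}" for r in in_scope)))
    return in_scope


def disclosures_for(mrn: str) -> list[Disclosure]:
    """Everything released about one patient: the raw material for an AOD."""
    return [d for d in DISCLOSURE_LOG if d.mrn == mrn]


if __name__ == "__main__":
    # The slide's scenario done right: only the 2006 diagnosis leaves the clinic.
    sent = release("Jane Doe", "1971-03-14", {"mental_health_diagnosis"}, {2006},
                   "outside treating provider", "treatment")
    print([f"{r.kind}/{r.year}" for r in sent])
    print(disclosures_for("MRN1"))
```

Refusing to release when the scope matches nothing is deliberate: the failure mode on the slides is a well-meaning substitution (a different year, a different Jane Doe), and the safe response is to stop and go back to the requestor rather than guess.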
Release of Information (ROI)
• What PHI may I release?
– What WI Laws and Federal Regulations apply?
• What information can be released without an authorization?
• What are the steps in releasing information?
• When is an authorization required?
• How do I verify the authority and identify the requestor?
• Are there any restrictions which do not allow this release?
• Do I need to document the release?
• Why do I need to be doing all this?
• What are some practical release of information examples?
Please proceed to learn more about how to correctly release PHI.
ROI: Applying the Steps
 I received a request to release a patient's PHI. What now?
 Whether releasing verbally or in writing, determine the following:
  – Is the requestor legally authorized to receive the PHI? Important note: when uncertain, ask the onsite administrator or the Privacy Officer, or obtain a signed authorization from the patient.
  – Is a signed authorization required? If yes, determine whether the authorization is HIPAA and WI compliant (refer to the next slide).
ROI: Valid Authorizations
Elements of a valid authorization:
1. Client/patient name and date of birth.
2. Name of the individual or agency authorized to make the requested disclosure.
3. Name of the person or organization to whom the disclosure is to be made.
4. Purpose of the disclosure.
5. Specific description of the type and amount of information to be released.
   A. If the release includes mental health, alcohol or drug abuse or test results, or developmental disability records, these must be specified.
   B. If the release includes HIV test results, AIDS, or AIDS-related disease, the statement "HIV test results" is required.
6. Statement on the possibility of re-disclosure by the recipient, and that the information is then no longer protected by Northwest Counseling & Guidance Clinic.
7. Right to inspect a copy of the records released (required only for WI DHS 92 records).
ROI: Valid Authorizations
Refer to the HIPAA COW Authorization Form located at http://hipaacow.org/home/PrivacyDocs.aspx
Elements of a valid authorization, continued:
8. Statement of the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.
9. If the release involves marketing and direct or indirect remuneration to Northwest Counseling & Guidance Clinic by a third party, a statement reflecting this.
10. A statement of the right to revoke the authorization in writing, exceptions to the right to revoke, and how to request a revocation.
11. Expiration date or event.
12. Time period during which the authorization is effective.
13. Signature of the client/patient or legal personal representative, and the date signed.
   A. If signed by a legal personal representative, a description of his/her authority to sign.
14. A copy of the form is required to be given to the client/patient.
ROI: Authorization Not
Required
 There are times when an authorization is not needed.
Read on to find out when authorizations are not required…
ROI: Permitted Uses and Disclosures of
PHI Without an Authorization
 Uses and disclosures of PHI for treatment, payment, and health care operations (TPO):
  – Treatment
  – Payment
  – Health Care Operations
 Mandatory disclosures by law.
 If the use of the information does not fall under one of these categories, you must have the patient's signed authorization (written permission) before sharing that information with anyone.
ROI: When is an
Authorization Required?
[Diagram: examples of release situations sorted into two panels, "Authorization Required" and "Authorization Not Required". The individual example labels did not survive extraction.]
ROI: General Wisconsin
“Confidentiality” Laws
 WI laws may require authorizations even though HIPAA doesn't require them. The next few slides summarize a few of the more commonly utilized WI laws…
ROI: General Wisconsin
“Confidentiality” Laws
Statute: 146.82, Wis. Stat.
Summary: Covers general medical health care PHI and authorization requirements.

Statute: 51.30, Wis. Stat.
Summary: Covers PHI relating to mental health, AODA, and developmentally disabled treatment, authorization requirements, and penalties.

Statute: DHS 92, Adm. Code
Summary: Further covers confidentiality of mental health treatment records (with 51.30).

Statute: DHS 144, Adm. Code
Summary: Covers release of immunizations between vaccine providers, and to schools specifically for minors.
ROI: General Wisconsin
“Confidentiality” Laws
Statute: 102.13 & 102.33, Wis. Stat.
Summary: Covers records reasonably related to a worker's compensation claim and release to the employee (patient), employer, worker's compensation insurer, or Department with a written request.

Statute: 610.70, Wis. Stat.
Summary: Covers disclosure of personal medical information by insurers.

Statute: 252.15, Wis. Stat.
Summary: Covers health care information relating to HIV testing and authorization requirements.
ROI: Other Regulations to
Consider
Statute: 42 CFR, Part 2
Summary: Federal Alcohol and Drug Regulations, which cover use and release of a patient's drug and alcohol abuse records in a federally assisted program.
ROI: Identity Verification
 Prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as:
  – Name
  – Date of birth
  – Address
  – Other identifiers: Social Security number, mother's maiden name
 Identify someone other than the patient by requesting that he provide you with all of the above information, as well as his relationship to the patient. Have the requestor state the identifiers; do not read them out for the requestor to confirm.
  – Check a physical signature against a known one on file
  – Make a call-back to a known number
  – Ask for a photo ID
  – Ask for a business card
 Refer to the HIPAA COW Identity Verification Policy located at http://hipaacow.org/home/PrivacyDocs.aspx
 Provide only the minimum necessary to safeguard PHI.
ROI: Authority Verification
 Once you know who the requestor is, be sure he or she has the right to access this information.
 Routine requests from employees you know in our organization, who have a need to know the information for business reasons, are OK.
 Unusual requests from individuals you don't know can be risky, so before sharing PHI:
  – Ask your supervisor.
  – And/or check your procedure.
Who are you?
ROI: Individual Needs to
Find Patient In Any Setting
 If an individual would like to find out whether a patient is in our facility:
  – Do not confirm or deny that the patient is here, and politely end the phone call.
  – After ending the call, notify the client (and/or parent/guardian in the case of a minor client) that the individual inquired about them, and ask how they would like to proceed for future contacts with this person.
ROI:
Minimum Necessary
 Release only the requested PHI, and only include sensitive PHI (mental health, HIV/AIDS, STDs, etc.) if specifically authorized.
 Release the minimum necessary (note: this may be less than what was requested).
  – Limit access to what is needed to accomplish the purpose for which the request was made (or that which was authorized).
  – May not disclose an entire medical record unless it is specifically justified as the amount of PHI that is reasonably needed to accomplish the purpose for the use or disclosure.
ROI: Documentation
 Document the release when required by law and by our organization's policies. See the "Accounting of Disclosures" policy in the HIPAA policy manual.
 Effective April 1, 2008, Wisconsin Statute 146 no longer requires documentation of disclosures for purposes relating to treatment (providing and coordinating care), payment (billing for services rendered), and health care operations (internal business).
ROI: Documentation
(Continued)
 Document the release per WI Statute, HIPAA, and our organization's policies. See the "Accounting of Disclosures" policy in the HIPAA policy manual.
 For example, HIPAA requires documentation of breaches, public health reporting, etc. This documentation would be made directly into the client's file.
ROI: Documentation
(Continued)
 What are we required to document?
  – Date of the disclosure
  – The name of the person the PHI was released to (and address, if known)
  – A brief description of the PHI disclosed
  – The purpose of the release
Other suggested items, not required:
  – Received date
  – Who released the information
  – How the information was disclosed *
* Also required if the information is from a 51.30 treatment record.
ROI: Documentation
 Why do we have to document when we release PHI (when required by law)?
  – Patients have the right to request from us a record of what PHI was released and to whom (Accounting of Disclosures).
ROI:
 Note: these steps must be followed each time you release information, verbally or in writing.
 Wow! That's a lot to know! Were you aware you can ask the onsite administrator and/or the Privacy Officer if you have questions or concerns related to the release of information?
 That's right! If you aren't absolutely 100% certain whether or not you can (or how to) release information, STOP and ask for help by calling 715-327-4322, extension 126.
Following are some examples of release situations…
ROI: Family and Friends
 Patient present and alert: the patient decides.
 Patient incapable of making wishes known: inferred permission to discuss current care.
 Care or payment:
  – Information needed for the patient's care.
  – Must clearly be involved in payment for care (involvement is obvious, or the patient stated so).
 Notify family or friend(s):
  – When involved in their care.
  – Of the patient's general condition.
  – Of the patient's location.
  – When the patient is ready for discharge.
  – Of the patient's death.
Note: paper copies may not be released under these examples.
ROI: Divorced Parents
 A parent calls to get information on their child. Can you release it?
  – If the parents are divorced, either parent may get access to the records with a proper release. Assume that they can get records unless told otherwise.
  – In the case where the parental rights of one parent have been terminated, the parent with sole rights is responsible for providing the information.
  – When in doubt, call the parent who has physical placement to ask whether the other parent is allowed to obtain records. If they say no, then they would be required to present the corresponding court documents. If they say yes, obtain permission and document what was provided.
ROI: Legal Guardians
 An individual calls to discuss appointment information with you for a patient and states he is the patient's Legal Guardian. May I discuss this with the individual?
  – Yes, after verifying that the individual is the patient's Legal Guardian and has access rights to the type of records being requested. Here's how to verify:
 Prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as:
  – Name
  – Date of birth
  – Address
  – Other identifiers: ask them to verify other identifying information that we would have in the client file (Social Security number, etc.).
ROI: Step-Parents
 A step-parent calls to discuss her stepchild's care. May you discuss this with her?
  – No, unless the step-parent is a legal guardian and we have the guardianship papers on file, or a legal guardian has provided authorization.
  – Step-parents may call to schedule appointments, but do not have access to their step-children's PHI without authorization by a legal guardian.
ROI: Foster Parents
 Can foster parents get information on the child they are caring for?
  – Yes, if they have guardianship, other court papers, or an authorization from the birth parent, allowing them the right of access.
  – If they don't have any legal papers and a health care provider is in need of the information, you may release directly to the care provider.
ROI: Workers’ Compensation
PHI to an Employer
 When releasing workers' compensation records to an employer and/or work comp carrier, may I release the rest of the patient's medical history (not related to the work comp claim with that employer)?
  – No. The patient's employer and work comp insurance carrier have the right to only those records reasonably related to the workers' compensation claim/condition without an authorization.
  – Ask the patient to sign an authorization form to release additional types of records.
ROI: Leaving Messages
 A spouse answers the phone, or the voice mail picks up. What information may I provide? Unless the client has requested that we not call their home or leave them messages:
  – State your first name and that you are calling from Northwest.
  – Ask the patient to return your call, and provide your direct phone number.
  – Do not provide detailed information, other than an appointment reminder.
  – Example: "This is Sally from Northwest calling for Johnny Doe. Please call me back at your earliest convenience at (the phone number where you can be reached). Thank you."
  – Double check that you ended the call.
ROI: Faxing PHI
 May we fax PHI?
  – Yes, we may fax PHI, but only when it is in the best interest of patient care or payment of claims.
  – We may not fax sensitive PHI (HIV, mental health, AODA, STDs, etc.) unless approval is given on the ROI.
  – It is best practice to test a fax number prior to faxing PHI to it. If this is not done, then complete the following:
     Restate the fax number to the individual providing it to you.
     Obtain a telephone number to contact the recipient with any questions.
     Do not include PHI on the cover sheet.
     Verify you are including only the correct patient's information (i.e., check the top and bottom pages).
     Double check the fax number prior to sending.
ROI: Email
 When sending ePHI to anyone for treatment, payment, or health care operations, encrypt the email and verify that the organization's confidentiality email disclaimer is included on the email.
And now, for some
general safeguarding
tips…
How else can I protect our patients’ PHI?
Safeguarding: Discussing PHI
 You never know who may overhear you discussing a patient. The patient or coworker could be the patient's neighbor, best friend, cousin, etc.
  – Remember to talk quietly.
  – When possible, discuss PHI privately, such as behind a closed door.
  – Avoid having discussions in patient waiting rooms, elevators, the cafeteria, etc.
Safeguarding PHI:
Approaching a Co-worker
 You need to talk with a co-worker, but she is talking with a different patient to schedule his appointment. What should you do?
  – Give your co-worker the privacy to finish working with that patient, and approach her when she is done.
Safeguarding: Seeing a Patient
Outside [Organization]
 You're walking through the grocery store one day and see a Northwest Counseling & Guidance Clinic patient. What should you do?
  – It's OK to say hello, but don't ask the patient "how she's doing" or questions about her health. It's OK to listen if she offers to update you on her health.
  – Let the patient approach you first, but don't make it seem like you are trying to avoid her.
Safeguarding: Talking
with Friends About Work
 You had a negative encounter with a patient and really need to vent to a friend after work. What can you discuss?
  – Working in health care isn't easy, and patient confidentiality MUST be maintained at all times: at work, during non-work hours, and after your employment with the organization ends.
Here are some helpful tips…
Safeguarding: Talking
with Friends About Work
 Do not share with family, friends, or anyone else a patient's name, or any other information that may identify him/her. For instance:
  – It would not be a good idea to tell your friend that a patient came in to be seen after a severe domestic dispute incident.
 Why? Your friend may hear about the domestic dispute on the news and know the person involved.
 Do not inform anyone that you know a famous person, or their family members, were seen at this organization.
Safeguarding PHI: Media
 If I am contacted by the media, may I release PHI to them? If I am contacted by an individual offering to pay me for PHI, may I release it to them?
  – No! You may not release PHI under either of these circumstances. Both are grounds for disciplinary action.
  – Refer the requestor to the Privacy Officer.
Safeguarding PHI: Delivery
 I need to transport paper records/PHI to another department. Is it OK for me to do this?
  – Yes, you may transport documents to another department.
  – Secure them so you don't drop them:
     Carry them close to your person.
     Carry them in a facility-designated bag, box, or container.
     Ensure no names are visible.
     Ensure that no records are left unattended.
Safeguarding PHI:
Transporting Offsite
 When necessary to transport PHI externally:
  – Place it in a locked briefcase, closed container, or sealed self-addressed interoffice envelope;
  – Place PHI in the trunk of your vehicle, if available, or on the floor behind the front seat;
  – Lock vehicles when PHI is left unattended.
 You may not transport patient charts between departments or offsite unless authorized by the onsite administrator.
Safeguarding PHI:
Interoffice Mail
 Send all PHI in sealed interoffice envelopes.
  – Verify all old PHI was removed from the envelope before stuffing it.
  – Address them to the correct individual and department.
  – Mark the envelope "confidential".
  – Confirm you are sending the correct PHI.
Safeguarding PHI:
Paper
 Turn over/cover PHI when you leave your desk/cubicle so others cannot read it.
  – If you have an office, you have the option of closing your door instead.
 Turn over/cover PHI when a coworker approaches you to discuss something other than that PHI.
Safeguarding PHI:
Paper Continued
 Don't leave documents containing PHI unattended in fax machines, printers, or copiers.
 Check your fax machine frequently so documents are not left on the machine.
Safeguarding PHI:
Disposal
 How should I dispose of confidential paper?
  – Shred it or place all confidential paper in the designated confidential paper bins.
 Does this include Post-it notes, scratch paper, envelopes, and old non-confidential documents we no longer need?
  – No. Please put these in the recycling paper bins!
 Does this include tissue, paper plates, cardboard, and pizza boxes?
  – No. Please put these items in the regular trash or other appropriate recycling container!
 How should I dispose of electronic media (floppy disk, CD, USB drive, etc.)?
  – Provide electronic media to the IT Department for disposal.
Facility Security
 How can I help protect our facilities?
  – Wear your ID badge at all times, if provided (it helps identify you as a Northwest Counseling & Guidance Clinic employee/provider).
  – Only let employees enter through employee entrances with you.
  – Keep hallway doors that lead to patient care areas closed.
  – Require vendors and contracted individuals to sign in.
What are Restricted Areas?
 Restricted areas are those areas within our facilities where PHI and/or organizationally sensitive information is stored or utilized.
  – Receptionist stations
  – Business office windows
  – Records Department
  – Patient care hallways/treatment areas
  – Offices
  – Storage closets and cabinets
  – Accounting, Human Resources, Administration Offices, IT Department, etc.
  – Employee meeting rooms/kitchens in the departments
  – Areas containing potential safety hazards (e.g., medical imaging, lab, nuclear medicine, etc.)
Facility Security
Continued…
  – If you see someone in a restricted area and you do not recognize them, kindly ask "May I help you?"
     Escort the individual out of the restricted area and to the individual/area he/she is visiting.
Business Associate
Agreements
 If you initiate negotiations to contract with a company to perform, or assist in the performance of, a function or activity involving the use or disclosure of PHI, please contact the Northwest Counseling & Guidance Clinic Privacy Officer to obtain a Business Associate Agreement (BAA). Examples of when to obtain a BAA with a company include:
  – Claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; and
  – Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Other Confidentiality
Agreements
 When initiating a contract with a company to perform work for Northwest Counseling & Guidance Clinic which will not have direct access to PHI, request that they sign a Confidentiality Agreement.
HIPAA and Your Role
 Remember, it is your responsibility, as a Northwest Counseling & Guidance Clinic employee or provider, to comply with all privacy and security laws, regulations, and Northwest Counseling & Guidance Clinic policies pertaining to them.
 Employees and providers suspected of violating a privacy or security law, regulation, or Northwest Counseling & Guidance Clinic policy are provided a reasonable opportunity to explain their actions.
 Violations of any law, regulation, and/or Northwest Counseling & Guidance Clinic policy will result in disciplinary action, up to and including termination.
HIPAA Violations:
-How Much is Enough?
-How Much is too Much?
 There are three types of violations:
  – Incidental
  – Accidental
  – Intentional
Incidental Violations
 If reasonable steps are taken to safeguard a patient's information and a visitor happens to overhear or see PHI that you are using, you will not be liable for that disclosure.
 Incidental disclosures are going to happen…even in the best of circumstances.
 An incidental disclosure is not a privacy incident. This type of disclosure is not required to be documented.
Accidental Violations
 Mistakes happen. If you mistakenly disclose PHI or provide confidential information to an unauthorized person, or if you breach the security of confidential data:
  – Acknowledge the mistake and notify your supervisor and the Privacy Officer immediately.
  – Learn from the error and help revise procedures (when necessary) to prevent it from happening again.
  – Assist in correcting the error only as requested by your leader or the Privacy Officer. Don't cover up or try to make it "right" by yourself.
Accidental disclosures are Privacy Incidents and must be reported to your Privacy Officer immediately! It is required to document this disclosure.
Intentional Violations
 If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect:
  – Disciplinary action, up to and including termination.
  – Civil and/or criminal charges.
 Examples include:
  – Accessing PHI for purposes other than assigned job responsibilities.
  – Attempting to learn or use another person's access information.
If you're not sure about a use or disclosure, check with your Supervisor or the Privacy Officer.
Reporting HIPAA Violations
 If you are aware or suspicious of an accidental or intentional HIPAA violation, it is your responsibility to report it.
  – Northwest Counseling & Guidance Clinic may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who in good faith reports a violation (whistleblowing).
  – Refer to the Office for Civil Rights web page http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html for more examples of what and how to report.
It’s Important to Report
HIPAA Violations…
 So they can be investigated, managed, and documented.
 So they can be prevented from happening again in the future.
 So damages can be kept to a minimum.
 To minimize your personal risk.
 In some instances, management may have to notify affected parties of lost, stolen, or compromised data.
Incidental disclosures need not be reported, but if you're not sure, report them anyway.
Patient Complaints
 Report all patient complaints.
 We are required by law to respond to privacy and security complaints.
How May I Report a
HIPAA Privacy Violation?
 Directly to your Supervisor, who in turn reports it to the Privacy Officer.
 Call or email the Privacy Officer.
How May I Report a
HIPAA Security Violation?
 If it involves a breach of patient confidentiality, report it through the same methods listed for Privacy Violations.
 If it does not involve a breach of confidentiality, report it through one of the following methods:
  – The same methods listed for Privacy Violations
  – Call or email the Security Officer.
Questions, Comments,
Concerns…
Not sure which way to go?
 Please contact your Privacy Officer at 715-327-4322, extension 126, [email protected]
 Please contact your Security Officer at 715-327-4322, extension 126, [email protected]
Remember to complete
your training
documentation and turn
it into your supervisor.
Thank you, from....
The Privacy and
Security Committees
Refer to the HIPAA COW website for privacy, security, and EDI reference materials: http://hipaacow.org/home/home.aspx
HIPAA: Hand In-hand Protecting All Accounts!
HIPAA COW Authors
 Primary author: Holly Schlenvogt, MSH, ProHealth Care Medical Associates, Privacy Officer
 Contributing authors:
  – Cami Beaulieu, Red Cedar Medical Center, ROI Supervisor and Privacy Assistant
  – Jane Duerst Reid, RHIA, Clear Medical Solutions, HIM Consultant
  – Linda Huenink, MS, RHIA, Wk Co. Dept. of Health & Human Services, Records Supervisor
  – Carla Jones, Senior Staff Attorney/Privacy Officer, Marshfield Clinic Legal Service
  – Kathy Johnson, Privacy & Compliance Officer, Wisconsin Dept. of Health Services
  – Melissa Meier, ProHealth Care Medical Associates, Corporate Compliance Coordinator
  – Kim Pemble, Executive Director, WI Health Information Exchange (WHIE)
  – LaVonne Smith, Information Services Director, Tomah Memorial Hospital
 Reviewed by: HIPAA COW Privacy & Security Networking Groups