When Required or Permitted by Law

Transcript When Required or Permitted by Law

Regulatory Training
Privacy & Information Security
Learning Objectives
This course will help you comply with privacy, information
security, and identity theft regulations. After completing this
course, you should be able to:
• Distinguish between which uses and disclosures of protected
health information are allowed and not allowed under the
HIPAA Privacy Rule.
• Recognize safeguards required to ensure the security and
integrity of electronic protected health information.
• Recognize a security breach under federal or state Identity
Theft Laws.
• Identify where to report concerns regarding these topics.
Privacy & Information Security
Introduction
As a worker in the health care industry, you are affected by multiple laws and
regulations establishing requirements related to privacy, information security,
and identity theft.
This lesson will:
• Provide an overview of the HIPAA privacy laws and regulations;
• Describe the organization's responsibilities; and
• Describe your responsibilities at UMass Memorial.
For more information, including UMass Memorial policies and forms, go to the
Privacy & Information Security website.
Privacy Rule
This section reviews the Health Insurance Portability and Accountability Act
(HIPAA) Privacy Rule.
The Privacy Rule sets the first national standards for protecting the
confidentiality of protected health information (PHI). The goal of the Privacy
Rule is to balance two important aspects of health care:
1. Protecting the privacy of patients
2. Allowing the flow of health information when needed to:
   • Ensure high quality health care
   • Protect public health
What is PHI?
Protected Health Information (PHI) is defined as all individually identifiable
health information created, transmitted, received or maintained by a covered
entity (UMMMC). This includes any information, including demographics, that
identifies or could reasonably identify an individual, their health or condition,
their treatment, or the provision of or payment for their health care.
Identifiable information includes: name, address, city, county, zip code, names
of relatives, names of employers, birth date, telephone number, fax number,
e-mail address, social security number, any vehicle or other device serial number,
web URL, Internet Protocol address, finger or voice prints, photographic
images, and any other unique identifying number, characteristic or code.
Examples of PHI in the Workplace:
• Communications: Switchboard, hallway conversations, dictation, shift
reports, appointment scheduling, telephone conversations and meeting
discussions.
• Paper Documents: Medical records, prior authorizations, white boards,
clinic reports, shift reports, wristbands, encounter forms, requisitions,
dietary cards, medication labels and downtime logs.
• Electronic Documents/Displays: Claims, computer screens, patient
monitors, identifiable photos, EKG strips, films, test results, e-mail, faxes
and electronic files.
What is a Business Associate?
A Business Associate (BA) is a person or organization that uses PHI (including
electronic PHI) to perform a service or function on behalf of UMass Memorial.
Examples include outsourced transcriptionists and coders, billing services,
financial institutions, contracted vendors, and collection agencies.
• Specific contract language is required with BAs to make certain they will
properly safeguard all PHI.
• Managers involved in the review, approval and authorization of contracts
must ensure the UMass Memorial approved Business Associate Agreement
(BAA) is in place before disclosing PHI to an outside party.
• Do not disclose more than is necessary for the BA to complete the agreed
upon function.
• When in doubt, call the Office of the General Counsel or the Privacy &
Information Security Offices.
Allowable Uses & Disclosures
Without Authorization
Minimum Necessary:
• For all uses/disclosures of PHI under the Privacy Rule, except treatment, we must
only use/disclose the minimum amount of PHI necessary.
• Workforce members may only access, use, or disclose records of patients under their
care or related to their job duties. Accessing the records of family members, friends,
co-workers, or others is not permitted without the patient's written authorization.
In addition to communicating with the patient, the Privacy Rule allows use/disclosure of
PHI by a covered entity, without authorization, for the purpose of:
• Treatment activities
• Payment activities
• Health care operations activities
• De-identified information
Allowable Uses & Disclosures
The Privacy Rule allows use/disclosure of PHI by a covered entity, without
authorization, for the purposes of:
Treatment Activities
PHI may be used/disclosed among providers when two or more
providers:
• Provide health care services for a patient
• Coordinate health care services for a patient
• Manage health care services for a patient
Examples include:
• Consultation between providers
• Referral from one provider to another
Payment Activities
PHI may be used/disclosed by a health plan to:
• Obtain premiums
• Determine responsibility for coverage/benefits
• Fulfill responsibilities for coverage/benefits
• Give or receive payment for health care provided to a patient
PHI may be used/disclosed by a provider to:
• Obtain payment for providing care to a patient
• Obtain reimbursement for providing care
Health Care Operations
PHI may be used/disclosed when an organization is:
• Performing quality assessment and improvement activities
• Conducting training, certification and licensing activities
• Evaluating provider competency
• Conducting or arranging for medical services, audits or legal
services
• Performing certain insurance functions
• Planning, developing, managing or administering business
activities
De-identified Information
Health care information that is stripped of all identifying information
and unique characteristics or codes, including:
• Name
• Address, including:
   • street address
   • city
   • county
   • zip code
   • equivalent geocodes
• Names of relatives and employers
• Birth date
• Telephone and fax numbers
• E-mail addresses
• Social security number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web URL
• Internet Protocol (IP) address
• Finger or voice prints
• Photographic images
• Any other unique identifying number, characteristic, or code
Allowable Uses & Disclosures
Without Authorization
(When Required or Permitted by Law)
Protected health information may be used, disclosed,
and tracked by authorized members of the workforce in
preparation for disclosure required or permitted by law.
The individual who discloses the information is
responsible for verifying the identification of the
requester through picture identification and/or
reviewing a written request on official letterhead. These
uses/disclosures include:
• Public health activities
• Victims of abuse or neglect
• Health care oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes (limited disclosure may be permitted)
• Decedents
• Organ donation
• Serious threat to health or safety
• Specialized government function
• Workers' compensation
Public Health Activities
Public health activities authorized by law such as disease prevention/control
(vital statistics including births and deaths, child abuse or neglect, public
health investigation and intervention, communicable diseases, reporting
adverse events, product tracking, work related injuries).
Victims of Abuse or Neglect
Disclosures about victims of abuse or neglect to authorized government
agencies.
Health Care Oversight Activities
Health care oversight activities when agencies are looking into the health
care system or government benefits programs, as well as civil and criminal
investigation from health oversight agencies.
Judicial and Administrative Proceedings
Judicial and administrative proceedings pursuant to a court order or administrative tribunal.
Absent an order of, or a subpoena issued by, a court or administrative tribunal, UMMMC
may respond to a subpoena or other lawful process by a party to the proceeding only if the
following are provided:
(1) Satisfactory assurances that reasonable efforts have been made to give the individual
whose information has been requested notice of the request; or
(2) Satisfactory assurances that the party seeking such information has made reasonable
efforts to secure a qualified protective order that prohibits disclosure except for the stated
purpose and requires return or destruction of the information at the end of the litigation or
proceeding, or provides notice to the individual regarding the protective order;
(3) Limited to expressly authorized PHI.
Law Enforcement
Limited disclosure may be permitted, but is not usually required, for law
enforcement purposes related to crime victims, crime on the premises,
identification of possible criminals pursuant to a court order or warrant, or a
subpoena or summons issued by a judicial officer, state or federal grand
jury subpoena, administrative subpoenas or summons, civil or authorized
investigative demands, or similar process authorized by law (suspect,
fugitive, material witness, or missing person, victim of a crime, emergency
calls or deaths suspected to be related to criminal conduct).
Information about Decedents (Deceased Patients)
About decedents to coroners, funeral directors, medical examiners to
identify a body, determine cause of death or perform other functions
allowed by law.
Organ Procurement Organizations
To organ procurement organizations for cadaveric donation of organs, eyes,
tissues.
Serious Threat to Health or Safety
To prevent or lessen serious threat to health or safety.
Specialized Government Function
For specialized government function such as military and veterans
activities, national security and intelligence, protective services for the
President, medical suitability for Department of State officials, to
correctional institutions if necessary for health and safety.
Workers’ Compensation
For workers’ compensation (subject to minimum necessary) and in
accordance with workers’ compensation laws.
Allowable Uses & Disclosures
With Authorization
Allowable uses and disclosures, with authorization, include:
• Disclosure to Patient or Authorized Representative
   • Minimum Necessary does not apply
• Employee as Patient
   • Authorization for Electronic Access must be submitted before accessing your record
• Disclosure to 3rd Parties
   • Pre-Employment
   • Disability/Life Insurance Application or Claims
   • Attorneys/Legal Cases
• Research Use Requiring Authorization
   • Clinical Trials
• Marketing
• Targeted Fundraising
• Informal permission, or the patient has the opportunity to agree or object
   • Listing a patient's contact information in the patient hospital directory when
   the patient has not opted out
   • Dispensing a filled prescription to a patient's family member
   • Informing a caretaker or a patient's family of the patient's condition
Allowable Uses & Disclosures
With Authorization
With allowable uses and disclosures with authorization, the patient has the
opportunity to agree or object.
This means the patient has an opportunity to:
• Give informal permission
• Be given a clear chance to either agree or object to the disclosure
If the patient is not available or able to agree or object, this sort of
use/disclosure is still allowed if the covered entity believes the use/disclosure is
in the best interest of the patient.
Information Security
This section describes several laws and regulations that establish information
security requirements for UMass Memorial.
In general, these laws and regulations require UMass Memorial to ensure the
confidentiality, integrity, and availability of patient data.
This section also describes information security standards contained in the
UMass Memorial Acceptable Use of Electronic Resources Policy that apply to all
UMass Memorial workforce members.
Security Rule Requirements
The HIPAA Security Rule requires UMass Memorial to:
• Ensure the confidentiality, integrity, and availability of all electronic
protected health information the covered entity creates, receives,
maintains, or transmits;
• Protect against any reasonably anticipated threats or hazards to the security
or integrity of such information;
• Protect against any reasonably anticipated uses or disclosures of such
information that are not permitted or required; and
• Ensure compliance by UMass Memorial’s workforce.
Acceptable Use
UMass Memorial's Acceptable Use of Electronic Resources Policy defines the
"acceptable use" of electronic resources, including software, hardware devices
and network systems. Included in the policy are standards for:
• Remote Access/Working at Home;
• Wireless and Mobile Computing Devices;
• Internet Use and Standards; and
• Workstation Use and Security and E-mail Security.
The full Acceptable Use of Electronic Resources policy is available on the
Privacy & Information Security website.
Your Responsibilities
Your security responsibilities include:
• Secure E-mail - Always use secured messaging when sending e-mails containing
confidential information outside the UMass Memorial network. To encrypt an e-mail,
type the word “secure” in the subject line. Be certain to always double-check all “to”
and “cc” fields prior to sending any e-mails.
• E-mail abuse - Do not send any information that you would not want to see in your
personnel file.
• Internet abuse - Do not post any confidential information to an internet site
(e.g., Facebook, MySpace, Twitter).
• Lock your workstation - When leaving your workstation, always lock it by pressing
Ctrl-Alt-Delete and then Enter, or log out.
• Never share your username and password. These represent your unique identity and
your access to key systems/applications.
• Protect mobile devices when traveling; never leave them unattended. Devices such as
laptops and smartphones are easily lost or stolen.
• Shred copies of confidential paper documents or place them in secured disposal
consoles.
• Identify and report security violations to your manager and the Privacy and
Information Security Offices.
• Wear your ID badge and challenge unknown people in your work area who are not
wearing an ID.
Identity Theft:
FTC Red Flags
The Federal Trade Commission (FTC), along with other federal bank
regulatory agencies, issued the Red Flags Rules which require financial
institutions and creditors to develop, implement, and document
identity theft prevention programs.
Red Flags are patterns, practices, or specific activities that could
indicate identity theft. Examples include:
• A complaint or question from a patient based on the patient’s receipt of a bill for a
product or service that the patient denies receiving; or
• Records showing medical treatment that is inconsistent with a physical examination,
or with a medical history as reported by the patient; or
• A patient or insurance company report that coverage for legitimate hospital stays is
denied because insurance benefits have been depleted or a lifetime cap has been
reached; or
• A patient who has an insurance number but never produces an insurance card or
other physical documentation of insurance.
Identity Theft:
Program Requirements
UMass Memorial is required to protect patients and
workforce members through the establishment of a
written program dedicated to preventing, detecting, and
responding to potential and actual identity theft.
Program Requirements include:
• Identifying relevant Red Flags for the covered accounts
that UMass Memorial offers or maintains, as well as
the Red Flags for the personally identifiable
information of UMass Memorial’s workforce members;
• Detecting Red Flags indicating potential or actual
identity theft;
• Responding appropriately to any Red Flags that are
detected; and
• Updating the program periodically to reflect changes to
the risk of patient and workforce member identity
theft.
The Policy to Prevent, Detect, and Address Identity Theft is available on the
Privacy & Information Security website.
Identity Theft - Massachusetts Data
Security Regulations
Similar to the Federal Red Flags Rules, Massachusetts has laws related to the
security of personal information that:
• Establish requirements for notification to state government and consumers in the
event of a data security breach;
• Establish a consumer’s right to request a security freeze; and
• Establish requirements for destruction and disposal of records containing a
consumer’s personal information.
Personal information is a Massachusetts resident's first and last name, or first
initial and last name, combined with:
• SSN, or
• Driver's license number or state-issued ID number, or
• Credit/debit card number or bank account number
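The Massachusetts definition above is a conjunction rule (a qualifying name plus at least one data element), which is exactly what a data-inventory or disposal-review script has to encode. The Python below is an added example, not part of the course or any UMass Memorial tool; the Record field names are an assumption and the sample records are constructed. It classifies records against the definition, reports which data elements triggered the match, and shows that blanking the data elements (the redaction option the regulation names) leaves a record that no longer meets the definition.

```python
from dataclasses import dataclass
from typing import List

# Hypothetical record layout (an assumption for this example); the fields mirror
# the data elements named in the Massachusetts definition of personal information.
@dataclass
class Record:
    first_name: str = ""        # full first name or first initial
    last_name: str = ""
    ssn: str = ""
    state_id: str = ""          # driver's license or state-issued ID number
    account_number: str = ""    # credit/debit card or bank account number


def has_qualifying_name(rec: Record) -> bool:
    """First name (or first initial) combined with last name; last name alone is not enough."""
    return bool(rec.first_name.strip()) and bool(rec.last_name.strip())


def triggering_elements(rec: Record) -> List[str]:
    """Names of the data elements present in the record (empty list if none)."""
    candidates = (("ssn", rec.ssn),
                  ("state_id", rec.state_id),
                  ("account_number", rec.account_number))
    return [name for name, value in candidates if value.strip()]


def is_ma_personal_information(rec: Record) -> bool:
    """Both halves are required: a qualifying name AND at least one data element."""
    return has_qualifying_name(rec) and bool(triggering_elements(rec))


def redact_data_elements(rec: Record) -> Record:
    """Blank the data elements so the remaining record no longer meets the definition."""
    return Record(first_name=rec.first_name, last_name=rec.last_name)


def records_needing_secure_disposal(records: List[Record]) -> List[int]:
    """Indexes of records that must be redacted, shredded or placed in a locked bin."""
    return [i for i, rec in enumerate(records) if is_ma_personal_information(rec)]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("J", "Smith", ssn="000-00-0000"),                 # initial + last name + SSN
    Record("", "Smith", ssn="000-00-0000"),                  # no first name or initial
    Record("Maria", "Lopez"),                                # name only, no data element
    Record("Maria", "Lopez", account_number="4000000000000000"),
    Record("", "", state_id="S00000000"),                    # data element but no name
]

if __name__ == "__main__":
    for i in records_needing_secure_disposal(SAMPLE_RECORDS):
        print(i, triggering_elements(SAMPLE_RECORDS[i]))
```

Only records 0 and 3 are flagged: the SSN on its own (record 1) and the state ID on its own (record 4) do not meet the definition without a qualifying name, and a name without a data element (record 2) does not either.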
Identity Theft - Massachusetts Data
Security Regulations
• A data security breach is the unauthorized acquisition or unauthorized use of
personal information that creates a substantial risk of identity theft or fraud against
a resident of the Commonwealth of Massachusetts.
• Personal information can be found in many areas such as HR, Payroll, Billing
Offices, Finance, Registration and treatment areas.
• The Massachusetts ID Theft Law requires proper disposal of personal information by
either redacting, burning, pulverizing or shredding so that the data cannot be read or
reconstructed.
• Use locked disposal bins and consoles to dispose of any personal information no
longer needed, or use a department shredder if one is available.
• Any breach involving personal information must be reported to the Privacy &
Information Security Office so appropriate individuals and agencies may be notified.
Penalties for Violations
Penalties for Privacy & Information Security Violations
• External Agency Enforcement (OCR, DOJ, OIG)
   • Civil and criminal penalties will be applied to covered entities and individuals as
   determined by these agencies for inappropriate disclosure of PHI.
• UMass Memorial Corrective Action Enforcement
   • Violations of UMass Memorial policies causing privacy or information security
   breaches are likely to result in termination of employment or contracted service.
• Examples of Breaches:
   • Discussing or leaving PHI in a public area; leaving a computer unattended in an
   accessible area with PHI unsecured; leaving your password visible on or near your
   computer
   • Unauthorized access, which includes requesting another individual to access your
   medical record; looking up family, friend, or co-worker information; using someone
   else’s user ID & password; posting pictures of patients or procedures to social
   networking sites
   • Obtaining information to use in a personal relationship; obtaining PHI for a
   pending legal case
   • Loss or unauthorized destruction of confidential information
Questions and Complaints
Patients or workforce members who wish to file a complaint about alleged
privacy violations or information security incidents have the following reporting
options available:
• Notify your supervisor or manager
• Call the Privacy & Information Security Hotline with any questions or
suspected violations: 508-334-5551
• E-mail the Privacy & Information Security Offices at:
[email protected]
• File a complaint with the Department of Health & Human Services (DHHS)