Welcome to Elmcroft Information Systems
HIPAA Privacy & Security
Training Module
What we want to accomplish
Understand HIPAA Privacy Rule
Understand who it applies to
Discuss PHI
Define PHI
Identify how and when it is used and disclosed
Identify the right amount of PHI to use or disclose
Talk about patient rights under HIPAA
Understand a breach
Review responsibilities and safeguards
What is HIPAA?
Health Insurance Portability and
Accountability Act of 1996
Federal law
Comprised of Five Sections
Administrative Simplification
Electronic Transactions and
Code Sets Rule
Privacy Rule
Security Rule
Privacy Rule v. Security Rule
Privacy Rule identifies what information is to be
protected and outlines the individual’s rights to control
access to their health information
Security Rule defines how to protect protected health
information in electronic form, called ePHI
Education
The education that you are receiving today will focus on learning what responsibilities
you have in order to ensure Elmcroft complies with HIPAA Privacy and HIPAA Security
Regulations. The following topics will be covered:
HIPAA PRIVACY
HIPAA SECURITY
Protected Health Information
Electronic Protected Health Information
Minimum Necessary
User Identity
Patient Rights
Password Management
Notice of Privacy Practices
Appropriate Use of Computing Devices
Privacy Policies
Security Policies
Privacy Officer
Security Officer
Reporting Privacy Concerns
Reporting Security Concerns
HIPAA Privacy Officer
Maintains appropriate measures to guard against unauthorized
access to PHI.
Ensures compliance through adequate training programs and
periodic audits.
Maintains HIPAA policies and procedures.
Other important rules
HITECH Act of 2009 – Health Information Technology
for Economic and Clinical Health Act
Breach Notification Rule
HIPAA Omnibus Rule
Changed the Breach Notification Rule
Don’t forget about state law!
What is the Privacy Rule?
Personal health information must be safeguarded by organizations and
the individuals who work there
Patients have rights to gain access to their medical records and restrict
who sees their health information
Organizations must train their workforce on the privacy requirements
Organizations must appoint an individual to be responsible for seeing
that privacy procedures are adopted and followed
Punishes individuals and organizations that fail to keep patient
information confidential
Who is Covered?
Health Plans
Healthcare Clearinghouses
Healthcare Providers that
conduct standard transactions
in electronic form that involve
PHI
Known as “Covered Entities”
Business Associates (BA)
Individual or Organization that performs duties or
business functions on behalf of the Covered Entity
using Protected Health Information (PHI)
Law firm
Pharmacist consultant
Medical Director
Record Storage Company
Prior to disclosing PHI to the BA, the Covered Entity
is required to have a written agreement with the
BA that specifies the safeguards on the PHI used or
disclosed by the BA
What is Protected Health Information (PHI)?
Individually identifiable health
information
That relates to an individual’s past,
present or future health care, or
That relates to health care services
provided to the patient, or
That relates to payment for care
Created or received by a Covered
Entity or Business Associate
In any form: paper, electronic or oral
Individual Identifiers of PHI
Name
Address
Telephone No.
Finger or voice prints
Social security number
Vehicle/device serial no.
Health plan number
Certificate/license No.
Account Number
Names of relatives
Names of employers
Fax number
Birth date/admission &
discharge dates
Photographic images/X-rays
Medical record number
Email, IP address, web URL
Notice of Privacy Practices (NPP)
The Notice of Privacy Practices (NPP) describes how PHI
may be used and disclosed by a Covered Entity.
NPP explains how an individual can get access to
information and how to make a complaint to the
Covered Entity.
NPP for health care providers must be:
Distributed at the first instance of service,
Posted at the service site,
Posted on the website if one exists.
All employees should be aware of the NPP.
When does HIPAA allow use or disclosure of PHI?
Permitted by law
Treatment
Payment
Health Care Operations
Public interest and public
benefit
Permission by the
resident/patient
Authorization
Incidental Uses and Disclosures
Incidental use or disclosure
Occurs as a by-product of a permissible use or
disclosure using reasonable safeguards
Cannot be reasonably prevented
Must use reasonable safeguards
Example: A visitor catches a glimpse of the information
on a nursing station whiteboard as a nurse is adding
information to it
Accidental Uses and Disclosures
Accidental use or disclosure
Potential breach
Attempt to retrieve it, or limit exposure or risk
to the information
Report the incident immediately
Example: A nursing assistant is faxing lab results to
a resident’s doctor but uses the wrong fax number
and sends it to a garage
Minimum Necessary
Uses, disclosures, and requests of PHI limited to the
“minimum necessary to accomplish the intended purpose.”
Example: An insurance company requests a patient’s
medical record for billing purposes. Only the information
pertaining to a specific bill should be sent.
Minimum necessary does not apply when PHI is used or
disclosed:
For treatment purposes,
To the individual,
When you obtained an authorization,
When required by law.
Need to know
Determine the information you
need to know to do your job
Access information only if you
have a need to know it
Example: a nurse needs to
know PHI to provide care for
the patients on his/her unit, but
not for the patients that are on
another unit.
Patient Rights
Receive a Notice of Privacy
Practices
Right to Access
Right to an Accounting of
Disclosures
Restriction of Use of PHI
Confidential Communications
Request Amendment
File Complaint (Covered Entity
and Office of Civil Rights)
What would you do?
A co-worker gets called away from the med cart. He
makes sure the drawers are locked, but walks away
leaving the MAR sheet uncovered and able to be
viewed by the general public.
A professionally dressed visitor walks into the nurses
station and states that she is the daughter of Mr. Taylor,
a resident in room 16, and that she wants to review his
medical record.
You notice a list of names and current medications in
the trash can.
Disclosure that must be tracked
Patients have the right to receive an Accounting of
Disclosures of PHI made by a Covered Entity for the six
(6) years prior to the request.
The following disclosures need to be tracked:
Required by law (e.g. reports of abuse to a public health authority)
Required for public health activities (e.g. reporting of disease)
For health oversight activities (e.g. audits by an oversight agency)
Reports of abuse (e.g. to the police, medical staff)
For law enforcement purposes (e.g. to identify the perpetrator of
a crime)
To the coroner (e.g. for identifying a deceased person)
To avert a threat of serious injury (e.g. disclosure to a person who
can prevent the threat or to law enforcement)
Unlawful or unauthorized disclosure (e.g. inadvertent disclosures)
What is a breach?
An impermissible use or
disclosure that
compromises the security
or privacy of the PHI.
A breach is presumed
unless the Covered Entity
or Business Associate can
demonstrate there is a low
probability the PHI was
compromised based on a
risk assessment.
Examples of Possible Breaches
Throwing PHI in the trash or
dumpster (without being
shredded);
Sharing PHI with those who do
not have a need to know;
Posting another person’s PHI
on your Facebook page;
Faxing a document containing
PHI to the wrong fax number;
PHI that has been lost or
stolen.
What if a breach occurred?
Report incidents to your
supervisor as soon as they
occur or are discovered
LPO investigates to
determine if the incident
is a breach
Breach Notification
A breach requires notification within a required
time from the date the breach was discovered
or should have been discovered:
Individual, within 60 days
HHS – OCR, within 60 days if > 500 individuals
involved
HHS – OCR, annually within 60 days of the end of the
calendar year if < 500 individuals
Media, within 60 days if more than 500 individuals
involved
OCR Audits / Investigations
Permanent audits in
planning stage
Complaints can trigger
an investigation
A breach can trigger an
investigation
Penalties for Non-Compliance
Individual can be responsible, not just the Covered
Entity or Business Associate
Civil Money Penalties
Violation but you did not know or could not
have known
$100 per violation with annual maximum of $25,000
for repeat violations
Violation due to reasonable cause and not
due to willful neglect
$1,000 per violation with an annual maximum of
$100,000 for repeat violations
Violation due to willful neglect but corrected
within required time period
$10,000 per violation with annual maximum of
$250,000 for repeat violations
Violation due to willful neglect and not
corrected
$50,000 per violation with annual maximum of $1.5
million
Penalties, cont.
Criminal Penalties
Knowingly committed the offence
Up to $50,000.00
Up to one year in prison
Committed under false pretenses
$100,000
Up to five years in prison
Committed for financial gain or malicious harm
$250,000
Up to ten years in prison
Headlines, Reported Breaches
Southwest General Health Center
Notified 480 patients that a binder containing their
personal and health information had gone missing
Phoenix Cardiac Surgery
Appointments were available to the public on
internet-based calendar
Paid $100,000 to settle claims of lack of HIPAA
safeguards and agreed to take corrective action to
implement policies and procedures to safeguard PHI
of its patients
Nursing Assistant in Florida sentenced for HIPAA
crime
Former nursing assistant of assisted living facility in
sentenced to 3 years in prison for stealing and selling
patient information
Ordered to pay $12,000 in penalties
UCLA School of Medicine
Researcher terminated and in retaliation accessed the
medical records of his superior and his co-workers and
the patient records of celebrities, a total of 323 times
Sentenced to 4 years in prison
General Safeguards
Protect the privacy and security of our residents’ highly
confidential information: medical, financial or other
data
When you talk about it
When you fax it
When you store it
When you use it
When you disclose it
When you dispose of it
Remember minimum necessary and access only the
amount of PHI necessary to do your job and only when
you have a need to know
General Safeguards, cont.
Confidential verbal conversations should be
conducted away from others who do not have a
need to know.
Never use or disclose confidential information for
any personal purpose or out of curiosity, or allow
others to do so.
Documents containing PHI should not be left in
open areas or on desks where they can easily be seen
or stolen by passersby.
General Safeguards, cont.
Dispose of resident information by shredding it or
storing it in locked containers for destruction. Do
not throw it in the trash!
Keep information you hear about a resident to
yourself. Share only with those who have a
need to know.
Use reasonable safeguards to keep resident
information from being accessible by others
who do not have a need to know.
General Safeguards, cont.
Notify security if you see an unescorted visitor
in a private area.
Computer screens where PHI is viewed should be
turned away from the view of visitors.
Any fraudulent attempts by an unauthorized
person to obtain PHI must be reported to the
supervisor and the LPO.
HIPAA Security Rule
Security Rule defines how to protect
protected health information in electronic
form, called ePHI
HIPAA: Security Rule
Four Requirements of Security:
Ensures confidentiality, integrity, and availability of electronic
PHI.
Protects against possible threats and hazards to the
information.
Hackers, viruses, natural disasters or system failures.
Protects against unauthorized uses or disclosures.
Ensures compliance by the workforce through
security regulations and policies/procedures.
Three Components of Security:
Administrative Safeguards
Physical Safeguards
Technical Safeguards
HIPAA: Security Rule
Administrative Safeguards:
Documentation kept for 6 years.
Internal system audits minimize security violations.
Logins, file accesses, and/or security incidents.
Information access management:
Access to PHI based on what is needed to perform the job.
Once computer access is requested, it will take 48-72 hours to
implement due to complexity of security system.
Security awareness and training:
Security updates, incident reporting, log-in, and password
management.
Security incidents will be reported if suspected or if there is
an actual breach.
HIPAA: Security Rule
Physical Safeguards:
Safeguard the facility and equipment, from unauthorized
physical access, tampering, and theft.
Workstations positioned so monitor screens/ keyboards are not directly
visible to unauthorized persons. Use of privacy screens when
applicable. Physical access to the server room limited to key personnel.
Workstation use and security.
Log on as themselves. Log off prior to leaving the workstation,
Inspect the last logon information, report any discrepancies.
Comply with all applicable password policies and procedures.
Close files not in use.
HIPAA: Security Rule
Technical Safeguards:
Access controls:
The initial user password is for one-time use only, after which the individual
chooses their own unique password for future access.
User passwords reset every 180 days.
All passwords must consist of at least eight (8) alphanumeric characters (numbers and
letters).
Passwords cannot be reused until after three (3) different generations have been
used.
Six (6) failed logon attempts will cause the user account to be locked out. The account
is locked out for thirty (30) minutes and then reset.
Computer Desktops automatically lock after 17 minutes of inactivity.
Citrix sessions automatically close after 30 minutes of inactivity.
CareVoyant sessions automatically close at different intervals depending on place
within the program.
CareTracker sessions automatically close at different intervals depending on place
within the program.
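The access-control settings listed above (8+ alphanumeric characters, 180-day reset, no reuse within three generations, lockout after six failures for 30 minutes) are the kind of configuration a security officer should be able to verify rather than take on trust. The following is an added example, not code from the Elmcroft deck or its systems; the class and function names are invented, and reading "alphanumeric (numbers and letters)" as requiring both a letter and a digit is an assumption.

```python
from datetime import datetime, timedelta

MIN_LENGTH = 8                   # at least eight alphanumeric characters
MAX_AGE_DAYS = 180               # passwords reset every 180 days
HISTORY_GENERATIONS = 3          # no reuse until three other generations have been used
MAX_FAILED_ATTEMPTS = 6          # the sixth failed logon locks the account
LOCKOUT = timedelta(minutes=30)  # locked for 30 minutes, then the counter resets

def password_meets_policy(candidate, history):
    """8+ alphanumeric chars mixing letters and digits (assumed), not in last three."""
    if len(candidate) < MIN_LENGTH or not candidate.isalnum():
        return False
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        return False
    return candidate not in history[-HISTORY_GENERATIONS:]

class Account:
    """Toy account model; a real system stores password hashes, not plaintext."""
    def __init__(self, password, now):
        self.history = [password]        # oldest first; last entry is current
        self.set_at = now
        self.failed, self.locked_until = 0, None

    def login(self, password, now):
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.failed, self.locked_until = 0, None   # lockout window elapsed
        if password != self.history[-1]:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT
                return "locked"
            return "denied"
        self.failed = 0
        return "expired" if now - self.set_at >= timedelta(days=MAX_AGE_DAYS) else "ok"

    def change_password(self, new, now):
        if not password_meets_policy(new, self.history):
            return False
        self.history.append(new)
        self.set_at = now
        return True

def run_scenario():
    """Constructed walk-through of lockout, release, expiry and reuse rules."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("Winter2024", t0)
    logins = [acct.login("guess1", t0) for _ in range(MAX_FAILED_ATTEMPTS)]
    logins.append(acct.login("Winter2024", t0 + timedelta(minutes=29)))  # still locked
    logins.append(acct.login("Winter2024", t0 + LOCKOUT))                 # released
    logins.append(acct.login("Winter2024", t0 + timedelta(days=MAX_AGE_DAYS)))
    changes = [acct.change_password(p, t0) for p in ("short1", "Pass-word1",
               "Winter2024", "Spring2024", "Summer2024", "Autumn2024", "Winter2024")]
    return logins, changes
```

Running the scenario shows the correct password is rejected while the 30-minute lockout is active, a reused password is refused until three other generations have been set, and the 180-day age triggers a forced reset.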
HIPAA Security Officer
* Maintains appropriate security measures to guard against
unauthorized access to electronically stored and/or transmitted
patient data and protect against reasonably anticipated threats
and hazards.
* Oversees and/or performs on-going security monitoring of
organization information systems.
* Ensures compliance through adequate training programs and
periodic security audits.
* Ensures security standards comply with statutory and regulatory
requirements.
* Maintains HIPAA security policies and procedures.
Who is responsible for HIPAA?
EVERYONE at Elmcroft:
* Support Center Staff:
* IT Staff:
* Implement safeguards for the computer systems.
* Local Privacy Officer:
* Clinical Staff and Physicians:
* Create and access the majority of resident information.
* Managers and Supervisors:
* Develop and implement policies and procedures that relate to security and ensure their
staff are trained properly.
* Clerical Staff:
* Create and access resident information.
* Volunteers:
* Have access to resident information in various settings
* Vendors and Contractors
* May have access to resident information
Tips for HIPAA Security Compliance
Log on and off the network appropriately.
Never let others use your ID or work under your ID.
Do NOT disable anti-virus software or install unapproved
software. Never introduce new hardware or media.
E-mail may be, but is not always, a secure form of data
transmission. Do NOT e-mail PHI unless using encrypted
means.
Use caution in opening e-mail files from unknown sources.
Do NOT access non-permitted information or give non-permitted information to unauthorized employees.
Be aware of, and report, security threats to the Security
Officer.
Tips for HIPAA Security Compliance
Passwords must be treated as sensitive and confidential
information.
Never share your password with anyone for any reason.
Passwords should not be written down, stored
electronically, or published.
Tips for HIPAA Security Compliance
Be sure to change initial passwords, password resets and
default passwords first time you log in.
Use different passwords for your different accounts.
Create passwords that are
not common,
avoid common keyboard sequences,
do not contain personal information, such as pets,
birthdays or kid’s names.
Tips for HIPAA Security Compliance
Protect sensitive information on lists and reports with
social security numbers (SSNs).
Limit access to lists and reports with SSNs to those who
specifically need SSNs for official business.
Never store SSNs or use lists with SSNs on laptops or
home computers.
Save and store sensitive information only on Elmcroft
servers managed by IT staff.
Tips for HIPAA Security Compliance
Never copy sensitive data to CDs, disks, or portable
storage devices.
Do not store lists with sensitive information on the Web
(Dropbox, Google+, Etc.).
Lock printed materials with sensitive data in drawers or
cabinets when you leave at night.
When done with printed sensitive material, shred them.
Tips for HIPAA Security Compliance
Remove sensitive materials from printer right away.
If there is a problem with the printer, turn it off to clear sensitive
material from the printer's memory.
Personally deliver sensitive materials to recipient or
distribute information electronically using the email system.
Arrange for shared electronic files that require a user ID and
password.
What do we do?
Complete initial and annual HIPAA
training
Read the Notice of Privacy
Practices (NPP)
Understand how HIPAA
regulations impact your job
function and responsibility
Check with your supervisor if you
are uncertain
Ask for additional training if
required
It is our responsibility to ensure
confidentiality of our residents’
health information.
General Rule for HIPAA
What happens at work stays at work!
Questions
Resources
Your Local Privacy/Security Officer
(Administrator/Executive Director)
Susan Dawson, Privacy Officer
Elmcroft Senior Living
9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office: 502.753.6000
E-Mail: [email protected]
Bob Dooley, VP Information Systems
Elmcroft Senior Living
9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office: 502.714.7435
E-Mail: [email protected]