Slide 1: HITECH / HIPAA Training
Slide 2: HITECH / HIPAA Training
Welcome to the SCL Health Compliance training module. This course will focus on the HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) laws that govern the privacy and security of Protected Health Information (PHI).
After reviewing the following materials, you will be asked to complete a quiz.
Slide 3: Course Objectives
Upon completion of this course, you should:
Have a basic understanding of HIPAA - the law that protects patient health information;
Know your reporting obligations if you suspect a privacy or security violation; and
Understand changes to HIPAA under the new HITECH regulations.
Slide 4: Scenario
Vanessa is being admitted to the hospital for a routine procedure. Although Vanessa knows the hospital and its staff are highly respected, she has some concerns about how her personal information will be shared. Staff members want to alleviate Vanessa's concerns and are willing to answer any questions she might have about how her Protected Health Information (PHI) is protected.
Note: Protected Health Information (PHI) is information that:
- Identifies, or can be used to identify, a specific individual; and
- Relates to the individual's health, health care, or payment for care (past, present or future).
Slide 5: What Questions Might Vanessa Ask?
How will my PHI be used?
"A health care provider (hospital or physician) may use or disclose your information for treatment, payment or healthcare operations and when specifically permitted or required by law. The Notice of Privacy Practices describes these uses and disclosures in more detail. Other releases require your authorization."
How will the provider limit the use of my PHI?
“A health care provider only permits those employees who have a need to know to access your health information. For example, clinicians who are treating you are allowed to access your information. Billing clerks are allowed to access your information to submit claims for payment."
Slide 6: What Questions Might Vanessa Ask?
How will SCL Health prevent someone else from accessing my PHI?
"All computers are password protected and have other safeguards. Paper with sensitive information must be filed in the patient record or placed in a secure bin to be shredded. SCL Health also limits access to paper and electronic medical records and imposes disciplinary actions for inappropriate access."
What are my rights as a patient?
"Patients have many rights under HIPAA, including the right to request access to their medical record either by viewing or obtaining copies (paper or electronic*), an amendment to their medical record, restrictions relating to release of their record (including to health plans for self-pay situations*), and an accounting of the disclosures that have been made."
*Added in HITECH
Slide 7: Key Points: Health Insurance Portability & Accountability Act (HIPAA)
HIPAA imposes penalties on covered entities and individuals who fail to keep PHI confidential in accordance with the law.
HIPAA applies to health care providers – such as hospitals and physician offices. HIPAA also applies to health plans – such as HMOs and health insurance companies.
All of these organizations are considered "covered entities" under HIPAA.
HIPAA's confidentiality rules fall under two main umbrellas:
Privacy Rule – grants individuals rights with regard to their PHI and requires covered entities to protect all types of PHI
Security Rule – requires covered entities to safeguard electronic PHI
Slide 8: Key Points: The Health Information Technology for Economic & Clinical Health Act (HITECH)
HITECH increases the penalties on covered entities and individuals who fail to keep PHI confidential in accordance with HIPAA, to a maximum of $1.5 million per year for violations of the same provision.
HITECH allows patients to request a copy of their PHI in electronic form.
HITECH allows patients to request that a health plan not be told about treatment the patient pays for directly, out of pocket.
HITECH adds a section requiring covered entities to notify patients and the federal government of breaches of unsecured PHI.
HITECH expands the obligations of Business Associates (vendors) of covered entities.
Slide 9: Key Points: PHI
PHI includes information in any format, including:
Spoken
Electronic
Paper
Mail
Telephone
Fax
Patients are provided with a Notice of Privacy Practices ("NPP").
Note: A Notice of Privacy Practices is a notice that describes, in plain language, how a health care provider may use and disclose PHI about an individual, as well as the individual's rights and the provider's obligations with respect to the PHI.
In general, patients over 18 years of age have control over their PHI.
Parents have the right to access their minor children's health information (child under age 18). There are some exceptions to this rule, such as when the minor has the legal authority under state law to consent to certain health care services, or if the minor is emancipated.
Slide 10: Key Points: PHI – Use and Disclosure
SCL Health uses PHI internally and discloses it outside its hospitals and clinics for various purposes.
HIPAA requires a health care provider to have a legitimate treatment or business need to use or disclose PHI.
Note: A "Use" is the access to, or sharing of, PHI within a health care provider, such as a hospital or clinic. A "Disclosure" is the release of PHI to any person or entity outside the health care provider.
Some examples of each include:
USE (within SCL Health):
Doctors' orders for treatment
Nurses' notes for quality review
Patient registration
DISCLOSURE (outside SCL Health):
Public health reporting
Claims submission to insurance companies for payment
Accreditation organizations (for example, The Joint Commission)
Slide 11: Key Points: PHI – Treatment, Payment or Healthcare Operations (TPO)
SCL Health may use or disclose PHI for TPO in the following ways:
Treatment of a patient: referral, admission, consultation, diagnosis, treatment planning
Payment for services to a patient: preparing claims, submitting bills and collection actions
Health Care Operations: administrative functions such as quality improvement, peer review/credentialing, training programs, medical/legal reviews, compliance, fraud and abuse, disease prevention, business planning, complaints and grievances
Slide 12: Key Points: PHI – Public Health Reporting
A health care provider may report PHI to meet state or federal public health reporting requirements without the authorization of the patient. For example, the following types of reports are commonly required by state law:
Child abuse or neglect
Certain infectious diseases (such as HIV and TB)
Vital statistics – births and deaths
*Note: Many public health reporting requirements vary from state to state.
Slide 13: Key Points: PHI – Opportunity to Agree or Object
In some instances, a health care provider must provide the patient with an opportunity to agree or object (or opt-out) to the disclosure of the patient’s PHI. These situations include:
Whether the patient wants to be included in the facility directory (name, location in the hospital, and general condition)
Whether the patient wants close family members and friends involved in the patient’s care to stay informed about the patient’s care or payment
Whether the patient wants PHI available for fundraising purposes
In other instances, we must first get the patient’s written authorization before making a disclosure of the patient’s PHI. Examples include:
Disclosure to patient’s employer
Disclosure for marketing purposes
Slide 14: Check Point: What is PHI and How is it Used?
A verbal discussion about a patient's health information is not PHI. By definition, PHI must be written.
True____ False____
A health care provider must obtain the patient's authorization before submitting PHI for billing to the insurance company.
True____ False____
At registration, patients are provided with the health care provider’s Notice of Privacy Practices that explains how their health information may be used.
True____ False____
Slide 15: Check Point: What is PHI and How is it Used?
A verbal discussion about a patient's health information is not PHI. By definition, PHI must be written.
True____ False__X__
PHI may be in any format, including spoken, paper, telephone, electronic, mail and fax.
A health care provider must obtain the patient's authorization before submitting PHI for billing to the insurance company.
True____ False__X__
A provider may use or disclose PHI for payment of services to a patient.
At registration, patients are provided with the health care provider's Notice of Privacy Practices that explains how their health information may be used.
True__X__ False____
Patients are provided with a Notice of Privacy Practices (NPP) that explains, in plain language, how a health care provider may use and disclose PHI about an individual, as well as the individual's rights and the provider's obligations with respect to the PHI.
Slide 16: Minimum Necessary Rule
When using or disclosing PHI, you should always follow the Minimum Necessary Rule:
The Minimum Necessary Rule means only accessing or disclosing the PHI needed to do your job.
SCL Health has policies and procedures that reasonably limit its disclosures of, and requests for, PHI to the minimum necessary.
A health care provider is not required to apply the minimum necessary standard for disclosures to, or requests by, a health care provider for treatment purposes.
Slide 17: Minimum Necessary Rule
Ask yourself:
Do I need to access this information for a work-related task I am assigned to do?
What is the minimum amount of information I need to get the job done? (Note: This question does not apply if the use is for direct patient care by a physician or other provider.)
Remember: You may not access information that you do not have a business need to know.
Access to PHI is recorded, monitored and audited by SCL Health.
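The monitoring the slide above refers to is usually done by reviewing the EHR access log against who actually had a reason to open each chart. The following is an added example of such a review, written for this page and not code from the SCL Health module or its systems; the log format, user names, patient IDs, roles, the assignment table and the seven-day grace period are all constructed assumptions. It flags the "reading a medical record for curiosity" case: a chart opened by someone who is neither on the patient's care team for that period nor acting in a role (such as billing submitting claims) whose job covers every chart.

```python
"""Added example (not from the SCL Health module): a minimal audit-log review
that flags chart accesses with no documented business need.

The log format, user names, patient IDs and the assignment table are all
constructed for illustration and are assumptions, not any real system's data.
"""
from collections import namedtuple
from datetime import datetime, timedelta

# One audit record per chart open: timestamp, user, role, patient, stated reason.
Access = namedtuple("Access", "ts user role patient reason")

# Constructed care-team assignments: (user, patient, start, end). Within the
# window (plus a follow-up grace period) the user has a treatment need.
ASSIGNMENTS = [
    ("jdoe",   "P1001", datetime(2024, 3, 1), datetime(2024, 3, 10)),
    ("msmith", "P2002", datetime(2024, 3, 5), datetime(2024, 3, 6)),
]

# (role, reason) pairs whose job function covers every patient's chart, e.g. a
# billing clerk submitting claims, so no per-patient assignment is required.
ROLE_WIDE_NEED = {("BILLING", "claims"), ("HIM", "release-of-information")}

# Constructed sample log lines: "<ISO timestamp> <user> <role> <patient> <reason>".
SAMPLE_LOG = """\
2024-03-04T09:12:00 jdoe RN P1001 treatment
2024-03-04T09:30:00 bclerk BILLING P1001 claims
2024-03-04T22:05:00 jdoe RN P2002 treatment
2024-03-05T08:00:00 msmith MD P2002 treatment
2024-03-12T10:00:00 msmith MD P2002 treatment
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into Access records; skip blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, reason = line.split()
        records.append(Access(datetime.fromisoformat(ts), user, role, patient, reason))
    return records


def has_business_need(access, assignments, grace=timedelta(days=7)):
    """True if the access is covered by a role-wide need or an active assignment.

    The grace period lets a clinician revisit a chart shortly after the
    assignment ends (follow-up, documentation); its length is an assumption."""
    if (access.role, access.reason) in ROLE_WIDE_NEED:
        return True
    for user, patient, start, end in assignments:
        if user == access.user and patient == access.patient:
            if start <= access.ts <= end + grace:
                return True
    return False


def find_suspicious(text, assignments=ASSIGNMENTS):
    """Return the accesses in `text` that lack a documented business need."""
    return [a for a in parse_log(text) if not has_business_need(a, assignments)]


if __name__ == "__main__":
    # Only jdoe's late-night look at P2002 (a patient jdoe is not assigned to)
    # is reported; the billing and assigned-clinician accesses pass.
    for a in find_suspicious(SAMPLE_LOG):
        print(f"REVIEW: {a.user} ({a.role}) opened {a.patient} "
              f"at {a.ts:%Y-%m-%d %H:%M} with no assignment")
```

In practice the assignment table comes from the ADT or scheduling system and the flagged list goes to the Privacy Officer for follow-up rather than being treated as proof of wrongdoing; an emergency ("break-glass") access would also be flagged by this logic and must be reviewed the same way.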
Slide 18: Incidental and Oral Communications
Healthcare providers often need to discuss patient information in settings where complete patient privacy is difficult to achieve.
Example: In a busy ED, a discussion between a patient and a doctor may be overheard by another patient.
This is considered an "incidental" disclosure and is not a HIPAA violation, so long as reasonable safeguards were in place – such as speaking with a lowered voice or using privacy curtains when available.
The Privacy Rule requires that we take reasonable steps to "minimize the chance of incidental disclosure to others."
What can our facilities do to comply with the Privacy Rule on these issues?
PHI should not be discussed in public areas, such as elevators or waiting rooms.
Consultation rooms or other private areas should be used for discussions with family members.
If sign-in sheets are used, they should only contain the minimum information necessary for registration purposes.
The goal of the Privacy Rule is not to prevent needed discussions related to patients, but to make sure that when discussions need to take place, we are doing what is reasonable to protect a patient's PHI.
Slide 19: Reasonable and Permissible Uses and Disclosures – Or Not?
Identify whether the following uses and disclosures are reasonable and permissible, or not:
Two health care professionals speaking with lowered voices in a treatment area – Reasonable ____ Not Reasonable ____
Talking loudly with a patient in a public area – Reasonable ____ Not Reasonable ____
Reading a medical record for curiosity – Reasonable ____ Not Reasonable ____
Sign-in sheet with only name and arrival time – Reasonable ____ Not Reasonable ____
Access PHI to perform a job-related function – Reasonable ____ Not Reasonable ____
Full name on tracking board – Reasonable ____ Not Reasonable ____
Slide 20: Reasonable and Permissible Uses and Disclosures – Or Not?
Identify whether the following uses and disclosures are reasonable and permissible, or not:
Two health care professionals speaking with lowered voices in a treatment area – Reasonable __X__ Not Reasonable ____
Talking loudly with a patient in a public area – Reasonable ____ Not Reasonable __X__
Reading a medical record for curiosity – Reasonable ____ Not Reasonable __X__
Sign-in sheet with only name and arrival time – Reasonable __X__ Not Reasonable ____
Access PHI to perform a job-related function – Reasonable __X__ Not Reasonable ____
Full name on tracking board – Reasonable ____ Not Reasonable __X__
Slide 21: Check Point: Minimum Necessary and Incidental Disclosure
1) Incidental disclosures are not permissible under any circumstances.
True____ False____
2) You should always use or disclose the minimum amount of information necessary when completing a business task.
True____ False____
3) You may access any PHI you want if you are a health care professional, even if the person is not your patient.
True____ False____
Slide 22: Check Point: Minimum Necessary and Incidental Disclosure
1) Incidental disclosures are not permissible under any circumstances.
True____ False__X__
An incidental use or disclosure is one that cannot reasonably be prevented, is limited in nature, and occurs as a result of another permitted use or disclosure.
2) You should always use or disclose the minimum amount of information necessary when completing a business task.
True__X__ False____
Remember to ask yourself "Do I need to access this information to do my job?"
3) You may access any PHI you want if you are a health care professional, even if the person is not your patient.
True____ False__X__
You may not access information that you do not have a business need to know; and access may be periodically monitored depending on your facility.
Slide 23: Key Points: Security
You should always follow proper password practices to safeguard PHI.
Treat passwords as sensitive, confidential information – No sharing of passwords!
Log off or lock the computer when you leave your workstation.
Create a strong password that is difficult to guess and is not based on your personal information. Use upper and lower case letters, numbers and other characters.
Alert the IT department if you think your password has been compromised.
Never disclose your password - no one should ask for your password.
Slide 24: Key Points: Security
Paper containing PHI must either be filed in the correct record or placed in a secure, locked bin to be shredded.
Computer screens should not be viewable by the public.
Emails containing PHI sent to recipients outside SCL Health, including patients, must be encrypted.
To trigger email encryption, add [secure] to the Subject line.
NO texting of PHI is currently allowed, because no security features are available for text messages at this time.
Slide 25: Check Point: Security
Which of the following are good practices to follow at your work station? Choose all that apply.
Using your date of birth as your password.
Logging off your system at the end of the day and whenever you leave your computer unattended.
Facing monitors away from public view or using a privacy screen.
Leaving sensitive documents on the counter in a public area.
Encrypting emails containing PHI that are sent outside the SCL Health email network.
Texting PHI to physicians upon request.
Slide 26: Check Point: Security
Which of the following are good practices to follow at your work station?
Correct Answers:
Logging off your system at the end of the day and whenever you leave your computer unattended.
Facing monitors away from public view or using a privacy screen.
Encrypting emails containing PHI that are sent outside the SCL Health email network.
Slide 27: Key Points: Security – Email & Internet Use Guidelines
EMAIL USAGE
Do NOT use SCL Health computers to:
Send unencrypted sensitive information across the internet
Exchange email for excessive non-business use
Transmit contents that are in bad taste
Forward chain mail or non-business related attachments
Open attachments from unknown persons, as they may contain viruses
Use personal email addresses for work communications
INTERNET USAGE
Do NOT use SCL Health computers to:
Participate in chat rooms
Visit inappropriate or non-work related internet websites
Download software from unknown sources
Post confidential business information on public forums
Slide 28: Key Points: Physical Security Standards
Facility Security
All associates, physicians, other caregivers, volunteers, contractors and students are to wear their ID badge while on SCL Health premises.
All visitors must be escorted by staff when in sensitive or restricted areas, such as Pediatrics, Nursery, Operating Room, or IT Department.
Do not allow unauthorized persons to follow you into sensitive or restricted locations.
Question individuals not wearing an ID badge or who appear suspicious.
Contact Security if you see any unusual or suspicious individuals or activities.
Slide 29: Key Points: Security
Breach Notification*
Report all breaches, regardless of the number of records involved, to the SCL Health Privacy Officer or Care Site Compliance and Privacy Officer.
What is a breach? A breach is any unauthorized access, use or disclosure of unsecured PHI. For example:
Sending an email containing PHI to someone outside the SCL Health email network without encrypting it.
Giving one patient's discharge paperwork to another patient.
Sending a fax containing PHI to the wrong number.
In some instances, we may be required to report breaches to the Department of Health and Human Services (HHS) and notify the individuals affected.
*Added in HITECH
Slide 30: Check Point: Security
If a paper containing PHI is no longer needed, it should be placed in the regular trash container immediately.
True ____ False ____
SCL Health employees should wear identification badges at all times.
True ____ False ____
If you suspect someone is in an area of the hospital where he/she should not be, you should question him/her or you should alert Security.
True ____ False ____
Slide 31: Check Point: Security
If a paper containing PHI is no longer needed, it should be placed in the regular trash container immediately.
True ____ False __X__
If you need to dispose of paper containing PHI, throw it away in a secure shredding bin.
SCL Health employees should wear identification badges at all times.
True __X__ False ____
All employees and contractors should display an identification badge while on SCL Health premises.
If you suspect someone is in an area of the hospital where he/she should not be, you should question him/her or you should alert Security.
True __X__ False ____
Do not hesitate to question individuals not wearing an ID badge or to alert Security if you see any suspicious individuals or activities.
Slide 32: Key Points: Patient Rights Under HIPAA
Patient rights under HIPAA include the right to:
Request a restriction on further uses and disclosures of their PHI;
Request communication by alternative methods or at alternative addresses;
Access, inspect, or get a copy of their medical record;
Request an amendment (correction) to their PHI; and
Request an accounting of certain disclosures.
SCL Health has policies and procedures in place to support each of these rights.
Slide 33: Key Points: Patient Rights Under HIPAA
Prior to disclosing any PHI, you must verify the identity and the authority of the person making the request, if not already known.
SCL Health has policies or guidelines to assist you in this process. In general:
When the request is made in person, ask for: an SCL Health or government-issued photo ID (such as a driver's license or passport).
When the request is made by telephone, ask for: several elements of personal information (such as caller name, address, phone number, and the patient's date of birth, last 4 digits of social security number, and date of last visit).
When the request is made by fax: the faxed request should be written on official letterhead, and you verify that the fax number matches the fax number on record.
Slide 34: Check Point: Patient Rights Under HIPAA
A patient has the right to request a copy of his/her health record.
True____ False____
A patient does not have the right to request a change to their medical record.
True____ False____
Slide 35: Check Point: Patient Rights Under HIPAA
A patient has the right to request a copy of his/her health record.
True__X__ False____
The right to request a copy of his or her health record is one of many patient rights under HIPAA.
A patient does not have the right to request a change to their medical record.
True____ False__X__
A patient does have the right to request an amendment (correction) to their PHI.
Slide 36: Key Points: Reporting
You should always report any privacy or security issues. Reporting is key to ensuring SCL Health is compliant with these important requirements. Options to report issues include:
Your direct supervisor
The Care Site Compliance and Privacy Officer
The SCL Health Privacy Officer
The Care Site Information Security Officer
The Integrity Hotline (anonymous)
Occurrence Reporting System (Quantros)
There is a non-retaliation policy for reporting any complaint or concern in good faith.
Note: A non-retaliation policy ensures that an employee who reports suspected violations in good faith will not be subject to intimidation, threats, coercion or any retaliatory action.
Slide 37: Reporting Contacts for HIPAA Issues
System Privacy/Security Team
Donna Moranville – System Privacy/Security Officer
Howard Haile – Chief Information Security Officer
Care Site Compliance and Privacy Officers
Saint Joseph Hospital – Kathy Peeters
Lutheran Medical Center – David Parks
Good Samaritan Medical Center – David Parks
Health Networks – Brenda Harstad
St. James Healthcare – Stephanie Fantini
Holy Rosary/St. Vincent Healthcare – Patti Boltz
St. Mary's Medical Center – Terri Chinn/Elaine Barnett
See the Compliance page on The Landing for additional contact info.
Slide 38: Check Point: Reporting
SCL Health employees may only report issues to their direct supervisor.
True____ False____
There is a non-retaliation policy for any employee who makes a complaint in good faith.
True____ False____
Slide 39: Check Point: Reporting
SCL Health employees may only report issues to their direct supervisor.
True____ False__X__
In addition to the direct supervisor, employees may report issues to the Care Site Compliance and Privacy Officer, the SCL Health Privacy Officer, the Care Site Information Security Officer, or anonymously through the Integrity Hotline.
There is a non-retaliation policy for any employee who makes a complaint in good faith.
True__X__ False____
The non-retaliation policy states that SCL Health will not tolerate retaliatory actions against an employee who reports an issue in good faith.