HITECH / HIPAA Training - PowerPoint Presentation

Uploaded by bitechmu on 2020-10-06



Presentation Transcript

Slide1

HITECH / HIPAA Training

Slide2

HITECH / HIPAA Training

Welcome to the SCL Health Compliance training module. This course will focus on the HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) laws that govern the privacy and security of Protected Health Information (PHI).

After reviewing the following materials, you will be asked to complete a quiz.

Slide3

Course Objectives

Upon completion of this course, you should:

- Have a basic understanding of HIPAA - the law that protects patient health information;
- Know your reporting obligations if you suspect a privacy or security violation; and
- Understand changes to HIPAA under the new HITECH regulations.

Slide4

Scenario

Vanessa is being admitted to the hospital for a routine procedure. Although Vanessa knows the hospital and its staff are highly respected, she has some concerns about how her personal information will be shared. Staff members want to alleviate Vanessa’s concerns and are willing to answer any questions she might have about how her Protected Health Information (PHI) is protected.

Note: Protected Health Information (PHI) is information that:

- Identifies, or can be used to identify, a specific individual; and
- Relates to the individual's health, health care, or payment for care (past, present or future).

Slide5

What Questions Might Vanessa Ask?

How will my PHI be used?

“A health care provider (hospital or physician) may use or disclose your information for treatment, payment or healthcare operations and when specifically permitted or required by law. The Notice of Privacy Practices describes these uses and disclosures in more detail. Other releases require your authorization.”

How will the provider limit the use of my PHI?

“A health care provider only permits those employees who have a need to know to access your health information. For example, clinicians who are treating you are allowed to access your information. Billing clerks are allowed to access your information to submit claims for payment.”

Slide6

What Questions Might Vanessa Ask?

How will SCL Health prevent someone else from accessing my PHI?

“All computers are password protected and have other safeguards. Paper with sensitive information must be filed in the patient record or placed in a secure bin to be shredded. SCL Health also limits access to paper and electronic medical records and imposes disciplinary actions for inappropriate access.”

What are my rights as a patient?

“Patients have many rights under HIPAA, including the right to request access to their medical record either by viewing or obtaining copies (paper or electronic*), an amendment to their medical record, restrictions relating to release of their record (including to health plans for self-pay situations*), and an accounting of the disclosures that have been made.”

*Added in HITECH

Slide7

Key Points: Health Insurance Portability & Accountability Act (HIPAA)

HIPAA imposes penalties on covered entities and individuals who fail to keep PHI confidential in accordance with the law.

HIPAA applies to health care providers – such as hospitals and physician offices. HIPAA also applies to health plans – such as HMOs and health insurance companies.

All of these organizations are considered “covered entities” under HIPAA.

HIPAA’s confidentiality rules fall under two main umbrellas:

- Privacy Rule — grants individual rights with regard to their PHI and requires covered entities to protect all types of PHI
- Security Rule — requires covered entities to safeguard electronic PHI

Slide8

Key Points: The Health Information Technology for Economic & Clinical Health Act (HITECH)

HITECH increases the penalties on covered entities and individuals who fail to keep PHI confidential in accordance with HIPAA to a maximum penalty of $1.5 million.

HITECH allows patients to request a copy of their PHI in an electronic manner.

HITECH allows patients to request a restriction of access by a health plan when the patient pays directly for his or her treatment.

HITECH adds a section requiring covered entities to notify patients and the federal government of breaches of unsecured PHI.

HITECH expands obligations for Business Associates (vendors) of covered entities.

Slide9

Key Points: PHI

PHI includes information in any format, including:

- Spoken
- Electronic
- Paper
- Mail
- Telephone
- Fax

Patients are provided with a Notice of Privacy Practices ("NPP").

Note: A Notice of Privacy Practices is a notice that describes, in plain language, how a health care provider may use and disclose PHI about an individual, as well as the individual's rights and the provider’s obligations with respect to the PHI.

In general, patients over 18 years of age have control over their PHI.

Parents have the right to access their minor children’s health information (child under age 18). There are some exceptions to this rule, such as when the minor has the legal authority under state law to consent to certain health care services, or if the minor is emancipated.

Slide10

Key Points: PHI – Use and Disclosure

SCL Health uses PHI internally and discloses it outside its hospitals and clinics for various purposes. Some examples of each include:

USE:
- Doctors’ orders for treatment
- Nurses’ notes for quality review
- Patient Registration

DISCLOSURE:
- Public health reporting
- Claims submission to insurance companies for payment
- Accreditation organizations (for example, The Joint Commission)

HIPAA requires a health care provider to have a legitimate treatment or business need to use or disclose PHI.

Note: A “Use” is defined as the access to, or sharing of, PHI within a health care provider, such as a hospital or clinic. A “Disclosure” is the release of PHI to any person or entity outside the health care provider.

Slide11

Key Points: PHI – Treatment, Payment or Healthcare Operations (TPO)

SCL Health may use or disclose PHI for TPO in the following ways:

- Treatment of a patient: referral, admission, consultation, diagnosis, treatment planning
- Payment for services to a patient: preparing claims, submitting bills and collection actions
- Health Care Operations: administrative functions such as quality improvement, peer review/credentialing, training programs, medical/legal reviews, compliance, fraud and abuse, disease prevention, business planning, complaints and grievances

Slide12

Key Points: PHI – Public Health Reporting

A health care provider may report PHI to meet state or federal public health reporting requirements without the authorization of the patient. For example, the following types of reports are commonly required by state law:

- Child abuse or neglect
- Certain infectious diseases (such as HIV and TB)
- Vital statistics – births and deaths

*Note: Many public health reporting requirements are specific by state.

Slide13

Key Points: PHI – Opportunity to Agree or Object

In some instances, a health care provider must provide the patient with an opportunity to agree or object (or opt-out) to the disclosure of the patient’s PHI. These situations include:

- Whether the patient wants to be included in the facility directory (name, location in the hospital, and general condition)
- Whether the patient wants close family members and friends involved in the patient’s care to stay informed about the patient’s care or payment
- Whether the patient wants PHI available for fundraising purposes

In other instances, we must first get the patient’s written authorization before making a disclosure of the patient’s PHI. Examples include:

- Disclosure to patient’s employer
- Disclosure for marketing purposes

Slide14

Check Point: What is PHI and How is it Used?

A verbal discussion about a patient's health information is not PHI. By definition, PHI must be written.

True____ False____

A health care provider must obtain the patient's authorization before submitting PHI for billing to the insurance company.

True____ False____

At registration, patients are provided with the health care provider’s Notice of Privacy Practices that explains how their health information may be used.

True____ False____

Slide15

Check Point: What is PHI and How is it Used?

A verbal discussion about a patient's health information is not PHI. By definition, PHI must be written.

True____ False__X__

PHI may be in any format, including spoken, paper, telephone, electronic, mail and fax.

A health care provider must obtain the patient's authorization before submitting PHI for billing to the insurance company.

True____ False__X__

A provider may use or disclose PHI for payment of services to a patient.

At registration, patients are provided with the health care provider’s Notice of Privacy Practices that explains how their health information may be used.

True__X__ False____

Patients are provided with a Notice of Privacy Practices (NPP) that explains, in plain language, how a health care provider may use and disclose PHI about an individual, as well as the individual's rights and the provider’s obligations with respect to the PHI.

Slide16

Minimum Necessary Rule

When using or disclosing PHI, you should always follow the Minimum Necessary Rule: the Minimum Necessary Rule means only accessing or disclosing PHI needed to do your job.

SCL Health has policies and procedures that reasonably limit its disclosures of, and requests for, PHI to the minimum necessary.

A health care provider is not required to apply the minimum necessary standard for disclosures to, or requests by, a health care provider for treatment purposes.

Slide17

Minimum Necessary Rule

Ask yourself:

- Do I need to access this information for a work-related task I am assigned to do?
- What is the minimum amount of information I need to get the job done? (Note: This question does not apply if the use is for direct patient care by a physician or other provider.)

Remember: You may not access information that you do not have a business need to know.

Access to PHI is recorded, monitored and audited by SCL Health.

Slide18

Incidental and Oral Communications

Healthcare providers often need to discuss patient information in settings where complete patient privacy is difficult to achieve.

Example: In a busy ED, a discussion between a patient and a doctor may be overheard by another patient.

This is considered an “incidental” disclosure and is not a HIPAA violation, so long as reasonable safeguards were in place – such as speaking with a lowered voice or using privacy curtains when available.

The Privacy Rule requires that we take reasonable steps to “minimize the chance of incidental disclosure to others”.

What can our facilities do to comply with the privacy rules with these issues?

- PHI should not be discussed in public areas, such as elevators or waiting rooms.
- Consultation rooms or other private areas should be used for discussions with family members.
- If sign-in sheets are used, they should only contain the minimum information necessary for registration purposes.

The goal of the privacy rule is not to prevent needed discussions related to patients, but to make sure that when discussions need to take place, we are doing what is reasonable to protect a patient’s PHI.

Slide19

Reasonable and Permissible Uses and Disclosures – Or Not?

Identify whether the following uses and disclosures are reasonable and permissible, or not (Reasonable / Not Reasonable):

- Two health care professionals speaking with lowered voices in a treatment area
- Talking loudly with a patient in a public area
- Reading a medical record for curiosity
- Sign-in sheet with only name and arrival time
- Access PHI to perform a job-related function
- Full name on tracking board

Slide20

Reasonable and Permissible Uses and Disclosures – Or Not?

Identify whether the following uses and disclosures are reasonable and permissible, or not:

Reasonable:
- Two health care professionals speaking with lowered voices in a treatment area
- Sign-in sheet with only name and arrival time
- Access PHI to perform a job-related function

Not Reasonable:
- Talking loudly with a patient in a public area
- Reading a medical record for curiosity
- Full name on tracking board

Slide21

Check Point: Minimum Necessary and Incidental Disclosure

1) Incidental disclosures are not permissible under any circumstances.

True____ False____

2) You should always use or disclose the minimum amount of information necessary when completing a business task.

True____ False____

3) You may access any PHI you want if you are a health care professional, even if the person is not your patient.

True____ False____

Slide22

Check Point: Minimum Necessary and Incidental Disclosure

1) Incidental disclosures are not permissible under any circumstances.

True____ False__X__

An incidental use or disclosure is one that cannot reasonably be prevented, is limited in nature, and occurs as a result of another permitted use or disclosure.

2) You should always use or disclose the minimum amount of information necessary when completing a business task.

True__X__ False____

Remember to ask yourself "Do I need to access this information to do my job?"

3) You may access any PHI you want if you are a health care professional, even if the person is not your patient.

True____ False__X__

You may not access information that you do not have a business need to know; and access may be periodically monitored depending on your facility.

Slide23

Key Points: Security

You should always follow proper password practices to safeguard PHI.

- Treat passwords as sensitive, confidential information – no sharing of passwords!
- Log off or lock the computer when you leave your workstation.
- Create a strong password that is difficult to guess and is not based on your personal information. Use upper and lower case letters, numbers and other characters.
- Alert the IT department if you think your password has been compromised.
- Never disclose your password - no one should ask for your password.

Slide24

Key Points: Security

- Paper containing PHI must either be filed in the correct record or placed in a secure, locked bin to be shredded.
- Computer screens should not be viewable by the public.
- Emails containing PHI to recipients outside SCL Health, including patients, need to be encrypted. To trigger email encryption add [secure] to the Subject line.
- NO texting of PHI is currently allowed because no security features are available at this time.

Slide25

Check Point: Security

Which of the following are good practices to follow at your work station? Choose all that apply.

- Using your date of birth as your password.
- Logging off your system at the end of the day and whenever you leave your computer unattended.
- Facing monitors away from public view or using a privacy screen.
- Leaving sensitive documents on the counter in a public area.
- Encrypting emails containing PHI that are sent outside the SCL Health email network.
- Texting PHI to physicians upon request.

Slide26

Check Point: Security

Which of the following are good practices to follow at your work station?

Correct Answers:

- Logging off your system at the end of the day and whenever you leave your computer unattended.
- Facing monitors away from public view or using a privacy screen.
- Encrypting emails containing PHI that are sent outside the SCL Health email network.

Slide27

Key Points: Security – Email & Internet Use Guidelines

EMAIL USAGE

Do NOT use SCL Health computers to:

- Send unencrypted sensitive information across the internet
- Exchange email for excessive non-business use
- Transmit contents that are in bad taste
- Forward chain mail or non-business related attachments
- Open attachments from unknown persons as they may contain viruses
- Use personal email addresses for work communications

INTERNET USAGE

Do NOT use SCL Health computers to:

- Participate in chat rooms
- Visit inappropriate or non-work related internet websites
- Download software from unknown sources
- Post confidential business information on public forums

Slide28

Key Points: Physical Security Standards

Facility Security

- All associates, physicians, other caregivers, volunteers, contractors and students are to wear their ID badge while on SCL Health premises.
- All visitors must be escorted by staff when in sensitive or restricted areas, such as Pediatrics, Nursery, Operating Room, or IT Department.
- Do not allow unauthorized persons to follow you into sensitive or restricted locations.
- Question individuals not wearing an ID badge or who appear suspicious.
- Contact Security if you see any unusual or suspicious individuals or activities.

Slide29

Key Points: Security

Breach Notification*

Report all breaches, regardless of the number of records involved, to the SCL Health Privacy Officer or Care Site Compliance and Privacy Officer.

What is a breach? A breach is any unauthorized access, use or disclosure of unsecured PHI. For example:

- Sending an email containing PHI to someone outside the SCL Health email network without encrypting it.
- Giving one patient’s discharge paperwork to another patient.
- Sending a fax containing PHI to the wrong number.

In some instances, we may be required to report breaches to the Department of Health and Human Services (DHHS) and notify the individuals affected.

*Added in HITECH

Slide30

Check Point: Security

If a paper containing PHI is no longer needed, it should be placed in the regular trash container immediately.

True ____ False ____

SCL Health employees should wear identification badges at all times.

True ____ False ____

If you suspect someone is in an area of the hospital where he/she should not be, you should question him/her or you should alert Security.

True ____ False ____

Slide31

Check Point: Security

If a paper containing PHI is no longer needed, it should be placed in the regular trash container immediately.

True ____ False __X__

If you need to dispose of paper containing PHI, throw it away in a secure shredding bin.

SCL Health employees should wear identification badges at all times.

True __X__ False ____

All employees and contractors should display an identification badge while on SCL Health premises.

If you suspect someone is in an area of the hospital where he/she should not be, you should question him/her or you should alert Security.

True __X__ False ____

Do not hesitate to question individuals not wearing an ID badge or to alert Security if you see any suspicious individuals or activities.

Slide32

Key Points: Patient Rights Under HIPAA

Patient rights under HIPAA include the right to:

- Request a restriction on further uses and disclosures of their PHI;
- Request communication by alternative methods or at alternative addresses;
- Access, inspect, or get a copy of their medical record;
- Request an amendment (correction) to their PHI; and
- Request an accounting of certain disclosures.

SCL Health has policies and procedures in place to support each of these rights.

Slide33

Key Points: Patient Rights Under HIPAA

Prior to disclosing any PHI, you must verify the identity and the authority of the person making the request, if not already known. SCL Health has policies or guidelines to assist you in this process. In general:

When the request is made… / Ask for…

- In person: SCL Health or government-issued photo ID (such as a driver's license or passport)
- By telephone: Several elements of personal information (such as caller name, address, phone #, patient date of birth, last 4 digits of social security number, and date of last visit)
- By fax: Faxed requests should be written on official letterhead, and you should verify that the fax number matches the fax number on record

Slide34

Check Point: Patient Rights Under HIPAA


A patient has the right to request a copy of his/her health record.

True____ False____

A patient does not have the right to request a change to their medical record.

True____ False____

Slide35

Check Point: Patient Rights Under HIPAA

A patient has the right to request a copy of his/her health record.

True__X__ False____

The right to request a copy of a patient’s health record is one of many patient rights under HIPAA.

A patient does not have the right to request a change to their medical record.

True____ False__X__

A patient does have the right to request an amendment (correction) to their PHI.

Slide36

Key Points: Reporting

You should always report any privacy or security issues. Reporting is key to ensuring SCL Health is compliant with these important requirements. Options to report issues include:

- Your direct supervisor
- The Care Site Compliance and Privacy Officer
- The SCL Health Privacy Officer
- The Care Site Information Security Officer
- The Integrity Hotline (anonymous)
- Occurrence Reporting System (Quantros)

There is a non-retaliation policy for reporting any complaint or concern in good faith.

Note: A non-retaliation policy ensures that an employee who reports suspected violations in good faith will not be subject to intimidation, threats, coercion or any retaliatory action.

Slide37

Reporting Contacts for HIPAA Issues

System Privacy/Security Team

- Donna Moranville – System Privacy/Security Officer
- Howard Haile – Chief Information Security Officer

Care Site Compliance and Privacy Officers

- Saint Joseph Hospital – Kathy Peeters
- Lutheran Medical Center – David Parks
- Good Samaritan Medical Center – David Parks
- Health Networks – Brenda Harstad
- St. James Healthcare – Stephanie Fantini
- Holy Rosary/St. Vincent Healthcare – Patti Boltz
- St. Mary’s Medical Center – Terri Chinn/Elaine Barnett

See Compliance Page on The Landing for additional contact info.

Slide38

Check Point: Reporting

SCL Health employees may only report issues to their direct supervisor.

True____ False____

There is a non-retaliation policy for any employee who makes a complaint in good faith.

True____ False____

Slide39

Check Point: Reporting

SCL Health employees may only report issues to their direct supervisor.

True____ False__X__

In addition to the direct supervisor, employees may report issues to the Care Site Compliance and Privacy Officer, the SCL Health Privacy Officer, the Care Site Information Security Officer, or anonymously through the Integrity Hotline.

There is a non-retaliation policy for any employee who makes a complaint in good faith.

True__X__ False____

The non-retaliation policy states SCL Health will not tolerate retaliatory actions against an employee who reports an issue in good faith.