HIPAA FOR THE WORKPLACE 2012 - PowerPoint Presentation

Uploaded by lois-ondreau on 2018-11-02

Presentation Transcript

Slide 1: HIPAA FOR THE WORKPLACE 2012

Slide 2: COURSE GOAL

The goal of this training is to help ensure that all Optima employees are prepared to protect the privacy and security of our members’ health information.

Slide 3: LEARNING OBJECTIVES

After reviewing this training and successfully completing the quiz, you will be able to:

- Discuss the 3 different Acts that comprise the Administrative Simplification regulation;
- Demonstrate a comprehensive understanding of privacy and security measures for our members; and
- Understand how to prevent, identify and report violations or breaches.

Slide 4: HIPAA OVERVIEW

The Privacy Rule governs who has access to protected health information (PHI).

The Security Rule specifies a series of administrative, technical and physical security procedures to assure the confidentiality, integrity and availability of ePHI.

The American Recovery and Reinvestment Act (ARRA) goal is to establish secure electronic health records for all Americans by 2014.

The Health Information Technology for Economic and Clinical Health Act (HITECH)

ARRA/HITECH brings changes to the HIPAA regulations in 3 categories:

- Breach notification
- Business Associate responsibilities
- Penalties

Slide 5: HITECH and ARRA RULES

HITECH is designed to encourage health care providers to adopt health information technology in a standardized manner and to protect private health information.

ARRA is the direct result of modifications in the HIPAA Privacy, Security and Enforcement Rules and strengthens health information privacy and security protections. ARRA specifically addresses:

- Breaches
- Electronic Health Records (EHR)
- Personal Health Records (PHR)

Slide 6: THE PRIVACY RULE

The Privacy Rule is designed to protect individuals’ health information (PHI) and allows individuals to:

- get a copy of their medical records
- ask for changes to their medical records
- find out and limit how their PHI may be used
- know who has received their PHI
- have communications sent to an alternate location or by an alternate means
- file complaints and participate in investigations

Slide 7: GUIDELINES FOR USING & DISCLOSING PHI

You may disclose information, without a member’s authorization, to the appropriate authorities:

- if required by law, court order, etc.
- to public health officials, FDA, etc.
- for abuse or domestic violence
- to help law enforcement officials
- to notify of suspicious death
- to provide information for workers’ compensation
- to assist government actions
- to help in disaster relief efforts
- to avert a serious threat to health or safety
- for health oversight activities

Slide 8: YOUR RESPONSIBILITIES

You are required to:

- disclose PHI by limiting the information you share with a person to what he or she needs to know (“minimum necessary” guidelines)
- use PHI according to HIPAA-approved guidelines for access, accounting, amendment, and restriction of PHI
- only access the PHI necessary to complete your job duties
- maintain confidentiality & security of member information at all times

Slide 9: ALTERNATE ADDRESS

Members and Personal Representatives have the right to request alternate confidential means of receiving communications that include PHI.

Send the completed request to the Director of Compliance. The request:

- must be in writing
- must indicate the alternate address or specifications for the alternative means of communication
- must be signed
- if the requestor is a Personal Representative, must include legal proof of their authority to represent the Member

Slide 10: VERIFICATION FOR RELEASE OF PHI

Prior to making any verbal disclosures of PHI, you must verify the requestor’s identity by asking several identifying questions, e.g., address, birth date, member number, etc.

You may discuss billing questions, benefit information, etc. without having an Authorization form signed.

Protected health information may be given to custodial parents, adults acting in loco parentis, emancipated minors, Designated Representatives and Designated Agents as long as an authorization and/or legal documents are on file.

Slide 11: MENTAL HEALTH and SUBSTANCE ABUSE

Federal law protects all information about a member with a current or past diagnosis of substance abuse and/or mental disorder. These laws override the HIPAA laws.

Protected health information cannot be disclosed without a signed authorization.

Limited mental health information can be discussed with a minor’s custodial parent.

Slide 12: MINORS

Federal and State laws protect minors’ (under the age of 18) health care rights.

Staff may discuss a minor’s health information with custodial parents except for:

- Pregnancy and family planning
- Sexually transmitted diseases
- Substance abuse
- Mental health, if treatment consent was given by the minor only

All discussions should be limited to the minimal amount of information necessary to resolve the question.

If unsure about procedures for releasing information, seek advice from your supervisor or the Compliance Department.

Slide 13: EMAILS

In your daily job responsibilities, email is used to communicate with staff, members, providers and vendors. Remember:

- Emails about members should only be shared with those who have a need to know this information in connection with their specific job function(s).
- Emails sent externally should be encrypted.
- The email system cannot be used by employees to express discriminatory views, threaten or harass employees, or to advertise information that brings personal or financial gain.

Slide 14: ENCRYPTED EMAIL

ENCRYPTED EMAIL PROCESS for messages to an external email user (non-Sentara):

- The sender needs to insert [secure] in the subject line.
- The recipient(s) needs to register for an IRONPORT (POSTX) mailbox to receive/view the message.
- The message never leaves Sentara’s network in an email format; it is only viewed as a web page over HTTPS.

Slide 15: FAXES

Avoid faxing confidential information. If you send a fax to an incorrect number, report the incident immediately to your Supervisor or Manager.

Verify fax numbers prior to transmission to ensure the fax will be going to the correct person.

Use the Optima Health Fax Cover Sheet located on Wavenet.

The Fax Cover Sheet should contain a confidentiality notice requesting notification if the fax went to the wrong person.

Slide 16: PRIVACY/SECURITY BUSINESS ASSOCIATES (BAs)

A Business Associate performs services to/for Optima Health that involve the use or disclosure of member PHI.

The Optima Health Business Associate Agreement (BAA) requires specified written safeguards for PHI. ARRA requires BAs to comply with all the same regulations as Optima Health.

Optima’s Business Associates face the same penalties for violations as Optima. A Business Associate Agreement (BAA) must be included with the contract.

Slide 17: THE SECURITY RULE

The Security Rule is designed to keep secure the transfer and storage of electronic health information (ePHI) by enforcing:

- Administrative Procedures: These measures manage the selection, development, implementation and maintenance of security measures and include workforce security, security training, and policies & procedures.
- Technical Safeguards: The technology that protects ePHI and controls access and transmission security.
- Physical Safeguards: Physical measures to protect the electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Slide 18: PROTECTING ePHI

Every organization has its own rules for internal and external storing and transferring of information, also known as EDI (electronic data interchange). You are required to:

- use passwords
- log off computer systems when you leave your desk
- turn monitors so that they are not visible to others
- dispose of disks and CDs properly (contact the IT Dept for disposal assistance)
- always save PHI to the shared directory, not personal drives

Slide 19: WHAT IS A BREACH?

A breach is defined as the acquisition, access, use or disclosure of unsecured PHI which is not permitted by the HIPAA Privacy Rules and which compromises the security or privacy of the PHI.

Unsecured PHI is any member health information that is not secured through encryption or an approved destruction process that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals.

PHI can be in any form or medium including electronic, paper or oral.

Slide 20: HITECH BREACH CHANGES

When a breach is identified, Optima Health is to notify each individual whose unsecured PHI has been, or is believed to have been, accessed, acquired or disclosed.

Business Associates must notify Optima as well as the individual whose PHI was disclosed.

The day the breach is discovered, or there is reason to suspect that a breach has occurred, is counted as the first day.

Required notifications must occur without unreasonable delay (no more than 60 calendar days after discovery).

Slide 21: REPORTING HIPAA VIOLATIONS OR BREACHES

If a HIPAA violation, breach or possible breach occurs, complete the Member Disclosure Tracking Form and the HIPAA Breach Form. Give them to your supervisor, who will send them to the Director of Compliance.

Reports may be made without fear of intimidation, coercion, threats, retaliation, or discrimination.

If you have questions about the Privacy Rule and how it affects your job, talk to your supervisor or compliance personnel, or call the Sentara Integrity Hotline at 1-800-981-6667.

Be sure to notify your supervisor and/or the Director of Compliance even if you are not sure the error is a breach.

Slide 22: OPTIMA BREACH HISTORY

                                                       2010   2011
TOTAL BREACHES/VIOLATIONS                                21     32
Sent to wrong provider/group/Business Associate           4      8
Sent to wrong member                                      5      6
Email violation                                           2      6
Fax violation                                             1      8
Encryption violation                                      4      2
Physical security/equipment violation                     5      2
Remedial action: PHI returned/destroyed                   7     20
Remedial action: staff training                          10      9
Remedial action: computer/physical security enhanced      2      4
Remedial action: staff disciplinary action                0      0

Slide 23

This is the end of the 1st Module of the 2012 Optima Health Compliance Course. Please begin Quiz #1.

Thank you!