HIPAA FOR THE WORKPLACE 2012
The goal of this training is to help ensure that all Optima employees are prepared to protect the privacy and security of our members’ health information.
COURSE GOAL
After review of this training and successful passing completion of the quiz, you will be able to:
Discuss the 3 different Acts that comprise the Administrative Simplification regulation;
Demonstrate comprehensive understanding of privacy and security measures for our members; and
Understand how to prevent, identify and report violations or breaches.
LEARNING OBJECTIVES
HIPAA OVERVIEW
The Privacy Rule governs who has access to protected health information (PHI).
The Security Rule specifies a series of administrative, technical and physical security procedures to assure the confidentiality, integrity and availability of ePHI.
The American Recovery and Reinvestment Act (ARRA) has the goal of establishing secure electronic health records for all Americans by 2014.
The Health Information Technology for Economic and Clinical Health Act (HITECH)
ARRA/HITECH brings changes to the HIPAA regulations in 3 categories:
Breach notification
Business Associate responsibilities
Penalties
HITECH is designed to encourage health care providers to adopt health information technology in a standardized manner and to protect private health information.
ARRA is the direct result of modifications in the HIPAA Privacy, Security and Enforcement Rules and strengthens health information privacy and security protections. ARRA specifically addresses:
Breaches
Electronic Health Records (EHR)
Personal Health Records (PHR)
HITECH and ARRA RULES
THE PRIVACY RULE
The Privacy Rule is designed to protect individuals’ health information (PHI) and allows individuals to:
get a copy of their medical records
ask for changes to their medical records
find out and limit how their PHI may be used
know who has received their PHI
have communications sent to an alternate location or by an alternate means
file complaints and participate in investigations
GUIDELINES FOR USING & DISCLOSING PHI
You may disclose information, without a member’s authorization, to the appropriate authorities:
if required by law, court order, etc.
to public health officials, FDA, etc.
for abuse or domestic violence
to help law enforcement officials
to notify of suspicious death
to provide information for workers’ compensation
to assist government actions
to help in disaster relief efforts
to avert a serious threat to health or safety
for health oversight activities
YOUR RESPONSIBILITIES
You are required to:
when disclosing PHI, limit the information you share with a person to what he or she needs to know (“minimum necessary” guidelines)
use PHI according to HIPAA-approved guidelines for access, accounting, amendment, and restriction of PHI
only access the PHI necessary to complete your job duties
maintain confidentiality & security of member information at all times
Members and Personal Representatives have the right to request alternate confidential means of receiving communications that includes PHI.
Send the completed request to the Director of Compliance:
Must be in writing
Must indicate the alternate address or specifications for the alternative means of communication
Must be signed
If requestor is a Personal Representative, must provide legal proof of their authority to represent the Member
ALTERNATE ADDRESS
Prior to making any verbal disclosures of PHI, you must verify the requestor’s identity by asking several identifying questions, e.g., address, birth date, member number, etc.
You may discuss billing questions, benefit information, etc. without having an Authorization form signed.
Protected health information may be given to custodial parents, adults acting in loco parentis, emancipated minors, Designated Representatives and Designated Agents as long as an authorization and/or legal documents are on file.
VERIFICATION FOR RELEASE OF PHI
Federal law protects all information about a member with a current or past diagnosis of substance abuse and/or mental disorder.
These laws override the HIPAA laws.
Protected health information cannot be disclosed without a signed authorization.
Limited mental health information can be discussed with a minor’s custodial parent.
MENTAL HEALTH and SUBSTANCE ABUSE
Federal and State Laws protect minors’ (under the age of 18) health care rights.
Staff may discuss a minor’s health information with custodial parents except for:
Pregnancy and family planning
Sexually transmitted diseases
Substance abuse
Mental health, if treatment consent given by minor only
All discussions should be limited to the minimal amount of information necessary to resolve the question.
If unsure about procedures for releasing information, seek advice from your supervisor or the Compliance Department.
MINORS
EMAILS
In your daily job responsibilities, email is used to communicate with staff, members, providers and vendors. Remember:
Emails about members should only be shared with those who have a need to know this information in connection with their specific job function(s).
Emails sent externally should be encrypted.
The Email system cannot be used by employees to express discriminatory views, threaten or harass employees or to advertise information that brings personal or financial gain.
ENCRYPTED EMAIL PROCESS for messages to an external email user (non-Sentara):
The sender needs to insert [secure] in the subject line.
The recipient(s) needs to register for an IRONPORT (POSTX) mailbox to receive/view the message.
The message never leaves Sentara’s Network in an email format, therefore it is only viewed as a web page over https.
ENCRYPTED EMAIL
FAXES
Avoid faxing confidential information. If you send a fax to an incorrect number, report the incident immediately to your Supervisor or Manager.
Verify fax numbers prior to transmission to ensure the fax will be going to the correct person.
Use the Optima Health Fax Cover Sheet located on Wavenet.
The Fax Cover Sheet should contain a confidentiality notice requesting notification if the fax went to the wrong person.
A Business Associate (BA) performs services to/for Optima Health that involve the use or disclosure of member PHI.
The Optima Health Business Associate Agreement (BAA) requires specified written safeguards for PHI.
ARRA requires BAs to comply with all the same regulations as Optima Health.
Optima’s Business Associates have the same penalties for violations as Optima.
A Business Associate Agreement (BAA) must be included with the contract.
PRIVACY/SECURITY BUSINESS ASSOCIATES (BAs)
The Security Rule is designed to keep secure the transfer and storage of electronic health information (ePHI) by enforcing:
Administrative Procedures: These measures manage the selection, development, implementation and maintenance of security measures and include workforce security, security training, policies & procedures.
Technical Safeguards: The technology that protects ePHI and controls access and transmission security.
Physical Safeguards: Physical measures to protect the electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
THE SECURITY RULE
PROTECTING ePHI
Every organization has its own rules for internal and external storing and transferring of information, also known as EDI (electronic data interchange). You are required to:
- use passwords
- log off computer systems when you leave your desk
- turn monitors so that they are not visible to others
- dispose of disks and CDs properly (contact the IT Dept for disposal assistance)
- always save PHI to the shared directory, not personal drives
WHAT IS A BREACH?
A breach is defined as the acquisition, access, use or disclosure of unsecured PHI which is not permitted by the HIPAA Privacy Rules and which compromises the security or privacy of the PHI.
Unsecured PHI is any member health information that is not secured through encryption or an approved destruction process that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals.
PHI can be in any form or medium including electronic, paper or oral.
When a breach is identified, Optima Health is to notify each individual whose unsecured PHI has been, or is believed to have been, accessed, acquired or disclosed.
Business Associates must notify Optima as well as the individual whose PHI was disclosed.
The first day the breach is discovered, or there is reason to suspect that a breach has occurred, is counted as the first day.
Required notifications must occur without unreasonable delay (no more than 60 calendar days after discovery).
HITECH BREACH CHANGES
REPORTING HIPAA VIOLATIONS OR BREACHES
If a HIPAA violation, breach or possible breach occurs, complete the Member Disclosure Tracking Form and the HIPAA Breach Form.
Give it to your supervisor who will send it to the Director of Compliance.
Reports may be made without fear of intimidation, coercion, threats, retaliation, or discrimination.
If you have questions about the Privacy Rule and how it affects your job, talk to your supervisor, compliance personnel or call the Sentara Integrity Hotline at 1-800-981-6667.
Be sure to notify your supervisor and/or the Director of Compliance even if you are not sure the error is a breach.
OPTIMA BREACH HISTORY

                                                        2010   2011
TOTAL BREACHES/VIOLATIONS                                 21     32
Sent to wrong provider/group/Business Associate            4      8
Sent to wrong member                                       5      6
Email violation                                            2      6
Fax violation                                              1      8
Encryption violation                                       4      2
Physical security/equipment violation                      5      2
Remedial action: PHI returned/destroyed                    7     20
Remedial action: staff training                           10      9
Remedial action: computer/physical security enhanced       2      4
Remedial action: staff disciplinary action                 0      0
This is the end of the 1st Module of the 2012 Optima Health Compliance Course. Please begin Quiz #1.
Thank you!