Please Turn Off or Silence Cell Phones & Pagers

1 Please Turn Off or Silence Cell Phones & Pagers 1

2 Compliance at UAMS Presented by: Office of Hospital Compliance Office of Research Compliance Faculty Group Practice Compliance HIPAA Office 2

3 UAMS Compliance Organization Vice Chancellor for Institutional Compliance Bob Bishop, (501) , Hospital Compliance Officer Jane Hohn, (501) , Research Compliance Officer Darri Scalzo, (501) Faculty Group Practice Compliance Officer Paula Archer (501) , UAMS HIPAA Coordinator Vera Chenault (501) , 3

4 What is Compliance? Each UAMS employee has maintained a high standard of legal and ethical behavior for many years, but now the federal government has added new rules that make companies prove their pledge to ethical behavior in all business dealings. The effort is called compliance. 4

5 UAMS Commitment Your compliance offices are here to help you work through issues that might come up Hotline reports may be anonymous UAMS has a non-retaliation policy for reporting of violations 5

6 UAMS Commitment UAMS Behavioral Standards Do what is right for the patient and their families and guests. Accept the responsibilities of your job and be accountable for outcomes. Investigate complaints and respond appropriately. Acknowledge mistakes, apologize and work to make it right. Be honest, sincere and fair in dealing with patients, families and each other. Respect patient and family confidentiality at all times. Report observed inappropriate behavior or problems using appropriate channels. Conserve resources as if they were your own. Respect the patient's time. Keep the patient informed when delays occur. 6

7 Doing the right thing What is right is right even if no one is doing it, what is wrong is wrong even if everyone is doing it. If you see someone else doing something wrong, report them. 7

8 Doing the right thing It's not the first mistake that gets you. It's the second, the coverup, that will. If you do something wrong, acknowledge it. 8

9 Institutional Compliance UAMS Policy UAMS workforce members must obey all federal and state laws in regards to: Implementation and enforcement of procedures which detect and prevent fraud, waste and abuse in respect to payments to UAMS from federal and state health care programs Provide protections for those who report actual or suspected wrongdoing. 9

10 Institutional Compliance UAMS Reporting Policy UAMS workforce members will be protected from discharge or retaliation for Good Faith Reporting the existence of: Any waste of public funds, property or manpower A violation or suspected violation of federal laws, state laws, or UAMS rules and regulations. 10

11 Compliance Reporting Line It is the policy of each compliance department to take ALL reports of wrongdoing, errors or violations of law seriously. You can report a concern about corporate, research, billing or HIPAA compliance to our toll free reporting line The person taking your call is not a UAMS employee and the call will not be recorded. Employees making reports to the line will be protected from retaliation or punishment as a result of making the report. 11

12 UAMS Office of Hospital Compliance 12

13 What Does Compliance Mean to UAMS? At UAMS, doing the right thing is nothing new. We are a department devoted to ensuring that we monitor ourselves when it comes to the way we do business. Our corporate compliance program is used to reinforce our employees' long-standing tradition of honesty and integrity. 13

14 What Does Compliance Mean for Me? It's up to us to do what is right every time we deal with anyone in our role at UAMS. It means we need to comply with all federal and state standards with an emphasis on preventing fraud and abuse. It means we have a responsibility to report any actions thought to be illegal or unethical. 14

15 Federal False Claims Act Incorporated into UAMS Institutional Compliance Policy The Federal False Claims Act imposes civil liability on any person or entity that: Knowingly files a false or fraudulent claim for payments to Medicare, Medicaid or other federally funded health care programs. Knowingly uses a false record or statement to obtain payment on a false or fraudulent claim. Conspires to defraud Medicare, Medicaid or other federally funded health care programs. 15

16 Examples of Illegal or Unethical Actions Billing a patient for a medical treatment, service or item that was not done. Inappropriately changing or destroying a medical research or financial record. Stealing money or items that don't belong to you. Getting pay for hours not worked. Asking for and/or getting anything of value from a vendor in return for influencing a decision on whether or not to purchase a vendor's product. 16

17 What Do I Do When a Questionable Situation Occurs? If you are unsure of the right response in a given situation, ask yourself a few simple questions: Is this action legal? Am I being fair and honest? Am I following UAMS policies and procedures? How would it look in the newspaper? What would I tell a friend to do? 17

18 What Do I Do When a Questionable Situation Occurs? If you are still in doubt, talk with or contact the following: Your supervisor Another supervisor or administrator Institutional compliance department UAMS legal counsel 18

19 UAMS Code of Conduct UAMS has a policy of maintaining high professional and ethical standards in the conduct of its missions. The highest importance is placed on our reputation for honesty, integrity and high ethical standards. The Code of Conduct is a reaffirmation of the importance of high ethical standards. Please take a moment to review the code of conduct and sign the attestation on the back page. 19

20 UAMS Office of Research Compliance 20

21 Human Subject Research At UAMS To Teach, To Heal, To Search, To Serve Research is a systematic investigation designed to develop or contribute to generalizable knowledge. Federal regulations, institutional policies and procedures, and accepted standards govern research 21

22 What does the UAMS Office of Research Compliance do? Manages the human subject research compliance program on behalf of UAMS administration Promotes the Institution s commitment to the protection of human subjects and responsible conduct of research through oversight and education 22

23 Activities Consult on compliance issues Educate research staff Advise the administration and the Institutional Review Board on compliance issues Audit/Review research activities 23

24 Why is Research Compliance Important? What can happen when things don't go right: Research participants could be injured Need to spend resources to fix problems Studies can be put on hold Might not be able to receive investigational drugs or devices Worst-case scenario: all research halted until problem is resolved 24

25 What can ORC do for me? Answer questions about regulations, standards, audits/reviews, and just about anything else related to human subject research Education programs Self-assessment tools 25

26 UAMS Faculty Group Practice Compliance 26

27 Faculty Group Practice Compliance FGP Compliance is the compliance component for billing providers and their staffs. There are compliance requirements for workforce members who fall into those categories. 27

28 Investigation & Corrective Action: FGP Compliance Office When the FGP Compliance Officer determines that there is reasonable cause to believe that a compliance issue may exist, an inquiry into the matter will be undertaken, with assistance from the Counsel when appropriate. The results of the inquiry will be furnished to the Dean. UAMS employees shall cooperate fully with any inquiries undertaken pursuant to this section of the Plan. To the extent practical and appropriate, efforts should be made to maintain the confidentiality of such inquiries and of the information gathered. 28

29 Governmental Sanctions Deny or revoke Medicare provider number Suspension of payment directly to provider Penalties: Can be fined up to $10,000 per violation A corporate integrity agreement may be imposed. Exclusion from Medicare and any other federally funded healthcare program Criminal prosecution 29

30 FGP Compliance Reporting Departments or divisions shall advise the FGP Compliance Officer, prior to engaging any outside billing consultants and shall provide the FGP Compliance Officer a copy of any reports prepared by such consultants. Departments or divisions shall also immediately advise the FGP Compliance Officer if notified of a subpoena, carrier review audit, or inquiry by an outside agency on any issue relating to compliance. The FGP Compliance Officer can be contacted at

31 HIPAA: Health Insurance Portability & Accountability Act Presented by the UAMS HIPAA Office 31

32 HIPAA (not HIPPA) What is HIPAA? The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients' health information. How does HIPAA affect me? UAMS requires all workforce members to sign the UAMS Confidentiality Agreement, and to work together to protect the confidentiality and security of patient, proprietary, and other confidential information. 32

33 New HIPAA Enforcement Requirements Changes to HIPAA as a result of the 2009 Stimulus Bill: Strict Liability fines up to $1,000,000 per occurrence Requirement that we notify DHHS of a breach including inappropriate access to a patient's record.

34 What is a Breach? Any use or disclosure of PHI that is not permitted by the Privacy Rule that poses a significant risk of financial, reputational or other harm. For example: A UAMS employee accesses the record of a patient outside the performance of their job duties An unencrypted laptop containing PHI is lost or stolen PHI is sent to the wrong fax, mailing address or printer

35 Exceptions Exceptions: there are certain types of uses or disclosures that do not meet the definition of a breach. These exceptions are: Unintentional use by a UAMS workforce member that does not result in the PHI being further used or disclosed. For example, a nurse accidentally clicks on the wrong patient's name in WebChart, pulls up that patient's record, realizes that she is in the wrong patient's chart, and closes the record. Unauthorized disclosure to an individual who cannot possibly retain it. For example, when checking a patient in, you accidentally hand the patient a registration packet that belongs to someone else, but you realize your mistake and immediately retrieve the information.

36 Notification Requirements UAMS must notify every person in writing whose unsecured PHI has been breached as soon as feasible but within 60 days. UAMS must report breaches to HHS. If less than 500 individuals, log and report annually. If more than 500 individuals must notify HHS at the same time we notify the patient and we must also notify the media.

37 How can you help? Notify the UAMS HIPAA Office as soon as you suspect a possible breach. The HIPAA Office will then determine if an actual breach has occurred and take care of the notification process. Help us keep patient contact information current. Follow your department's documentation requirements. Take steps to prevent breaches from happening in your department. When in doubt, just contact us.

38 Why It Matters We are committed to creating comfort, hope and healing for our patients and families Can we do that if we do not respect the privacy and security of their personal information? 38

39 What is Protected Health Information? PHI is any individually identifiable health information transmitted or maintained that relates to: past, present or future physical or mental condition health care provided or payment for care. 39

40 PHI Identifiers: here's what we need to protect! Apply to patients, their families, household members and employers: Name Address (street address, city, county, zip code (more than 3 digits) or other geographic codes) Dates related to patient Age greater than 89 Telephone Number Fax Number E-mail addresses Social Security Number Medical Record Number Health Plan Beneficiary # Account Number Certificate/License Number Any vehicle or device serial number Web URL Internet Protocol (IP) Address Finger or voice prints Photographic images Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not) 40

41 Health Information Health information should be protected from: people who aren't involved in the patient's direct treatment insurers using it to deny life or disability coverage employers using it in hiring/firing decisions Reporters nosy neighbors, family members, or co-workers 41

42 HIPAA The HIPAA regulations are not intended to prevent the use or disclosure of patient information for the purposes of treating the patient (anyone involved in the patient's care can access the patient's information) obtaining payment (people involved in billing insurance or collection of the patient's account may access the patient's information) healthcare operations (others involved in the operations at UAMS who need the information to do their job, such as compliance staff, may access the patient's information) These purposes are referred to as TPO (treatment, payment, operations) and do not require patient authorizations 42

43 Guard PHI!

44 Guard PHI! Be aware of PHI around you Papers lying around Computer screens Conversations involving patients Patient information on I.D. stickers, medication labels, forms 44

45 Guard PHI! When papers containing PHI are no longer needed, place them in a locked shred bin Be careful not to leave papers at copy or fax machines, printers, or conference rooms Do not take patient records off campus. 45

46 Guard PHI! Turn computer screens away from traffic or use privacy screens, and be aware of those around you when using PHI on computers Log off or lock your computer prior to stepping away from it 46

47 Guard PHI! Use private areas to discuss patient information when possible Keep your voice lowered when discussing patients, and be aware of those around you If you overhear a conversation about a patient, keep it to yourself. 47

48 Guard PHI! If you do not need patient information to do your job, do not seek it out. Accessing patient information outside the performance of your job is a violation of UAMS policy and the law and will result in disciplinary action Access to patient information will be monitored and audited. 48

49 Guard PHI! Accessing health records for your job does not mean accessing Your own record The records of your family members or friends The records of your co-workers 49

50 Think About It It is likely that there is something in everyone's medical record that they would not want the world to know Would you want your co-workers to know your weight? Would you want your neighbor to know that you take antidepressants? Would you want your mother to know that you have a history of alcohol use? It is never okay to access someone's health records outside the performance of your job. 50

51 Remember Confidentiality is a matter of respect, and is a vital component of creating comfort, hope and healing for our patients and their families. We are all patients ourselves from time to time. Think about how you would feel if your own health information was used or disclosed in a way that was harmful to you or your family. 51

52 UAMS Policies & The Law UAMS HIPAA policies can be found on The UAMS HIPAA office can point you to the applicable policy if a question arises 52

53 UAMS Confidentiality Policy Confidential information at UAMS includes: Protected Health Information (PHI) Electronic Protected Health Information (ePHI) UAMS research project information Confidential employee and student information UAMS proprietary information Sign-on and password codes 53

54 UAMS Confidentiality Policy Unlawful or unauthorized access, use or disclosure of confidential information is prohibited. Never share or post your password Do not access information except to meet needs specific to your job. Signing the UAMS Confidentiality Agreement is a condition of employment at UAMS. 54

55 Notice of Privacy Practices UAMS must give our patients a copy of our "Notice of Privacy Practices" which includes a description of their rights and how their health information may be used and disclosed. Except in emergencies, we must make a good faith effort to obtain written acknowledgement that our patients received the Notice. If unable to obtain acknowledgment, the attempt must be documented. Both English and Spanish versions may be found at: 55

56 Use and Disclosure Use is the sharing of Protected Health Information (PHI) within the UAMS community, which includes UAMS off-campus facilities such as: all AHECS, KidsFirst, and ACH. Disclosure is releasing or providing access to PHI to anyone outside UAMS. Generally, you may use and disclose PHI for treatment, payment and healthcare operations (TPO) of our organization WITHOUT patient authorization. If the requestor is not known to you, VERIFY their identity and authority before providing PHI. 56

57 Disclosures required by law Limited PHI may be used or disclosed without patient authorization when required or permitted by law. Examples are: Communicable disease reporting Suspected abuse and neglect Reporting to the FDA Organ donation purposes To funeral directors 57

58 Authorization Except for TPO or when required or permitted by law, most other uses and disclosures require patient authorization. Examples are disclosures to attorneys and life insurance companies ROI HIPAA has several required elements for an authorization to be valid. Valid Authorization for Release of Information Forms may be obtained from our HIM department. 58

59 Minimum Necessary When using or disclosing PHI or requesting it from another organization, we must make reasonable efforts to limit it to the smallest amount needed to accomplish the task. If the entire chart is not required, only ask for the information you need. Exceptions to the Minimum Necessary include disclosures to or requests by a healthcare provider for treatment purposes. Follow the simple need to know rule. 59

60 Patient Directory The following information may be included in a Patient Directory: Patient Name Location in our facility General statement of condition (good, fair, etc.) Religious affiliation (available only to clergy) Unless the patient tells UAMS not to, the above information may be provided to people who ask for the patient by name. 60

61 Sharing information with Family and Friends Involved in the Patient's Care You may share information directly relevant to the person's involvement with the patient's care or for payment related to care under the following circumstances: If the patient is present or otherwise available prior to the disclosure, you must: Obtain the patient's agreement or Provide the patient an opportunity to object, and they do not or Using professional judgment, reasonably infer from the circumstances that patient does not object.

62 If the patient is not present If the patient is not present, or is incapacitated, or in an emergency situation: You may provide the information directly relevant to family/friend's involvement in the patient's care, if you determine it is in the patient's best interest. 62

63 Patient Rights HIPAA gives patients the right to: access, inspect and copy PHI request amendment of PHI receive accounting of disclosures request restrictions on disclosures request communications of PHI at alternative locations or means register complaints concerning their privacy rights. Our contact number for privacy complaints is (toll free) or

64 Patient's Right to PHI With a few exceptions, patients can access, inspect and receive copies of their health information. Requests must be granted: within 30 days if PHI is on-site within 60 days if PHI is off-site 64

65 Exceptions include if a health care professional believes it could be harmful. If access to certain PHI is denied, then only the denied information may be withheld, and the rest of the information must be provided. 65

66 Amendments to PHI Patients have a right to request an amendment if they believe their information is inaccurate or incomplete. Examples of when the request may be denied are: the PHI is already accurate and complete the PHI was not created by the provider, and the creator is available Our HIM Department will process amendment requests. 66

67 Accounting of Disclosures A patient has the right to receive an accounting of PHI disclosures. Examples of disclosures that must be included are those required by law, such as communicable disease reporting, reporting to the Cancer Registry, and reporting to the FDA. Our HIM Department will process requests for An Accounting of Disclosures 67

68 Reasonable Safeguards UAMS must take reasonable steps to make sure PHI is kept private Permitted (with reasonable precautions): Calling out a patient's name in a waiting area Use of a sign-in sheet containing limited information. Talk about a patient's care at nursing stations Examples of reasonable precautions include speaking in a low voice and pulling curtains in semi-private rooms. See HIPAA Hints. 68

69 Accidental vs. Intentional Disclosures Accidental Disclosures Mistakes happen If you disclose private data in error to an unauthorized person or if you breach the security of private data Acknowledge the mistake, and notify your supervisor or the HIPAA Office immediately Learn from the error: change procedures or practices, as needed Assist in correcting or recovering from the error ONLY if instructed to do so; don't try to cover it up or make it right on your own. 69

70 Accidental vs. Intentional Disclosures Intentional disclosures If you ignore the rules and carelessly or deliberately use or disclose Protected Health Information inappropriately, you can expect UAMS disciplinary action, civil liability, and/or criminal charges All intentional violations, known or suspected, must be reported immediately So they can be investigated and managed So they can be prevented from happening again So damages can be kept to a minimum To minimize your personal risk 70

71 Accidental vs. Intentional Disclosures Examples of intentional violations include: Improper Use of Passwords can become Intentional Violations Sharing, posting or distributing personal password or account access information. Knowledge of unauthorized use by a co-worker of an account or password belonging to someone else. Attempting to learn or use another person's access information. Improper Use of Computers can become Intentional Security Violations Installing or downloading unauthorized computer programs that include or allow the entrance of viruses, worms or other malicious software. Failing to secure a workstation with access to or display of confidential information Posting PHI or other private data on the Internet without authorization Placing unencrypted PHI or personal information on removable media or devices, such as thumb drives, DVDs, and CDs. Other examples of intentional violations Accessing personal information outside of your job Illegally altering, destroying, or removing original paper or electronic PHI Accessing electronic PHI at home and leaving the information visible and/or accessible to family members, roommates, and friends. Selling health or personal information or inappropriately giving such information to the news media 71

72 UAMS Faxing Policy Fax machines must be in a secure location. Confidential data should be faxed only when mail will not suffice. Faxes containing PHI and other confidential information must have an official UAMS fax cover sheet. Reconfirm recipient's fax number before transmittal. Confirm receipt of fax. Notify your supervisor if a fax is sent to the wrong recipient. 72

73 HIPAA Security Rule Electronic Protected Health Information (ePHI) means individually identifiable health information that is: Transmitted by electronic media Maintained in electronic media Received by electronic media The storage of ePHI is also covered under this rule.

74 HIPAA Security Rule The Security Rule covers all electronic media. Computer networks, desktop computers, laptop computers, personal digital assistants and handheld computers are all considered electronic media. Electronic media also includes magnetic tapes, disks, compact disks, and other means of storing electronic data (including the Internet and UAMS Intranet). 74

75 Facility Physical Access Controls The Security Rule lists a wide range of activities for which UAMS must provide protection. For example, we must safeguard: Computer hardware and software Buildings that house computer hardware and software Storage and disposal of data and the back-up of data Who has access to data Visitor access to any facilities

76 HIPAA Security Rule - Standards The Security Rule is made up of three categories of standards Administrative Safeguards Physical Safeguards Technical Safeguards 76

77 Administrative Safeguards UAMS must have policies and procedures in place to make sure that all members of the workforce have appropriate access to electronic PHI in order to perform their jobs. UAMS must prevent inappropriate access. UAMS has selected a Security Officer. Steve Cochran can be reached at

78 Password Management Policy Keep passwords confidential. Avoid maintaining a paper record of passwords. Change passwords when there is an indication of possible compromise. Do not use the same passwords for business and personal accounts. Change passwords at regular intervals (120 days) and limit reusing old passwords on domain log-on accounts.

79 Password Management Policy Change temporary passwords at first logon. Do not include passwords in any automated log-on process, including web pages. Always maintain and use passwords in a secure and confidential manner. Password phrases or sentences are encouraged for domain log-on. 79

80 Password Management Policy Passwords must: be based on something besides personal information so that it cannot be easily guessed or obtained have 8 characters and contain at least 3 of the following: Capital letter Lower case letter Number Symbol (including spaces) Examples: #G65c1a! joke51mn The sky is blue and orange! (as a domain log-on password phrase) 80

81 Security Log-In Monitoring Never share passwords with others, not even IT or your supervisor. If you believe that someone else is inappropriately using your ID or password, immediately notify the Technical Support Center at or the IT Security Office at or ACH TechSource at

82 Passwords Never use someone else's sign on information If you are asked to sign on using someone else's information, refuse to do so and report them 82

83 Information Access for Transfers & Terminations Department supervisors are responsible for reviewing transferring employees' computer access levels and notifying the department's IT administrator or the UAMS IT Security Office at Upon separation from UAMS, all access is terminated. 83

84 Access Controls for Confidential Information When leaving a computer unattended, lock the workstation using control/alt/delete, use a password protected screensaver, or log-off the computer. 84

85 Locking the computer Press CTRL, ALT, Delete keys on the keyboard. On the pop up window, click on the Lock Computer button. 85

86 Locking the computer When you want to work on the computer again you will need to login with your domain password.

87 Information Access Management Policy & Internet Policy Access to confidential information and ePHI is granted to authorized individuals on a need-to-know basis. UAMS computers should be used only for authorized purposes. Do not access information outside the performance of your job duties. Do not use computers to engage in any activity that is illegal under local, state, federal, or international law. Do not use workstations to engage in any activity that is in violation of UAMS policy. For example, do not access inappropriate or offensive websites, engage in gambling, send malicious e-mails, or download copyrighted materials. Never disclose or provide ePHI to others except in accordance with UAMS policies and procedures.

88 Security Log-In Monitoring UAMS monitors log-on attempts to the UAMS electronic information systems. If you suspect inappropriate log-on attempts you must report it to the IT Security Office at or the Technical Support Center at or ACH TechSource at All UAMS information systems must be accessed through your username and password. UAMS systems are monitored to show who accessed what information. 88

89 Malicious Software Policy Installation and updating of anti-virus software is done on required information systems. Never bypass or disable anti-virus software. E-mail attachments are scanned for viruses prior to delivery; however, delete e-mails when they appear suspicious, or you do not know who sent the e-mail. 89

90 Malicious Software Policy If you detect or suspect malicious software or a virus notify the UAMS Technical Support Center or ACH TechSource immediately. Do not install personal software or download Internet software onto UAMS computers. Examples- Kazaa, Weatherbug, anti-virus software, and/or pop-up blockers onto UAMS computers. Downloading Internet software onto your computer may install spyware without your knowledge and cause your programs to run slower or not function properly. 90

91 Facility Physical Access Controls Physical Safeguards are security measures to protect any UAMS electronic information system hardware and related buildings and equipment. For example, exterior doors should be locked appropriately at all times or have measures in place to screen visitors as they enter. 91

92 Physical Security PCs, mobile devices, such as PDAs, Blackberrys, laptops, digital cameras, CDs and diskettes, or any other devices containing confidential information or ePHI must be secured and encrypted. It is a violation of UAMS policy to store PHI on unencrypted mobile devices and doing so will result in disciplinary action. All computers, remote and on-site, that contain ePHI must be protected with a secure log-on. Anti-virus software approved by the UAMS Information Security office must be installed on all computers that ever connect to the UAMS network. ePHI must be destroyed before hardware or media is disposed of or made available for re-use. Contact the UAMS IT Office for information. 92

93 Working from Home If UAMS allows you to perform some or all of your work in your home, you are responsible for maintaining the privacy and security of all confidential materials. This includes, but is not limited to: Patient Charts Computers Confidential Working Papers All UAMS confidential materials should be kept in a location that is not accessible to children, spouses, or other family members. UAMS materials should be put away when not being used.

94 Safeguarding PHI Using and Transporting PHI Confidential information, including PHI, is not to be removed from UAMS without prior approval. You are responsible for maintaining the privacy and security of all confidential information that you may be transporting, storing or accessing off-site. 94

95 Technical Safeguards Technical Safeguards include the use of computer technology solutions to protect electronic PHI and track activity in information systems. When PHI is sent from one point to another electronically, it must be secured to avoid theft, damage, or destruction of the information. 95

96 Access Controls for Confidential Information ePHI Transmissions All transmissions of ePHI and confidential information from UAMS to an outside network must utilize an encryption mechanism between the sending and receiving entities. Encryption makes the information unreadable by anyone who doesn't have the key. 96

97 97 Security Reminders Policy UAMS provides all users with information, reminders, and updates on topics including: UAMS information security policies Significant UAMS information security controls and processes Significant risks to UAMS information systems and data Security best practices (e.g. how to choose a good password, how to report a security incident) Reminders are often sent via e-mail; be alert to reminders and follow directions accordingly

98 Highlights - UAMS Policy Remember that UAMS resources are for official UAMS business only. Some guidelines you should follow when e-mailing PHI and confidential information include: When possible, only e-mail patient information within the UAMS Intranet, as intranet communications are automatically encrypted. Limit the information provided to the minimum necessary. 98

99 Highlights - UAMS Policy Guidelines (Cont'd): Be careful how you say things in e-mails and do not e-mail extremely sensitive information. Do not use e-mail as your only means to communicate information that needs immediate attention. Follow up with a phone call or page. Be cautious when forwarding any e-mails that may contain PHI or confidential information. Use the encryption feature of the UAMS e-mail system when sending outside the UAMS domain. 99

100 Encrypting UAMS Messages typing [secure] into the subject field of the message. This method will work for both Outlook and Web mail. 100

101 Domain login & e-mail When can I expect to get my domain login account and e-mail? 3 to 5 days after you turn in the Confidentiality Agreement at orientation. Both should be ready at the same time. Domain name is lastnamefirstnamemiddleinitial Initial password is P=your social security number & must be changed at first login. It must be changed from a PC on the campus network and not through the Internet. What will my e-mail address be? 1st Initial 2nd Initial Last name. absmith@uams.edu 1st Initial Last name. pduncan@uams.edu 102

102 Other System Access Access to additional UAMS information systems is granted at the request of your supervisor after you complete any required training for that software. Examples may include our patient records systems, such as EPF, Sunrise, Centricity, and appointment and billing systems such as HBOC and SMS. Access to these systems will only be granted upon review and approval as needed for your job. 103

103 Having Computer Problems? Here's How To Help The Technical Support Center Work For You! UAMS Technical Support Center Information to Know Before You Call? Last Name, First name Domain login name Campus location w/room # Contact Phone # or Pager Problem description Application &/or Operating system name Ex: Word2003, echart, Windows 2000 or XP UAMS property Tag# & computer name UAMS Tech Support techsupport@uams.edu ACH Tech Source

104 Penalties for HIPAA Violations- Disciplinary Notice Policy & U.S. Government Sanctions Employee Sanctions: Violations by UAMS Workforce will result in disciplinary action, up to and including termination from employment with UAMS. Severe Civil/Criminal penalties: In addition, you can be subject to civil and criminal penalties imposed by the federal government up to $1,000,000 and 10 years in prison. 105

105 Reporting Policy All known or suspected violations of the privacy and security regulations must be reported. There will be no retaliation for good faith reporting. Reports can be made to: Reporting line at HIPAA Office Anyone in a position of responsibility- the person receiving the report should then contact the HIPAA Office. 106

106 Conclusion Confidentiality is a team sport, when we protect PHI, everyone wins! 107

107 Your HIPAA Team Luckily you are not alone with HIPAA! If you have a question, concern, or problem, contact your privacy officer, the HIPAA Office, or the HIPAA hotline 108

108 Your HIPAA Team Vera Chenault, UAMS HIPAA Campus Coordinator ( ) Anita Westbrook, Medical Center Privacy Officer ( ) Jennifer Sharp, Research Privacy Officer ( ) Tracy Petty, PRI Compliance Officer ( ) Scott Addison, AHEC Compliance Officer ( ) Steve Cochran, Security Officer ( ) Bill Dobbins, Informatics Manager & Auditor ( ) Jacque Osburn, HIPAA Compliance Manager ( ) Ashley Vestal, HR and Training Coordinator ( ) 109

109 Your HIPAA Team And don't forget 110

110 Be a HIPAA star! 1. Examples of Individually Identifiable Health Information that could be used to identify an individual include: A. Name, License number, photograph B. Birth date, address, account number C. County, finger print, phone number D. All of the above 111

111 Be a HIPAA star! 2. Which of the following can happen if research projects are not following compliance requirements: A. Research participants can be injured B. UAMS may not receive investigational drugs or devices to study C. All research can be halted D. All of the above 112

112 Be a HIPAA star! 3. The term Protected Health Information (PHI) includes: A. Oral information about a patient B. Written information about a patient C. Individually identifiable information about a patient D. All of the above 113

113 Be a HIPAA star! 4. I can share information about a patient if I know them personally. A. True B. False 114

114 Be a HIPAA star! 5. The term HIPAA means: A. Health Is Patient Access and Accountability B. Health Insurance Portability and Accountability Act C. Neither A or B 115

115 Be a HIPAA star! 6. Patients have the right to obtain a copy of their own records A. True B. False 116

116 117 Be a HIPAA star! 7. An example of safeguarding patients' PHI is: A. Sharing passwords with coworkers B. Avoiding discussing patient's information when others may hear you. C. Leaving computer screens unlocked at all times

117 Be a HIPAA star! 8. Logging onto the Network and allowing someone else to use the computer is against UAMS Policy. A. True B. False 118

118 Be a HIPAA star! 9. Which is the best way to protect sensitive data in your computer when you go out for lunch or home for the evening? A. Turn your monitor off B. Activate the screen saver C. Lock your computer D. Close all programs 119

119 Be a HIPAA star! 10. Identify examples of computer safety: A. Create alpha numeric passwords B. Locking computer screens while away C. Log off computer at the end of workday D. All of the above 120

120 Be a HIPAA star! 11. It is the responsibility of UAMS employees to report concerns about illegal or unethical behavior A. True B. False 121

121 Be a HIPAA star! 12. Employees who report compliance issues in good faith shall not be subject to harassment or retaliation. A. True B. False 122

122 Be a HIPAA star! 13. Which of the following is an example of a strong password? A. Steve B. My dog's name C. #G6cZ D. My last name spelled backwards E. *j0ke5lmn 123

123 Be a HIPAA star! 14. Breaches or suspected breaches of PHI must be reported to the HIPAA Office within what time frame? A. Immediately B. When my supervisor returns from vacation C. Within 24 hours 124

124 Be a HIPAA star! 15. Other than yourself, who else should know your password? A. Only your supervisor, major professor, or system administrator B. Coworker C. No one 125

125 Be a HIPAA star! 16. When a computer virus is detected, infected, or suspected it must be reported to the Information Security Office within what time frame? A. Immediately B. Never C. Within 24 hours 126


More information

Joint Base Lewis-McChord (JBLM), WA Network Enterprise Center (NEC) COMPUTER-USER AGREEMENT Change 1 (30 Jun 2008)

Joint Base Lewis-McChord (JBLM), WA Network Enterprise Center (NEC) COMPUTER-USER AGREEMENT Change 1 (30 Jun 2008) Joint Base Lewis-McChord (JBLM), WA Network Enterprise Center (NEC) COMPUTER-USER AGREEMENT Change 1 (30 Jun 2008) Your Information Management Officer (IMO), System Administrator (SA) or Information Assurance

More information

Your Role in Protecting Patient Privacy 2018

Your Role in Protecting Patient Privacy 2018 Your Role in Protecting Patient Privacy 2018 1 Training Focus This training will focus on what responsibilities you have in order to ensure that both you and our organization are in compliance with state

More information

I. PURPOSE DEFINITIONS. Page 1 of 5

I. PURPOSE DEFINITIONS. Page 1 of 5 Policy Title: Computer, E-mail and Mobile Computing Device Use Accreditation Reference: Effective Date: October 15, 2014 Review Date: Supercedes: Policy Number: 4.31 Pages: 1.5.9 Attachments: October 15,

More information

Failure to comply may result in WU being liable for civil and criminal penalties under the HIPAA regulations.

Failure to comply may result in WU being liable for civil and criminal penalties under the HIPAA regulations. HIPAA Privacy Procedure #1 Effective Date: April 14. 2003 Reviewed Date: February, 2011 Accountabilities for Compliance to HIPAA Privacy Revised Date: February, 2011 Rules Scope: Radiation Oncology ************************************************************************************************

More information

THE MONTEFIORE ACO CODE OF CONDUCT

THE MONTEFIORE ACO CODE OF CONDUCT THE MONTEFIORE ACO CODE OF CONDUCT 2017 Approved by the Board of Directors on March 10, 2017 Our Commitment to Compliance As a central part of its Compliance Program, the Bronx Accountable Healthcare Network

More information

New Employee Orientation HIPAA Privacy. Marcia Matthias, MJ, RHIA, CHPC Corporate Director, Health Information/Privacy Officer

New Employee Orientation HIPAA Privacy. Marcia Matthias, MJ, RHIA, CHPC Corporate Director, Health Information/Privacy Officer New Employee Orientation HIPAA Privacy Marcia Matthias, MJ, RHIA, CHPC Corporate Director, Health Information/Privacy Officer Definitions HIPAA Health Insurance Portability and Accountability Act PHI Protected

More information

Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders

Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders Training Statement: This training program is designed to educate you on WCEMS legal requirements to protect our patients rights and confidentiality,

More information

The HIPAA privacy rule and long-term care : a quick guide for researchers

The HIPAA privacy rule and long-term care : a quick guide for researchers Scripps Gerontology Center Scripps Gerontology Center Publications Miami University Year 2005 The HIPAA privacy rule and long-term care : a quick guide for researchers Jane Straker Patricia Faust Miami

More information

STANDARDS OF CONDUCT A MESSAGE FROM THE CHANCELLOR INTRODUCTION COMPLIANCE WITH THE LAW RESEARCH AND SCIENTIFIC INTEGRITY CONFLICTS OF INTEREST

STANDARDS OF CONDUCT A MESSAGE FROM THE CHANCELLOR INTRODUCTION COMPLIANCE WITH THE LAW RESEARCH AND SCIENTIFIC INTEGRITY CONFLICTS OF INTEREST STANDARDS OF CONDUCT A MESSAGE FROM THE CHANCELLOR Dear Faculty and Staff: At Vanderbilt University, patients, students, parents and society at-large have placed their faith and trust in the faculty and

More information

INLAND EMPIRE HEALTH PLAN CODE OF BUSINESS CONDUCT AND ETHICS. Our shared commitment to honesty, integrity, transparency and accountability

INLAND EMPIRE HEALTH PLAN CODE OF BUSINESS CONDUCT AND ETHICS. Our shared commitment to honesty, integrity, transparency and accountability INLAND EMPIRE HEALTH PLAN CODE OF BUSINESS CONDUCT AND ETHICS Our shared commitment to honesty, integrity, transparency and accountability UPDATED: February 2014 TABLE OF CONTENTS Topic Page A. The IEHP

More information

The Purpose of this Code of Conduct

The Purpose of this Code of Conduct The Purpose of this Code of Conduct This Code of Conduct provides a framework to guide us in meeting our obligations as employees and volunteers of HPC Healthcare, Inc., and its current and future affiliates,

More information

Clinical Compliance Program

Clinical Compliance Program Clinical Compliance Program The University at Buffalo School of Dental Medicine, Daniel Squire Diagnostic and Treatment Center (UBSDM) has always been and remains committed to conducting its business in

More information

PRIVACY BREACH MANAGEMENT POLICY

PRIVACY BREACH MANAGEMENT POLICY \(.kon Education Education PRIVACY BREACH MANAGEMENT POLICY Effective Date: September 1, 2016 GENERAL INFORMATION Under the Access to Information and Protection of Privacy Act (A TIPP Act) public bodies

More information

HIPAA Privacy Policies & Procedures Table of Contents

HIPAA Privacy Policies & Procedures Table of Contents HIPAA POCKET GUIDE HIPAA Privacy Policies & Procedures Table of Contents I. Clinical Policies A. Accounting of Disclosures..Pg 6 B. De-Identification of Information..Pg 7 C. Facility Directory...Pg 7

More information

Security Risk Analysis

Security Risk Analysis Security Risk Analysis Risk analysis and risk management may be performed by reviewing and answering the following questions and keeping this review (with date and signature) for evidence of this analysis.

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES Effective Date: 2013 Wisconsin Dental Association (800) 243-4675 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

St. Jude Children s Research Hospital. Code of Conduct

St. Jude Children s Research Hospital. Code of Conduct 1 St. Jude Children s Research Hospital Code of Conduct 2 Dear Colleague: As a global leader in the research and treatment of pediatric catastrophic diseases, St. Jude Children s Research Hospital has

More information

PATIENT INFORMATION. In Case of Emergency Notification

PATIENT INFORMATION. In Case of Emergency Notification PATIENT INFORMATION Patient Name Date Nickname DOB Age Sex Race/Ethnicity Language(s) spoken at home Person completing form Relation to Patient Patient Address City State Zip Phone # Other Phone Medical

More information

PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES

PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES Helping People Perform Their Best PRIVACY, RIGHTS AND RESPONSIBILITIES NOTICE PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES Request Additional Information or to Report a Problem If you have questions

More information

HIPAA 201: Student Self-Learning Module & Test

HIPAA 201: Student Self-Learning Module & Test HIPAA 201: Student Self-Learning Module & Test Information: This self-learning module meets the HIPAA 201 competency for Students. This requirement must be met once (it is not an annual requirement). Instructions:

More information

Parental Consent For Minors to Receive Services

Parental Consent For Minors to Receive Services Parental Consent For Minors to Receive Services Welcome to the University of San Diego s Wellness Area! We appreciate your coming our way, and look forward to working with you. The following provides important

More information

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand.

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand. MRN: FIN: FLORIDA HOSPITAL DELAND HIPAA NOTICE OF PRIVACY PRACTICES Effective Date: September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

More information

Code of Conduct. at Stamford Hospital

Code of Conduct. at Stamford Hospital Code of Conduct at Stamford Hospital As a Planetree hospital, we are committed to personalizing, humanizing and demystifying the healthcare experience for patients and their families. Our approach is holistic

More information