HIPAA and HITECH: Privacy and Security of Protected Health Information


What is HIPAA?
Health Insurance Portability and Accountability Act of 1996. A federal law enacted to:
Protect the privacy of a patient's personal health information
Provide for the physical and electronic security of personal health information
Simplify billing and other transactions with standardized code sets and transactions
Specify new rights of patients to approve access to and use of their medical information

The Essential Element of HIPAA: Protected Health Information (PHI)
Protected Health Information (PHI) is:
A patient's personal health, billing or demographic information
Any information, including photographic images, that makes patient identification possible
In any format (oral, paper, picture or electronic)
Created or housed by a covered entity (hospital, physician, health insurance payer) or a business associate of a covered entity

PHI Identifiers
1. Name
2. Address
3. Relatives' names
4. Employer
5. Date of birth
6. Phone number
7. Fax number
8. Social Security number
9. Medical record number
10. Health plan beneficiary number
11. Email address
12. Account number(s)
13. Certificate/license number
14. Vehicle or device serial number
15. URL and IP numbers
16. Finger/voice prints
17. Photographic images
18. Any other number, character, or code that may be used to identify the individual
NOTE: The description (even minus explicit identifiers) of any situation or event that is highly unusual will also constitute PHI. The uniqueness of a situation or event can serve to identify individual patient(s).
NOTE: The Minimum Necessary concept should always be taken into strong consideration.

Minimum Necessary or Need to Know
All members of the workforce contribute to the care of the patient. That doesn't mean everyone needs to see health information about patients. You are permitted to view and disclose PHI that you obtain through your job only when your job requires it to be viewed or disclosed.

Notice of Privacy Practices (NPP)
Must be prominently displayed
Made available through the website
Provide a copy of the NPP to anyone who asks
Details patients' rights under the HIPAA Privacy Rule
Obtain acknowledgement of receipt of the NPP
Document good faith effort to obtain acknowledgement
Document reason for refusal if the patient or responsible individual will not sign

Uses & Disclosures of PHI which do not require patient authorization (TPO)
Treatment: Navicent Health may use and disclose PHI to deliver care. This may take place between any of the people assigned to care for an individual who is the subject of the PHI.
Payment: Navicent Health may use and disclose PHI for billing and collection of payment purposes for the delivery of care.
Operations: Navicent Health may use and disclose PHI as part of its daily business practices. This helps us improve our health care services and make sure we are following all related laws.

Social Media (e.g. Facebook, Twitter, LinkedIn)
Per the Navicent Health confidentiality agreement:
Do not discuss patient, financial, employee, or business information on social media
Navicent Health employees posting photos of patients on social media is not allowed (even if the patient says it is OK)
Posting descriptions of situations regarding a patient's treatment or Navicent Health business issues (even devoid of explicit identifiers) is not allowed
Navicent Health employees have been disciplined for Facebook-related infractions

Taking photos or videos of patients
Staff members are not allowed to take photos or videos of patients. Taking a video or photo of a patient is a HIPAA violation. The only exception to this is when authorized employees take photos or videos for medical research, marketing, or education. A written informed consent signed by the patient is required before these types of photos or videos are taken.

Steps you should take to protect patient privacy include:
Respect the patient's information the same way you would expect others to respect your personal health information.
Close treatment room doors or use privacy curtains.
Ensure that medical records are not left where others can see or gain access to them.
Make sure computer screens containing PHI are not visible to others not involved with the patient.
Do not place anything with a patient's name or identifier in the regular trash. It must be shredded. Shred-It bins are placed throughout the hospital and offices for safe and convenient disposal of patient information.

A Breach of PHI After HITECH: Notification to Patients
Federal law requires us to provide written notification to patients any time their PHI is used or disclosed in a manner not permitted by the HIPAA Privacy Rule. We are required to report all breaches of PHI to the U.S. Department of Health and Human Services (HHS):
Annually if <500 individuals are affected by a single breach event
Immediately if >500 individuals are affected by a single breach event:
Breach details get posted to the HHS "Wall of Shame" website
We must notify prominent local media and do a press release

What is a Breach?
Unauthorized acquisition, unauthorized access, unauthorized use, or unauthorized disclosure of unsecured PHI that compromises the security, privacy, or integrity of PHI.
Unsecured PHI = PHI not protected by approved encryption methods or by destruction (paper charts)

Reporting Suspected Breaches
You should immediately report all suspected PHI breaches to the Privacy Officer or the Compliance Officer. The Privacy Officer will conduct a full investigation. A determination will be made as to whether a breach occurred and notification is required. We only have 60 days to complete the process.

HIPAA Enforcement Actions May Directly Affect Employees
If you are found to be responsible for any type of HIPAA violation that a State Attorney General believes has threatened or in some way harmed an individual who is a resident of the Attorney General's state, you can be held responsible for your actions in a civil action. Recent criminal HIPAA cases should also serve as a wake-up call for healthcare workers involved in nefarious activity. "Employees should know that they are being monitored, and that they will get caught, that they likely will be fired... and could be prosecuted," says privacy attorney Kirk Nahra.

SECURE YOUR RECORDS!
HIPAA requires you to secure all electronic and paper documents and files containing PHI. Lock your filing cabinets, lock your office, create difficult passwords on all devices, and encrypt all files with PHI. You have a responsibility to your patients to protect their PHI. In 2014, an $800,000 fine was levied against Parkview Health Systems, Inc. They left 71 boxes with 5,000 to 8,000 patient records on a physician's porch. This was within 20 feet of the road, and right around the corner from a heavily trafficked public shopping mall. This is a bit of an extreme example, but the moral of the story is: secure those records!

HIPAA Prosecution for Malicious Harm and Personal Gain Andrea Smith and her husband were indicted for violations of the HIPAA administrative simplification act, as well as conspiracy to wrongfully use and disclose protected health information. According to the indictment, at the time of offense, Smith was a licensed practical nurse working in a medical clinic located in Jonesboro, Arkansas. She accessed the protected health information of a patient of the clinic, and then shared that information with her husband. Her husband then informed the patient that he was planning to use the information in an upcoming legal proceeding against the patient. Smith pled guilty to the charge of wrongfully disclosing protected health information for malicious harm or personal gain. In exchange, the government dismissed the conspiracy count against both of them, and also dismissed a remaining count against her husband. Smith faced a maximum penalty of ten years of imprisonment, a fine of no more than $250,000, or both, and a term of supervised release of no more than three years.

Another HIPAA Prosecution!
The U.S. Department of Justice announced the criminal indictment of Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas. The indictment, which was filed on March 26th in the U.S. district court in Tyler, Texas, charges Hippler with wrongful disclosure of individually identifiable health information, with the intent to sell, transfer and use for personal gain.

Help Us Protect Each Other
Do not share your system passwords.
Do not copy PHI or remove PHI from the facility without approval to do so for a permitted use or disclosure.
Secure your laptop and other mobile devices:
  Lock them in your office if you do not take them with you at the end of the day
  Do not leave them unattended in your vehicle
  Password protect your mobile device
Do not snoop in the records or other PHI of co-workers, family or friends.
Shred all paper PHI after you have finished using the information.
Do not post photos or comments about patients on social media for any reason.

Visitor Monitoring & Identification
All employees should question unescorted visitors or other persons who are in restricted areas without ID.
All workforce members (employees, students, contractors, volunteers) must wear their ID badge.

Portable Devices, Email and Texting Guidelines:
All Navicent Health laptops containing PHI must be encrypted. If you are unsure whether your laptop is encrypted, contact IT.
When sending emails containing PHI, type #secure# anywhere in the subject line of the email.
Encrypted devices should be used when accessing or storing PHI.
Personal email accounts (e.g. Hotmail, Gmail, Yahoo) should not be used when dealing with PHI.
PHI should not be transmitted via SMS (text messaging).
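As an added illustration of how the PHI identifier classes listed earlier and the email/SMS guidelines above could be enforced as a pre-send policy check (this is example code, not part of the training deck or any Navicent Health system): the regex patterns, the MRN format, the finding messages and the sample messages are all constructed assumptions; only the #secure# tag and the personal-webmail domains come from the slide.

```python
import re

# Personal webmail domains named on the slide; #secure# is the slide's subject tag.
PERSONAL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}
SECURE_TAG = "#secure#"

# Constructed heuristic patterns for four of the PHI identifier classes
# (SSN, medical record number, date of birth, phone). The MRN format is an
# assumption; a real deployment would use the organisation's own formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def find_phi(text):
    """Return the set of identifier classes whose pattern occurs in text."""
    return {name for name, pat in PHI_PATTERNS.items() if pat.search(text)}

def check_outgoing_email(sender, recipients, subject, body):
    """Return policy findings for one outgoing message (empty list = compliant)."""
    findings = []
    found = find_phi(subject + "\n" + body)
    if not found:
        return findings            # no PHI detected, nothing to enforce
    # Personal accounts must not be used when dealing with PHI (sender or recipient).
    for addr in [sender, *recipients]:
        if addr.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS:
            findings.append(f"personal email account used with PHI: {addr}")
    # PHI in the message requires the #secure# tag in the subject line.
    if SECURE_TAG not in subject.lower():
        findings.append(f"PHI ({', '.join(sorted(found))}) in message but subject lacks {SECURE_TAG}")
    return findings

def check_text_message(body):
    """SMS is never an approved channel for PHI."""
    found = find_phi(body)
    return [f"PHI ({', '.join(sorted(found))}) must not be transmitted via SMS"] if found else []

# Constructed sample messages with fictitious identifiers.
SAMPLES = [
    ("nurse@navicenthealth.org", ["billing@navicenthealth.org"],
     "#secure# lab results", "Patient MRN 00123456, DOB 01/02/1970, please bill."),
    ("nurse@navicenthealth.org", ["billing@navicenthealth.org"],
     "lab results", "Patient MRN 00123456, DOB 01/02/1970, please bill."),
    ("nurse@gmail.com", ["clinic@navicenthealth.org"],
     "#secure# follow up", "SSN 123-45-6789 for the referral"),
]

def run_samples():
    """Evaluate every sample message and return the list of findings per message."""
    return [check_outgoing_email(*msg) for msg in SAMPLES]

if __name__ == "__main__":
    for msg, result in zip(SAMPLES, run_samples()):
        print(msg[2], "->", result or "OK")
```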

Reporting known or suspected HIPAA violations
You should report HIPAA violations or suspected violations to the Privacy Officer or to the Compliance Officer. It is part of your job to report instances where you suspect policies are being broken. You may report anonymously, if you wish. You will not be retaliated against if you make a good faith report of a privacy violation, even if you were mistaken.
24/7 anonymous helpline: Compliance Helpline: 3-7736 or 1-888-380-9008 (anonymous and confidential)

Contact Info
Compliance Helpline: 633-7736 or 1-888-380-9008 (anonymous and confidential)
Roy Griffis, Jr., Interim Chief Compliance Officer/Privacy Officer. Phone: 478-633-6990. Email: griffisjr.roy@navicenthealth.org
Richard Jones, Senior IT Auditor. Phone: 478-633-2164. Email: jones.richard@navicenthealth.org
Wesley Hardy, Compliance Business Analyst. Phone: 478-633-1650. Email: hardy.wesley2@navicenthealth.org

HIPAA Training Attestation
I certify that I have completed the training session titled "HIPAA and HITECH: Privacy and Security of Protected Health Information Annual Training." I understand that I am obligated to follow compliance requirements that apply to my work, and to ask questions as needed to assure my understanding. I also understand that it is my obligation to report concerns about possible non-compliance, and that I may meet that obligation by discussing my concerns with my manager, another manager or supervisor, a member of the Audit Services and Corporate Compliance Leadership team, or by calling the Navicent Health Helpline at 888-380-9008.

Click the link below and complete the HIPAA Training Post-test: http://w3.mccg.org/iota/test-hipaa.asp
When the test is successfully completed (score 100%), you will be prompted to supply your name, API # or company name, and the last four digits of your Social Security Number.