What is HIPAA? Purpose. Health Insurance Portability and Accountability Act of 1996


Patient Privacy and HIPAA/HITECH

What is HIPAA?
- Health Insurance Portability and Accountability Act of 1996
- Privacy Rule implemented in 2003 (Title II, Administrative Simplification)
- It is a federal law; compliance is mandatory and penalties apply for failure to comply

Purpose
- Protect health insurance coverage and improve access to health care
- Improve the quality of health care in general
- Reduce health care fraud and abuse
- Set requirements for ensuring the privacy and security of protected health information (PHI)
- Reduce health care administrative costs (standard electronic transactions)

What is HITECH?
- Health Information Technology for Economic and Clinical Health Act
- Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
- It is a federal law

Purpose
- Makes major changes to the privacy and security rules
- Applies to covered entities and to business associates, which become directly liable
- Promotes nationwide adoption of electronic health records
- Increases penalties for privacy and security violations

Key HITECH changes
- Breach notification requirements
- Accounting of disclosures (AOD) for treatment, payment and health care operations made through an electronic health record (EHR)
- Business Associate Agreements
- Restrictions (right to restrict disclosures to a health plan for services the patient paid for out of pocket in full)
- Right to access
- Criminal provisions
- Penalties
- OCR privacy audits
- Copy charges for providing copies from an EHR
- HIPAA preemption applies to the new provisions
- Enforcement actions by state attorneys general (HIPAA still provides no private cause of action for individuals)
- Sharing of civil monetary penalties with harmed individuals (methodology to be set by HHS)

Civil penalties for non-compliance*

Violation category               Each violation        All such violations of an identical provision in a calendar year
Did not know                     $100 - $50,000        $1,500,000
Reasonable cause                 $1,000 - $50,000      $1,500,000
Willful neglect, corrected       $10,000 - $50,000     $1,500,000
Willful neglect, not corrected   $50,000               $1,500,000

* Tiers as of 2/17/2009 (HITECH). The dollar amounts are adjusted for inflation each year, so current figures are higher.

Criminal penalties for non-compliance
Apply to health plans, providers, clearinghouses and business associates that knowingly and improperly obtain or disclose information, or obtain it under false pretenses; the penalties can apply to any person. Penalties are higher for actions designed to generate monetary gain:
- up to $50,000 and up to one year in prison for knowingly obtaining or disclosing protected health information
- up to $100,000 and up to five years in prison for obtaining protected health information under false pretenses
- up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm

Facility Privacy Official (FPO)
HIPAA requires each covered entity to designate a privacy official. At MCM the appointment is made by the CEO; Que Le, RHIT (972-547-8142) is MCM's FPO. The FPO is responsible for:
- the privacy program
- the privacy rights of patients
- requests for privacy restrictions
- facilitating training and education of staff
- compliance with the HIPAA Standards for Privacy
- ensuring appropriate safeguards are in place to protect patient privacy
- receiving complaints about matters of patient privacy

HIPAA terminology
- HIPAA: Health Insurance Portability and Accountability Act
- HITECH: Health Information Technology for Economic and Clinical Health Act
- PHI: Protected Health Information
- CE: Covered Entity (the hospital)
- ACE: Affiliated Covered Entity (facilities under common ownership)
- OHCA: Organized Health Care Arrangement (the hospital and its medical staff are considered an OHCA)
- DRS: Designated Record Set (medical record and billing record)
- AOD: Accounting of Disclosures (a patient right)
- Directory: the hospital census list of patient names and room numbers used by volunteers and operators

How will HIPAA and HITECH affect you?
- Patient information may be accessed only when there is a need to know, i.e. the information is required for the treatment of a patient, to carry out health care operations or for payment purposes.
- Only the minimum necessary amount of information may be used.
- Reasonable safeguards must be in place to protect patient privacy.
- A patient authorization must be obtained before information is released for purposes such as health fairs, clergy visits, and services that vendors provide on behalf of the patient.

What is protected by HIPAA (PHI)?
PHI is individually identifiable health information. The following identifiers make health information identifiable (and must be removed to de-identify it):
- Name
- Address, including street, city, county, ZIP code and equivalent geocodes
- Names of relatives
- Names of employers
- Birth date
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Web Universal Resource Locator (URL)
- Internet Protocol (IP) address
- Finger or voice prints
- Photographic images
- Any other unique identifying number, characteristic or code

Each employee signs a Confidentiality and Security Agreement, which states that information is not to be shared, even after leaving HCA.
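The identifier list above is exactly what a de-identification or data-loss-prevention check has to look for before a note, log line or export leaves a controlled system. The following is an added example, not material from the MCM deck: a small Python scanner that flags the identifier classes that have a recognizable format (SSN, phone/fax numbers, e-mail addresses, IP addresses, URLs, dates, ZIP codes) and redacts them. The MRN, account-number and health-plan-ID formats, and the sample note it runs over, are constructed for this example; names, street addresses, photographs and biometrics have no fixed format and are deliberately out of scope for a regex scan.

```python
import re
from typing import List, Tuple

# Added example, not part of the training deck. Each pattern is a heuristic for
# one identifier class from the slide. The MRN, account and health plan patterns
# use ASSUMED formats for illustration; replace them with the formats your
# registration and billing systems actually emit.
IDENTIFIER_PATTERNS = [
    # URL and e-mail first so the digit-based patterns below cannot chop them up
    ("url",       re.compile(r"\bhttps?://\S+")),
    ("email",     re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ssn",       re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone_fax", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("ipv4",      re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date",      re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("zip",       re.compile(r"\b\d{5}(?:-\d{4})?\b")),
    ("mrn",       re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)),   # assumed format
    ("account",   re.compile(r"\bAcct[:#\s]*\d{6,12}\b", re.IGNORECASE)),  # assumed format
    ("plan_id",   re.compile(r"\b[A-Z]{3}\d{9}\b")),                       # assumed format
]


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched_text) for every identifier-like token in text."""
    hits = []
    for category, pattern in IDENTIFIER_PATTERNS:
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def categories_found(text: str) -> set:
    """Distinct identifier categories present in text."""
    return {category for category, _ in find_identifiers(text)}


def redact(text: str) -> str:
    """Replace each identifier-like token with a [CATEGORY] placeholder.

    Patterns run in list order on the progressively redacted text, so a URL is
    removed before the date/ZIP patterns could match digits inside it.
    """
    for category, pattern in IDENTIFIER_PATTERNS:
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed sample clinical note; not real patient data.
SAMPLE_NOTE = (
    "Pt Jane Doe, DOB 03/14/1962, MRN 00123456, SSN 123-45-6789. "
    "Home 2514 Elm St, Cedar Park TX 78613. Cell (512) 555-0142, "
    "email jane.doe@example.com. Plan ID ABC123456789, Acct 000987654321. "
    "Portal login from 10.20.30.40 via https://portal.example.org/visit/8812 on 2024-03-15."
)

if __name__ == "__main__":
    for category, token in find_identifiers(SAMPLE_NOTE):
        print(f"{category:10s} {token}")
    print()
    print(redact(SAMPLE_NOTE))
```

Run against the sample note, the scanner reports eleven tokens across ten categories and the redacted text keeps the clinical content but none of the identifiers. What survives the redaction is the lesson: the patient's name and street number remain, because the last items on the slide's list (names, addresses, photographs, biometrics) cannot be found by format alone and need either structured-field handling at the source or a reviewer.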

Notice of Privacy Practices
- Must be given to each patient who has face-to-face contact with hospital staff (e.g., inpatients, outpatients, health fair attendees)
- The patient's receipt of the Notice must be acknowledged in writing
- Must be posted on the website and in each registration area of the facility

Confidential communications
- Patients can request that we use an alternate address or phone number
- If the patient does not respond at the alternate contact, we may revert to the permanent address or phone number

Affiliated Covered Entity (ACE)
- Facilities in a shared clinical market (CPCS) that are under common ownership
- Members of the ACE must be documented
- All documentation is maintained for 6 years
- Allows information to be shared between member facilities in certain situations

Organized Health Care Arrangement (OHCA)
- Defined as a clinically integrated care setting in which individuals typically receive health care from more than one health care provider
- Describes the relationship between the facility and the physician treating the same patient
- Allows information to flow between the covered entities for treatment, payment and health care operations without patient authorization

Patient privacy complaints
- A complaint log must be maintained in accordance with the complaint process
- Complaints must be investigated and documented, with corrective action where applicable
- Responses must never be accompanied by retaliatory action by the hospital
- Disposition of a complaint must be consistent with the facility's Sanctions for Privacy Violations

Right to request privacy restrictions
- Requests for restrictions must be made in writing to the Facility Privacy Official (FPO)
- No other facility employee may process such a request unless specifically authorized by the FPO
- Requests may be denied. Example: "I don't want my information shared with anyone outside the hospital." This cannot be honored because information is required for state reporting and accreditation purposes (e.g., TJC).

Accounting of Disclosures
- Must provide documentation of certain disclosures from the designated record set for up to 6 years prior to the request
- Examples: medical and billing records; all required state reporting; births and deaths; tumor registry reporting; suspected domestic/child abuse reporting
- Very complex to implement
- Due to HITECH, additional requirements are forthcoming

Patient rights
- Each patient is given a Notice of Privacy Practices and signs an acknowledgement of receipt

Right to access
- A patient has the right to inspect or obtain copies of their medical and billing records
- Any patient can access their medical records by going to HIM, showing ID, and filling out an authorization form
- The facility will provide a readable hard copy of the portions of the record requested
- Patients can access any health information in our designated record set (DRS)
- Patients who are still in-house have a right to access their information. We encourage them to wait until discharge so the chart is complete. If they insist, call HIM so that the request can be tracked appropriately and all the required information is completed on the authorization.
- If the patient wants to review the chart without taking copies, the review must be supervised.

Right to access, continued
- Requests may be denied under certain circumstances (e.g., where access is likely to endanger the patient or others)
- The facility must respond to a request for access within 30 days, or send the patient a letter stating the reason for the delay and when access or a denial can be expected

Right to amend
- The patient may request an amendment of information in the Designated Record Set (DRS)
- The request must be in writing; an amendment adds to the record and does not change or delete existing documentation
- The amendment may be denied by letter from the FPO

Other patient rights
- Right to opt out of the directory
- Right to an Accounting of Disclosures
- Right to request a privacy restriction on their PHI: never agree to this yourself; direct the patient to the FPO
- Right to confidential communications

Patient directory
The directory kept by the PBX operators and the information desk contains:
- Patient name
- Room number / location
- General condition
The diagnosis or procedure is never disclosed. Patients registered as confidential are not listed. Patients may opt out of the directory; when they do, they are not listed and we do not acknowledge that they are here when asked.

How do I protect PHI?
- Authorizations are needed from patients to release information. Exception: information may be released without an authorization for Treatment, Payment and health care Operations (TPO).
- A cover sheet with the confidentiality statement must be used on all faxes, even when faxing within the hospital.
- Patients need to identify with whom their information may be discussed, including family members.
- Refrain from discussing work specifics through electronic channels.
- Patient information is accessed only when there is a need to know, never out of curiosity.
- Only the amount of information necessary is accessed.
- Computer screens must be positioned out of public view.
- Charts must not be left where visitors can read the patient's name or any documentation.
- All PHI is placed in a shred container when discarded, never in the trash.
- Conversations about patients take place in private.

Electronic communication
Remember that electronic communications are often not secure, and information can be viewed or accessed by others who have no need to know. This applies to Facebook, Twitter, e-mail and texting.

Appropriate release or breach of confidentiality?

Scenario                                                                       Classification
PHI is discussed in a public place or with inappropriate individuals           Inappropriate
A physician views information for his or her own patient                       Appropriate
Case Management shares information with a nursing home for patient placement   Appropriate (continuing care of the patient)
PHI is placed in the trash                                                     Inappropriate
TJC reviewers access a chart                                                   Appropriate
A copy of electronic patient information is left exposed and unattended        Inappropriate
Viewing a neighbor's medical record "because they won't mind"                  Inappropriate
Viewing your own medical record through the clinical system                    Inappropriate (use the HIM request process)
Quality of care reviews                                                        Appropriate
A physician views the record of a spouse who was recently hospitalized         Inappropriate
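The scenario table above is, in effect, a rule set: treatment access is appropriate only where a treatment relationship exists, operations access only for roles such as case management, quality review or TJC survey, and looking up your own, a neighbor's or a spouse's record is never appropriate. The following is an added example, not part of the MCM deck, that applies those rules to EHR access-log lines so that the "need to know" check from the earlier slide can be run as a detection rather than left to memory. The log format, role names, reason codes, care-team assignments, employee-patient mapping and user names are all constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set

# Added example, not part of the training deck. A need-to-know review of EHR
# access logs: every row must be explained by a treatment relationship or by a
# role whose job function permits the stated purpose. All data below is
# constructed, and the CSV layout / reason codes are ASSUMED for illustration.

# Who is on each patient's care team (treatment relationship), keyed by MRN.
CARE_TEAM: Dict[str, Set[str]] = {
    "00123456": {"dr.patel", "rn.garcia"},
    "00234567": {"dr.chen", "rn.garcia"},
    "00345678": {"dr.patel"},
}

# Employees who are also patients here: their own MRN. The deck's rule is that
# staff use the HIM request process, not the clinical system, for their own chart.
EMPLOYEE_MRN: Dict[str, str] = {"rn.garcia": "00345678"}

# Purposes each role may legitimately record, mirroring the deck's "Appropriate"
# scenarios (case management placement, quality review, TJC survey, billing).
PERMITTED_PURPOSES: Dict[str, Set[str]] = {
    "physician": {"treatment"},
    "nurse":     {"treatment"},
    "case_mgmt": {"operations"},
    "quality":   {"operations"},
    "surveyor":  {"operations"},
    "billing":   {"payment"},
}


@dataclass
class Finding:
    line: int     # 1-based line number in the log (header is line 1)
    user: str
    mrn: str
    issue: str


def audit(log_text: str) -> List[Finding]:
    """Flag log rows that the need-to-know rules cannot justify."""
    findings: List[Finding] = []
    reader = csv.DictReader(io.StringIO(log_text))
    for line_no, row in enumerate(reader, start=2):
        user, role, mrn, purpose = row["user"], row["role"], row["mrn"], row["purpose"]
        # Self-access through the clinical system is always reviewable.
        if EMPLOYEE_MRN.get(user) == mrn:
            findings.append(Finding(line_no, user, mrn,
                                    "self-access via clinical system; use HIM request process"))
            continue
        # Unknown roles get an empty permitted set and are therefore flagged.
        if purpose not in PERMITTED_PURPOSES.get(role, set()):
            findings.append(Finding(line_no, user, mrn,
                                    f"purpose '{purpose}' not permitted for role '{role}'"))
            continue
        # Treatment access needs an actual treatment relationship (care team),
        # which is what separates "own patient" from "neighbor" or "spouse".
        if purpose == "treatment" and user not in CARE_TEAM.get(mrn, set()):
            findings.append(Finding(line_no, user, mrn,
                                    "treatment access without care-team relationship"))
    return findings


# Constructed access-log lines; not real data.
SAMPLE_LOG = "\n".join([
    "timestamp,user,role,mrn,purpose",
    "2024-03-15T08:02:11,dr.patel,physician,00123456,treatment",
    "2024-03-15T08:10:45,rn.garcia,nurse,00234567,treatment",
    "2024-03-15T09:15:02,cm.lopez,case_mgmt,00123456,operations",
    "2024-03-15T12:30:19,dr.chen,physician,00345678,treatment",
    "2024-03-15T13:05:40,rn.garcia,nurse,00345678,treatment",
    "2024-03-15T14:22:07,qa.kim,quality,00234567,operations",
    "2024-03-15T15:48:33,qa.kim,quality,00123456,treatment",
    "2024-03-15T16:01:55,tjc.reviewer,surveyor,00123456,operations",
]) + "\n"

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line}: {f.user} -> MRN {f.mrn}: {f.issue}")
```

On the sample log the audit flags three rows: dr.chen opening a chart for a patient not on his care team (the "spouse" scenario), rn.garcia opening her own record from the clinical system, and a quality reviewer recording a treatment purpose her role cannot justify. The case-management, quality-review and TJC-survey rows pass, as the deck's table says they should. In practice the care-team and role data come from the EHR and the HR directory, and the findings feed the FPO investigation described later in the deck rather than being acted on automatically.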

Breach notification
HITECH requires the following notifications when a breach (as defined in the regulations) occurs:
- To the affected patients
- To the Department of Health and Human Services
- To the media, when the breach involves more than 500 individuals in the same state or jurisdiction

Ensuring security compliance
- Ensure users log off terminals when not in use
- PCs should have locking screen savers wherever possible
- Computer screens should be positioned so PHI is not readable by the public or other unauthorized viewers
- Printers should be placed in protected locations so that printed output is not accessible or viewable by unauthorized persons
- PHI must be disposed of properly

Examples of exposure
- Sharing of passwords
- Inappropriate control or use of patient lists containing PHI
- Lack of knowledge regarding permitted uses of patient information
- Using business agents without contracts and the required Business Associate Agreements
- Discussing patient information on social networking sites (e.g., Facebook, Twitter)

Examples of exposure, continued
- Sharing PHI without an authorization when one is required
- Failure to act proactively to prevent, detect or correct privacy or security breaches
- PHI in the trash can
- Discussing PHI with someone who does not have a need to know

What happens when there is a violation?
- The FPO must be notified
- The FPO investigates and classifies the violation as reportable or non-reportable
- If non-reportable, education and/or discipline is carried out and the violation is tracked within the facility
- If reportable, the violation is reported to corporate and to HHS; a committee determines whether the violation must also be reported to the patient and/or the public

Sanctions
Three levels of violation require disciplinary action:
1. Accidental, and/or due to lack of proper education
2. Purposeful violation of privacy policy, or an unacceptable number of previous violations
3. Purposeful violation of privacy policy with associated potential for patient harm

Final notes
- MCM has a sanctions policy in place for violations.
- Refer any privacy complaints or questions to Que Le, RHIT, FPO.
- Now complete your post-test and return it to the student coordinator at MCM.