New Employee Orientation HIPAA Privacy. Marcia Matthias, MJ, RHIA, CHPC Corporate Director, Health Information/Privacy Officer

Definitions
- HIPAA: Health Insurance Portability and Accountability Act
- PHI: Protected Health Information
- HHS: Department of Health and Human Services
- OCR: Office for Civil Rights; enforces the HIPAA Privacy and Security rules.

What is identifiable protected health information (PHI) under HIPAA? It includes:
- Name
- Address
- Employer
- Relatives' names
- Birth date
- Phone/fax numbers
- Email address
- Social Security #
- Medical Record #
- Member/Acct #
- Certificate #
- Voiceprints
- Fingerprints
- Photos
- Codes
- Any other characteristic, such as occupation, that can be used to identify an individual.

Forms of Information
- Paper
- Verbal
- Electronic
It is the responsibility of every employee to protect the privacy and security of PHI in ALL forms.

Goals of the Privacy Rule
- Provide strong federal protections for privacy rights
- Ensure patients TRUST the privacy and security of their health information
- Preserve QUALITY health care: encourages frank communication with healthcare providers
- Make sure that the right information is flowing to the right people at the right time.

Breaches
A breach occurs when information that, by law, must be protected is:
- Lost, stolen, or improperly disposed of
- Hacked into by people or computer programs
- Communicated or sent to others who do not have an official need to receive the information

The U.S. Attorney for the Southern District of Illinois announced today that Susan L. Harris, 28, of Marissa, Illinois, and Ashley C. Drummond, 25, of East St. Louis, Illinois, were sentenced for aggravated identity theft and conspiracy to commit mail fraud in the U.S. District Court for the Southern District of Illinois, East St. Louis Division. Harris was convicted following a 2-day jury trial in December 2012. Today, the U.S. District Court sentenced Harris to 4 years in prison, to be followed by 3 years of supervised release. Harris was ordered to pay $7,648.97 in restitution and a $200 special assessment. Drummond, who pleaded guilty in November 2012, was previously sentenced to 2 years in prison, to be followed by a 3-year term of supervised release. Drummond also was ordered to pay $8,675.27 in restitution to various victims and a $200 special assessment.

Evidence presented at the trial of Susan Harris showed that Harris conspired with Ashley Drummond to steal personal identifying information of patients of a Southern Illinois hospital. The two women targeted elderly patients, particularly patients who came in to the hospital from nursing homes and assisted living facilities. Drummond and Harris used the stolen personal information to apply for new credit card accounts in the victims' names. Drummond was a radiology technician, and it was her job to transport patients to and from the radiology department as needed. While transporting the patients, Drummond would steal victims' personal information from their charts. Harris was later caught on camera at a retail store using one of the credit cards obtained with the personal information of a 90-year-old woman who lives in an assisted living center and had been a patient at the hospital where Drummond worked. The case was investigated by the Southern District of Illinois Identity Theft Task Force, the U.S. Postal Inspection Service, the Internal Revenue Service Criminal Investigation Division, the Social Security Administration Office of the Inspector General, the Maryville Police Department, the Glen Carbon Police Department, and the Collinsville Police Department.

Other recent nationwide reports of breaches
- A Nevada man pleaded guilty to violating HIPAA by using patient records to generate referrals for personal injury attorneys.
- Medical files were found at a recycling center in Tenn. They contained graphic photos and SS# from potentially 2 medical facilities.
- An unencrypted, password-protected desktop computer was stolen from administrative offices at Sutter Health in Sacramento, CA. The computer contained information on about 4 million patients.
- New York Presbyterian Hospital & Columbia University agreed to pay a $4.8 million fine after the health records of more than 6,000 people were mistakenly released on the Internet.
- 4 employees were fired from University Medical Center in Tucson after 1 employee took a picture of a patient with a cell phone camera.
- Natasha Orr, 36, of Miami was sentenced to 24 months in prison plus 12 months of home confinement followed by 3 years of supervised release for stealing patient information from the Holy Cross ER during her employment. She used the information to obtain bank account info & obtain debit cards in the patient's name.

Noteworthy facts
- Data breaches are occurring in health care at nearly 3 times the rate as in banking and finance.
- A thief downloading and stealing data can get $50 on the street for a medical identification number, compared to just $1 for a Social Security number.
- Victims can suffer monetary loss, possible inability to obtain or retain insurance, and corruption of their medical history.

Breaches involving 500 or more individuals reported to OCR (as of 3/2014). Breached patient information was due to:
- Theft: 47%
- Unauthorized Access: 18%
- Loss: 11%
- Other: 10%
- Hacking: 8%
- Improper Disposal: 4%
- Unknown: 2%

Breaches involving 500 or more individuals that have been reported to OCR. Breached patient information was located on:
- Laptop: 23%
- Paper: 23%
- Desktop Computer: 15%
- Portable Electronic Device: 14%
- Network Server: 11%
- Other: 10%
- EMR: 2%
- E-mail: 2%

Illinois Wall of Shame

Breaching Patient Privacy Requires Notification of the Patient
Breach definition: The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. Applies to paper, electronic or verbal breaches.
The healthcare facility MUST:
- Notify the individual (patient) within 60 days (of knowledge of the breach) that their PHI has been or may have been accessed, acquired or disclosed as a result of a breach. Notification must include:
  o Description of what happened
  o Type of information disclosed
  o Steps the patient should take to protect themselves from potential harm
  o Steps SIH is taking to investigate the breach, alleviate any potential harm, and protect against further breaches.
- Report breaches annually to the Department of Health & Human Services.

Example of Breach Notification Letter SIH/SIMS sends to a patient

Dear Patient:

On (date), (SIH/SIMS) became aware of a breach of your personal health information. The breach of your information occurred on or around (date) when you were at the ________ Department. We are notifying you so you can take personal action along with our organization's efforts to reduce or eliminate potential harm.

The incident involved your protected health information, specifically your name and ________ being disclosed to ________. I recommend that you increase your awareness of any type of communication regarding your personal health information. If you suspect anything unusual, please contact the ________. Contact the Consumer Protection Agency in Illinois: (800) 243-0607; http://www.illinoisattorneygeneral.gov/consumers; 1001 East Main Street, Carbondale, IL 62901.

Southern Illinois Healthcare sincerely apologizes for the inconvenience and concern this incident causes you. The privacy of your personal information is very important to us and we will continue to do everything we can to fortify our operational protections for you and others. As a result of this breach, SIH took the following actions: ________

Under the Health Insurance Portability and Accountability Act (HIPAA) you also have the right to file a written complaint with the Director, Office of Civil Rights of the U.S. Department of Health and Human Services at the following address: Office of Civil Rights, U.S. Department of Health and Human Services, 233 N Michigan Ave., Suite 240, Chicago, IL 60601. Your complaint must describe Southern Illinois Healthcare's acts that you believe to be in violation of applicable law. A complaint to the Director of Health and Human Services may be submitted either by mail or electronic transmission within 180 days of this date. We will not retaliate against you if you file a complaint with the Director of Health and Human Services.

If a breach involves the PHI of 500 patients or more, then SIH will be required to notify local media and the Department of Health and Human Services.

Information is accessible for authorized use and to authorized users only:
- When requested by the individual (patient), with proper identification
- For treatment of the individual (example: practitioner caring for the patient)
- For payment purposes (example: sending billing information to the patient's insurance company), and
- Certain healthcare operations (example: TJC survey, quality improvement, peer review)

Patients' Privacy Rights Under HIPAA
1. To view and keep a copy of our Notice of Privacy Practices (the document a patient receives that explains how SIH uses their PHI and their rights regarding their PHI).
2. To view and copy their own protected health information (PHI) found in their medical/billing records.
3. To request an amendment to documentation in their medical/billing record they think is inaccurate or incomplete. (Example: the medical record documents that the patient has no allergies. The patient requests that their medical record be amended to reflect an allergy to penicillin.)
4. To request confidential communication.
5. To ask for restrictions on how SIH uses and discloses their PHI for treatment, payment and healthcare operations (TPO).
6. To receive an Accounting of Disclosures: a document that identifies disclosures of their PHI made to agencies, work comp, law enforcement, registries, when patient authorization is not required, and/or accidentally (example: medical records faxed to the wrong place).
7. To complain to SIH or to the U.S. Department of Health & Human Services about privacy violations.
8. To opt out of the patient directory (do not want their name on the hospital's published list; do not want the public to know of the hospitalization).

Definitions
Sensitive Information = Information in any form, including but not limited to paper, electronic, or oral, which if improperly disclosed could cause damage to the reputation, privacy, image and/or financial viability of the patient, medical staff, employees, board of trustees and/or Southern Illinois HealthCare. Sensitive information includes, but is not limited to:
- All individually identifiable health information
- Anything marked or stated as confidential
- Employee information
- Financial information
- Guarded operational information
- Marketing and general business strategies
- Patient billing information
- Physician information
- Proprietary products and product development

Ask yourself...
Are you an authorized user of Sensitive Information and PHI? Do I need this information to do my job?
Two rules of thumb:
- Rule 1: Is using or disclosing this information in the best interest of the patient? Yes = Do it and document. No = Don't do it.
- Rule 2: Do I need to access/know this information (whether paper or electronic) to perform my job function? Yes = Go ahead and access the information. No = Don't even think about accessing the information.

What does protecting health information & sensitive information mean?
- Keeping this information private
- Making sure this information is only accessible to the appropriate workforce and/or providers
- Safeguarding this information from unauthorized users

How to keep PHI & Sensitive Information private: paper world
- Medical records/documents are placed in a secure location
- Documents containing identifiable information that can be discarded are shredded
- Use a fax cover sheet
- Timely removal of documents from the fax machine tray, printer tray or copier
- Documents do not leave SIH premises unless authorized to do so

How to keep PHI & Sensitive Information private: electronic world
- Monitors are turned away from public view
- Patient information is not left up on the computer screen
- User IDs and passwords are not shared
- PHI is not downloaded/copied to personal storage media such as a home computer, PDA, jump drive, etc.

How to keep PHI and Sensitive Information private: verbal world
NO PHI discussion in:
- Elevators
- Smoke areas
- Public or private dining areas
- Employee break areas
- Public places (restaurants, bars, etc.)
- Social networking sites (MySpace, Facebook, etc.)
- Hallways
- Home

Civil and Criminal Penalties for Breaches
Enforced by the Office for Civil Rights & Department of Justice. Each tier is capped at $1.5 million in a calendar year.
- Unknown violations: $100-$50,000
- Violations with reasonable cause: $1,000-$10,000
- Violations resulting from willful neglect: $10,000-$250,000
- Violations from willful neglect and not corrected: $50,000-$1.5 million

SIH Top 5 HIPAA/Sensitive Information Hot Spots
1. Wrongful disclosure due to a misdirected fax (example: a fax number entered incorrectly & sent to an unintended individual/business).
2. Patient complaints of breach of confidentiality involving an SIH employee wrongfully accessing or disclosing the health information of a family member, ex-family member or friend.
3. Patient requests for an amendment to their medical record because they disagree with documentation about them entered by a physician or clinician.
4. Employee access to their own or their family members' PHI stored in the Electronic Medical Record (Meditech, Chartmaxx, etc.).
5. Employees posting SIH job-related information on their social network site.*

Know what you've signed. Does this document look familiar? This agreement, signed by you, is in your employee file.

More about Social Media: SIH Policy
- Applies to use of social media at work and away from work when SIH affiliation is identified, known, or presumed.
- Used for approved business-related purposes.
- Workforce members are bound by SIH policies: Confidentiality of Sensitive Information, Internet Access & Usage, Harassment, HIPAA.
- Abide by SIH: Mission & Values, Compliance Program, Code of Ethics & Conduct Standards, Performance Standards, Guidelines for Using Social Media, Marketing Guidelines.
- Have a duty to report a violation of policy to your immediate supervisor.

RESPECT, PROTECT, SAFEGUARD
- RESPECT patients, customers, and one another
- PROTECT confidentiality, privacy & security
- SAFEGUARD: properly use SIH assets

Some Social Media Guidelines
- Do not announce company news.
- Do not cite or reference patients, partners or suppliers without approval or written authorization from the Marketing & Communications department.
- Only those officially designated by SIH have the authorization to speak publicly on behalf of the company.
- Take responsibility. You are personally responsible for your post. SIH has the right to review & take action if a violation of policy or law occurs, even in personal blogs, etc.
- Be professional. Statements made in private social media sites, chat rooms, and blogs must treat the company & its workforce members, customers, and competitors with respect. SIH's harassment policy applies to the use of social media during both working & non-working hours.
- Be mindful of the world's longer memory. Everything you say is likely to be indexed & stored forever.

Confidentiality Policy Disciplinary Criteria
Level 1. Failing to demonstrate appropriate care in handling sensitive information that results in accidental access, incidental access or inappropriate access due to lack of awareness or education.
  HIPAA examples: employee self-access to own PHI; leaving PHI unattended; being away from the work area while logged into an application containing PHI; inadvertently routing PHI to a wrong recipient; fax sent to the wrong person, business, etc.
Level 2. Disregard of organization or departmental policy related to the appropriate use and disclosure of sensitive information.
  HIPAA examples: employee access to a family member's PHI not needed for job-related duties; knowingly sharing a password with a coworker; discussing PHI in public areas, such as cafeterias, hallways, or elevators.
Level 3. Unauthorized access and/or disclosure of sensitive information.
  HIPAA examples: intentionally exhibiting or divulging (verbal or written) PHI to co-workers or other individuals who are not privy to the information; posting PHI on Internet sites, such as MySpace, Facebook, blogs (NOTE: POSTING OF ANY SENSITIVE INFORMATION ON MySpace, Facebook, OR BLOGS IS PROHIBITED).
Level 4. Purposeful disregard of organizational or departmental policies.
  HIPAA examples: seeking personal benefit or permitting others to benefit personally from PHI; accessing and/or disclosing PHI with malicious intent; repeated disregard of any of the above levels 1-3.

- Encrypt all email containing PHI addressed to non-SIH email addresses.
- Do not send email containing PHI to your personal email account.
- Do not text any type of PHI.
- Securely store laptops when unattended.
- Log off of the computer when walking away.
- Keep your password confidential.
- Turn computer monitors away from public eyesight.
- Faxing: double-check fax numbers; complete a fax cover sheet.
- Securely seal mailing envelopes and containers that contain patient health information.
- Before handing a patient medical record documents, make sure the patient's name matches the patient name on the documents.
- Refrain from taking pictures in patient care areas with your personal cell phone.
- Do not post information via social networking (Facebook, Twitter, etc.) that involves patient information you know about from being a workforce member at SIH.