Establishing and Implementing a Process to Investigate and Resolve Privacy Breaches and Complaints


Presenters:
Barbara Seitz, RHIA, Privacy Officer/Director of HIM, South Peninsula Hospital, Homer, AK
Becky Buegel, RHIA, Privacy Officer/Director of HIM, Casa Grande Regional Medical Center, Casa Grande, AZ

OBJECTIVES
At the end of this presentation, participants should:
- Be able to identify at least three items that the Privacy Rule does and does not require when responding to complaints;
- Have an understanding of the Privacy Complaint Process at South Peninsula Hospital;
- Know what the acronym FMEA means;
- Understand the FMEA approach to identifying and preventing privacy breaches before they occur.

The Privacy Rule Requires Covered Entities to develop a process to receive complaints about:
- Policies & Procedures
- Compliance with Policies & Procedures
- Overall compliance with the Rule

An individual may file a complaint with a Covered Entity (CE) as well as with the HHS Secretary. The goal is to ensure accountability of CE policies and procedures and to ensure compliance with the Privacy Rule. HHS will allow the CE to respond to complaints in an appropriate and timely manner.

HHS Complaint (Continued)
If a complainant contacts HHS, the CE will be subject to the Secretary's Compliance Investigation. Once on site, investigators can investigate any aspect of the CE's HIPAA compliance.

When writing your policy and procedure, CEs should consider:
- Requirements for the internal complaint process, Section 164.518(d);
- How a complaint will trigger other issues under the Privacy Rule;
- How the internal process relates to complaints to the Secretary of HHS;
- What are the foreseeable areas of concern?

The Privacy Rule DOES NOT:
- Offer a description of a required process to address complaints;
- Require the CE to acknowledge receiving a complaint in writing;
- Define a complaint;
- Require a written complaint;
- Define a reasonable time in which to respond;
- Require the CE to notify patients of improper disclosure.

The Privacy Rule Requires CEs to:
- Develop a complaint process;
- Retain the complaint log for a period of 6 years;
- Appoint a contact person to receive complaints;
- Develop a standardized complaint form;
- Mitigate harm arising from noncompliance;
- Protect the complainant from retaliation;
- Include the process in the Notice of Privacy Practices;
- Develop and apply sanctions P&Ps.

Complaint Process for SPH
The HIPAA team determined who would investigate and respond to complaints based upon:
- Nature of complaint
- Focus
- Scope
The team investigated preemption of state privacy laws (45 CFR 160.202/203).

WHO should be responsible for processing HIPAA-related complaints?
- Privacy Officer?
- HIM professional?
- Risk Management?
- Security Officer?
- Compliance Officer?
- Legal counsel?
- Patient representative team?
Make sure you communicate who is chosen and have a backup person to take complaints!

Determine Level of Involvement
Level 1: An issue that you/the designated person can handle yourself and resolve in a short period of time.

Involvement (Continued)
Level 2: The issue involves the attention of other staff members, e.g. two employees discussing PHI with each other on campus. You/the designated person meet as a group with the involved staff, managers and an HR representative.

Involvement (Continued)
Level 3: A serious issue or security incident. Organize an incident response team to determine:
- harm to the patient
- patient relations
- legal implications
- law enforcement
Security and Privacy Officers should be trained on how to handle the media in situations like this!

Complaint Investigation should generate an audit trail:
- Complaint form;
- Periodic report on the status of the investigation;
- Disposition form: root cause analysis, identify privacy deficiencies, identify appropriate corrective actions to take;
- Final report for the complainant;
- Disposition form: final record for reporting.

WARNING, WARNING, WARNING
Standardized wording to claim privilege of non-discovery for civil liability should be written into your policies.

To Tell or Not to Tell...
- The HIPAA Privacy Rule does not require the CE to inform the patient of an improper disclosure of PHI.
- SPH philosophy: admitting a mistake shows good faith.
- The breach must be entered into the Accounting of Disclosures log regardless of whether you inform the patient.
- This helps comply with the requirement that you mitigate (lessen any harmful effects caused by the privacy violation).

Disclosure Accounting Log
- Required to document improper disclosures and violations of the Rule;
- Retain for a minimum of 6 years per federal or state retention requirement;
- Does not include incidental uses and disclosures (August 2002 modification), i.e. those that:
  - Cannot reasonably be prevented;
  - Are limited in nature;
  - Occur as a by-product of an otherwise permitted use or disclosure.

Complaint Form should include:
- Name of complainant;
- Date & time the complaint is filed;
- Date & location of the incident;
- Location;
- Persons involved;
- Nature of the breach.

Complaint Form (Continued)
- Harm, if observed;
- Statements by the suspect & witnesses;
- Who was notified;
- Remedial action taken, if any;
- Recommendations for corrective action.

Duty to Mitigate
Entities have a duty to mitigate any harmful effect of a use or disclosure of PHI that is known to the CE. This duty applies to a violation of the CE's P&Ps, not just a violation of the requirements of the regulatory subpart.

Retaliation
Regulations prohibit retaliation against an individual for filing a complaint with the HHS Secretary, as well as against any other person who files a complaint with the CE (i.e. staff and providers). Allowances exist for whistleblowers and crime victims who disclose PHI (see 164.502(j)):
- Made in good faith;
- Disclosure is made to a public health authority, health oversight agency, attorney, or health accreditation organization.
This provision applies to the Privacy Rule alone, not to all the HIPAA Administrative Simplification rules.

SANCTIONS
CMS requires CEs to develop and apply, when appropriate, sanctions against staff and providers who fail to comply with Privacy P&Ps or with the requirements of the Rule. Sanctions should be appropriate to the nature and scope of the violation, and can range from a verbal warning to termination.

Conclusion
The best practice for avoiding a complaint by an individual to the Secretary is to implement a responsive process and good documentation practices. The complaint process should help your organization do a better job of protecting patient privacy, not just comply with HIPAA regulations.

FMEA: Failure Mode Effect Analysis

What is FMEA?
According to the Veterans Administration National Center for Patient Safety, a Failure Mode Effect Analysis is a systematic method of identifying and preventing product and process problems before they occur.

FMEA is not a new process.
- Developed by the US Military in 1949;
- Used to identify the effect of system and equipment failures before they occur;
- Also used in the automotive and aerospace industries.

FMEAs:
- Are often used to analyze a bad experience or near-miss situations;
- Are most effective when used as a part of the design process and not after the process has failed.

Select a HIPAA-Related Process
Processing requests for PHI:
- Insurance underwriting
- Legal cases
- Patient's representative
- Case Management
- Concurrent Reviews
- Retrospective Reviews
- Research Protocols from Other Institutions or Organizations

Evaluate the Risk of Failure for the Process You've Selected
The risk of failure and its subsequent effect can be determined by three factors:
- Frequency;
- Severity;
- Detectability.

FMEA 7 Step Process
1. Choose a topic.
2. Assemble a team.
3. Describe the process in detail.
4. Identify potential failures.
5. Rate the risk: frequency, severity, detectability.
6. Calculate the Risk Priority Number (RPN).
7. Identify actions that can reduce or eliminate risk.

Choose a Topic
- Can be a previously identified problem.
- Could be something that in and of itself has been identified as a high-risk process.
- Remember to review existing policies and procedures.

Assemble a Team
- Involve people who perform the process every day; they are the experts, not the supervisors, managers, or directors.
- Have an impartial facilitator.
- Train the team in the FMEA process.

Describe the Process in Detail
- Flow-chart the process. Be as detailed as possible.
- Use flow-charting tools such as post-its, white boards, etc.
- Don't rush this step. Keep focused and put aside issues that may arise but have nothing to do with the task at hand.

Identify Potential Failure Modes
What are the various ways the process can fail to accomplish its intended purpose? In other words: identify hazards that are of such significance that they are reasonably likely to cause a privacy breach (insert any process/problem) if not effectively controlled.

Rate the Risk - Frequency
How often will there be an adverse outcome?
(1) Remote - Highly unlikely it will ever occur.
(2) Moderate - It could happen sometime.
(3) Occasional - Probably will occur.
(4) Frequent - Very likely to occur.

Rate the Risk - Severity
(1) Minor - Minimal effect on the organization; could be resolved internally.
(2) Moderate - Potential for complaint to OCR.
(3) Major - Potential for litigation/lawsuit.
(4) Catastrophic - Criminal/civil charges & fines.

Rate the Risk - Detectability
(1) Certain to Detect - Problem/breach always detected (9/10)
(2) Might Detect - Problem/breach likely to be detected (5/10)
(3) Probably Won't Detect - Problem/breach unlikely to be detected (2/10)
(4) Can't Detect - Not possible to detect (0/10)

Calculate the Risk Priority Number
Frequency x Severity x Detectability = RPN
Use the Risk Priority Number to rank and prioritize failure modes.

Identify Actions to Be Taken to Reduce or Eliminate Risk
- What changes can be made to the process?
- How can they be implemented?
- How soon can they be implemented?
- Follow up on changes to make certain they're effective.
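The scoring steps above, worked through in code as an added example (not part of the presentation): the three 1-4 rating scales from the slides, RPN as their product, and a ranking of failure modes for the slides' "processing requests for PHI" process. The sample failure modes, their ratings and the tie-break rule are assumptions of this example, not values from the deck.

```python
from dataclasses import dataclass

# Rating labels exactly as on the slides; index = rating - 1.
FREQUENCY = ("Remote", "Moderate", "Occasional", "Frequent")
SEVERITY = ("Minor", "Moderate", "Major", "Catastrophic")
DETECTABILITY = ("Certain to Detect", "Might Detect",
                 "Probably Won't Detect", "Can't Detect")
# Chance (out of 10) that a breach is detected, per the detectability slide.
DETECT_CHANCE = (9, 5, 2, 0)

@dataclass(frozen=True)
class FailureMode:
    step: str           # step of the flow-charted process
    failure: str        # how that step can fail
    frequency: int      # each rating is 1-4, as on the slides
    severity: int
    detectability: int  # 4 = cannot detect

    def __post_init__(self):
        for name in ("frequency", "severity", "detectability"):
            v = getattr(self, name)
            if not 1 <= v <= 4:
                raise ValueError(f"{name} must be 1-4, got {v}")

    @property
    def rpn(self) -> int:
        return self.frequency * self.severity * self.detectability

    def describe(self) -> str:
        return (f"RPN {self.rpn:2d} | {self.step}: {self.failure} "
                f"[{FREQUENCY[self.frequency-1]}/{SEVERITY[self.severity-1]}/"
                f"{DETECTABILITY[self.detectability-1]}]")

def rank_by_rpn(modes):
    """Highest RPN first. Tie-break (this example's choice, not from the
    slides): the mode least likely to be detected comes first."""
    return sorted(modes, key=lambda m: (-m.rpn, DETECT_CHANCE[m.detectability - 1]))

# Constructed sample failure modes for the slides' "processing requests
# for PHI" process; the ratings are illustrative, not from the deck.
SAMPLE_MODES = [
    FailureMode("Verify requester", "Authorization not validated", 2, 3, 3),
    FailureMode("Assemble records", "Another patient's records included", 2, 4, 2),
    FailureMode("Send records", "Records faxed to wrong number", 3, 3, 2),
    FailureMode("Log disclosure", "Release not entered in accounting log", 3, 2, 4),
]

if __name__ == "__main__":
    for m in rank_by_rpn(SAMPLE_MODES):
        print(m.describe())
```

Note that two modes share RPN 18 but differ in how likely they are to be caught; the ranking surfaces the less detectable one first so the team's corrective actions start where a breach would otherwise go unnoticed.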

Protect the Process
Cite each page as confidential with intended privilege. Treat the same as any PI/QA or risk management process.

Practice FMEA
See separate handout.

Barbara's Resources/References
- Health Information Compliance Insider (HIMSS), www.brownstone.com
- In Confidence (AHIMA), www.ahima.org
- The Medical Management Institute
- Strategic Management Systems, Inc.

Becky's Resources/References
- The Basics of Healthcare Failure Mode and Effect Analysis, VA National Center for Patient Safety.
- A Proactive Risk Strategy: Failure Mode Effect Analysis, Ann Abke, Director of Risk and Compliance, St. Joseph's Hospital and Medical Center, Phoenix, AZ.
- FMEA Selection Criteria and Opportunity Statement Worksheet, Catholic Healthcare West.
- Example of a Health Care Failure Mode and Effects Analysis for IV Patient Controlled Analgesia, Institute for Safe Medication Practices.

Contact Speakers
Barbara Seitz: bas@sph.com
Becky Buegel: rbuegel@cgrmc.org
Thanks for your time!

Closing photo slides (captions only): Denali / HIPAA The BIG One; Sitka Sound; Humpback whales; Mt. Edgecombe; Heat Wave; Winter fun Alaska style; Aurora; SPH CFO - Charlie; Dahl sheep; Awesome Sky; Lake Louise; Musk Ox; Field of Fire Weed; The Photographer.