FCSRMC 2017 HIPAA PRESENTATION

Similar documents
Chapter 9 Legal Aspects of Health Information Management

Health Information Privacy Policies and Procedures

HIPAA Education Program

A general review of HIPAA standards and privacy practices 2016

HIPAA PRIVACY TRAINING

CLINICIAN S GUIDE TO HIPAA PRIVACY

Patient Privacy Requirements Beyond HIPAA

2018 Employee HIPAA Orientation (EHO) Handbook

Advanced HIPAA Communications and University Relations

What is HIPAA? Purpose. Health Insurance Portability and Accountability Act of 1996

Information Privacy and Security

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

NOTICE OF PRIVACY PRACTICES

HIPAA Policies and Procedures Manual

MCCP Online Orientation

Emergency Medical Services Division Policies Procedures Protocols

Notice of Privacy Practices

HIPAA Privacy Training for Non-Clinical Workforce

PRIVACY POLICIES AND PROCEDURES

HIPAA Notice of Privacy Practices

Student Orientation: HIPAA Health Insurance Portability & Accountability Act

HIPAA Privacy Rights and Operations Guide HIPAA Security Summary For the Practice of: Vail Aspen Breckenridge Dermatology

Navigating HIPAA Regulations. Michelle C. Stickler, DEd Director, Research Subjects Protections

PATIENT INFORMATION Please Print

HIPAA THE PRIVACY RULE

HIPAA Privacy Rule. Best PHI Privacy Practices

CHI Mercy Health. Definitions

NOTICE OF PRIVACY PRACTICES Mid-Atlantic Women s Care, PLC Effective Date: September 23, 2013 Last Revised: February 15, 2018

HIPAA Privacy and Security Training for Researchers

Understanding the Privacy and Security Regulations

Notice of Privacy Practices

Valley Regional Medical Center HIPAA AND HITECH EDUCATION

VHA Privacy Policy Training FY VHA Privacy Office

Privacy and Security For Teammates

WHAT IS HIPAA? HIPAA is the ELECTRONIC transmission of Three programs have been enacted to date Privacy Rule April 2004

(PLEASE PRINT) Sex M F Age Birthdate Single Married Widowed Separated Divorced. Business Address Business Phone Cell Phone

SUMMARY OF NOTICE OF PRIVACY PRACTICES

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION: HIPAA PRIVACY POLICY

WRAPPING YOUR HEAD AROUND HIPAA PRIVACY REQUIREMENTS

PARAGOULD DOCTORS CLINIC PRIVACY NOTICE

Updated FY15 Dignity Health General Compliance Education for Staff Module 2

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand.

NOTICE OF HOSPICE EL PASO S PRIVACY PRACTICES

HIPAA Training

Privacy and Security Orientation for Visiting Observers. DUHS Compliance Office

HIPAA and HITECH: Privacy and Security of Protected Health Information

CAPITAL SURGEONS GROUP, PLLC

Compliance Program, Code of Conduct, and HIPAA

Accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations.

Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders

Catholic Charities Disabilities Services. In-Home Behavioral Support Services (2017)

HIPAA. Health Insurance Portability and Accountability Act. Presented by the UMMC Office of Integrity and Compliance

Notice of HIPAA Privacy Practices Updates

INFORMATION ABOUT Children s Mercy Hospitals and Clinics for our Affiliates

NOTICE OF PRIVACY PRACTICES MOUNT CARMEL HEALTH SYSTEM

Security Risk Analysis

Notice of Privacy Practices

NOTICE OF PRIVACY PRACTICES

WAKE FOREST BAPTIST HEALTH NOTICE OF PRIVACY PRACTICES

HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA?

GREATER HUDSON VALLEY HEALTH SYSTEM ORANGE REGIONAL MEDICAL CENTER CATSKILL REGIONAL MEDICAL CENTER Policy/Procedure

East Carolina University 2010 Annual HIPAA Privacy Training

NOTICE OF PRIVACY PRACTICES

Title: HIPAA PRIVACY ADMINISTRATIVE

MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES

ERIE COUNTY MEDICAL CENTER CORPORATION NOTICE OF PRIVACY PRACTICES. Effective Date : April 14, 2003 Revised: August 22, 2016

NOTICE OF PRIVACY PRACTICES

It defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow.

HH Health System-Shoals, LLC dba Helen Keller Hospital Notice of Privacy Practices

INFORMATION ABOUT CHILDREN S MERCY HOSPITALS AND CLINICS

Notice of. Privacy Practices. Dartmouth-Hitchcock Affiliated Covered Entity

Security Risk Analysis and 365 Days of Meaningful Use. Rodney Gauna & Val Tuerk, Object Health

The Privacy & Security of Protected Health Information

If you have any questions about this notice, please contact our privacy officer Dr. Jev Sikes at

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES Full Length Version Effective Date: 4/19/2016

OREGON HIPAA NOTICE FORM

WISHIN Statement on Privacy, Security, and HIPAA Compliance - for WISHIN Pulse

Study Management PP STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information

Healthcare Privacy Officer on Evaluating Breach Incidents A look at tools and processes for monitoring compliance and preserving your reputation

If you have any questions about this notice, please contact the SSHS Privacy Officer at:

The Queen s Medical Center HIPAA Training Packet for Researchers

The HIPAA privacy rule and long-term care : a quick guide for researchers

physicians, nurses, and technicians and other Facility personnel for review and learning purposes. We may also combine the medical information we

LifeBridge Health HIPAA Policy 4. Uses of Protected Health Information for Research

HIPAA & PRIVACY TRAINING FOR HEALTH PROFESSIONALS: Part 1 Denise M. Hill, JD, MPA

FAFSA Completion Initiative Participation Agreement

HIPAA for CNAs. This course has been awarded one (1.0) contact hour. This course expires on May 31, 2020.

INFORMED CONSENT FOR TREATMENT

Notice of Privacy Practices for Protected Health Information (PHI)

A Deep Dive into the Privacy Landscape

The University of Toledo. Corporate Compliance and HIPAA Training. Presented by: The Compliance and Privacy Office

Chapter 19 Section 3. Privacy And Security Of Protected Health Information (PHI)

Notice of Privacy Practices

S.E. Wisconsin Hearing Center Inc.

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

New Patient Information

REVISED NOTICE OF PRIVACY PRACTICES ORIGINAL DATE: JANUARY 1, 2003 REVISED: JANUARY 16, 2014 REVISED: NOVEMBER 27, 2017 PLEASE REVIEW IT CAREFULLY

HIPAA PRIVACY NOTICE

Transcription:

FCSRMC 2017 HIPAA PRESENTATION BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. Page 1

What is HIPAA? HIPAA stands for: Health Insurance Portability and Accountability Act (HIPAA) August 1996: Federal law enacted April 2001: Privacy Rule February 2010: HITECH Act March 2013: HIPAA Omnibus (Final) Rule Page 2

HIPAA s Privacy Rule: HIPAA Privacy Rule Addresses the use and disclosure of an individual s health information regardless of how it is communicated (electronically, verbally, or written). Establishes standards for an individual to understand and control how their health information is used. Assures that health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public s health and well being. Page 3

Covered Entity (CE) A Covered Entity includes a health plan or payor, a healthcare clearinghouse, and all healthcare providers who transmit any healthcare information in electronic form (including telephones, fax machines and computers). Examples: Physician Practices Dentists Hospitals Diagnostic Services (lab, radiology) Nursing Homes Pharmacies Home Health Agencies Health Plans Page 4

Covered Entity (CE) FCSRMC is considered a Covered Entity and it s member colleges act as the plan sponsor. A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA. This may include: hospital and medical benefit plans dental plans vision plans health flexible spending accounts employee assistance plans Page 5

Business Associate A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity. Examples include vendors, contractors and subcontractors such as: Billing Company Transcription Service Practice Management System Document Storage Company Collection Agency Attorney Accountant Consultant EMR/EHR System I.T. Vendor Business Associates are accountable for protecting the privacy/security of PHI and are directly liable for criminal and civil penalties for violations. Page 6

Protected Health Information (PHI) Protected Health Information (PHI) is: * individually identifiable health information that has been transmitted or maintained in any medium (paper, verbal, electronic). * created or received by the organization, relates to the health of an individual or payment for health services, and identifies the individual. Employee Name Medical Record Number Complete Address Certificate/License Number All Elements of Dates Vehicle Identifiers (License Plate Number) Telephone Numbers IP Address Fax Numbers Biometric Identifiers (voice and fingerprint) E-Mail Address Full Face Photographic Images Social Security Number Any Other Unique Identifying Number/ Code Health Plan Beneficiary Number Account Numbers Page 7

De-Identified Health Information De-identified health information refers to patient information that cannot be used to identify an individual. City, state, zip code of patient s address Patient s date of birth Patient s date of death Uses: Research (market analysis) Public Health purposes Quality Improvement activities Health care operations within a pharmacy or clinic practice Page 8

Privacy Notice A summary of the Privacy Notice that is brief and written in plain language will be provided to the employee. It will: State how PHI will be used and disclosed Include the individual s privacy rights, date, and their signature or signature of their representative Refer individual to review the organization's Notice of Privacy Practices The Privacy Notice should be provided by the Group s Health Plan TPA (Florida Blue) to the Group Health Plan participants (FCSRMC). Page 9

Consent and Authorization Covered Entities cannot share PHI without the individual's awareness of their privacy rights. To use and disclose PHI for purposes other than treatment, payment and health operation purposes, Covered Entities must obtain a standard consent or authorization with a few exceptions. Consent can be revoked by an employee/individual (patient) in writing. It is the policy of FCSRMC and it s member colleges that individuals have a right to request that no disclosure be made of PHI. FCSRMC or it s member colleges is not obligated to grant the request. Page 10

When Consent and Authorization is NOT Required Permitted PHI disclosures without an authorization: Treatment - Disclosures between Covered Entities (such as other healthcare providers) involved in the patient care, information to/from pharmacy or diagnostic center Payment Disclosure regarding balance to patient, all information needed by the health plan, information to collection agencies Health Operations Fraud/abuse detection, compliance programs, government inspections, training new employees, competency assessments, business management activities, quality improvement activities Public health activities Victims of abuse, neglect or domestic violence Law enforcement purposes To comply with Workers Compensation To avoid serious threat to health or safety Page 11

When Consent and Authorization IS Required An authorization is required for: o o o o Use and disclose PHI for purposes other than treatment, payment and health operation purposes Releasing psychotherapy notes Marketing, research, sale of PHI, and fundraising Releasing PHI to the patient s employer An authorization must include: Description of the information to be disclosed Names of persons to whom the information is to be given Purpose of the disclosure An expiration date for the use of the information Page 12

Court Orders and Subpoenas A covered health care provider or health plan may disclose PHI required by a court order, including the order of an administrative tribunal. However, the provider or plan may only disclose the information specifically described in the order. A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order. A covered provider or plan may disclose information to a party issuing a subpoena if the employee has signed a HIPAA authorization form specifically releasing the information or if they receive evidence that reasonable efforts were made to either: Notify the person who is the subject of the information about the request so the person has a chance to object to the disclosure; Or to seek a qualified protective order for the information from the court. Page 13

Individual s Rights Right to Restrict Disclosures Right of Access Right to Amendment Right to Accounting Disclosures Requests for the above should be directed to, and processed by, the Group s Health Plan TPA. Page 14

Individual s Rights Staff can file a written complaint if they believe their privacy has been violated. Complaints should be directed to the college s privacy contact, and any intimidating or retaliatory acts are prohibited. It is important for staff to know that their PHI is safeguarded to protect PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. Page 15

Minimum Necessary Minimum Necessary is limiting the amount of PHI that is used (within the facility) or disclosed (outside of the facility) to the least amount of information possible to accomplish the intended purpose. Your facility should evaluate who should be accessing PHI (documented in job descriptions). Only staff who need access to PHI to perform their job duties should be granted access to these areas (a unique sign-on and password, access to paper files, etc.). Minimum Necessary does not apply to requests/disclosures to the staff or another healthcare provider for treatment purposes. Page 16

Medical Information Personnel Records In accordance with Section 112.0455, Florida Statutes, Drug-Free Workplace Act), drug screen results are confidential and exempt from disclosure under the public records law. The Americans with Disabilities Act (ADA) and HIPAA require that all medical documents be filed separately from personnel records. Medical information should be kept confidential and away from personnel records even if the company does not fall under ADA or HIPAA regulations. Medical paperwork that should be filed separately includes the following: Reports from pre-employment physicals Drug and alcohol testing results Workers' compensation paperwork Medical leave of absence forms Disability paperwork Insurance applications that reveal pre-existing conditions Anything that identifies a medical issue Page 17

HIPAA Privacy Vs. Security Rules Privacy Rule Security Rule Sets standards for who needs access to PHI Ensures access is only given to those who need it to perform their job Applies to all forms of PHI (electronic, written, oral) Only applies to electronic forms of PHI Page 18

HIPAA Security Rule Security encompasses the measures organizations must take to protect information within their possession from internal and external threats. Page 19

Administrative Safeguards Establish HIPAA policies/procedures Provide security awareness and reminders to staff Perform a risk analysis to determine where you might be vulnerable to a breach Have a Disaster Recovery Plan in case of emergency Implement sanctions and terminations for staff who breach PHI Management passwords, including disabling access upon termination Appoint a Privacy/Compliance Officer and Security Official Implement Business Associate Agreements for all vendors who access PHI Page 20

Physical Safeguards Design a contingency operations plan when data is temporarily unavailable Implement a security plan for facility (door locks, electronic access controls, video monitoring) Install password protection on monitors Ensure monitors are not facing public areas Password protect thumb drives and documents containing PHI (Word, Excel, etc.) Properly dispose of devices (hard drives, copiers, fax machines, scanners) Page 21

Only use certified software systems Technical Safeguards Use data encryption/decryption on all devices (laptops, cell phones) Install firewalls and antivirus software Assign unique sign-on and passwords to software containing PHI Utilize integrity controls to ensure PHI has not been tampered with or destroyed Implement automatic log-off after system has been idle Back up data daily Continually monitor and audit system to ensure the system has not been hacked or compromised Page 22

Tips for Cybersecurity Protect mobile devices with passwords Maintain good computer habits unique sign-ons and passwords, automatic log off while idle, encryption, screen protectors Use a Firewall and install anti-virus software Control access to PHI only give access to those who need it to perform their job duties Use strong passwords and change them regularly Emails containing PHI should be sent as an encrypted file Control physical access (buildings, offices, servers, computers, fax machines) Page 23

Malware Malware Malware is malicious software that is specifically designed to gain access or damage a computer without the knowledge of the owner. Malware includes: Adware profit through forced advertising Spyware stealing sensitive information Spam unsolicited bulk messages sent through email with commercial, fraudulent or malicious intent Ransomware extorting money by locking down computer until ransom is paid The best protection from malware is to be careful when opening email attachments, to be cautious when going to sites on the internet, and to install/maintain an updated, quality antivirus program. Page 24

Staff Training Employers are required to provide privacy and security training to staff and to provide periodic security reminders. Security reminders include: How to maintain security, including the need for strong passwords Specific threats to PHI that have been identified such as viruses PHI access restrictions Changes in policies/procedures concerning HIPAA regulations Procedures to follow for modifying access to PHI How to report security breaches and to whom Page 25

Enforcement of HIPAA Compliance The Office of Civil Rights (OCR) has been assigned the authority to enforce the Privacy Rule. The OCR has several responsibilities: Investigating complaints it receives from individuals who believe that a Covered Entity is not complying with HIPAA privacy requirements Providing Covered Entities with assistance in order to achieve compliance Making determinations regarding exceptions to state law preemption. Any person or organization can file a complaint with OCR, but complaints typically must be filed within 180 days of the occurrence of an action in violation of the Privacy Rule. Page 26

Threats to Your PHI and Your Organization Employees Loss/Theft of Unsecured Devices Visitors Improper Use or Disposal Business Associates Hackers, Criminals Page 27

Breach of PHI A breach is: The acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI. Any unauthorized use or disclosure of unsecured PHI unless there is a low probability that the PHI has been compromised. More than 171 million people have been affected by HIPAA security breaches 144,622 patient complaints have been filed with the Office of Civil Rights (OCR) 35,741 cases have been investigated by the OCR. 69% required action by the Covered Entity. Page 28

Breach of PHI Healthcare Provider, 19% ENTITY Business Associate, 17% Health Plan, 64% Page 29

Breach of PHI TYPE 75% 14% 1% 5% 2% 4% Hacking/IT Improper Disposal Loss Other Theft Unauthorized Access/Disclosure Page 30

Breach of PHI Source NETWORK SERVER 76% OTHER 7% DESKTOP COMPUTER 6% LAPTOP 4% ELECTRONIC MEDICAL RECORD 4% PAPER/FILMS 2% PORTABLE ELECTRONIC DEVICE 1% EMAIL 1% 0% 10% 20% 30% 40% 50% 60% 70% 80% Page 31

Penalties under HIPAA $100 - $50,000/violation CE or BA did not know they had violated the law $1,000 - $50,000/violation Violation due to reasonable cause and not willful neglect $10,000 - $50,000/violation and up to 5 years imprisonment Violation due to willful neglect but was corrected $50,000/violation and up to 10 years imprisonment Violation due to willful neglect and was not corrected Page 32

H I P A A B R E A C H E S Cignet Health $4,300,000 fine Violated patients rights by denying them access to their medical records when they requested them CVS Pharmacy $2,250,000 fine Disposal of Protected Health Information in dumpsters Stanford Hospitals & Clinics $4,000,000 fine Data from 20,000 patient records were found posted online University of Washington $750,000 fine PHI of 90,000 people was accessed after employee downloaded an email attachment containing malware New York and Presbyterian Hospital $3,300,000 fine Disclosure of 6,800 individual records on unsecured server Affinity Health Plan $1,215,780 fine Returned leased copiers without first erasing data contained on the hard drives Concentra Health Services $1,725,000 fine One unencrypted laptop was stolen Wellpoint $1,700,000 fine Technical safeguards were not in place to verify the entities accessing its database containing PHI Page 33

Sanctions Policy All workforce members must protect the confidentiality, integrity, and availability of sensitive information at all times. FCSRMC will take appropriate disciplinary action against employees, contractors, or any individuals who violate the information security and privacy policies or state, or federal confidentiality laws or regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA). FCSRMC will impose sanctions on any individual who accesses, uses, or discloses sensitive information without proper authorization. Sanctions may include: Page 34 policy changes personnel changes transfer to another department retraining written reprimands suspension termination

Document Retention Maintain the following documentation for six years, unless a longer period applies: All policies and procedures Business Associate Agreements Signed Acknowledgement of Privacy Policies Authorization forms Notices and amended notices Training of employees Patient/employee complaints and their disposition (this must be documented on the complaint form and forwarded to FCSRMC) Page 35

Key Points Provide initial training at hire and annually thereafter. Use the group attendance log as documentation. Maintain a separate employee health file. Keep all protected information in a limited access area and under lock and key. Page 36

Key Points Ensure staff know who the Privacy Contact and Security Officer is for their location Identify systems/areas that have covered data (paper and electronic) Secure your PHI (paper and electronic) Ensure your HIPAA policies and procedures are updated and that the location is known by all applicable staff Assign internal roles and responsibilities Encrypt data at rest and/or in transit, including attachments to emails Install and update (when necessary) appropriate malware and antivirus software Contact the Security Official prior to downloading software Page 37

How Can Staff Help? Do not write password where others can see it and do not share with anyone Use workstations properly position computers so others cannot see screen Know FCSRMC s policies and procedures, including Sanctions policy Don t leave information open and unattended Don t discuss confidential employee information with unauthorized individuals Lock computer, desk and file cabinets when you leave Use the shredder when destroying information Prevent malware infection on your computer by not downloading and installing anything you do not understand or trust, no matter how tempting (includes other websites, emails, physical media, pop-up windows, other software, file-sharing) Report problems to the Privacy Contact at your facility Page 38

Questions? Carol Crews, CMPE, CPMA, OHCC Sr. Manager, Healthcare Advisory BDO USA (904) 224-9787 ccrews@bdo.com Page 39

References More detailed information can be found at the following resources: U.S. Department of Health and Human Resources. 45 CFR Parts 160 and 164. Federal Register www.hhs.gov/ocr/privacy/hipaa/administrative/endor cementrule/enfifr.pdf U.S. Department of Health and Human Services, Office for Civil Rights www.hhs.gov/ocr/privacy/hipaa/understanding/covere dentities/provider_ffg.pdf Centers for Medicare & Medicaid Services, Office of E- Health Standards and Services. www.hhs.gov/ocr/privacy/hipaa/enforcement/ cmscompliancerev08.pdf U.S. Department of Health and Human Services. www.hhs.gov/ocr/privacy/hipaa/administrative/securi tyrule Page 40

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback