General Compliance Training: Fourth Reporting Period

General Compliance Training: Fourth Reporting Period 2017-18

Hi, I am Mona Thompson, Vice President and Chief Compliance Officer. I thank you for participating in the Fourth Reporting Period General Compliance Training. King's Daughters Medical Center is committed to providing the highest level of quality care in an ethical and responsible fashion and in strict compliance with all federal, state and local regulations. The Medical Center is dedicated to maintaining excellence and integrity in all aspects of its operations, delivery of care, and professional and business conduct with team members, patients and their families, administrative staff, physicians, vendors and payers, and the community.

What is a Corporate Compliance Program?
Corporate Compliance refers to the Medical Center's program to ensure the Medical Center complies with (a) Federal, state and local laws; (b) Federal healthcare program requirements; (c) the Code of Conduct; and (d) the Medical Center's policies and procedures. A corporate compliance program:
- Demonstrates to the community the Medical Center's commitment to corporate citizenship;
- Reinforces the Medical Center's culture of ethics, integrity and accuracy to all team members and provides guidelines for leadership compliance responsibilities;
- Provides an expectation of team member, provider and contractor behavior;
- Provides procedures to correct misconduct;
- Provides effective communications for the Board of Directors through an organized framework for regulatory compliance tracking and reporting;
- Protects the financial viability of the Medical Center;
- Mitigates sanctions which may be imposed by the government;
- Ensures the Medical Center provides the highest level of quality care;
- Protects the Protected Health Information (PHI) of the patients.

General Compliance Training Criteria and Requirements
- All Active team members as of November 6, 2017 are required to take the General Compliance Training by December 31, 2017. Failure to complete the training by December 31, 2017 may result in disciplinary action;
- Active PRN and/or Part Time team members are included in the training;
- If an Active team member is on Leave of Absence (LOA) as of November 6, 2017 and/or is placed on LOA during the training period, the LOA team member must take the General Compliance Training before beginning his or her work schedule;
- Team members who join the Medical Center after November 6, 2017 will complete the Initial General Compliance Training provided during New Team Member Orientation.

Corporate Integrity Agreement Overview
On May 27, 2014, the Medical Center and the Office of Inspector General entered into a five (5) year Corporate Integrity Agreement as a result of the Medical Center's settlement with the government. On May 27, 2017, the Medical Center entered the Fourth Reporting Period (4RP). The Corporate Integrity Agreement requires, among many things, that the Medical Center provide:
- Designated compliance training
- During each reporting period
- To specific Covered Persons
In addition, the Medical Center is required to ensure that Covered Persons (as described in the following slides) receive and certify understanding of the training.

Seven Elements of the OIG Model Compliance Program
- Policies and Procedures
- Compliance Officer and Compliance Oversight
- Screening Employees, Contractors, Physicians, Board Members
- Education
- Auditing and Monitoring
- Corrective Actions to Identified Problems
- Enforcement of Violations

It is important you know who is a member of the Compliance & Integrity Committee, as they are available to you as a compliance resource. The committee members are:
- Mark Beilstein
- Mark Detherage, MD
- Richard Ford, MD
- Scott Hill
- Sydney Keeton
- Shelly McGraw-Baier
- Heather Marcum
- Heidi Moore
- Kristin Price
- Paula Willis
- Shawn Boggs
- Chris Epling, DO
- Tom Heck
- Kelly Hurt
- Autumn McFann
- Sheryl Mahaney
- Sara Marks
- Stacy Patrick
- Mona Thompson

Code of Conduct
The Medical Center's Code of Conduct provides the principal guidelines for conducting daily business activities ethically and legally. The Code of Conduct is the Constitution of the Medical Center's Compliance & Integrity program and ensures that the Medical Center meets its compliance goals. Each of us has a role to play and can make a real difference. We have individual responsibility and accountability to follow the Medical Center's policies and procedures, the Code of Conduct and Federal health care program requirements, and to conduct activities in an ethical manner. The Code of Conduct must be observed by everyone:
1. Team Members;
2. Executive Management Team;
3. Board of Directors;
4. Medical Staff and Allied Health Professionals;
5. Vendors and Contractors;
6. Students; and
7. Volunteers.
The Compliance Handbook contains the Medical Center's Code of Conduct. Review the Code of Conduct.

Conflicts of Interest
A Conflict of Interest arises in the workplace when a team member has competing interests or loyalties that either are, or potentially can be, at odds with each other. The Medical Center expects its Team Members, Medical Staff Members, Volunteers, Contractors and Vendors to exercise attention, good judgment and prudence in their relationships, obligations and financial interests so that they do not conflict with the interests of the Medical Center or the performance of their duties. Review the Medical Center's policy and process on Conflicts of Interest. Upon completing this module, go to the 4RP Conflict of Interest module to answer the related questions.

Healthcare is a government enforcement priority because of the potential for fraud, waste and abuse.
- Fraud is making material false statements or representations of fact that an individual knows to be false or does not believe to be true in order to obtain payment or another benefit to which we would otherwise not be entitled.
- Abuse refers to practices that directly or indirectly result in unnecessary costs or improper payments for services which fail to meet recognized professional standards of care.
- Waste is overutilization of services or other practices that, directly or indirectly, result in unnecessary costs to the health care system, including the Medicare and Medicaid programs.
The Federal False Claims Act governs violations of Federal health care program requirements.

How Do I Report Suspected Compliance Violations?
All Medical Center team members, providers, and contractors/vendors are required to report concerns about actual, potential or perceived misconduct to the Compliance & Integrity Department. One may use any of the following reporting tools:
- Call the Compliance Hotline at (606) 408-4145 or (877) 327-4145;
- Call the Lighthouse Services Hotline at (844) 940-0003, an independent third-party hotline provider contracted by the Medical Center as an additional anonymous reporting tool;
- Complete the Compliance Concern Form;
- Contact the Vice President/Chief Compliance Officer, Mona Thompson (606-408-4496);
- Contact the Compliance Officer, Paula Willis (606-408-0161);
- Contact your supervisor, director or Vice President;
- Email corporatecompliance@kdmc.kdhs.us (not anonymous);
- Send written correspondence by intercompany mail to 2201 Lexington Avenue, Ashland, KY 41101, Attn: Compliance & Integrity Department.

What Kinds of Things Should I Report?
- Violations of the law (Federal, state or local)
- Violations of Federal healthcare program requirements
- Inappropriate gifts, entertainment or gratuities
- Discrimination
- Workplace or sexual harassment
- Hostile work environment, bullying
- Stealing or misuse of the Medical Center's assets
- Billing or coding concerns
- Documentation issues
- Violations of patient confidentiality (can be reported to Scott Hill and/or Heather Marcum)
- Violations of the Code of Conduct
- Violations of policies and procedures
- Potential conflicts of interest

Non-Retaliation Policy
The Medical Center takes seriously its responsibility to protect anyone who reports concerns pertaining to actual or suspected fraud and abuse. No team member may threaten, coerce, harass, retaliate against, or discriminate against any individual who reports a compliance concern. Review the Medical Center's Non-Retaliation Policy. Any individual who reports a compliance concern has the right to remain anonymous, and the Medical Center commits to enforcing this right. If you choose to submit your concern anonymously, such as through the Compliance Hotline, Lighthouse Hotline, or the Compliance Concern Form, please provide enough information so the Compliance & Integrity Department can investigate.

Participation and cooperation in the Medical Center's Compliance & Integrity Program is important! Not only because of the potential fines, criminal penalties and loss of federal healthcare program funding that could result for the Medical Center, but because it is the Right Thing to Do! If you have any questions about the content of the Fourth Reporting Period General Compliance Training, please contact:
- Mona Thompson, 606-408-4496
- Paula Willis, 606-408-0161
- Email corporatecompliance@kdmc.kdhs.us

PRIVACY & SECURITY TRAINING

Objectives
- Understand the basics of HIPAA and HITECH
- Understand your role in maintaining the privacy of protected health information
- Be aware of the consequences for non-compliance
REMEMBER: Protecting our patients' private information is one more way we can help serve them.

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) imposes restrictions on the use and disclosure of all protected health information ("PHI"). It requires the Medical Center to:
- Protect the privacy of patient health information
- Secure patient health information
- Use and disclose only the minimum necessary patient health information

Patient Rights Under HIPAA
- Right to access and receive a copy of one's own PHI (paper or electronic format)
- Right to request amendments to information
- Right to request restriction of PHI uses and disclosures
- Right to restrict disclosure to health plans for services self-paid in full
- Right to request alternative forms of communication
- Right to an accounting of the disclosures of PHI

Notice of Privacy Practices
The Medical Center must give each patient a Notice of Privacy Practices that:
- Describes how the Medical Center may use and disclose PHI
- Advises the patient of his/her privacy rights
The Medical Center must attempt to obtain a patient's signature acknowledging receipt of the Notice, EXCEPT in emergency situations. If a signature is not obtained, the Medical Center must document the reason it was not. Patient Access is critical in distributing the Notice of Privacy Practices and getting patient signatures.

Access to Medical Records
Patients have the right to request access to and/or obtain a copy of their medical record. If a patient requests a copy of their medical record, please refer them to the medical records department, and the medical records staff will help the patient with the process. Team members are NOT to access their own medical record. Team members need to contact the medical records department to obtain a copy of the record.

Amendment
Patients have the right to request that information in their record be amended. If a patient wants an amendment to their medical record, give them a copy of the Request for Amendment form, located in the Privacy Manual under the Policies tab on TeamKDMC.com. You can also refer the patient to the Privacy Officer, who can help the patient through the process. The patient must fill out the form and send it to the Privacy Officer for review and approval. The Privacy Officer will work with the relevant medical provider on the requested amendment.

Amendment (cont.)
If the clinician disagrees with the amendment, the patient must be notified in writing of the following:
- The basis for the denial
- Their right to file a statement of disagreement, to be kept in their file and included with future PHI disclosures
- Their right to complain to the covered entity or the Secretary of Health and Human Services
- Contact information for the covered entity's privacy officer

Right to Restriction
Patients may opt to restrict disclosure of their PHI to health plans if they pay out of pocket for goods or services. Patients may direct how they wish to be contacted, such as through a particular phone number or address, and whether messages may be left.

Accounting for Disclosures
Patients have the right to know with whom their information has been shared. Patients are not entitled to an accounting of all disclosures, such as those made for treatment or payment operations. On request, you must be able to provide a report to your patient of the entities with whom their PHI was shared.

Protected Health Information
Protected Health Information (PHI) is information you create or receive in the course of providing treatment or obtaining payment for services. It includes:
- Information related to the past, present or future physical and/or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare; AND
- Includes at least one of the 18 personal identifiers, OR there is a reasonable basis to believe the information can be used to identify the individual.
PHI can be in any format: oral, written or electronic, including videos, photographs, x-rays, etc. It DOES NOT include health information about individuals who have been deceased more than 50 years.

PHI Identifiers
The 18 identifiers are:
- Name
- Postal address
- All elements of dates except year
- Telephone number
- Fax number
- Email address
- URL address
- IP address
- Social Security Number
- Account numbers
- License numbers
- Medical record number
- Health plan beneficiary number
- Device identifiers and their serial numbers
- Vehicle identifiers and serial numbers
- Biometric identifiers
- Full face photos and other similar images
- Any other unique identifying number, code, or characteristic

How Can PHI Be Used?
You are permitted to use or disclose PHI for:
- Treatment;
- Payment;
- Healthcare operations (e.g., legal, medical staff/peer review, audit, business management);
- The individual patient who is the subject of the PHI; and
- Other uses and disclosures required by law.
In all other instances, a written authorization from the patient is needed. Whenever in doubt about release of information, contact Medical Records, the Privacy Officer, or Legal Services for guidance.

Psychotherapy Notes
Use or disclosure of psychotherapy notes to a third party requires the patient's authorization, except in limited circumstances.

Minimum Necessary
As a team member you should only have access to patient information, via computer systems and other sources, that you need to do your job. Accessing patient information which you do not need as part of your job duties violates policy. Epic access is monitored and checked to assure compliance by all team members.

Minimum Necessary (cont.)
In general, uses/disclosures of or requests for PHI are limited to the minimum amount of health information necessary to get the job done. That means those employees who regularly access PHI must be identified, and the Medical Center must limit access to PHI to the minimum necessary for the Team Members to do their jobs.

Incidental Uses & Disclosures
Incidental means a use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a byproduct of an otherwise permitted use or disclosure. These disclosures are permitted, so long as reasonable safeguards are used to protect PHI and minimum necessary standards are applied.

Example
The doctor and nurse discuss a patient's case out at the nurses' station, within earshot of patient rooms. A visitor overhears and, based on the information heard, believes the doctor and nurse were discussing her relative. True or False: Is this a breach?

Answer
False! The doctor and nurse were discussing the patient's case as quietly as possible, and avoided using the patient's name or other clearly identifiable characteristics of the patient. The case was being discussed so the doctor and nurse could discuss necessary care of the patient, within the minimum necessary to further the patient's care. This was an incidental disclosure.

Sale, Marketing, and Fundraising
HIPAA prohibits the sale of PHI without the patient's authorization. The Medical Center can communicate with patients about their services, send refill reminders, and send letters about health-related goods and services as long as the practice does not receive payment for doing so. HIPAA allows patients to opt out of fundraising communications.

Limited Data Sets
HIPAA allows the use of a Limited Data Set for teaching, research, and public health. It may be used or disclosed only if a Data Use Agreement is in place between the Medical Center and the recipient of the information. Contact Legal Services for assistance with Data Use Agreements. A Limited Data Set can include only dates and zip codes. It cannot include any other identifiers.

PHI & Research
Patient information cannot be shared with research investigators unless the patient has provided a signed HIPAA research authorization allowing this, or the IRB has granted a waiver of HIPAA research authorization. Treating healthcare providers can inform patients about research studies.

Media
The patient's healthcare provider must be the initial contact with the patient for communication with the media or for developing Medical Center communications that use PHI. The patient's authorization must be obtained for use and disclosure to the media. Please contact the Marketing Department for more information and help with interacting with the media.

Example
You had a patient who received a difficult diagnosis, and at the end of the day you want to express the sorrow you feel for this patient. In addition to the diagnosis, what information could you post on Facebook?
A. Patient's age
B. Date of service
C. Description of the patient's tattoo
D. Patient's first name

Answer
None of the above. Facebook is considered the public domain, so any information shared there is available for anyone to see. The Medical Center's service area is a small community, and chances are someone will be familiar enough with the patient to use even this limited information to uncover the patient's identity.

Business Associates
HIPAA also covers business associates. A business associate is any person or organization who provides services to the Medical Center (or its affiliates, e.g., Kingsbrook) that involve the use or disclosure of PHI. Examples: billing vendors, Tri-Data, maintenance service providers, etc. To comply with HIPAA, all business associates must have business associate agreements with King's Daughters. The Medical Center can be held responsible if our business associates are not compliant with HIPAA. If you utilize a vendor who may qualify as a business associate, please contact Legal Services to help with the contract process.

Breaches and Reporting
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), when a breach of patient information occurs, the Medical Center has to notify each affected individual (and the federal government) and let them know their PHI has been compromised. There are SHORT deadlines by which the Medical Center has to provide notification, so IMMEDIATELY report breaches to the Privacy Officer or Compliance Officer to make sure the Medical Center meets its deadlines.

Why Report?
The Medical Center is required by law to report breaches to the Department of Health and Human Services, Office for Civil Rights. When the Medical Center reports a breach, we are essentially reporting a violation of the Privacy Rule (HIPAA). If HHS suspects that the breach or violation resulted from willful neglect, it will conduct a compliance review. The Medical Center can be fined as much as $50,000 per violation of each provision of HIPAA.

Breach Response Timing
Two things can increase the amount of the fine:
- Willful neglect: acting in a manner that shows conscious, intentional failure or reckless indifference towards our obligation to comply with HIPAA.
- Failure to correct the violation quickly.
Do not delay reporting to your Privacy Officer any incident that you know or think might be a HIPAA violation!

Common Breaches
Below are examples of common unauthorized uses and disclosures of PHI that must be reported to the Privacy Officer:
- Fax sent to wrong number: A fax with patient information sent to the wrong recipient must be investigated by the Privacy Officer for potential risk to the patient's protected health information. When a provider leaves, make sure their information in Epic is updated or removed, as needed. Many wrong-number faxes occur when former Medical Center physicians continue to get automatic notifications through Epic, but the information is sent to their new contact information and they are no longer involved in that patient's care.

Common Breaches (cont.)
- Patient statements or discharge papers given to the wrong patient: Make sure to ask for two patient identifiers before giving an After Visit Summary, discharge instructions, prescriptions, or any other documentation. This is the most common cause of breaches in the Health System; take your time before giving paperwork to patients and make sure you are giving it to the right patient.
- Envelopes not sealed or having the wrong mailing label affixed: Mailing unsealed envelopes means any person can access the patient's PHI. Make sure you use the correct mailing label, and double check the address and patient name before mailing to make sure you are sending the correct documentation to the correct patient. Sometimes additional private information can be printed on mailing labels; make sure only the patient's name and address are on the outside of the envelope, and nothing more.

Common Breaches (cont.)
- Unencrypted mobile devices or storage media: If a mobile device, laptop, tablet, USB drive, or other storage media has PHI on it, the information should be encrypted.
- Unauthorized patient pictures or information posted on social media websites: The Medical Center is located in a small community, and everyone is one or two degrees removed. It takes very little information for a friend on Facebook to recognize the description of a patient you posted about in your status. When in doubt, don't post about patients. Remember, it is against policy to take unauthorized photos of patients.
- Disposing of patient information incorrectly: Make sure you use the shred bins located throughout the hospital! Don't leave PHI, whether in paper form, on a CD, or on another storage device, unattended. Always store it securely, for example in a locked cabinet.

Common Breaches (cont.)
- Accessing patient information that is not job-related: REMEMBER, only access the minimum patient information necessary to do your job.
Examples:
- A Team Member had been involved in a patient's care. The next time the Team Member is working, the patient has been transferred to another unit. The Team Member wants to know how the patient is doing and goes into the medical record. Is this inappropriate access? Yes. There was no reason for the Team Member to be in the patient record to provide medical care.
- A Team Member's relative is receiving treatment in the facility. The Team Member goes into the medical record in order to get information for the family, and for discussion with the providers of care to the relative. Is this inappropriate access? Yes. The Team Member was not in the medical record for purposes of providing medical care, but instead for personal reasons.

Penalties for Non-Compliance
If you violate the Privacy Rule, civil and criminal penalties can include:
- A $100 - $50,000 civil penalty per violation, up to an annual maximum of $1,500,000.
- A criminal penalty for knowingly disclosing PHI, which may escalate to a maximum of 10 years in prison and $250,000 for conspicuously bad offenses, such as selling a patient's PHI.
- Discipline up to and including termination.
But if you unknowingly make a mistake, remember: the Department of Health and Human Services (DHHS) is mandated to give you and your organization advice and technical assistance and help you work out problems.

Privacy Tips
- Never take PHI home with you
- Never leave computers, tablets, or other mobile or storage devices in your trunk or car
- Speak quietly
- Avoid using patient names in public areas. We live in a small community, and even the smallest details can be identifiable to someone who overhears.
- Secure records and computers, even if you are just stepping away for a second. It takes just seconds for a patient, relative or other person to access an Epic screen left open and unattended.
- Use the shred bins located throughout the Medical Center to shred documents with PHI (that do not need to be preserved)

Privacy Tips (cont.)
- Take your time when faxing, mailing, or checking a patient in or out. Rushing through the process can lead to errors and inadvertent breaches.
- Whenever in doubt about whether you can access a medical record or provide information or records to someone, contact the Privacy Officer or Heather Marcum. We would rather you ask than make the wrong decision; we are here to help!
Report privacy concerns and issues (or just ask questions) to:
- Scott Hill, Chief Privacy Officer
- Heather Marcum, HIM Director, Privacy Officer
- scott.hill@kdmc.kdhs.us / heather.marcum@kdmc.kdhs.us

HIPAA Security Rule
A great deal of PHI is stored electronically and/or transmitted by electronic systems. The HIPAA Security Rule was created specifically to address electronic PHI (ePHI).

HIPAA Security Rule
All Team Members have responsibilities relating to protecting electronic health information (ePHI) from unauthorized:
- Access
- Alteration
- Deletion
- Transmission

Purpose of Security Standards Establish a minimum level of security for electronic patient health information (ePHI) stored or available in electronic form, on computers or any storage media. Ensure the confidentiality, integrity, and availability of ePHI. Protect against threats or hazards to the security and integrity of ePHI, and against its unauthorized use, access, or disclosure.

Security Standards Apply To PHI in electronic form, both stored and transmitted.

Password Recommendations Treat your user ID and password as securely as you do your bank PIN. Passwords should be difficult to guess and as complex as possible. Change all passwords received from another source (password resets, passwords supplied by a vendor, etc.) as soon as you receive them. Do not use the Remember Me feature in Windows.

Password Requirements (cont'd)
- Password Length: 8 character minimum
- Password Change Interval: 90 days

Password Requirements Password Complexity: use at least three of the following four character types when constructing a password:
- Uppercase letter
- Lowercase letter
- Special character (!, @, #, $, etc.)
- Number
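The two slides above define a checkable policy: 8-character minimum, three of four character classes, a 90-day change interval, and "change any password received from another source". The following is an added example that is not the Medical Center's own tooling; it encodes those rules in one place so a help desk or self-service reset page could reject a non-compliant password before it is set. The `ISSUED_PASSWORDS` and `COMMON_PASSWORDS` sets are constructed samples standing in for a real list of vendor/reset defaults and a breached-password list. One caveat a practitioner should know: current federal guidance (NIST SP 800-63B) discourages composition rules and forced periodic rotation in favour of length and blocklist screening, so the blocklist check below is the part worth keeping even if the other rules are relaxed.

```python
"""Checker for the password policy stated on the page.

Added example, not the Medical Center's own code. Rules implemented:
  - at least MIN_LENGTH characters
  - at least MIN_CLASSES of the four classes upper / lower / digit / special
  - must not be a password handed to the user by someone else (reset, vendor)
  - must not be a common, easily guessed password
  - must be changed every MAX_AGE_DAYS days
"""
from datetime import date, timedelta
import string

MIN_LENGTH = 8        # "8 Character Minimum"
MIN_CLASSES = 3       # "pick three of the following four options"
MAX_AGE_DAYS = 90     # "Password Change Interval 90 Days"

# Constructed sample (hypothetical values): passwords a user might receive
# from a help-desk reset or a vendor and must replace before use.
ISSUED_PASSWORDS = {"Welcome1!", "Changeme1", "Temp2024!"}

# Constructed sample: a real deployment screens against a large breached /
# common password list (millions of entries), not a handful of literals.
COMMON_PASSWORDS = {"password", "Password1", "Password1!", "12345678", "qwerty123"}
_COMMON_LOWER = {p.lower() for p in COMMON_PASSWORDS}


def character_classes(pw: str) -> set[str]:
    """Return which of the four character classes appear in pw."""
    classes: set[str] = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def policy_failures(pw: str) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it passes."""
    failures: list[str] = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        failures.append(
            f"uses {len(classes)} of 4 character classes, need at least {MIN_CLASSES}"
        )
    if pw in ISSUED_PASSWORDS:
        failures.append("received from another source (reset/vendor) and must be changed")
    if pw.lower() in _COMMON_LOWER:
        failures.append("appears on the common-password list")
    return failures


def is_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the change interval."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "password", "Password1!", "Welcome1!", "Ab1!"]:
        problems = policy_failures(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
    print("expired:", is_expired(date(2024, 1, 1), date(2024, 4, 1)))
```

Note that `Password1!` satisfies every composition rule on the slide and is still rejected by the blocklist check, which is the point: complexity alone does not make a password hard to guess.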

Generic ID & Password Only allowed on shared workstations with the Windows screensaver enabled. Windows Workstation Security Will be enabled on all workstations, e.g., antivirus software.

User Credentials Only log on to computer systems with your own user ID and password. Never use someone else's. You will be held responsible for all activity under your user ID. Do not share passwords, ID badges, or other access credentials with anyone. Password complexity is an important deterrent to unauthorized access.

Location and Access Protection Keep your Medical Center badge with you or in a secure location at all times. Medical Center badges allow access to a variety of locations and should always be protected. Do not prop doors open or leave windows unlocked; this allows unsecured access. At home and at work, we rely on locks and alarm systems. It is important to prevent unauthorized access to locations and information. Keep all file cabinets and drawers that contain PHI locked when you are not present, and keep the keys in a secure location.

Device Security and Protection Be aware of the placement of workstation monitors. Screens should not be visible to those without authorization to view the information displayed. All data on a workstation must be securely destroyed before the workstation is decommissioned; contact the IST Service Desk for assistance (84357). Every time you leave your workstation, sign off or use the Windows locking mechanism. If you have questions about this process, please contact the IST Service Desk.

Protecting Patient Information As a Team Member, maintaining a patient's privacy is part of your job. You should access or view a person's PHI only when it is required for your job. Simply because you are able to see a person's PHI does not mean it is legal to do so. Snooping in a person's PHI can lead to disciplinary action up to and including termination. By law, unauthorized access to a patient's information must be communicated to the patient. The Medical Center routinely audits access to patient records and our systems to ensure proper access by Team Members.

Protecting Patient Information (cont d) Do not look up the medical records of co-workers, friends, family members, neighbors, or celebrities unless it is required by your job. MyChart, a personal health record, can be used to view your own and family member medical records once the appropriate forms are completed. Contact your personal physician to ask if they participate. All of our patients are entitled to privacy and confidentiality. Do your part and only look up information you need to do your job.

Protecting Patient Information (cont'd) Do not look up your own medical record. This is a violation of Medical Center procedures. There are approved methods to retrieve your PHI. For example, if you are waiting for a lab result or want to view a clinic note or operative report, you must contact your physician for the information, use MyChart, or make a written request to the Medical Records Department. Your access to your own PHI must be through the same procedures available to other patients, not through your job-related access to Medical Center information systems (e.g., Epic).

Mobile Media Security and Protection All storage media such as CDs, DVDs, and memory sticks must be kept in secure locations. Do not store ePHI on mobile electronic devices or storage media such as laptops, cell phones, tablets, CDs, DVDs, and memory sticks unless they are encrypted. If a mobile electronic device or storage medium containing ePHI or any Medical Center confidential or proprietary information is lost or stolen, you are required to contact an Information Security Officer immediately via the Information Service Desk (84357).

Email Security and Protection Do not send confidential information in an email, either in the message or in an attachment, unless the communication channel is secure and encrypted. If you are not sure the channel is secure, do not send the email; contact an Information Security Officer for clarification. If you do not know the sender of an email, do not open it. If you inadvertently open the email, do not open attachments or select any hyperlinks. The Medical Center Security and Privacy policies are on the Intranet for review.

Emergency Mode Operation Plan The Medical Center has an Emergency Mode Operation Plan (Policy K18) to enable critical business processes to continue to operate while the Medical Center is functioning in emergency mode (i.e. emergencies or disasters such as fire, vandalism, terrorism, natural disaster, or system failure). The plan sets forth: (1) specific procedures to allow the continuation of critical business processes for protection of the security of electronic protected health information while operating in this mode and (2) procedures for obtaining necessary electronic protected health information during an emergency.

Training, Compliance and Reporting Security compliance and training are continuous activities and are required for all Team Members. The HIPAA security standard also covers individuals working from home or from non-Medical Center locations. The Security Rule is enforced by the U.S. Department of Health and Human Services Office for Civil Rights (enforcement moved there from the Centers for Medicare and Medicaid Services in 2009), which can impose penalties on organizations and/or individuals for violations. If you suspect that a security violation has occurred, contact an IST Security Officer immediately.

Additional Resources All KDMC Security Policies are located on the Intranet for Team Member education, reference and guidance. If you have questions, please refer to the Medical Center policies and/or contact one of the persons listed on the previous slide.

Contact Information The Information Security Officer for the Medical Center is David McDonald. The Chief Privacy Officer for the Medical Center is Scott Hill. The HIM Privacy Officer for the Medical Center is Heather Marcum.

You have completed the Fourth Reporting Period General Compliance Training. Before you earn 100% credit for participation, you must complete (i) the Post Test, achieving a minimum of 85% accuracy, (ii) the Conflict of Interest Certification, and (iii) the Attestation. The following slide is an example of the Attestation.

By accepting Yes to the Fourth Reporting Period General Compliance Training Attestation, I certify: I received, read and understand the content presented in the Fourth Reporting Period General Compliance Training module; I understand that if I have any questions about the content, I should contact Mona Thompson or Paula Willis; I received, read and understand the Code of Conduct and policies contained in the training; I agree to follow the Code of Conduct; I agree to comply with all Federal health care program requirements and understand it is my obligation to promptly report any suspected violations of any Federal health care program requirements, the Code of Conduct, or the Medical Center's own policies and procedures.

POST TEST TEAM MEMBER IS REQUIRED TO OBTAIN 85% ACCURACY

QUESTION/ANSWER Which of the following best describes the major goal of the Medical Center's Compliance & Integrity Program? 1. To plan facility construction projects 2. To prevent, detect and correct accidental and intentional violations of laws, regulations, policies and the Code of Conduct 3. To enhance marketing of the Medical Center's services ANSWER: Number 2. The Medical Center's Corporate Compliance Program was designed to prevent accidental and intentional violations of laws, regulations, and policies, to detect violations if they occur, and to prevent future noncompliance.

QUESTION/ANSWER Which of the following is NOT an element of the Medical Center's Compliance & Integrity Program? 1. Education and training 2. Annual reports to the American Medical Association 3. A hotline and communication system 4. Policies and procedures ANSWER: Number 2. Reports to the AMA are not a basic element. Although compliance programs may have various characteristics, they all typically contain seven basic elements, including education & training, a hotline and communication system, auditing & monitoring, enforcement, policies and procedures, and a Compliance Officer.

QUESTION/ANSWER Who is responsible for compliance with the Medical Center's Code of Conduct? 1. Board of Directors 2. Team Members 3. Executive Management Team 4. Medical Staff and Allied Health Professionals 5. Contractors and Vendors 6. Volunteers 7. Students 8. All of the Above ANSWER: Number 8. Responsibility for compliance with the Code of Conduct applies to everyone, including the Medical Center's Board of Directors, Team Members, Vice President/Executive Management Team, Medical Staff and Allied Health Professionals, and Contractors/Vendors/Volunteers and Students. All Medical Center business will be conducted in compliance with all applicable laws, regulations, and the Medical Center's policies and procedures and Code of Conduct.

QUESTION/ANSWER Which of the following situations could likely constitute a Conflict of Interest? 1. Reporting a joke you overheard which offended you; 2. Making a decision required as part of your duties that could be influenced by a financial or other gain to you or a family member; 3. Participating in a Team Member Satisfaction Survey conducted by the Medical Center. ANSWER: Number 2. A conflict of interest may arise when your own private interests conflict with your duties at the Medical Center. It is important to avoid any activities that may influence or appear to influence your ability to render objective decisions in the course of your job responsibilities. All decisions should be based on the needs of the Medical Center's patients, the community, and the Medical Center. If you were offended by a joke, let the person know the joke offended you. You may also report it to your supervisor, the Compliance & Integrity Department, the Compliance Hotline, the Lighthouse Hotline, or the Compliance Concern Form.

QUESTION/ANSWER What is the responsibility of every Team Member? 1. Stay at least one hour beyond the normal shift 2. Report suspected violations of the Code of Conduct, Medical Center policies and procedures, and Federal health care program requirements 3. Be a member of at least one Medical Center committee 4. None of the above ANSWER: Number 2. The Medical Center expects all Team Members to be familiar with the Code of Conduct, compliance-program policies and procedures, the policies and procedures associated with the Team Member's job responsibilities, and Federal health care program requirements. The Medical Center will not tolerate violations of laws, regulations, or Medical Center standards, policies, or procedures. Furthermore, it is the duty of every Team Member to report suspected violations in a timely manner.

QUESTION/ANSWER Select all the options for reporting a compliance concern: 1. Call the Compliance Hotline at (606) 408-4145 or (877) 327-4145; 2. Call the Lighthouse Hotline at (844) 940-0003; 3. Complete the Compliance Concern Form; 4. Contact Vice President/Chief Compliance Officer, Mona Thompson (606-408-4496); 5. Contact Compliance Officer, Paula Willis (606-408-0161); 6. Contact your supervisor, director or Vice President; 7. Email corporatecompliance@kdmc.kdhs.us (not anonymous); 8. Send written correspondence intercompany or to 2201 Lexington Avenue, Ashland, KY 41101 Attn: Compliance & Integrity Department; 9. All the above ANSWER: Number 9. All the options above are available to report a compliance concern or allegations of violations of Federal health care requirements.

QUESTION/ANSWER Identify the two team members who represent the Medical Center's Compliance & Integrity Department: 1. Scott Hill; 2. Heather Marcum; 3. Mona Thompson; 4. Mark Beilstein; 5. Paula Willis; 6. Kelly Hurt ANSWER: Numbers 3 and 5. Although all the referenced team members are involved with regulatory matters, the Medical Center's Compliance & Integrity Department is served by Mona Thompson (Vice President/Chief Compliance Officer) and Paula Willis (Compliance Officer).

QUESTION/ANSWER Identify how you can help the Medical Center be compliant: 1. Follow the Code of Conduct; 2. Follow the compliance program policies and procedures; 3. Report any potential Conflicts of Interest; 4. Complete all required compliance training; 5. Report compliance concerns to the Compliance & Integrity Department or through any of the other available reporting options; 6. Report any allegations of potential Overpayments; 7. Be aware of the seven elements of a Compliance Program; 8. All of the above. ANSWER: Number 8. Each team member is obligated to follow the Code of Conduct and the compliance program policies and procedures. In addition, each team member is required to report any compliance concern or suspected Overpayment in a timely manner and to complete required compliance training. It is important that each team member is aware of the seven elements of the compliance program.

QUESTION/ANSWER Security Awareness Training is not necessary for all team members. 1. True 2. False ANSWER: False

QUESTION/ANSWER It is better to leave your screen visible to customers and patients so they can correct any mistakes as you enter data. 1. True 2. False ANSWER: False

QUESTION/ANSWER It is a good idea to keep the same password for a long time so you don't forget it. 1. True 2. False ANSWER: False

QUESTION/ANSWER You should never share your user ID and password with anyone at any time. 1. True 2. False ANSWER: True

QUESTION/ANSWER Jane was not very busy, so she spent from 9:00 AM to 12:00 PM looking through her family's medical records. This was acceptable since she did not look at strangers' data. 1. True 2. False ANSWER: False

QUESTION/ANSWER It is acceptable to review your neighbor's medical record to make sure you can send them a proper get-well gift. 1. True 2. False ANSWER: False

QUESTION/ANSWER It is acceptable to leave your work laptop in your car. 1. True 2. False ANSWER: False

QUESTION/ANSWER It is acceptable to allow your toddler to play on your work phone. 1. True 2. False ANSWER: False

QUESTION/ANSWER Mary researched her daughter's ex-husband's new wife in Epic. This is acceptable because she only looked at demographics, not health information, to see how nice a house the new wife has. 1. True 2. False ANSWER: False

QUESTION/ANSWER Dr. Sam is driving to a clinic 40 miles away from the Medical Center campus but wants his nurse to email a patient's lab result so he can look at it ahead of time. The nurse should do this to help Dr. Sam be more efficient with his time. 1. True 2. False ANSWER: False

QUESTION/ANSWER Julie, a nurse in an affiliate office using Physician connect, has a coworker who is distraught because she believes her husband's affair has resulted in a child. It is acceptable to let the coworker sign into Epic as Julie so she can verify whether she has a stepchild. 1. True 2. False ANSWER: False