HIPAA. Health Insurance Portability and Accountability Act. Presented by the UMMC Office of Integrity and Compliance

Rules and Regulations to Ensure Privacy
HIPAA sets federally recognized standards to ensure both the privacy and the security of patient health information (PHI). Both sets of standards are overseen by the Office for Civil Rights. Within UMMC, the standards are enforced by:
- The Office of Integrity and Compliance (Privacy Officer)
- Information Systems (Security Officer)

Policies and Procedures
UMMC has created policies and procedures to facilitate compliance with all of these standards. They are to be followed by every employee who comes into contact with patient health information. The policies can be found on the UMMC Intranet or at the following link: http://compliance.umc.edu/faq.html

HIPAA Privacy Standards
The Privacy Standards provide for the following:
- Boundaries for the uses and disclosures of protected health information
- The implementation of administrative, technical and physical safeguards to help ensure health information remains confidential
- More control of an individual's health information by the individual
- Civil and criminal penalties for violators of the standards

What information is protected by the regulations?
The HIPAA Privacy Standards protect individually identifiable health information, collectively referred to as protected health information (PHI). Basically, PHI is clinical information, such as an individual's diagnosis, in combination with some type of information that allows you to identify that individual. For instance, a diagnosis on a progress note that carries the patient's name in the right-hand corner is PHI. PHI can be transmitted or maintained in any form or medium: this includes PHI that is spoken, written or stored on paper, and stored or transmitted electronically.

Examples of PHI
Some examples of confidential and protected health information:
- Documentation created by physicians, nurses, and other health care providers and assembled in medical records
- Conversations about an individual's care or treatment between health care providers
- Information about patients in UMMC's computer systems
- Billing information about an individual's health care

Information that can be used to identify a patient includes:
- Patient's name
- Address or zip code
- Month and date of service or any other relevant date
- Date of birth
- Telephone and/or fax number
- E-mail address
- Social Security Number
- Medical record or patient account numbers
- Vehicle identifiers or serial numbers
- Health plan beneficiary number
- Device identifiers or serial numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographic images or other comparable images
- Web locators (URLs) or Internet Protocol (IP) addresses
- Any other unique identifying number, characteristic, or code

Which Disclosures Are Allowed Without Authorization?
Except for psychotherapy notes, the privacy standards allow UMMC to disclose information without an authorization for the following purposes:
- To comply with the law, such as reporting communicable diseases to the Mississippi State Department of Health
- For the treatment of the individual
- To obtain payment for services rendered by UMMC
- To carry out the healthcare operations of UMMC

Disclosures Allowed by Law
There are many disclosures that UMMC makes because they are required by law, and therefore no authorization is required. Some of these include, but are not limited to:
- Disclosures about victims of child abuse
- Disclosures for judicial proceedings, such as responding to a subpoena
- Disclosures for law enforcement purposes

What Is Considered Treatment Under HIPAA?
Treatment includes the management of healthcare and related services by one or more healthcare providers, including coordination with a third party, such as a skilled nursing facility; consultations with other providers; or the referral of a patient from one provider to another. The following are examples of treatment activities:
- Healthcare staff orally coordinating services at the hospital nursing station
- The teaching physician or dental instructor discussing a patient's condition during training rounds
- A healthcare provider discussing lab test results with a patient or another provider in a joint treatment area
- A dentist referring a patient to an orthodontist
- Nurses or other health care providers discussing a patient's condition over the phone with the patient, a provider, or a family member

Payment
The billing department uses confidential information to bill patients or their insurance companies for the services they receive.

What Are Healthcare Operations?
Healthcare operations are the activities that UMMC performs on a day-to-day basis in order to stay in business. Examples of healthcare operations include:
- Utilization review activities
- Compliance activities
- Internal auditing activities
- Teaching of students
- Performance improvement activities

Disclosures/Releases With Authorizations
Disclosures other than those listed above can be made by UMMC only if the patient signs an authorization. Authorizations, sometimes referred to as consents to release, must contain the required core elements and statements before the information can be released. Fulfilling an authorization that does not contain the required core elements and statements is a violation of this federal regulation. Only authorized employees may disclose patient information.

What YOU Need to Know About HIPAA

Several Important Concepts
Concept #1: Need to Know
Only access patient information if you have been assigned some form of responsibility for the patient's care. Share information about patients only with other individuals who have a need to know. Part of protecting our patients' privacy is ensuring that employees access only the information they need in order to perform their job duties. An employee who does not have a valid reason to know a patient's information should refrain from accessing it.

Need to Know Scenarios
Scenario 1: Sue was involved in a car accident and was rushed to the ER. Jane, her best friend, is a nurse on 2 North. She wants to check the EHR portal and make sure Sue is OK. Does Jane have an appropriate need to know? NO. Jane should only access the patient's information if she took part in the patient's care or was conducting a job activity that required her to look at the patient's information.
Scenario 2: Judy watched the local news this morning and saw that a local high school student was involved in an accident and transported to UMC. She just wants to check and make sure the student is OK. She has access to Invision and thinks surely no one will find out. Does Judy have an appropriate need to know? NO. She should only access the information if she has a need to know in order to fulfill her job duties. Also, the Office of Integrity and Compliance monitors access to patient charts. We will find out!

Several Important Concepts
Concept #2: Minimum Necessary
It is UMMC policy that each employee use and disclose only the information that is minimally necessary to fulfill a purpose or duty. Access or view only the minimum amount of patient health information necessary to complete your job duties.

Minimum Necessary Scenario
Scenario 1: Amy has been asked by one of her co-workers to lend a hand and look up a patient's lab results in the portal. Amy notices that the patient was recently an inpatient on the Psych floor and decides to view the psych notes from the prior visit. Should Amy access the psych notes? No. Amy should only access the minimum necessary to accomplish her job task, i.e. look up the lab results. She should refrain from snooping for additional information.

Several Important Concepts
Concept #3: Patients' Rights
Under HIPAA, patients have several rights related to their PHI. Below is a comprehensive list of those rights, followed by how you should respond to a patient who has questions about one of them.
- Right to access and obtain a copy of their medical record
- Right to receive an accounting of disclosures
- Right to request that restrictions be placed on the use of their PHI, even for the purposes of treatment, payment and healthcare operations
- Right to file a complaint
- Right to agree or object to being included in the hospital directory
- Right to request confidential communications
- Right to a Notice of Privacy Practices

Patient right: Right to access and obtain a copy of their medical record
How to handle the request: Refer requests to Release of Information for the respective area.

Patient right: Right to receive an accounting of disclosures
How to handle the request: Refer requests to Release of Information for the respective area.

Patient right: Right to request that restrictions be placed on the use of their PHI, even for the purposes of treatment, payment and healthcare operations
How to handle the request: Refer requests to the Office of Integrity and Compliance.

Patient right: Right to agree or object to being included in the hospital directory
How to handle the request: Refer inquiries to Registration.

Patient right: Right to request confidential communications
How to handle the request: Refer requests to the Office of Integrity and Compliance.

Patient right: Right to a Notice of Privacy Practices
How to handle the request: Refer inquiries to the Office of Integrity and Compliance.

Did You Know?
The American Recovery and Reinvestment Act, also known as the Stimulus Bill, signed by President Barack Obama on February 19, 2009, included changes and additions to the HIPAA laws. Until then, no changes had been made to the HIPAA laws since enforcement began in 2003.

Revisions to HIPAA
The changes and additions to the privacy laws include:
- Breach notification requirements
- Additional patient rights
- Criminal penalties for employees who violate HIPAA law

Breach Notifications
Under this new set of laws, if a patient's PHI is breached, i.e. inappropriately released without authorization, we are required to notify the patient of the occurrence. If a breach involves more than 500 individuals, we are also required to notify a local media outlet (local news station or newspaper) that a breach occurred. For example: Dr. Smith carries a UMC-owned computer to a conference out of state. The computer holds all of ABC Clinic's patient information in an Excel spreadsheet, and the spreadsheet is neither password protected nor encrypted. If the computer is lost, the hospital will be required to contact a local news station for reporting.

Criminal Penalties
Previously, employees who inappropriately accessed, used, or disclosed a patient's health information were not subject to criminal penalties; the hospital would take the blame. NOW, UNDER THE STIMULUS BILL, IF YOU INAPPROPRIATELY ACCESS, USE OR DISCLOSE A PATIENT'S HEALTH INFORMATION, YOU CAN BE CHARGED WITH CRIMINAL PENALTIES!

Additional Patient Rights
- The right to request and receive, at a reasonable cost, their health information in electronic format if the information is maintained as an Electronic Health Record (EHR)
- The right to apply restrictions on disclosures made to Covered Entities for any item or service for which the patient has paid the full cost out of pocket
- The right to receive a full accounting of disclosures made by the Covered Entity or Business Associate involving treatment, payment, or health care operations during the previous three years

Facebook and Other Social Networking Sites
Did you know that a common HIPAA privacy violation involves employees posting patient information on Facebook and other social networking sites or blogs? The rising popularity of social networking sites has brought new responsibilities to those working in the healthcare setting to ensure that our patients' health information remains protected. As a UMMC employee, you are obligated to protect the privacy of all patient information.

HIPAA Violation Involving Social Networking Sites
Scenario 1: Mary is a nurse and is on duty when a VIP is rushed to the ED following a car accident. She is assigned to this patient and is therefore aware of the accident details and the patient's condition. After leaving work and returning home, Mary checks her Facebook page and notices that someone has posted a link to the local newspaper article about the story. Mary decides to comment on that individual's Facebook page, confirming the article's brief description of the patient's condition, providing more in-depth information about the patient's status, and indicating that she took care of the patient in the ED. Does this constitute a HIPAA violation? YES! The information Mary posted was information she knew only because she was an employee who assisted in the patient's care.

Facebook and Other Social Networking Sites
The Office of Integrity and Compliance does not discourage the personal use of such sites, but you must refrain from posting or discussing any patient information (including patient pictures) on any social networking site or blog.

Brief Pointers
- Family and friends: do not access the health information of family or friends if you do not have a need to know.
- VIPs: do not access the health information of individuals who are of public interest unless you have a need to know.
- Passwords: do not share passwords. We audit, and you will be held responsible. This includes portable devices.
- Disposing of patient information: printed material must be disposed of properly. NEVER throw it away in the regular garbage without at least shredding it by hand.
- Ongoing monitoring: we perform ongoing monitoring of access to patient health information, including employee-to-employee access. IF WE FIND YOU ARE NOT CONNECTED TO THE PATIENT'S CARE OR DO NOT HAVE THE APPROPRIATE NEED TO KNOW TO COMPLETE YOUR JOB DUTIES, YOU WILL BE HELD ACCOUNTABLE.
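The need-to-know and minimum-necessary scenarios above, and the ongoing monitoring this slide refers to, come down to one audit question: did each chart access have a care relationship and a task that justified the section viewed? The following is an added illustration of that check, not UMMC's own monitoring code; the access log, care-team roster and purpose codes are constructed for the example.

```python
"""Need-to-know audit of EHR chart access (constructed example).

Added illustration, not UMMC's own monitoring code. Two constructed
inputs: an access log (who opened which chart section, when, and for
what stated purpose) and a care-team roster (who was assigned to the
patient that day). Any access with no assignment on that date, and any
access to a section outside what the stated task needs, is flagged for
the compliance office to review.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    user: str
    patient_id: str
    section: str   # record section opened, e.g. "labs", "psych_notes"
    date: str      # ISO date of the access
    reason: str    # purpose code entered at access time (constructed)


# Constructed roster: (patient, date) -> employees assigned to that care.
CARE_TEAM = {
    ("P1001", "2024-03-04"): {"dr_lee"},
    ("P2002", "2024-03-04"): {"amy"},
}

# Constructed minimum-necessary map: which sections a task legitimately
# needs. A lab-result lookup does not need the psych notes.
MINIMUM_NECESSARY = {
    "lab_lookup": {"labs"},
    "treatment": {"labs", "notes", "meds", "psych_notes"},
}


def audit(log):
    """Return (access, finding) pairs that need compliance review."""
    findings = []
    for a in log:
        team = CARE_TEAM.get((a.patient_id, a.date), set())
        if a.user not in team:
            findings.append((a, "no care relationship on date of access"))
            continue
        if a.section not in MINIMUM_NECESSARY.get(a.reason, set()):
            findings.append((a, f"'{a.section}' exceeds minimum necessary for '{a.reason}'"))
    return findings


# Constructed log mirroring the training scenarios.
SAMPLE_LOG = [
    Access("jane_2north", "P1001", "notes", "2024-03-04", "treatment"),  # friend checking on Sue
    Access("dr_lee", "P1001", "notes", "2024-03-04", "treatment"),       # assigned physician
    Access("amy", "P2002", "labs", "2024-03-04", "lab_lookup"),          # asked to look up labs
    Access("amy", "P2002", "psych_notes", "2024-03-04", "lab_lookup"),   # snooping beyond task
]

if __name__ == "__main__":
    for access, why in audit(SAMPLE_LOG):
        print(f"REVIEW {access.user} -> {access.patient_id}/{access.section}: {why}")
```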

More Information
Check out the Policies and Procedures online on the UMC Intranet.
IF YOU NEED TO REPORT A VIOLATION, report it through any of the following:
- Directly to your superior
- The Compliance Hotline
- The Compliance Report Form
- The Office of Integrity and Compliance