Understanding the Privacy and Security Regulations


Omnibus Rule Update

HIPAA Handbook for Long-Term Care Staff: Understanding the Privacy and Security Regulations

Kate Borten, CISSP, CISM


HIPAA Handbook for Long-Term Care Staff: Understanding the Privacy and Security Regulations is published by HCPro, Inc.

Copyright 2013 HCPro, Inc. All rights reserved. Printed in the United States of America.

5 4 3 2 1

ISBN: 978-1-61569-222-4

No part of this publication may be reproduced, in any form or by any means, without prior written consent of HCPro, Inc., or the Copyright Clearance Center (978-750-8400). Please notify us immediately if you have received an unauthorized copy.

HCPro, Inc., provides information resources for the healthcare industry. HCPro, Inc., is not affiliated in any way with The Joint Commission, which owns the JCAHO and Joint Commission trademarks.

Kate Borten, CISSP, CISM, Author
Gerianne Spanek, Managing Editor
Mary Stevens, Editor
James T. DeWolf, Publisher and Editorial Director
Mike Mirabello, Production Specialist
Amanda Donaldson, Proofreader
Matt Sharpe, Senior Manager of Production
Shane Katz, Art Director
Jean St. Pierre, Vice President of Operations and Customer Service

Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.

Arrangements can be made for quantity discounts. For more information, contact:
HCPro, Inc.
75 Sylvan Street, Suite A-101
Danvers, MA 01923
Telephone: 800-650-6787 or 781-639-1872
Fax: 800-639-8511
Email: customerservice@hcpro.com

Visit HCPro online at: www.hcpro.com and www.hcmarketplace.com.

05/2013 22027

CONTENTS

About the Author ... vi
Intended Audience ... 1
Learning Objectives ... 2
HIPAA Basics ... 3
HITECH Act and Omnibus Rule Overview ... 4
Terms You Should Know ... 5
    Covered entities ... 5
    Protected health information or PHI ... 5
    Business associates ... 6
    Minimum necessary/need to know ... 7
    Case scenario #1: We need to talk ... 8
    Minimum necessary/need to know: Ask yourself ... 9
Privacy ... 9
    Case scenario #2: Start spreading the news ... 10
Use and Release of PHI ... 11
    Treatment, payment, and healthcare operations ... 11
    Special cases of permitted disclosures ... 11
    Disclosure of PHI to residents' family and friends ... 13
    HIPAA and minors ... 13
    HIV, substance abuse, mental health records, and psychotherapy notes ... 14
    HIPAA authorization ... 15
    Faxing ... 16
    Case scenario #3: Where's my fax? ... 17
    Case scenario #4: You don't want to be on this list ... 17
    What your organization does to protect confidentiality ... 18
    Incidental disclosures ... 19
Resident Rights ... 20
    Notice of privacy practices ... 20
    Access to a resident's own PHI ... 21
    Amending a medical record or other PHI ... 22
    Restricting PHI use and disclosure ... 23
    Accounting of PHI disclosures ... 23
Security ... 24
    Security: What you can do ... 24
    Security: What your organization does ... 25
    Personal user IDs and passwords ... 26
    Tips to protect your password ... 27
    Case scenario #5: I need a favor while I'm basking in the sun ... 28
    Physical security ... 28
    Case scenario #6: I need caffeine ... 29
    Destruction of PHI ... 30
    Protecting against computer viruses ... 30
    Unauthorized software and hardware ... 31
    Email security ... 32
    Encryption ... 32
    Off-site security ... 33
    Protecting laptop computers and other portable devices ... 33
    Case scenario #7: The absentminded administrator ... 34
    Portable computers and viruses ... 35
The Consequences of Breaking the Rules ... 35
    Reporting violations ... 36
    If your facility experiences a breach ... 37
    Breach notification requirements ... 37
Obtaining Help ... 38
In Conclusion ... 39
Final Exam ... 41
Answer Key ... 45
Certificate of Completion ... 50

ABOUT THE AUTHOR

Kate Borten, CISSP, CISM

Kate Borten, president of The Marblehead Group, offers a unique blend of technical and management expertise, information security and privacy knowledge, and an insider's understanding of the healthcare industry. Her company, founded in 1999, serves the full spectrum of covered entities and their business associates with respect to understanding privacy and security regulations, establishing and enhancing their formal privacy and security programs, and assessing risk and regulatory compliance.

Borten has more than 20 years of experience designing, implementing, and integrating healthcare information systems at world-renowned medical facilities, including Massachusetts General Hospital, where she was responsible for system development. Before founding The Marblehead Group, Borten served as chief information security officer at CareGroup, Inc., where she established a comprehensive information security program that encompassed all entities within this major Boston-area integrated healthcare delivery system. She is an internationally certified information security professional, an Information Systems Security Association (ISSA) senior member, and a member of the New England chapter's board of directors. She has chaired health sector information security and privacy national conferences and frequently speaks on these topics.

Intended Audience

This book explains the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as applicable and relevant to long-term care management, staff members, and volunteers. It also addresses the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 privacy, security, and breach notification provisions and the 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act (Omnibus Rule).

The intended audience includes the following:
- Facility owners
- Chief executive officers
- Chief operating officers
- Chief financial officers
- Administrators
- Department heads
- Nurses
- Licensed vocational nurses
- Licensed practical nurses
- Minimum data set coordinators
- Therapists
- Nursing directors
- Nursing management
- Contracted staff
- Certified nursing assistants
- Housekeeping staff
- Volunteers
- Vendors
- Administrative staff
- Students

Learning Objectives

This book explains certain HIPAA and HITECH Act requirements for privacy and security of patient information. It covers workplace practices that protect patient privacy and ensure the security of confidential health information. After reading this book, you should be able to do the following:
- Describe the HIPAA and HITECH Act privacy, security, and breach notification requirements for covered entities
- Define protected health information and explain why protecting patient privacy is important
- Summarize how to protect confidential health information by following proper physical security procedures
- Describe how to protect confidential information you may come across while performing your job
- Contact the correct individual with your questions about protecting patient privacy
- Identify and report suspected privacy and security incidents appropriately

HIPAA Basics

HIPAA is a broad federal law that establishes the basic privacy protections to which all U.S. patients are entitled. Its original goal was to make it easier for individuals to move from one health insurance plan to another as they change jobs or become unemployed. The law also requires that common electronic transactions, such as insurance claims, be in a standard form for healthcare organizations and payers. The government has made transitioning to electronic health records a priority and has increased scrutiny to ensure that the transition does not compromise patient privacy.

Most hospitals and healthcare organizations have always had strict privacy and confidentiality policies, but there was no overall federal law protecting the privacy and security of personally identifiable health information. With the enactment of HIPAA, patients' right to have their health information kept private and secure became more than just an ethical obligation of physicians, hospitals, and other healthcare facilities such as this one: it became federal law with civil and even criminal penalties for violations.

Whether you are a facility owner, department head, administrator, nurse, therapist, housekeeping staff member, student, volunteer, or vendor, you have access to patient information. You also may regularly communicate with patients, their families and friends, and your colleagues. Understanding what HIPAA requires with respect to privacy and security is especially important. No matter where you work in healthcare, you must understand what HIPAA requires of you to keep patient information, in any form (e.g., written, oral, or electronic), private and secure.

HITECH Act and Omnibus Rule Overview

The American Recovery and Reinvestment Act of 2009 became federal law February 17, 2009. The HITECH Act, a subset of that law, enhances HIPAA's privacy and security regulations. Further, it gives more power to federal and state authorities to enforce privacy and security protections for patient data, and it significantly raised the penalties for noncompliance. More specifically, the HITECH Act limits use of patient information for marketing purposes, gives patients new rights regarding their information, makes business associates directly liable for compliance (while remaining contractually liable to covered entities), and mandates breach notification to affected patients and the U.S. Department of Health and Human Services (HHS).

The 2013 Omnibus Rule implements many of the HITECH Act's provisions as well as new protection for genetic information, as mandated by the Genetic Information Nondiscrimination Act (GINA), and new privacy provisions from the HHS. The rule strengthens requirements in the Breach Notification Rule, and it clarifies and extends the definition of business associate. The Omnibus Rule's material changes affect most, if not all, covered entities and their business associates, requiring new contracts and new privacy notices. The rule's enforcement date is September 23, 2013.

Terms You Should Know

Covered entities

HIPAA Privacy, Security, Breach Notification, and Omnibus Rules apply to all covered entities (CE). CEs include health plans, healthcare clearinghouses, and most provider organizations, such as physician practices, therapists, dental practices, hospitals, ambulatory facilities, skilled nursing facilities, home health agencies, and pharmacies. Your employer is a CE. All HIPAA covered entities must comply with these rules or face civil and even criminal penalties.

Protected health information or PHI

HIPAA sets rules for when and how patients' protected health information or PHI may be used and released. PHI can take any form, including electronic, paper, and spoken. PHI includes any information that can be linked to a specific patient or resident.

PHI may include obvious identifiers such as the name of a resident, medical record number, and insurance subscriber number. But information without obvious identifiers can still point to one resident. For example, if only one resident underwent a particular procedure this week, the procedure would be enough to identify that patient and would be PHI.

PHI includes demographic information about the patient as well as financial and health information. PHI includes, for example, billing information, insurance eligibility or coverage, the reason a person is sick or in the facility, information about past health conditions or treatments, treatments and medications a resident receives, test results, photographs and radiology images, allergies, and observations about a resident's condition. The Omnibus Rule explicitly adds genetic information about individuals and their family members to the definition of PHI.

Business associates

A business associate (BA) is a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a CE. The HITECH Act and Omnibus Rule make BAs directly liable for compliance with the Security Rule and relevant parts of other HIPAA rules. Even though BAs have become directly liable for certain provisions, CEs must continue to have BA contracts protecting PHI as specified by HIPAA's Privacy and Security Rules and amended by the Omnibus Rule. The Omnibus Rule changes require most CEs to revise their BA contracts and have them re-signed by September 23, 2013. Going forward, your organization must ensure that new BAs sign these contracts before being given access to your PHI.

The types of functions or activities that may make a person or entity a BA include, but are not limited to, billing, transcription, collections, information technology (IT) services, document and data storage and disposal, legal services, management, data aggregation, accreditation, e-prescribing gateways, health information organizations, and patient safety organizations.

Minimum necessary/need to know

HIPAA requires that organizations follow the principle of minimum necessary. Only individuals with an authorized need to know to perform their jobs may have access to PHI. And HIPAA requires individuals to access and share only the minimum necessary information to perform their jobs without compromising resident healthcare.

Physicians, nurses, therapists, dietitians, and other caregivers use PHI to determine an individual's health status and which services are necessary. The billing department uses PHI to bill residents and their insurers for services and items provided. Physicians and quality control directors review PHI to ensure that residents receive good care. These are all examples of treatment, payment, and healthcare operations, all permissible under HIPAA without obtaining resident approval.

All staff members of organizations that provide long-term care contribute to the quality of resident care. However, this doesn't mean everyone needs to see health information pertaining to all residents. And it doesn't mean everyone who cares for a particular resident necessarily needs to see all of the information about that resident.

Many employees and other workforce members have no access to resident information, either via computer or on paper, because they don't need to know this information. This is an important phrase to remember: need to know. If you don't need to know confidential resident information to perform your job, you will not be given access to it. This means you should not access or view medical records or other PHI, either on a computer screen or on paper.

You are responsible for safeguarding resident information in your possession. Don't leave it unattended or in areas where others can see it. This is especially important in public buildings, provider locations, and areas with heavy pedestrian traffic.

Case scenario #1: We need to talk

Two nurses need to discuss a resident's treatment, and they need a place to do so privately.

Q: Must facilities provide a soundproof room for such conversations?

A: Privacy regulations don't require healthcare organizations to provide private or soundproof rooms. However, staff members must take reasonable measures to avoid being overheard. If a private room is not available, discuss residents in an out-of-the-way location, lower your voice, and be discreet.

HIPAA Handbook for Long-Term Care Staff: Understanding the Privacy and Security Regulations
Kate Borten, CISSP, CISM

This handbook, which provides fundamental privacy and security training for new and seasoned staff, is updated to reflect the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act (also known as the Omnibus Rule). It includes scenarios that depict workplace practices specific to staff and settings to educate them about their role in protecting patient health information. A quiz and certificate of completion help ensure that your staff understands what the law requires.

This is one in a series of HIPAA handbooks for healthcare workers in a variety of roles and settings and business associates to help ensure their compliance with the requirements of the new Omnibus Rule. Other handbooks in the series are tailored for the following members of the healthcare team:
- Behavioral health staff
- Home health staff
- Business associates
- Nursing and clinical staff
- Coders, billers, and HIM staff
- Executive, administrative, and corporate staff
- Healthcare staff
- Nutrition, environmental services, and volunteer staff
- Physicians
- Registration and front office staff

Need to train your entire team or organization? Volume discounts are available for bulk purchases. Please call 877-233-8828 for more information.

Blend handbook training with our HIPAA Privacy and Security elearning Library. HCPro's HIPAA elearning courses are updated to reflect the new provisions set forth in the HIPAA Omnibus Rule. Visit us at www.hcmarketplace.com, call 877-233-8828, or email esales@hcpro.com for more information on our other training resources.

HHLTCS2
75 Sylvan Street, Suite A-101, Danvers, MA 01923
www.hcmarketplace.com