2011-2012 HIPAA Training New Hire Orientation and General Training 1
This training is to ensure all Health Management workforce members (associates, contracted individuals, volunteers and students) understand our HIPAA policies and procedures to maintain the privacy and security of patient information. 2 11/9/2009 2
HIPAA is a broad law dealing with the privacy and security of health information: The Privacy Rule tells hospitals and physicians when and how they can use or disclose patient health information. The Security Rule tells hospitals and physicians how to protect health information from being inappropriately accessed, edited, or destroyed. 3 11/9/2009 3
Who are your HIPAA Officers? The HIPAA Privacy Officer is your HIM Director The HIPAA Security Officer is your Risk Manager 4 4
The first essential element of HIPAA: PHI Protected Health Information (PHI) is ALL PERSONAL HEALTH, BILLING AND DEMOGRAPHIC INFORMATION, IN ANY FORMAT (Oral, Paper, Picture or Electronic) CREATED OR HELD BY A COVERED ENTITY (hospital or physician, payer) (includes past, present and future healthcare) 5 11/9/2009 5
Minimum Necessary or need to know All members of the workforce contribute to the care of the patient. That doesn t mean everyone needs to see health information about patients. If you do not need to know confidential information to provide care (clinical or financial) you are NOT permitted to access it. This includes your PHI. 6 11/9/2009 6
Disciplinary Actions for Violations of HIPAA Policies & Procedures There are three different groups of disciplinary action depending on the violation. The following examples show what can happen if you do not protect our patients information correctly: 7 11/9/2009 7
Not signing off computer (with PHI) when leaving a work area. Inadvertent disclosure of PHI to the wrong patient Failure to follow o appropriate a guidelines es for the use of fax, mailing, E-mail, computer or other transmission of patient information causing a disclosure to an unintended recipient. 8 11/9/2009 8
Sharing your password with a coworker. Unauthorized access of information on a patient t you have no job-related responsibility for, including your friends, family, co-workers AND your own information! 9 11/9/2009 9
Using a co-worker s password without their knowledge. Disclosure of PHI which you have accessed, without authorization and when NOT involved in the care of the patient. Releasing any PHI for personal gain or releasing PHI with intent to harm the reputation of the individual or our organization. Accessing HIV test results, records of sexual or domestic abuse, drug and alcohol test results or other highly protected information when not involved in the care of those patients. 10 11/9/2009 10
Our #1 Biggest Risk: Nosy Associates Aco-worker accesses information. The only reason was for curiosity regarding: A co-worker who is a patient A physician i who is a patient t A neighbor who is a patient Health Management has a zero tolerance for associates who access patient information without authorization! 11 11/9/2009 11
Actions that could cause a HIPAA violation Taking pictures of any patient s image, body part or X-ray with personal cell phone cameras (this will be grounds for termination) Unauthorized access of sensitive health information (HIV, Abuse, Psych records) Access of the associate s own patient t record in the computer system Sharing or stealing another co-worker s password for the computer systems Not verifying who you disclose patient information to (financial or clinical) and not confirming that the person requesting the information is authorized to receive it 12 11/9/2009 12
Where can I find our HIPAA policies and procedures? HIPAA Policy & Procedure Manuals are located: 1. On-line at your facility s Intranet site 2. On the home office intranet: t hma-info.com 13 11/9/2009 13
Steps you should take to protect patient privacy include: Respect the patient s information and condition the same way you would expect others to respect and care for yours. Close treatment room doors or use privacy curtains when discussing the care of a patient. Ensure that medical records are not left where others can see or gain access to them. Keep laboratory, radiology and other test results private. Make sure computer screens containing PHI are not visible to others not involved with the patient. 14 11/9/2009 14
Destruction of paper containing patient t information Shred all patient information when it is to be discarded. Do not place anything with a patient s name or identifiers in the regular trash. Patient name bands Telemetry strips What about IV bags with med labels? If you can, peel off label. Label must be shredded or blacked-out with a marker. 15 11/9/2009 15
Visitor Identification All associates should question visitors or other persons who are in restricted areas and are not escorted by an associate of the facility or are not displaying i proper identification. ifi i Vendors and contractors will be wearing their company ID in addition to hospital identification noting that they have permission to be in the building. All associates, volunteers and other workforce members must wear their identification badge as issued by the hospital. 16 11/9/2009 16
IMPORTANT!! Every associate, physician and VIP admitted to our hospital will have their records reviewed for inappropriate access. Associates are not permitted to snoop in each other s patient information when they come into the hospital for care. Audit trails will document who was where in our systems and will document what the associate was accessing. This is performed by our HIPAA Officers (Privacy & Security). Your User ID will link to every item opened, read or printed. 17 11/9/2009 17
The types of information that you are not permitted to access, acquire, use or disclose without authorization from the patient t include: 18 Medical information Name, address, phone number Social Security Number, date of birth Photo of any part of the patient s body, including X-ray images, whether or not they contain the patient s name Any information or data that could be used to identify the patient 11/9/2009 18
Notification to Patients Federal law now requires us to tell patients if someone has snooped into their information protected by HIPAA. We must also notify patients any time their protected health information was inappropriately disclosed d outside of the facility, or if it was stolen or breached. We are required to notify the patient in writing and report all breaches of PHI to the Federal Government. 19 11/9/2009 19
Under the Notification Rule, a breach means the acquisition, access, use or disclosure of PHI which violates the HIPAA Privacy Rule and compromises the security or privacy of the PHI. 20 11/9/2009 20
At any one time, if there are more than 500 patients who have their records snooped into or, if their protected health information is disclosed in any way outside of our facility, we must notify every patient and the Federal Government immediately. We may also need to notify the local media if 500 or more of the patients are from the same state. 21 11/9/2009 21
Who do we need to notify if a breach of PHI is detected? All of the affected patients. t The Federal Government. Local media if 500 or more patients in the same area are affected. 22 11/9/2009 22
Examples of Breaches Lost laptop p or PDA PHI left behind in the cafeteria, lounge, or public area Snooping in patient records without a need to know the information Cell phone pictures taken by associates that identify a patient or characteristics of a patient (x-ray or body part) PHI faxed to the wrong fax number, or emailed to the wrong address Information intended for one patient handed to another patient (not verifying your work). 23 11/9/2009 23
Reporting deadlines for breach notifications Once we discover a breach of PHI, we have no more than 60 days (45 days in Florida) to comply with the Rule s notification requirement. You should immediately report all suspected PHI breaches to the Privacy Officer. The Privacy Officer will need to conduct a full investigation. Determination will need to be made if a breach occurred and notification is required. 24 11/9/2009 24
What can you do to prevent a breach of PHI? Take 5 seconds to confirm the name of the patient and the document you want to generate or use is correct! Verify the fax # or address you are about to use is correct Double check that you have entered the numbers or letters correctly. Verify all auto dial numbers in the fax machines are entered correctly and you select the intended preprogrammed fax number. Use Fax coversheets; they are important safeguards 25
Increased HIPAA enforcement actions could directly affect you! If you are found to be responsible for any type of a HIPAA violation that the State Attorney General believes has threatened or in some way harmed a patient who is a resident of your State, you can be held responsible for your actions. The State Attorney General can bring a civil action in federal court against you! 26 11/9/2009 26
Conclusion We must all remember to protect the privacy and security of patient information at all times. We are all patients from time to time. How would you feel if your own health information was used or disclosed in a way that was harmful to you or your family? If you have a question about HIPAA, ask your supervisor or your Privacy Officer. 27 11/9/2009 27
Reporting known or suspected HIPAA violations We expect all associates to adhere to the HIPAA policies, i but we know there may be times when the policy is being abused. You should report HIPAA violations or suspected violations to your supervisor or to your Privacy Officer. You may report anonymously, if you wish. Health Management Compliance Helpline: 1-888-462-0380 Health Management Associates, PO Box 770621, Naples, FL 34107 You will not be retaliated against if you report a privacy violation. It is part of your job to report instances where you suspect policies are being broken. 28 11/9/2009 28
Thank you for your attention. Please follow the instructions below: Please complete the Affirmation Statement at the end of this training! 29 11/9/2009 29